Recommended length of OIDCCryptoPassphrase

[wadahiro]

From my understanding, OIDCCryptoPassphrase value is used below to generate a SHA-256 symmetric key.

https://github.com/zmartzone/mod_auth_openidc/blob/884c1250fb173e2956a3d1211df826e84c30a7bf/src/util.c#L135

Therefore, I believe a minimum length of 256 bits (32 bytes) is necessary for security reason.

Reference: https://openid.net/specs/openid-connect-core-1_0.html#SymmetricKeyEntropy

Also, since only Ascii code can be set, a minimum of 43 characters encoded with base64url is required instead of 32 characters.

Is my understanding correct?

[zandbelt]

for the record: the text in the spec refers to the OIDCClientSecret, which is used towards the Provider; the OIDCCryptoPassphrase is only used internal to the module and technically is not subject to the requirements from the spec; I do agree that it makes sense to treat both the same and that it would be useful to add something to the documentation about it

[wadahiro]

@zandbelt Thank you for your comment.

for the record: the text in the spec refers to the OIDCClientSecret, which is used towards the Provider; the OIDCCryptoPassphrase is only used internal to the module and technically is not subject to the requirements from the spec;

Yes, the reference is to the Security Consideration in the OIDC specification when using symmetric keys for signing or encryption operations.

Sorry for my lack of explanation, but it looks like OIDCCryptoPassphrase uses the same algorithm (HS256) as the OIDC specification. Therefore, I asked this question because I thought that the following Security Consideration written in the OIDC specification would be applicable.

So for instance, for HS256, the client_secret value MUST contain at least 32 
octets (and almost certainly SHOULD contain more, since client_secret 
values are likely to use a restricted alphabet).

I do agree that it makes sense to treat both the same and that it would be useful to add something to the documentation about it

How about mentioning the recommended length in the following section of auth_openidc.conf?

https://github.com/zmartzone/mod_auth_openidc/blob/62e175378c86ea5f495cd6aa8d94a4441fdb4107/auth_openidc.conf#L23

For example, how about adding the following sentence at the end of the comment?

Currently, this passphrase is used as the secret value to generate symmetric key with SHA-256 algorithm.
Therefore, it must be at least 32 octets for security reasons.
In addition, the value is set in ASCII characters, so if it is to be expressed in base64url encoding without padding,
it must be set to at least 43 characters.

[zandbelt]

actually SHA-256 hashing of the OIDCCryptoPassphrase is done to generate 64 octets out of that before using it as a symmetric key; but adding something like that to the OIDCClientSecret documentation would make it align with the spec, since that is not hashed before using it as a symmetric key

[wadahiro]

@zandbelt

actually SHA-256 hashing of the OIDCCryptoPassphrase is done to generate 64 octets out of that before using it as a symmetric key

I'm very sorry if I misunderstood.

I added oidc_debug(r, "debug passphrase: crypto_passphrase=%s", secret); in the following place.

https://github.com/zmartzone/mod_auth_openidc/blob/62e175378c86ea5f495cd6aa8d94a4441fdb4107/src/util.c#L135

As a result, the value of OIDCCryptoPassphrase is output as is, as shown below. Therefore, I believe that the passphrase is being used directly to generate the symmetric key. The symmetric key generated here is used to generate the cookie value for state.

[Mon Dec 13 02:36:51.423790 2021] [auth_openidc:debug] [pid 19] src/mod_auth_openidc.c(209): [client 10.99.0.1:57508] oidc_get_browser_state_hash: enter
[Mon Dec 13 02:36:51.423794 2021] [auth_openidc:debug] [pid 19] src/util.c(2464): [client 10.99.0.1:57508] oidc_util_hdr_in_get: User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
[Mon Dec 13 02:36:51.423805 2021] [auth_openidc:debug] [pid 19] src/util.c(135): [client 10.99.0.1:57508] oidc_util_jwt_create: debug passphrase: crypto_passphrase=blabla1234
[Mon Dec 13 02:36:51.423875 2021] [auth_openidc:debug] [pid 19] src/util.c(2279): [client 10.99.0.1:57508] oidc_util_create_symmetric_key: key_len=32
[Mon Dec 13 02:36:51.423987 2021] [auth_openidc:debug] [pid 19] src/util.c(2464): [client 10.99.0.1:57508] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_session=cc1e9069-9597-4314-ba04-3f2829dc94d4
[Mon Dec 13 02:36:51.424010 2021] [auth_openidc:debug] [pid 19] src/util.c(1103): [client 10.99.0.1:57508] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Mon Dec 13 02:36:51.424015 2021] [auth_openidc:debug] [pid 19] src/util.c(2542): [client 10.99.0.1:57508] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_state_Q9dhhh....; Path=/; HttpOnly

So, I'm assuming that the value of OIDCCryptoPassphrase, like OIDCClientSecret, must contain at least the minimum number of octets (256 bits) required for the keys of the algorithm used (currently SHA-256), is that correct?