Is Keys.password supported to sign JWT tokens?

[pgmarc]

Hi I am currently using version 0.12.6 of jjwt and due to some requirements in my project I just need to sign a JWT with a plain password (even if not recommended in docs) so I tried to use Keys.password but unfortunately I keep encountering UnsupportedKeyException when creating the token.

Here is the snippet of code I used:

package example;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.Password;

public class Example {

    public static void main(String[] args) {
        String secretString = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        Password key = Keys.password(secretString.toCharArray());
        String jwt = Jwts.builder().claim("foo", "bar").signWith(key).compact();
        System.out.println(jwt);
    }
}

I just assumed looking at SecretKey Formats section that I was able to sign a JWT token using that method, Am I using the API incorrectly or missing something?

Thanks in advance for your help

[lhazlewood]

Hi @pgmarc !

Plaintext passwords (and their Password type complement) are unsafe inputs for any cryptographic algorithms other than key derivation algorithms. Key derivation algorithms work by taking an unsafe input (like a poor-entropy text password) and they produce/output a cryptographically safe key that is sufficiently strong to use in the actual desired algorithm (e.g. signature algorithm, encryption algorithm, etc).

The only JWA-defined password input algorithms are for Key Encryption using PBES2, used during JWT encryption, not signing.

So, because .signWith attempts to find the most suitable mac or signature algorithm for the specified key, and as Password instances are not suitable with any RFC-specified mac or signature algorithm, it throws the UnsupportedKeyException, because it would be a big security risk otherwise.

As for using a plaintext string to get a HMAC key, the intended API is to use Keys.hmacShaKeyFor, HOWEVER:

The input to that method is expected to be the encoded bytes of a previously created valid HMAC key, for example:

SecretKey key = Jwts.SIG.HS512.key().build();
String secretString = Encoders.BASE64.encode(key.getEncoded());
// WARNING: `secretString` is not encrypted, it must be saved somewhere safe, ideally encrypted first.

Then, during application startup, the secretString value is obtained, decrypted, and referenced for runtime use:

String secretString = getFromApplicationConfigAndDecrypt();
byte[] decoded = Decoders.BASE64.decode(secretString);
SecretKey key = null;
try {
    key = Keys.hmacKeyFor(decoded);
} finally {
    java.util.Arrays.fill(decoded, (byte) 0);
}

Then later during runtime when needing to sign JWTs:

String jwt = Jwts.builder().claim("foo", "bar").signWith(key).compact();
// etc ...

One could abuse this API to get around having validly-encoded key bytes:

// HERE BE DRAGONS. THOU ART FOREWARNED.
// This is cryptographically unsafe and will fail any reasonable security audit:
SecretKey key = Keys.hmacShaKeyFor(secretString.getBytes(StandardCharsets.UTF_8)); // INSECURE, DO NOT DO THIS

That might be your workaround, but I strongly advise contacting whoever is forcing this as a requirement in the project and advocate the cryptographically safe way. The application's security model is at risk otherwise.

I hope that helps!