io.jsonwebtoken.security.weakkeyexception: The verification key's size is 48 bits which is not secure enough for the HS256 algorithm

I'm attempting to take a token from my web application's API and parse out the user id from it in Android Studio. I'm using jjwt to decode the token, but am running into this issue. I was reading online and the solutions said to make sure my 'secret-key' was in Base64, but it's still causing issues.

I tried using the encoder and an online encoder, and hardcoding the Base64 String of my 'secret', but it still returns the same issue. A link to people having similar issues is found here: github.com/auth0/node-jsonwebtoken/issues/208

    import android.util.Base64;
    import android.widget.TextView;
    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jws;
    import io.jsonwebtoken.JwtException;
    import io.jsonwebtoken.Jwts;

    final TextView tv = (TextView) findViewById(R.id.tvText);

    // Token issued by the web API, and the HMAC secret it was signed with
    final String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVjOWYzYWI2NzY2Mjg2NDYyNDY0YTczNCIsIm5hbWUiOiJSYW5keSIsImF2YXRhciI6Ii8vd3d3LmdyYXZhdGFyLmNvbS9hdmF0YXIvMTNhN2MyYzdkOGVkNTNkMDc2MzRkOGNlZWVkZjM0NTF_cz0yMDAmcj1wZyZkPW1tIiwiaWF0IjoxNTU0NTIxNjk1LCJleHAiOjE1NTQ1MjUyOTV9._SxRurShXS-SI3SE11z6nme9EoaD29T_DBFr8Qwngkg";
    final String secret = "secret";
    // "secret" as Base64: still the same 6 bytes (48 bits) once jjwt decodes it
    String secret64 = "c2VjcmV0";

    // Same value as secret64 (plus a trailing newline from Base64.DEFAULT); currently unused
    String encoded = Base64.encodeToString(secret.getBytes(), Base64.DEFAULT);

    Jws<Claims> jws;
    try {
        jws = Jwts.parser()                 // (1)
                .setSigningKey(secret64)    // (2) a String key is Base64-decoded by jjwt
                .parseClaimsJws(token);     // (3) signature and key size are checked here

        // we can safely trust the JWT

    }
    catch (JwtException ex) {               // (4) WeakKeyException is a JwtException
        // we *cannot* use the JWT as intended by its creator
        tv.setText(ex.toString());
    }
ancd3ea4 asked Apr 06 '19 04:04


1 Answer

The verification key's size is 48 bits

This statement tells the whole story. The secret key you've used is too short. If you are using HS256, which is HMAC with SHA-256, a key of at least 256 bits or larger MUST be used with the HS256 algorithm.

As mentioned in JSON Web Algorithms

the JSON Web Algorithms RFC 7518 states that a key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with the HS256 algorithm.

So change your key size and you are good to go.

Tejas Pandya answered Oct 05 '22 12:10
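As an added example (not code from the question, the answer, or jjwt), here is the RFC 7518 key-size rule the answer quotes, implemented in Python and enforced before an HS256 compact JWS is signed or verified, so a 6-byte key like "secret" is rejected with the same 48-bit message the asker saw. The claim values are constructed and the function names are assumed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: the HMAC key MUST be at least as long as the hash
# output, i.e. 256 bits for HS256, 384 for HS384, 512 for HS512.
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

class WeakKeyError(ValueError):
    """Python counterpart of jjwt's WeakKeyException (assumed name)."""

def check_key(key: bytes, alg: str = "HS256") -> int:
    """Return the key size in bits, or raise WeakKeyError if RFC 7518 forbids it."""
    bits = len(key) * 8
    if bits < MIN_KEY_BITS[alg]:
        raise WeakKeyError(f"The verification key's size is {bits} bits which is "
                           f"not secure enough for the {alg} algorithm")
    return bits

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Produce a compact JWS, refusing keys that fail the size rule."""
    check_key(key, alg)
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify(token: str, key: bytes, alg: str = "HS256") -> dict:
    """Check the key size, pin the algorithm, compare in constant time, return claims."""
    check_key(key, alg)
    h64, p64, s64 = token.split(".")
    if json.loads(_unb64url(h64)).get("alg") != alg:   # never trust alg from the token
        raise ValueError("unexpected alg in header")
    mac = hmac.new(key, f"{h64}.{p64}".encode("ascii"), HASHES[alg]).digest()
    if not hmac.compare_digest(mac, _unb64url(s64)):
        raise ValueError("signature mismatch")
    return json.loads(_unb64url(p64))

def new_key(alg: str = "HS256") -> bytes:
    """A random key of exactly the minimum size RFC 7518 requires for alg."""
    return secrets.token_bytes(MIN_KEY_BITS[alg] // 8)
```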