Uploaded image for project: 'Commons'
  1. Commons
  2. COMMONS-366

HMAC JWS handler cannot be used with HSM

    XMLWordPrintable

    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 24.0.0
    • 24.0.0
    • JSON Web Token
    • None

      Description

      The HMAC signing handler for JWS assumes that it can get at the raw key bytes (via `key.getEncoded()`) and the underlying handler constructor takes the key as a byte array and then reconstructs a Key object from it. This prevents it being used with a sensitive/non-extractable key from a HSM, for which the raw key bytes will not be available. The code should be changed to pass a Key object rather than a byte array.

        Attachments

          Issue Links

            Activity

              People

              neil.madden Neil Madden
              neil.madden Neil Madden
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: