Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-13666

Cannot use non-extractable/sensitive HSM key for HMAC


    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes but I used my own steps. (If so, please add them in a new comment)


      Bug description

      As described in COMMONS-366, the JWT library currently cannot be used with a HSM key to sign with HMAC unless the key is marked as extractable and non-sensitive (not best practice). When the commons bug is fixed the following places in the AM source code will also need a minor fix to ensure compatibility:

      • org.forgerock.openam.auth.nodes.ProvisionIdmAccountNode#generateClientJwtToken
      • org.forgerock.openam.authentication.modules.social.AbstractSocialAuthLoginModule.ClientTokenJwtGenerator#generate
      • org.forgerock.openam.selfservice.JwtSnapshotTokenHandlerFactory#configureJwtTokenHandler

      That is, for signing tokens used in USS and for integration with IDM during authentication.

      How to reproduce the issue

      1. Buy an HSM that supports HMAC-SHA256
      2. Configure self-service and/or IDM integration to use a key from the HSM for HMAC signing
      3. See if it works
      Expected behaviour

      It works

      Current behaviour

      It doesn't work.

      Work around

      Make your HSM keys extractable. (NB: this is not best practice).

      Code analysis

      In each case, the code creates a HmacSigningHandler from the key by calling key.getEncoded() to get the raw bytes. For a non-extractable HSM key this will return null. Instead the Key object should be passed to the signing handler directly.



          Issue Links



              • Assignee:
                craig.mcdonnell Craig McDonnell
                neil.madden Neil Madden
              • Votes:
                0 Vote for this issue
                4 Start watching this issue


                • Created: