(improvement)(auth) Fix the issue of a too short key. (#1207)

2025-12-11 03:58:14 +00:00 · 2024-06-24 23:57:48 +08:00
parent 96d8ba5ec4
commit 2fd2c5690b
5 changed files with 37 additions and 24 deletions
--- a/auth/api/src/main/java/com/tencent/supersonic/auth/api/authentication/config/AuthenticationConfig.java
+++ b/auth/api/src/main/java/com/tencent/supersonic/auth/api/authentication/config/AuthenticationConfig.java
@@ -1,12 +1,13 @@
 package com.tencent.supersonic.auth.api.authentication.config;


+import lombok.Data;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+
 import java.util.Arrays;
 import java.util.Map;
 import java.util.stream.Collectors;
-import lombok.Data;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Configuration;

@Data
@Configuration
@@ -24,7 +25,8 @@ public class AuthenticationConfig {
    @Value("${authentication.token.default.appKey:supersonic}")
    private String tokenDefaultAppKey;

-    @Value("${authentication.token.appSecret:supersonic:secret}")
+    @Value("${authentication.token.appSecret:supersonic:WIaO9YRRVt+7QtpPvyWsARFngnEcbaKBk"
+            + "783uGFwMrbJBaochsqCH62L4Kijcb0sZCYoSsiKGV/zPml5MnZ3uQ==}")
    private String tokenAppSecret;

    @Value("${authentication.token.http.header.key:Authorization}")
--- a/auth/authentication/src/main/java/com/tencent/supersonic/auth/authentication/adaptor/DefaultUserAdaptor.java
+++ b/auth/authentication/src/main/java/com/tencent/supersonic/auth/authentication/adaptor/DefaultUserAdaptor.java
@@ -12,9 +12,10 @@ import com.tencent.supersonic.auth.authentication.persistence.repository.UserRep
 import com.tencent.supersonic.auth.authentication.utils.AESEncryptionUtil;
 import com.tencent.supersonic.auth.authentication.utils.UserTokenUtils;
 import com.tencent.supersonic.common.util.ContextUtils;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.BeanUtils;
+
+import javax.servlet.http.HttpServletRequest;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -94,6 +95,7 @@ public class DefaultUserAdaptor implements UserAdaptor {
            UserWithPassword user = getUserWithPassword(userReq);
            return userTokenUtils.generateToken(user, request);
        } catch (Exception e) {
+            log.error("", e);
            throw new RuntimeException("password encrypt error, please try again");
        }
    }
--- a/auth/authentication/src/main/java/com/tencent/supersonic/auth/authentication/utils/AESEncryptionUtil.java
+++ b/auth/authentication/src/main/java/com/tencent/supersonic/auth/authentication/utils/AESEncryptionUtil.java
@@ -1,14 +1,17 @@
 package com.tencent.supersonic.auth.authentication.utils;

+import lombok.extern.slf4j.Slf4j;
+
 import javax.crypto.Cipher;
 import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
-import javax.crypto.spec.IvParameterSpec;
 import java.security.MessageDigest;
 import java.security.spec.KeySpec;
 import java.util.Base64;

+@Slf4j
 public class AESEncryptionUtil {

    private static final String ALGORITHM = "AES/CBC/PKCS5Padding";
@@ -28,24 +31,29 @@ public class AESEncryptionUtil {
    }

    public static String encrypt(String password, byte[] salt) throws Exception {
-        // TODO 固定IV，确保每次加密时使用相同的IV,该值应该安全保管
-        byte[] iv = "supersonic@bicom".getBytes(ENCODE);
-        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+        try {
+            // TODO 固定IV，确保每次加密时使用相同的IV,该值应该安全保管
+            byte[] iv = "supersonic@bicom".getBytes(ENCODE);
+            IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);

-        KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_LENGTH);
-        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_ALGORITHM);
-        byte[] keyBytes = keyFactory.generateSecret(keySpec).getEncoded();
-        SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");
+            KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_LENGTH);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(SECRET_KEY_ALGORITHM);
+            byte[] keyBytes = keyFactory.generateSecret(keySpec).getEncoded();
+            SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");

-        Cipher cipher = Cipher.getInstance(ALGORITHM);
-        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec);
+            Cipher cipher = Cipher.getInstance(ALGORITHM);
+            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec);

-        byte[] encrypted = cipher.doFinal(password.getBytes(ENCODE));
-        byte[] combined = new byte[iv.length + encrypted.length];
-        System.arraycopy(iv, 0, combined, 0, iv.length);
-        System.arraycopy(encrypted, 0, combined, iv.length, encrypted.length);
+            byte[] encrypted = cipher.doFinal(password.getBytes(ENCODE));
+            byte[] combined = new byte[iv.length + encrypted.length];
+            System.arraycopy(iv, 0, combined, 0, iv.length);
+            System.arraycopy(encrypted, 0, combined, iv.length, encrypted.length);

-        return Base64.getEncoder().encodeToString(combined);
+            return Base64.getEncoder().encodeToString(combined);
+        } catch (Throwable e) {
+            log.error("encrypt", e);
+            throw e;
+        }
    }

    public static String getStringFromBytes(byte[] salt) {
--- a/auth/authentication/src/main/java/com/tencent/supersonic/auth/authentication/utils/UserTokenUtils.java
+++ b/auth/authentication/src/main/java/com/tencent/supersonic/auth/authentication/utils/UserTokenUtils.java
@@ -12,13 +12,13 @@ import org.apache.commons.lang3.StringUtils;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.stereotype.Component;

+import javax.crypto.spec.SecretKeySpec;
 import javax.servlet.http.HttpServletRequest;
 import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;

-import static com.tencent.supersonic.auth.api.authentication.constant.UserConstants.TOKEN_ALGORITHM;
 import static com.tencent.supersonic.auth.api.authentication.constant.UserConstants.TOKEN_CREATE_TIME;
 import static com.tencent.supersonic.auth.api.authentication.constant.UserConstants.TOKEN_IS_ADMIN;
 import static com.tencent.supersonic.auth.api.authentication.constant.UserConstants.TOKEN_PREFIX;
@@ -122,6 +122,7 @@ public class UserTokenUtils {
                    .setSigningKey(tokenSecret.getBytes(StandardCharsets.UTF_8))
                    .build().parseClaimsJws(getTokenString(token)).getBody();
        } catch (Exception e) {
+            log.error("getClaims", e);
            throw new AccessException("parse user info from token failed :" + token);
        }
        return claims;
@@ -143,13 +144,12 @@ public class UserTokenUtils {
        Date expirationDate = new Date(expiration);
        String tokenSecret = getTokenSecret(appKey);

-        SignatureAlgorithm.valueOf(TOKEN_ALGORITHM);
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(claims.get(TOKEN_USER_NAME).toString())
                .setExpiration(expirationDate)
-                .signWith(SignatureAlgorithm.valueOf(TOKEN_ALGORITHM),
-                        tokenSecret.getBytes(StandardCharsets.UTF_8))
+                .signWith(new SecretKeySpec(tokenSecret.getBytes(StandardCharsets.UTF_8),
+                        SignatureAlgorithm.HS512.getJcaName()), SignatureAlgorithm.HS512)
                .compact();
    }