Using predictable/constant cryptographic key when creating and verifing Json Web Token.

[xubowenW]

版本信息：

JDK 版本(必填) : --
源码版本(必填)：3.7.0
MySQL(必填)：--
Nacos(必填)：--

问题描述：

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language. We found your great public repository (i.e., lamp-cloud) from Github, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: lamp-core-3.7.0 Package: top.tangyh.basic.context Class: ContextConstant.class
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token.
(2) Location: lamp-util-3.7.0 Package: top.tangyh.basic.jwt.utils
Class: JwtUtil.class
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token.

报错截图

重现步骤

1. 访问了什么接口？
2. 传递什么参数？
3. 后端控制台报了什么错？
4. 前端控制台报了什么错？

支持一下

如果该issue帮助了你, 麻烦给项目点个star, 并给当前issue回复一下 “👍” 或者 “已解决”.

[xubowenW]

screenshot

[zuihou]

这会带来什么问题？

[xubowenW]

First of all, any hardcoded(predictable/constant) cryptographic key (private key or symmetric key for signing or encryption) is not secure, it can be see CWE-321, NIST Special Publication 800-57 and other public publications.
Second, I observed that lamp-core-3.7.0, lamp-util-3.7.0 are two separate librares, in which the key you use to generate or verify the JWT signature is hardcoded, All JWTs generated by applications or web programs that use these two packages can be forged.
JWT is widely used in permission granting or identity authentication, and the integrity of the JWT is guaranteed by the signature algorithm. If the signature key is obtained by others, the attacker can arbitrarily forge the JWT to obtain the corresponding permission or log in as any user.

[zuihou]

31f79b1