@ prefix to read a binary file cannot be used with HMAC algorithms #109
Comments
lizfeed
added a commit
to lizfeed/jwt-cli
that referenced
this issue
Jun 16, 2021
lizfeed
added a commit
to lizfeed/jwt-cli
that referenced
this issue
Jun 16, 2021
mike-engel
pushed a commit
that referenced
this issue
Jul 21, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
The help text claims that a value starting with
@can be provided to the-S/--secretparameter in order to read the secret from a binary file. However, this is not implemented for the HMAC algorithms (like HS256) - instead, the string starting with@provided on the command line is used verbatim as the secret, leading to confusing signature validation issues.This unfortunately leads this tool to encourage the exclusive use of human-readable strings as JWT secrets when using the HMAC modes, which considerably reduces the size of the keyspace.
Steps to reproduce
Expected behavior
The bytes contained in the file
secret.keyare used as the JWT secret.Actual behavior
The bytes of the string
@secret.keyare used as the JWT secret.The text was updated successfully, but these errors were encountered: