sureness
Using hardcoded cryptographic key when creating and verifying Json Web Token.
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector for the Java language (our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., sureness) on GitHub, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.usthe.sureness.util Class: JsonWebTokenUtil.class
Security issue: Using predictable/constant cryptographic key when creating and verifying Json Web Token.
Using a hard-coded secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended that you use a more secure way to store the secret used to generate the JWT. (For the hazards of hardcoded keys, you can refer to CWE-321, NIST Special Publication 800-57.)
I noticed that you mentioned that users can change the key used to generate JWT signatures; probably for ease of use, you still provide a default key for generating and verifying JWTs. Developers who don't understand JWT may directly use this hardcoded key to generate JWTs, which brings some security risks. Therefore, it is recommended that you store this hardcoded key in a more secure way.
We wish the above security issues could truly help you to build a secure application. If you have any concerns or suggestions, please feel free to contact us; we are looking forward to your reply. Thanks.
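As an added illustration of the pattern this issue reports (example code, not from the sureness project): a minimal HS256 signer/verifier with a constructed constant default secret, beside a loader that fails closed unless a secret is provisioned externally. The `JWT_SECRET` variable name and the sample default value are assumptions.

```python
import base64
import hashlib
import hmac
import json

# The pattern reported above: a constant fallback secret compiled into the utility
# class. Anyone who reads the source can mint tokens that verify. (constructed value)
DEFAULT_SECRET = b"constructed-default-secret-do-not-ship"
MIN_SECRET_BYTES = 32  # HS256 keys should be at least 256 bits (RFC 7518 section 3.2)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the signature verifies under `secret` (constant-time compare)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected).encode("ascii"), sig.encode("utf-8"))


def load_signing_secret(env: dict, var: str = "JWT_SECRET") -> bytes:
    """Hardened loader: no built-in fallback; fail closed on a missing or weak secret.

    `env` is injected (pass os.environ in production) so the checks are testable.
    The variable name JWT_SECRET is an assumption, not something sureness defines.
    """
    raw = env.get(var)
    if raw is None:
        raise RuntimeError(f"{var} is not set; refusing to fall back to a default JWT secret")
    secret = raw.encode("utf-8")
    if len(secret) < MIN_SECRET_BYTES:
        raise RuntimeError(f"{var} must be at least {MIN_SECRET_BYTES} bytes for HS256")
    if hmac.compare_digest(secret, DEFAULT_SECRET):
        raise RuntimeError(f"{var} still holds the known default value; generate a fresh one")
    return secret
```

A token minted with the default secret verifies anywhere that default is still in use, which is exactly why the loader refuses to start without a provisioned value.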
Hi, thanks for this security issue! This is very helpful for this project.