Problem
TokenIDGenerator.generateTokenID() was migrated from HMACUtils to HMACUtils2 but the call pattern was not updated, causing a double-hash bug.
Root Cause
HMACUtils.digestAsPlainText(byte[]) only hex-encodes the input — hashing is done by the caller.
HMACUtils2.digestAsPlainText(byte[]) hashes AND hex-encodes internally.
When HMACUtils2 was introduced in commons, the old call pattern was carried over unchanged, causing double-hashing:
// Wrong - generateHash() called twice (once explicitly, once inside digestAsPlainText)
HMACUtils2.digestAsPlainText(HMACUtils2.generateHash(input))
Fix
File: kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/tokenidgenerator/generator/TokenIDGenerator.java
Before:
String uinHash = HMACUtils2.digestAsPlainText(HMACUtils2.generateHash((uin + uinSalt).getBytes()));
String hash = HMACUtils2.digestAsPlainText(HMACUtils2.generateHash((partnerCodeSalt + partnerCode + uinHash).getBytes()));
After:
String uinHash = HMACUtils2.digestAsPlainText((uin + uinSalt).getBytes());
String hash = HMACUtils2.digestAsPlainText((partnerCodeSalt + partnerCode + uinHash).getBytes());
Impact
- Fixes double-hash bug introduced when migrating from HMACUtils to HMACUtils2
- Token ID now hashed exactly once as intended
- Added try-catch for NoSuchAlgorithmException thrown by HMACUtils2.digestAsPlainText()
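
The difference between the two call patterns, as an added example that is not part of the original PR or the MOSIP code base. The helper methods are hypothetical stand-ins that mimic the behaviour described above; SHA-256 and the sample input values are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DoubleHashDemo {
    // Stand-in for generateHash(byte[]). SHA-256 is an assumption of this example.
    static byte[] generateHash(byte[] in) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(in);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Stand-in for the old utility: hex-encodes only, the caller hashes first.
    static String oldDigestAsPlainText(byte[] alreadyHashed) {
        return hex(alreadyHashed);
    }

    // Stand-in for the new utility: hashes AND hex-encodes internally.
    static String newDigestAsPlainText(byte[] raw) throws NoSuchAlgorithmException {
        return hex(generateHash(raw));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not real identifiers or salts.
        byte[] input = ("constructed-uin" + "constructed-salt").getBytes(StandardCharsets.UTF_8);

        String original = oldDigestAsPlainText(generateHash(input)); // pre-migration pattern
        String migrated = newDigestAsPlainText(generateHash(input)); // pattern carried over unchanged
        String fixed = newDigestAsPlainText(input);                  // pattern after the fix

        // The fixed pattern reproduces the pre-migration value (hashed once).
        if (!original.equals(fixed)) throw new AssertionError("fixed value differs from original");
        // The carried-over pattern hashes twice and yields a different value.
        if (original.equals(migrated)) throw new AssertionError("double hash not detected");

        System.out.println("single hash : " + fixed);
        System.out.println("double hash : " + migrated);
    }
}
```

A regression test of this shape, run against the real utilities with a fixed input and expected value, would catch the same mismatch at migration time.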