Fix double-hash issue in TokenIDGenerator: migrate from HMACUtils to HMACUtils2 #575

Description

@nagendra0721

Problem

TokenIDGenerator.generateTokenID() was migrated from HMACUtils to HMACUtils2 but the call pattern was not updated, causing a double-hash bug.

Root Cause

HMACUtils.digestAsPlainText(byte[]) only hex-encodes the input — hashing is done by the caller.
HMACUtils2.digestAsPlainText(byte[]) hashes AND hex-encodes internally.

When HMACUtils2 was introduced in commons, the old call pattern was carried over unchanged, causing double-hashing:

// Wrong - generateHash() called twice (once explicitly, once inside digestAsPlainText)
HMACUtils2.digestAsPlainText(HMACUtils2.generateHash(input))

Fix

File: kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/tokenidgenerator/generator/TokenIDGenerator.java

Before:
String uinHash = HMACUtils2.digestAsPlainText(HMACUtils2.generateHash((uin + uinSalt).getBytes()));
String hash = HMACUtils2.digestAsPlainText(HMACUtils2.generateHash((partnerCodeSalt + partnerCode + uinHash).getBytes()));

After:
String uinHash = HMACUtils2.digestAsPlainText((uin + uinSalt).getBytes());
String hash = HMACUtils2.digestAsPlainText((partnerCodeSalt + partnerCode + uinHash).getBytes());

Impact

- Fixes double-hash bug introduced when migrating from HMACUtils to HMACUtils2
- Token ID now hashed exactly once as intended
- Added try-catch for NoSuchAlgorithmException thrown by HMACUtils2.digestAsPlainText()
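The following Python model is an added example and is not MOSIP code. It reproduces the two API shapes described in the Root Cause section (HMACUtils.digestAsPlainText hex-encodes only; HMACUtils2.digestAsPlainText hashes and hex-encodes), assumes SHA-256 as the digest and uppercase hex output, and shows that the carried-over call pattern computes SHA-256(SHA-256(x)) at each stage while the fix restores a single pass. It also includes the known-answer parity check a migration between hashing utilities should keep in its test suite, since a silent change of the token derivation breaks every previously issued token ID.

```python
import hashlib

# Constructed model of the two utility classes named in the issue; NOT MOSIP code.
# Assumption: the digest is SHA-256 and hex output is uppercase. Neither the
# algorithm nor the case affects the comparison below; only the call pattern does.


def generate_hash(data: bytes) -> bytes:
    """Model of generateHash(): one SHA-256 pass, returning raw digest bytes."""
    return hashlib.sha256(data).digest()


def hmacutils_digest_as_plain_text(digest: bytes) -> str:
    """Model of HMACUtils.digestAsPlainText(): hex-encode only; the caller hashes."""
    return digest.hex().upper()


def hmacutils2_digest_as_plain_text(data: bytes) -> str:
    """Model of HMACUtils2.digestAsPlainText(): hash AND hex-encode internally."""
    return generate_hash(data).hex().upper()


def token_id_legacy(uin: str, uin_salt: str, partner_code: str, partner_code_salt: str) -> str:
    """Original pattern against the old API: hash explicitly, then hex-encode."""
    uin_hash = hmacutils_digest_as_plain_text(generate_hash((uin + uin_salt).encode()))
    return hmacutils_digest_as_plain_text(
        generate_hash((partner_code_salt + partner_code + uin_hash).encode()))


def token_id_double_hashed(uin: str, uin_salt: str, partner_code: str, partner_code_salt: str) -> str:
    """Same pattern carried over to HMACUtils2 unchanged: every stage is hashed twice."""
    uin_hash = hmacutils2_digest_as_plain_text(generate_hash((uin + uin_salt).encode()))
    return hmacutils2_digest_as_plain_text(
        generate_hash((partner_code_salt + partner_code + uin_hash).encode()))


def token_id_fixed(uin: str, uin_salt: str, partner_code: str, partner_code_salt: str) -> str:
    """Corrected pattern: let HMACUtils2 do the single hash-and-encode."""
    uin_hash = hmacutils2_digest_as_plain_text((uin + uin_salt).encode())
    return hmacutils2_digest_as_plain_text(
        (partner_code_salt + partner_code + uin_hash).encode())


def migration_parity_check(uin: str, uin_salt: str, partner_code: str, partner_code_salt: str) -> bool:
    """Known-answer check to keep when swapping hash utilities: the new code path
    must reproduce the token ID the old code path produced for the same input."""
    new = token_id_fixed(uin, uin_salt, partner_code, partner_code_salt)
    old = token_id_legacy(uin, uin_salt, partner_code, partner_code_salt)
    return new == old


if __name__ == "__main__":
    # Constructed sample inputs, not real identifiers or salts.
    sample = ("1234567890", "uinSalt", "PARTNER01", "partnerSalt")
    print("legacy (HMACUtils) :", token_id_legacy(*sample))
    print("double-hashed      :", token_id_double_hashed(*sample))
    print("fixed (HMACUtils2) :", token_id_fixed(*sample))
    print("parity check       :", migration_parity_check(*sample))
```

Running the module prints three token IDs: the legacy and fixed values match, the double-hashed value does not, which is exactly the regression the parity check would have caught before the migrated code shipped.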
