From 4ee74481c2a237a6b8629f3505acb99efe1d4e5a Mon Sep 17 00:00:00 2001
From: uhensler <urs.hensler@frentix.com>
Date: Tue, 23 Apr 2019 11:08:27 +0200
Subject: [PATCH] OO-4009: Better validation of JWT secret and lazy
 instantiation of JWT key

---
 .../doceditor/onlyoffice/OnlyOfficeModule.java      | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/olat/core/commons/services/doceditor/onlyoffice/OnlyOfficeModule.java b/src/main/java/org/olat/core/commons/services/doceditor/onlyoffice/OnlyOfficeModule.java
index f2eedf58767..0edd872c943 100644
--- a/src/main/java/org/olat/core/commons/services/doceditor/onlyoffice/OnlyOfficeModule.java
+++ b/src/main/java/org/olat/core/commons/services/doceditor/onlyoffice/OnlyOfficeModule.java
@@ -23,6 +23,8 @@ import java.security.Key;
 
 import org.olat.core.configuration.AbstractSpringModule;
 import org.olat.core.configuration.ConfigOnOff;
+import org.olat.core.logging.OLog;
+import org.olat.core.logging.Tracing;
 import org.olat.core.util.StringHelper;
 import org.olat.core.util.coordinate.CoordinatorManager;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -40,6 +42,8 @@ import io.jsonwebtoken.security.Keys;
 @Service
 public class OnlyOfficeModule extends AbstractSpringModule implements ConfigOnOff {
 
+	private static final OLog log = Tracing.createLoggerFor(OnlyOfficeModule.class);
+
 	private static final String ONLYOFFICE_ENABLED = "onlyoffice.enabled";
 	private static final String ONLYOFFICE_API_URL = "onlyoffice.apiUrl";
 	private static final String ONLYOFFICE_JWT_SECRET = "onlyoffice.jwt.secret";
@@ -80,7 +84,6 @@ public class OnlyOfficeModule extends AbstractSpringModule implements ConfigOnOf
 		String jwtSecretObj = getStringPropertyValue(ONLYOFFICE_JWT_SECRET, true);
 		if(StringHelper.containsNonWhitespace(jwtSecretObj)) {
 			jwtSecret = jwtSecretObj;
-			jwtSignKey = Keys.hmacShaKeyFor(jwtSecret.getBytes());
 		}
 	}
 
@@ -109,11 +112,17 @@ public class OnlyOfficeModule extends AbstractSpringModule implements ConfigOnOf
 
 	public void setJwtSecret(String jwtSecret) {
 		this.jwtSecret = jwtSecret;
-		this.jwtSignKey = Keys.hmacShaKeyFor(jwtSecret.getBytes());
 		setStringProperty(ONLYOFFICE_JWT_SECRET, jwtSecret, true);
 	}
 
 	public Key getJwtSignKey() {
+		if (jwtSignKey == null) {
+			try {
+				jwtSignKey = Keys.hmacShaKeyFor(jwtSecret.getBytes());
+			} catch (Exception e) {
+				log.error("", e);
+			}
+		}
 		return jwtSignKey;
 	}
 
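Review bot: The key cached by `getJwtSignKey()` is never invalidated, so once it has been built, `setJwtSecret()` stores a new secret while the getter keeps returning the key derived from the old one. The property-loading method in the earlier hunk (`@@ -80,7 +84,6`, body starts outside the hunk) has the same gap, since it now assigns `jwtSecret` without touching `jwtSignKey`. Adding `this.jwtSignKey = null;` next to both assignments lets a rotated secret take effect on the next call. Separately, `jwtSecret.getBytes()` uses the platform default charset, so a non-ASCII secret can yield different HMAC keys on different hosts; `jwtSecret.getBytes(StandardCharsets.UTF_8)` pins it, assuming the OnlyOffice side also encodes the secret as UTF-8. The `catch (Exception e)` also swallows a null or too-short secret, logs with an empty message and returns `null`, so callers (not visible here) need a null check, and a message such as `log.error("Cannot create OnlyOffice JWT key from the configured secret", e)` would make the cause visible.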
-- 
GitLab