author | Andras Timar <andras.timar@collabora.com> | 2018-09-28 11:54:20 +0200 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2018-10-05 16:38:46 +0200 |
commit | 2d62529359da64cadf74c345716f64ce4c77c23c (patch) | |
tree | 62f1af270905f0c7b76973038e97fedd140e90a1 | |
parent | c745732ac7337723d9a493086284d18d0364e82a (diff) |
don't use ssl key file for admin console auth, use a generated key instead
Change-Id: I424afe0184a64b7f069d896bde6941e42b7b5531
rationale: setup is easier when the user does not use SSL in the loolwsd config
Reviewed-on: https://gerrit.libreoffice.org/61076
Reviewed-by: Andras Timar <andras.timar@collabora.com>
Tested-by: Andras Timar <andras.timar@collabora.com>
-rw-r--r-- | wsd/Admin.cpp | 4 | ||||
-rw-r--r-- | wsd/Auth.cpp | 2 | ||||
-rw-r--r-- | wsd/Auth.hpp | 5 | ||||
-rw-r--r-- | wsd/FileServer.cpp | 5 | ||||
-rw-r--r-- | wsd/README | 3 |
5 files changed, 8 insertions, 11 deletions
diff --git a/wsd/Admin.cpp b/wsd/Admin.cpp
index b8d8d6afd..6025c59a5 100644
--- a/wsd/Admin.cpp
+++ b/wsd/Admin.cpp
@@ -76,11 +76,9 @@ void AdminSocketHandler::handleMessage(bool /* fin */, WSOpCode /* code */,
 }
 std::string jwtToken;
 LOOLProtocol::getTokenString(tokens[1], "jwt", jwtToken);
- const auto& config = Application::instance().config();
- const std::string sslKeyPath = config.getString("ssl.key_file_path", "");
 LOG_INF("Verifying JWT token: " << jwtToken);
- JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin");
+ JWTAuth authAgent("admin", "admin", "admin");
 if (authAgent.verify(jwtToken))
 {
 LOG_TRC("JWT token is valid");
diff --git a/wsd/Auth.cpp b/wsd/Auth.cpp
index 8b1a0ec77..6be7eceea 100644
--- a/wsd/Auth.cpp
+++ b/wsd/Auth.cpp
@@ -37,6 +37,8 @@ using Poco::Base64Decoder;
 using Poco::Base64Encoder;
 using Poco::OutputLineEndingConverter;
+const Poco::Crypto::RSAKey JWTAuth::_key(Poco::Crypto::RSAKey(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE));
+
 void Authorization::authorizeURI(Poco::URI& uri) const
 {
 if (_type == Authorization::Type::Token)
diff --git a/wsd/Auth.hpp b/wsd/Auth.hpp
index 1832b7868..3616b0144 100644
--- a/wsd/Auth.hpp
+++ b/wsd/Auth.hpp
@@ -73,11 +73,10 @@ public:
 class JWTAuth : public AuthBase
 {
 public:
- JWTAuth(const std::string& keyPath, const std::string& name, const std::string& sub, const std::string& aud)
+ JWTAuth(const std::string& name, const std::string& sub, const std::string& aud)
 : _name(name),
 _sub(sub),
 _aud(aud),
- _key(Poco::Crypto::RSAKey("", keyPath)),
 _digestEngine(_key, "SHA256")
 {
 }
@@ -100,7 +99,7 @@ private:
 const std::string _sub;
 const std::string _aud;
- const Poco::Crypto::RSAKey _key;
+ static const Poco::Crypto::RSAKey _key;
 Poco::Crypto::RSADigestEngine _digestEngine;
 };
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index e0b475595..fde70d242 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
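Review bot: The new `JWTAuth::_key` definition generates a 2048-bit RSA key during static initialization of Auth.cpp, before `main()` runs, and nothing in the hunk records that the key is process-local and never persisted; add `// Process-local JWT signing key, generated once per start-up: admin sessions do not survive a restart.` above it. Moving admin-token signing off the TLS private key is the right direction (it ends the reuse of one key for both TLS and token signing), but tokens issued by one process will presumably not verify in another loolwsd process, which matters if several instances serve the same admin console. The copy from a temporary is also redundant; `const Poco::Crypto::RSAKey JWTAuth::_key(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE);` says the same thing. Whether Poco's RSAKey generation is safe to run that early, ahead of the rest of loolwsd's OpenSSL setup, cannot be confirmed from this hunk.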
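Review bot: The constructor's `_digestEngine(_key, "SHA256")` now reads a static member whose initializer lives in Auth.cpp, so a `JWTAuth` constructed during static initialization of any other translation unit would use `_key` before it is built (the usual static-initialization-order problem); a function-local static behind an accessor, `static const Poco::Crypto::RSAKey& signingKey();` declared here and defined in Auth.cpp as `static const Poco::Crypto::RSAKey key(Poco::Crypto::RSAKey::KL_2048, Poco::Crypto::RSAKey::EXP_LARGE); return key;`, is initialized on first use and thread-safe since C++11. The second hunk changes `_key` to `static const` without a comment; `// Shared by all JWTAuth instances; generated once per process, see Auth.cpp.` would tell the next reader why the key no longer comes from the constructor. The class body continues outside both hunks.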
@@ -196,7 +196,6 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
 assert(LOOLWSD::AdminEnabled);
 const auto& config = Application::instance().config();
- const std::string& sslKeyPath = config.getString("ssl.key_file_path", "");
 NameValueCollection cookies;
 request.getCookies(cookies);
@@ -204,7 +203,7 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
 {
 const std::string jwtToken = cookies.get("jwt");
 LOG_INF("Verifying JWT token: " << jwtToken);
- JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin");
+ JWTAuth authAgent("admin", "admin", "admin");
 if (authAgent.verify(jwtToken))
 {
 LOG_TRC("JWT token is valid");
@@ -247,7 +246,7 @@ bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
 }
 // authentication passed, generate and set the cookie
- JWTAuth authAgent(sslKeyPath, "admin", "admin", "admin");
+ JWTAuth authAgent("admin", "admin", "admin");
 const std::string jwtToken = authAgent.getAccessToken();
 Poco::Net::HTTPCookie cookie("jwt", jwtToken);
diff --git a/wsd/README b/wsd/README
index 172c85f73..3c42f674b 100644
--- a/wsd/README
+++ b/wsd/README
@@ -183,8 +183,7 @@ there is a less verbose way, but this worked for me:
 openssl ca -keyfile private/ca.key.pem -cert ca.cert.pem -extensions usr_cert -notext -md sha256 -in csr.pem -out cert.pem
 HTTPS is the default. HTTP-only mode can be enabled with --disable-ssl
-configure option. key.pem is required even in HTTP-only mode, because it is
-used to generate the secure token for the admin console.
+configure option.
 If you plan to hack on loolwsd, you probably want to familiarize yourself
 with loolwsd's --numprespawns switch, and the 'connect' |
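Review bot: In the first hunk `const auto& config = Application::instance().config();` stays after its only visible use, the `sslKeyPath` lookup, is removed; if nothing further down in `isAdminLoggedIn` reads `config` (the function body continues past the hunk), it is now an unused local and should go as the Admin.cpp hunk did for its counterpart, otherwise leave it. The same `JWTAuth authAgent("admin", "admin", "admin");` construction is repeated in the second and third hunks, so the verify and issue sites must stay in step; a short comment at the third, `// Signed with the per-process key from Auth.cpp: the cookie stops verifying after a restart.`, would make the cookie's lifetime expectation explicit.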