Improve asymmetric key check in CryptographyHMACKey
This change should fix the mpdavis#346 security issue. The code is based on the pyjwt change jpadilla/pyjwt@9c52867.
Showing
2 changed files
with
98 additions
and
9 deletions.
@@ -1,3 +1,4 @@ | ||
import re | ||
import math | ||
import warnings | ||
|
||
|
@@ -22,6 +23,68 @@ | |
_binding = None | ||
|
||
|
||
# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc | ||
# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252 | ||
_PEMS = { | ||
b"CERTIFICATE", | ||
b"TRUSTED CERTIFICATE", | ||
b"PRIVATE KEY", | ||
b"PUBLIC KEY", | ||
b"ENCRYPTED PRIVATE KEY", | ||
b"OPENSSH PRIVATE KEY", | ||
b"DSA PRIVATE KEY", | ||
b"RSA PRIVATE KEY", | ||
b"RSA PUBLIC KEY", | ||
b"EC PRIVATE KEY", | ||
b"DH PARAMETERS", | ||
b"NEW CERTIFICATE REQUEST", | ||
b"CERTIFICATE REQUEST", | ||
b"SSH2 PUBLIC KEY", | ||
b"SSH2 ENCRYPTED PRIVATE KEY", | ||
b"X509 CRL", | ||
} | ||
|
||
|
||
_PEM_RE = re.compile( | ||
b"----[- ]BEGIN (" | ||
+ b"|".join(_PEMS) | ||
+ b""")[- ]----\r? | ||
.+?\r? | ||
----[- ]END \\1[- ]----\r?\n?""", | ||
re.DOTALL, | ||
) | ||
|
||
|
||
def is_pem_format(key): | ||
return bool(_PEM_RE.search(key)) | ||
|
||
|
||
# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46 | ||
_CERT_SUFFIX = b"[email protected]" | ||
_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)") | ||
_SSH_KEY_FORMATS = [ | ||
b"ssh-ed25519", | ||
b"ssh-rsa", | ||
b"ssh-dss", | ||
b"ecdsa-sha2-nistp256", | ||
b"ecdsa-sha2-nistp384", | ||
b"ecdsa-sha2-nistp521", | ||
] | ||
|
||
|
||
def is_ssh_key(key): | ||
if any(string_value in key for string_value in _SSH_KEY_FORMATS): | ||
return True | ||
|
||
ssh_pubkey_match = _SSH_PUBKEY_RC.match(key) | ||
if ssh_pubkey_match: | ||
key_type = ssh_pubkey_match.group(1) | ||
if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]: | ||
return True | ||
|
||
return False | ||
|
||
|
||
def get_random_bytes(num_bytes): | ||
""" | ||
Get random bytes | ||
|
@@ -552,14 +615,7 @@ def __init__(self, key, algorithm): | |
if isinstance(key, str): | ||
key = key.encode("utf-8") | ||
|
||
invalid_strings = [ | ||
b"-----BEGIN PUBLIC KEY-----", | ||
b"-----BEGIN RSA PUBLIC KEY-----", | ||
b"-----BEGIN CERTIFICATE-----", | ||
b"ssh-rsa", | ||
] | ||
|
||
if any(string_value in key for string_value in invalid_strings): | ||
if is_pem_format(key) or is_ssh_key(key): | ||
raise JWKError( | ||
"The specified key is an asymmetric key or x509 certificate and" | ||
" should not be used as an HMAC secret." | ||
|
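Review bot: `is_pem_format` matches only a complete armored block (a BEGIN line, a `\n`, a body and an END line with the same label), so in `__init__` a key with a PEM header but a missing or altered footer, or with CR-only line endings, is no longer rejected, whereas the removed `invalid_strings` check rejected on the header substring alone. This guard exists to stop a verification key being accepted as an HMAC secret, so failing closed on the header is the safer default: `if b"-----BEGIN " in key or is_pem_format(key) or is_ssh_key(key):`. Both helpers accept bytes only because their patterns are bytes, and each deserves a one-line docstring saying so, e.g. `"""Return True if *key* (bytes) contains a PEM-armored block of a known type."""`. The `_CERT_SUFFIX` literal appears on this page as an obfuscated e-mail placeholder, so verify it against the referenced cryptography source instead of copying it from here. `__init__` starts and ends outside the hunk.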