Skip to content

Commit

Permalink
native: Improve asymmetric key check in CryptographyHMACKey
Browse files Browse the repository at this point in the history
Implement same is_pem_format in native backend.
  • Loading branch information
danigm committed May 6, 2024
1 parent 6965967 commit c998b7b
Show file tree
Hide file tree
Showing 4 changed files with 79 additions and 81 deletions.
74 changes: 1 addition & 73 deletions jose/backends/cryptography_backend.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
import re
import math
import warnings

Expand All @@ -18,83 +17,12 @@
from ..constants import ALGORITHMS
from ..exceptions import JWEError, JWKError
from ..utils import base64_to_long, base64url_decode, base64url_encode, ensure_binary, long_to_base64
from ..utils import is_pem_format, is_ssh_key
from .base import Key

_binding = None


# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252
_PEMS = {
b"CERTIFICATE",
b"TRUSTED CERTIFICATE",
b"PRIVATE KEY",
b"PUBLIC KEY",
b"ENCRYPTED PRIVATE KEY",
b"OPENSSH PRIVATE KEY",
b"DSA PRIVATE KEY",
b"RSA PRIVATE KEY",
b"RSA PUBLIC KEY",
b"EC PRIVATE KEY",
b"DH PARAMETERS",
b"NEW CERTIFICATE REQUEST",
b"CERTIFICATE REQUEST",
b"SSH2 PUBLIC KEY",
b"SSH2 ENCRYPTED PRIVATE KEY",
b"X509 CRL",
}


_PEM_RE = re.compile(
b"----[- ]BEGIN ("
+ b"|".join(_PEMS)
+ b""")[- ]----\r?
.+?\r?
----[- ]END \\1[- ]----\r?\n?""",
re.DOTALL,
)


def is_pem_format(key):
"""
Return True if the key is PEM format
This function uses the list of valid PEM headers defined in
_PEMS dict.
"""
return bool(_PEM_RE.search(key))


# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46
_CERT_SUFFIX = b"[email protected]"
_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)")
_SSH_KEY_FORMATS = [
b"ssh-ed25519",
b"ssh-rsa",
b"ssh-dss",
b"ecdsa-sha2-nistp256",
b"ecdsa-sha2-nistp384",
b"ecdsa-sha2-nistp521",
]


def is_ssh_key(key):
"""
Return True if the key is a SSH key
This function uses the list of valid SSH key format defined in
_SSH_KEY_FORMATS dict.
"""
if any(string_value in key for string_value in _SSH_KEY_FORMATS):
return True

ssh_pubkey_match = _SSH_PUBKEY_RC.match(key)
if ssh_pubkey_match:
key_type = ssh_pubkey_match.group(1)
if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]:
return True

return False


def get_random_bytes(num_bytes):
"""
Get random bytes
Expand Down
10 changes: 2 additions & 8 deletions jose/backends/native.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
from jose.constants import ALGORITHMS
from jose.exceptions import JWKError
from jose.utils import base64url_decode, base64url_encode
from jose.utils import is_pem_format, is_ssh_key


def get_random_bytes(num_bytes):
Expand Down Expand Up @@ -36,14 +37,7 @@ def __init__(self, key, algorithm):
if isinstance(key, str):
key = key.encode("utf-8")

invalid_strings = [
b"-----BEGIN PUBLIC KEY-----",
b"-----BEGIN RSA PUBLIC KEY-----",
b"-----BEGIN CERTIFICATE-----",
b"ssh-rsa",
]

if any(string_value in key for string_value in invalid_strings):
if is_pem_format(key) or is_ssh_key(key):
raise JWKError(
"The specified key is an asymmetric key or x509 certificate and"
" should not be used as an HMAC secret."
Expand Down
73 changes: 73 additions & 0 deletions jose/utils.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import re
import base64
import struct

Expand Down Expand Up @@ -105,3 +106,75 @@ def ensure_binary(s):
if isinstance(s, str):
return s.encode("utf-8", "strict")
raise TypeError(f"not expecting type '{type(s)}'")


# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252
_PEMS = {
b"CERTIFICATE",
b"TRUSTED CERTIFICATE",
b"PRIVATE KEY",
b"PUBLIC KEY",
b"ENCRYPTED PRIVATE KEY",
b"OPENSSH PRIVATE KEY",
b"DSA PRIVATE KEY",
b"RSA PRIVATE KEY",
b"RSA PUBLIC KEY",
b"EC PRIVATE KEY",
b"DH PARAMETERS",
b"NEW CERTIFICATE REQUEST",
b"CERTIFICATE REQUEST",
b"SSH2 PUBLIC KEY",
b"SSH2 ENCRYPTED PRIVATE KEY",
b"X509 CRL",
}


_PEM_RE = re.compile(
b"----[- ]BEGIN ("
+ b"|".join(_PEMS)
+ b""")[- ]----\r?
.+?\r?
----[- ]END \\1[- ]----\r?\n?""",
re.DOTALL,
)


def is_pem_format(key):
"""
Return True if the key is PEM format
This function uses the list of valid PEM headers defined in
_PEMS dict.
"""
return bool(_PEM_RE.search(key))


# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46
_CERT_SUFFIX = b"[email protected]"
_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)")
_SSH_KEY_FORMATS = [
b"ssh-ed25519",
b"ssh-rsa",
b"ssh-dss",
b"ecdsa-sha2-nistp256",
b"ecdsa-sha2-nistp384",
b"ecdsa-sha2-nistp521",
]


def is_ssh_key(key):
"""
Return True if the key is a SSH key
This function uses the list of valid SSH key format defined in
_SSH_KEY_FORMATS dict.
"""
if any(string_value in key for string_value in _SSH_KEY_FORMATS):
return True

ssh_pubkey_match = _SSH_PUBKEY_RC.match(key)
if ssh_pubkey_match:
key_type = ssh_pubkey_match.group(1)
if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]:
return True

return False
3 changes: 3 additions & 0 deletions tests/algorithms/test_HMAC.py
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,17 @@ def test_non_string_key(self):

def test_RSA_key(self):
key = "-----BEGIN PUBLIC KEY-----"
key += "\n\n\n-----END PUBLIC KEY-----"
with pytest.raises(JOSEError):
HMACKey(key, ALGORITHMS.HS256)

key = "-----BEGIN RSA PUBLIC KEY-----"
key += "\n\n\n-----END RSA PUBLIC KEY-----"
with pytest.raises(JOSEError):
HMACKey(key, ALGORITHMS.HS256)

key = "-----BEGIN CERTIFICATE-----"
key += "\n\n\n-----END CERTIFICATE-----"
with pytest.raises(JOSEError):
HMACKey(key, ALGORITHMS.HS256)

Expand Down

0 comments on commit c998b7b

Please sign in to comment.