Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove ecdsa dependency #403

Merged
merged 6 commits into from
May 23, 2024
Merged

Remove ecdsa dependency #403

merged 6 commits into from
May 23, 2024

Conversation

agburch
Copy link
Contributor

@agburch agburch commented May 15, 2024

This PR proposes to remove the ecdsa dependency completely by refactoring to use jwcrypto and pyjwt. This change is motivated by the recent CVE that demonstrated the potential vulnerabilities in ecdsa. But regardless of any specific vuln, the maintainers of the ecdsa library have commented to suggest that it is not intended for "production use":
https://github.com/tlsfuzzer/python-ecdsa?tab=readme-ov-file#Security

By removing python-jose this PR does remove functionality from the jwt module (e.g. specifying alternate hash algorithms or JWT_OPTIONS). But as of today, these features appear to be unused. However please let me know if I'm mistaken here. As far as this PR is concerned though, the output of JWT.create_token() has not changed.

I believe this PR extends the work done in PR #398 by fully removing the package in question. It should also address:
Issues #395
Issues #388

@agburch agburch changed the title Remove vulnerable dependencies Remove ecdsa dependency May 15, 2024
@agburch agburch marked this pull request as ready for review May 15, 2024 19:59
@agburch
Copy link
Contributor Author

agburch commented May 15, 2024

@justinabrokwah-okta - I'm curious to get your thoughts here, I think you might be the most familiar with the current implementation.

@justinabrokwah-okta
Copy link
Contributor

@justinabrokwah-okta - I'm curious to get your thoughts here, I think you might be the most familiar with the current implementation.

Thanks so much for this PR, sorry for the delay in response. I'll try to take a look at this today but skimming through, it looks like an overdue change to make. Also tagging @bryanapellanes-okta for visibility

@bryanapellanes-okta
Copy link
Contributor

@agburch Thank you so much for your contribution! I'll review this week and consult with @justinabrokwah-okta . If no issues or concerns arise, I'll plan to merge and publish a new release by the end of next week.

bryanapellanes-okta
bryanapellanes-okta approved these changes May 23, 2024
View reviewed changes
Copy link
Contributor

@bryanapellanes-okta bryanapellanes-okta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@bryanapellanes-okta bryanapellanes-okta merged commit 51e9c96 into okta:master May 23, 2024
3 of 4 checks passed
@agburch agburch deleted the agburch/remove_python_jose branch May 28, 2024 15:19
This was referenced May 30, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justinabrokwah-okta justinabrokwah-okta justinabrokwah-okta approved these changes

@bryanapellanes-okta bryanapellanes-okta bryanapellanes-okta approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@agburch @justinabrokwah-okta @bryanapellanes-okta