Improve asymmetric key check in CryptographyHMACKey

This change should fix #346 security issue. The code is based on pyjwt change: jpadilla/pyjwt@9c52867
mpdavis · May 31, 2024 · 9320fed · 9320fed
1 parent 58e543e
commit 9320fed
Show file tree

Hide file tree

Showing 6 changed files with 168 additions and 59 deletions.
diff --git a/jose/backends/cryptography_backend.py b/jose/backends/cryptography_backend.py
@@ -17,6 +17,7 @@
 from ..constants import ALGORITHMS
 from ..exceptions import JWEError, JWKError
 from ..utils import base64_to_long, base64url_decode, base64url_encode, ensure_binary, long_to_base64
+from ..utils import is_pem_format, is_ssh_key
 from .base import Key
 
 _binding = None
@@ -555,14 +556,7 @@ def __init__(self, key, algorithm):
         if isinstance(key, str):
             key = key.encode("utf-8")
 
-        invalid_strings = [
-            b"-----BEGIN PUBLIC KEY-----",
-            b"-----BEGIN RSA PUBLIC KEY-----",
-            b"-----BEGIN CERTIFICATE-----",
-            b"ssh-rsa",
-        ]
-
-        if any(string_value in key for string_value in invalid_strings):
+        if is_pem_format(key) or is_ssh_key(key):
             raise JWKError(
                 "The specified key is an asymmetric key or x509 certificate and"
                 " should not be used as an HMAC secret."

diff --git a/jose/backends/native.py b/jose/backends/native.py
@@ -6,6 +6,7 @@
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
 from jose.utils import base64url_decode, base64url_encode
+from jose.utils import is_pem_format, is_ssh_key
 
 
 def get_random_bytes(num_bytes):
@@ -36,14 +37,7 @@ def __init__(self, key, algorithm):
         if isinstance(key, str):
             key = key.encode("utf-8")
 
-        invalid_strings = [
-            b"-----BEGIN PUBLIC KEY-----",
-            b"-----BEGIN RSA PUBLIC KEY-----",
-            b"-----BEGIN CERTIFICATE-----",
-            b"ssh-rsa",
-        ]
-
-        if any(string_value in key for string_value in invalid_strings):
+        if is_pem_format(key) or is_ssh_key(key):
             raise JWKError(
                 "The specified key is an asymmetric key or x509 certificate and"
                 " should not be used as an HMAC secret."

diff --git a/jose/jwt.py b/jose/jwt.py
@@ -141,6 +141,14 @@ def decode(token, key, algorithms=None, options=None, audience=None, issuer=None
 
     verify_signature = defaults.get("verify_signature", True)
 
+    # Forbid the usage of the jwt.decode without alogrightms parameter
+    # See https://github.com/mpdavis/python-jose/issues/346 for more
+    # information CVE-2024-33663
+    if verify_signature and algorithms is None:
+        raise JWTError("It is required that you pass in a value for "
+                       'the "algorithms" argument when calling '
+                       "decode().")
+
     try:
         payload = jws.verify(token, key, algorithms, verify=verify_signature)
     except JWSError as e:

diff --git a/jose/utils.py b/jose/utils.py
@@ -1,3 +1,4 @@
+import re
 import base64
 import struct
 
@@ -105,3 +106,75 @@ def ensure_binary(s):
     if isinstance(s, str):
         return s.encode("utf-8", "strict")
     raise TypeError(f"not expecting type '{type(s)}'")
+
+
+# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
+# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252
+_PEMS = {
+    b"CERTIFICATE",
+    b"TRUSTED CERTIFICATE",
+    b"PRIVATE KEY",
+    b"PUBLIC KEY",
+    b"ENCRYPTED PRIVATE KEY",
+    b"OPENSSH PRIVATE KEY",
+    b"DSA PRIVATE KEY",
+    b"RSA PRIVATE KEY",
+    b"RSA PUBLIC KEY",
+    b"EC PRIVATE KEY",
+    b"DH PARAMETERS",
+    b"NEW CERTIFICATE REQUEST",
+    b"CERTIFICATE REQUEST",
+    b"SSH2 PUBLIC KEY",
+    b"SSH2 ENCRYPTED PRIVATE KEY",
+    b"X509 CRL",
+}
+
+
+_PEM_RE = re.compile(
+    b"----[- ]BEGIN ("
+    + b"|".join(_PEMS)
+    + b""")[- ]----\r?
+.+?\r?
+----[- ]END \\1[- ]----\r?\n?""",
+    re.DOTALL,
+)
+
+
+def is_pem_format(key):
+    """
+    Return True if the key is PEM format
+    This function uses the list of valid PEM headers defined in
+    _PEMS dict.
+    """
+    return bool(_PEM_RE.search(key))
+
+
+# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46
+_CERT_SUFFIX = b"[email protected]"
+_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)")
+_SSH_KEY_FORMATS = [
+    b"ssh-ed25519",
+    b"ssh-rsa",
+    b"ssh-dss",
+    b"ecdsa-sha2-nistp256",
+    b"ecdsa-sha2-nistp384",
+    b"ecdsa-sha2-nistp521",
+]
+
+
+def is_ssh_key(key):
+    """
+    Return True if the key is a SSH key
+    This function uses the list of valid SSH key format defined in
+    _SSH_KEY_FORMATS dict.
+    """
+    if any(string_value in key for string_value in _SSH_KEY_FORMATS):
+        return True
+
+    ssh_pubkey_match = _SSH_PUBKEY_RC.match(key)
+    if ssh_pubkey_match:
+        key_type = ssh_pubkey_match.group(1)
+        if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]:
+            return True
+
+    return False
diff --git a/tests/algorithms/test_HMAC.py b/tests/algorithms/test_HMAC.py
@@ -14,14 +14,17 @@ def test_non_string_key(self):
 
     def test_RSA_key(self):
         key = "-----BEGIN PUBLIC KEY-----"
+        key += "\n\n\n-----END PUBLIC KEY-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
 
         key = "-----BEGIN RSA PUBLIC KEY-----"
+        key += "\n\n\n-----END RSA PUBLIC KEY-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
 
         key = "-----BEGIN CERTIFICATE-----"
+        key += "\n\n\n-----END CERTIFICATE-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)