Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add validation to prevent asymmetric keys from being used as secrets for non-asymmetric algorithms #105

Closed
mark-adams opened this issue Mar 17, 2015 · 0 comments
Closed

Add validation to prevent asymmetric keys from being used as secrets for non-asymmetric algorithms #105

mark-adams opened this issue Mar 17, 2015 · 0 comments
Milestone
v1.0.0

Comments

@mark-adams
Copy link
Contributor

We should validate that the secret is not a asymmetric key or certificate for HMAC.

Example:
Create an HS256 token. Generate the HMAC signature using the literal bytes of the public key file (often in the PEM format). This will confuse the implementation into interpreting the public key file as an HMAC key.
mark-adams added a commit to mark-adams/pyjwt that referenced this issue Mar 17, 2015
@mark-adams
Added a check so that asymmetric keys cannot be used as HMAC secrets to
e487a0b 
fix jpadilla#105
@jpadilla jpadilla modified the milestone: v1.0.0 Mar 17, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.0.0
Development

No branches or pull requests
2 participants
@jpadilla @mark-adams