Merge branch 'master' into update-pyasn

Author: asherf

.github/workflows/ci.yml

@@ -15,27 +15,27 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", "pypy3.9"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "pypy3.9"]
         os: [ubuntu-latest, macos-latest, windows-latest]
         exclude:
           - os: macos-latest
-            python-version:  "pypy3.9"
+            python-version:  "pypy3.9"          
           - os: windows-latest
             python-version:  "pypy3.9"
     runs-on: ${{ matrix.os }}
     name: "${{ matrix.os }} Python: ${{ matrix.python-version }}"
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
-        pip install -U "pip>=23.1.2"
-        pip install -U "tox-gh-actions==3.1.0" coverage
+        pip install -U "pip>=25.1.1"
+        pip install -U "tox-gh-actions==3.3.0" coverage
     - name: Log python & pip versions
       run: |
         python --version
@@ -51,23 +51,23 @@ jobs:
   linting:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v4
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
       with:
-        python-version: 3.9
+        python-version: "3.12"
     - name: Install dependencies
       run: |
         pip install -U setuptools 
-        pip install -U "tox>=4.5.1,<5"
+        pip install -U "tox>=4.26.0,<5"
     - run: tox -e lint
   package:
     name: Build & verify package
     runs-on: "ubuntu-latest"
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
-          python-version: "3.9"
+          python-version: "3.12"
       - name: Install build, check-wheel-content, and twine
         run: "python -m pip install build twine check-wheel-contents"
       - name: Build package

CHANGELOG.md

@@ -1,17 +1,26 @@
 # Changelog #
 
-## 3.4.0 -- UNPUBLISHED ##
+## 3.4.0 -- 2025-02-14 ##
 
 ### News ###
 
-* Remove support for python 3.6
+* Remove support for Python 3.6 and 3.7
+* Added support for Python 3.10 and 3.11
+
+### Bug fixes and Improvements ###
+* Updating `CryptographyAESKey::encrypt` to generate 96 bit IVs for GCM block
+  cipher mode
+* Fix for PEM key comparisons caused by line lengths and new lines
+* Fix for CVE-2024-33664 - JWE limited to 250KiB
+* Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
+* Replace usage of deprecated datetime.utcnow() with datetime.now(UTC) 
 
 ### Housekeeping ###
 
 * Updated Github Actions Workflows
 * Updated to use tox 4.x
 * Revise codecov integration
-
+* Fixed DeprecationWarnings
 
 ## 3.3.0 -- 2021-06-04 ##
 

README.rst

@@ -87,8 +87,8 @@ This library was originally based heavily on the work of the folks over at PyJWT
 .. |pypi| image:: https://img.shields.io/pypi/v/python-jose?style=flat-square
    :target: https://pypi.org/project/python-jose/
    :alt: PyPI
-.. |Github Actions CI Status| image:: https://github.com/mpdavis/python-jose/workflows/main/badge.svg?branch=master
-   :target: https://github.com/mpdavis/python-jose/actions?workflow=main
+.. |Github Actions CI Status| image:: https://github.com/mpdavis/python-jose/actions/workflows/ci.yml/badge.svg
+   :target: https://github.com/mpdavis/python-jose/actions/workflows/ci.yml
    :alt: Github Actions CI Status
 .. |Coverage Status| image:: http://codecov.io/github/mpdavis/python-jose/coverage.svg?branch=master
    :target: http://codecov.io/github/mpdavis/python-jose?branch=master

TODO.md

@@ -14,6 +14,6 @@
 * Refactor Algorithm logic with set Exceptions to return
 * Add HTML documentation
 * Implement ECSDA signing
-* Refactor JWT claims verifcation
+* Refactor JWT claims verification
 * Add actual exceptions instead of using the base exception
 * Audit JWT claims tests and rectify against the spec

docs/jwk/index.rst

@@ -26,7 +26,7 @@ Verifying token signatures
     >>> key = jwk.construct(hmac_key)
     >>>
     >>> message, encoded_sig = token.rsplit('.', 1)
-    >>> decoded_sig = base64url_decode(encoded_sig)
+    >>> decoded_sig = base64url_decode(encoded_sig.encode())
     >>> key.verify(message, decoded_sig)
 
 

jose/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "3.3.0"
+__version__ = "3.4.0"
 __author__ = "Michael Davis"
 __license__ = "MIT"
 __copyright__ = "Copyright 2016 Michael Davis"

jose/backends/__init__.py

@@ -1,10 +1,4 @@
-try:
-    from jose.backends.cryptography_backend import get_random_bytes  # noqa: F401
-except ImportError:
-    try:
-        from jose.backends.pycrypto_backend import get_random_bytes  # noqa: F401
-    except ImportError:
-        from jose.backends.native import get_random_bytes  # noqa: F401
+from jose.backends.native import get_random_bytes  # noqa: F401
 
 try:
     from jose.backends.cryptography_backend import CryptographyRSAKey as RSAKey  # noqa: F401

jose/backends/_asn1.py

@@ -2,6 +2,7 @@
 
 Required by rsa_backend but not cryptography_backend.
 """
+
 from pyasn1.codec.der import decoder, encoder
 from pyasn1.type import namedtype, univ
 

jose/backends/cryptography_backend.py

@@ -3,7 +3,6 @@
 
 from cryptography.exceptions import InvalidSignature, InvalidTag
 from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.bindings.openssl.binding import Binding
 from cryptography.hazmat.primitives import hashes, hmac, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
 from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
@@ -16,35 +15,21 @@
 
 from ..constants import ALGORITHMS
 from ..exceptions import JWEError, JWKError
-from ..utils import base64_to_long, base64url_decode, base64url_encode, ensure_binary, long_to_base64
+from ..utils import (
+    base64_to_long,
+    base64url_decode,
+    base64url_encode,
+    ensure_binary,
+    is_pem_format,
+    is_ssh_key,
+    long_to_base64,
+)
+from . import get_random_bytes
 from .base import Key
 
 _binding = None
 
 
-def get_random_bytes(num_bytes):
-    """
-    Get random bytes
-
-    Currently, Cryptography returns OS random bytes. If you want OpenSSL
-    generated random bytes, you'll have to switch the RAND engine after
-    initializing the OpenSSL backend
-    Args:
-        num_bytes (int): Number of random bytes to generate and return
-    Returns:
-        bytes: Random bytes
-    """
-    global _binding
-
-    if _binding is None:
-        _binding = Binding()
-
-    buf = _binding.ffi.new("char[]", num_bytes)
-    _binding.lib.RAND_bytes(buf, num_bytes)
-    rand_bytes = _binding.ffi.buffer(buf, num_bytes)[:]
-    return rand_bytes
-
-
 class CryptographyECKey(Key):
     SHA256 = hashes.SHA256
     SHA384 = hashes.SHA384
@@ -439,6 +424,8 @@ class CryptographyAESKey(Key):
         ALGORITHMS.A256KW: None,
     }
 
+    IV_BYTE_LENGTH_MODE_MAP = {"CBC": algorithms.AES.block_size // 8, "GCM": 96 // 8}
+
     def __init__(self, key, algorithm):
         if algorithm not in ALGORITHMS.AES:
             raise JWKError("%s is not a valid AES algorithm" % algorithm)
@@ -468,7 +455,8 @@ def to_dict(self):
     def encrypt(self, plain_text, aad=None):
         plain_text = ensure_binary(plain_text)
         try:
-            iv = get_random_bytes(algorithms.AES.block_size // 8)
+            iv_byte_length = self.IV_BYTE_LENGTH_MODE_MAP.get(self._mode.name, algorithms.AES.block_size)
+            iv = get_random_bytes(iv_byte_length)
             mode = self._mode(iv)
             if mode.name == "GCM":
                 cipher = aead.AESGCM(self._key)
@@ -552,14 +540,7 @@ def __init__(self, key, algorithm):
         if isinstance(key, str):
             key = key.encode("utf-8")
 
-        invalid_strings = [
-            b"-----BEGIN PUBLIC KEY-----",
-            b"-----BEGIN RSA PUBLIC KEY-----",
-            b"-----BEGIN CERTIFICATE-----",
-            b"ssh-rsa",
-        ]
-
-        if any(string_value in key for string_value in invalid_strings):
+        if is_pem_format(key) or is_ssh_key(key):
             raise JWKError(
                 "The specified key is an asymmetric key or x509 certificate and"
                 " should not be used as an HMAC secret."

jose/backends/native.py

@@ -5,7 +5,7 @@
 from jose.backends.base import Key
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
-from jose.utils import base64url_decode, base64url_encode
+from jose.utils import base64url_decode, base64url_encode, is_pem_format, is_ssh_key
 
 
 def get_random_bytes(num_bytes):
@@ -36,14 +36,7 @@ def __init__(self, key, algorithm):
         if isinstance(key, str):
             key = key.encode("utf-8")
 
-        invalid_strings = [
-            b"-----BEGIN PUBLIC KEY-----",
-            b"-----BEGIN RSA PUBLIC KEY-----",
-            b"-----BEGIN CERTIFICATE-----",
-            b"ssh-rsa",
-        ]
-
-        if any(string_value in key for string_value in invalid_strings):
+        if is_pem_format(key) or is_ssh_key(key):
             raise JWKError(
                 "The specified key is an asymmetric key or x509 certificate and"
                 " should not be used as an HMAC secret."