[Python-modules-commits] r32872 - in packages/pyjwt/branches/0.2.1/debian (4 files)

eriol-guest at users.alioth.debian.org eriol-guest at users.alioth.debian.org
Fri Jun 5 01:29:27 UTC 2015


    Date: Friday, June 5, 2015 @ 01:29:24
  Author: eriol-guest
Revision: 32872

Add a check so that asymmetric keys cannot be used as HMAC secrets

Added:
  packages/pyjwt/branches/0.2.1/debian/patches/
  packages/pyjwt/branches/0.2.1/debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch
  packages/pyjwt/branches/0.2.1/debian/patches/series
Modified:
  packages/pyjwt/branches/0.2.1/debian/changelog

Modified: packages/pyjwt/branches/0.2.1/debian/changelog
===================================================================
--- packages/pyjwt/branches/0.2.1/debian/changelog	2015-06-04 23:10:14 UTC (rev 32871)
+++ packages/pyjwt/branches/0.2.1/debian/changelog	2015-06-05 01:29:24 UTC (rev 32872)
@@ -1,3 +1,11 @@
+pyjwt (0.2.1-2) UNRELEASED; urgency=medium
+
+  * debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch
+    - Add a check so that asymmetric keys cannot be used as HMAC
+      secrets. (Closes: #781640)
+
+ -- Daniele Tricoli <eriol at mornie.org>  Fri, 05 Jun 2015 03:25:03 +0200
+
 pyjwt (0.2.1-1) unstable; urgency=low
 
   * Initial release (Closes: #755832)
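
Review bot: The new 0.2.1-2 entry does not say that this is a security fix. A reader of the changelog sees only "Add a check so that asymmetric keys cannot be used as HMAC secrets" and has to open the patch to learn that it rejects public keys and certificates passed as HMAC secrets. Suggest stating that in the entry, and citing the advisory identifier next to "(Closes: #781640)" if one has been assigned.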

Added: packages/pyjwt/branches/0.2.1/debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch
===================================================================
--- packages/pyjwt/branches/0.2.1/debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch	                        (rev 0)
+++ packages/pyjwt/branches/0.2.1/debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch	2015-06-05 01:29:24 UTC (rev 32872)
@@ -0,0 +1,32 @@
+Description: Add a check so that asymmetric keys cannot be used as HMAC
+ secrets.
+Origin: https://github.com/jpadilla/pyjwt/commit/6a84d73f5a48488d3daf554a69500c3f42bb464d
+
+--- a/jwt/__init__.py
++++ b/jwt/__init__.py
+@@ -35,6 +35,10 @@
+     pass
+ 
+ 
++class InvalidAlgorithmError(Exception):
++    pass
++
++
+ signing_methods = {
+     'HS256': lambda msg, key: hmac.new(key, msg, hashlib.sha256).digest(),
+     'HS384': lambda msg, key: hmac.new(key, msg, hashlib.sha384).digest(),
+@@ -53,6 +57,14 @@
+             key = key.encode('utf-8')
+     else:
+         raise TypeError("Expecting a string-formatted key.")
++
++    if (b'-----BEGIN PUBLIC KEY-----' in key
++        or b'-----BEGIN CERTIFICATE-----' in key):
++        raise InvalidAlgorithmError(
++            'The specified key is an assymetric key or x509 certificate and'
++            ' should not be used as an HMAC secret.')
++
++
+     return key
+ 
+ prepare_key_methods = {
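
Review bot: The check added in the inner hunk at "@@ -53,6 +57,14 @@" is a substring denylist with only two markers, '-----BEGIN PUBLIC KEY-----' and '-----BEGIN CERTIFICATE-----', so public keys serialized in any other form (for example a PEM block headed '-----BEGIN RSA PUBLIC KEY-----' or an OpenSSH-style 'ssh-rsa ...' line) are still accepted as HMAC secrets. Suggest extending the marker list to the other public key encodings the package can load and adding a test for each one, since nothing in this patch exercises the new InvalidAlgorithmError path. Two smaller points: the error message spells "assymetric" (worth fixing upstream rather than in the Debian patch), and the patch header carries only Description and Origin, so a Bug-Debian field pointing at #781640 would tie it to the changelog entry.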

Added: packages/pyjwt/branches/0.2.1/debian/patches/series
===================================================================
--- packages/pyjwt/branches/0.2.1/debian/patches/series	                        (rev 0)
+++ packages/pyjwt/branches/0.2.1/debian/patches/series	2015-06-05 01:29:24 UTC (rev 32872)
@@ -0,0 +1 @@
+01_not-use-asymmetric-keys-as-HMAC.patch



