Skip to content

Hardening: Enforce length of keys for HMAC operations #369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
simo5 merged 4 commits into from
Oct 22, 2025
Merged

Hardening: Enforce length of keys for HMAC operations #369

simo5 merged 4 commits into from
Oct 22, 2025

Conversation

@simo5
Copy link
Member

@simo5 simo5 commented Oct 22, 2025

Enforce minimum HMAC key size per RFC 7518

Adds a validation check to ensure that keys used for HMAC-based JWS
algorithms (HS256, HS384, HS512) are at least as large as the hash
algorithm's output size.

This change aligns the library with RFC 7518, Section 3.2, which
mandates this minimum key size.

Fixes #368

simo5 and others added 4 commits October 22, 2025 15:31
@simo5
Enforce minimum HMAC key size per RFC 7518
a958c88 
Adds a validation check to ensure that keys used for HMAC-based JWS
algorithms (HS256, HS384, HS512) are at least as large as the hash
algorithm's output size.

This change aligns the library with RFC 7518, Section 3.2, which
mandates this minimum key size. An `InvalidJWEKeyLength` exception
is now raised if an undersized key is used.

Tests were updated to generate and use keys of the appropriate size to
pass the new validation.

Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5
Make HMAC key length enforcement optional
299b1af 
Adds a new global flag, `jwa.default_enforce_hmac_key_length`, to control
whether RFC 7518 key length requirements are enforced for HMAC-based JWS
algorithms.

By default, the check remains enabled to ensure secure key sizes are used.
Setting this flag to `False` allows the use of undersized keys, providing an
escape hatch for interoperability with non-compliant systems.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5
Document JWA module and update theme
eacc5a4 
This commit improves the project documentation in several ways:

- The internal `jwcrypto.jwa` module, which implements the JSON Web
Algorithms, is now documented.
- Docstrings are added to module-level settings in `jwa.py` to clarify their
purpose and security considerations.
- The main table of contents is reorganized to separate public APIs from
internal modules.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5
Update tox for CI tests
8a0fdff 
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 requested a review from a team October 22, 2025 19:32
rjeffman
rjeffman reviewed Oct 22, 2025
View reviewed changes
rjeffman
rjeffman reviewed Oct 22, 2025
View reviewed changes
Copy link
Collaborator

@rjeffman rjeffman left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the question on the test_mismatching_encoding change, LGTM.

(FreeIPA deployment with ansible-freeipa was not broken with this change.)

@simo5
Copy link
Member Author

simo5 commented Oct 22, 2025

@rjeffman thanks a lot for the review!

@simo5 simo5 merged commit f2921cd into latchset:main Oct 22, 2025
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjeffman rjeffman rjeffman left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HMAc key sizes are not enforced as required by RFC 7518

2 participants

@simo5 @rjeffman