native: Improve asymmetric key check in CryptographyHMACKey

Implement same is_pem_format in native backend.

Author: danigm

jose/backends/cryptography_backend.py

@@ -1,4 +1,3 @@
-import re
 import math
 import warnings
 
@@ -18,83 +17,12 @@
 from ..constants import ALGORITHMS
 from ..exceptions import JWEError, JWKError
 from ..utils import base64_to_long, base64url_decode, base64url_encode, ensure_binary, long_to_base64
+from ..utils import is_pem_format, is_ssh_key
 from .base import Key
 
 _binding = None
 
 
-# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
-# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252
-_PEMS = {
-    b"CERTIFICATE",
-    b"TRUSTED CERTIFICATE",
-    b"PRIVATE KEY",
-    b"PUBLIC KEY",
-    b"ENCRYPTED PRIVATE KEY",
-    b"OPENSSH PRIVATE KEY",
-    b"DSA PRIVATE KEY",
-    b"RSA PRIVATE KEY",
-    b"RSA PUBLIC KEY",
-    b"EC PRIVATE KEY",
-    b"DH PARAMETERS",
-    b"NEW CERTIFICATE REQUEST",
-    b"CERTIFICATE REQUEST",
-    b"SSH2 PUBLIC KEY",
-    b"SSH2 ENCRYPTED PRIVATE KEY",
-    b"X509 CRL",
-}
-
-
-_PEM_RE = re.compile(
-    b"----[- ]BEGIN ("
-    + b"|".join(_PEMS)
-    + b""")[- ]----\r?
-.+?\r?
-----[- ]END \\1[- ]----\r?\n?""",
-    re.DOTALL,
-)
-
-
-def is_pem_format(key):
-    """
-    Return True if the key is PEM format
-    This function uses the list of valid PEM headers defined in
-    _PEMS dict.
-    """
-    return bool(_PEM_RE.search(key))
-
-
-# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46
-_CERT_SUFFIX = b"-cert-v01@openssh.com"
-_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)")
-_SSH_KEY_FORMATS = [
-    b"ssh-ed25519",
-    b"ssh-rsa",
-    b"ssh-dss",
-    b"ecdsa-sha2-nistp256",
-    b"ecdsa-sha2-nistp384",
-    b"ecdsa-sha2-nistp521",
-]
-
-
-def is_ssh_key(key):
-    """
-    Return True if the key is a SSH key
-    This function uses the list of valid SSH key format defined in
-    _SSH_KEY_FORMATS dict.
-    """
-    if any(string_value in key for string_value in _SSH_KEY_FORMATS):
-        return True
-
-    ssh_pubkey_match = _SSH_PUBKEY_RC.match(key)
-    if ssh_pubkey_match:
-        key_type = ssh_pubkey_match.group(1)
-        if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]:
-            return True
-
-    return False
-
-
 def get_random_bytes(num_bytes):
     """
     Get random bytes

jose/backends/native.py

@@ -6,6 +6,7 @@
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
 from jose.utils import base64url_decode, base64url_encode
+from jose.utils import is_pem_format, is_ssh_key
 
 
 def get_random_bytes(num_bytes):
@@ -36,14 +37,7 @@ def __init__(self, key, algorithm):
         if isinstance(key, str):
             key = key.encode("utf-8")
 
-        invalid_strings = [
-            b"-----BEGIN PUBLIC KEY-----",
-            b"-----BEGIN RSA PUBLIC KEY-----",
-            b"-----BEGIN CERTIFICATE-----",
-            b"ssh-rsa",
-        ]
-
-        if any(string_value in key for string_value in invalid_strings):
+        if is_pem_format(key) or is_ssh_key(key):
             raise JWKError(
                 "The specified key is an asymmetric key or x509 certificate and"
                 " should not be used as an HMAC secret."

jose/utils.py

@@ -1,3 +1,4 @@
+import re
 import base64
 import struct
 
@@ -105,3 +106,75 @@ def ensure_binary(s):
     if isinstance(s, str):
         return s.encode("utf-8", "strict")
     raise TypeError(f"not expecting type '{type(s)}'")
+
+
+# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
+# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252
+_PEMS = {
+    b"CERTIFICATE",
+    b"TRUSTED CERTIFICATE",
+    b"PRIVATE KEY",
+    b"PUBLIC KEY",
+    b"ENCRYPTED PRIVATE KEY",
+    b"OPENSSH PRIVATE KEY",
+    b"DSA PRIVATE KEY",
+    b"RSA PRIVATE KEY",
+    b"RSA PUBLIC KEY",
+    b"EC PRIVATE KEY",
+    b"DH PARAMETERS",
+    b"NEW CERTIFICATE REQUEST",
+    b"CERTIFICATE REQUEST",
+    b"SSH2 PUBLIC KEY",
+    b"SSH2 ENCRYPTED PRIVATE KEY",
+    b"X509 CRL",
+}
+
+
+_PEM_RE = re.compile(
+    b"----[- ]BEGIN ("
+    + b"|".join(_PEMS)
+    + b""")[- ]----\r?
+.+?\r?
+----[- ]END \\1[- ]----\r?\n?""",
+    re.DOTALL,
+)
+
+
+def is_pem_format(key):
+    """
+    Return True if the key is PEM format
+    This function uses the list of valid PEM headers defined in
+    _PEMS dict.
+    """
+    return bool(_PEM_RE.search(key))
+
+
+# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46
+_CERT_SUFFIX = b"-cert-v01@openssh.com"
+_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)")
+_SSH_KEY_FORMATS = [
+    b"ssh-ed25519",
+    b"ssh-rsa",
+    b"ssh-dss",
+    b"ecdsa-sha2-nistp256",
+    b"ecdsa-sha2-nistp384",
+    b"ecdsa-sha2-nistp521",
+]
+
+
+def is_ssh_key(key):
+    """
+    Return True if the key is a SSH key
+    This function uses the list of valid SSH key format defined in
+    _SSH_KEY_FORMATS dict.
+    """
+    if any(string_value in key for string_value in _SSH_KEY_FORMATS):
+        return True
+
+    ssh_pubkey_match = _SSH_PUBKEY_RC.match(key)
+    if ssh_pubkey_match:
+        key_type = ssh_pubkey_match.group(1)
+        if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]:
+            return True
+
+    return False

tests/algorithms/test_HMAC.py

@@ -14,14 +14,17 @@ def test_non_string_key(self):
 
     def test_RSA_key(self):
         key = "-----BEGIN PUBLIC KEY-----"
+        key += "\n\n\n-----END PUBLIC KEY-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
 
         key = "-----BEGIN RSA PUBLIC KEY-----"
+        key += "\n\n\n-----END RSA PUBLIC KEY-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
 
         key = "-----BEGIN CERTIFICATE-----"
+        key += "\n\n\n-----END CERTIFICATE-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)