@amanjolhe

Security Fix: CVE-2025-45768 - Implement Minimum Key Length Validation

This PR addresses CVE-2025-45768 by implementing minimum key length requirements for HMAC and RSA algorithms per RFC 7518 and NIST SP800-117.

Changes:

  • ✅ HMAC algorithms now enforce minimum key lengths:
    • HS256: 32 bytes minimum
    • HS384: 48 bytes minimum
    • HS512: 64 bytes minimum
  • ✅ RSA algorithms now enforce 2048-bit minimum key size
  • ✅ Enhanced key validation in prepare_key() and from_jwk() methods
  • ✅ Comprehensive test suite with 310 passing tests
  • ✅ Updated all test secrets to meet new requirements

Breaking Change:

Keys below minimum length requirements will now be rejected with InvalidKeyError.

Fixes CVE-2025-45768
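
The length rules listed in the PR description above, sketched with the standard library only. This is an added example, not code from the PR or from PyJWT: `check_hmac_key`, `check_jwk`, the local `InvalidKeyError` stand-in and the sample keys are hypothetical names and constructed values.

```python
import base64

# Minimums as listed in the PR description.
HMAC_MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
RSA_MIN_KEY_BITS = 2048

class InvalidKeyError(Exception):
    """Local stand-in for the exception named in the PR; not PyJWT's class."""

def b64url_decode(value: str) -> bytes:
    # JWK members are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_hmac_key(alg: str, key) -> bytes:
    """Return the key as bytes, or raise if it is below the minimum for alg."""
    if alg not in HMAC_MIN_KEY_BYTES:
        raise InvalidKeyError(f"unsupported HMAC algorithm: {alg}")
    # Length is measured in bytes after encoding, not in characters.
    raw = key.encode("utf-8") if isinstance(key, str) else bytes(key)
    if len(raw) < HMAC_MIN_KEY_BYTES[alg]:
        raise InvalidKeyError(
            f"{alg} key is {len(raw)} bytes; minimum is {HMAC_MIN_KEY_BYTES[alg]}")
    return raw

def check_jwk(jwk: dict, alg: str) -> int:
    """Validate a JWK dict and return its key size in bits (alg matters for 'oct')."""
    kty = jwk.get("kty")
    if kty == "oct":
        return len(check_hmac_key(alg, b64url_decode(jwk.get("k", "")))) * 8
    if kty == "RSA":
        # Size is the bit length of the modulus integer, so zero padding does not count.
        bits = int.from_bytes(b64url_decode(jwk.get("n", "")), "big").bit_length()
        if bits < RSA_MIN_KEY_BITS:
            raise InvalidKeyError(
                f"RSA modulus is {bits} bits; minimum is {RSA_MIN_KEY_BITS}")
        return bits
    raise InvalidKeyError(f"unsupported key type: {kty}")

# Constructed sample inputs: placeholder byte patterns, not real keys; only sizes matter.
WEAK_SECRET = "secret"
STRONG_SECRET = b"\x01" * 32
RSA_1024_JWK = {"kty": "RSA", "n": b64url_encode(b"\x80" + b"\x00" * 127), "e": "AQAB"}
RSA_2048_JWK = {"kty": "RSA", "n": b64url_encode(b"\x80" + b"\x00" * 255), "e": "AQAB"}
```
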

@amanjolhe force-pushed the security/cve-2025-45768-key-length-validation branch from 0f44c5e to ef883bb (August 20, 2025 05:44)
@auvipy requested review from auvipy, Copilot and jpadilla (August 20, 2025 05:46)
Copilot AI left a comment

Pull Request Overview

This PR addresses CVE-2025-45768 by implementing minimum key length validation for HMAC and RSA algorithms in compliance with RFC 7518 and NIST SP800-117 security standards.

  • Enforces minimum key lengths for HMAC algorithms (HS256: 32 bytes, HS384: 48 bytes, HS512: 64 bytes)
  • Enforces minimum 2048-bit key size for RSA algorithms
  • Updates all test secrets to meet the new security requirements

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| jwt/algorithms.py | Implements key length validation in HMACAlgorithm and RSAAlgorithm classes |
| tests/test_algorithms.py | Adds comprehensive tests for the new key validation logic |
| tests/test_jwt.py | Updates test secrets to meet minimum requirements |
| tests/test_api_jwt.py | Updates test secrets and JWT tokens to use compliant keys |
| tests/test_api_jws.py | Updates test secrets and expected signatures for longer keys |
| tests/test_compressed_jwt.py | Updates test secrets and JWT token for compression tests |

@amanjolhe force-pushed the security/cve-2025-45768-key-length-validation branch from 7f55420 to 31381f6 (August 20, 2025 05:50)
@amanjolhe
Author

Hi @auvipy, do we need to take care of those failing checks, or should we discuss next steps?

@amanjolhe closed this (Aug 20, 2025)
@amanjolhe deleted the security/cve-2025-45768-key-length-validation branch (August 20, 2025 10:52)