Description Michał Górny 2022-05-13 05:55:32 UTC

> Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation).
>
>> PyJWT supports multiple different JWT signing algorithms. With JWT, an
>> attacker submitting the JWT token can choose the used signing algorithm.
>> 
>> The PyJWT library requires that the application chooses what algorithms
>> are supported. The application can specify
>> "jwt.algorithms.get_default_algorithms()" to get support for all
>> algorithms. They can also specify a single one of them (which is the
>> usual use case if calling jwt.decode directly. However, if calling
>> jwt.decode in a helper function, all algorithms might be enabled.)
>> 
>> For example, if the user chooses "none" algorithm and the JWT checker
>> supports that, there will be no signature checking. This is a common
>> security issue with some JWT implementations.
>> 
>> PyJWT combats this by requiring that the if the "none" algorithm is
>> used, the key has to be empty. As the key is given by the application
>> running the checker, attacker cannot force "none" cipher to be used.
>> 
>> Similarly with HMAC (symmetric) algorithm, PyJWT checks that the key is
>> not a public key meant for asymmetric algorithm i.e. HMAC cannot be used
>> if the key begins with "ssh-rsa". If HMAC is used with a public key, the
>> attacker can just use the publicly known public key to sign the token
>> and the checker would use the same key to verify.
>> 
>> From PyJWT 2.0.0 onwards, PyJWT supports ed25519 asymmetric algorithm.
>> With ed25519, PyJWT supports public keys that start with "ssh-", for
>> example "ssh-ed25519".