fix(jwk): add security warnings at OctKey.import_key and RSAKey.import_key

Author: lepture

src/joserfc/_rfc7518/oct_key.py

@@ -57,7 +57,11 @@ def import_key(
         parameters: KeyParameters | None = None,
         password: Any = None,
     ) -> "OctKey":
-        return super(OctKey, cls).import_key(value, parameters, password)
+        key: OctKey = super(OctKey, cls).import_key(value, parameters, password)
+        if len(key.raw_value) < 14:
+            # https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
+            warnings.warn("Key size should be >= 112 bits", SecurityWarning)
+        return key
 
     @classmethod
     def generate_key(

src/joserfc/_rfc7518/rsa_key.py

@@ -139,7 +139,11 @@ def import_key(
         parameters: KeyParameters | None = None,
         password: Any = None,
     ) -> "RSAKey":
-        return super(RSAKey, cls).import_key(value, parameters, password)
+        key: RSAKey = super(RSAKey, cls).import_key(value, parameters, password)
+        if key.raw_value.key_size < 2048:
+            # https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
+            warnings.warn("Key size should be >= 2048 bits", SecurityWarning)
+        return key
 
     @classmethod
     def generate_key(

tests/jwk/test_oct_key.py

@@ -1,5 +1,6 @@
 from unittest import TestCase
 from joserfc.jwk import OctKey
+from joserfc.errors import SecurityWarning
 from tests.keys import read_key
 
 
@@ -86,7 +87,7 @@ def test_invalid_key_ops(self):
 
     def test_import_pem_key(self):
         public_pem = read_key("ec-p256-public.pem")
-        self.assertWarns(UserWarning, OctKey.import_key, public_pem)
+        self.assertWarns(SecurityWarning, OctKey.import_key, public_pem)
 
     def test_generate_key(self):
         key = OctKey.generate_key()
@@ -103,6 +104,12 @@ def test_generate_key(self):
         key = OctKey.generate_key(auto_kid=True)
         self.assertIsNotNone(key.kid)
 
+    def test_generate_key_with_warnings(self):
+        self.assertWarns(SecurityWarning, OctKey.generate_key, 16)
+
+    def test_import_key_with_warnings(self):
+        self.assertWarns(SecurityWarning, OctKey.import_key, b"rfc")
+
     def test_key_eq(self):
         key1 = OctKey.generate_key()
         key2 = OctKey.import_key(key1.as_dict())

tests/jwk/test_rsa_key.py

@@ -1,5 +1,6 @@
 from unittest import TestCase
 from joserfc.jwk import RSAKey
+from joserfc.errors import SecurityWarning
 from tests.keys import read_key
 
 
@@ -126,6 +127,29 @@ def test_generate_key(self):
         key = RSAKey.generate_key(auto_kid=True)
         self.assertIsNotNone(key.kid)
 
+    def test_generate_key_with_warnings(self):
+        self.assertWarns(SecurityWarning, RSAKey.generate_key, 1024)
+
+    def test_import_key_with_warnings(self):
+        rsa_jwk = {
+            "n": (
+                "qEr7algLblN5qcstFCfOkAVERAWOyq3UuIor3BZq6s932Zs97yrkKw6XhKobGlNKEXNJhFiKU9oG-XA1dyvwv"
+                "9uRbFPiUxLC0IS1mnIeF1Uz3n9h8o3v23TIkbcTPPNsJJuSPiRybefddDBtld7i_9mzNjDR4Ios6DJCNthnIKc"
+            ),
+            "e": "AQAB",
+            "d": (
+                "QfOYkXVNjX_TFvJTiSmMbq5RsWKIMe9rhKJJS-fRIJILgtCutdKWNjVytX_APVHUngATGHVmSDQSNaB-o2Qp5TMG"
+                "0KQ8-TuCXD3nRQIsDj0CCRSuq_CoVUjsFkP3hPvJ8MStN5xpyNGWusHNjgyz_KMQMziFM2wnjRIpMw7J3ck"
+            ),
+            "p": "3fJ5EmJpD7YCElVtAWBUWSVw5uO_NcvDMvTsshVsSY7H6atE4UZSsKEy3HKmVLB3zfqHZYg1Bd8DV52EnGOogw",
+            "q": "wh0awdt7hnpdHJGbrbaC1Pr12MRd6bnraPTGewBB9o6KxPXpkSVBlm5mLuhEiB0gnuA933zxvt1bSHHUNuGGDQ",
+            "dp": "1GFJ6YWx8w6_PLvx6vc6v3NMbiRQvDGXQBOOy3okfN7b_YWeC9M3HT2jZb9v2mpiuf-ZwFZuJogYsqZQVzYl8Q",
+            "dq": "U5Tqn4xdHON1UkbULLFIlmJVF3g-I9SdK70x9WaAAKUR1Ys5ffj3y8lPkGUMlTtNf3t4yNFo2lE_6-qvgM4MxQ",
+            "qi": "dhaZmFV6lFH-jD4hb_-GtaMlsk97gqW7zU2gSVZdULGXZsqbQEfm0k34mglOWC6Hxmi1rqQB_HAe9HUyNdHPXg",
+            "kty": "RSA",
+        }
+        self.assertWarns(SecurityWarning, RSAKey.import_key, rsa_jwk)
+
     def test_import_from_der_bytes(self):
         value1 = self.default_key.as_der()
         key1 = RSAKey.import_key(value1)