Unamrked HMAC SHA based algorithms as insecure and obsolete (#478)

* Reverted #384. * Bumped version to 10.1.0 * Updated changelog
jwt-dotnet · Aug 11, 2023 · 2c76ee0 · 2c76ee0
1 parent 906002e
commit 2c76ee0
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 37 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Unreleased
 
-- TBD
+# 10.1.0
+
+- Unmarked HMAC SHA based algorithms as insecure and obsolete (was done in 9.0.0-beta4)
 
 # 10.0.3
 

diff --git a/src/JWT/Algorithms/HMACSHA256Algorithm.cs b/src/JWT/Algorithms/HMACSHA256Algorithm.cs
@@ -1,12 +1,10 @@
-using System;
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 
 namespace JWT.Algorithms
 {
     /// <summary>
     /// HMAC using SHA-256
     /// </summary>
-    [Obsolete(ObsoleteMessage, error: false)]
     public sealed class HMACSHA256Algorithm : HMACSHAAlgorithm
     {
         /// <inheritdoc />

diff --git a/src/JWT/Algorithms/HMACSHA384Algorithm.cs b/src/JWT/Algorithms/HMACSHA384Algorithm.cs
@@ -1,12 +1,10 @@
-using System;
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 
 namespace JWT.Algorithms
 {
     /// <summary>
     /// HMAC using SHA-384
     /// </summary>
-    [Obsolete(ObsoleteMessage, error: false)]
     public sealed class HMACSHA384Algorithm : HMACSHAAlgorithm
     {
         /// <inheritdoc />

diff --git a/src/JWT/Algorithms/HMACSHA512Algorithm.cs b/src/JWT/Algorithms/HMACSHA512Algorithm.cs
@@ -1,12 +1,10 @@
-using System;
-using System.Security.Cryptography;
+using System.Security.Cryptography;
 
 namespace JWT.Algorithms
 {
     /// <summary>
     /// HMAC using SHA-512
     /// </summary>
-    [Obsolete(ObsoleteMessage, error: false)]
     public sealed class HMACSHA512Algorithm : HMACSHAAlgorithm
     {
         /// <inheritdoc />

diff --git a/src/JWT/Algorithms/HMACSHAAlgorithm.cs b/src/JWT/Algorithms/HMACSHAAlgorithm.cs
@@ -1,26 +1,22 @@
-using System;
-using System.Security.Cryptography;
-
-namespace JWT.Algorithms
-{
-    [Obsolete(ObsoleteMessage, error: false)]
-    public abstract class HMACSHAAlgorithm : IJwtAlgorithm
-    {
-        internal const string ObsoleteMessage = "HMAC SHA based algorithms are not secure to protect modern web applications. Consider switching to RSASSA or ECDSA.";
-
-        /// <inheritdoc />
-        public abstract string Name { get; }
-
-        /// <inheritdoc />
-        public abstract HashAlgorithmName HashAlgorithmName { get; }
-
-        /// <inheritdoc />
-        public byte[] Sign(byte[] key, byte[] bytesToSign)
-        {
-            using var sha = CreateAlgorithm(key);
-            return sha.ComputeHash(bytesToSign);
-        }
-
-        protected abstract HMAC CreateAlgorithm(byte[] key);
-    }
+using System.Security.Cryptography;
+
+namespace JWT.Algorithms
+{
+    public abstract class HMACSHAAlgorithm : IJwtAlgorithm
+    {
+        /// <inheritdoc />
+        public abstract string Name { get; }
+
+        /// <inheritdoc />
+        public abstract HashAlgorithmName HashAlgorithmName { get; }
+
+        /// <inheritdoc />
+        public byte[] Sign(byte[] key, byte[] bytesToSign)
+        {
+            using var sha = CreateAlgorithm(key);
+            return sha.ComputeHash(bytesToSign);
+        }
+
+        protected abstract HMAC CreateAlgorithm(byte[] key);
+    }
 }
diff --git a/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs b/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs
@@ -3,7 +3,6 @@
 namespace JWT.Algorithms
 {
     /// <inheritdoc />
-    [Obsolete(HMACSHAAlgorithm.ObsoleteMessage, error: false)]
     public class HMACSHAAlgorithmFactory : JwtAlgorithmFactory
     {
         protected override IJwtAlgorithm Create(JwtAlgorithmName algorithm)

diff --git a/src/JWT/JWT.csproj b/src/JWT/JWT.csproj
@@ -25,7 +25,7 @@
   </PropertyGroup>
 
   <PropertyGroup>
-    <Version>10.0.3</Version>
+    <Version>10.1.0</Version>
     <FileVersion>10.0.0.0</FileVersion>
     <AssemblyVersion>10.0.0.0</AssemblyVersion>
   </PropertyGroup>