New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not use pkcs1v15 for signature #721

Open

cryptochecktool opened this issue Nov 16, 2024 · 0 comments

cryptochecktool commented Nov 16, 2024

Message signatures should be populated in a more secure way using pss.
Code is located at:

oci-python-sdk/src/oci/_vendor/jwt/algorithms.py

Line 378 in 22fd62c

return key.sign(msg, padding.PKCS1v15(), self.hash_alg())

You can refer to cryptography for pkcs1v15 specifications, https://cryptography.io/en/latest/limitations/#rsa-pkcs1-v1-5-constant-time-decryption

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment