@karen-avetisyan-mc
Contributor

feat: Add configurable CBC-HMAC support for JWE encryption

Add support for HMAC authentication in CBC mode encryption algorithms
(A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) with backward compatibility.

Features:

  • Implement RFC 7516 compliant HMAC verification for CBC-HMAC algorithms
  • Add EnableCbcHmacVerification configuration flag (default: false)
  • Support all three CBC-HMAC variants with proper key splitting
  • Constant-time HMAC comparison to prevent timing attacks
  • Proper HMAC tag truncation per RFC specification

Configuration:

  • Add WithCbcHmacVerification() method to JweConfigBuilder
  • HMAC verification disabled by default for backward compatibility
  • Users can opt-in to enable authenticated encryption

Implementation:

  • Update AesCbc class with conditional HMAC generation and verification
  • Split CEK into HMAC key (first half) and AES key (second half)
  • Compute HMAC over: AAD || IV || Ciphertext || AAD_Length
  • Select HMAC algorithm (SHA-256/384/512) based on key length
  • Pass configuration flag through JweObject to AesCbc methods

Testing:

  • Add 14 comprehensive unit tests covering all scenarios
  • Test backward compatibility with HMAC disabled
  • Test encryption/decryption for all CBC-HMAC algorithms
  • Test security features (tampering detection)
  • Test configuration builder methods
  • All 186 tests pass (172 existing + 14 new)

Documentation:

  • Update README with supported algorithms section
  • Document CBC-HMAC verification configuration
  • Add security recommendations
  • Include code examples for enabling HMAC

Breaking Changes: None

  • HMAC verification is disabled by default
  • Full backward compatibility maintained

- Implement HMAC verification for A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- Add EnableCbcHmacVerification config flag (default: false)
- Follow RFC 7516 specification for authenticated encryption
- Add 14 comprehensive unit tests (all 186 tests pass)
- Update README with configuration examples
- Maintain full backward compatibility
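Added illustration of the authentication layer this PR describes (RFC 7518 AES_CBC_HMAC_SHA2: CEK split into MAC_KEY || ENC_KEY, HMAC over AAD || IV || ciphertext || AL, tag truncation, constant-time check). This is not the PR's C# code; it is a stand-alone Python sketch with constructed inputs, and it deliberately leaves the AES-CBC step out since only the HMAC part is new here.

```python
import hashlib
import hmac
import struct

# RFC 7518 section 5.2: algorithm -> (hash, total CEK length, MAC_KEY/ENC_KEY/tag length)
CBC_HMAC_VARIANTS = {
    "A128CBC-HS256": (hashlib.sha256, 32, 16),
    "A192CBC-HS384": (hashlib.sha384, 48, 24),
    "A256CBC-HS512": (hashlib.sha512, 64, 32),
}

def split_cek(alg, cek):
    """Split the CEK: MAC_KEY is the first half, ENC_KEY (the AES key) the second."""
    _, cek_len, half = CBC_HMAC_VARIANTS[alg]
    if len(cek) != cek_len:
        raise ValueError(f"{alg} needs a {cek_len}-byte CEK, got {len(cek)}")
    return cek[:half], cek[half:]

def aad_length_block(aad):
    """AL: the AAD length in *bits*, encoded as a 64-bit big-endian integer."""
    return struct.pack(">Q", len(aad) * 8)

def compute_tag(alg, mac_key, aad, iv, ciphertext):
    """HMAC over AAD || IV || ciphertext || AL, truncated to its first half."""
    hash_fn, _, tag_len = CBC_HMAC_VARIANTS[alg]
    mac_input = aad + iv + ciphertext + aad_length_block(aad)
    return hmac.new(mac_key, mac_input, hash_fn).digest()[:tag_len]

def verify_tag(alg, mac_key, aad, iv, ciphertext, tag):
    """Constant-time comparison; False means reject the JWE before any CBC decryption."""
    _, _, tag_len = CBC_HMAC_VARIANTS[alg]
    if len(tag) != tag_len:
        return False
    return hmac.compare_digest(compute_tag(alg, mac_key, aad, iv, ciphertext), tag)

# Constructed sample inputs (not taken from the PR); the CEK is just bytes 0x00..0x1f
# and the ciphertext is a stand-in for real AES-CBC output.
SAMPLE_ALG = "A128CBC-HS256"
SAMPLE_CEK = bytes(range(32))
SAMPLE_IV = bytes.fromhex("1af38c2dc2b96ffdd86694092341bc04")
SAMPLE_AAD = b"The second principle of Auguste Kerckhoffs"  # 42 bytes -> AL = 336 bits
SAMPLE_CT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def tamper_demo():
    """Returns (intact_ok, flipped_ciphertext_ok, altered_aad_ok)."""
    mac_key, _enc_key = split_cek(SAMPLE_ALG, SAMPLE_CEK)
    tag = compute_tag(SAMPLE_ALG, mac_key, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT)
    bad_ct = bytes([SAMPLE_CT[0] ^ 0x01]) + SAMPLE_CT[1:]   # one flipped bit
    bad_aad = SAMPLE_AAD[:-1] + b"x"                         # header changed
    return (verify_tag(SAMPLE_ALG, mac_key, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT, tag),
            verify_tag(SAMPLE_ALG, mac_key, SAMPLE_AAD, SAMPLE_IV, bad_ct, tag),
            verify_tag(SAMPLE_ALG, mac_key, bad_aad, SAMPLE_IV, SAMPLE_CT, tag))
```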