daviddesmet / paseto-dotnet

🔑 Paseto.NET, a Paseto (Platform-Agnostic Security Tokens) implementation for .NET
MIT License

Bind Keys to Version and Purpose #47

Closed paragonie-security closed 2 years ago

paragonie-security commented 3 years ago

https://github.com/daviddesmet/paseto-dotnet/blob/db9d2b7b6b10c8494e42b7a84f77145dc3f0668a/src/Paseto/Protocol/Version2.cs#L96

https://github.com/daviddesmet/paseto-dotnet/blob/db9d2b7b6b10c8494e42b7a84f77145dc3f0668a/src/Paseto/Protocol/Version2.cs#L197

See https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/03-Algorithm-Lucidity.md

Right now, byte arrays are accepted by this API. There's no mechanism to prevent a user from using a v2 public key as a v2 local key.
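
An added example, not part of the issue thread and not Paseto.NET's own code: one way to bind key material to a version and purpose in C#, so that a v2 public key is rejected wherever a v2 local key is expected. All type and member names (`PasetoKey`, `V2SymmetricKey`, `V2PublicKey`, `Use`, `Demo`) are hypothetical, and the key bytes are constructed sample values.

```csharp
// Added illustration; every type and member name here is hypothetical.
using System;

public enum ProtocolVersion { V2, V4 }
public enum KeyPurpose { Local, Public }

// Key material that carries its version and purpose instead of being a bare byte[].
public abstract class PasetoKey
{
    private readonly byte[] _material;
    public ProtocolVersion Version { get; }
    public KeyPurpose Purpose { get; }

    protected PasetoKey(byte[] material, ProtocolVersion version, KeyPurpose purpose)
    {
        if (material is null || material.Length != 32)
            throw new ArgumentException("Expected 32 bytes.", nameof(material));
        _material = (byte[])material.Clone();
        Version = version;
        Purpose = purpose;
    }

    // Raw bytes are released only to a caller that names the matching version and purpose.
    public ReadOnlySpan<byte> Use(ProtocolVersion version, KeyPurpose purpose)
    {
        if (version != Version || purpose != Purpose)
            throw new InvalidOperationException(
                $"Key is bound to {Version}.{Purpose}, not {version}.{purpose}.");
        return _material;
    }
}

// A v2.local key and a v2.public (Ed25519) public key are both 32 bytes,
// so a length check alone cannot tell them apart; the type has to.
public sealed class V2SymmetricKey : PasetoKey
{ public V2SymmetricKey(byte[] k) : base(k, ProtocolVersion.V2, KeyPurpose.Local) { } }
public sealed class V2PublicKey : PasetoKey
{ public V2PublicKey(byte[] k) : base(k, ProtocolVersion.V2, KeyPurpose.Public) { } }

public static class Demo
{
    // Stand-in for a v2.local entry point: the parameter type excludes V2PublicKey.
    public static int LocalKeyLength(V2SymmetricKey key) =>
        key.Use(ProtocolVersion.V2, KeyPurpose.Local).Length;

    public static void Main()
    {
        PasetoKey pub = new V2PublicKey(new byte[32]); // constructed sample bytes
        // LocalKeyLength(new V2PublicKey(new byte[32])); // would not compile
        try { pub.Use(ProtocolVersion.V2, KeyPurpose.Local); } // runtime check for untyped callers
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```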

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in one week if no further activity occurs. Thank you for your contributions.

paragonie-security commented 2 years ago

Bad bot.

daviddesmet commented 2 years ago

@paragonie-security FYI https://github.com/paragonie/paseto-io/pull/42