fix: warning about draft-ietf-jose-deprecate-none-rsa15-02

lepture · lepture · commit b829715a5cc7 · 2025-06-30T14:39:25.000+09:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -77,7 +77,10 @@ line-length = 120
 [tool.pytest.ini_options]
 pythonpath = ["src", "."]
 testpaths = ["tests"]
-filterwarnings = ["error"]
+filterwarnings = [
+  "error::DeprecationWarning",
+  "ignore::UserWarning",
+]
 
 [tool.coverage.run]
 branch = true
diff --git a/src/joserfc/_rfc7515/model.py b/src/joserfc/_rfc7515/model.py
@@ -1,5 +1,5 @@
 from __future__ import annotations
-from typing import Any, ClassVar
+from typing import Any, ClassVar, Literal
 from abc import ABCMeta, abstractmethod
 from .types import SegmentsDict, JSONSignatureDict
 from ..errors import InvalidKeyTypeError
@@ -107,8 +107,10 @@ class JWSAlgModel(object, metaclass=ABCMeta):
     name: str
     description: str
     recommended: bool = False
+    security_warning: str | None = None
+
     key_type = "oct"
-    algorithm_type = "JWS"
+    algorithm_type: Literal["JWS"] = "JWS"
     algorithm_location = "sig"
 
     def check_key_type(self, key: Any) -> None:
diff --git a/src/joserfc/_rfc7515/registry.py b/src/joserfc/_rfc7515/registry.py
@@ -1,7 +1,8 @@
 from __future__ import annotations
+import warnings
 from typing import Dict
 from .model import JWSAlgModel
-from ..errors import UnsupportedAlgorithmError
+from ..errors import UnsupportedAlgorithmError, SecurityWarning
 from ..registry import (
     JWS_HEADER_REGISTRY,
     Header,
@@ -66,7 +67,11 @@ def get_alg(self, name: str) -> JWSAlgModel:
         else:
             if name not in self.recommended:
                 raise UnsupportedAlgorithmError(f"Algorithm of '{name}' is not recommended")
-        return self.algorithms[name]
+
+        alg = self.algorithms[name]
+        if alg.security_warning:
+            warnings.warn(alg.security_warning, SecurityWarning)
+        return alg
 
     def check_header(self, header: Header) -> None:
         """Check and validate the fields in header part of a JWS object."""
diff --git a/src/joserfc/_rfc7516/models.py b/src/joserfc/_rfc7516/models.py
@@ -229,8 +229,10 @@ class KeyManagement:
     name: str
     description: str
     recommended: bool = False
-    key_size: t.Optional[int] = None
+    key_size: int | None = None
     key_types: t.List[str]
+    security_warning: str | None = None
+
     algorithm_type: t.Literal["JWE"] = "JWE"
     algorithm_location: t.Literal["alg"] = "alg"
     more_header_registry: HeaderRegistryDict = {}
diff --git a/src/joserfc/_rfc7516/registry.py b/src/joserfc/_rfc7516/registry.py
@@ -1,7 +1,8 @@
 from __future__ import annotations
+import warnings
 import typing as t
 from .models import JWEAlgModel, JWEEncModel, JWEZipModel
-from ..errors import UnsupportedAlgorithmError
+from ..errors import UnsupportedAlgorithmError, SecurityWarning
 from ..registry import (
     Header,
     HeaderRegistryDict,
@@ -91,7 +92,10 @@ def get_alg(self, name: str) -> JWEAlgModel:
         """
         registry = self.algorithms["alg"]
         self._check_algorithm(name, registry)
-        return registry[name]
+        alg: JWEAlgModel = registry[name]
+        if alg.security_warning:
+            warnings.warn(alg.security_warning, SecurityWarning)
+        return alg
 
     def get_enc(self, name: str) -> JWEEncModel:
         """Get the allowed ("enc") algorithm instance of the given name.
diff --git a/src/joserfc/_rfc7518/jwe_algs.py b/src/joserfc/_rfc7518/jwe_algs.py
@@ -60,6 +60,8 @@ def __init__(self, name: str, description: str, pad_fn: padding.AsymmetricPaddin
         self.description = description
         self.padding = pad_fn
         self.recommended = recommended
+        if name == "RSA1_5":
+            self.security_warning = 'JWE algorithm "RSA1_5" is deprecated, via draft-ietf-jose-deprecate-none-rsa15-02'
 
     def encrypt_cek(self, cek: bytes, recipient: Recipient[RSAKey]) -> bytes:
         key = recipient.recipient_key
diff --git a/src/joserfc/_rfc7518/jws_algs.py b/src/joserfc/_rfc7518/jws_algs.py
@@ -30,6 +30,7 @@
 class NoneAlgModel(JWSAlgModel):
     name = "none"
     description = "No digital signature or MAC performed"
+    security_warning = 'JWS algorithm "none" is deprecated, via draft-ietf-jose-deprecate-none-rsa15-02'
 
     def sign(self, msg: bytes, key: t.Any) -> bytes:
         return b""
diff --git a/src/joserfc/errors.py b/src/joserfc/errors.py
@@ -1,6 +1,11 @@
 from __future__ import annotations
 
 
+class SecurityWarning(UserWarning):
+    """Base class for warnings of security issues."""
+    pass
+
+
 class JoseError(Exception):
     """Base Exception for all errors in joserfc."""
 
