From fb1a4a6305eec55ffd4fa3f9dbb96809d713894a Mon Sep 17 00:00:00 2001
From: Alexander Batishchev <abatishchev@gmail.com>
Date: Fri, 8 Apr 2022 13:44:40 -0700
Subject: [PATCH 1/2] Marked HMAC SHA based algorithms as insecure and obsolete

---
 src/JWT/Algorithms/HMACSHA256Algorithm.cs     |  4 +-
 src/JWT/Algorithms/HMACSHA384Algorithm.cs     |  4 +-
 src/JWT/Algorithms/HMACSHA512Algorithm.cs     |  4 +-
 src/JWT/Algorithms/HMACSHAAlgorithm.cs        | 48 ++++++++++---------
 src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs |  1 +
 5 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/src/JWT/Algorithms/HMACSHA256Algorithm.cs b/src/JWT/Algorithms/HMACSHA256Algorithm.cs
index 072058d8b..a223dddb0 100644
--- a/src/JWT/Algorithms/HMACSHA256Algorithm.cs
+++ b/src/JWT/Algorithms/HMACSHA256Algorithm.cs
@@ -1,10 +1,12 @@
-using System.Security.Cryptography;
+using System;
+using System.Security.Cryptography;
 
 namespace JWT.Algorithms
 {
     /// <summary>
     /// HMAC using SHA-256
     /// </summary>
+    [Obsolete(ObsoleteMessage, error: false)]
     public sealed class HMACSHA256Algorithm : HMACSHAAlgorithm
     {
         /// <inheritdoc />
diff --git a/src/JWT/Algorithms/HMACSHA384Algorithm.cs b/src/JWT/Algorithms/HMACSHA384Algorithm.cs
index cac171668..836ec68dd 100644
--- a/src/JWT/Algorithms/HMACSHA384Algorithm.cs
+++ b/src/JWT/Algorithms/HMACSHA384Algorithm.cs
@@ -1,10 +1,12 @@
-using System.Security.Cryptography;
+using System;
+using System.Security.Cryptography;
 
 namespace JWT.Algorithms
 {
     /// <summary>
     /// HMAC using SHA-384
     /// </summary>
+    [Obsolete(ObsoleteMessage, error: false)]
     public sealed class HMACSHA384Algorithm : HMACSHAAlgorithm
     {
         /// <inheritdoc />
diff --git a/src/JWT/Algorithms/HMACSHA512Algorithm.cs b/src/JWT/Algorithms/HMACSHA512Algorithm.cs
index b5c043b47..09bb65ec2 100644
--- a/src/JWT/Algorithms/HMACSHA512Algorithm.cs
+++ b/src/JWT/Algorithms/HMACSHA512Algorithm.cs
@@ -1,10 +1,12 @@
-using System.Security.Cryptography;
+using System;
+using System.Security.Cryptography;
 
 namespace JWT.Algorithms
 {
     /// <summary>
     /// HMAC using SHA-512
     /// </summary>
+    [Obsolete(ObsoleteMessage, error: false)]
     public sealed class HMACSHA512Algorithm : HMACSHAAlgorithm
     {
         /// <inheritdoc />
diff --git a/src/JWT/Algorithms/HMACSHAAlgorithm.cs b/src/JWT/Algorithms/HMACSHAAlgorithm.cs
index 888de50ed..1d076f138 100644
--- a/src/JWT/Algorithms/HMACSHAAlgorithm.cs
+++ b/src/JWT/Algorithms/HMACSHAAlgorithm.cs
@@ -1,22 +1,26 @@
-using System.Security.Cryptography;
-
-namespace JWT.Algorithms
-{
-    public abstract class HMACSHAAlgorithm : IJwtAlgorithm
-    {
-        /// <inheritdoc />
-        public abstract string Name { get; }
-
-        /// <inheritdoc />
-        public abstract HashAlgorithmName HashAlgorithmName { get; }
-
-        /// <inheritdoc />
-        public byte[] Sign(byte[] key, byte[] bytesToSign)
-        {
-            using var sha = CreateAlgorithm(key);
-            return sha.ComputeHash(bytesToSign);
-        }
-
-        protected abstract HMAC CreateAlgorithm(byte[] key);
-    }
-}
+using System;
+using System.Security.Cryptography;
+
+namespace JWT.Algorithms
+{
+    [Obsolete(ObsoleteMessage, error: false)]
+    public abstract class HMACSHAAlgorithm : IJwtAlgorithm
+    {
+        internal const string ObsoleteMessage = "HMAC SHA based algorithms are not secure to protect modern web applications. Consider switch to RSASSA or ECDSA.";
+
+        /// <inheritdoc />
+        public abstract string Name { get; }
+
+        /// <inheritdoc />
+        public abstract HashAlgorithmName HashAlgorithmName { get; }
+
+        /// <inheritdoc />
+        public byte[] Sign(byte[] key, byte[] bytesToSign)
+        {
+            using var sha = CreateAlgorithm(key);
+            return sha.ComputeHash(bytesToSign);
+        }
+
+        protected abstract HMAC CreateAlgorithm(byte[] key);
+    }
+}
\ No newline at end of file
diff --git a/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs b/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs
index 918250749..80c2d2cc9 100644
--- a/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs
+++ b/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs
@@ -3,6 +3,7 @@
 namespace JWT.Algorithms
 {
     /// <inheritdoc />
+    [Obsolete(HMACSHAAlgorithm.ObsoleteMessage, error: false)]
     public class HMACSHAAlgorithmFactory : JwtAlgorithmFactory
     {
         protected override IJwtAlgorithm Create(JwtAlgorithmName algorithm)

From 28c67bc4424778167e5a4aea63c56b3057b7ba5d Mon Sep 17 00:00:00 2001
From: Alexander Batishchev <abatishchev@gmail.com>
Date: Fri, 8 Apr 2022 13:46:27 -0700
Subject: [PATCH 2/2] Update JWT.csproj

---
 src/JWT/JWT.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/JWT/JWT.csproj b/src/JWT/JWT.csproj
index fa5bc48ca..c379fe71d 100644
--- a/src/JWT/JWT.csproj
+++ b/src/JWT/JWT.csproj
@@ -24,7 +24,7 @@
     <Authors>Alexander Batishchev, John Sheehan, Michael Lehenbauer</Authors>
     <PackageTags>jwt;json;authorization</PackageTags>
     <PackageLicense>CC0-1.0</PackageLicense>
-    <Version>9.0.0-beta3</Version>
+    <Version>9.0.0-beta4</Version>
     <FileVersion>9.0.0.0</FileVersion>
     <AssemblyVersion>9.0.0.0</AssemblyVersion>
     <RootNamespace>JWT</RootNamespace>