
feat: Add configurable CBC-HMAC support with backward compatibility#51

Open
karen-avetisyan-mc wants to merge 3 commits into main from ases-cbs-hmac-support

Conversation

@karen-avetisyan-mc (Contributor)

feat: Add configurable CBC-HMAC support for JWE encryption

Add support for HMAC authentication in CBC mode encryption algorithms
(A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) with backward compatibility.

Features:

  • Implement RFC 7516 compliant HMAC verification for CBC-HMAC algorithms
  • Add EnableCbcHmacVerification configuration flag (default: false)
  • Support all three CBC-HMAC variants with proper key splitting
  • Constant-time HMAC comparison to prevent timing attacks
  • Proper HMAC tag truncation per RFC specification

Configuration:

  • Add WithCbcHmacVerification() method to JweConfigBuilder
  • HMAC verification disabled by default for backward compatibility
  • Users can opt-in to enable authenticated encryption

Implementation:

  • Update AesCbc class with conditional HMAC generation and verification
  • Split CEK into HMAC key (first half) and AES key (second half)
  • Compute HMAC over: AAD || IV || Ciphertext || AAD_Length
  • Select HMAC algorithm (SHA-256/384/512) based on key length
  • Pass configuration flag through JweObject to AesCbc methods

Testing:

  • Add 14 comprehensive unit tests covering all scenarios
  • Test backward compatibility with HMAC disabled
  • Test encryption/decryption for all CBC-HMAC algorithms
  • Test security features (tampering detection)
  • Test configuration builder methods
  • All 186 tests pass (172 existing + 14 new)

Documentation:

  • Update README with supported algorithms section
  • Document CBC-HMAC verification configuration
  • Add security recommendations
  • Include code examples for enabling HMAC

Breaking Changes: None

  • HMAC verification is disabled by default
  • Full backward compatibility maintained

- Implement HMAC verification for A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- Add EnableCbcHmacVerification config flag (default: false)
- Follow RFC 7516 specification for authenticated encryption
- Add 14 comprehensive unit tests (all 186 tests pass)
- Update README with configuration examples
- Maintain full backward compatibility
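The CBC-HMAC construction the description lists (CEK split into MAC key and AES key, HMAC over AAD || IV || Ciphertext || AAD_Length, hash chosen by key length, tag truncation, constant-time comparison) as an added Go example; it is not part of this pull request or the project's own code. It assumes a CEK of 32, 48 or 64 bytes, a 16-byte IV and PKCS#7 padding, and the names hashByCEKLen, authTag, Encrypt and Decrypt are its own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"hash"
)

// HMAC hash by CEK length: 32/48/64 bytes select A128CBC-HS256/A192CBC-HS384/A256CBC-HS512.
var hashByCEKLen = map[int]func() hash.Hash{32: sha256.New, 48: sha512.New384, 64: sha512.New}
// authTag = HMAC(MAC_KEY = first half of CEK, AAD || IV || CT || AL) truncated to len(cek)/2 bytes; AL is the AAD bit length, 64-bit big-endian (RFC 7518 5.2.2.1).
func authTag(cek, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	m := hmac.New(hashByCEKLen[len(cek)], cek[:len(cek)/2])
	for _, part := range [][]byte{aad, iv, ct, al} {
		m.Write(part)
	}
	return m.Sum(nil)[:len(cek)/2]
}
// Encrypt pads with PKCS#7, runs AES-CBC under ENC_KEY (second half of the CEK) and tags the result.
func Encrypt(cek, iv, aad, pt []byte) (ct, tag []byte, err error) {
	block, err := aes.NewCipher(cek[len(cek)/2:]) // also rejects CEK lengths other than 32/48/64
	if err != nil {
		return nil, nil, err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	ct = append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	return ct, authTag(cek, aad, iv, ct), nil
}
// Decrypt verifies the tag in constant time (hmac.Equal) before decrypting or unpadding, and returns one generic error for every failure so it cannot act as a padding or tag oracle.
func Decrypt(cek, iv, aad, ct, tag []byte) ([]byte, error) {
	block, err := aes.NewCipher(cek[len(cek)/2:])
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 || !hmac.Equal(authTag(cek, aad, iv, ct), tag) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("authentication failed")
}
```

Any change to the AAD, IV, ciphertext or tag fails the hmac.Equal check before the AES key is ever used, which is the tampering detection the PR's tests describe.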
@stoyanovaantoaneta76-hash left a comment

README.md

This was referenced Jan 24, 2026