Added a check so that asymmetric keys cannot be used as HMAC secrets to fix jpadilla#105

Author: mark-adams

jwt/algorithms.py

@@ -2,6 +2,7 @@
 import hmac
 
 from .compat import constant_time_compare, string_types, text_type
+from .exceptions import InvalidAlgorithmError
 
 try:
     from cryptography.hazmat.primitives import interfaces, hashes
@@ -96,6 +97,12 @@ def prepare_key(self, key):
         if isinstance(key, text_type):
             key = key.encode('utf-8')
 
+        if (b'-----BEGIN PUBLIC KEY-----' in key
+            or b'-----BEGIN CERTIFICATE-----' in key):
+            raise InvalidAlgorithmError(
+                'The specified key is an assymetric key or x509 certificate and'
+                ' should not be used as an HMAC secret.')
+
         return key
 
     def sign(self, msg, key):

jwt/exceptions.py

@@ -17,6 +17,9 @@ class InvalidAudienceError(InvalidTokenError):
 class InvalidIssuerError(InvalidTokenError):
     pass
 
+class InvalidAlgorithmError(Exception):
+    pass
+
 
 # Compatibility aliases (deprecated)
 ExpiredSignature = ExpiredSignatureError