Merge pull request jpadilla#20 from mandus/master

Update of pyjwt to support RSA keys

Author: progrium

AUTHORS

@@ -7,3 +7,6 @@ Patches and Suggestions
 -----------------------
 
  - FELD Boris <boris.feld@novapost.fr> <lothiraldan@gmail.com>
+
+ - Åsmund Ødegård <asmund@xal.no> <ao@mcash.no> 
+   Adding support for RSA-SHA256 privat/public signature.

README.md

@@ -29,11 +29,18 @@ The JWT spec supports several algorithms for cryptographic signing. This library
 * HS256 - HMAC using SHA-256 hash algorithm (default)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
+* RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm
+* RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash algorithm
+* RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash algorithm
 
 Change the algorithm with by setting it in encode:
 
     jwt.encode({"some": "payload"}, "secret", "HS512")
 
+For the RSASSA-PKCS1-v1_5 algorithms, the "secret" argument in jwt.encode is supposed to be a private RSA key as
+imported with Crypto.PublicKey.RSA.importKey. Likewise, the "secret" argument in jwt.decode is supposed to be the
+public RSA key imported with the same method. 
+
 Tests
 -----
 

jwt/__init__.py

@@ -14,6 +14,11 @@
 from calendar import timegm
 from collections import Mapping
 
+from Crypto.Signature import PKCS1_v1_5
+from Crypto.Hash import SHA256
+from Crypto.Hash import SHA384
+from Crypto.Hash import SHA512
+
 try:
     import json
 except ImportError:
@@ -38,7 +43,19 @@ class ExpiredSignature(Exception):
     'HS256': lambda msg, key: hmac.new(key, msg, hashlib.sha256).digest(),
     'HS384': lambda msg, key: hmac.new(key, msg, hashlib.sha384).digest(),
     'HS512': lambda msg, key: hmac.new(key, msg, hashlib.sha512).digest(),
-}
+    'RS256': lambda msg, key: PKCS1_v1_5.new(key).sign(SHA256.new(msg)),
+    'RS384': lambda msg, key: PKCS1_v1_5.new(key).sign(SHA384.new(msg)),
+    'RS512': lambda msg, key: PKCS1_v1_5.new(key).sign(SHA512.new(msg)),
+    }
+
+verify_methods = {
+    'HS256': lambda msg, key: hmac.new(key, msg, hashlib.sha256).digest(),
+    'HS384': lambda msg, key: hmac.new(key, msg, hashlib.sha384).digest(),
+    'HS512': lambda msg, key: hmac.new(key, msg, hashlib.sha512).digest(),
+    'RS256': lambda msg, key, sig: PKCS1_v1_5.new(key).verify(SHA256.new(msg), sig),
+    'RS384': lambda msg, key, sig: PKCS1_v1_5.new(key).verify(SHA384.new(msg), sig),
+    'RS512': lambda msg, key, sig: PKCS1_v1_5.new(key).verify(SHA512.new(msg), sig),
+    }
 
 
 def constant_time_compare(val1, val2):
@@ -146,9 +163,13 @@ def decode(jwt, key='', verify=True, verify_expiration=True, leeway=0):
         try:
             if isinstance(key, unicode):
                 key = key.encode('utf-8')
-            expected = signing_methods[header['alg']](signing_input, key)
-            if not constant_time_compare(signature, expected):
-                raise DecodeError("Signature verification failed")
+            if header['alg'].startswith('HS'):
+                expected = verify_methods[header['alg']](signing_input, key)
+                if not constant_time_compare(signature, expected):
+                    raise DecodeError("Signature verification failed")
+            else:
+                if not verify_methods[header['alg']](signing_input, key, signature):
+                    raise DecodeError("Signature verification failed")
         except KeyError:
             raise DecodeError("Algorithm not supported")
 

tests/test_jwt.py

@@ -10,6 +10,8 @@
 if sys.version_info >= (3, 0, 0):
     unicode = str
 
+from Crypto.PublicKey import RSA
+
 
 def utc_timestamp():
     return timegm(datetime.utcnow().utctimetuple())
@@ -172,6 +174,32 @@ def test_decode_with_expiration_with_leeway(self):
         with self.assertRaises(jwt.ExpiredSignature):
             jwt.decode(jwt_message, secret, leeway=1)
 
+    def test_encode_decode_with_rsa_sha256(self):
+        with open('tests/testkey','r') as rsa_priv_file:
+            priv_rsakey = RSA.importKey(rsa_priv_file.read())
+            jwt_message = jwt.encode(self.payload, priv_rsakey, algorithm='RS256')
+        with open('tests/testkey.pub','r') as rsa_pub_file:
+            pub_rsakey = RSA.importKey(rsa_pub_file.read())
+            assert jwt.decode(jwt_message, pub_rsakey)
+
+    def test_encode_decode_with_rsa_sha384(self):
+        with open('tests/testkey','r') as rsa_priv_file:
+            priv_rsakey = RSA.importKey(rsa_priv_file.read())
+            jwt_message = jwt.encode(self.payload, priv_rsakey, algorithm='RS384')
+        with open('tests/testkey.pub','r') as rsa_pub_file:
+            pub_rsakey = RSA.importKey(rsa_pub_file.read())
+            assert jwt.decode(jwt_message, pub_rsakey)
+
+    def test_encode_decode_with_rsa_sha512(self):
+        with open('tests/testkey','r') as rsa_priv_file:
+            priv_rsakey = RSA.importKey(rsa_priv_file.read())
+            jwt_message = jwt.encode(self.payload, priv_rsakey, algorithm='RS512')
+        with open('tests/testkey.pub','r') as rsa_pub_file:
+            pub_rsakey = RSA.importKey(rsa_pub_file.read())
+            assert jwt.decode(jwt_message, pub_rsakey)
+
+
+
 
 if __name__ == '__main__':
     unittest.main()

tests/testkey

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1HgzBfJv2cOjQryCwe8NEelriOTNFWKZUivevUrRhlqcmZJd
+CvuCJRr+xCN+OmO8qwgJJR98feNujxVg+J9Ls3/UOA4HcF9nYH6aqVXELAE8Hk/A
+Lvxi96ms1DDuAvQGaYZ+lANxlvxeQFOZSbjkz/9mh8aLeGKwqJLp3p+OhUBQpwvA
+UAPg82+OUtgTW3nSljjeFr14B8qAneGSc/wl0ni++1SRZUXFSovzcqQOkla3W27r
+rLfrD6LXgj/TsDs4vD1PnIm1zcVenKT7TfYI17bsG/O/Wecwz2Nl19pL7gDosNru
+F3ogJWNq1Lyn/ijPQnkPLpZHyhvuiycYcI3DiQIDAQABAoIBAQCt9uzwBZ0HVGQs
+lGULnUu6SsC9iXlR9TVMTpdFrij4NODb7Tc5cs0QzJWkytrjvB4Se7XhK3KnMLyp
+cvu/Fc7J3fRJIVN98t+V5pOD6rGAxlIPD4Vv8z6lQcw8wQNgb6WAaZriXh93XJNf
+YBO2hSj0FU5CBZLUsxmqLQBIQ6RR/OUGAvThShouE9K4N0vKB2UPOCu5U+d5zS3W
+44Q5uatxYiSHBTYIZDN4u27Nfo5WA+GTvFyeNsO6tNNWlYfRHSBtnm6SZDY/5i4J
+fxP2JY0waM81KRvuHTazY571lHM/TTvFDRUX5nvHIu7GToBKahfVLf26NJuTZYXR
+5c09GAXBAoGBAO7a9M/dvS6eDhyESYyCjP6w61jD7UYJ1fudaYFrDeqnaQ857Pz4
+BcKx3KMmLFiDvuMgnVVj8RToBGfMV0zP7sDnuFRJnWYcOeU8e2sWGbZmWGWzv0SD
++AhppSZThU4mJ8aa/tgsepCHkJnfoX+3wN7S9NfGhM8GDGxTHJwBpxINAoGBAOO4
+ZVtn9QEblmCX/Q5ejInl43Y9nRsfTy9lB9Lp1cyWCJ3eep6lzT60K3OZGVOuSgKQ
+vZ/aClMCMbqsAAG4fKBjREA6p7k4/qaMApHQum8APCh9WPsKLaavxko8ZDc41kZt
+hgKyUs2XOhW/BLjmzqwGryidvOfszDwhH7rNVmRtAoGBALYGdvrSaRHVsbtZtRM3
+imuuOCx1Y6U0abZOx9Cw3PIukongAxLlkL5G/XX36WOrQxWkDUK930OnbXQM7ZrD
++5dW/8p8L09Zw2VHKmb5eK7gYA1hZim4yJTgrdL/Y1+jBDz+cagcfWsXZMNfAZxr
+VLh628x0pVF/sof67pqVR9UhAoGBAMcQiLoQ9GJVhW1HMBYBnQVnCyJv1gjBo+0g
+emhrtVQ0y6+FrtdExVjNEzboXPWD5Hq9oKY+aswJnQM8HH1kkr16SU2EeN437pQU
+zKI/PtqN8AjNGp3JVgLioYp/pHOJofbLA10UGcJTMpmT9ELWsVA8P55X1a1AmYDu
+y9f2bFE5AoGAdjo95mB0LVYikNPa+NgyDwLotLqrueb9IviMmn6zKHCwiOXReqXD
+X9slB8RA15uv56bmN04O//NyVFcgJ2ef169GZHiRFIgIy0Pl8LYkMhCYKKhyqM7g
+xN+SqGqDTKDC22j00S7jcvCaa1qadn1qbdfukZ4NXv7E2d/LO0Y2Kkc=
+-----END RSA PRIVATE KEY-----

tests/testkey.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUeDMF8m/Zw6NCvILB7w0R6WuI5M0VYplSK969StGGWpyZkl0K+4IlGv7EI346Y7yrCAklH3x9426PFWD4n0uzf9Q4DgdwX2dgfpqpVcQsATweT8Au/GL3qazUMO4C9AZphn6UA3GW/F5AU5lJuOTP/2aHxot4YrCokunen46FQFCnC8BQA+Dzb45S2BNbedKWON4WvXgHyoCd4ZJz/CXSeL77VJFlRcVKi/NypA6SVrdbbuust+sPoteCP9OwOzi8PU+cibXNxV6cpPtN9gjXtuwb879Z5zDPY2XX2kvuAOiw2u4XeiAlY2rUvKf+KM9CeQ8ulkfKG+6LJxhwjcOJ aasmundo@mair.local