From 607efe37f9a1cd254fec4343621f2aebc4baab61 Mon Sep 17 00:00:00 2001 From: ABaptista Date: Mon, 8 Aug 2016 01:06:50 +0100 Subject: [PATCH 1/3] Adds support for encrypted RSA private keys in decrypt_oaep --- jose.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/jose.py b/jose.py index beb5b81..f65313a 100644 --- a/jose.py +++ b/jose.py @@ -564,7 +564,8 @@ def encrypt_oaep(plaintext, jwk): def decrypt_oaep(ciphertext, jwk): try: - return PKCS1_OAEP.new(RSA.importKey(jwk['k'])).decrypt(ciphertext) + passphrase = jwk['passphrase'] if 'passphrase' in jwk else None + return PKCS1_OAEP.new(RSA.importKey(jwk['k'], passphrase)).decrypt(ciphertext) except ValueError as e: raise Error(e.args[0]) From a77c681128a419f719e1f5324c0cf6e586a5aa11 Mon Sep 17 00:00:00 2001 From: ABaptista Date: Tue, 9 Aug 2016 01:38:21 +0100 Subject: [PATCH 2/3] Adds support for encrypted RSA private keys in rsa_sign. Changes key to jwk in rsa_verify, hmac_sign and hmac_verify functions. --- jose.py | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/jose.py b/jose.py index f65313a..1b1969b 100644 --- a/jose.py +++ b/jose.py @@ -1,3 +1,6 @@ +#This modified version supports encrypted private keys (passphrase) +#I already submitted a pull request: https://github.com/Demonware/jose/pull/23 + import logging logger = logging.getLogger(__name__) @@ -475,7 +478,7 @@ def sign(claims, jwk, add_header=None, alg='HS256'): header = dict((add_header or {}).items() + [(HEADER_ALG, alg)]) header, payload = map(b64encode_url, map(json_encode, (header, claims))) - sig = b64encode_url(hash_fn(_jws_hash_str(header, payload), jwk['k'], + sig = b64encode_url(hash_fn(_jws_hash_str(header, payload), jwk, mod=mod)) return JWS(header, payload, sig) 
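Review bot: In `decrypt_oaep` the handler still catches only `ValueError`, although the new passphrase argument gives `RSA.importKey` an extra way to fail (a wrong or missing passphrase). If `RSA` here is PyCrypto's `Crypto.PublicKey.RSA`, its documentation lists `ValueError`, `IndexError` and `TypeError` for a key that cannot be parsed, so some failures may escape as raw exceptions instead of `jose.Error`; consider `except (ValueError, IndexError, TypeError) as e:`. The lookup itself reads more simply as `passphrase = jwk.get('passphrase')`. The same concern applies to `rsa_sign` in patch 2/3, which calls `RSA.importKey` with the passphrase and has no handler at all.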
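Review bot: The second positional argument of the JWA sign/verify callables changes from raw key material to the whole JWK dict, and nothing documents the new contract. It starts here with `hash_fn(..., jwk, mod=mod)` in `sign` and continues in the later hunks for `verify`, `hmac_sign`, `hmac_verify`, `rsa_sign` and `rsa_verify`. These helpers have public names, so a caller that passes a key string directly will now fail at `jwk['k']`. I would give each a one-line docstring such as `"""jwk: dict holding the key under 'k' and, for an encrypted RSA private key, an optional 'passphrase'."""`. `sign` begins above this hunk.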
@@ -499,6 +502,7 @@ def verify(jws, jwk, alg, validate_claims=True, expiry_seconds=None): :raises: :class:`~jose.NotYetValid` if the JWT is not yet valid :raises: :class:`~jose.Error` if there is an error decrypting the JWE """ + header, payload, sig = map(b64decode_url, jws) header = json_decode(header) if alg != header[HEADER_ALG]: @@ -507,7 +511,7 @@ def verify(jws, jwk, alg, validate_claims=True, expiry_seconds=None): (_, verify_fn), mod = JWA[header[HEADER_ALG]] if not verify_fn(_jws_hash_str(jws.header, jws.payload), - jwk['k'], sig, mod=mod): + jwk, sig, mod=mod): raise Error('Mismatched signatures') claims = json_decode(b64decode_url(jws.payload)) @@ -570,8 +574,8 @@ def decrypt_oaep(ciphertext, jwk): raise Error(e.args[0]) -def hmac_sign(s, key, mod=SHA256): - hmac = HMAC.new(key, digestmod=mod) +def hmac_sign(s, jwk, mod=SHA256): + hmac = HMAC.new(jwk['k'], digestmod=mod) if not isinstance(s, (tuple, list)): s = (s,) for item in s: @@ -579,8 +583,8 @@ def hmac_sign(s, key, mod=SHA256): return hmac.digest() -def hmac_verify(s, key, sig, mod=SHA256): - hmac = HMAC.new(key, digestmod=mod) +def hmac_verify(s, jwk, sig, mod=SHA256): + hmac = HMAC.new(jwk['k'], digestmod=mod) if not isinstance(s, (tuple, list)): s = (s,) for item in s: @@ -592,14 +596,15 @@ def hmac_verify(s, key, sig, mod=SHA256): return True -def rsa_sign(s, key, mod=SHA256): - key = RSA.importKey(key) +def rsa_sign(s, jwk, mod=SHA256): + passphrase = jwk['passphrase'] if 'passphrase' in jwk else None + key = RSA.importKey(jwk['k'], passphrase) hash = mod.new(s) return PKCS1_v1_5_SIG.new(key).sign(hash) -def rsa_verify(s, key, sig, mod=SHA256): - key = RSA.importKey(key) +def rsa_verify(s, jwk, sig, mod=SHA256): + key = RSA.importKey(jwk['k']) hash = mod.new(s) return PKCS1_v1_5_SIG.new(key).verify(hash, sig) From 6526fbf32dd26c3058757b1343e176b8372ac874 Mon Sep 17 00:00:00 2001 
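Review bot: `rsa_verify` imports `jwk['k']` without the passphrase while `rsa_sign` uses it, so a JWK holding an encrypted private key can sign but will presumably fail to import when passed to `verify`. If verification is meant to take only the public key, say so in a docstring; otherwise pass it through with `key = RSA.importKey(jwk['k'], jwk.get('passphrase'))`. Separately, keeping the passphrase in the same dict as the encrypted key means anything that logs, serialises or caches the JWK stores both together, which removes most of the benefit of encrypting the key at rest. A comment on `rsa_sign` and `decrypt_oaep` should tell callers to add `'passphrase'` only in memory, just before the call.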
From: ABaptista Date: Tue, 9 Aug 2016 01:41:44 +0100 Subject: [PATCH 3/3] Small fixes. --- jose.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/jose.py b/jose.py index 1b1969b..7a3d4e6 100644 --- a/jose.py +++ b/jose.py @@ -1,6 +1,3 @@ -#This modified version supports encrypted private keys (passphrase) -#I already submitted a pull request: https://github.com/Demonware/jose/pull/23 - import logging logger = logging.getLogger(__name__)