For JSON serialized signed JWT allow the verifier to not have all keys

rohe · rohe · commit 65443517afa4 · 2019-05-28T21:47:59.000+02:00
necessary to verify all the signatures. If so chosen only one signature
MUSt be verified correctly.
diff --git a/src/cryptojwt/jws/jws.py b/src/cryptojwt/jws/jws.py
@@ -2,6 +2,7 @@
 import json
 import logging
 
+from cryptojwt.jws.exception import JWSException
 
 try:
     from builtins import str
@@ -292,11 +293,15 @@ def create_signature(protected, unprotected):
 
         return json.dumps(res)
 
-    def verify_json(self, jws, keys=None, allow_none=False, sigalg=None):
+    def verify_json(self, jws, keys=None, allow_none=False, at_least_one=False):
         """
 
-        :param jws:
-        :param keys:
+        :param jws: The JSON document representing the signed JSON
+        :param keys: Keys that might be useful for verifying the signatures
+        :param allow_none: Allow the None signature algorithm. Is the same
+            as allowing no signature at all.
+        :param at_least_one: At least one of the signatures must verify
+            correctly. No suitable signing key is the only allow exception.
         :return:
         """
 
@@ -317,7 +322,7 @@ def verify_json(self, jws, keys=None, allow_none=False, sigalg=None):
                     signature[key] = _jwss[key]
             _signs = [signature]
 
-        _claim = None
+        _claim = last_exception = None
         for _sign in _signs:
             protected_headers = _sign.get("protected", "")
             token = b".".join([protected_headers.encode(), _payload.encode(),
@@ -329,13 +334,28 @@ def verify_json(self, jws, keys=None, allow_none=False, sigalg=None):
                 json.loads(b64d_enc_dec(protected_headers) or {}))
             self.__init__(**all_headers)
 
-            _tmp = self.verify_compact(token, keys, allow_none, sigalg)
+            try:
+                _tmp = self.verify_compact(token, keys, allow_none)
+            except NoSuitableSigningKeys:
+                if at_least_one is True:
+                    logger.warning(
+                        'Could not verify signature with headers: {}'.format(
+                            all_headers))
+                    continue
+                else:
+                    raise
+            except JWSException as err:
+                raise
+
             if _claim is None:
                 _claim = _tmp
             else:
                 if _claim != _tmp:
                     raise ValueError()
 
+        if not _claim:
+            raise NoSuitableSigningKeys('None')
+
         return _claim
 
     def is_jws(self, jws):
diff --git a/tests/test_06_jws.py b/tests/test_06_jws.py
@@ -40,14 +40,18 @@ def full_path(local_file):
 
 PRIV_KEY = full_path("server.key")
 
-JWK_a = {"keys": [{'alg': 'RSA',
+JWK_a = {
+    "keys": [{
+                 'alg': 'RSA',
                  'use': 'foo',
                  'e': 'AQAB',
                  'n': (
                      'wf-wiusGhA-gleZYQAOPQlNUIucPiqXdPVyieDqQbXXOPBe3nuggtV'
                      'zeq7pVFH1dZz4dY2Q2LA5DaegvP8kRvoSB_87ds3dy3Rfym_GUSc5B'
                      '0l1TgEobcyaep8jguRoHto6GWHfCfKqoUYZq4N8vh4LLMQwLR6zi6J'
-                     'tu82nB5k8')}]}
+                     'tu82nB5k8')
+                 }]
+    }
 
 # 64*8 = 256 bits
 HMAC_KEY = [3, 35, 53, 75, 43, 15, 165, 188, 131, 126, 6, 101, 119, 123, 166,
@@ -56,42 +60,48 @@ def full_path(local_file):
             119, 98, 61, 34, 61, 46, 33, 114, 5, 46, 79, 8, 192, 205, 154, 245,
             103, 208, 128, 163]
 
-JWKS_a = {"keys": [
-    {'e': 'AQAB', 'kty': 'RSA', 'alg': 'RSA256',
-     'n': 'qYJqXTXsDroPYyQBBmSolK3bJtrSerEm'
-          '-nrmbSpfn8Rz3y3oXLydvUqj8869PkcEzoJIY5Xf7xDN1Co_qyT9qge'
-          '-3C6DEwGVHXOwRoXRGQ_h50Vsh60MB5MIuDN188EeZnQ30dtCTBB9KDTSEA2DunplhwLCq4xphnMNUaeHdEk',
-     'kid': 'rsa1'},
-    {
-        "k":
-            b"YTEyZjBlMDgxMGI4YWU4Y2JjZDFiYTFlZTBjYzljNDU3YWM0ZWNiNzhmNmFlYTNkNTY0NzMzYjE",
-        "kty": "oct",
-    }]}
-
-JWKS_b = {"keys": [
-    {
-        "n":
-            b"zkpUgEgXICI54blf6iWiD2RbMDCOO1jV0VSff1MFFnujM4othfMsad7H1kRo50YM5S_X9TdvrpdOfpz5aBaKFhT6Ziv0nhtcekq1eRl8mjBlvGKCE5XGk-0LFSDwvqgkJoFYInq7bu0a4JEzKs5AyJY75YlGh879k1Uu2Sv3ZZOunfV1O1Orta-NvS-aG_jN5cstVbCGWE20H0vFVrJKNx0Zf-u-aA-syM4uX7wdWgQ-owoEMHge0GmGgzso2lwOYf_4znanLwEuO3p5aabEaFoKNR4K6GjQcjBcYmDEE4CtfRU9AEmhcD1kleiTB9TjPWkgDmT9MXsGxBHf3AKT5w",
-        "e": b"AQAB",
-        "kty": "RSA",
-        "kid": "rsa1",
-        "use": "sig"
-    },
-    {
-        "k":
-            b"YTEyZjBlMDgxMGI4YWU4Y2JjZDFiYTFlZTBjYzljNDU3YWM0ZWNiNzhmNmFlYTNkNTY0NzMzYjE",
-        "kty": "oct",
-        "use": "sig"
-    },
-    {
-        "kty": "EC",
-        "kid": "ec1",
-        "use": "sig",
-        "x": "q0WbWhflRbxyQZKFuQvh2nZvg98ak-twRoO5uo2L7Po",
-        "y": "GOd2jL_6wa0cfnyA0SmEhok9fkYEnAHFKLLM79BZ8_E",
-        "crv": "P-256"
+JWKS_a = {
+    "keys": [
+        {
+            'e': 'AQAB', 'kty': 'RSA', 'alg': 'RSA256',
+            'n': 'qYJqXTXsDroPYyQBBmSolK3bJtrSerEm'
+                 '-nrmbSpfn8Rz3y3oXLydvUqj8869PkcEzoJIY5Xf7xDN1Co_qyT9qge'
+                 '-3C6DEwGVHXOwRoXRGQ_h50Vsh60MB5MIuDN188EeZnQ30dtCTBB9KDTSEA2DunplhwLCq4xphnMNUaeHdEk',
+            'kid': 'rsa1'
+            },
+        {
+            "k":
+                b"YTEyZjBlMDgxMGI4YWU4Y2JjZDFiYTFlZTBjYzljNDU3YWM0ZWNiNzhmNmFlYTNkNTY0NzMzYjE",
+            "kty": "oct",
+            }]
+    }
+
+JWKS_b = {
+    "keys": [
+        {
+            "n":
+                b"zkpUgEgXICI54blf6iWiD2RbMDCOO1jV0VSff1MFFnujM4othfMsad7H1kRo50YM5S_X9TdvrpdOfpz5aBaKFhT6Ziv0nhtcekq1eRl8mjBlvGKCE5XGk-0LFSDwvqgkJoFYInq7bu0a4JEzKs5AyJY75YlGh879k1Uu2Sv3ZZOunfV1O1Orta-NvS-aG_jN5cstVbCGWE20H0vFVrJKNx0Zf-u-aA-syM4uX7wdWgQ-owoEMHge0GmGgzso2lwOYf_4znanLwEuO3p5aabEaFoKNR4K6GjQcjBcYmDEE4CtfRU9AEmhcD1kleiTB9TjPWkgDmT9MXsGxBHf3AKT5w",
+            "e": b"AQAB",
+            "kty": "RSA",
+            "kid": "rsa1",
+            "use": "sig"
+            },
+        {
+            "k":
+                b"YTEyZjBlMDgxMGI4YWU4Y2JjZDFiYTFlZTBjYzljNDU3YWM0ZWNiNzhmNmFlYTNkNTY0NzMzYjE",
+            "kty": "oct",
+            "use": "sig"
+            },
+        {
+            "kty": "EC",
+            "kid": "ec1",
+            "use": "sig",
+            "x": "q0WbWhflRbxyQZKFuQvh2nZvg98ak-twRoO5uo2L7Po",
+            "y": "GOd2jL_6wa0cfnyA0SmEhok9fkYEnAHFKLLM79BZ8_E",
+            "crv": "P-256"
+            }
+        ]
     }
-]}
 
 JWK_b = {
     "keys": [
@@ -105,9 +115,9 @@ def full_path(local_file):
             "use": "sig",
             "x5c": [
                 "MIIDPjCCAiqgAwIBAgIQsRiM0jheFZhKk49YD0SK1TAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTQwMTAxMDcwMDAwWhcNMTYwMTAxMDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkSCWg6q9iYxvJE2NIhSyOiKvqoWCO2GFipgH0sTSAs5FalHQosk9ZNTztX0ywS/AHsBeQPqYygfYVJL6/EgzVuwRk5txr9e3n1uml94fLyq/AXbwo9yAduf4dCHTP8CWR1dnDR+Qnz/4PYlWVEuuHHONOw/blbfdMjhY+C/BYM2E3pRxbohBb3x//CfueV7ddz2LYiH3wjz0QS/7kjPiNCsXcNyKQEOTkbHFi3mu0u13SQwNddhcynd/GTgWN8A+6SN1r4hzpjFKFLbZnBt77ACSiYx+IHK4Mp+NaVEi5wQtSsjQtI++XsokxRDqYLwus1I1SihgbV/STTg5enufuwIDAQABo2IwYDBeBgNVHQEEVzBVgBDLebM6bK3BjWGqIBrBNFeNoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQsRiM0jheFZhKk49YD0SK1TAJBgUrDgMCHQUAA4IBAQCJ4JApryF77EKC4zF5bUaBLQHQ1PNtA1uMDbdNVGKCmSf8M65b8h0NwlIjGGGy/unK8P6jWFdm5IlZ0YPTOgzcRZguXDPj7ajyvlVEQ2K2ICvTYiRQqrOhEhZMSSZsTKXFVwNfW6ADDkN3bvVOVbtpty+nBY5UqnI7xbcoHLZ4wYD251uj5+lo13YLnsVrmQ16NCBYq2nQFNPuNJw6t3XUbwBHXpF46aLT1/eGf/7Xx6iy8yPJX4DyrpFTutDz882RWofGEO5t4Cw+zZg70dJ/hH/ODYRMorfXEW+8uKmXMKmX2wyxMKvfiPbTy5LmAU8Jvjs2tLg4rOBcXWLAIarZ"
-            ],
+                ],
             "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"
-        },
+            },
         {
             "e": "AQAB",
             "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0/",
@@ -118,9 +128,9 @@ def full_path(local_file):
             "use": "sig",
             "x5c": [
                 "MIIC4jCCAcqgAwIBAgIQQNXrmzhLN4VGlUXDYCRT3zANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE0MTAyODAwMDAwMFoXDTE2MTAyNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyKs/uPhEf7zVizjfcr/ISGFe9+yUOqwpel38zgutvLHmFD39E2hpPdQhcXn4c4dt1fU5KvkbcDdVbP8+e4TvNpJMy/nEB2V92zCQ/hhBjilwhF1ETe1TMmVjALs0KFvbxW9ZN3EdUVvxFvz/gvG29nQhl4QWKj3x8opr89lmq14Z7T0mzOV8kub+cgsOU/1bsKqrIqN1fMKKFhjKaetctdjYTfGzVQ0AJAzzbtg0/Q1wdYNAnhSDafygEv6kNiquk0r0RyasUUevEXs2LY3vSgKsKseI8ZZlQEMtE9/k/iAG7JNcEbVg53YTurNTrPnXJOU88mf3TToX14HpYsS1ECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAfolx45w0i8CdAUjjeAaYdhG9+NDHxop0UvNOqlGqYJexqPLuvX8iyUaYxNGzZxFgGI3GpKfmQP2JQWQ1E5JtY/n8iNLOKRMwqkuxSCKJxZJq4Sl/m/Yv7TS1P5LNgAj8QLCypxsWrTAmq2HSpkeSk4JBtsYxX6uhbGM/K1sEktKybVTHu22/7TmRqWTmOUy9wQvMjJb2IXdMGLG3hVntN/WWcs5w8vbt1i8Kk6o19W2MjZ95JaECKjBDYRlhG1KmSBtrsKsCBQoBzwH/rXfksTO9JoUYLXiW0IppB7DhNH4PJ5hZI91R8rR0H3/bKkLSuDaKLWSqMhozdhXsIIKvJQ=="
-            ],
+                ],
             "x5t": "MnC_VZcATfM5pOYiJHMba9goEKY"
-        },
+            },
         {
             "e": "AQAB",
             "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b"
@@ -134,9 +144,9 @@ def full_path(local_file):
             "use": "sig",
             "x5c": [
                 "MIICWzCCAcSgAwIBAgIJAKVzMH2FfC12MA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xMzExMTExODMzMDhaFw0xNjExMTAxODMzMDhaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5ymq/xwmst1nstPr8YFOTyD1J5N4idYmrph7AyAv95RbWXfDRqy8CMRG7sJq+UWOKVOA4MVrd/NdV+ejj1DE5MPSiG+mZK/5iqRCDFvPYqOyRj539xaTlARNY4jeXZ0N6irZYKqSfYACjkkKxbLKcijSu1pJ48thXOTED0oNa6UCAwEAAaOBijCBhzAdBgNVHQ4EFgQURCN+4cb0pvkykJCUmpjyfUfnRMowWQYDVR0jBFIwUIAURCN+4cb0pvkykJCUmpjyfUfnRMqhLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJAKVzMH2FfC12MAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOBgQB8v8G5/vUl8k7xVuTmMTDA878AcBKBrJ/Hp6RShmdqEGVI7SFR7IlBN1//NwD0n+IqzmnRV2PPZ7iRgMF/Fyvqi96Gd8X53ds/FaiQpZjUUtcO3fk0hDRQPtCYMII5jq+YAYjSybvF84saB7HGtucVRn2nMZc5cAC42QNYIlPMqA=="
-            ],
+                ],
             "x5t": "GvnPApfWMdLRi8PDmisFn7bprKg"
-        },
+            },
         {
             "e": "AQAB",
             "issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b"
@@ -148,22 +158,25 @@ def full_path(local_file):
             "use": "sig",
             "x5c": [
                 "MIICWzCCAcSgAwIBAgIJAL3MzqqEFMYjMA0GCSqGSIb3DQEBBQUAMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTAeFw0xMzExMTExOTA1MDJaFw0xOTExMTAxOTA1MDJaMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx7HNcD9ZxTFRaAgZ7+gdYLkgQua3zvQseqBJIt8Uq3MimInMZoE9QGQeSML7qZPlowb5BUakdLI70ayM4vN36++0ht8+oCHhl8YjGFQkU+Iv2yahWHEP+1EK6eOEYu6INQP9Lk0HMk3QViLwshwb+KXVD02jdmX2HNdYJdPyc0cCAwEAAaOBijCBhzAdBgNVHQ4EFgQULR0aj9AtiNMgqIY8ZyXZGsHcJ5gwWQYDVR0jBFIwUIAULR0aj9AtiNMgqIY8ZyXZGsHcJ5ihLaQrMCkxJzAlBgNVBAMTHkxpdmUgSUQgU1RTIFNpZ25pbmcgUHVibGljIEtleYIJAL3MzqqEFMYjMAsGA1UdDwQEAwIBxjANBgkqhkiG9w0BAQUFAAOBgQBshrsF9yls4ArxOKqXdQPDgHrbynZL8m1iinLI4TeSfmTCDevXVBJrQ6SgDkihl3aCj74IEte2MWN78sHvLLTWTAkiQSlGf1Zb0durw+OvlunQ2AKbK79Qv0Q+wwGuK+oymWc3GSdP1wZqk9dhrQxb3FtdU2tMke01QTut6wr7ig=="
-            ],
+                ],
             "x5t": "dEtpjbEvbhfgwUI-bdK5xAU_9UQ"
-        }
-    ]
-}
+            }
+        ]
+    }
 
 SIGJWKS = KeyBundle(JWKS_b)
 
 
 def P256():
     return ec.generate_private_key(ec.SECP256R1(), default_backend())
 
+
 def test_1():
-    claimset = {"iss": "joe",
-                "exp": 1300819380,
-                "http://example.com/is_root": True}
+    claimset = {
+        "iss": "joe",
+        "exp": 1300819380,
+        "http://example.com/is_root": True
+        }
 
     _jws = JWS(claimset, cty="JWT", alg='none')
     _jwt = _jws.sign_compact()
@@ -361,7 +374,7 @@ def test_jws_mm():
     (ec.SECP256R1, "ES256"),
     (ec.SECP384R1, "ES384"),
     (ec.SECP521R1, "ES512"),
-])
+    ])
 def test_signer_es(ec_func, alg):
     payload = "Please take a moment to register today"
     eck = ec.generate_private_key(ec_func(), default_backend())
@@ -469,17 +482,20 @@ def test_no_alg_and_alg_none_same():
 
 
 def test_sign_2():
-    keyset = {"keys": [
-        {"alg": "RS512",
-         "kty": "RSA",
-         "d": "ckLyXxkbjC4szg8q8G0ERBZV"
-              "-9CszeOxpRtx1KM9BLl0Do3li_Km2vvFvfXJ7MxQpiZ18pBoCcyYQEU262ym8wI22JWMPrZe24HCNxLxqzr_JEuBhpKFxQF6EFTSvJEJD1FkoTuCTvN0zD7YHGaJQG6JzVEuFUY3ewxjH0FYNa_ppTnPP3LC-T9u_GX9Yqyuw1KOYoHSzhWSWQOeAgs4dH9-iAxN1wdZ6eH1jFWAs43svk_rhwdgyJMlihFtV9MAInBlfi_Zu8wRVhVl5urkJrLf0tGFnMbnzb6dYSlUXxEYClpY12W7kXW9aePDqkCwI4oZyxmOmgq4hunKGR1dAQ",
-         "e": "AQAB",
-         "use": "sig",
-         "kid": "af22448d-4c7b-464d-b63a-f5bd90f6d7d1",
-         "n": "o9g8DpUwBW6B1qmcm-TfEh4rNX7n1t38jdo4Gkl_cI3q"
-              "--7n0Blg0kN88LHZvyZjUB2NhBdFYNxMP8ucy0dOXvWGWzaPmGnq3DM__lN8P4WjD1cCTAVEYKawNBAmGKqrFj1SgpPNsSqiqK-ALM1w6mZ-QGimjOgwCyJy3l9lzZh5D8tKnS2t1pZgE0X5P7lZQWHYpHPqp4jKhETzrCpPGfv0Rl6nmmjp7NlRYBkWKf_HEKE333J6M039m2FbKgxrBg3zmYYpmHuMzVgxxb8LSiv5aqyeyJjxM-YDUAgNQBfKNhONqXyu9DqtSprNkw6sqmuxK0QUVrNYl3b03PgS5Q"
-         }]}
+    keyset = {
+        "keys": [
+            {
+                "alg": "RS512",
+                "kty": "RSA",
+                "d": "ckLyXxkbjC4szg8q8G0ERBZV"
+                     "-9CszeOxpRtx1KM9BLl0Do3li_Km2vvFvfXJ7MxQpiZ18pBoCcyYQEU262ym8wI22JWMPrZe24HCNxLxqzr_JEuBhpKFxQF6EFTSvJEJD1FkoTuCTvN0zD7YHGaJQG6JzVEuFUY3ewxjH0FYNa_ppTnPP3LC-T9u_GX9Yqyuw1KOYoHSzhWSWQOeAgs4dH9-iAxN1wdZ6eH1jFWAs43svk_rhwdgyJMlihFtV9MAInBlfi_Zu8wRVhVl5urkJrLf0tGFnMbnzb6dYSlUXxEYClpY12W7kXW9aePDqkCwI4oZyxmOmgq4hunKGR1dAQ",
+                "e": "AQAB",
+                "use": "sig",
+                "kid": "af22448d-4c7b-464d-b63a-f5bd90f6d7d1",
+                "n": "o9g8DpUwBW6B1qmcm-TfEh4rNX7n1t38jdo4Gkl_cI3q"
+                     "--7n0Blg0kN88LHZvyZjUB2NhBdFYNxMP8ucy0dOXvWGWzaPmGnq3DM__lN8P4WjD1cCTAVEYKawNBAmGKqrFj1SgpPNsSqiqK-ALM1w6mZ-QGimjOgwCyJy3l9lzZh5D8tKnS2t1pZgE0X5P7lZQWHYpHPqp4jKhETzrCpPGfv0Rl6nmmjp7NlRYBkWKf_HEKE333J6M039m2FbKgxrBg3zmYYpmHuMzVgxxb8LSiv5aqyeyJjxM-YDUAgNQBfKNhONqXyu9DqtSprNkw6sqmuxK0QUVrNYl3b03PgS5Q"
+                }]
+        }
 
     keys = KeyBundle(keyset)
     jws = JWS("payload", alg="RS512")
@@ -524,10 +540,10 @@ def test_verify_protected_headers():
             header=dict(alg=u"ES256", jwk=_key.serialize()),
             protected=protectedHeader,
             signature=sig,
-        )
-    ])
+            )
+        ])
 
-    #_pub_key = ECKey().load_key(eck.public_key())
+    # _pub_key = ECKey().load_key(eck.public_key())
     _jws = JWS()
     assert _jws.verify_json(json.dumps(data)) == payload
 
@@ -828,3 +844,35 @@ def test_factory_verify_alg():
     _jws = _signer.sign_compact(keys, abc=123)
     _verifier = factory(_jws)
     assert _verifier.jwt.verify_headers(alg='RS512') is False
+
+
+def test_verify_json_missing_key():
+    ec_key = ECKey().load_key(P256())
+    sym_key = SYMKey(key=b'My hollow echo chamber', alg="HS384")
+
+    protected_headers_1 = {"foo": "bar", 'alg': 'ES256'}
+    unprotected_headers_1 = {"abc": "xyz"}
+    protected_headers_2 = {"foo": "bar", 'alg': 'HS384'}
+    unprotected_headers_2 = {"abc": "zeb"}
+    payload = "hello world"
+    _jwt = JWS(msg=payload).sign_json(
+        headers=[
+            (protected_headers_1, unprotected_headers_1),
+            (protected_headers_2, unprotected_headers_2)],
+        keys=[ec_key, sym_key])
+
+    # Only the EC key
+    vkeys = [ECKey().load_key(ec_key.public_key())]
+    with pytest.raises(NoSuitableSigningKeys):
+        JWS().verify_json(_jwt, keys=vkeys)
+
+    assert JWS().verify_json(_jwt, keys=vkeys, at_least_one=True)
+
+    # Only the SYM key
+    with pytest.raises(NoSuitableSigningKeys):
+        JWS().verify_json(_jwt, keys=[sym_key])
+
+    assert JWS().verify_json(_jwt, keys=[sym_key], at_least_one=True)
+
+    # With both
+    assert JWS().verify_json(_jwt, keys=[vkeys[0], sym_key])
