Merge pull request #4 from jschlyter/fix_dsasigner

rohe · web-flow · commit 7c4e16da248c · 2018-03-09T08:25:29.000+01:00
Fix DSASigner
diff --git a/src/cryptojwt/jws.py b/src/cryptojwt/jws.py
@@ -11,6 +11,8 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.asymmetric import utils
+from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
+from cryptography.utils import int_from_bytes, int_to_bytes
 
 try:
     from builtins import str
@@ -174,16 +176,30 @@ def __init__(self, algorithm='SHA256'):
             raise UnSupported('algorithm: {}'.format(algorithm))
 
     def sign(self, msg, key):
-        return key.sign(msg, ec.ECDSA(self.hash_algorithm()))
+        # cryptography returns ASN.1-encoded signature data; decode as JWS uses raw signatures (r||s)
+        asn1sig = key.sign(msg, ec.ECDSA(self.hash_algorithm()))
+        (r, s) = decode_dss_signature(asn1sig)
+        return int_to_bytes(r) + int_to_bytes(s)
 
     def verify(self, msg, sig, key):
         try:
-            key.verify(sig, msg, ec.ECDSA(self.hash_algorithm()))
+            # cryptography uses ASN.1-encoded signature data; split JWS signature (r||s) and encode before verification
+            (r, s) = self._split_raw_signature(sig)
+            asn1sig = encode_dss_signature(r, s)
+            key.verify(asn1sig, msg, ec.ECDSA(self.hash_algorithm()))
         except InvalidSignature as err:
             raise BadSignature(err)
         else:
             return True
 
+    @staticmethod
+    def _split_raw_signature(sig):
+        """Split raw signature into components"""
+        c_length = len(sig) // 2
+        r = int_from_bytes(sig[:c_length], byteorder='big')
+        s = int_from_bytes(sig[c_length:], byteorder='big')
+        return (r, s)
+
 
 class PSSSigner(Signer):
     def __init__(self, algorithm='SHA256'):
