If it's an EC key you ant make sure you get one with the correct curve.

rohe · rohe · commit dc617febdba2 · 2018-11-28T18:25:49.000+01:00
diff --git a/src/cryptojwt/jwt.py b/src/cryptojwt/jwt.py
@@ -49,14 +49,29 @@ def pick_key(keys, use, alg='', key_type='', kid=''):
             key_type = jws_alg2keytype(alg)
         else:
             key_type = jwe_alg2keytype(alg)
+
     for key in keys:
         if key.use and key.use != use:
             continue
 
         if key.kty == key_type:
-            if key.alg == '' or alg == '' or key.alg == alg:
-                if key.kid == '' or kid == '' or key.kid == kid:
+            if key.kid and kid:
+                if key.kid == kid:
                     res.append(key)
+                else:
+                    continue
+
+            if key.alg == '':
+                if alg:
+                    if key_type == 'EC':
+                        if key.crv == 'P-{}'.format(alg[2:]):
+                            res.append(key)
+                        continue
+                res.append(key)
+            elif alg and key.alg == alg:
+                res.append(key)
+            else:
+                res.append(key)
     return res
 
 
diff --git a/tests/test_09_jwt.py b/tests/test_09_jwt.py
@@ -1,8 +1,8 @@
 import os
 
-from cryptojwt.jwt import JWT
+from cryptojwt.jwt import JWT, pick_key
 from cryptojwt.key_bundle import KeyBundle
-from cryptojwt.key_jar import KeyJar
+from cryptojwt.key_jar import KeyJar, init_key_jar
 
 __author__ = 'Roland Hedberg'
 
@@ -164,3 +164,33 @@ def test_msg_cls():
     bob.msg_cls = DummyMsg
     info = bob.unpack(_jwt)
     assert isinstance(info, DummyMsg)
+
+
+KEY_DEFS = [
+    {"type": "RSA", "use": ["sig"]},
+    {"type": "RSA", "use": ["enc"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]},
+    {"type": "EC", "crv": "P-384", "use": ["sig"]}
+    ]
+
+kj = init_key_jar(key_defs=KEY_DEFS)
+
+
+def test_pick_key():
+    keys = kj.get_issuer_keys('')
+
+    _k = pick_key(keys, 'sig', 'RS256')
+    assert len(_k) == 1
+
+    _k = pick_key(keys, 'sig', 'ES256')
+    assert len(_k) == 1
+
+    _k = pick_key(keys, 'sig', 'ES384')
+    assert len(_k) == 1
+
+    _k = pick_key(keys, 'enc', "RSA-OAEP-256")
+    assert len(_k) == 1
+
+    _k = pick_key(keys, 'enc', "ECDH-ES")
+    assert len(_k) == 0
+
