Merge pull request #13 from mpdavis/jws-refactor

Refactor JWS to allow string payloads

Author: Michael Davis

jose/jwk.py

@@ -1,8 +1,12 @@
 
+import base64
 import hashlib
 import hmac
+import struct
 import six
 
+from builtins import int
+
 import Crypto.Hash.SHA256
 import Crypto.Hash.SHA384
 import Crypto.Hash.SHA512
@@ -60,6 +64,19 @@ def get_algorithm_object(algorithm):
     raise JWSError('Algorithm not supported: %s' % algorithm)
 
 
+def int_arr_to_long(arr):
+    return int(''.join(["%02x" % byte for byte in arr]), 16)
+
+
+def base64_to_long(data):
+    if isinstance(data, six.text_type):
+        data = data.encode("ascii")
+
+    # urlsafe_b64decode will happily convert b64encoded data
+    _d = base64.urlsafe_b64decode(bytes(data) + b'==')
+    return int_arr_to_long(struct.unpack('%sB' % len(_d), _d))
+
+
 class Key(object):
     """
     The interface for an JWK used to sign and verify tokens.
@@ -228,22 +245,13 @@ def process_prepare_key(self, key):
 
     def process_jwk(self, jwk):
 
-        def urlsafe_b64decode(encoded):
-            import base64
-            if not encoded:
-                return encoded
-            modulo = len(encoded) % 4
-            if modulo != 0:
-                encoded += ('=' * (4 - modulo))
-            return base64.b64decode(encoded)
-
         if not jwk.get('kty') == 'RSA':
             raise JWKError("Incorrect key type.  Expected: 'RSA', Recieved: %s" % jwk.get('kty'))
 
-        e = bytes(jwk.get('e', 256))
-        n = bytes(jwk.get('n'))
+        e = base64_to_long(jwk.get('e', 256))
+        n = base64_to_long(jwk.get('n'))
 
-        return RSA.construct((long(n), long(e)))
+        return RSA.construct((n, e))
 
     def process_sign(self, msg, key):
         return PKCS1_v1_5.new(key).sign(self.hash_alg.new(msg))

jose/jws.py

@@ -13,11 +13,11 @@
 from jose.utils import base64url_decode
 
 
-def sign(claims, key, headers=None, algorithm=ALGORITHMS.HS256):
+def sign(payload, key, headers=None, algorithm=ALGORITHMS.HS256):
     """Signs a claims set and returns a JWS string.
 
     Args:
-        claims (dict): A claims set to sign
+        payload (str): A string to sign
         key (str): The key to use for signing the claim set
         headers (dict, optional): A set of headers that will be added to
             the default headers.  Any headers that are added as additional
@@ -42,8 +42,8 @@ def sign(claims, key, headers=None, algorithm=ALGORITHMS.HS256):
         raise JWSError('Algorithm %s not supported.' % algorithm)
 
     encoded_header = _encode_header(algorithm, additional_headers=headers)
-    encoded_claims = _encode_claims(claims)
-    signed_output = _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key)
+    encoded_payload = _encode_payload(payload)
+    signed_output = _sign_header_and_claims(encoded_header, encoded_payload, algorithm, key)
 
     return signed_output
 
@@ -57,27 +57,27 @@ def verify(token, key, algorithms, verify=True):
         algorithms (str or list): Valid algorithms that should be used to verify the JWS.
 
     Returns:
-        dict: The dict representation of the claims set, assuming the signature is valid.
+        str: The str representation of the payload, assuming the signature is valid.
 
     Raises:
         JWSError: If there is an exception verifying a token.
 
     Examples:
 
-        >>> payload = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoiYiJ9.jiMyrsmD8AoHWeQgmxZ5yq8z0lXS67_QGs52AzC8Ru8'
-        >>> jws.verify(payload, 'secret', algorithms='HS256')
+        >>> token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoiYiJ9.jiMyrsmD8AoHWeQgmxZ5yq8z0lXS67_QGs52AzC8Ru8'
+        >>> jws.verify(token, 'secret', algorithms='HS256')
 
     """
 
-    header, claims, signing_input, signature = _load(token)
+    header, payload, signing_input, signature = _load(token)
 
     if verify:
-        _verify_signature(claims, signing_input, header, signature, key, algorithms)
+        _verify_signature(payload, signing_input, header, signature, key, algorithms)
 
-    return claims
+    return payload
 
 
-def get_unverified_headers(token):
+def get_unverified_header(token):
     """Returns the decoded headers without verification of any kind.
 
     Args:
@@ -93,6 +93,24 @@ def get_unverified_headers(token):
     return header
 
 
+def get_unverified_headers(token):
+    """Returns the decoded headers without verification of any kind.
+
+    This is simply a wrapper of get_unverified_header() for backwards
+    compatibility.
+
+    Args:
+        token (str): A signed JWS to decode the headers from.
+
+    Returns:
+        dict: The dict representation of the token headers.
+
+    Raises:
+        JWSError: If there is an exception decoding the token.
+    """
+    return get_unverified_header(token)
+
+
 def get_unverified_claims(token):
     """Returns the decoded claims without verification of any kind.
 
@@ -126,13 +144,17 @@ def _encode_header(algorithm, additional_headers=None):
     return base64url_encode(json_header)
 
 
-def _encode_claims(claims):
-    json_payload = json.dumps(
-        claims,
-        separators=(',', ':'),
-    ).encode('utf-8')
+def _encode_payload(payload):
+    if isinstance(payload, Mapping):
+        try:
+            payload = json.dumps(
+                payload,
+                separators=(',', ':'),
+            ).encode('utf-8')
+        except ValueError:
+            pass
 
-    return base64url_encode(json_payload)
+    return base64url_encode(payload)
 
 
 def _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key):
@@ -172,22 +194,16 @@ def _load(jwt):
         raise JWSError('Invalid header string: must be a json object')
 
     try:
-        claims_data = base64url_decode(claims_segment)
-        claims = json.loads(claims_data.decode('utf-8'))
+        payload = base64url_decode(claims_segment)
     except (TypeError, binascii.Error):
         raise JWSError('Invalid payload padding')
-    except ValueError as e:
-        raise JWSError('Invalid payload string: %s' % e)
-
-    if not isinstance(claims, Mapping):
-        raise JWSError('Invalid payload string: must be a json object')
 
     try:
         signature = base64url_decode(crypto_segment)
     except (TypeError, binascii.Error):
         raise JWSError('Invalid crypto padding')
 
-    return (header, claims, signing_input, signature)
+    return (header, payload, signing_input, signature)
 
 
 def _verify_signature(payload, signing_input, header, signature, key='', algorithms=None):

jose/jwt.py

@@ -1,5 +1,9 @@
 
+import binascii
+import json
+
 from calendar import timegm
+from collections import Mapping
 from datetime import datetime
 from datetime import timedelta
 from six import string_types
@@ -108,14 +112,24 @@ def decode(token, key, algorithms=None, options=None, audience=None, issuer=None
         defaults.update(options)
 
     verify_signature = defaults.get('verify_signature', True)
-    token_info = jws.verify(token, key, algorithms, verify=verify_signature)
+    payload = jws.verify(token, key, algorithms, verify=verify_signature)
 
-    _validate_claims(token_info, audience=audience, issuer=issuer, options=defaults)
+    try:
+        claims = json.loads(payload.decode('utf-8'))
+    except (TypeError, binascii.Error):
+        raise JWTError('Invalid payload padding')
+    except ValueError as e:
+        raise JWTError('Invalid payload string: %s' % e)
 
-    return token_info
+    if not isinstance(claims, Mapping):
+        raise JWTError('Invalid payload string: must be a json object')
 
+    _validate_claims(claims, audience=audience, issuer=issuer, options=defaults)
 
-def get_unverified_headers(token):
+    return claims
+
+
+def get_unverified_header(token):
     """Returns the decoded headers without verification of any kind.
 
     Args:
@@ -135,6 +149,24 @@ def get_unverified_headers(token):
     return headers
 
 
+def get_unverified_headers(token):
+    """Returns the decoded headers without verification of any kind.
+
+    This is simply a wrapper of get_unverified_header() for backwards
+    compatibility.
+
+    Args:
+        token (str): A signed JWT to decode the headers from.
+
+    Returns:
+        dict: The dict representation of the token headers.
+
+    Raises:
+        JWTError: If there is an exception decoding the token.
+    """
+    return get_unverified_header(token)
+
+
 def get_unverified_claims(token):
     """Returns the decoded claims without verification of any kind.
 

requirements.txt

@@ -1,2 +1,3 @@
 pycrypto
 six
+future

tests/algorithms/test_RSA.py

@@ -67,17 +67,6 @@ def alg():
 
 class TestRSAAlgorithm:
 
-    def test_cookbook_access_token(self, alg):
-        token = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9" \
-            ".SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9" \
-            "vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXI" \
-            "gZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9" \
-            "mZiB0by4.MRjdkly7_-oTPTS3AXP41iQIGKa80A0ZmTuV5MEaHoxnW2e5CZ5NlKtainoFmKZ" \
-            "opdHM1O2U4mwzJdQx996ivp83xuglII7PNDi84wnB-BDkoBwA78185hX-Es4JIwmDLJK3lfW" \
-            "Ra-XtL0RnltuYv746iYTh_qHRD68BNt1uSNCrUCTJDt5aAE6x8wW1Kt9eRo4QPocSadnHXFx" \
-            "nt8Is9UzpERV0ePPQdLuW3IS_de3xyIrDaLGdjluPxUAhb6L2aXic1U12podGU0KLUQSE_oI" \
-            "-ZnmKJ3F4uOZDnd6QZWJushZ41Axf_fcIe8u9ipH84ogoree7vjbU5y18kDquDg"
-
     def test_RSA_key(self, alg):
         key = RSA.importKey(private_key)
         alg.prepare_key(key)