Add ECDSA support

Author: Michael Davis

ecdsa.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBzs13YUnYbLfYXTz4SG4DE4rPmsL3wBTdy34JcO+BDpI+NDZ0pqam
+UM/1sGZT+8hqUjSeQo6oz+Mx0VS6SJh31zygBwYFK4EEACOhgYkDgYYABACYencK
+8pm/iAeDVptaEZTZwNT0yW/muVwvvwkzS/D6GDCLsnLfI6e1FwEnTJF/GPFUlN5l
+9JSLxsbbFdM1muI+NgBE6ZLR1GZWjsNzu7BOB8RMy/mvSTokZwyIaWvWSn3hOF4i
+/4iczJnzJhUKDqHe5dJ//PLd7R3WVHxkvv7jFNTKYg==
+-----END EC PRIVATE KEY-----

ecdsa.pub

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAmHp3CvKZv4gHg1abWhGU2cDU9Mlv
+5rlcL78JM0vw+hgwi7Jy3yOntRcBJ0yRfxjxVJTeZfSUi8bG2xXTNZriPjYAROmS
+0dRmVo7Dc7uwTgfETMv5r0k6JGcMiGlr1kp94TheIv+InMyZ8yYVCg6h3uXSf/zy
+3e0d1lR8ZL7+4xTUymI=
+-----END PUBLIC KEY-----

jose/__init__.py

@@ -1,5 +1,5 @@
 
-__version__ = "0.1.8"
+__version__ = "0.2.0"
 __author__ = 'Michael Davis'
 __license__ = 'MIT'
 __copyright__ = 'Copyright 2015 Michael Davis'

jose/algorithms/EC.py

@@ -0,0 +1,58 @@
+
+import hashlib
+
+import ecdsa
+
+from .base import Algorithm
+from six import string_types, text_type
+
+
+class ECAlgorithm(Algorithm):
+    """
+    Performs signing and verification operations using
+    ECDSA and the specified hash function
+
+    This class requires the ecdsa package to be installed.
+
+    This is based off of the implementation in PyJWT 0.3.2
+    """
+    SHA256 = hashlib.sha256
+    SHA384 = hashlib.sha384
+    SHA512 = hashlib.sha512
+
+    def __init__(self, hash_alg):
+        self.hash_alg = hash_alg
+
+    def prepare_key(self, key):
+
+        if isinstance(key, ecdsa.SigningKey) or \
+           isinstance(key, ecdsa.VerifyingKey):
+            return key
+
+        if isinstance(key, string_types):
+            if isinstance(key, text_type):
+                key = key.encode('utf-8')
+
+            # Attempt to load key. We don't know if it's
+            # a Signing Key or a Verifying Key, so we try
+            # the Verifying Key first.
+            try:
+                key = ecdsa.VerifyingKey.from_pem(key)
+            except ecdsa.der.UnexpectedDER:
+                key = ecdsa.SigningKey.from_pem(key)
+
+        else:
+            raise TypeError('Expecting a PEM-formatted key.')
+
+        return key
+
+    def sign(self, msg, key):
+        return key.sign(msg, hashfunc=self.hash_alg,
+                        sigencode=ecdsa.util.sigencode_der)
+
+    def verify(self, msg, key, sig):
+        try:
+            return key.verify(sig, msg, hashfunc=self.hash_alg,
+                              sigdecode=ecdsa.util.sigdecode_der)
+        except ecdsa.der.UnexpectedDER:
+            return False

jose/algorithms/__init__.py

@@ -4,6 +4,7 @@
 
 from .HMAC import HMACAlgorithm
 from .RSA import RSAAlgorithm
+from .EC import ECAlgorithm
 
 
 def get_algorithm_object(algorithm):
@@ -29,4 +30,13 @@ def get_algorithm_object(algorithm):
     if algorithm == ALGORITHMS.RS512:
         return RSAAlgorithm(RSAAlgorithm.SHA512)
 
+    if algorithm == ALGORITHMS.ES256:
+        return ECAlgorithm(ECAlgorithm.SHA256)
+
+    if algorithm == ALGORITHMS.ES384:
+        return ECAlgorithm(ECAlgorithm.SHA384)
+
+    if algorithm == ALGORITHMS.ES512:
+        return ECAlgorithm(ECAlgorithm.SHA512)
+
     raise JWSError('Algorithm not supported: %s' % algorithm)

jose/algorithms/base.py

@@ -8,6 +8,9 @@ def prepare_key(self, key):
         """
         Performs necessary validation and conversions on the key and returns
         the key value in the proper format for sign() and verify().
+
+        Raises:
+            TypeError: If an invalid key is attempted to be used.
         """
         raise NotImplementedError
 

jose/constants.py

@@ -8,10 +8,14 @@ class ALGORITHMS(object):
     RS256 = 'RS256'
     RS384 = 'RS384'
     RS512 = 'RS512'
+    ES256 = 'ES256'
+    ES384 = 'ES384'
+    ES512 = 'ES512'
 
     HMAC = (HS256, HS384, HS512)
     RSA = (RS256, RS384, RS512)
+    EC = (ES256, ES384, ES512)
 
-    SUPPORTED = (HS256, HS384, HS512, RS256, RS384, RS512)
+    SUPPORTED = HMAC + RSA + EC
 
-    ALL = (NONE, HS256, HS384, HS512, RS256, RS384, RS512)
+    ALL = SUPPORTED + (NONE, )

jose/exceptions.py

@@ -8,6 +8,10 @@ class JWSError(JOSEError):
     pass
 
 
+class JWSAlgorithmError(JWSError):
+    pass
+
+
 class JWTError(JOSEError):
     pass
 

tests/algorithms/test_EC.py

@@ -0,0 +1,38 @@
+
+
+from jose.algorithms import ECAlgorithm
+
+import ecdsa
+import pytest
+
+
+@pytest.fixture
+def alg():
+    return ECAlgorithm(ECAlgorithm.SHA256)
+
+private_key = """-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEIIAK499svJugZZfsTsgL2tc7kH/CpzQbkr4g55CEWQyPoAcGBSuBBAAK
+oUQDQgAEsOnVqWVPfjte2nI0Ay3oTZVehCUtH66nJM8z6flUluHxhLG8ZTTCkJAZ
+W6xQdXHfqGUy3Dx40NDhgTaM8xAdSw==
+-----END EC PRIVATE KEY-----"""
+
+
+class TestECAlgorithm:
+
+    def test_EC_key(self, alg):
+        key = ecdsa.SigningKey.from_pem(private_key)
+        alg.prepare_key(key)
+
+    def test_string_secret(self, alg):
+        key = 'secret'
+        with pytest.raises(TypeError):
+            alg.prepare_key(key)
+
+    def test_string_unicode(self, alg):
+        unicode_key = private_key.decode('utf-8')
+        alg.prepare_key(unicode_key)
+
+    def test_object(self, alg):
+        key = object()
+        with pytest.raises(Exception):
+            alg.prepare_key(key)

tests/test_jws.py

@@ -96,7 +96,7 @@ def test_add_headers(self, claims):
         assert expected_headers == header
 
 
-private_key = """-----BEGIN RSA PRIVATE KEY-----
+rsa_private_key = """-----BEGIN RSA PRIVATE KEY-----
 MIIJKwIBAAKCAgEAtSKfSeI0fukRIX38AHlKB1YPpX8PUYN2JdvfM+XjNmLfU1M7
 4N0VmdzIX95sneQGO9kC2xMIE+AIlt52Yf/KgBZggAlS9Y0Vx8DsSL2HvOjguAdX
 ir3vYLvAyyHin/mUisJOqccFKChHKjnk0uXy/38+1r17/cYTp76brKpU1I4kM20M
@@ -148,7 +148,7 @@ def test_add_headers(self, claims):
 mdUxHwi1ulkspAn/fmY7f0hZpskDwcHyZmbKZuk+NU/FJ8IAcmvk9y7m25nSSc8=
 -----END RSA PRIVATE KEY-----"""
 
-public_key = """-----BEGIN PUBLIC KEY-----
+rsa_public_key = """-----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtSKfSeI0fukRIX38AHlK
 B1YPpX8PUYN2JdvfM+XjNmLfU1M74N0VmdzIX95sneQGO9kC2xMIE+AIlt52Yf/K
 gBZggAlS9Y0Vx8DsSL2HvOjguAdXir3vYLvAyyHin/mUisJOqccFKChHKjnk0uXy
@@ -167,26 +167,61 @@ def test_add_headers(self, claims):
 class TestRSA:
 
     def test_RSA256(self, claims):
-        token = jws.sign(claims, private_key, algorithm=ALGORITHMS.RS256)
-        assert jws.verify(token, public_key, ALGORITHMS.RS256) == claims
+        token = jws.sign(claims, rsa_private_key, algorithm=ALGORITHMS.RS256)
+        assert jws.verify(token, rsa_public_key, ALGORITHMS.RS256) == claims
 
     def test_RSA384(self, claims):
-        token = jws.sign(claims, private_key, algorithm=ALGORITHMS.RS384)
-        assert jws.verify(token, public_key, ALGORITHMS.RS384) == claims
+        token = jws.sign(claims, rsa_private_key, algorithm=ALGORITHMS.RS384)
+        assert jws.verify(token, rsa_public_key, ALGORITHMS.RS384) == claims
 
     def test_RSA512(self, claims):
-        token = jws.sign(claims, private_key, algorithm=ALGORITHMS.RS512)
-        assert jws.verify(token, public_key, ALGORITHMS.RS512) == claims
+        token = jws.sign(claims, rsa_private_key, algorithm=ALGORITHMS.RS512)
+        assert jws.verify(token, rsa_public_key, ALGORITHMS.RS512) == claims
 
     def test_wrong_alg(self, claims):
-        token = jws.sign(claims, private_key, algorithm=ALGORITHMS.RS256)
+        token = jws.sign(claims, rsa_private_key, algorithm=ALGORITHMS.RS256)
         with pytest.raises(JWSError):
-            jws.verify(token, public_key, ALGORITHMS.RS384)
+            jws.verify(token, rsa_public_key, ALGORITHMS.RS384)
 
     def test_wrong_key(self, claims):
-        token = jws.sign(claims, private_key, algorithm=ALGORITHMS.RS256)
+        token = jws.sign(claims, rsa_private_key, algorithm=ALGORITHMS.RS256)
         with pytest.raises(JWSError):
-            jws.verify(token, public_key, ALGORITHMS.HS256)
+            jws.verify(token, rsa_public_key, ALGORITHMS.HS256)
+
+ec_private_key = """-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBzs13YUnYbLfYXTz4SG4DE4rPmsL3wBTdy34JcO+BDpI+NDZ0pqam
+UM/1sGZT+8hqUjSeQo6oz+Mx0VS6SJh31zygBwYFK4EEACOhgYkDgYYABACYencK
+8pm/iAeDVptaEZTZwNT0yW/muVwvvwkzS/D6GDCLsnLfI6e1FwEnTJF/GPFUlN5l
+9JSLxsbbFdM1muI+NgBE6ZLR1GZWjsNzu7BOB8RMy/mvSTokZwyIaWvWSn3hOF4i
+/4iczJnzJhUKDqHe5dJ//PLd7R3WVHxkvv7jFNTKYg==
+-----END EC PRIVATE KEY-----"""
+
+ec_public_key = """-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAmHp3CvKZv4gHg1abWhGU2cDU9Mlv
+5rlcL78JM0vw+hgwi7Jy3yOntRcBJ0yRfxjxVJTeZfSUi8bG2xXTNZriPjYAROmS
+0dRmVo7Dc7uwTgfETMv5r0k6JGcMiGlr1kp94TheIv+InMyZ8yYVCg6h3uXSf/zy
+3e0d1lR8ZL7+4xTUymI=
+-----END PUBLIC KEY-----"""
+
+
+class TestEC:
+
+    def test_EC256(self, claims):
+        token = jws.sign(claims, ec_private_key, algorithm=ALGORITHMS.ES256)
+        assert jws.verify(token, ec_public_key, ALGORITHMS.ES256) == claims
+
+    def test_EC384(self, claims):
+        token = jws.sign(claims, ec_private_key, algorithm=ALGORITHMS.ES384)
+        assert jws.verify(token, ec_public_key, ALGORITHMS.ES384) == claims
+
+    def test_EC512(self, claims):
+        token = jws.sign(claims, ec_private_key, algorithm=ALGORITHMS.ES512)
+        assert jws.verify(token, ec_public_key, ALGORITHMS.ES512) == claims
+
+    def test_wrong_alg(self, claims):
+        token = jws.sign(claims, ec_private_key, algorithm=ALGORITHMS.ES256)
+        with pytest.raises(JWSError):
+            jws.verify(token, rsa_public_key, ALGORITHMS.ES384)
 
 
 class TestLoad: