Skip to content

Salt length #179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Salt length #179

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
5c088c1
Bli explicit about salt length when doing PSS padding.
rohe Apr 29, 2025
79e68c0
Don't add key if it's already there.
rohe May 1, 2025
e500b36
Bli explicit about salt length when doing PSS padding.
rohe Apr 29, 2025
f6c7cd5
Merge branch 'salt_length' of github.com:IdentityPython/JWTConnect-Py…
rohe May 7, 2025
f852106
Ran ruff
rohe May 7, 2025
b0f39a5
The expression in order_key_defs didn't make sense.
rohe May 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions src/cryptojwt/jws/pss.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,13 @@ class PSSSigner(Signer):
def __init__(self, algorithm="SHA256"):
if algorithm == "SHA256":
self.hash_algorithm = hashes.SHA256
self.salt_length = 32
elif algorithm == "SHA384":
self.hash_algorithm = hashes.SHA384
self.salt_length = 48
elif algorithm == "SHA512":
self.hash_algorithm = hashes.SHA512
self.salt_length = 64
else:
raise Unsupported(f"algorithm: {algorithm}")

Expand All @@ -36,7 +39,7 @@ def sign(self, msg, key):
digest,
padding.PSS(
mgf=padding.MGF1(self.hash_algorithm()),
salt_length=padding.PSS.MAX_LENGTH,
salt_length=self.salt_length,
),
utils.Prehashed(self.hash_algorithm()),
)
Expand All @@ -48,7 +51,7 @@ def verify(self, msg, signature, key):

:param msg: The message
:param sig: A signature
:param key: A ec.EllipticCurvePublicKey to use for the verification.
:param key: A rsa._RSAPublicKey to use for the verification.
:raises: BadSignature if the signature can't be verified.
:return: True
"""
Expand All @@ -58,7 +61,7 @@ def verify(self, msg, signature, key):
msg,
padding.PSS(
mgf=padding.MGF1(self.hash_algorithm()),
salt_length=padding.PSS.MAX_LENGTH,
salt_length=self.salt_length,
),
self.hash_algorithm(),
)
Expand Down
21 changes: 11 additions & 10 deletions src/cryptojwt/key_bundle.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1134,23 +1134,24 @@

def order_key_defs(key_def):
"""
Sort a set of key definitions. A key definition that defines more then
one usage type are splitted into as many definitions as the number of
Sort a set of key definitions. A key definition that defines more than
one usage type are split into as many definitions as the number of
usage types specified. One key definition per usage type.

:param key_def: A set of key definitions
:param key_def: A set of key definitions. List of dictionaries
:return: The set of definitions as a sorted list
"""
_int = []
# First make sure all defs only reference one usage
for _def in key_def:
if len(_def["use"]) > 1:
for _use in _def["use"]:
_kd = _def.copy()
_kd["use"] = _use
_int.append(_kd)
else:
_int.append(_def)
if isinstance(_def, dict):
if len(_def["use"]) > 1:
for _use in _def["use"]:
_kd = _def.copy()
_kd["use"] = _use
_int.append(_kd)

Check warning on line 1152 in src/cryptojwt/key_bundle.py

View check run for this annotation

Codecov / codecov/patch

src/cryptojwt/key_bundle.py#L1150-L1152 

Added lines #L1150 - L1152 were not covered by tests
else:
_int.append(_def)

_int.sort(key=cmp_to_key(sort_func))

Expand Down
4 changes: 3 additions & 1 deletion src/cryptojwt/key_jar.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -492,7 +492,9 @@ def _add_key(
if _add_keys[0] not in keys:
keys.append(_add_keys[0])
elif allow_missing_kid:
keys.extend(_add_keys)
for _key in _add_keys:
if _key and _key not in keys:
keys.append(_key)
elif no_kid_issuer:
try:
allowed_kids = no_kid_issuer[issuer_id]
Expand Down
26 changes: 26 additions & 0 deletions tests/test_21_pss.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
import json

import pytest

from cryptojwt.jwk.jwk import key_from_jwk_dict
from cryptojwt.jws.jws import JWS
import test_vector


@pytest.mark.parametrize("alg", ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"])
def test_jws_rsa_signer_and_verifier(alg):
_jwk_dict = json.loads(test_vector.json_rsa_priv_key)
_key = key_from_jwk_dict(_jwk_dict)
_key.alg = alg
_key.add_kid()

json_header_rsa = json.loads(test_vector.test_header_rsa)
json_header_rsa["alg"] = alg

# Sign
jws = JWS(msg=test_vector.test_payload, **json_header_rsa)
signed_token = jws.sign_compact([_key])

# Verify
verifier = JWS(alg=[alg])
assert verifier.verify_compact(signed_token, [_key])