def _process_jwk(self, jwk_dict):
if not jwk_dict.get("kty") == "RSA":
raise JWKError(
"Incorrect key type. Expected: 'RSA', Received: %s" %
jwk_dict.get("kty"))
e = base64_to_long(jwk_dict.get("e"))
n = base64_to_long(jwk_dict.get("n"))
if "d" not in jwk_dict:
return pyrsa.PublicKey(e=e, n=n)
else:
d = base64_to_long(jwk_dict.get("d"))
extra_params = ["p", "q", "dp", "dq", "qi"]
if any(k in jwk_dict for k in extra_params):
# Precomputed private key parameters are available.
if not all(k in jwk_dict for k in extra_params):
# These values must be present when 'p' is according to
# Section 6.3.2 of RFC7518, so if they are not we raise
# an error.
raise JWKError(
"Precomputed private key parameters are incomplete.")
p = base64_to_long(jwk_dict["p"])
q = base64_to_long(jwk_dict["q"])
return pyrsa.PrivateKey(e=e, n=n, d=d, p=p, q=q)
else:
p, q = _rsa_recover_prime_factors(n, e, d)
return pyrsa.PrivateKey(n=n, e=e, d=d, p=p, q=q)
def __init__(self, key, algorithm):
if algorithm not in self.valid_hash_algs:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self.hash_alg = get_algorithm_object(algorithm)
if isinstance(key, _RSAKey):
self.prepared_key = key
return
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if isinstance(key, six.string_types):
if isinstance(key, six.text_type):
key = key.encode('utf-8')
try:
self.prepared_key = RSA.importKey(key)
except Exception as e:
raise JWKError(e)
return
raise JWKError('Unable to parse an RSA_JWK from key: %s' % key)
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.RSA:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self.hash_alg = get_algorithm_object(algorithm)
if isinstance(key, _RSAKey):
self.prepared_key = key
return
if isinstance(key, dict):
self._process_jwk(key)
return
if isinstance(key, six.string_types):
if isinstance(key, six.text_type):
key = key.encode('utf-8')
if key.startswith(b'-----BEGIN CERTIFICATE-----'):
try:
self._process_cert(key)
except Exception as e:
raise JWKError(e)
return
try:
self.prepared_key = RSA.importKey(key)
except Exception as e:
raise JWKError(e)
return
raise JWKError('Unable to parse an RSA_JWK from key: %s' % key)
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.EC:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self.hash_alg = get_algorithm_object(algorithm)
self.curve = self.CURVE_MAP.get(self.hash_alg)
if isinstance(key, (ecdsa.SigningKey, ecdsa.VerifyingKey)):
self.prepared_key = key
return
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if isinstance(key, six.string_types):
if isinstance(key, six.text_type):
key = key.encode('utf-8')
# Attempt to load key. We don't know if it's
# a Signing Key or a Verifying Key, so we try
# the Verifying Key first.
try:
key = ecdsa.VerifyingKey.from_pem(key)
except ecdsa.der.UnexpectedDER:
key = ecdsa.SigningKey.from_pem(key)
except Exception as e:
raise JWKError(e)
self.prepared_key = key
return
raise JWKError('Unable to parse an ECKey from key: %s' % key)
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'EC':
raise JWKError(
"Incorrect key type. Expected: 'EC', Received: %s" %
jwk_dict.get('kty'))
if not all(k in jwk_dict for k in ['x', 'y', 'crv']):
raise JWKError('Mandatory parameters are missing')
x = base64_to_long(jwk_dict.get('x'))
y = base64_to_long(jwk_dict.get('y'))
curve = {
'P-256': ec.SECP256R1,
'P-384': ec.SECP384R1,
'P-521': ec.SECP521R1,
}[jwk_dict['crv']]
public = ec.EllipticCurvePublicNumbers(x, y, curve())
if 'd' in jwk_dict:
d = base64_to_long(jwk_dict.get('d'))
private = ec.EllipticCurvePrivateNumbers(d, public)
return private.private_key(self.cryptography_backend())
else:
return public.public_key(self.cryptography_backend())
def __init__(self, key, algorithm):
if algorithm not in self.valid_hash_algs:
raise JWKError('hash_alg: %s is not a valid hash '
'algorithm', algorithm)
self.curve = self.curve_map.get(algorithm)
sha_map = {
'ES256': 'sha256',
'ES384': 'sha384',
'ES512': 'sha512',
}
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key, sha_map[algorithm])
return
if isinstance(key, six.string_types):
if isinstance(key, six.text_type):
key = key.encode('utf-8')
# be a bit smart about what you're doing.
# keys must be in raw form, not ASN1, so convert if needed.
# The private key provided for testing is a base64 ASN1 that has a
# PEM wrapper. This may take a bit of guesswork...
der = self.pem_to_der(key)
# The key dictates the curve, this emulates the ecdsa lib
(self.curve, raw_key, raw_pub) = self.asn_to_raw(der, self.curve)
self.prepared_key = pyelliptic.ECC(curve=self.curve,
privkey=raw_key,
pubkey=raw_pub,
hasher=sha_map[algorithm])
return
raise JWKError('Unable to parse an ECKey from key: %s' % key)
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.HMAC:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self._algorithm = algorithm
self.hash_alg = get_algorithm_object(algorithm)
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if not isinstance(key, six.string_types) and not isinstance(
key, bytes):
raise JWKError('Expecting a string- or bytes-formatted key.')
if isinstance(key, six.text_type):
key = key.encode('utf-8')
invalid_strings = [
b'-----BEGIN PUBLIC KEY-----', b'-----BEGIN RSA PUBLIC KEY-----',
b'-----BEGIN CERTIFICATE-----', b'ssh-rsa'
]
if any(string_value in key for string_value in invalid_strings):
raise JWKError(
'The specified key is an asymmetric key or x509 certificate and'
' should not be used as an HMAC secret.')
self.prepared_key = key
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.HMAC:
raise JWKError("hash_alg: %s is not a valid hash algorithm" %
algorithm)
self._algorithm = algorithm
self._hash_alg = self.HASHES.get(algorithm)
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if not isinstance(key, str) and not isinstance(key, bytes):
raise JWKError("Expecting a string- or bytes-formatted key.")
if isinstance(key, str):
key = key.encode("utf-8")
invalid_strings = [
b"-----BEGIN PUBLIC KEY-----",
b"-----BEGIN RSA PUBLIC KEY-----",
b"-----BEGIN CERTIFICATE-----",
b"ssh-rsa",
]
if any(string_value in key for string_value in invalid_strings):
raise JWKError(
"The specified key is an asymmetric key or x509 certificate and"
" should not be used as an HMAC secret.")
self.prepared_key = key
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'RSA':
raise JWKError("Incorrect key type. Expected: 'RSA', Received: %s" % jwk_dict.get('kty'))
e = base64_to_long(jwk_dict.get('e'))
n = base64_to_long(jwk_dict.get('n'))
if 'd' not in jwk_dict:
return pyrsa.PublicKey(e=e, n=n)
else:
d = base64_to_long(jwk_dict.get('d'))
extra_params = ['p', 'q', 'dp', 'dq', 'qi']
if any(k in jwk_dict for k in extra_params):
# Precomputed private key parameters are available.
if not all(k in jwk_dict for k in extra_params):
# These values must be present when 'p' is according to
# Section 6.3.2 of RFC7518, so if they are not we raise
# an error.
raise JWKError('Precomputed private key parameters are incomplete.')
p = base64_to_long(jwk_dict['p'])
q = base64_to_long(jwk_dict['q'])
return pyrsa.PrivateKey(e=e, n=n, d=d, p=p, q=q)
else:
p, q = _rsa_recover_prime_factors(n, e, d)
return pyrsa.PrivateKey(n=n, e=e, d=d, p=p, q=q)
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.RSA:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
if algorithm in ALGORITHMS.RSA_KW and algorithm != ALGORITHMS.RSA1_5:
raise JWKError('alg: %s is not supported by the RSA backend' %
algorithm)
self.hash_alg = {
ALGORITHMS.RS256: self.SHA256,
ALGORITHMS.RS384: self.SHA384,
ALGORITHMS.RS512: self.SHA512
}.get(algorithm)
self._algorithm = algorithm
if isinstance(key, dict):
self._prepared_key = self._process_jwk(key)
return
if isinstance(key, (pyrsa.PublicKey, pyrsa.PrivateKey)):
self._prepared_key = key
return
if isinstance(key, str):
key = key.encode('utf-8')
if isinstance(key, bytes):
try:
self._prepared_key = pyrsa.PublicKey.load_pkcs1(key)
except ValueError:
try:
self._prepared_key = pyrsa.PublicKey.load_pkcs1_openssl_pem(
key)
except ValueError:
try:
self._prepared_key = pyrsa.PrivateKey.load_pkcs1(key)
except ValueError:
try:
der = pyrsa_pem.load_pem(key, b'PRIVATE KEY')
try:
pkcs1_key = rsa_private_key_pkcs8_to_pkcs1(der)
except PyAsn1Error:
# If the key was encoded using the old, invalid,
# encoding then pyasn1 will throw an error attempting
# to parse the key.
pkcs1_key = _legacy_private_key_pkcs8_to_pkcs1(
der)
self._prepared_key = pyrsa.PrivateKey.load_pkcs1(
pkcs1_key, format="DER")
except ValueError as e:
raise JWKError(e)
return
raise JWKError('Unable to parse an RSA_JWK from key: %s' % key)
def __init__(self, key, algorithm, cryptography_backend=default_backend):
if algorithm not in ALGORITHMS.EC:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self.hash_alg = {
ALGORITHMS.ES256: self.SHA256,
ALGORITHMS.ES384: self.SHA384,
ALGORITHMS.ES512: self.SHA512,
ALGORITHMS.ES256K: self.SHA256
}.get(algorithm)
self._algorithm = algorithm
self.cryptography_backend = cryptography_backend
if hasattr(key, 'public_bytes') or hasattr(key, 'private_bytes'):
self.prepared_key = key
return
if None not in (EcdsaSigningKey, EcdsaVerifyingKey) and isinstance(
key, (EcdsaSigningKey, EcdsaVerifyingKey)):
# convert to PEM and let cryptography below load it as PEM
key = key.to_pem().decode('utf-8')
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if isinstance(key, six.string_types):
key = key.encode('utf-8')
if isinstance(key, six.binary_type):
# Attempt to load key. We don't know if it's
# a Public Key or a Private Key, so we try
# the Public Key first.
try:
try:
key = load_pem_public_key(key, self.cryptography_backend())
except ValueError:
key = load_pem_private_key(
key,
password=None,
backend=self.cryptography_backend())
except Exception as e:
raise JWKError(e)
self.prepared_key = key
return
raise JWKError('Unable to parse an ECKey from key: %s' % key)
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'EC':
raise JWKError("Incorrect key type. Expected: 'EC', Recieved: %s" % jwk_dict.get('kty'))
x = base64_to_long(jwk_dict.get('x'))
y = base64_to_long(jwk_dict.get('y'))
if not ecdsa.ecdsa.point_is_valid(self.curve.generator, x, y):
raise JWKError("Point: %s, %s is not a valid point" % (x, y))
point = ecdsa.ellipticcurve.Point(self.curve.curve, x, y, self.curve.order)
verifying_key = ecdsa.keys.VerifyingKey.from_public_point(point, self.curve)
return verifying_key
def construct(key_data, algorithm=None):
"""
Construct a Key object for the given algorithm with the given
key_data.
"""
# Allow for pulling the algorithm off of the passed in jwk.
if not algorithm and isinstance(key_data, dict):
algorithm = key_data.get('alg', None)
if not algorithm:
raise JWKError('Unable to find a algorithm for key: %s' % key_data)
if algorithm in ALGORITHMS.HMAC:
return HMACKey(key_data, algorithm)
if algorithm in ALGORITHMS.RSA:
return RSAKey(key_data, algorithm)
if algorithm in ALGORITHMS.EC:
# TODO: Add switch between libraries.
# ECKey uses a more forgiving, python based ecdsa library.
# It may be preferred in a low to medium demand environment,
# return ECKey(key_data, algorithm)
# ECKey2 uses a far stricter, openssl wrapper library.
# It may be preferred in a high demand environment.
return ECKey(key_data, algorithm)
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'oct':
raise JWKError(
"Incorrect key type. Expected: 'oct', Received: %s" %
jwk_dict.get('kty'))
raise JWKError(
"Incorrect key type. Expected: 'oct', Received: %s" %
jwk_dict.get('kty'))
k = jwk_dict.get('k')
k = k.encode('utf-8')
k = bytes(k)
k = base64url_decode(k)
return k
def sign(self, msg):
try:
signature = self.prepared_key.sign(msg, padding.PKCS1v15(),
self.hash_alg())
except Exception as e:
raise JWKError(e)
return signature
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.RSA:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self.hash_alg = {
ALGORITHMS.RS256: self.SHA256,
ALGORITHMS.RS384: self.SHA384,
ALGORITHMS.RS512: self.SHA512
}.get(algorithm)
self._algorithm = algorithm
if isinstance(key, dict):
self._prepared_key = self._process_jwk(key)
return
if isinstance(key, (pyrsa.PublicKey, pyrsa.PrivateKey)):
self._prepared_key = key
return
if isinstance(key, six.string_types):
key = key.encode('utf-8')
if isinstance(key, six.binary_type):
try:
self._prepared_key = pyrsa.PublicKey.load_pkcs1(key)
except ValueError:
try:
self._prepared_key = pyrsa.PublicKey.load_pkcs1_openssl_pem(
key)
except ValueError:
try:
self._prepared_key = pyrsa.PrivateKey.load_pkcs1(key)
except ValueError:
try:
# python-rsa does not support PKCS8 yet so we have to manually remove OID
der = pyrsa_pem.load_pem(key, b'PRIVATE KEY')
header, der = der[:22], der[22:]
if header != PKCS8_RSA_HEADER:
raise ValueError("Invalid PKCS8 header")
self._prepared_key = pyrsa.PrivateKey._load_pkcs1_der(
der)
except ValueError as e:
raise JWKError(e)
return
raise JWKError('Unable to parse an RSA_JWK from key: %s' % key)
def construct(key_data, algorithm=None):
"""
Construct a Key object for the given algorithm with the given
key_data.
"""
# Allow for pulling the algorithm off of the passed in jwk.
if not algorithm and isinstance(key_data, dict):
algorithm = key_data.get('alg', None)
if not algorithm:
raise JWKError('Unable to find a algorithm for key: %s' % key_data)
key_class = get_key(algorithm)
if not key_class:
raise JWKError('Unable to find a algorithm for key: %s' % key_data)
return key_class(key_data, algorithm)
def __init__(self, key, algorithm, cryptography_backend=default_backend):
if algorithm not in ALGORITHMS.RSA:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self.hash_alg = {
ALGORITHMS.RS256: self.SHA256,
ALGORITHMS.RS384: self.SHA384,
ALGORITHMS.RS512: self.SHA512
}.get(algorithm)
self._algorithm = algorithm
self.cryptography_backend = cryptography_backend
# if it conforms to RSAPublicKey interface
if hasattr(key, 'public_bytes') and hasattr(key, 'public_numbers'):
self.prepared_key = key
return
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if isinstance(key, six.string_types):
key = key.encode('utf-8')
if isinstance(key, six.binary_type):
try:
if key.startswith(b'-----BEGIN CERTIFICATE-----'):
self._process_cert(key)
return
try:
self.prepared_key = load_pem_public_key(
key, self.cryptography_backend())
except ValueError:
self.prepared_key = load_pem_private_key(
key,
password=None,
backend=self.cryptography_backend())
except Exception as e:
raise JWKError(e)
return
raise JWKError('Unable to parse an RSA_JWK from key: %s' % key)
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'RSA':
raise JWKError("Incorrect key type. Expected: 'RSA', Recieved: %s" % jwk_dict.get('kty'))
e = base64_to_long(jwk_dict.get('e', 256))
n = base64_to_long(jwk_dict.get('n'))
self.prepared_key = RSA.construct((n, e))
return self.prepared_key
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'RSA':
raise JWKError("Incorrect key type. Expected: 'RSA', Recieved: %s" % jwk_dict.get('kty'))
e = base64_to_long(jwk_dict.get('e', 256))
n = base64_to_long(jwk_dict.get('n'))
verifying_key = rsa.RSAPublicNumbers(e, n).public_key(self.cryptography_backend())
return verifying_key
def sign(self, msg):
try:
signer = self.prepared_key.signer(padding.PKCS1v15(),
self.hash_alg())
signer.update(msg)
signature = signer.finalize()
except Exception as e:
raise JWKError(e)
return signature
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'RSA':
raise JWKError(
"Incorrect key type. Expected: 'RSA', Received: %s" %
jwk_dict.get('kty'))
e = base64_to_long(jwk_dict.get('e', 256))
n = base64_to_long(jwk_dict.get('n'))
public = rsa.RSAPublicNumbers(e, n)
if 'd' not in jwk_dict:
return public.public_key(self.cryptography_backend())
else:
# This is a private key.
d = base64_to_long(jwk_dict.get('d'))
extra_params = ['p', 'q', 'dp', 'dq', 'qi']
if any(k in jwk_dict for k in extra_params):
# Precomputed private key parameters are available.
if not all(k in jwk_dict for k in extra_params):
# These values must be present when 'p' is according to
# Section 6.3.2 of RFC7518, so if they are not we raise
# an error.
raise JWKError(
'Precomputed private key parameters are incomplete.')
p = base64_to_long(jwk_dict['p'])
q = base64_to_long(jwk_dict['q'])
dp = base64_to_long(jwk_dict['dp'])
dq = base64_to_long(jwk_dict['dq'])
qi = base64_to_long(jwk_dict['qi'])
else:
# The precomputed private key parameters are not available,
# so we use cryptography's API to fill them in.
p, q = rsa.rsa_recover_prime_factors(n, e, d)
dp = rsa.rsa_crt_dmp1(d, p)
dq = rsa.rsa_crt_dmq1(d, q)
qi = rsa.rsa_crt_iqmp(p, q)
private = rsa.RSAPrivateNumbers(p, q, d, dp, dq, qi, public)
return private.private_key(self.cryptography_backend())
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.HMAC:
raise JWKError('hash_alg: %s is not a valid hash algorithm' %
algorithm)
self._algorithm = algorithm
self.hash_alg = get_algorithm_object(algorithm)
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if not isinstance(key, six.string_types) and not isinstance(
key, bytes):
raise JWKError('Expecting a string- or bytes-formatted key.')
if isinstance(key, six.text_type):
key = key.encode('utf-8')
self.prepared_key = key
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'EC':
raise JWKError("Incorrect key type. Expected: 'EC', Received: %s" % jwk_dict.get('kty'))
if not all(k in jwk_dict for k in ['x', 'y', 'crv']):
raise JWKError('Mandatory parameters are missing')
if 'd' in jwk_dict:
# We are dealing with a private key; the secret exponent is enough
# to create an ecdsa key.
d = base64_to_long(jwk_dict.get('d'))
return ecdsa.keys.SigningKey.from_secret_exponent(d, self.curve)
else:
x = base64_to_long(jwk_dict.get('x'))
y = base64_to_long(jwk_dict.get('y'))
if not ecdsa.ecdsa.point_is_valid(self.curve.generator, x, y):
raise JWKError(f"Point: {x}, {y} is not a valid point")
point = ecdsa.ellipticcurve.Point(self.curve.curve, x, y, self.curve.order)
return ecdsa.keys.VerifyingKey.from_public_point(point, self.curve)
def _process_jwk(self, jwk_dict):
if not jwk_dict.get("kty") == "oct":
raise JWKError(
"Incorrect key type. Expected: 'oct', Received: %s" %
jwk_dict.get("kty"))
k = jwk_dict.get("k")
k = k.encode("utf-8")
k = bytes(k)
k = base64url_decode(k)
return k
def __init__(self, key, algorithm):
if algorithm not in ALGORITHMS.EC:
raise JWKError("hash_alg: %s is not a valid hash algorithm" %
algorithm)
self.hash_alg = {
ALGORITHMS.ES256: self.SHA256,
ALGORITHMS.ES384: self.SHA384,
ALGORITHMS.ES512: self.SHA512,
}.get(algorithm)
self._algorithm = algorithm
self.curve = self.CURVE_MAP.get(self.hash_alg)
if isinstance(key, (ecdsa.SigningKey, ecdsa.VerifyingKey)):
self.prepared_key = key
return
if isinstance(key, dict):
self.prepared_key = self._process_jwk(key)
return
if isinstance(key, str):
key = key.encode("utf-8")
if isinstance(key, bytes):
# Attempt to load key. We don't know if it's
# a Signing Key or a Verifying Key, so we try
# the Verifying Key first.
try:
key = ecdsa.VerifyingKey.from_pem(key)
except ecdsa.der.UnexpectedDER:
key = ecdsa.SigningKey.from_pem(key)
except Exception as e:
raise JWKError(e)
self.prepared_key = key
return
raise JWKError("Unable to parse an ECKey from key: %s" % key)
def verify(self, msg, sig):
# Convert byte array strings back into their longs
if len(sig) % 2:
raise JWKError("Invalid signature value used.")
split = len(sig) / 2
r = Integer(base64_to_long(base64.urlsafe_b64encode(sig[:split])))
s = Integer(base64_to_long(base64.urlsafe_b64encode(sig[split:])))
ss = Sequence(tagSet=[tag.Tag(0, 32, 16)])
ss.setComponentByPosition(0, r)
ss.setComponentByPosition(1, s)
sig_asn = encoder.encode(ss)
ver = self.prepared_key.verify(sig_asn, msg)
return ver
def _process_jwk(self, jwk_dict):
if not jwk_dict.get('kty') == 'RSA':
raise JWKError(
"Incorrect key type. Expected: 'RSA', Recieved: %s" %
jwk_dict.get('kty'))
e = base64_to_long(jwk_dict.get('e', 256))
n = base64_to_long(jwk_dict.get('n'))
params = (n, e)
if 'd' in jwk_dict:
params += (base64_to_long(jwk_dict.get('d')), )
extra_params = ['p', 'q', 'dp', 'dq', 'qi']
if any(k in jwk_dict for k in extra_params):
# Precomputed private key parameters are available.
if not all(k in jwk_dict for k in extra_params):
# These values must be present when 'p' is according to
# Section 6.3.2 of RFC7518, so if they are not we raise
# an error.
raise JWKError(
'Precomputed private key parameters are incomplete.')
p = base64_to_long(jwk_dict.get('p'))
q = base64_to_long(jwk_dict.get('q'))
qi = base64_to_long(jwk_dict.get('qi'))
# PyCrypto does not take the dp and dq as arguments, so we do
# not pass them. Furthermore, the parameter qi specified in
# the JWK is the inverse of q modulo p, whereas PyCrypto
# takes the inverse of p modulo q. We therefore switch the
# parameters to make the third parameter the inverse of the
# second parameter modulo the first parameter.
params += (q, p, qi)
self.prepared_key = RSA.construct(params)
return self.prepared_key
def asn_to_raw(self, candidate, curve):
"""Extract the ASN1 information and return the curve and key pairs."""
decoded = base64.urlsafe_b64decode(self.repad(candidate))
# if it's already raw... (Most likely a public key)
if len(decoded) == 64:
return curve, None, "\04" + decoded
if decoded[0] == "\04":
return curve, None, decoded
try:
asn_set = decoder.decode(decoded)[0]
except:
raise JWKError("Invalid EC Key")
pri_key = self.bitstring_to_str(asn_set[1])
pub_key = None
# A private key starts with a Integer(1)
if (isinstance(asn_set[0], univ.Integer) and asn_set[0] == 1):
# Followed by the OID
curve = self.curve_oids.get(asn_set[2])
if curve:
# And finally the public key
pub_key = self.bitstring_to_str(asn_set[3])
# A public key starts with a sequence
if isinstance(asn_set[0], univ.Sequence):
# confirm that the public key curve matches up
# with the OID pair type (Also includes the public key OID,
# which we ignore)
pcurve = self.curve_oids.get(asn_set[0][1])
if pcurve:
curve = pcurve
# Shuffle the key to the right return.
pub_key = pri_key
pri_key = None
if not curve:
raise JWKError("Invalid EC curve type key specified.")
return curve, pri_key, pub_key
def _process_jwk(self, jwk_dict, algorythm="sha256"):
key_type = jwk_dict.get('kty')
if key_type != 'EC':
raise JWKError("Incorrect key type. "
"Expected 'EC' Received: %s" % key_type)
privkey = None
if 'd' in jwk_dict:
privkey = base64.urlsafe_b64decode(self.repad(jwk_dict.get('d')))
key = pyelliptic.ECC(
curve=self.curve,
raw_privkey=privkey,
pubkey_x=base64.urlsafe_b64decode(self.repad(jwk_dict.get('x'))),
pubkey_y=base64.urlsafe_b64decode(self.repad(jwk_dict.get('y'))),
hasher=algorythm)
return key
