I am trying to verify the signature of a JWS with the JWK that is included in its header. I believe the fact that it has a detached payload is only incidental to the primary issue of not recognizing the correct form of a JWS's key. The JWK is normal and valid, for example:
I can get a jwt.api_jwk.PyJWK object if I do api_jwk.PyJWK(jws_jwk, algorithm='ES256'), proving there is no issue with the JWK itself.
However, when I try to use it to verify the signature of a JWS in the manner below, I receive the error message "Expecting a PEM-formatted key".
It's clear that this is because the prepare_key method of the ECAlgorithm class expects either a key of type EllipticCurvePublicKey or a PEM string. However, this is not how one typically receives the verification key in a JWS. They are always in JWK form, and I can't find any clear way to convert a JWK to an EllipticCurvePublicKey object or a PEM.
Is this intended? Am I missing something obvious here? This seems like a bug or an oversight to me, so I appreciate any clarification on the proper verification of a JWS using its own key material.
Expected Result
To verify a standard JWS using the included key material, wherein it passes or fails depending upon the validity of the included signature as verified by the standard JWK included in a JWS protected header.
Actual Result
I am asked for a PEM-formatted key, which is not how keys are sent with a JWS.
Reproduction Steps
Use the JWK in any JWS and pass it into api_jws.decode along with the JWS as shown above.
Nice, that does work. In that case it seems like updating the api_jws.decode method to handle actual JWKs could be implemented pretty easily. The conversion performed by PyJWK.key could be called on the verification material argument when the type is a dict instead of a PEM string or EllipticCurvePublicKey instance.
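An added example (not code from this thread or from the PyJWT project) of the workaround discussed above: the header JWK is converted with PyJWK(...).key and passed to api_jws.decode. Because the header is unauthenticated until the signature is checked, the example accepts the embedded key only if its RFC 7638 thumbprint is in a pinned set. The pinned set, the helper names and the sample token (generated at run time) are assumptions of this example.

```python
import base64
import hashlib
import json

import jwt
from jwt import PyJWK, api_jws
from cryptography.hazmat.primitives.asymmetric import ec

EC_MEMBERS = ("crv", "kty", "x", "y")  # members RFC 7638 requires for EC keys


def b64u(raw: bytes) -> str:
    """Unpadded base64url, as used for JWK members and thumbprints."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of an EC public JWK."""
    required = {name: jwk[name] for name in EC_MEMBERS}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canonical.encode()).digest())


def verify_with_header_jwk(token: str, trusted_thumbprints: set) -> bytes:
    """Verify an ES256 JWS with its header JWK, but only if that key is pinned."""
    jwk = jwt.get_unverified_header(token).get("jwk")
    # The header is sender-controlled until verified, so vet the key first.
    if not isinstance(jwk, dict) or not set(EC_MEMBERS) <= jwk.keys():
        raise jwt.InvalidKeyError("no EC JWK in header")
    if thumbprint(jwk) not in trusted_thumbprints:
        raise jwt.InvalidKeyError("header JWK is not a pinned key")
    public_key = PyJWK(jwk, algorithm="ES256").key  # EllipticCurvePublicKey
    # Pin the algorithm as well; never take it from the token header.
    return api_jws.decode(token, public_key, algorithms=["ES256"])


def make_sample_jws(payload: bytes):
    """Constructed sample: sign with a fresh P-256 key and embed its JWK."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    numbers = private_key.public_key().public_numbers()
    jwk = {"kty": "EC", "crv": "P-256",
           "x": b64u(numbers.x.to_bytes(32, "big")),
           "y": b64u(numbers.y.to_bytes(32, "big"))}
    token = api_jws.encode(payload, private_key, algorithm="ES256",
                           headers={"jwk": jwk})
    return token, jwk


if __name__ == "__main__":
    token, jwk = make_sample_jws(b"constructed payload")
    print(verify_with_header_jwk(token, {thumbprint(jwk)}))
```

A token signed by a different key that embeds its own JWK is self-consistent and would pass a bare signature check, which is why the thumbprint comparison comes before the conversion.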