Python dict keys are in an undefined order, which means json.dumps() doesn't reliably produce the same string. So in JWT, it's best to verify the input JSON, rather than decoding it, re-encoding it, and verifying it. Otherwise you get spurious verification failures.

(see http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-11.html#DefiningPSS)

Using salt len = hash len as per http://www.ietf.org/mail-archive/web/jose/current/msg02901.html Tests added but I've not touched the README

Currently setup.py pulls in the long description from the README.md: (long_description=read('README.md')

Sadly, because you have unicode emdashes ("\xe2\x80\x93" instead of "--") in the readme.md python will fail trying to stringify those characters and error with:

Collecting jws>=0.1.3 (from python_jwt==1.1.0->-r /tmp/tmpEbDt97/requirements.txt (line 27))
  Downloading jws-0.1.3.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-db5dsmc7/jws/setup.py", line 17, in <module>
        long_description=read('README.md'),
      File "/tmp/pip-build-db5dsmc7/jws/setup.py", line 5, in read
        return open(os.path.join(os.path.dirname(__file__), fname)).read()
      File "/venv3/lib/python3.5/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 500: ordinal not in range(128)

To reproduce, under Python 3.5 run: LC_CTYPE=C pip3 install jws

This fixes this, but it would require a subsequent point release (0.1.4) to actually to keep it from happening on future pip installs.

The '%s.%s.%s' was giving me a 'not enough arguments for format string' TypeError, so I switched it to use string join instead. It would be equally good to use a tuple instead of a list for the list of format parameters.

The special notices and submodule reference regarding pycrypto for RSA are no longer required.

• As of 2.5, pycrypto supports PKCS #1.5
• As of 2.4, pycrypto supports SHA384 & SHA512.

I'd like to try your software, but couldn't find it in the python package index at http://pypi.python.org/ — could you submit it there ?

You probably want to change name = "python-jws" in setup.py to "jws" (still available!) or "json-web-signatures" before submitting, because the "python-" prefix is kind of redundant on PyPI.

Problem

Imagine the following:

• Sign some data on a smartphone, using smartphone libraries
• Trying to verify that in python-jws, we first need to parse the JSON and python-jws will re-convert the generated object to JSON in its verification process. But if the re-conversion does not format the JSON in exactly the same way as the library on the smartphone did (i.e. the way it was in the payload), verification fails. But the signature was good!

Solution

Add the possibility to verify a signature on a json string, not only python objects.

# pip install jws
Collecting jws
  Downloading jws-0.1.3.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 20, in <module>
      File "/tmp/pip-build-4smf5vyz/jws/setup.py", line 17, in <module>
        long_description=read('README.md'),
      File "/tmp/pip-build-4smf5vyz/jws/setup.py", line 5, in read
        return open(os.path.join(os.path.dirname(__file__), fname)).read()
      File "/opt/venv/lib/python3.5/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 500: ordinal not in range(128)

I've tested it on Python 2.7.x and Python 3.3+. I did the changes so I could use python-jwt but in the end I went with PyJWT instead. However, since I did the changes, I thought I'd offer them up to you if you'd like them included.

There is a small typo in README.md.

Should read implementation rather than implemention.

Semi-automated pull request generated by https://github.com/timgates42/meticulous/blob/master/docs/NOTE.md

While I tried to install this package via 'pip install jws' in Windows 10 (python 3.7), 'UnicodeDecodeError: 'cp949' codec can't decode byte 0xe2 in position 500: illegal multibyte sequence' occured. I end up modifying 'setup.py' file (add parameter "encoding='UTF8'" in open function in line 5).

payload ={"alg":"ES256","typ":"passport","ppt":"shaken","x5u":"https://wiresharkserver.mtimslab.atttest.com/vesper/dig-sig.crt"} payload ={} header = {"alg":"ES256","typ":"passport","ppt":"shaken","x5u":"https://wiresharkserver.mtimslab.atttest.com/vesper/dig-sig.crt"} payload = {"attest":"A","dest":{"tn":["+12249587065"]},"iat":1504163217,"orig":{"tn":"+12249587035"},"origid":"6cf14ce7-5c58-403c-8982-07f11b8680d5"} signature = jws.sign(header, payload, 'secret') Traceback (most recent call last): File "", line 1, in File "/usr/lib/python2.7/site-packages/jws/init.py", line 23, in sign header.process(data, 'sign') File "/usr/lib/python2.7/site-packages/jws/header.py", line 67, in process instance = cls(param, data['header'][param], data) File "/usr/lib/python2.7/site-packages/jws/header.py", line 10, in init self.value = self.clean(value) File "/usr/lib/python2.7/site-packages/jws/header.py", line 30, in clean raise ParameterNotUnderstood("Could not find an action for Header Parameter '%s'" % self.name) jws.exceptions.ParameterNotUnderstood: Could not find an action for Header Parameter 'ppt'

pycrypto is dead. pycryptodome is a drop-in replacement. However, python-jws uses a private member (_RSAobj) of pycrypto:

https://github.com/brianloveswords/python-jws/blob/master/jws/algos.py#L87

which pycryptodome doesn't have.

But pycryptodome does have the RsaKey member in the same place.

So a change something like https://github.com/mpdavis/python-jose/pull/8/files#diff-f5aa2743c17dabc292333673fe591c30R20 is required where the presence of each member is checked for.