author | Mark Adams <mark@markadams.me> | 2017-03-14 19:03:47 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-14 19:03:47 -0500 |
commit | 5bc498a60a01322b1271e1a1e99791a6938e21d7 (patch) | |
tree | cd292df6687973ce1c63b4ed517c0884e7557824 | |
parent | 0a4b8ddcb3ee95fd1e91539f5976854bb42ab375 (diff) | |
parent | 1710c1524c69c39dfece7a24b87179be5eeff217 (diff) | |
download | pyjwt-5bc498a60a01322b1271e1a1e99791a6938e21d7.tar.gz |
Merge pull request #244 from jpadilla/fix-ec-ssh-pub-key
Add support for ECDSA public keys in OpenSSH (RFC 4253) format
-rw-r--r-- | CHANGELOG.md | 2 | ||||
-rw-r--r-- | jwt/algorithms.py | 5 | ||||
-rw-r--r-- | tests/keys/testkey_ec_ssh.pub | 1 | ||||
-rw-r--r-- | tests/test_algorithms.py | 7 |
4 files changed, 14 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 37b6ffd..060876c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 [Unreleased][unreleased]
 -------------------------------------------------------------------------
 ### Changed
+- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
 - Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances.
 - Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
@@ -129,3 +130,4 @@ rarely used. Users affected by this should upgrade to 3.3+.
 [182]: https://github.com/jpadilla/pyjwt/pull/182
 [183]: https://github.com/jpadilla/pyjwt/pull/183
 [213]: https://github.com/jpadilla/pyjwt/pull/214
+[244]: https://github.com/jpadilla/pyjwt/pull/244
diff --git a/jwt/algorithms.py b/jwt/algorithms.py
index 2fe1883..f6d990a 100644
--- a/jwt/algorithms.py
+++ b/jwt/algorithms.py
@@ -356,7 +356,10 @@ if has_crypto:
                 # a Signing Key or a Verifying Key, so we try
                 # the Verifying Key first.
                 try:
-                    key = load_pem_public_key(key, backend=default_backend())
+                    if key.startswith(b'ecdsa-sha2-'):
+                        key = load_ssh_public_key(key, backend=default_backend())
+                    else:
+                        key = load_pem_public_key(key, backend=default_backend())
                 except ValueError:
                     key = load_pem_private_key(key, password=None, backend=default_backend())
diff --git a/tests/keys/testkey_ec_ssh.pub b/tests/keys/testkey_ec_ssh.pub
new file mode 100644
index 0000000..4fa3a6b
--- /dev/null
+++ b/tests/keys/testkey_ec_ssh.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFZwnA8QCdL+TiQWBSHE0XsnRJBCFkb6c2DL7+ZfCFDk9khSYh3VrVOOQ1eIrO/oOm20Gp24dvP9XQS0f5B9bLQHgGFnkydPIMaNzPUNCop17F5uHOhtuFIhmOlh3lpTjyj2ten86cCetqN12kawnRs1/iu0wsGoVgk3os6yUAHvFMFGA==
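Review bot: A malformed `ecdsa-sha2-` blob that makes load_ssh_public_key raise ValueError is caught by the unchanged `except ValueError` below and retried with load_pem_private_key, so the error the caller eventually sees describes a PEM private-key failure rather than the OpenSSH parse problem. Only PEM input can plausibly be a private key, so the SSH branch should sit outside the try/except and let its own error surface, as sketched below. load_ssh_public_key can also raise cryptography's UnsupportedAlgorithm for key types or curves it does not accept, which is not a ValueError and will propagate unchanged through this block; if callers of prepare_key expect a single exception type for bad keys, that needs either a catch here or a comment stating it is deliberate. The `startswith(b'...')` check presumes `key` is already bytes at this point — the conversion is outside the hunk, so confirm it precedes this code. The enclosing prepare_key body starts and ends outside this hunk, and the import of load_ssh_public_key is not part of the diff, so it is presumably already in scope for the RSA path — worth verifying.

```python
                # a Signing Key or a Verifying Key, so we try
                # the Verifying Key first.
                if key.startswith(b'ecdsa-sha2-'):
                    # OpenSSH (RFC 4253) public keys have no private-key
                    # form to fall back to, so parse errors surface as-is.
                    key = load_ssh_public_key(key, backend=default_backend())
                else:
                    try:
                        key = load_pem_public_key(key, backend=default_backend())
                    except ValueError:
                        key = load_pem_private_key(key, password=None, backend=default_backend())
```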
diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py
index 97fdc22..11d8cd0 100644
--- a/tests/test_algorithms.py
+++ b/tests/test_algorithms.py
@@ -376,6 +376,13 @@ class TestAlgorithms:
             algo.prepare_key(ec_key.read())

     @pytest.mark.skipif(not has_crypto, reason='Not supported without cryptography library')
+    def test_ec_should_accept_ssh_public_key_bytes(self):
+        algo = ECAlgorithm(ECAlgorithm.SHA256)
+
+        with open(key_path('testkey_ec_ssh.pub'), 'r') as ec_key:
+            algo.prepare_key(ec_key.read())
+
+    @pytest.mark.skipif(not has_crypto, reason='Not supported without cryptography library')
     def test_ec_verify_should_return_false_if_signature_invalid(self):
         algo = ECAlgorithm(ECAlgorithm.SHA256)
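Review bot: The new test_ec_should_accept_ssh_public_key_bytes only checks that prepare_key does not raise; it never inspects the returned object, so a change that silently produced a wrong key type would still pass. Capture the result and pin the curve the fixture is on (the file header is `ecdsa-sha2-nistp521`, which cryptography reports as secp521r1): `key = algo.prepare_key(ec_key.read())` followed by `assert key.curve.name == 'secp521r1'`. The name says "bytes" but the fixture is opened with `'r'`, so prepare_key receives a str and the test exercises the text-to-bytes conversion path rather than raw bytes — either rename it or open the file with `'rb'` to match the name. There is also no negative case for an `ecdsa-sha2-` prefixed value that is not a valid key, which is the path where the new branch's error handling matters most. The TestAlgorithms class continues outside this hunk.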