diff options
author | Evgeniy Tatarkin <tatarkin.evg@gmail.com> | 2021-12-12 14:49:19 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-12 17:49:19 +0600 |
commit | aabeb061348cedaafa1ae2e67371525a30b6b93a (patch) | |
tree | 02520d6aad9e13df46b259e4f5745ea2416b36be | |
parent | 43d38a0c7070961a166a21b94f968e104de947e2 (diff) | |
download | pyjwt-aabeb061348cedaafa1ae2e67371525a30b6b93a.tar.gz |
Explicit check the key for ECAlgorithm (#713)
* Explicit check the key for ECAlgorithm
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
-rw-r--r-- | jwt/algorithms.py | 6 | ||||
-rw-r--r-- | tests/test_algorithms.py | 12 |
2 files changed, 18 insertions, 0 deletions
diff --git a/jwt/algorithms.py b/jwt/algorithms.py index 1f8865a..739df80 100644 --- a/jwt/algorithms.py +++ b/jwt/algorithms.py @@ -417,6 +417,12 @@ if has_crypto: except ValueError: key = load_pem_private_key(key, password=None) + # Explicit check the key to prevent confusing errors from cryptography + if not isinstance(key, (EllipticCurvePrivateKey, EllipticCurvePublicKey)): + raise InvalidKeyError( + "Expecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms" + ) + return key def sign(self, msg, key): diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py index b6a73fc..f4ab75b 100644 --- a/tests/test_algorithms.py +++ b/tests/test_algorithms.py @@ -495,6 +495,18 @@ class TestAlgorithms: assert not result @crypto_required + def test_ec_should_throw_exception_on_wrong_key(self): + algo = ECAlgorithm(ECAlgorithm.SHA256) + + with pytest.raises(InvalidKeyError): + with open(key_path("testkey_rsa.priv")) as keyfile: + algo.prepare_key(keyfile.read()) + + with pytest.raises(InvalidKeyError): + with open(key_path("testkey2_rsa.pub.pem")) as pem_key: + algo.prepare_key(pem_key.read()) + + @crypto_required def test_rsa_pss_sign_then_verify_should_return_true(self): algo = RSAPSSAlgorithm(RSAPSSAlgorithm.SHA256) |