JSON Web Signature (JWS)¶
The jws Module implements the JSON Web Signature standard. A JSON Web Signature is represented by a JWS object, related utility classes and functions are available in this module too.
Classes¶
- class jwcrypto.jws.JWS(payload=None, header_registry=None)¶
Bases:
object
JSON Web Signature object
This object represent a JWS token.
Creates a JWS object.
- Parameters:
payload(bytes) – An arbitrary value (optional).
header_registry – Optional additions to the header registry
- add_signature(key, alg=None, protected=None, header=None)¶
Adds a new signature to the object.
- Parameters:
key – A (
jwcrypto.jwk.JWK
) key of appropriate for the “alg” provided.alg – An optional algorithm name. If already provided as an element of the protected or unprotected header it can be safely omitted.
protected – The Protected Header (optional)
header – The Unprotected Header (optional)
- Raises:
InvalidJWSObject – if invalid headers are provided.
ValueError – if the key is not a (
jwcrypto.jwk.JWK
)ValueError – if the algorithm is missing or is not provided by one of the headers.
InvalidJWAAlgorithm – if the algorithm is not valid, is unknown or otherwise not yet implemented.
- deserialize(raw_jws, key=None, alg=None)¶
Deserialize a JWS token.
NOTE: Destroys any current status and tries to import the raw JWS provided.
If a key is provided a verification step will be attempted after the object is successfully deserialized.
- Parameters:
raw_jws – a ‘raw’ JWS token (JSON Encoded or Compact notation) string.
key – A (
jwcrypto.jwk.JWK
) verification or a (jwcrypto.jwk.JWKSet
) that contains a key indexed by the ‘kid’ header (optional).alg – The signing algorithm (optional). Usually the algorithm is known as it is provided with the JOSE Headers of the token.
- Raises:
InvalidJWSObject – if the raw object is an invalid JWS token.
InvalidJWSSignature – if the verification fails.
JWKeyNotFound – if key is a JWKSet and the key is not found.
- classmethod from_jose_token(token)¶
Creates a JWS object from a serialized JWS token.
- Parameters:
token – A string with the json or compat representation of the token.
- Raises:
InvalidJWSObject – if the raw object is an invalid JWS token.
- Returns:
A JWS token
- Return type:
- serialize(compact=False)¶
Serializes the object into a JWS token.
- Parameters:
compact(boolean) – if True generates the compact representation, otherwise generates a standard JSON format.
- Raises:
InvalidJWSOperation – if the object cannot serialized with the compact representation and compact is True.
InvalidJWSSignature – if no signature has been added to the object, or no valid signature can be found.
- Returns:
A json formatted string or a compact representation string
- Return type:
str
- verify(key, alg=None, detached_payload=None)¶
Verifies a JWS token.
- Parameters:
key – A (
jwcrypto.jwk.JWK
) verification or a (jwcrypto.jwk.JWKSet
) that contains a key indexed by the ‘kid’ header.alg – The signing algorithm (optional). Usually the algorithm is known as it is provided with the JOSE Headers of the token.
detached_payload – A detached payload to verify the signature against. Only valid for tokens that are not carrying a payload.
- Raises:
InvalidJWSSignature – if the verification fails.
InvalidJWSOperation – if a detached_payload is provided but an object payload exists
JWKeyNotFound – if key is a JWKSet and the key is not found.
- property allowed_algs¶
Allowed algorithms.
The list of allowed algorithms. Can be changed by setting a list of algorithm names.
- class jwcrypto.jws.JWSCore(alg, key, header, payload, algs=None)¶
Bases:
object
The inner JWS Core object.
This object SHOULD NOT be used directly, the JWS object should be used instead as JWS perform necessary checks on the validity of the object and requested operations.
Core JWS token handling.
- Parameters:
alg – The algorithm used to produce the signature. See RFC 7518
key – A (
jwcrypto.jwk.JWK
) verification or a (jwcrypto.jwk.JWKSet
) that contains a key indexed by the ‘kid’ header. A JWKSet is allowed only for verification operations.header – A JSON string representing the protected header.
payload(bytes) – An arbitrary value
algs – An optional list of allowed algorithms
- Raises:
ValueError – if the key is not a (
jwcrypto.jwk.JWK
)InvalidJWAAlgorithm – if the algorithm is not valid, is unknown or otherwise not yet implemented.
InvalidJWSOperation – if the algorithm is not allowed.
- sign()¶
Generates a signature
- verify(signature)¶
Verifies a signature
- Raises:
InvalidJWSSignature – if the verification fails.
- Returns:
Returns True or an Exception
- Return type:
bool
Variables¶
- jwcrypto.jws.default_allowed_algs = ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512', 'EdDSA', 'ES256K']¶
Default allowed algorithms
Exceptions¶
- class jwcrypto.jws.InvalidJWSSignature(message=None, exception=None)¶
Bases:
JWException
Invalid JWS Signature.
This exception is raised when a signature cannot be validated.
- class jwcrypto.jws.InvalidJWSObject(message=None, exception=None)¶
Bases:
JWException
Invalid JWS Object.
This exception is raised when the JWS Object is invalid and/or improperly formatted.
- class jwcrypto.jws.InvalidJWSOperation(message=None, exception=None)¶
Bases:
JWException
Invalid JWS Object.
This exception is raised when a requested operation cannot be execute due to unsatisfied conditions.
Registries¶
- jwcrypto.jws.JWSHeaderRegistry¶
Registry of valid header parameters
Examples¶
- Sign a JWS token::
>>> from jwcrypto import jwk, jws >>> from jwcrypto.common import json_encode >>> key = jwk.JWK.generate(kty='oct', size=256) >>> payload = "My Integrity protected message" >>> jwstoken = jws.JWS(payload.encode('utf-8')) >>> jwstoken.add_signature(key, None, ... json_encode({"alg": "HS256"}), ... json_encode({"kid": key.thumbprint()})) >>> sig = jwstoken.serialize()
- Verify a JWS token::
>>> jwstoken = jws.JWS() >>> jwstoken.deserialize(sig) >>> jwstoken.verify(key) >>> payload = jwstoken.payload