
Support for RFC-8037 and RFC-7539

Open pohutukawa opened this issue 6 years ago • 4 comments

I'd love to see support for RFC-8037 (JWS/JWT specifically with Ed25519 via PyNaCl) and RFC-7539 (JWE using ChaCha20/Poly1305 encryption) in here.

  • Regarding RFC-8037, there seems to be a PR #100 available already, that needs merging. So I guess the work's pretty much done if it's deemed acceptable.
  • Regarding RFC-7539 things are a bit more difficult, as not all functions from libsodium (used underneath PyNaCl) are available via the PyNaCl API. Though, if somebody has PyNaCl, they also do have libsodium available. I have recently hacked around in my own code base to make some libsodium functions for the IETF-compliant authenticated encryption available to Python by using ctypes. That may provide a working pathway into enabling RFC-7539 for ChaCha20/Poly1305 encryption.

Hopefully some things will make their way into python-jose to allow for more modern, compact and fast ciphers to be used.

pohutukawa avatar Aug 01 '18 02:08 pohutukawa

Regarding RFC-8037: PR #100 would benefit from a few small changes in order not to make pynacl a hard requirement.

Regarding RFC-7539: PR #100 uses pynacl. Have you tried raising this with pyca team at https://github.com/pyca/pynacl to include support for required functions to make pynacl bindings capable of supporting RFC-7539?

zejn avatar Aug 30 '18 10:08 zejn

@zejn Regarding RFC-7539: No, I hadn't. But it's a good idea to do so, as opposed to 'butchering around' in the soft fluffies of the C library via ctypes.

pohutukawa avatar Sep 03 '18 05:09 pohutukawa

OK, it looks like the current master branch of PyNaCl (to be released in the upcoming v1.3.0 release, whenever that happens) does have the bindings exposed in nacl.bindings (in raw form). From there it's easily possible to implement the RFC-7539 bits without needing to do any pull-ups through ctypes and libsodium. However, I'd say that it's probably only viable once 1.3 of PyNaCl is released, and this extension needs to be parked until then for python-jose. Let's keep our fingers crossed that this will be soon :-) Even so, one can already go and code it up in a branch using PyNaCl 1.3.0.dev1, and have a PR in the drawer once the release is out.

pohutukawa avatar Sep 04 '18 02:09 pohutukawa

PyNaCl 1.3 is there. So I'd be keen to crack on with this soon.

pohutukawa avatar Nov 27 '18 03:11 pohutukawa