
Add "algorithm mismatch" error to improve jws

Open ghost opened this issue 3 years ago • 4 comments

Upstream libraries that depend on jws.verify() break when the upstream keys contain a mixed set of algorithms. This is a nominal occurrence for OIDC servers and should be properly handled.

ghost avatar Nov 07 '22 22:11 ghost

Codecov Report

Merging #304 (546e96c) into master (96474ec) will decrease coverage by 0.11%. The diff coverage is 84.00%.

:exclamation: Current head 546e96c differs from pull request most recent head 1ce256e. Consider uploading reports for the commit 1ce256e to get more accurate results

@@            Coverage Diff             @@
##           master     #304      +/-   ##
==========================================
- Coverage   92.94%   92.83%   -0.12%     
==========================================
  Files          15       15              
  Lines        1418     1423       +5     
==========================================
+ Hits         1318     1321       +3     
- Misses        100      102       +2     
Impacted Files                          Coverage Δ
jose/jws.py                             93.54% <60.00%> (-1.50%) :arrow_down:
jose/backends/cryptography_backend.py   93.18% <77.77%> (ø)
jose/backends/ecdsa_backend.py          97.50% <100.00%> (ø)
jose/backends/native.py                 97.56% <100.00%> (ø)
jose/backends/rsa_backend.py            95.62% <100.00%> (ø)
jose/exceptions.py                     100.00% <100.00%> (ø)


codecov[bot] avatar Nov 08 '22 14:11 codecov[bot]

As mentioned in the issue, this implements step 2 of Appendix D of the JWS spec

  2. Filter the set of collected keys. For instance, some applications will use only keys referenced by "kid" (key ID) or "x5t" (X.509 certificate SHA-1 thumbprint) parameters. If the application uses the JWK "alg" (algorithm), "use" (public key use), or "key_ops" (key operations) parameters, keys with inappropriate values of those parameters would be excluded. Additionally, keys might be filtered to include or exclude keys with certain other member values in an application-specific manner. For some applications, no filtering will be applied.

ghost avatar Nov 08 '22 15:11 ghost
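A worked version of the filtering step quoted above, covering the mixed-algorithm key set described in the PR text. This is an added example for this thread, not python-jose code and not the PR's diff; it uses only the standard library and a constructed JWKS. The names `filter_keys`, `select_keys`, `AlgorithmMismatch`, `make_token_header` and the placeholder key material are assumptions of the example. It reduces an OIDC-style key set to the keys that can actually verify a given JWS header, and raises an explicit mismatch error when nothing survives, which is the error the PR title asks for.

```python
import base64
import json

# Map each JWS "alg" to the JWK "kty" that can carry a key for it (RFC 7518).
ALG_TO_KTY = {
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "EdDSA": "OKP",
}
# ECDSA algorithms also pin the curve (RFC 7518 section 3.4).
ALG_TO_CRV = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}

# Constructed sample key set, in the shape an OIDC provider's jwks_uri returns.
# Key material is replaced by placeholders: the filter only inspects metadata.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-sig", "alg": "RS256", "use": "sig",
         "n": "placeholder", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-sig", "alg": "ES256", "use": "sig",
         "crv": "P-256", "x": "placeholder", "y": "placeholder"},
        {"kty": "RSA", "kid": "rsa-enc", "use": "enc",
         "n": "placeholder", "e": "AQAB"},
        {"kty": "oct", "kid": "hmac-sign-only", "key_ops": ["sign"],
         "k": "placeholder"},
    ]
}


class AlgorithmMismatch(Exception):
    """Raised when no key in the set can verify the algorithm the header names."""


def b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_protected_header(token):
    """Return the decoded JOSE header of a compact-serialized JWS (first segment)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def filter_keys(jwks, header):
    """RFC 7515 Appendix D step 2: keep only the keys usable for this header.

    A key survives only if every JWK parameter it carries agrees with the header:
    "kty" must match the algorithm family (and "crv" for ES*), while "alg", "use",
    "key_ops" and "kid" are checked when present. Returns the surviving keys, or
    raises AlgorithmMismatch when none survive.
    """
    alg = header.get("alg")
    if alg not in ALG_TO_KTY:
        # Covers "none", unknown names and a missing alg: nothing to verify with.
        raise AlgorithmMismatch("unsupported or missing alg: %r" % (alg,))
    kid = header.get("kid")

    candidates = []
    for jwk in jwks.get("keys", []):
        if kid is not None and jwk.get("kid") != kid:
            continue
        # Tying kty to alg means an HS* header can never select an RSA or EC
        # public key as its HMAC secret; the untrusted alg only picks among keys
        # that were already trusted for that family.
        if jwk.get("kty") != ALG_TO_KTY[alg]:
            continue
        if alg in ALG_TO_CRV and jwk.get("crv") != ALG_TO_CRV[alg]:
            continue
        if "alg" in jwk and jwk["alg"] != alg:
            continue
        if "use" in jwk and jwk["use"] != "sig":
            continue
        if "key_ops" in jwk and "verify" not in jwk["key_ops"]:
            continue
        candidates.append(jwk)

    if not candidates:
        raise AlgorithmMismatch(
            "no key in the set is usable for alg=%r, kid=%r" % (alg, kid))
    return candidates


def select_keys(jwks, token):
    """Parse the token's protected header and filter the key set against it."""
    return filter_keys(jwks, parse_protected_header(token))


def make_token_header(alg, kid=None):
    """Build a constructed compact JWS with only the header filled in; payload and
    signature segments are dummies because this example never verifies them."""
    header = {"alg": alg, "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    encoded = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return encoded + ".e30.AA"


if __name__ == "__main__":
    cases = [("RS256", "rsa-sig"), ("ES256", None), ("RS256", "rsa-enc"),
             ("HS256", None), ("none", None)]
    for alg, kid in cases:
        try:
            keys = select_keys(SAMPLE_JWKS, make_token_header(alg, kid))
            print(alg, kid, "->", [k["kid"] for k in keys])
        except AlgorithmMismatch as exc:
            print(alg, kid, "-> AlgorithmMismatch:", exc)
```

In an integration the surviving key (or keys) is what gets handed to jws.verify(), which still performs the actual signature check; the filter only decides which keys are eligible, so an RSA signing key, an EC signing key and an RSA encryption key can coexist in one JWKS without a wrong-family key turning into a verification error. Because the header's alg is untrusted input, it is used here only to choose among keys the verifier already holds, never to pick a primitive on its own.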

@mpdavis given that the original PR author account is deleted, maybe it's time to make a call: either take this PR over, maybe add more tests and merge it, or close it if it's incomplete?

My 2c: this PR is a good start.

dimaqq avatar Jun 27 '23 06:06 dimaqq