python-jose
A JOSE implementation in Python
Hey guys, there's a new high level risk vulnerability in the RSA python library that this repo uses. I'm not familiar with the fine details but is there any way...
```
(py375) ghoti@ghotideMacBook-Pro pay_test % pip install python-jose[cryptography]
zsh: no matches found: python-jose[cryptography]
```
**Problem**
jws.verify() returns byte, not string. It's wrong in your code and it's wrong in the documentation
https://python-jose.readthedocs.io/en/latest/jwk/index.html
https://github.com/mpdavis/python-jose/blob/5ec9f48c1babcbfa62d433b29e55db8888c315ec/jose/jws.py#L65

**Actual result**
```
>>> token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoiYiJ9.jiMyrsmD8AoHWeQgmxZ5yq8z0lXS67_QGs52AzC8Ru8'
>>> jws.verify(token, 'secret', algorithms='HS256')...
```
https://github.com/mpdavis/python-jose/blob/b4d4385b71b6c1e151e34b996eaaafcf96d60c05/jose/backends/cryptography_backend.py#L249
Hello, I notice that the validation behaviour during the `jwt.decode` is different for "issuer" and "audience" although the description is the same. I am aware of the open issue #95 regarding...
https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L75 ` issuer (str or iterable) – Acceptable value(s) for the issuer of the token. If the “iss” claim is included in the claim set, then the issuer must be...
I'm trying to find a Python library that can verify EdDSA-signed JWTs. Does python-jose support EdDSA? (I don't see any [references in the code](https://github.com/mpdavis/python-jose/search?q=eddsa&unscoped_q=eddsa), and the entry for python-jose on...
I wanted to verify a signature I had previously generated with `ES256`. Creating the signature was straightforward. Since JOSE was using `cryptography` as the backend, I used the `private_bytes` method...
Ethereum, Bitcoin (and uPort) use the secp256k1 curve for their signature scheme. To allow for JWT (and other JOSE schemes) handling in uPort, the `ES256K` algorithm has been added. Additionally,...
Hi, again, I'm not sure if this is expected behavior or a bug, but currently I'm in a situation where a JWT needs to be decoded and it can be...