diff -r -u oauthlib-2.0.1/oauthlib/common.py oauthlib-2.0.1.patched/oauthlib/common.py
--- oauthlib-2.0.1/oauthlib/common.py 2016-11-23 05:30:34.000000000 -0500
+++ oauthlib-2.0.1.patched/oauthlib/common.py 2017-03-16 17:50:22.814033506 -0400
@@ -15,6 +15,16 @@
import re
import sys
import time
+from calendar import timegm
+
+from jwcrypto.jwk import JWK as _JWK
+from jwcrypto.jwt import JWT
+from jwcrypto.common import json_decode
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import (
+ load_pem_private_key, load_pem_public_key)
+from cryptography.hazmat.primitives.asymmetric.rsa import (
+ RSAPrivateKey, RSAPublicKey)
try:
from urllib import quote as _quote
@@ -29,6 +39,82 @@
except ImportError:
import urllib.parse as urlparse
+# Copy code from jwcrypto 0.3.2, we need JWK.from_pyca()
+from cryptography.hazmat.primitives.asymmetric import rsa
+class JWK(_JWK):
+ def __init__(self, **kwargs):
+ self._params = dict()
+ self._key = dict()
+ self._unknown = dict()
+
+ if 'generate' in kwargs:
+ self.generate_key(**kwargs)
+ elif kwargs:
+ self.import_key(**kwargs)
+
+ def _import_pyca_pri_rsa(self, key, **params):
+ pn = key.private_numbers()
+ params.update(
+ kty='RSA',
+ n=self._encode_int(pn.public_numbers.n),
+ e=self._encode_int(pn.public_numbers.e),
+ d=self._encode_int(pn.d),
+ p=self._encode_int(pn.p),
+ q=self._encode_int(pn.q),
+ dp=self._encode_int(pn.dmp1),
+ dq=self._encode_int(pn.dmq1),
+ qi=self._encode_int(pn.iqmp)
+ )
+ self.import_key(**params)
+
+ def _import_pyca_pub_rsa(self, key, **params):
+ pn = key.public_numbers()
+ params.update(
+ kty='RSA',
+ n=self._encode_int(pn.n),
+ e=self._encode_int(pn.e)
+ )
+ self.import_key(**params)
+
+ def _import_pyca_pri_ec(self, key, **params):
+ pn = key.private_numbers()
+ params.update(
+ kty='EC',
+ crv=JWKpycaCurveMap[key.curve.name],
+ x=self._encode_int(pn.public_numbers.x),
+ y=self._encode_int(pn.public_numbers.y),
+ d=self._encode_int(pn.private_value)
+ )
+ self.import_key(**params)
+
+ def _import_pyca_pub_ec(self, key, **params):
+ pn = key.public_numbers()
+ params.update(
+ kty='EC',
+ crv=JWKpycaCurveMap[key.curve.name],
+ x=self._encode_int(pn.x),
+ y=self._encode_int(pn.y),
+ )
+ self.import_key(**params)
+
+ def import_from_pyca(self, key):
+ if isinstance(key, rsa.RSAPrivateKey):
+ self._import_pyca_pri_rsa(key)
+ elif isinstance(key, rsa.RSAPublicKey):
+ self._import_pyca_pub_rsa(key)
+ elif isinstance(key, ec.EllipticCurvePrivateKey):
+ self._import_pyca_pri_ec(key)
+ elif isinstance(key, ec.EllipticCurvePublicKey):
+ self._import_pyca_pub_ec(key)
+ else:
+ raise InvalidJWKValue('Unknown key object %r' % key)
+
+ @classmethod
+ def from_pyca(cls, key):
+ obj = cls()
+ obj.import_from_pyca(key)
+ return obj
+
UNICODE_ASCII_CHARACTER_SET = ('abcdefghijklmnopqrstuvwxyz'
'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
'0123456789')
@@ -229,28 +315,69 @@
return ''.join(rand.choice(chars) for x in range(length))
-def generate_signed_token(private_pem, request):
- import jwt
+def get_rsa_private_key(data):
+ if isinstance(data, (bytes_type, unicode_type)):
+ if isinstance(data, unicode_type):
+ data = data.encode('ascii')
+ # load_pem_private_key() requires the data to be str or bytes
+ private_key = load_pem_private_key(data, None, default_backend())
+ else:
+ private_key = data
- now = datetime.datetime.utcnow()
+ if not isinstance(private_key, RSAPrivateKey):
+ raise TypeError("Expected RSAPrivateKey, but got %s" %
+ private_key.__class__.__name__)
+
+ return private_key
+
+
+def get_rsa_public_key(data):
+ if isinstance(data, (bytes_type, unicode_type)):
+ if isinstance(data, unicode_type):
+ data = data.encode('ascii')
+ # load_pem_public_key() requires the data to be str or bytes
+ public_key = load_pem_public_key(data, default_backend())
+ else:
+ public_key = data
+
+ if not isinstance(public_key, RSAPublicKey):
+ raise TypeError("Expected RSAPublicKey, but got %s" %
+ public_key.__class__.__name__)
+ return public_key
+
+
+def normalize_claims(claims):
+ for claim in ['exp', 'iat', 'nbf']:
+ # Convert datetime to a intDate value in known time-format claims
+ if isinstance(claims.get(claim), datetime.datetime):
+ claims[claim] = timegm(claims[claim].utctimetuple())
+ return claims
+
+
+def generate_jwt_assertion(private_key, claims):
+ rsa_private_key = get_rsa_private_key(private_key)
+ jwkey = JWK.from_pyca(rsa_private_key)
+ token = JWT(header={'alg': 'RS256'}, claims=normalize_claims(claims))
+ token.make_signed_token(jwkey)
+ return to_unicode(token.serialize(), "UTF-8")
+
+
+def generate_signed_token(private_pem, request):
+ now = datetime.datetime.utcnow()
claims = {
'scope': request.scope,
'exp': now + datetime.timedelta(seconds=request.expires_in)
}
-
claims.update(request.claims)
+ return generate_jwt_assertion(private_pem, claims)
- token = jwt.encode(claims, private_pem, 'RS256')
- token = to_unicode(token, "UTF-8")
-
- return token
-
-
-def verify_signed_token(public_pem, token):
- import jwt
- return jwt.decode(token, public_pem, algorithms=['RS256'])
+def verify_signed_token(public_key, token):
+ rsa_public_key = get_rsa_public_key(public_key)
+ jwkey = JWK.from_pyca(rsa_public_key)
+ signed_token = JWT(key=jwkey, jwt=token)
+ return json_decode(signed_token.claims)
def generate_client_id(length=30, chars=CLIENT_ID_CHARACTER_SET):
diff -r -u oauthlib-2.0.1/oauthlib/oauth1/rfc5849/signature.py oauthlib-2.0.1.patched/oauthlib/oauth1/rfc5849/signature.py
--- oauthlib-2.0.1/oauthlib/oauth1/rfc5849/signature.py 2016-11-23 05:30:34.000000000 -0500
+++ oauthlib-2.0.1.patched/oauthlib/oauth1/rfc5849/signature.py 2017-03-16 13:54:56.881287445 -0400
@@ -31,8 +31,15 @@
except ImportError:
import urllib.parse as urlparse
from . import utils
-from oauthlib.common import urldecode, extract_params, safe_string_equals
-from oauthlib.common import bytes_type, unicode_type
+
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from jwcrypto.jwk import JWK
+from jwcrypto.jws import JWS
+
+from oauthlib.common import (urldecode, extract_params, safe_string_equals,
+ bytes_type, unicode_type,
+ get_rsa_private_key, get_rsa_public_key)
def construct_base_string(http_method, base_string_uri,
@@ -464,17 +471,8 @@
# .. _`RFC2045, Section 6.8`: http://tools.ietf.org/html/rfc2045#section-6.8
return binascii.b2a_base64(signature.digest())[:-1].decode('utf-8')
-_jwtrs1 = None
-
-#jwt has some nice pycrypto/cryptography abstractions
-def _jwt_rs1_signing_algorithm():
- global _jwtrs1
- if _jwtrs1 is None:
- import jwt.algorithms as jwtalgo
- _jwtrs1 = jwtalgo.RSAAlgorithm(jwtalgo.hashes.SHA1)
- return _jwtrs1
-def sign_rsa_sha1(base_string, rsa_private_key):
+def sign_rsa_sha1(base_string, private_key):
"""**RSA-SHA1**
Per `section 3.4.3`_ of the spec.
@@ -493,10 +491,11 @@
if isinstance(base_string, unicode_type):
base_string = base_string.encode('utf-8')
# TODO: finish RSA documentation
- alg = _jwt_rs1_signing_algorithm()
- key = _prepare_key_plus(alg, rsa_private_key)
- s=alg.sign(base_string, key)
- return binascii.b2a_base64(s)[:-1].decode('utf-8')
+ key = get_rsa_private_key(private_key)
+ signer = key.signer(padding.PKCS1v15(), hashes.SHA1())
+ signer.update(base_string)
+ signature = signer.finalize()
+ return binascii.b2a_base64(signature)[:-1].decode('utf-8')
def sign_rsa_sha1_with_client(base_string, client):
@@ -568,17 +567,13 @@
resource_owner_secret)
return safe_string_equals(signature, request.signature)
-def _prepare_key_plus(alg, keystr):
- if isinstance(keystr, bytes_type):
- keystr = keystr.decode('utf-8')
- return alg.prepare_key(keystr)
def verify_rsa_sha1(request, rsa_public_key):
"""Verify a RSASSA-PKCS #1 v1.5 base64 encoded signature.
Per `section 3.4.3`_ of the spec.
- Note this method requires the jwt and cryptography libraries.
+ Note this method requires the cryptography library.
.. _`section 3.4.3`: http://tools.ietf.org/html/rfc5849#section-3.4.3
@@ -595,9 +590,14 @@
message = construct_base_string(request.http_method, uri, norm_params).encode('utf-8')
sig = binascii.a2b_base64(request.signature.encode('utf-8'))
- alg = _jwt_rs1_signing_algorithm()
- key = _prepare_key_plus(alg, rsa_public_key)
- return alg.verify(message, key, sig)
+ key = get_rsa_public_key(rsa_public_key)
+ verifier = key.verifier(sig, padding.PKCS1v15(), hashes.SHA1())
+ verifier.update(message)
+ try:
+ verifier.verify()
+ return True
+ except InvalidSignature:
+ return False
def verify_plaintext(request, client_secret=None, resource_owner_secret=None):
diff -r -u oauthlib-2.0.1/oauthlib/oauth2/rfc6749/clients/service_application.py oauthlib-2.0.1.patched/oauthlib/oauth2/rfc6749/clients/service_application.py
--- oauthlib-2.0.1/oauthlib/oauth2/rfc6749/clients/service_application.py 2016-11-23 05:30:34.000000000 -0500
+++ oauthlib-2.0.1.patched/oauthlib/oauth2/rfc6749/clients/service_application.py 2017-03-16 13:54:56.881287445 -0400
@@ -10,7 +10,7 @@
import time
-from oauthlib.common import to_unicode
+from oauthlib.common import generate_jwt_assertion
from .base import Client
from ..parameters import prepare_token_request
@@ -139,7 +139,6 @@
.. _`Section 3.2.1`: http://tools.ietf.org/html/rfc6749#section-3.2.1
"""
- import jwt
key = private_key or self.private_key
if not key:
@@ -166,8 +165,7 @@
claim.update(extra_claims or {})
- assertion = jwt.encode(claim, key, 'RS256')
- assertion = to_unicode(assertion)
+ assertion = generate_jwt_assertion(key, claim)
return prepare_token_request(self.grant_type,
body=body,
diff -r -u oauthlib-2.0.1/oauthlib.egg-info/requires.txt oauthlib-2.0.1.patched/oauthlib.egg-info/requires.txt
--- oauthlib-2.0.1/oauthlib.egg-info/requires.txt 2016-11-23 05:31:05.000000000 -0500
+++ oauthlib-2.0.1.patched/oauthlib.egg-info/requires.txt 2017-03-16 13:55:02.296191560 -0400
@@ -7,10 +7,10 @@
[signedtoken]
cryptography
-pyjwt>=1.0.0
+jwcrypto
[test]
nose
cryptography
-pyjwt>=1.0.0
+jwcrypto
blinker
diff -r -u oauthlib-2.0.1/oauthlib.egg-info/SOURCES.txt oauthlib-2.0.1.patched/oauthlib.egg-info/SOURCES.txt
--- oauthlib-2.0.1/oauthlib.egg-info/SOURCES.txt 2016-11-23 05:31:05.000000000 -0500
+++ oauthlib-2.0.1.patched/oauthlib.egg-info/SOURCES.txt 2017-03-16 13:55:02.320191135 -0400
@@ -2,6 +2,7 @@
LICENSE
MANIFEST.in
README.rst
+setup.cfg
setup.py
oauthlib/__init__.py
oauthlib/common.py
diff -r -u oauthlib-2.0.1/setup.py oauthlib-2.0.1.patched/setup.py
--- oauthlib-2.0.1/setup.py 2016-11-23 05:30:34.000000000 -0500
+++ oauthlib-2.0.1.patched/setup.py 2017-03-16 13:54:56.883287410 -0400
@@ -18,11 +18,11 @@
return f.read()
if sys.version_info[0] == 3:
- tests_require = ['nose', 'cryptography', 'pyjwt>=1.0.0', 'blinker']
+ tests_require = ['nose', 'cryptography', 'jwcrypto', 'blinker']
else:
- tests_require = ['nose', 'unittest2', 'cryptography', 'mock', 'pyjwt>=1.0.0', 'blinker']
+ tests_require = ['nose', 'cryptography', 'mock', 'jwcrypto', 'blinker']
rsa_require = ['cryptography']
-signedtoken_require = ['cryptography', 'pyjwt>=1.0.0']
+signedtoken_require = ['cryptography', 'jwcrypto']
signals_require = ['blinker']
requires = []
diff -r -u oauthlib-2.0.1/tests/oauth2/rfc6749/clients/test_service_application.py oauthlib-2.0.1.patched/tests/oauth2/rfc6749/clients/test_service_application.py
--- oauthlib-2.0.1/tests/oauth2/rfc6749/clients/test_service_application.py 2016-11-23 05:30:34.000000000 -0500
+++ oauthlib-2.0.1.patched/tests/oauth2/rfc6749/clients/test_service_application.py 2017-03-16 13:54:56.882287427 -0400
@@ -4,10 +4,9 @@
import os
from time import time
-import jwt
from mock import patch
-from oauthlib.common import Request
+from oauthlib.common import Request, verify_signed_token
from oauthlib.oauth2 import ServiceApplicationClient
from ....unittest import TestCase
@@ -92,10 +91,10 @@
self.assertEqual(r.isnot, 'empty')
self.assertEqual(r.grant_type, ServiceApplicationClient.grant_type)
- claim = jwt.decode(r.assertion, self.public_key, audience=self.audience, algorithms=['RS256'])
+ claim = verify_signed_token(self.public_key, r.assertion)
self.assertEqual(claim['iss'], self.issuer)
- # audience verification is handled during decode now
+ self.assertEqual(claim['aud'], self.audience)
self.assertEqual(claim['sub'], self.subject)
self.assertEqual(claim['iat'], int(t.return_value))
diff -r -u oauthlib-2.0.1/tests/oauth2/rfc6749/test_server.py oauthlib-2.0.1.patched/tests/oauth2/rfc6749/test_server.py
--- oauthlib-2.0.1/tests/oauth2/rfc6749/test_server.py 2016-11-23 05:30:34.000000000 -0500
+++ oauthlib-2.0.1.patched/tests/oauth2/rfc6749/test_server.py 2017-03-16 13:54:56.882287427 -0400
@@ -2,7 +2,6 @@
from __future__ import absolute_import, unicode_literals
from ...unittest import TestCase
import json
-import jwt
import mock
from oauthlib import common