
Allow to pass through pem loading unsafe option
This has some significant performance impact and
is ok to use with trusted keys.

Signed-off-by: Simo Sorce <simo@redhat.com>
simo5 committed Apr 25, 2024
1 parent 90bce18 commit cabac91
Showing 2 changed files with 17 additions and 2 deletions.
9 changes: 7 additions & 2 deletions jwcrypto/jwk.py
Expand Up @@ -339,6 +339,7 @@ def __init__(self, **kwargs):
super(JWK, self).__init__()
self._cache_pub_k = None
self._cache_pri_k = None
self.unsafe_skip_rsa_key_validation = False

if 'generate' in kwargs:
self.generate_key(**kwargs)
Expand Down Expand Up @@ -838,7 +839,9 @@ def _rsa_pub(self):
def _rsa_pri(self):
k = self._cache_pri_k
if k is None:
k = self._rsa_pri_n().private_key(default_backend())
u = self.unsafe_skip_rsa_key_validation
k = self._rsa_pri_n().private_key(default_backend(),
unsafe_skip_rsa_key_validation=u)
self._cache_pri_k = k
return k

Expand Down Expand Up @@ -993,8 +996,10 @@ def import_from_pem(self, data, password=None, kid=None):
"""

try:
u = self.unsafe_skip_rsa_key_validation
key = serialization.load_pem_private_key(
data, password=password, backend=default_backend())
data, password=password, backend=default_backend(),
unsafe_skip_rsa_key_validation=u)
except ValueError as e:
if password is not None:
raise e
Expand Down
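Review bot: `import_from_pem` now passes `unsafe_skip_rsa_key_validation=u` on every call, including when the flag is still False, so on a cryptography release that predates this keyword the call raises TypeError, which the `except ValueError` that follows does not catch; the `private_key(...)` call in `_rsa_pri` has the same shape. Unless the project's minimum cryptography version is known to provide the keyword (not visible here), forward it only when the flag is set, e.g. `opts = {'unsafe_skip_rsa_key_validation': True} if self.unsafe_skip_rsa_key_validation else {}` followed by `serialization.load_pem_private_key(data, password=password, backend=default_backend(), **opts)`. The new attribute in `__init__` also carries no explanation of what it trades away or when it is read; I would add `# Skips cryptography's RSA private-key consistency checks; enable only for keys from a trusted source, and before first use, since _rsa_pri caches the loaded key.` The body of import_from_pem continues outside the hunk.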
10 changes: 10 additions & 0 deletions jwcrypto/tests.py
Expand Up @@ -757,6 +757,16 @@ def test_thumbprint_uri(self):
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:{}".format(
PublicKeys['thumbprints'][1]))

def test_unsafe_rsa(self):
key = jwk.JWK()
key.unsafe_skip_rsa_key_validation = True
key.import_from_pem(RSAPrivatePEM, password=RSAPrivatePassword)
self.assertTrue(key.has_private)
# finally check private works
s = jws.JWS(payload='plaintext')
s.add_signature(key, None, {"alg": "PS256"})
s.serialize()


# RFC 7515 - A.1
A1_protected = \
Expand Down
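Review bot: `test_unsafe_rsa` passes whether or not the flag actually reaches cryptography, because a well-formed key loads and signs either way, so it does not pin the new behaviour. A stronger check would assert on the observable difference, for instance loading a fixture whose private numbers are deliberately inconsistent and asserting it is accepted only with the flag set, if such a fixture is available in the suite; at minimum a one-line comment stating that this test only confirms the flag does not break normal loading would make its scope clear.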
