Add message about lack of X.509 certificate support in documentation #27
Comments
Can you provide an example JWT and key that you are getting the error for?
jwt: key:
It appears that you are trying to verify the token with an X.509 certificate, as opposed to a public key. Unfortunately, PyCrypto doesn't support X.509 certificates. The certificate contains the public key and it can be converted with openssl.
Using that public key allows me to verify the given token (ignoring that it is expired):

```python
>>> from jose import jwt
>>> key = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFZpGaiLkQXKPlMGtQYo
Ujq4EnjH3BIer22VEvWqafDN01uUOh6iHobDcfngiozReqNlnCBXkpc5AM5qhSkw
FEf3fHsxrs2OGIO2lCvQlJsUhAuwhrL9XFD2B9r8jzcdWIQBsXUVeOEEqeLAUpS/
bqZTfS6ll+wNCQczw4tz+JdG+EBiftLvfY5592/SQn23eH5Y4YoZWRh8NoAaflTL
PH72jLItjfduiso4EHOmFJCVkKsvnr3NNe+8uC91K2uw8ZqJEaPrgMZcPosKDppw
slwxS+VVQ7pMcckdWCnynOWs9AbcHWtmTrWVmonKMr+dOLa1j0Y8t93E58MAyM2j
PwIDAQAB
-----END PUBLIC KEY-----"""
>>> token = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImY0YjBhNWM3M2FkODVhNWRhMDlmMGU3Zjc2NDYzNjMxMzM5ZTBiYmYifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vd2Vkb3RyYW5zZmVyLTIwMTYiLCJhdWQiOiJ3ZWRvdHJhbnNmZXItMjAxNiIsImF1dGhfdGltZSI6MTQ2NzM0NjI3MCwidXNlcl9pZCI6IjRjemVXVllIekNNVnN0WEZOYldHVXBKYmJTZzEiLCJzdWIiOiI0Y3plV1ZZSHpDTVZzdFhGTmJXR1VwSmJiU2cxIiwiaWF0IjoxNDY3MzQ2MjcwLCJleHAiOjE0NjczNDk4NzAsImVtYWlsIjoic2V1bkBjbXUuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7InBhc3N3b3JkIjpbInNldW5AY211LmNvbSJdLCJlbWFpbCI6WyJzZXVuQGNtdS5jb20iXX19fQ.U-fYjx8rMm5tYV24r0uEcNQtIe3UKULxsHecLdGzTbi1v-VKzKDk_QPL26SPDoU8JUMY3nJQ1hOE9AapBrQck8NVUZSKFMD49XdtsyoN2kKdinpFR1hSxIE0L2dRStS7OZ8sGiX866lNa52Cr6TXSsnMD6N2P0OtVE5EeD1Nf-AiJ-gsaLrP4tBnmj1MNYhEYVHb6sAUrT3nEI9gWmeKcPWPfn76FGTdGWZ2mjdaeAG4RbuFL4cHdOISA_0HVLGJxuNyEHAHybDX8mVdNW_F4yzL3H-SmPFY5Kv3tCdBzpzhUKfNOnFFmf2ggFOJnDsqMp-TZaIPk6ce_ltqhQ0dnQ"
>>> print(jwt.decode(token, key, algorithms='RS256', audience='wedotransfer-2016', options={'verify_exp': False}))
{u'user_id': u'4czeWVYHzCMVstXFNbWGUpJbbSg1', u'sub': u'4czeWVYHzCMVstXFNbWGUpJbbSg1', u'iss': u'https://securetoken.google.com/wedotransfer-2016', u'email_verified': False, u'firebase': {u'identities': {u'password': [u'seun@cmu.com'], u'email': [u'seun@cmu.com']}}, u'exp': 1467349870, u'auth_time': 1467346270, u'iat': 1467346270, u'email': u'seun@cmu.com', u'aud': u'wedotransfer-2016'}
```
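The conversion the maintainer describes (certificate in, "BEGIN PUBLIC KEY" PEM out, the same thing `openssl x509 -pubkey -noout -in cert.pem` prints) can also be done without PyCrypto or openssl, since the SubjectPublicKeyInfo is simply one field of the certificate's DER structure. The following is an added example, not python-jose's own code: a minimal DER walker that locates that field and re-emits it as PEM. Because the page contains no certificate, the one parsed below is constructed around the public key from the comment above; its issuer, subject, validity and serial are dummies and its signature is zero-filled, so it is structurally valid but unsigned. The tag constants and helper names are this example's own.

```python
"""Extract the public key from an X.509 certificate with the standard library only.

Added example (not python-jose code). Walks the DER structure, returns the
SubjectPublicKeyInfo as a "BEGIN PUBLIC KEY" PEM. The certificate below is a
constructed, unsigned shell around the public key posted in this thread.
Extracting a key says nothing about trust: check the chain before using it.
"""
import base64

# Base64 body of the PEM public key from this thread (a DER SubjectPublicKeyInfo).
PAGE_SPKI_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFZpGaiLkQXKPlMGtQYo"
    "Ujq4EnjH3BIer22VEvWqafDN01uUOh6iHobDcfngiozReqNlnCBXkpc5AM5qhSkw"
    "FEf3fHsxrs2OGIO2lCvQlJsUhAuwhrL9XFD2B9r8jzcdWIQBsXUVeOEEqeLAUpS/"
    "bqZTfS6ll+wNCQczw4tz+JdG+EBiftLvfY5592/SQn23eH5Y4YoZWRh8NoAaflTL"
    "PH72jLItjfduiso4EHOmFJCVkKsvnr3NNe+8uC91K2uw8ZqJEaPrgMZcPosKDppw"
    "slwxS+VVQ7pMcckdWCnynOWs9AbcHWtmTrWVmonKMr+dOLa1j0Y8t93E58MAyM2j"
    "PwIDAQAB"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, PRINTABLE, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x13, 0x17, 0xA0)


def der_tlv(tag, content):
    """Encode one DER tag-length-value (definite short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def der_children(buf):
    """Split a DER byte string into (tag, whole_tlv, content) triples."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 1 >= len(buf):
            raise ValueError("truncated DER header")
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nb = first & 0x7F
            if not 1 <= nb <= 4:
                raise ValueError("unsupported DER length encoding")
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
        end = pos + hdr + length
        if end > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:end], buf[pos + hdr:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    top = der_children(cert_der)
    if len(top) != 1 or top[0][0] != SEQUENCE:
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, _, tbs_body = der_children(top[0][2])[0]
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == CTX0 else 5  # v1 certificates omit the version field
    spki_tag, spki_raw, spki_body = fields[idx]
    if spki_tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    alg_oid = der_children(der_children(spki_body)[0][2])[0]
    if alg_oid[0] != OID or alg_oid[2] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key; RS256 verification needs RSA")
    return spki_raw


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def certificate_to_public_key_pem(cert_pem):
    """PEM certificate in, 'BEGIN PUBLIC KEY' PEM out: the conversion discussed above."""
    return der_to_pem(extract_spki(pem_to_der(cert_pem)), "PUBLIC KEY")


def build_demo_certificate(spki_der):
    """Constructed, unsigned v3 certificate shell around an existing SPKI (demo input only)."""
    sig_alg = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2A864886F70D01010B")) + der_tlv(NULL, b""))
    name = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE, der_tlv(OID, b"\x55\x04\x03") + der_tlv(PRINTABLE, b"demo"))))
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"160101000000Z") + der_tlv(UTCTIME, b"170101000000Z"))
    tbs = der_tlv(SEQUENCE, der_tlv(CTX0, der_tlv(INTEGER, b"\x02")) + der_tlv(INTEGER, b"\x01")
                  + sig_alg + name + validity + name + spki_der)
    return der_tlv(SEQUENCE, tbs + sig_alg + der_tlv(BIT_STRING, b"\x00" * 257))  # zero "signature"


PAGE_PUBLIC_KEY_PEM = der_to_pem(base64.b64decode(PAGE_SPKI_B64), "PUBLIC KEY")
DEMO_CERT_PEM = der_to_pem(build_demo_certificate(base64.b64decode(PAGE_SPKI_B64)), "CERTIFICATE")

if __name__ == "__main__":
    print(certificate_to_public_key_pem(DEMO_CERT_PEM))
```

Run as a script it prints the same PEM block as in the comment above, which is what `jwt.decode(token, key, algorithms='RS256', ...)` then accepts as `key`. The OID check matters in practice: an EC certificate would yield a key that RS256 cannot use, and failing loudly there is better than a confusing error from the signature code.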
Thanks.
It may be good to point this out in the docs somewhere, since I had the same problem. We try to decode a Firebase-provided JWT. The public keys are published here in the form of a JSON object of X.509 certificates ... this Stack Overflow post seems to be helpful: http://stackoverflow.com/questions/12911373/how-do-i-use-a-x509-certificate-with-pycrypto
I think it makes sense to at least include this in the docs.
Thanks @mpdavis for the library and @TNGPS for the hint to the stackoverflow question. While migrating from "Gitkit" to "Firebase+(python-jose)":
@danielfaust It looks like you have given me enough info to be able to convert Firebase's certificates to a public key that PyCrypto will accept. It won't work for arbitrary ASN.1-formatted certificates, but even just supporting Firebase certificates appears to be beneficial to consumers of this library. I'll see what I can do to add support.
@anjorinjnr @TNGPS @danielfaust I added support for Firebase certs in https://github.com/mpdavis/python-jose/releases/tag/1.3.0 Let me know if you run into any issues with it.
Thanks, this is very nice. I was checking the code and noticed the effort you put into the different ways the downloaded certs can be fed into the function. A nice surprise, as I expected it just to be able to get fed the certificate string into While testing them through, I did get an error.
This is because I can pass the specific cert Gitkit has not yet been deprecated, and no deprecation announcement has been made. Google explicitly says that they would announce it if they were to deprecate it, but that there are currently no plans to do so. Currently it's just as valuable for authentication as Firebase. I had no problems using Firebase. Update: This occurs randomly... let's hope that Firebase isn't affected as well. Update2: This is a very strange error. I have been trying this for 5 minutes now, and it only happened once or twice in the beginning. This is not caused by a malformed cert server response as this raises a It appears to be working. I would open a new issue if this comes back and I've got some clue on why this occurred.
I'll take a look. Thanks for the triage. On Thu, Sep 1, 2016 at 6:46 PM Daniel Faust notifications@github.com
The
Some of the certs in the list have a smaller modulus and would throw that error if tried. As you saw, I am iterating over the list of certs instead of picking one out with the As for why it was intermittently failing, Python dictionaries don't have a set order. If the correct cert is used first, everything will work. If a cert with a smaller modulus is used, it will blow up. I released a fix in https://github.com/mpdavis/python-jose/releases/tag/1.3.1 Again, thank you for the triage and help working through this. Let me know if that works for you.
Thanks again for the effort, and for publishing it so fast on PyPI. Good to know what caused the randomly occurring exception. I checked the code and the solution looks totally OK to me, based on the reason for failure you mention. I also checked how the oauth2client library is handling the
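The intermittent failure above comes from trying candidate certificates in dictionary order. The alternative the maintainer mentions, picking the certificate out by the token's kid header, avoids that entirely: the header names the key, so only one certificate is ever tried. The following is an added example, not python-jose's own code. It parses the JOSE header with the standard library, pins the algorithm before any key is consulted (so an alg of "none" or an HMAC alg cannot redirect the check), and resolves the kid against a Firebase-style {kid: certificate} object. The header segment is taken from the token posted earlier in this thread; the payload, signature and certificate strings are constructed placeholders.

```python
"""Pick the verification certificate by the JWT "kid" header.

Added example (not python-jose code). Firebase publishes its certificates as a
JSON object mapping kid -> PEM certificate; rather than trying every entry in
dictionary order, resolve the kid from the token header and use that one only.
"""
import base64
import json

# Header from the thread's token: {"alg":"RS256","kid":"f4b0...bbf"}; the payload
# "{}" and signature "sig" are constructed placeholders (this token will not verify).
CONSTRUCTED_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6ImY0YjBhNWM3M2FkODVhNWRhMDlmMGU3Zjc2NDYzNjMxMzM5ZTBiYmYifQ"
    ".e30.c2ln"
)
# Constructed token with header {"alg":"none"}: must be rejected before any key lookup.
ALG_NONE_TOKEN = "eyJhbGciOiJub25lIn0.e30."
FIREBASE_KID = "f4b0a5c73ad85a5da09f0e7f76463631339e0bbf"

# Constructed stand-in for the published {kid: certificate} object. The first entry
# plays the role of the smaller-modulus cert that blew up when tried first.
CONSTRUCTED_CERTS = {
    "0123456789abcdef0123456789abcdef01234567":
        "-----BEGIN CERTIFICATE-----\n(placeholder, smaller key)\n-----END CERTIFICATE-----\n",
    FIREBASE_KID:
        "-----BEGIN CERTIFICATE-----\n(placeholder, signing key)\n-----END CERTIFICATE-----\n",
}


def b64url_decode(segment):
    """Decode an unpadded base64url segment, as JWS uses (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header(token):
    """Parse the JOSE header without verifying anything; treat it as attacker input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def select_certificate(token, certs, expected_alg="RS256"):
    """Return (kid, certificate) for the token, or raise.

    The alg is pinned to the caller's expectation before any key is consulted,
    so "none" or an HMAC alg cannot steer the check. The kid is only ever used
    as a dictionary key, never interpolated into a path or URL.
    """
    header = jws_header(token)
    alg = header.get("alg")
    if alg != expected_alg:
        raise ValueError("unexpected alg %r (expected %r)" % (alg, expected_alg))
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("token has no usable kid; refusing to guess among candidate keys")
    if kid not in certs:
        raise LookupError("no certificate for kid %r; refresh the published certificate set" % kid)
    return kid, certs[kid]


if __name__ == "__main__":
    print(select_certificate(CONSTRUCTED_TOKEN, CONSTRUCTED_CERTS))
```

The selected certificate is then the single `key` handed to `jwt.decode(token, key, algorithms='RS256', audience=...)`, so a modulus-size mismatch can no longer depend on dictionary order. An unknown kid usually means the published set has rotated and should be re-fetched, not that the token is forged; treat the two cases differently in logs.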
I get this error when using algorithms='RS256' on google app engine.
Full stack trace