jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Cryptography generated EC key is invalid #925

Closed sebbegg closed 8 months ago

sebbegg commented 10 months ago

Hi there,

in a mock for local testing we're using a randomly generated EC key to sign tokens. Sometimes the key that's generated does not seem to be usable by pyjwt though, which seems odd.

Expected Result

Keys generated via cryptography, dumped to and loaded as jwk should be valid keys.

Actual Result

Some keys seem to be not supported or maybe wrongly exported/imported as jwk, leading to an InvalidKeyError. See example below:

Reproduction Steps

```python
import json
import time

import cryptography.hazmat.primitives.asymmetric.ec as ec
from jwt import InvalidKeyError
from jwt.algorithms import ECAlgorithm

if __name__ == "__main__":
    # Generate fresh P-256 keys for up to 10 seconds and round-trip each
    # public key through to_jwk / from_jwk; stop at the first one that fails.
    t = time.time()
    while time.time() - t < 10:
        private_key = ec.generate_private_key(ec.SECP256R1())
        jwk = json.loads(ECAlgorithm.to_jwk(private_key.public_key()))
        try:
            ECAlgorithm.from_jwk(jwk)
        except InvalidKeyError:
            print("Failed key:")
            print(json.dumps(jwk, indent=True))
            raise
```

This fails very quickly with e.g. (the key data is obviously different each time):

```
Failed key:
{
 "kty": "EC",
 "crv": "P-256",
 "x": "oUU2SoDzIpcux68yJAih8kCiObMKp159_j1viE2rkRQ",
 "y": "z7Os4ZxXJbpuuZD8ASTm9i5EoCAhlv_hWz2A6gG-HA"
}
Traceback (most recent call last):
  File "/xyz/jwk_error.py", line 16, in <module>
    ECAlgorithm.from_jwk(jwk)
  File "/xyz/venv/lib/python3.9/site-packages/jwt/algorithms.py", line 630, in from_jwk
    raise InvalidKeyError("Coords should be 32 bytes for curve P-256")
jwt.exceptions.InvalidKeyError: Coords should be 32 bytes for curve P-256
```

System Information

```
$ python -m jwt.help
{
  "cryptography": {
    "version": "41.0.5"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.9.16"
  },
  "platform": {
    "release": "23.1.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.8.0"
  }
}
```

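The failing `y` above is 42 base64url characters, which decodes to 31 bytes rather than 32: that is consistent with the coordinate having been serialized at minimal length, dropping a leading zero octet, whereas RFC 7518 (section 6.2.1.2) requires EC coordinates to be zero-padded to the full field size (32 octets for P-256). The stdlib-only script below is an added example, not code from pyjwt or from the reporter; it uses the failing key printed in the report to show that the unpadded coordinate trips the same length check, that fixed-width re-encoding repairs the JWK, and that the repaired point really lies on P-256.

```python
import base64

# P-256 (secp256r1) field prime and curve coefficient b, used only to check
# that a decoded (x, y) pair is a point on the curve: y^2 = x^3 - 3x + b (mod p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
COORD_LEN = 32  # RFC 7518: each P-256 coordinate is exactly 32 octets

# Constructed from the "Failed key" output in the report above.
FAILING_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "oUU2SoDzIpcux68yJAih8kCiObMKp159_j1viE2rkRQ",
    "y": "z7Os4ZxXJbpuuZD8ASTm9i5EoCAhlv_hWz2A6gG-HA",
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def encode_coord_minimal(n: int) -> bytes:
    # Shortest big-endian encoding: a coordinate whose top octet is zero
    # comes out 31 bytes long (about 1 key in 256), which is what breaks.
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def encode_coord_fixed(n: int) -> bytes:
    # Fixed-width encoding: always COORD_LEN octets, leading zeros kept.
    return n.to_bytes(COORD_LEN, "big")

def decode_jwk_coords(jwk: dict) -> tuple:
    # Same strict length check the from_jwk traceback shows.
    x, y = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(x) != COORD_LEN or len(y) != COORD_LEN:
        raise ValueError(f"Coords should be {COORD_LEN} bytes for curve P-256")
    return int.from_bytes(x, "big"), int.from_bytes(y, "big")

def jwk_coords_valid(jwk: dict) -> bool:
    try:
        decode_jwk_coords(jwk)
        return True
    except ValueError:
        return False

def on_curve(x: int, y: int) -> bool:
    return (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0

def repad_jwk(jwk: dict) -> dict:
    # Re-serialize both coordinates at fixed width; x is unchanged, y grows to 32 bytes.
    fixed = dict(jwk)
    for k in ("x", "y"):
        fixed[k] = b64url_encode(encode_coord_fixed(int.from_bytes(b64url_decode(jwk[k]), "big")))
    return fixed
```

Running `jwk_coords_valid(FAILING_JWK)` returns False while `jwk_coords_valid(repad_jwk(FAILING_JWK))` returns True, and `on_curve(*decode_jwk_coords(repad_jwk(FAILING_JWK)))` confirms the key itself was always valid.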
github-actions[bot] commented 8 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.