From 1c866cb3d7cd337472474c43f36a6b7895aaebe2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 18 Apr 2024 17:12:36 -0400 Subject: [PATCH] Allow to pass through pem loading unsafe option This has some significant performance impact and is ok to use with trusted keys. Signed-off-by: Simo Sorce --- jwcrypto/jwk.py | 9 +++++++-- jwcrypto/tests.py | 10 ++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/jwcrypto/jwk.py b/jwcrypto/jwk.py index fe8598e..c273445 100644 --- a/jwcrypto/jwk.py +++ b/jwcrypto/jwk.py @@ -339,6 +339,7 @@ def __init__(self, **kwargs): super(JWK, self).__init__() self._cache_pub_k = None self._cache_pri_k = None + self.unsafe_skip_rsa_key_validation = False if 'generate' in kwargs: self.generate_key(**kwargs) @@ -838,7 +839,9 @@ def _rsa_pub(self): def _rsa_pri(self): k = self._cache_pri_k if k is None: - k = self._rsa_pri_n().private_key(default_backend()) + u = self.unsafe_skip_rsa_key_validation + k = self._rsa_pri_n().private_key(default_backend(), + unsafe_skip_rsa_key_validation=u) self._cache_pri_k = k return k @@ -993,8 +996,10 @@ def import_from_pem(self, data, password=None, kid=None): """ try: + u = self.unsafe_skip_rsa_key_validation key = serialization.load_pem_private_key( - data, password=password, backend=default_backend()) + data, password=password, backend=default_backend(), + unsafe_skip_rsa_key_validation=u) except ValueError as e: if password is not None: raise e diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py index d7b3b6b..ae3b140 100644 --- a/jwcrypto/tests.py +++ b/jwcrypto/tests.py @@ -757,6 +757,16 @@ def test_thumbprint_uri(self): "urn:ietf:params:oauth:jwk-thumbprint:sha-256:{}".format( PublicKeys['thumbprints'][1])) + def test_unsafe_rsa(self): + key = jwk.JWK() + key.unsafe_skip_rsa_key_validation = True + key.import_from_pem(RSAPrivatePEM, password=RSAPrivatePassword) + self.assertTrue(key.has_private) + # finally check private works + s = jws.JWS(payload='plaintext') + s.add_signature(key, None, {"alg": "PS256"}) + s.serialize() + # RFC 7515 - A.1 A1_protected = \