tessl/pypi-josepy
JOSE protocol implementation in Python with support for JSON Web Algorithms, Keys, and Signatures
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-josepy@2.1.0index.mddocs/
JOSEPY
A comprehensive Python implementation of the JOSE (Javascript Object Signing and Encryption) standards developed by the IETF. Provides JSON Web Algorithms (JWA), JSON Web Key (JWK), and JSON Web Signature (JWS) functionality for secure token handling, digital signatures, and cryptographic key operations.
Package Information
- Package Name: josepy
- Language: Python
- Installation:
pip install josepy - License: Apache License 2.0
- Homepage: https://github.com/certbot/josepy
Core Imports
import josepyCommon usage imports:
from josepy import JWK, JWS, Header, b64encode, b64decode
from josepy import RS256, ES256, HS256 # Signature algorithms
from josepy import JWKRSA, JWKEC, JWKOct # Key typesBasic Usage
from josepy import JWKRSA, JWS, Header, RS256
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend
# Generate RSA key pair
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
# Create JWK from cryptography key
jwk = JWKRSA(key=private_key)
# Create JWS with payload
payload = b'{"msg": "Hello, JOSE!"}'
header = Header(alg=RS256)
# Sign the payload
jws = JWS.sign(payload, key=jwk, alg=RS256)
# Serialize to JSON
jws_json = jws.json_dumps()
# Verify signature (using public key)
public_jwk = jwk.public_key()
verified_jws = JWS.json_loads(jws_json)
is_valid = verified_jws.verify(public_jwk)
if is_valid:
print(verified_jws.payload.decode()) # {"msg": "Hello, JOSE!"}
else:
print("Signature verification failed")Architecture
JOSEPY follows the JOSE standard architecture with three main components:
- JSON Web Algorithms (JWA): Cryptographic algorithms for signing and verification
- JSON Web Keys (JWK): Key representation and management for RSA, ECDSA, and symmetric keys
- JSON Web Signature (JWS): Complete signing and verification workflow with headers and payloads
The library provides a type-safe, serializable interface built on the cryptography library for all cryptographic operations, with comprehensive error handling and RFC-compliant implementations.
Capabilities
JSON Web Algorithms (JWA)
Cryptographic signature algorithms supporting HMAC, RSA, and ECDSA variants with different hash functions. All algorithms provide sign() and verify() methods for secure token operations.
# Signature algorithm instances
RS256: JWASignature # RSASSA-PKCS1-v1_5 using SHA-256
RS384: JWASignature # RSASSA-PKCS1-v1_5 using SHA-384
RS512: JWASignature # RSASSA-PKCS1-v1_5 using SHA-512
PS256: JWASignature # RSASSA-PSS using SHA-256 and MGF1
PS384: JWASignature # RSASSA-PSS using SHA-384 and MGF1
PS512: JWASignature # RSASSA-PSS using SHA-512 and MGF1
ES256: JWASignature # ECDSA using P-256 and SHA-256
ES384: JWASignature # ECDSA using P-384 and SHA-384
ES512: JWASignature # ECDSA using P-521 and SHA-512
HS256: JWASignature # HMAC using SHA-256
HS384: JWASignature # HMAC using SHA-384
HS512: JWASignature # HMAC using SHA-512JSON Web Keys (JWK)
Key representation and management for RSA, Elliptic Curve, and symmetric keys with support for key loading, thumbprint generation, and public key extraction.
class JWK:
def thumbprint(self, hash_function=hashes.SHA256) -> bytes: ...
def public_key(self) -> 'JWK': ...
@classmethod
def from_json(cls, jobj) -> 'JWK': ...
class JWKRSA(JWK):
def __init__(self, key=None): ...
class JWKEC(JWK):
def __init__(self, key=None): ...
class JWKOct(JWK):
def __init__(self, key=None): ...JSON Web Signature (JWS)
Complete signing and verification workflow with header and payload management, supporting multiple serialization formats and comprehensive validation.
class JWS:
@classmethod
def sign(cls, payload: bytes, **kwargs) -> 'JWS': ...
def verify(self, key: Optional[JWK] = None) -> bool: ...
def json_dumps(self, **kwargs) -> str: ...
@classmethod
def json_loads(cls, json_string: str) -> 'JWS': ...
class Header:
def __init__(self, alg=None, **kwargs): ...Base64 and JSON Utilities
JOSE-compliant base64 encoding/decoding and JSON serialization utilities with support for certificates, CSRs, and typed field handling.
def b64encode(data: bytes) -> bytes: ...
def b64decode(data: Union[bytes, str]) -> bytes: ...
def encode_cert(cert: x509.Certificate) -> str: ...
def decode_cert(b64der: str) -> x509.Certificate: ...
def encode_csr(csr: x509.CertificateSigningRequest) -> str: ...
def decode_csr(b64der: str) -> x509.CertificateSigningRequest: ...Error Handling
Comprehensive error hierarchy for serialization, deserialization, and cryptographic operation failures with detailed error information.
class Error(Exception): ...
class DeserializationError(Error): ...
class SerializationError(Error): ...
class UnrecognizedTypeError(DeserializationError):
def __init__(self, typ: str, jobj: Any): ...JSON Serialization Interfaces
Core interfaces and base classes for JSON serialization and deserialization with support for partial and full serialization modes, implemented by all JOSE objects.
class JSONDeSerializable:
def to_partial_json(self) -> Any: ...
def to_json(self) -> Any: ...
@classmethod
def from_json(cls, jobj: Any) -> 'JSONDeSerializable': ...
@classmethod
def json_loads(cls, json_string: Union[str, bytes]) -> 'JSONDeSerializable': ...
def json_dumps(self, **kwargs) -> str: ...
def json_dumps_pretty(self) -> str: ...Types
class JSONDeSerializable:
def to_partial_json(self) -> Any: ...
def to_json(self) -> Any: ...
@classmethod
def from_json(cls, jobj: Any): ...
def json_dumps(self, **kwargs) -> str: ...
@classmethod
def json_loads(cls, json_string: Union[str, bytes]): ...
class JSONObjectWithFields(JSONDeSerializable):
"""Base class for JSON objects with field definitions"""
class Field:
"""Field descriptor for JSON object properties"""
class ComparableKey:
"""Comparable wrapper for cryptography keys"""
class ImmutableMap:
"""Immutable key-to-value mapping with attribute access"""
class MediaType:
"""Media Type field encoder/decoder for JOSE headers"""
PREFIX = "application/"
@classmethod
def decode(cls, value: str) -> str: ...
@classmethod
def encode(cls, value: str) -> str: ...