CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-josepy

JOSE protocol implementation in Python with support for JSON Web Algorithms, Keys, and Signatures

73

1.15x
Overview
Eval results
Files

jwa.mddocs/

JSON Web Algorithms (JWA)

Cryptographic signature algorithms implementing the JSON Web Algorithms specification (RFC 7518). Provides HMAC, RSA, and ECDSA signature algorithms with different hash functions for secure token signing and verification.

Capabilities

Signature Algorithm Instances

Pre-configured algorithm instances ready for immediate use in signing and verification operations.

# RSASSA-PKCS1-v1_5 algorithms
RS256: JWASignature  # RSA with SHA-256
RS384: JWASignature  # RSA with SHA-384  
RS512: JWASignature  # RSA with SHA-512

# RSASSA-PSS algorithms
PS256: JWASignature  # RSA-PSS with SHA-256 and MGF1
PS384: JWASignature  # RSA-PSS with SHA-384 and MGF1
PS512: JWASignature  # RSA-PSS with SHA-512 and MGF1

# ECDSA algorithms
ES256: JWASignature  # ECDSA with P-256 curve and SHA-256
ES384: JWASignature  # ECDSA with P-384 curve and SHA-384
ES512: JWASignature  # ECDSA with P-521 curve and SHA-512

# HMAC algorithms
HS256: JWASignature  # HMAC with SHA-256
HS384: JWASignature  # HMAC with SHA-384
HS512: JWASignature  # HMAC with SHA-512

Usage Examples

from josepy import RS256, ES256, HS256, JWKRSA, JWKEC, JWKOct
from cryptography.hazmat.primitives.asymmetric import rsa, ec
from cryptography.hazmat.backends import default_backend

# RSA signing
private_key = rsa.generate_private_key(65537, 2048, default_backend())
jwk_rsa = JWKRSA(key=private_key)
message = b"Hello, World!"

# Sign with RS256
signature = RS256.sign(jwk_rsa.key, message)
print(f"RSA signature: {signature.hex()}")

# Verify signature
is_valid = RS256.verify(jwk_rsa.public_key().key, message, signature)
print(f"Signature valid: {is_valid}")

# ECDSA signing
ec_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
jwk_ec = JWKEC(key=ec_private_key)

# Sign with ES256
ec_signature = ES256.sign(jwk_ec.key, message)
is_ec_valid = ES256.verify(jwk_ec.public_key().key, message, ec_signature)
print(f"ECDSA signature valid: {is_ec_valid}")

# HMAC signing
hmac_key = b"secret-key-bytes"
jwk_oct = JWKOct(key=hmac_key)

# Sign with HS256
hmac_signature = HS256.sign(jwk_oct.key, message)
is_hmac_valid = HS256.verify(jwk_oct.key, message, hmac_signature)
print(f"HMAC signature valid: {is_hmac_valid}")

Base Algorithm Class

Abstract base class for all signature algorithms providing the core interface for signing and verification operations.

class JWASignature:
    """Base class for JSON Web Signature Algorithms"""
    
    def __init__(self, name: str): ...
    
    def sign(self, key: Any, msg: bytes) -> bytes:
        """
        Sign the message using the provided key.
        
        Parameters:
        - key: Cryptographic key appropriate for the algorithm
        - msg: Message bytes to sign
        
        Returns:
        bytes: Digital signature
        
        Raises:
        cryptography.exceptions.InvalidSignature: If signing fails
        """
    
    def verify(self, key: Any, msg: bytes, sig: bytes) -> bool:
        """
        Verify the message and signature using the provided key.
        
        Parameters:
        - key: Cryptographic key appropriate for the algorithm
        - msg: Original message bytes
        - sig: Signature bytes to verify
        
        Returns:
        bool: True if signature is valid, False otherwise
        """
    
    @classmethod
    def from_json(cls, jobj: Any) -> 'JWASignature':
        """Deserialize algorithm from JSON string (algorithm name)"""
    
    def to_partial_json(self) -> Any:
        """Serialize algorithm to JSON (returns algorithm name)"""
    
    @classmethod
    def register(cls, signature_cls: 'JWASignature') -> 'JWASignature':
        """Register algorithm class for JSON deserialization"""
    
    name: str  # Algorithm name (e.g., "RS256", "ES256", "HS256")

Algorithm Details

RSA Algorithms (RS256, RS384, RS512, PS256, PS384, PS512)

RSA-based signature algorithms supporting both PKCS#1 v1.5 and PSS padding schemes.

Key Requirements:

  • RSA private key for signing
  • RSA public key for verification
  • Minimum 2048-bit key size recommended

Algorithm Variations:

  • RS series: RSASSA-PKCS1-v1_5 with SHA hash functions
  • PS series: RSASSA-PSS with SHA hash functions and MGF1 mask generation

ECDSA Algorithms (ES256, ES384, ES512)

Elliptic Curve Digital Signature Algorithm with different curve sizes and hash functions.

Key Requirements:

  • EC private key for signing
  • EC public key for verification
  • Curve must match algorithm specification:
    • ES256: P-256 (secp256r1)
    • ES384: P-384 (secp384r1)
    • ES512: P-521 (secp521r1)

HMAC Algorithms (HS256, HS384, HS512)

Hash-based Message Authentication Code using symmetric keys.

Key Requirements:

  • Symmetric key (bytes) for both signing and verification
  • Key should be at least as long as the hash output
  • Same key used for both signing and verification

Error Handling

All algorithms may raise cryptographic exceptions during signing and verification:

import cryptography.exceptions

try:
    signature = RS256.sign(key, message)
except cryptography.exceptions.InvalidSignature:
    print("Signing failed - invalid key or message")

# Verification returns False on failure rather than raising exceptions
is_valid = RS256.verify(key, message, signature)
if not is_valid:
    print("Signature verification failed")

Install with Tessl CLI

npx tessl i tessl/pypi-josepy

docs

errors.md

index.md

interfaces.md

jwa.md

jwk.md

jws.md

utilities.md

tile.json