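def jws_encapsulate(key,
                    header,
                    payload,
                    digest=hashes.SHA256,
                    padder=asymmetric.padding.PKCS1v15):
    """Sign *payload* and return a JWS JSON object serialized to ASCII bytes.

    The JWS ``alg`` value is derived from the key type and the digest class:
    ``HS*`` for a ``bytes`` key (HMAC), ``ES*`` for an EC private key, and
    ``RS*`` / ``PS*`` for an RSA private key depending on *padder*.

    Args:
        key: ``bytes`` (HMAC secret), ``ec.EllipticCurvePrivateKey`` or
            ``rsa.RSAPrivateKey``.
        header: dict used as the protected header. It is modified in place:
            ``alg`` and ``jwk`` are set (overwriting any existing values).
        payload: object passed to ``jws_safe_obj`` to form the signed payload.
        digest: hash *class* -- ``hashes.SHA256``, ``SHA384`` or ``SHA512``.
        padder: RSA padding *class* -- ``PKCS1v15`` or ``PSS``. Ignored for
            non-RSA keys.

    Returns:
        ``bytes``: JSON with the keys ``protected``, ``payload`` and
        ``signature``.

    Raises:
        ValueError: on a digest, padding or key type outside the sets above.
    """
    if digest == hashes.SHA256:
        suffix = '256'
    elif digest == hashes.SHA384:
        suffix = '384'
    elif digest == hashes.SHA512:
        suffix = '512'
    else:
        # str() is required: concatenating the class itself raised TypeError
        # and hid the intended ValueError from callers.
        raise ValueError('RFC 7518 non-compliant digest: ' + str(digest))

    if isinstance(key, bytes):
        algorithm = 'HS' + suffix
        signer = hmac.HMAC(key, digest(), backend)
    elif isinstance(key, ec.EllipticCurvePrivateKey):
        algorithm = 'ES' + suffix
        # NOTE(review): RFC 7518 section 3.4 specifies the signature as the
        # fixed-length concatenation R || S and ties each ES* name to one
        # curve. cryptography's ECDSA signer returns a DER-encoded signature
        # and nothing here checks key.curve against the digest -- confirm a
        # conversion/validation happens elsewhere, otherwise verifiers will
        # reject ES* output.
        signer = key.signer(ec.ECDSA(digest()))
    elif isinstance(key, rsa.RSAPrivateKey):
        if padder == asymmetric.padding.PSS:
            algorithm = 'PS' + suffix
            # Two fixes: the hash algorithm is the second argument to
            # signer() (the original had '.' instead of ',', which called
            # .digest() on the PSS object), and RFC 7518 section 3.5 requires
            # the salt to be the size of the hash output rather than
            # MAX_LENGTH, which strict verifiers do not accept.
            signer = key.signer(
                padder(asymmetric.padding.MGF1(digest()), digest.digest_size),
                digest())
        elif padder == asymmetric.padding.PKCS1v15:
            algorithm = 'RS' + suffix
            signer = key.signer(padder(), digest())
        else:
            raise ValueError('RFC 7518 non-compliant padding: ' +
                             str(type(padder)))
    else:
        raise ValueError('RFC 7518 non-compliant key: ' + str(type(key)))

    # NOTE(review): for a bytes (HMAC) key, confirm that key_to_pubkey /
    # pubkey_to_jwk never serialize the secret itself into the 'jwk' header;
    # the protected header is sent to the verifier in the clear.
    pubkey = key_to_pubkey(key)
    header['alg'] = algorithm
    header['jwk'] = pubkey_to_jwk(pubkey)

    protected = jws_safe_obj(header)
    payload = jws_safe_obj(payload)

    # JWS signing input: <protected> '.' <payload>.
    signer.update(protected + b'.' + payload)
    signature = acme_safe_b64_encode(signer.finalize())

    return json.dumps({
        'protected': protected.decode('ascii'),
        'payload': payload.decode('ascii'),
        'signature': signature.decode('ascii'),
    }).encode('ascii')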