[Python-Dev] PEP 427 comment: code signing
Dirkjan Ochtman
dirkjan at ochtman.nl
Tue Oct 23 09:14:19 CEST 2012
On Tue, Oct 23, 2012 at 7:46 AM, <martin at v.loewis.de> wrote:
> That's exactly what I want: it (PEP 427) should use one of the algorithms
> that is built-in (into web signatures). Web signatures give a choice of
> three algorithms; yet Daniel proposes to deviate and use a non-builtin
> algorithm.
>
> None of the algorithms in question are built in in Python; the two
> standard algorithms with public keys (i.e. RSA and ECDSA) are both
> built into OpenSSL.
What leads you to say that? ISTM Python has perfectly good support for
JWS/JWA's HS256 algorithm. In fact, here's an implementation that I
think would conform to the current JWS draft:
def sign(payload, key):
h = json.dumps({'alg': 'HS256'})
input = b64uencode(h) + '.' + b64uencode(json.dumps(payload))
sig = hmac.new(key, input, hashlib.sha256).digest()
return input + '.' + b64uencode(sig)
(b64u implementations elided; see
https://bitbucket.org/djc/persona-totp for the rest of the code.)
Cheers,
Dirkjan
More information about the Python-Dev
mailing list