Commits

Daniel Holth committed 535c4b5

use jwk instead of key in signatures

Comments (0)

Files changed (7)

+0.14.0
+======
+- Changed the signature format to better comply with the current JWS spec.
+  Breaks all existing signatures.
+- Include ``wheel unsign`` command to remove RECORD.jws from an archive.
+- Put the description in the newly allowed payload section of PKG-INFO
+  (METADATA) files.
+
 0.13.0
 ======
 - Use distutils instead of sysconfig to get installation paths; can install
 
 The wheel project provides a `bdist_wheel` command for setuptools
 (requires distribute >= 0.6.28). Wheel files can be installed with a
-patched `pip`.
+patched `pip` from https://github.com/qwcode/pip
 
-*The pip patch is in flux. See http://wheel.rtfd.org/ for the details.*
+*The pip patch is in flux.*
 
 The wheel documentation is at http://wheel.rtfd.org/. The
 file format is documented in the draft PEP 427
         pip install wheel
 
         # Build a directory of wheels for pyramid and all its dependencies
-        pip install --wheel-dir=/tmp/wheelhouse pyramid
+        pip wheel --wheel-dir=/tmp/wheelhouse pyramid
         
         # Install from cached wheels
         pip install --use-wheel --no-index --find-links=/tmp/wheelhouse pyramid
 
 Wheel's builtin utility can be invoked directly from wheel's own wheel::
 
-    $ python wheel-0.13.0-py2.py3-none-any.whl/wheel -h
+    $ python wheel-0.14.0-py2.py3-none-any.whl/wheel -h
     usage: wheel [-h] {keygen,sign,verify,unpack,install,convert,help} ...
 
     positional arguments:
                             commands
         keygen              Generate signing key
         sign                Sign wheel
+        unsign              Remove signature from wheel
         verify              Verify signed wheel
         unpack              Unpack wheel
         install             Install wheels
 ------
 
 The wheel format is being documented as PEP 427 "The Wheel Binary Package
-Format 1.0" (http://www.python.org/dev/peps/pep-0427/).
+Format..." (http://www.python.org/dev/peps/pep-0427/).
 
 Slogans
 -------

entry_points.txt

-[console_scripts]
-wininst2wheel = wheel.wininst2wheel:main
-egg2wheel = wheel.egg2wheel:main
-wheel = wheel.__main__:main
-
-[distutils.commands]
-bdist_wheel = wheel.bdist_wheel:bdist_wheel
 requires-dist = 
     distribute >= 0.6.28
     markerlib
-    argparse; python_version < '2.7'
+    argparse; python_version == '2.6'
     keyring; extra == 'signatures'
     dirspec; sys.platform != 'win32' and extra == 'signatures'
     ed25519ll; extra == 'faster-signatures'
       include_package_data=True,
       zip_safe=False,
       test_suite = 'nose.collector',
-      entry_points = open(os.path.join(here, 'entry_points.txt')).read()
+      entry_points = """\
+[console_scripts]
+wininst2wheel = wheel.wininst2wheel:main
+egg2wheel = wheel.egg2wheel:main
+wheel = wheel.__main__:main
+
+[distutils.commands]
+bdist_wheel = wheel.bdist_wheel:bdist_wheel"""
       )
 

wheel/signatures/__init__.py

 
 ed25519ll = None
 
+ALG = "Ed25519"
+
 def get_ed25519ll():
     """Lazy import-and-test of ed25519 module"""
     global ed25519ll
     an Ed25519 keypair."""
     get_ed25519ll()
     #
-    header = {"typ": "JWT",
-              "alg": "Ed25519",
-              "key": {"alg": "Ed25519",
-                      "vk": native(urlsafe_b64encode(keypair.vk))}}
+    header = {
+                "alg": ALG,
+                "jwk": {
+                    "alg": ALG,
+                    "vk": native(urlsafe_b64encode(keypair.vk))
+                }
+             }
     
     encoded_header = urlsafe_b64encode(binary(json.dumps(header, sort_keys=True)))
     encoded_payload = urlsafe_b64encode(binary(json.dumps(payload, sort_keys=True)))
     signature = sig_msg[:ed25519ll.SIGNATUREBYTES]
     encoded_signature = urlsafe_b64encode(signature)
     
-    return {"headers": [native(encoded_header)],
-            "payload": native(encoded_payload),
-            "signatures": [native(encoded_signature)]}
+    return {"recipients": 
+            [{"header":native(encoded_header),
+             "signature":native(encoded_signature)}],
+            "payload": native(encoded_payload)}
+
+def assertTrue(condition, message=""):
+    if not condition:
+        raise ValueError(message)
     
 def verify(jwsjs):
     """Return (decoded headers, payload) if all signatures in jwsjs are
     
     Caller must decide whether the keys are actually trusted."""
     get_ed25519ll()    
-    # XXX forbid duplicate keys in JSON input using object_pairs_hook
-    encoded_headers = jwsjs["headers"]
+    # XXX forbid duplicate keys in JSON input using object_pairs_hook (2.7+)
+    recipients = jwsjs["recipients"]
     encoded_payload = binary(jwsjs["payload"])
-    encoded_signatures = jwsjs["signatures"]
     headers = []
-    for h, s in zip(encoded_headers, encoded_signatures):
-        h = binary(h)
-        s = binary(s)
+    for recipient in recipients:
+        assertTrue(len(recipient) == 2, "Unknown recipient key {0}".format(recipient))
+        h = binary(recipient["header"])
+        s = binary(recipient["signature"])
         header = json.loads(native(urlsafe_b64decode(h)))
-        assert header["alg"] == "Ed25519"
-        assert header["key"]["alg"] == "Ed25519"
-        vk = urlsafe_b64decode(binary(header["key"]["vk"]))
+        assertTrue(header["alg"] == ALG, 
+                "Unexpected algorithm {0}".format(header["alg"]))
+        assertTrue(header["jwk"]["alg"] == ALG, 
+                "Unexpected key algorithm {0}".format(header["jwk"]["alg"]))
+        vk = urlsafe_b64decode(binary(header["jwk"]["vk"]))
         secured_input = b".".join((h, encoded_payload))
         sig = urlsafe_b64decode(s)
         sig_msg = sig+secured_input
         verified_input = native(ed25519ll.crypto_sign_open(sig_msg, vk))
         verified_header, verified_payload = verified_input.split('.')
         verified_header = binary(verified_header)
-        decoded_payload = native(urlsafe_b64decode(verified_header))
-        headers.append(json.loads(decoded_payload))
+        decoded_header = native(urlsafe_b64decode(verified_header))
+        headers.append(json.loads(decoded_header))
 
     verified_payload = binary(verified_payload)
 
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.