authorÅsmund Ødegård <mandus@gmail.com>2013-10-11 00:01:10 +0200
committerÅsmund Ødegård <mandus@gmail.com>2013-10-11 00:01:10 +0200
commit6a842d5dca137aab0555b0bec0eaacb0e17c0bf8 (patch)
treeb131505f672a90563f7e25d0f4dc6d80799f0685
parent189220f50db1e045ea87c1e1072d986edc279b8b (diff)
master Adding argument for RS256, and splitting handling of HS and RS in verifying.
-rw-r--r--AUTHORS3
-rw-r--r--jwt/__init__.py12
2 files changed, 11 insertions, 4 deletions
diff --git a/AUTHORS b/AUTHORS
index d069086..69077c2 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -7,3 +7,6 @@ Patches and Suggestions
-----------------------
- FELD Boris <boris.feld@novapost.fr> <lothiraldan@gmail.com>
+
+ - Åsmund Ødegård <asmund@xal.no> <ao@mcash.no>
+ Adding support for RSA-SHA256 privat/public signature.
diff --git a/jwt/__init__.py b/jwt/__init__.py
index 7f010db..407ac8c 100644
--- a/jwt/__init__.py
+++ b/jwt/__init__.py
@@ -41,7 +41,7 @@ verify_methods = {
'HS256': lambda msg, key: hmac.new(key, msg, hashlib.sha256).digest(),
'HS384': lambda msg, key: hmac.new(key, msg, hashlib.sha384).digest(),
'HS512': lambda msg, key: hmac.new(key, msg, hashlib.sha512).digest(),
- 'RS256': lambda msg, key: PKCS1_v1_5.new(key).verify(SHA256.new(msg)),
+ 'RS256': lambda msg, key, sig: PKCS1_v1_5.new(key).verify(SHA256.new(msg), sig),
}
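Review bot: The `RS256` entry now takes three arguments and returns a boolean, while the `HS*` entries still take two and return a digest, so `verify_methods` no longer has a single calling convention and the caller must branch on the algorithm name to know how to call it. Giving every entry the same shape would keep the dispatch a single lookup, e.g. `'HS256': lambda msg, key, sig: constant_time_compare(sig, hmac.new(key, msg, hashlib.sha256).digest()),` and likewise for HS384 and HS512. A comment above the dict such as `# each entry: (msg, key, sig) -> True when the signature is valid` would record that contract.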
@@ -137,9 +137,13 @@ def decode(jwt, key='', verify=True, verify_expiration=True, leeway=0):
try:
if isinstance(key, unicode):
key = key.encode('utf-8')
- expected = verify_methods[header['alg']](signing_input, key)
- if not constant_time_compare(signature, expected):
- raise DecodeError("Signature verification failed")
+ if header['alg'].startswith('HS'):
+ expected = verify_methods[header['alg']](signing_input, key)
+ if not constant_time_compare(signature, expected):
+ raise DecodeError("Signature verification failed")
+ else:
+ if not verify_methods[header['alg']](signing_input, key, signature):
+ raise DecodeError("Signature verification failed")
except KeyError:
raise DecodeError("Algorithm not supported")
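Review bot: The HS/RS branch is selected by `header['alg']`, which is read from the token before any signature has been checked, so the token rather than the caller decides whether `key` is used as an HMAC secret or as an RSA public key. Now that two key families share the one `key` argument, `decode` should let the caller pin what it expects, for example a keyword argument listing the accepted algorithms and a guard ahead of the dispatch such as `if algorithms is not None and header['alg'] not in algorithms: raise DecodeError("Algorithm not allowed")`. Separately, `header['alg'].startswith('HS')` raises AttributeError when the header value is not a string, and the `except KeyError` below does not turn that into a DecodeError. The body of `decode` starts and ends outside this hunk, so whether the header is validated earlier cannot be seen here.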