author | Thomas Grenfell Smith <thomathom@gmail.com> | 2014-04-29 12:33:44 -0400 |
---|---|---|
committer | Thomas Grenfell Smith <thomathom@gmail.com> | 2014-04-29 12:33:44 -0400 |
commit | e73045dbddbd5e1650520a8656efd20ff6dda8be (patch) | |
tree | b2d79044f03c547d10f6f7cf3c69f18031578994 | |
parent | 0ee3ee579bd2a008d3b3a137e776a25661f2365c (diff) | |
Allow algorithm names to be upper- or lower-case
The standard doesn't seem to specify whether algorithm names must be
capitalized or lower-case. I had an issue with spurious failures due to
a lower-case algorithm name ("hs256"), so here is a patch that converts
the incoming name to capital letters before looking it up in the
algorithm dictionary.
-rw-r--r-- | jwt/__init__.py | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/jwt/__init__.py b/jwt/__init__.py index fd38bd1..a68055d 100644 --- a/jwt/__init__.py +++ b/jwt/__init__.py @@ -220,13 +220,14 @@ def load(jwt): def verify_signature(payload, signing_input, header, signature, key='', verify_expiration=True, leeway=0): try: - key = prepare_key_methods[header['alg']](key) - if header['alg'].startswith('HS'): - expected = verify_methods[header['alg']](signing_input, key) + algorithm = header['alg'].upper() + key = prepare_key_methods[algorithm](key) + if algorithm.startswith('HS'): + expected = verify_methods[algorithm](signing_input, key) if not constant_time_compare(signature, expected): raise DecodeError("Signature verification failed") else: - if not verify_methods[header['alg']](signing_input, key, signature): + if not verify_methods[algorithm](signing_input, key, signature): raise DecodeError("Signature verification failed") except KeyError: raise DecodeError("Algorithm not supported") |
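Review bot: `header['alg'].upper()` on the first added line runs on a value taken from the token header before any type check, so a token whose `alg` is not a string (a number or `null`, for example) now raises `AttributeError`, which the `except KeyError` at the end of the hunk does not convert into `DecodeError`. Rejecting non-string values before the `.upper()` call, or at minimum widening the handler to `except (KeyError, AttributeError):`, keeps malformed tokens on the `DecodeError` path. `str.upper()` on a text string also applies Unicode case mapping, so more than plain ASCII lower-case spellings can normalize to a supported name; JWS defines `alg` as a case-sensitive string, so an exact match or an ASCII-only fold is the narrower choice, and any caller-side algorithm check has to compare against the same normalized value. The algorithm is still selected by the token header rather than by the caller, which this change leaves as it was.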