fix: support es256 raw format signature (#490)
The ES256 signature in an id_token is in raw format; however, the cryptography library's verification/signing only works with the ASN.1-encoded format. Therefore, in the verification/signing process, we need to convert between the ASN.1-encoded format and the raw format.
diff --git a/tests/crypt/test_es256.py b/tests/crypt/test_es256.py
index 087ce6e..5bb9050 100644
--- a/tests/crypt/test_es256.py
+++ b/tests/crypt/test_es256.py
@@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+import base64
import json
import os
@@ -72,6 +73,17 @@
bad_signature2 = b"a"
assert not verifier.verify(b"foo", bad_signature2)
+ def test_verify_failure_with_wrong_raw_signature(self):
+ to_sign = b"foo"
+
+ # This signature has a wrong "r" value in the "(r,s)" raw signature.
+ wrong_signature = base64.urlsafe_b64decode(
+ b"m7oaRxUDeYqjZ8qiMwo0PZLTMZWKJLFQREpqce1StMIa_yXQQ-C5WgeIRHW7OqlYSDL0XbUrj_uAw9i-QhfOJQ=="
+ )
+
+ verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES)
+ assert not verifier.verify(to_sign, wrong_signature)
+
def test_from_string_pub_key(self):
verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES)
assert isinstance(verifier, es256.ES256Verifier)
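Review bot: In test_verify_failure_with_wrong_raw_signature nothing pins the fixture as a well-formed 64-byte raw (r,s) value, so the test cannot tell a rejection by the ECDSA check from a rejection by an earlier length or decoding step (the verifier implementation is not visible in this hunk). Adding `assert len(wrong_signature) == 64` before the `verifier.verify` call would make the intended code path explicit. The fixture only corrupts r; a companion case with a corrupted s half would cover the other side of the raw-to-ASN.1 conversion. It would also be worth a test that states whether `verify` is meant to accept or reject an ASN.1/DER-encoded signature now that raw format is supported, since accepting two encodings of the same signature is a decision that should be documented rather than left implicit.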