Why can't I sign these claims with my JWK?

Question

I am writing this python code to create RSA private and public keys. Then create a JWK from the private key, then sign the claims with that JWK.

#!/usr/bin/env python

import time
from jose import jwk
from jose import jws
from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend as crypto_default_backend

key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048)
private_key = key.private_bytes(crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption())
public_key = key.public_key().public_bytes(crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH)
key = jwk.construct(private_key, 'RS256')
print 'key.to_dict() = {}'.format(key.to_dict())

claims = {
    'iss': 'https://e97b8a9d672e4ce4845ec6947cd66ef6-sb.baas.nintendo.com',
    'sub': 'fdfdc610f849726e',
    'aud': '20c875ad0d4bfc94',
    'iat': time.time() - 20,
    'exp': time.time() + 20,
    'jti': '807443d3-3b27-4bf9-8e3e-e3f90e1ea055',
    'typ': 'id_token'
}
print 'About to sign'
signed = jws.sign(claims, key, algorithm='RS256')

When I run it, it fails at the signing step:

key.to_dict() = {
    'e': 'AQAB', 
    'kty': 'RSA', 
    'alg': 'RS256', 
    'n': 'uJ1_BLAH_BLAH_BLAH_veQ', 
    'q': '8Sa_BLAH_BLAH_BLAH_-Hs', 
    'p': 'w_t_BLAH_BLAH_BLAH_p5s', 
    'qi': 'OGz_BLAH_BLAH_BLAH_91U', 
    'dq': 'D2n_BLAH_BLAH_BLAH_5FM', 
    'dp': 'pDi_BLAH_BLAH_BLAH_J2k', 
    'd': 'oV0_BLAH_BLAH_BLAH_VLQ'
}
About to sign
Traceback (most recent call last):
  File "./my_file.py", line 56, in <module>
    signed = jws.sign(claims, key, algorithm='RS256')
  File "my-virtual-env/lib/python2.7/site-packages/jose/jws.py", line 47, in sign
    signed_output = _sign_header_and_claims(encoded_header, encoded_payload, algorithm, key)
  File "my-virtual-env/lib/python2.7/site-packages/jose/jws.py", line 168, in _sign_header_and_claims
    raise JWSError(e)
jose.exceptions.JWSError: Unable to parse an RSA_JWK from key: <jose.backends.pycrypto_backend.RSAKey object at 0x101761190>

What is causing this error and how can I make this work??

Answer 1

Using RS256, you need to give the private key to jws.sign(), but not with the JWK format.

Therefore, just replace

signed = jws.sign(claims, key, algorithm='RS256')

by

signed = jws.sign(claims, private_key, algorithm='RS256')

And it will work correctly.

Finally, the whole source is:

#!/usr/bin/env python

import time
from jose import jws
from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend as crypto_default_backend

key = rsa.generate_private_key(backend=crypto_default_backend(), public_exponent=65537, key_size=2048)
private_key = key.private_bytes(crypto_serialization.Encoding.PEM, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption())

claims = {
        'iss': 'https://e97b8a9d672e4ce4845ec6947cd66ef6-sb.baas.nintendo.com',
        'sub': 'fdfdc610f849726e',
        'aud': '20c875ad0d4bfc94',
        'iat': time.time() - 20,
        'exp': time.time() + 20,
        'jti': '807443d3-3b27-4bf9-8e3e-e3f90e1ea055',
        'typ': 'id_token'
}

print 'About to sign'
signed = jws.sign(claims, private_key, algorithm='RS256')
print signed

The result is something like:

About to sign
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmZGZkYzYxMGY4NDk3MjZlIiwiaXNzIjoiaHR0cHM6Ly9lOTdiOGE5ZDY3MmU0Y2U0ODQ1ZWM2OTQ3Y2Q2NmVmNi1zYi5iYWFzLm5pbnRlbmRvLmNvbSIsImp0aSI6IjgwNzQ0M2QzLTNiMjctNGJmOS04ZTNlLWUzZjkwZTFlYTA1NSIsImV4cCI6MTU0NTkzNTQ1Mi4wMzAxMTUsImlhdCI6MTU0NTkzNTQxMi4wMzAxMTMsInR5cCI6ImlkX3Rva2VuIiwiYXVkIjoiMjBjODc1YWQwZDRiZmM5NCJ9.Qfmi607XTtq8bc4daJ-GxoYy1B761nRahWSok9ga0CB8dqbDXN0FhcM38dNj0LMFoi98hxB9o0EwY1mpBEMA3rNK9C6Bbg1hKhkYE5lRFXH5_lLk2tE6YrbK7p71S54hkTfEZgPGCvkv79HBjUo3PORv6bG-fdQp5UQo8ZMvd5lobmjbMna21JCBp1ITm3QSAPy4gdvfCyzxEziVyRcKwXU45ky3g7wFnyNxr9HtzX6yDJn1LlWdhChNR4uom05U5mbIDSChHAd52nWtzNb6dvdupIKCSR1XN_jF28y1Wu4aMbmVRXAn0X87Qok93KiHMoU_wydWuG5zl-ihqQ-1RA