Support JWK Set

jose/jws.py

@@ -205,6 +205,14 @@ def _load(jwt):
  return (header, payload, signing_input, signature)
 
 
+def _sig_matches_keys(keys, signing_input, signature, alg):
+ for key in keys:
+ key = jwk.construct(key, alg)
+ if key.verify(signing_input, signature):
+ return True
+ return False
+
+
 def _verify_signature(signing_input, header, signature, key='', algorithms=None):
 
  alg = header.get('alg')
@@ -214,12 +222,14 @@ def _verify_signature(signing_input, header, signature, key='', algorithms=None)
  if algorithms is not None and alg not in algorithms:
  raise JWSError('The specified alg value is not allowed')
 
- try:
- key = jwk.construct(key, alg)
+ if 'keys' in key: # JWK Set per RFC 7517
+ keys = key['keys']
+ else:
+ keys = [key]
 
- if not key.verify(signing_input, signature):
+ try:
+ if not _sig_matches_keys(keys, signing_input, signature, alg):
  raise JWSSignatureError()
-
  except JWSSignatureError:
  raise JWSError('Signature verification failed.')
  except JWSError: