Can't access JWS payload if signature is unverified

[smacz42]

Hello all,

I am trying to use a JWS to transfer unverified data between applications. My understanding is that an unsecured JWT is a JWS object where in the JOSE header the value of the alg element is set to none. In other words, an unsecured JWT is a JWS without a signature.

So the first thing I tried was creating a JWT without a signature:

        # Create a signed JWT with the keys and payload for the initial
        # connection to the wallet
        token = jwt.JWT(header={"alg": 'ES256K'},
                        claims=payload)
        #token.make_signed_token(app_client_key)

        # Send the token over the socket serialized
        sock.sendall(bytes(token.serialize() + "\n", 'utf-8'))

I got this response:

Traceback (most recent call last):                                                                                  
  File "/home/andrewcz/Projects/python_poc/./app_client.py", line 89, in <module>                                   
    main()                                                
  File "/home/andrewcz/Projects/python_poc/./app_client.py", line 77, in main                                       
    sock.sendall(bytes(token.serialize() + "\n", 'utf-8'))                                                          
  File "/usr/lib/python3.10/site-packages/jwcrypto/jwt.py", line 537, in serialize                                  
    return self.token.serialize(compact)                  
AttributeError: 'NoneType' object has no attribute 'serialize'                                                      

So, ok, it won't let me serialize without a signature, so let's sign it and send it over:

        # Create a signed JWT with the keys and payload for the initial
        # connection to the wallet
        token = jwt.JWT(header={"alg": 'ES256K'},
                        claims=payload)
        token.make_signed_token(app_client_key)
        #token.make_signed_token()

        # Send the token over the socket serialized
        sock.sendall(bytes(token.serialize() + "\n", 'utf-8'))

Cool, that works. Let's take a look at what's on the other side of the socket:

    self.data = self.rfile.readline().strip()
    payload_jws = jws.JWS()                               
    payload_jws.deserialize(raw_jws=self.data.decode('utf-8'))                                                           
    print(vars(payload_jws))                              
    print(payload_jws.payload)                                                                                      

That results in the following:

Traceback (most recent call last):
  File "/usr/lib/python3.10/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.10/socketserver.py", line 747, in __init__
    self.handle()
  File "/home/andrewcz/Projects/python_poc/./wallet_server.py", line 76, in handle
    response = get_jwt_response(self.data)
  File "/home/andrewcz/Projects/python_poc/./wallet_server.py", line 39, in get_jwt_response
    print(payload_jws.payload)
  File "/usr/lib/python3.10/site-packages/jwcrypto/jws.py", line 591, in payload
    raise InvalidJWSOperation("Payload not verified")
jwcrypto.jws.InvalidJWSOperation: Payload not verified

Of course the payload is not verified, this is just supposed to be a simple transfer of data, using JWT as a common format to use. I just don't know how to specify that I don't want it to be verified.

[simo5]

@smacz42 the API is purposefully built to prevent using it without signing and verification steps, so that it is hard to make errors that would be disastrous in security applications. The None algorithm is disabled by default, for example. And as you can see no payload is released without verification.

That said I can't possibly understand what is the point of constructing a JWT if you do not want to sign it. What properties are you looking at? What gain do you have from using this formatting if you do not use it for what it is intended to do?

[smacz42]

I am using it as a standardized way to pass information between two applications via a socket. However, I can just as well use json that's base64url-encoded rather than including a header and signature; which as you pointed out above doesn't make sense to have if I'm not making use of it.

[rayer456]

To get an unverified payload:

payload = jwstoken.objects.get("payload")

This isn't recommended for obvious reasons. In my case I needed the option to view any payload, verified or not.