Cannot add_signature to JWS

[holyoaks]

I'm guessing this is something I'm doing wrong, but I can't figure out what it is. I'm trying to use an AWS KMS generated public key to sign a JWS, but I keep getting TypeError: object of type 'NoneType' has no len() when calling the add_signature method. I'm hoping someone can help me understand where I'm going wrong.

I create the KMS key using the create_key boto3 client method as follows:

key_response_dict = self.kms_client.create_key(
    Description=f"Asymmetric Key for {key_owner.value}: {entity_name}",
    KeyUsage="SIGN_VERIFY",
    KeySpec="ECC_NIST_P256",
)

When I later retrieve that key to sign the JWS, I do so as follows:

data = json.dumps(
    {
        "key1": "key_1_value",
        "exp": expiration_date.isoformat(),
    }
).encode("utf-8")
jws_token = jws.JWS(data)

aws_pk_response = self.kms_client.get_public_key(
    KeyId=public_key.key_id
)
aws_pk = serialization.load_der_public_key(data=aws_pk_response["PublicKey"])
pub_pem = aws_pk.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
pk = jwk.JWK.from_pem(pub_pem)

So far, so good. I have a valid JWS, successfully load the JWK from the pem file and everything looks as I expect. Unfortunately, the next step is where things break

jws_token.add_signature(
    key=pk,
    alg=None,
    protected=json_encode({"alg": "HS256"}),
    header=json_encode({"kid": pk.thumbprint()}),
)

The call stack is shown below:

 jws_token.add_signature(
    ~~~~~~~~~~~~~~~~~~~~~~~^
        key=pk,
        ^^^^^^^
    ...<2 lines>...
        header=json_encode({"kid": pk.thumbprint()}),  # type: ignore
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jws.py", line 545, in add_signature
    sig = c.sign()
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jws.py", line 152, in sign
    signature = self.engine.sign(self.key, sigin)
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jwa.py", line 116, in sign
    skey = base64url_decode(key.get_op_key('sign'))
                            ~~~~~~~~~~~~~~^^^^^^^^
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jwk.py", line 952, in get_op_key
    return self._get_private_key(arg)
           ~~~~~~~~~~~~~~~~~~~~~^^^^^
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jwk.py", line 917, in _get_private_key
    return self._ec_pri(arg)
           ~~~~~~~~~~~~^^^^^
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jwk.py", line 865, in _ec_pri
    k = self._ec_pri_n(curve).private_key(default_backend())
        ~~~~~~~~~~~~~~^^^^^^^
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jwk.py", line 852, in _ec_pri_n
    d = self._decode_int(self.get('d'))
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/jwk.py", line 815, in _decode_int
    return int(hexlify(base64url_decode(n)), 16)
                       ~~~~~~~~~~~~~~~~^^^
  File "/app/.venv/lib/python3.13/site-packages/jwcrypto/common.py", line 21, in base64url_decode
    size = len(payload) % 4
           ~~~^^^^^^^^^
TypeError: object of type 'NoneType' has no len()

Somehow there's a d value expected, but I don't know where that might come from. What am I missing here? Thanks in advance for your help.

[simo5]

You have a public key here, you can only verify signatures with a public key, not apply signatures, to apply a signature you need a private key.

[holyoaks]

Well that would be what I'm doing wrong then 🤦‍♂️ . Thanks!