signedshot 0.1.1__tar.gz → 0.1.3__tar.gz

{signedshot-0.1.1 → signedshot-0.1.3}/Cargo.lock

@@ -1331,7 +1331,7 @@ dependencies = [
 
 [[package]]
 name = "signedshot-validator"
-version = "0.1.1"
+version = "0.1.3"
 dependencies = [
  "anyhow",
  "base64",

{signedshot-0.1.1 → signedshot-0.1.3}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "signedshot-validator"
-version = "0.1.1"
+version = "0.1.3"
 edition = "2021"
 description = "Validator for SignedShot media authenticity proofs"
 license = "MIT"

{signedshot-0.1.1 → signedshot-0.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: signedshot
-Version: 0.1.1
+Version: 0.1.3
 Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{signedshot-0.1.1 → signedshot-0.1.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "signedshot"
-version = "0.1.1"
+version = "0.1.3"
 description = "Validator for SignedShot media authenticity proofs"
 readme = "README.md"
 license = { text = "MIT" }

{signedshot-0.1.1 → signedshot-0.1.3}/python/signedshot/__init__.py

@@ -3,7 +3,8 @@ from signedshot.signedshot import (
     ValidationResult,
     validate,
     validate_files,
+    validate_with_jwks,
 )
 
-__all__ = ["ValidationResult", "validate", "validate_files"]
-__version__ = "0.1.0"
+__all__ = ["ValidationResult", "validate", "validate_files", "validate_with_jwks"]
+__version__ = "0.1.3"

{signedshot-0.1.1 → signedshot-0.1.3}/python/signedshot/__init__.pyi

@@ -82,6 +82,33 @@ def validate(sidecar_json: str, media_bytes: bytes) -> ValidationResult:
     """
     ...
 
+def validate_with_jwks(
+    sidecar_json: str, media_bytes: bytes, jwks_json: str
+) -> ValidationResult:
+    """Validate a SignedShot sidecar against media content using pre-loaded JWKS.
+
+    Use this when you already have the JWKS available locally, avoiding HTTP fetch.
+    This is useful for API services that want to validate using their own keys.
+
+    Args:
+        sidecar_json: The sidecar JSON as a string
+        media_bytes: The media file content as bytes
+        jwks_json: The JWKS JSON as a string (from /.well-known/jwks.json)
+
+    Returns:
+        ValidationResult with detailed information about the validation
+
+    Raises:
+        ValueError: If the sidecar or JWKS cannot be parsed
+
+    Example:
+        >>> jwks_json = '{"keys": [...]}'
+        >>> result = validate_with_jwks(sidecar_json, media_bytes, jwks_json)
+        >>> if result.valid:
+        ...     print(f"Publisher: {result.capture_trust['publisher_id']}")
+    """
+    ...
+
 def validate_files(sidecar_path: str, media_path: str) -> ValidationResult:
     """Validate a SignedShot sidecar from file paths.
 

{signedshot-0.1.1 → signedshot-0.1.3}/src/jwt.rs

@@ -126,6 +126,14 @@ pub fn fetch_jwks(issuer: &str) -> Result<Jwks> {
         .map_err(|e| ValidationError::JwksFetchError(format!("Failed to parse JWKS: {}", e)))
 }
 
+/// Parse JWKS from a JSON string.
+///
+/// Useful when the JWKS is already available locally (e.g., from the API's own keys).
+pub fn parse_jwks_json(jwks_json: &str) -> Result<Jwks> {
+    serde_json::from_str(jwks_json)
+        .map_err(|e| ValidationError::JwksFetchError(format!("Failed to parse JWKS JSON: {}", e)))
+}
+
 pub fn verify_signature(token: &str, jwks: &Jwks, kid: &str) -> Result<()> {
     let jwk = jwks
         .keys

{signedshot-0.1.1 → signedshot-0.1.3}/src/python.rs

@@ -6,7 +6,9 @@
 use pyo3::prelude::*;
 use pyo3::types::PyDict;
 
-use crate::validate::{validate_from_bytes, ValidationResult as RustValidationResult};
+use crate::validate::{
+    validate_from_bytes, validate_from_bytes_with_jwks, ValidationResult as RustValidationResult,
+};
 
 /// Python-accessible validation result
 #[pyclass(name = "ValidationResult")]
@@ -150,6 +152,51 @@ fn validate(sidecar_json: &str, media_bytes: &[u8]) -> PyResult<PyValidationResu
         .map_err(|e| PyErr::new::<pyo3::exceptions::PyValueError, _>(e.to_string()))
 }
 
+/// Validate a SignedShot sidecar against media content using pre-loaded JWKS.
+///
+/// Use this when you already have the JWKS available locally, avoiding HTTP fetch.
+/// This is useful for API services that want to validate using their own keys.
+///
+/// Args:
+///     sidecar_json: The sidecar JSON as a string
+///     media_bytes: The media file content as bytes
+///     jwks_json: The JWKS JSON as a string (from /.well-known/jwks.json)
+///
+/// Returns:
+///     ValidationResult: The validation result with detailed information
+///
+/// Raises:
+///     ValueError: If the sidecar or JWKS cannot be parsed
+///
+/// Example:
+///     ```python
+///     import signedshot
+///
+///     # Get JWKS from your service's keys
+///     jwks_json = '{"keys": [...]}'
+///
+///     with open("photo.sidecar.json") as f:
+///         sidecar_json = f.read()
+///     with open("photo.jpg", "rb") as f:
+///         media_bytes = f.read()
+///
+///     result = signedshot.validate_with_jwks(sidecar_json, media_bytes, jwks_json)
+///     if result.valid:
+///         print(f"Valid! Publisher: {result.capture_trust['publisher_id']}")
+///     else:
+///         print(f"Invalid: {result.error}")
+///     ```
+#[pyfunction]
+fn validate_with_jwks(
+    sidecar_json: &str,
+    media_bytes: &[u8],
+    jwks_json: &str,
+) -> PyResult<PyValidationResult> {
+    validate_from_bytes_with_jwks(sidecar_json, media_bytes, jwks_json)
+        .map(PyValidationResult::from)
+        .map_err(|e| PyErr::new::<pyo3::exceptions::PyValueError, _>(e.to_string()))
+}
+
 /// Validate a SignedShot sidecar from file paths.
 ///
 /// Args:
@@ -220,6 +267,7 @@ fn validate_files(sidecar_path: &str, media_path: &str) -> PyResult<PyValidation
 fn signedshot(m: &Bound<'_, PyModule>) -> PyResult<()> {
     m.add_class::<PyValidationResult>()?;
     m.add_function(wrap_pyfunction!(validate, m)?)?;
+    m.add_function(wrap_pyfunction!(validate_with_jwks, m)?)?;
     m.add_function(wrap_pyfunction!(validate_files, m)?)?;
     Ok(())
 }

{signedshot-0.1.1 → signedshot-0.1.3}/src/validate.rs

@@ -9,7 +9,8 @@ use std::path::Path;
 use crate::error::{Result, ValidationError};
 use crate::integrity::{verify_capture_id_match, verify_signature as verify_media_signature};
 use crate::jwt::{
-    fetch_jwks, parse_jwt, verify_signature as verify_jwt_signature, CaptureTrustClaims,
+    fetch_jwks, parse_jwks_json, parse_jwt, verify_signature as verify_jwt_signature,
+    CaptureTrustClaims, Jwks,
 };
 use crate::sidecar::Sidecar;
 
@@ -105,7 +106,20 @@ pub fn validate(sidecar_path: &Path, media_path: &Path) -> Result<ValidationResu
 ///
 /// Useful when you have the content in memory rather than files.
 pub fn validate_from_bytes(sidecar_json: &str, media_bytes: &[u8]) -> Result<ValidationResult> {
-    validate_bytes_impl(sidecar_json, media_bytes)
+    validate_bytes_impl(sidecar_json, media_bytes, None)
+}
+
+/// Validate from sidecar JSON string and media bytes with pre-loaded JWKS.
+///
+/// Use this when you already have the JWKS available locally, avoiding HTTP fetch.
+/// This is useful for the API service that wants to validate using its own keys.
+pub fn validate_from_bytes_with_jwks(
+    sidecar_json: &str,
+    media_bytes: &[u8],
+    jwks_json: &str,
+) -> Result<ValidationResult> {
+    let jwks = parse_jwks_json(jwks_json)?;
+    validate_bytes_impl(sidecar_json, media_bytes, Some(jwks))
 }
 
 fn validate_impl(sidecar_path: &Path, media_path: &Path) -> Result<ValidationResult> {
@@ -115,17 +129,25 @@ fn validate_impl(sidecar_path: &Path, media_path: &Path) -> Result<ValidationRes
     // Read media file for hash verification
     let media_bytes = std::fs::read(media_path)?;
 
-    validate_sidecar_and_media(&sidecar, &media_bytes)
+    validate_sidecar_and_media(&sidecar, &media_bytes, None)
 }
 
-fn validate_bytes_impl(sidecar_json: &str, media_bytes: &[u8]) -> Result<ValidationResult> {
+fn validate_bytes_impl(
+    sidecar_json: &str,
+    media_bytes: &[u8],
+    jwks: Option<Jwks>,
+) -> Result<ValidationResult> {
     // Parse sidecar
     let sidecar = Sidecar::from_json(sidecar_json)?;
 
-    validate_sidecar_and_media(&sidecar, media_bytes)
+    validate_sidecar_and_media(&sidecar, media_bytes, jwks)
 }
 
-fn validate_sidecar_and_media(sidecar: &Sidecar, media_bytes: &[u8]) -> Result<ValidationResult> {
+fn validate_sidecar_and_media(
+    sidecar: &Sidecar,
+    media_bytes: &[u8],
+    jwks: Option<Jwks>,
+) -> Result<ValidationResult> {
     let integrity = sidecar.media_integrity();
 
     // Parse JWT (without signature verification yet)
@@ -139,8 +161,8 @@ fn validate_sidecar_and_media(sidecar: &Sidecar, media_bytes: &[u8]) -> Result<V
     let mut capture_id_match = false;
     let mut error_message: Option<String> = None;
 
-    // Fetch JWKS and verify JWT signature
-    match fetch_and_verify_jwt(sidecar.jwt(), &parsed.claims.iss, kid.as_deref()) {
+    // Verify JWT signature (using provided JWKS or fetching from issuer)
+    match verify_jwt_with_jwks(sidecar.jwt(), &parsed.claims.iss, kid.as_deref(), jwks) {
         Ok(()) => jwt_signature_valid = true,
         Err(e) => {
             error_message = Some(format!("JWT verification failed: {}", e));
@@ -198,11 +220,22 @@ fn validate_sidecar_and_media(sidecar: &Sidecar, media_bytes: &[u8]) -> Result<V
     })
 }
 
-fn fetch_and_verify_jwt(token: &str, issuer: &str, kid: Option<&str>) -> Result<()> {
+/// Verify JWT signature using provided JWKS or by fetching from issuer.
+fn verify_jwt_with_jwks(
+    token: &str,
+    issuer: &str,
+    kid: Option<&str>,
+    jwks: Option<Jwks>,
+) -> Result<()> {
     let kid =
         kid.ok_or_else(|| ValidationError::InvalidJwt("JWT missing kid in header".to_string()))?;
 
-    let jwks = fetch_jwks(issuer)?;
+    // Use provided JWKS or fetch from issuer
+    let jwks = match jwks {
+        Some(jwks) => jwks,
+        None => fetch_jwks(issuer)?,
+    };
+
     verify_jwt_signature(token, &jwks, kid)?;
 
     Ok(())