def fetch_rsa_pub_key(header, **kw):
## if 'test' defined, use that value for the returned pub key (blech)
## extract the target machine from the header.
if keytype is None and keyname is None:
raise JWSException('Must specify either keytype or keyname')
try:
if 'pem' in header and header.get('pem', None):
key = base64.urlsafe_b64decode(header.get('pem')).strip()
bio = BIO.MemoryBuffer(key)
pubbit = RSA.load_key_bio(bio).pub()
pub = {
'n': int(pubbits[0].encode('hex'), 16),
'e': int(pubbits[1].encode('hex'), 16)
}
elif 'jku' in header and header.get('jku', None):
key = header['jku']
if key.lower().startswith('data:'):
pub = cjson.decode(key[key.index('base64,')+7:])
return pub
"""
pub = {
'n': key.get('modulus', None),
'e': key.get('exponent', None)
}
#"""
# return pub
except (AttributeError, KeyError), ex:
logger.error("Internal RSA error: %s" % str(ex))
raise(JWSException("Could not extract key"))
def sign(self, payload, header = None, alg = None, **kw):
if payload is None:
raise (JWSException("Cannot encode empty payload"))
header = self.header(alg = alg)
if alg is None:
alg = header.get('alg', 'NONE')
try:
signer = self._sign.get(alg[:2].upper())
except KeyError, ex:
logger.error("Invalid JWS Sign method specified %s", str(ex))
raise(JWSException("Unsupported encoding method specified"))
def verify(self, jws, alg = None, **kw):
if not jws:
raise (JWSException("Cannot verify empty JWS"))
try:
(header_str, payload_str, signature) = jws.split('.')
header = cjson.decode(base64.b64decode(header_str))
if alg is None:
alg = header.get('alg', 'NONE')
try:
sigcheck = self._verify.get(alg[:2].upper())
except KeyError, ex:
logger.error("Invalid JWS Sign method specified %s", str(ex))
raise(JWSException("Unsupported encoding method specified"))
return sigcheck(alg,
header,
'%s.%s' % (header_str, payload_str),
signature)
def check_cert(self, uid, cert_info, acceptible = None):
address_info = None
if 'id' not in cert_info:
logger.error("No email address found in certificate")
return (False, address_info)
address_info = self.app.storage.get_address_info(uid,
cert_info.get('id'))
if address_info is None:
logger.warn("No address info for certificate id %s, uid: %s " %
(cert_info.get('id'), uid))
return (False, address_info)
if acceptible is None:
acceptible = ('verified')
if address_info.get('state', None) not in acceptible:
logger.warn("Email address is not in acceptible states %s.",
acceptible)
return (False, address_info)
return (True, address_info)
def refresh_certificate(self, request, **kw):
""" Refresh a given's certificate """
jws = JWS(config = self.app.config)
error = None
response = None
(content_type, template) = self.get_template_from_request(request)
uid = self.get_session_uid(request)
pub_key = request.params.get('pubkey')
if pub_key is None:
logger.warn("Request missing pubkey argument")
raise HTTPBadRequest()
try:
cert_info = jws.parse(request.params.get('certificate', None))
if cert_info is None:
logger.error('Certificat information missing from request')
raise HTTPBadRequest()
except JWSException, ex:
logger.error('Could not parse JWS object: %s ' % str(ex))
raise HTTPBadRequest()
def validate(self, request, **kw):
""" Validate a user email token
"""
(content_type, tempate) = self.get_template_from_request(request)
token = request.sync_info.get('validate',
request.params.get('validate',
None))
if token is None:
logger.error('No validation token discovered in request')
raise HTTPBadRequest()
uid = self.get_uid(request, strict = False)
if not uid:
extra = {'validate': token}
return self.login(request, extra)
body = ""
try:
email = self.app.storage.check_validation(uid, token)
except OIDStorageException, ex:
logger.error('Could not check token for user %s, %s' %
(uid, str(ex)))
raise HTTPBadRequest()
try:
(header_str, payload_str, signature) = jws.split('.')
header = cjson.decode(base64.b64decode(header_str))
if alg is None:
alg = header.get('alg', 'NONE')
try:
sigcheck = self._verify.get(alg[:2].upper())
except KeyError, ex:
logger.error("Invalid JWS Sign method specified %s", str(ex))
raise(JWSException("Unsupported encoding method specified"))
return sigcheck(alg,
header,
'%s.%s' % (header_str, payload_str),
signature)
except ValueError, ex:
logger.error("JWS Verification error: %s", ex)
raise(JWSException("JWS has invalid format"))
def _sign_NONE(self, alg, header, sbs):
""" No encryption has no encryption.
duh.
"""
return None;
def _get_sha(self, depth):
depths = {'256': sha256,
'384': sha384,
'512': sha512}
if depth not in depths:
raise(JWSException('Invalid Depth specified for HS'))
return depths.get(depth)
if token is None:
logger.error('No validation token discovered in request')
raise HTTPBadRequest()
uid = self.get_uid(request, strict = False)
if not uid:
extra = {'validate': token}
return self.login(request, extra)
body = ""
try:
email = self.app.storage.check_validation(uid, token)
except OIDStorageException, ex:
logger.error('Could not check token for user %s, %s' %
(uid, str(ex)))
raise HTTPBadRequest()
if not email:
logger.error('No email associated with uid:%s and token:% ' %
(uid, token))
raise HTTPBadRequest()
template = get_template('validation_confirm')
user = self.app.storage.get_user_info(uid)
body = template.render(request = request,
user = user,
email = email,
config = self.app.config)
return Response(str(body), content_type = 'text/html')
def verify_address(self, request, **kw):
""" Verify a given address (unused?)
"""
if not self.is_internal(request):
raise HTTPForbidden()
## Only logged in users can play
