def fetch_rsa_pub_key(header, **kw): ## if 'test' defined, use that value for the returned pub key (blech) ## extract the target machine from the header. if keytype is None and keyname is None: raise JWSException('Must specify either keytype or keyname') try: if 'pem' in header and header.get('pem', None): key = base64.urlsafe_b64decode(header.get('pem')).strip() bio = BIO.MemoryBuffer(key) pubbit = RSA.load_key_bio(bio).pub() pub = { 'n': int(pubbits[0].encode('hex'), 16), 'e': int(pubbits[1].encode('hex'), 16) } elif 'jku' in header and header.get('jku', None): key = header['jku'] if key.lower().startswith('data:'): pub = cjson.decode(key[key.index('base64,')+7:]) return pub """ pub = { 'n': key.get('modulus', None), 'e': key.get('exponent', None) } #""" # return pub except (AttributeError, KeyError), ex: logger.error("Internal RSA error: %s" % str(ex)) raise(JWSException("Could not extract key"))
def sign(self, payload, header = None, alg = None, **kw): if payload is None: raise (JWSException("Cannot encode empty payload")) header = self.header(alg = alg) if alg is None: alg = header.get('alg', 'NONE') try: signer = self._sign.get(alg[:2].upper()) except KeyError, ex: logger.error("Invalid JWS Sign method specified %s", str(ex)) raise(JWSException("Unsupported encoding method specified"))
def verify(self, jws, alg = None, **kw): if not jws: raise (JWSException("Cannot verify empty JWS")) try: (header_str, payload_str, signature) = jws.split('.') header = cjson.decode(base64.b64decode(header_str)) if alg is None: alg = header.get('alg', 'NONE') try: sigcheck = self._verify.get(alg[:2].upper()) except KeyError, ex: logger.error("Invalid JWS Sign method specified %s", str(ex)) raise(JWSException("Unsupported encoding method specified")) return sigcheck(alg, header, '%s.%s' % (header_str, payload_str), signature)
def check_cert(self, uid, cert_info, acceptible = None): address_info = None if 'id' not in cert_info: logger.error("No email address found in certificate") return (False, address_info) address_info = self.app.storage.get_address_info(uid, cert_info.get('id')) if address_info is None: logger.warn("No address info for certificate id %s, uid: %s " % (cert_info.get('id'), uid)) return (False, address_info) if acceptible is None: acceptible = ('verified') if address_info.get('state', None) not in acceptible: logger.warn("Email address is not in acceptible states %s.", acceptible) return (False, address_info) return (True, address_info)
def refresh_certificate(self, request, **kw): """ Refresh a given's certificate """ jws = JWS(config = self.app.config) error = None response = None (content_type, template) = self.get_template_from_request(request) uid = self.get_session_uid(request) pub_key = request.params.get('pubkey') if pub_key is None: logger.warn("Request missing pubkey argument") raise HTTPBadRequest() try: cert_info = jws.parse(request.params.get('certificate', None)) if cert_info is None: logger.error('Certificat information missing from request') raise HTTPBadRequest() except JWSException, ex: logger.error('Could not parse JWS object: %s ' % str(ex)) raise HTTPBadRequest()
def validate(self, request, **kw): """ Validate a user email token """ (content_type, tempate) = self.get_template_from_request(request) token = request.sync_info.get('validate', request.params.get('validate', None)) if token is None: logger.error('No validation token discovered in request') raise HTTPBadRequest() uid = self.get_uid(request, strict = False) if not uid: extra = {'validate': token} return self.login(request, extra) body = "" try: email = self.app.storage.check_validation(uid, token) except OIDStorageException, ex: logger.error('Could not check token for user %s, %s' % (uid, str(ex))) raise HTTPBadRequest()
try: (header_str, payload_str, signature) = jws.split('.') header = cjson.decode(base64.b64decode(header_str)) if alg is None: alg = header.get('alg', 'NONE') try: sigcheck = self._verify.get(alg[:2].upper()) except KeyError, ex: logger.error("Invalid JWS Sign method specified %s", str(ex)) raise(JWSException("Unsupported encoding method specified")) return sigcheck(alg, header, '%s.%s' % (header_str, payload_str), signature) except ValueError, ex: logger.error("JWS Verification error: %s", ex) raise(JWSException("JWS has invalid format")) def _sign_NONE(self, alg, header, sbs): """ No encryption has no encryption. duh. """ return None; def _get_sha(self, depth): depths = {'256': sha256, '384': sha384, '512': sha512} if depth not in depths: raise(JWSException('Invalid Depth specified for HS')) return depths.get(depth)
if token is None: logger.error('No validation token discovered in request') raise HTTPBadRequest() uid = self.get_uid(request, strict = False) if not uid: extra = {'validate': token} return self.login(request, extra) body = "" try: email = self.app.storage.check_validation(uid, token) except OIDStorageException, ex: logger.error('Could not check token for user %s, %s' % (uid, str(ex))) raise HTTPBadRequest() if not email: logger.error('No email associated with uid:%s and token:% ' % (uid, token)) raise HTTPBadRequest() template = get_template('validation_confirm') user = self.app.storage.get_user_info(uid) body = template.render(request = request, user = user, email = email, config = self.app.config) return Response(str(body), content_type = 'text/html') def verify_address(self, request, **kw): """ Verify a given address (unused?) """ if not self.is_internal(request): raise HTTPForbidden() ## Only logged in users can play