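def validSignature(self, jwt):
        """Verify that *jwt* carries an RS512 signature made with a key from the
        configured keystore.

        Returns True only when the crypto provider confirms the signature.
        A header algorithm other than RS512, a missing/empty signature, or any
        exception raised while verifying all yield False (fail closed).
        """

        print "Passport-social. validSignature. Checking JWT token signature"
        valid = False

        # Pin the algorithm before touching the keystore: "none" and every
        # non-RS512 value are rejected without a verification call.  The None
        # guard keeps an unparsed header algorithm a plain False instead of an
        # AttributeError escaping to the caller (this check sits outside the
        # try block on purpose, so it must not raise).
        header = jwt.getHeader()
        sigAlgorithm = header.getAlgorithm()
        if sigAlgorithm is None or sigAlgorithm.getName() != "RS512":
            return False

        # An absent signature can never verify; reject it without a provider
        # round trip (same rule the Passport script applies).  str(None) is
        # "None", so a null signature is tested separately from an empty one.
        encodedSignature = jwt.getEncodedSignature()
        if encodedSignature is None or str(encodedSignature) == "":
            return False

        try:
            appConfiguration = AppConfiguration()
            appConfiguration.setWebKeysStorage(WebKeyStorage.KEYSTORE)
            appConfiguration.setKeyStoreFile(self.keyStoreFile)
            appConfiguration.setKeyStoreSecret(self.keyStorePassword)
            appConfiguration.setKeyRegenerationEnabled(False)

            cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration)
            # The key is selected by the header's kid from the local keystore;
            # the two None arguments are presumably the inputs that keystore
            # backed verification does not need -- confirm against the
            # provider's verifySignature signature.
            valid = cryptoProvider.verifySignature(jwt.getSigningInput(), encodedSignature,
                                                        header.getKeyId(), None, None, sigAlgorithm)
        except:
            # Best-effort: any keystore or provider failure leaves valid False.
            print "Exception: ", sys.exc_info()[1]

        print "Passport-social. validSignature. Validation result was %s" % valid
        return valid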
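    def validSignature(self, jwt):
        """Verify that *jwt* carries an RS512 signature made with a key from the
        configured keystore.

        The header algorithm is checked first: "none" in any letter case and
        every algorithm other than RS512 are refused before the keystore is
        opened, as is a missing or empty signature.  Returns True only when
        the crypto provider confirms the signature; every rejection and every
        exception yields False (fail closed).
        """

        print "Passport. validSignature. Checking JWT token signature"
        valid = False

        try:
            header = jwt.getHeader()
            alg_string = str(header.getAlgorithm())
            encoded_signature = jwt.getEncodedSignature()

            # A case-insensitive compare replaces the hand-written list of
            # "none"/"None"/"NoNe"/... spellings, which covered only seven of
            # the sixteen possible casings.  The RS512 check below would still
            # have caught the rest, but the intent is now explicit.
            if alg_string.lower() == "none":
                # blocks none attack
                print "WARNING: JWT Signature algorithm is none"
                valid = False

            elif alg_string != "RS512":
                # blocks anything that's not RS512
                print "WARNING: JWT Signature algorithm is NOT RS512"
                valid = False

            elif encoded_signature is None or str(encoded_signature) == "":
                # blocks a missing or empty signature.  str(None) is "None",
                # not "", so a null signature has to be tested on its own.
                print "WARNING: JWT Signature not sent"
                valid = False

            else:
                # Only a token that passed the header checks reaches the
                # keystore.
                appConfiguration = AppConfiguration()
                appConfiguration.setWebKeysStorage(WebKeyStorage.KEYSTORE)
                appConfiguration.setKeyStoreFile(self.keyStoreFile)
                appConfiguration.setKeyStoreSecret(self.keyStorePassword)
                appConfiguration.setKeyRegenerationEnabled(False)

                cryptoProvider = CryptoProviderFactory.getCryptoProvider(
                    appConfiguration)

                # class extends AbstractCryptoProvider
                # On version 4.2 .getAlgorithm() was renamed to
                # .getSignatureAlgorithm(); older versions pass
                # header.getAlgorithm() as the last argument instead.
                valid = cryptoProvider.verifySignature(
                    jwt.getSigningInput(), encoded_signature,
                    header.getKeyId(), None, None,
                    header.getSignatureAlgorithm())

        except:
            # Best-effort: any header, keystore or provider failure leaves
            # valid False.
            print "Exception: ", sys.exc_info()[1]

        print "Passport. validSignature. Validation result was %s" % valid

        return valid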
    def init(self, configurationAttributes, scriptName):
        """Initialise the script: read the keystore settings, build the
        crypto provider, load passport-config.json and the provider list.

        Returns True on success.  Returns False when passport-config has no
        key algorithm or key id, or when any step raises (the exception info
        is printed and swallowed).
        """

        print("Passport. init called from " + scriptName)

        self.telemetryClient = TelemetryClient()

        try:
            # Keystore location and secret come from the custom script's
            # configuration properties and are kept on self for later use.
            self.keyStoreFile = configurationAttributes.get("key_store_file").getValue2()
            self.keyStorePassword = configurationAttributes.get("key_store_password").getValue2()

            # Instantiate a Crypto Provider to verify token signatures.
            # setRejectJwtWithNoneAlg(True) asks the provider to refuse
            # alg=none tokens (going by the setter's name; the behaviour lives
            # on the Java side).
            cfg = AppConfiguration()
            cfg.setWebKeysStorage(WebKeyStorage.KEYSTORE)
            cfg.setKeyStoreFile(self.keyStoreFile)
            cfg.setKeyStoreSecret(self.keyStorePassword)
            cfg.setRejectJwtWithNoneAlg(True)
            cfg.setKeyRegenerationEnabled(False)
            self.cryptoProvider = CryptoProviderFactory.getCryptoProvider(cfg)

            # Load the passport config; keyAlg is tested first, keyId only if
            # keyAlg is present (any() short-circuits like the original chain).
            with open('/etc/gluu/conf/passport-config.json', 'r') as fh:
                self.passportConfig = json.load(fh)
                missing_key_info = any(
                    StringHelper.isEmpty(self.passportConfig[field])
                    for field in ("keyAlg", "keyId"))
                if missing_key_info:
                    print(
                        "Passport. init for %s. Failed to read key information from passport-config"
                        % scriptName)
                    return False

            # Load all provider configurations
            self.registeredProviders = self.parseProviders()

        except:
            # Best-effort: report the failure and fail closed instead of
            # letting the exception escape to the script host.
            print("Passport. init for %s. Initialization failed:" % scriptName)
            print(sys.exc_info())
            return False

        print("Passport. init for %s. Initialization success" % scriptName)
        return True