    def verify_mac_and_decode(
            self, compact: str, validator: _jwt_validator.JwtValidator
    ) -> _verified_jwt.VerifiedJwt:
        """Verifies, validates and decodes a MACed compact JWT token.

        Every entry of the primitive set is tried in turn and the first one
        whose ``verify_mac_and_decode_with_kid`` call succeeds wins. A
        ``JwtInvalidError`` raised by any entry is remembered (the most recent
        one overwrites earlier ones) and re-raised if no entry succeeds, so the
        caller gets the more specific failure; any other ``TinkError`` from an
        entry just moves on to the next entry.

        Args:
          compact: A MACed token encoded in the JWS compact serialization format.
          validator: A JwtValidator that validates the token.

        Returns:
          A VerifiedJwt.
        Raises:
          tink.TinkError if the operation fails.
        """
        last_invalid_error = None
        for entry_group in self._primitive_set.all():
            for candidate in entry_group:
                try:
                    # get_kid itself may raise for an unsupported prefix type,
                    # so it lives inside the try like the verification call.
                    candidate_kid = _jwt_format.get_kid(
                        candidate.key_id, candidate.output_prefix_type)
                    verifier = candidate.primitive.verify_mac_and_decode_with_kid
                    return verifier(compact, validator, candidate_kid)
                except core.TinkError as err:
                    if isinstance(err, _jwt_error.JwtInvalidError):
                        last_invalid_error = err
        if last_invalid_error is not None:
            raise last_invalid_error
        raise core.TinkError('invalid MAC')
 def test_get_kid_invalid_input_fails(self):
     """get_kid rejects key ids outside the supported range and LEGACY prefixes."""
     rejected_inputs = (
         (123, tink_pb2.LEGACY),  # LEGACY output prefix is not supported
         (-1, tink_pb2.TINK),     # negative key id
         (2**33, tink_pb2.TINK),  # key id wider than 32 bits
     )
     for key_id, prefix_type in rejected_inputs:
         with self.assertRaises(_jwt_error.JwtInvalidError):
             _jwt_format.get_kid(key_id, prefix_type)
  def compute_mac_and_encode(self, raw_jwt: _raw_jwt.RawJwt) -> Text:
    """Computes a MAC and encodes the token.

    Only the primary entry of the primitive set is used for MAC computation;
    its key id and output prefix type determine the ``kid`` handed to the
    underlying primitive.

    Args:
      raw_jwt: The RawJwt token to be MACed and encoded.

    Returns:
      The MACed token encoded in the JWS compact serialization format.
    Raises:
      tink.TinkError if the operation fails.
    """
    primary_entry = self._primitive_set.primary()
    key_identifier = _jwt_format.get_kid(
        primary_entry.key_id, primary_entry.output_prefix_type)
    mac_and_encode = primary_entry.primitive.compute_mac_and_encode_with_kid
    return mac_and_encode(raw_jwt, key_identifier)
 def verify_and_decode(
         self, compact: str, validator: _jwt_validator.JwtValidator
 ) -> _verified_jwt.VerifiedJwt:
     """Verifies the signature of a compact JWT, validates it and decodes it.

     Each entry of the primitive set is tried in turn; the first entry whose
     ``verify_and_decode_with_kid`` call succeeds provides the result. A
     ``JwtInvalidError`` raised by any entry is remembered (later ones
     overwrite earlier ones) and re-raised when no entry succeeds; any other
     ``TinkError`` from an entry just moves on to the next entry.

     Args:
       compact: A signed token encoded in the JWS compact serialization format.
       validator: A JwtValidator that validates the token.

     Returns:
       A VerifiedJwt.
     Raises:
       tink.TinkError if no entry verifies the token.
     """
     last_invalid_error = None
     for entry_group in self._primitive_set.all():
         for candidate in entry_group:
             try:
                 # get_kid may itself raise for an unsupported prefix type,
                 # so it lives inside the try like the verification call.
                 candidate_kid = _jwt_format.get_kid(
                     candidate.key_id, candidate.output_prefix_type)
                 verifier = candidate.primitive.verify_and_decode_with_kid
                 return verifier(compact, validator, candidate_kid)
             except core.TinkError as err:
                 if isinstance(err, _jwt_error.JwtInvalidError):
                     last_invalid_error = err
     if last_invalid_error is not None:
         raise last_invalid_error
     raise core.TinkError('invalid signature')
def _convert_jwt_rsa_ssa_pss_key(
        key: tink_pb2.Keyset.Key) -> Dict[str, Union[str, List[str]]]:
    """Converts a JwtRsaSsaPssPublicKey into a JWK.

    Only the public modulus ``n`` and exponent ``e`` are emitted, and the JWK
    is marked for signature verification (``use: sig``, ``key_ops: [verify]``).
    The ``kid`` member is taken from the key id/prefix type when
    ``_jwt_format.get_kid`` yields one, otherwise from the key's ``custom_kid``
    field if present; it is omitted when neither applies.

    Args:
      key: A keyset entry whose key_data holds a serialized JwtRsaSsaPssPublicKey.

    Returns:
      The JWK as a dict.
    Raises:
      tink.TinkError if the key's algorithm is not in _RSA_SSA_PSS_PARAMS.
    """
    rsa_public_key = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssPublicKey.FromString(
        key.key_data.value)
    if rsa_public_key.algorithm not in _RSA_SSA_PSS_PARAMS:
        raise tink.TinkError('unknown RSA SSA PSS algorithm')
    jwk = dict(
        kty='RSA',
        n=_base64_encode(rsa_public_key.n),
        e=_base64_encode(rsa_public_key.e),
        use='sig',
        alg=_RSA_SSA_PSS_PARAMS[rsa_public_key.algorithm],
        key_ops=['verify'],
    )
    # A kid derived from the key id takes precedence over a custom kid.
    derived_kid = _jwt_format.get_kid(key.key_id, key.output_prefix_type)
    if derived_kid:
        jwk['kid'] = derived_kid
    elif rsa_public_key.HasField('custom_kid'):
        jwk['kid'] = rsa_public_key.custom_kid.value
    return jwk
def _convert_jwt_ecdsa_key(
        key: tink_pb2.Keyset.Key) -> Dict[str, Union[str, List[str]]]:
    """Converts a JwtEcdsaPublicKey into a JWK.

    Only the public point coordinates ``x`` and ``y`` are emitted, and the
    JWK is marked for signature verification (``use: sig``,
    ``key_ops: [verify]``). The ``kid`` member is taken from the key id/prefix
    type when ``_jwt_format.get_kid`` yields one, otherwise from the key's
    ``custom_kid`` field if present; it is omitted when neither applies.

    Args:
      key: A keyset entry whose key_data holds a serialized JwtEcdsaPublicKey.

    Returns:
      The JWK as a dict.
    Raises:
      tink.TinkError if the key's algorithm is not in _ECDSA_PARAMS.
    """
    ec_public_key = jwt_ecdsa_pb2.JwtEcdsaPublicKey.FromString(
        key.key_data.value)
    if ec_public_key.algorithm not in _ECDSA_PARAMS:
        raise tink.TinkError('unknown ecdsa algorithm')
    algorithm_name, curve_name = _ECDSA_PARAMS[ec_public_key.algorithm]
    jwk = dict(
        kty='EC',
        crv=curve_name,
        x=_base64_encode(ec_public_key.x),
        y=_base64_encode(ec_public_key.y),
        use='sig',
        alg=algorithm_name,
        key_ops=['verify'],
    )
    # A kid derived from the key id takes precedence over a custom kid.
    derived_kid = _jwt_format.get_kid(key.key_id, key.output_prefix_type)
    if derived_kid:
        jwk['kid'] = derived_kid
    elif ec_public_key.HasField('custom_kid'):
        jwk['kid'] = ec_public_key.custom_kid.value
    return jwk
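 def test_get_kid_success(self):
     """get_kid derives a kid for TINK keys, none for RAW, and rejects LEGACY."""
     key_id = 0x1ac6a944
     self.assertEqual(_jwt_format.get_kid(key_id, tink_pb2.TINK), 'GsapRA')
     # assertIsNone takes a single value; the second positional argument is
     # the failure message, so the previous trailing `None` was a no-op.
     self.assertIsNone(_jwt_format.get_kid(key_id, tink_pb2.RAW))
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.get_kid(key_id, tink_pb2.LEGACY)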
 def sign_and_encode(self, raw_jwt: _raw_jwt.RawJwt) -> str:
     """Signs ``raw_jwt`` with the primary key and returns the compact token.

     The primary entry's key id and output prefix type determine the ``kid``
     passed to the underlying primitive.

     Args:
       raw_jwt: The RawJwt token to be signed and encoded.

     Returns:
       The signed token in JWS compact serialization.
     """
     primary_entry = self._primitive_set.primary()
     key_identifier = _jwt_format.get_kid(
         primary_entry.key_id, primary_entry.output_prefix_type)
     signer = primary_entry.primitive.sign_and_encode_with_kid
     return signer(raw_jwt, key_identifier)