Esempio n. 1
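    def from_jwt(self, txt, key=None, verify=True, keyjar=None, **kwargs):
        """
        Given a signed and/or encrypted JWT, verify its correctness and then
        create a class instance from the content.

        The JOSE header (first '.'-separated segment) picks the path: a token
        whose header has ``typ == "JWE"``, or carries both ``alg`` and
        ``enc``, is decrypted first. Anything that is not a JWE, or that
        does not decrypt to a JSON value, is treated as a JWS and unpacked.

        Note that ``verify`` only governs the JWS path: a JWE whose
        plaintext is a non-empty JSON value is accepted without any
        signature check.

        :param txt: The JWT in compact serialization
        :param key: keys that might be used to decrypt and/or verify the
            signature of the JWT. Defaults to the keyjar's verification keys
            for the unnamed owner, or to an empty dict when no keyjar is given
        :param verify: Whether the signature should be verified or not
        :param keyjar: Optional KeyJar used to look up decryption keys and,
            when verifying, the keys of the parties named in the token
            (``iss``, ``aud``, ``client_id``)
        :param kwargs: Accepted for interface compatibility; not used here
        :return: A class instance
        :raises: Whatever jwe.decrypt, jwkest.unpack and jws.verify raise on
            malformed input or on a signature that does not verify
        """
        if key is None and keyjar is not None:
            key = keyjar.get_verify_key(owner="")
        elif key is None:
            key = {}

        # Only the header is inspected here; it merely selects the path.
        header = json.loads(b64d(str(txt.split(".")[0])))
        htype = header.get("typ")

        jso = None
        if htype == "JWE" or ("alg" in header and "enc" in header):  # encrypted
            dkeys = keyjar.get_decrypt_key(owner="") if keyjar else {}
            txt = jwe.decrypt(txt, dkeys, "private")
            try:
                jso = json.loads(txt)
            except (TypeError, ValueError):
                # Plaintext is not JSON: assume it is a nested JWS and let
                # the signature path below handle it.
                jso = None

        # assume htype == 'JWS'
        if not jso:
            jso = jwkest.unpack(txt)[1]
            if isinstance(jso, basestring):
                jso = json.loads(jso)
            if verify:
                if keyjar:
                    # Make sure the keyjar holds keys for every party named
                    # in the token so jws.verify can find them.
                    for ent in ["iss", "aud", "client_id"]:
                        if ent not in jso:
                            continue
                        owners = jso[ent]
                        # "aud" may be a single string or a list of strings
                        # (RFC 7519 section 4.1.3); never iterate a string
                        # character by character.
                        if not isinstance(owners, list):
                            owners = [owners]
                        for owner in owners:
                            self._add_key(keyjar, owner, key)
                jws.verify(txt, key)

        return self.from_dict(jso)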
Esempio n. 2
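    def unpack_aggregated_claims(self, userinfo):
        """
        Resolve aggregated claims (OpenID Connect Core, section 5.6.2) in
        *userinfo*.

        For every claim source in ``userinfo._claim_sources`` that carries a
        ``JWT`` member, the JWT's signature is verified with the source's
        keys merged with the keyjar's default verification keys, and its
        claims are copied onto *userinfo*. A source not yet known to the
        keyjar is fetched via ``provider_config`` first.

        :param userinfo: A message object exposing ``_claim_sources`` and
            ``_claim_names`` and supporting item assignment
        :return: The same *userinfo* object, updated in place
        :raises ValueError: if the claims carried by a source's JWT are not
            exactly the ones ``_claim_names`` attributes to that source
        """
        if userinfo._claim_sources:
            for csrc, spec in userinfo._claim_sources.items():
                if "JWT" not in spec:
                    continue
                if csrc not in self.keyjar:
                    self.provider_config(csrc, endpoints=False)

                # Merge the source's keys with the default keys into a fresh
                # dict of fresh lists, so the keyjar's own key lists are not
                # extended in place on every call.
                keycol = {}
                for typ, keyl in self.keyjar.get_verify_key(owner=csrc).items():
                    keycol[typ] = list(keyl)
                for typ, keyl in self.keyjar.get_verify_key().items():
                    keycol.setdefault(typ, []).extend(keyl)

                info = json.loads(jws.verify(str(spec["JWT"]), keycol))

                # A source may only deliver the claims that _claim_names
                # attributes to it; anything else is rejected. Compared as
                # sets (key order is irrelevant) and with a real exception,
                # since a plain assert is stripped under -O.
                attr = [n for n, s in userinfo._claim_names.items() if s == csrc]
                if set(info.keys()) != set(attr):
                    raise ValueError(
                        "Claims delivered by %s do not match the claim names "
                        "attributed to it" % csrc)

                for name, vals in info.items():
                    userinfo[name] = vals

        return userinfo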
Esempio n. 3
                        help="File containing a public RSA key")
    parser.add_argument('-k', dest="hmac_key",
                        help="If using a HMAC algorithm this is the key")
    parser.add_argument('-x', dest="x509_file",
                        help="File containing a X509 certificate")
    parser.add_argument("message", nargs="?",
                        help="The message to verify signature on")


    args = parser.parse_args()

    keys = {}
    if args.rsa_file:
        keys = {"rsa": [rsa_load(args.rsa_file)]}
    elif args.hmac_key:
        keys = {"hmac": [args.hmac_key]}
    elif args.x509_file:
        keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]}
    elif args.rsa_pub_file:
        keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]}

    if args.message == "-":
        message = sys.stdin.read()
    else:
        message = args.message

    if keys:
        print verify(message, keys)
    else:
        print unpack(message)[1]
Esempio n. 4
                        dest="hmac_key",
                        help="If using a HMAC algorithm this is the key")
    parser.add_argument('-x',
                        dest="x509_file",
                        help="File containing a X509 certificate")
    parser.add_argument("message",
                        nargs="?",
                        help="The message to verify signature on")

    args = parser.parse_args()

    keys = {}
    if args.rsa_file:
        keys = {"rsa": [rsa_load(args.rsa_file)]}
    elif args.hmac_key:
        keys = {"hmac": [args.hmac_key]}
    elif args.x509_file:
        keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]}
    elif args.rsa_pub_file:
        keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]}

    if args.message == "-":
        message = sys.stdin.read()
    else:
        message = args.message

    if keys:
        print verify(message, keys)
    else:
        print unpack(message)[1]