def verify(self, msg, sig, key): h = self.digest.new(msg) verifier = PKCS1_v1_5.new(key) try: if verifier.verify(h, sig): return True else: raise BadSignature() except ValueError as e: raise BadSignature(str(e))
def validate(self, jwt, iss, aud): parts = jwt.split('.') if len(parts) != 3: raise BadSignature('Invalid JWT. Only JWS supported.') header = json.loads(base64_urldecode(parts[0])) payload = json.loads(base64_urldecode(parts[1])) if iss != payload['iss']: raise JwtValidatorException("Invalid issuer %s, expected %s" % (payload['iss'], iss)) if payload["aud"]: if (isinstance(payload["aud"], str) and payload["aud"] != aud) or aud not in payload['aud']: raise JwtValidatorException( "Invalid audience %s, expected %s" % (payload['aud'], aud)) jws = JWS(alg=header['alg']) # Raises exception when signature is invalid try: jws.verify_compact(jwt, self.jwks) except Exception as e: print "Exception validating signature" raise JwtValidatorException(e) print "Successfully validated signature."
def verify(self, msg, sig, key): if sys.version < '3': if safe_str_cmp(self.sign(msg, key), sig): return True elif constant_time_compare(self.sign(msg, key), sig): return True raise BadSignature(repr(sig))
def validate(self, jwt, iss, aud): parts = jwt.split('.') if len(parts) != 3: raise BadSignature('Invalid JWT. Only JWS supported.') header = json.loads(base64_urldecode(parts[0])) payload = json.loads(base64_urldecode(parts[1])) # FIXME: Microsoft returns {tenantid} in issuer, we must replace _iss = iss if '{tenantid}' in _iss: if 'tid' in payload: _iss = _iss.replace('{tenantid}', payload['tid']) else: raise JwtValidatorException( "Tenant {tenantid} specified in issuer, but no tid in payload" ) if _iss != payload['iss']: raise JwtValidatorException("Invalid issuer %s, expected %s" % (payload['iss'], _iss)) if payload["aud"]: if (isinstance(payload["aud"], str) and payload["aud"] != aud) or aud not in payload['aud']: raise JwtValidatorException( "Invalid audience %s, expected %s" % (payload['aud'], aud)) jws = JWS(alg=header['alg']) # Raises exception when signature is invalid try: jws.verify_compact(jwt, self.jwks) except Exception as e: print "Exception validating signature" raise JwtValidatorException(e) print "Successfully validated signature."
def verify_compact(self, jws, keys=None): _header, _payload, _sig = jws.split(".") self.parse_header(_header) if "alg" in self: if self["alg"] == "none": self.msg = self._decode(_payload) return self.msg if keys: _keys = self._pick_keys(keys) else: _keys = self._pick_keys(self._get_keys()) verifier = SIGNER_ALGS[self["alg"]] for key in _keys: try: verifier.verify(_header + '.' + _payload, b64d(str(_sig)), key.get_key(private=False)) except BadSignature: pass else: self.msg = self._decode(_payload) return self.msg raise BadSignature()
def verify(self, msg, sig, key): h = self.digest.new(msg) verifier = PKCS1_v1_5.new(key) if verifier.verify(h, sig): return True else: raise BadSignature()
def verify_compact(self, jws, keys=None, allow_none=False, sigalg=None): """ Verify a JWT signature :param jws: :param keys: :param allow_none: If signature algorithm 'none' is allowed :param sigalg: Expected sigalg :return: """ jwt = JWSig().unpack(jws) self.jwt = jwt if "alg" in self and "alg" in jwt.headers: if self["alg"] != jwt.headers["alg"]: raise SignerAlgError("Wrong signing algorithm") if "alg" in jwt.headers: if jwt.headers["alg"].lower() == "none": if allow_none: self.msg = jwt.payload() return self.msg else: raise SignerAlgError("none not allowed") if sigalg and sigalg != jwt.headers["alg"]: raise SignerAlgError("Expected {} got {}".format( sigalg, jwt.headers["alg"])) self["alg"] = _alg = jwt.headers["alg"] if keys: _keys = self._pick_keys(keys) else: _keys = self._pick_keys(self._get_keys()) verifier = SIGNER_ALGS[_alg] if not _keys: if "kid" in self: raise NoSuitableSigningKeys( "No key for algorithm: %s with kid: %s" % (_alg, self["kid"])) else: raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg) for key in _keys: try: res = verifier.verify(jwt.sign_input(), jwt.signature(), key.get_key(alg=_alg, private=False)) except BadSignature: pass else: if res is True: logger.debug("Verified message using key with kid=%s" % key.kid) self.msg = jwt.payload() return self.msg raise BadSignature()
def verify(self, msg, sig, key): h = self.digest.new(msg) verifier = PKCS1_PSS.new(key) res = verifier.verify(h, sig) if not res: raise BadSignature() else: return True
def jwtValidate(self, token): """ jwt方式解析token :param token: 需要解析的token. :type field: str :returns: 解析成功返回None;解析失败返回错误信息. :rtype: object .. versionadded:: 1.0 """ parts = token.split('.') if len(parts) != 3: raise BadSignature('Invalid JWT. Only JWS supported.') header = json.loads(base64_urldecode(parts[0])) payload = json.loads(base64_urldecode(parts[1])) # 校验 issuer if self.expectedIssuer != payload['iss']: return "Invalid issuer %s, expected %s" % (payload['iss'], self.expectedIssuer) # 校验 client_id if payload["aud"]: if (isinstance(payload["aud"], str) and payload["aud"] != self.clientId) or self.clientId not in payload['aud']: return "Invalid audience %s, expected %s" % (payload['aud'], self.clientId) # 校验过期时间 if int(time.time()) >= int(payload['exp']): return "Token has expired" # 校验生效时间 if int(time.time()) <= int(payload['iat']): return "Token issued in the past" jws = JWS(alg=header['alg']) try: jws.verify_compact(token, self.jwks) return except Exception as e: # 第一次解析异常时,更新jwks信息重新解析 try: self.jwks = self.load_keys() jws.verify_compact(token, self.jwks) return except Exception as e: return 'Invalid token!'
def verify_compact(self, jws, keys=None): _header, _payload, _sig = jws.split(".") self.parse_header(_header) if "alg" in self: if self["alg"] == "none": self.msg = self._decode(_payload) return self.msg _alg = self["alg"] if keys: _keys = self._pick_keys(keys) else: _keys = self._pick_keys(self._get_keys()) verifier = SIGNER_ALGS[self["alg"]] if not _keys: if "kid" in self: raise NoSuitableSigningKeys( "No key for algorithm: %s with kid: %s" % (_alg, self["kid"])) else: raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg) for key in _keys: try: res = verifier.verify(_header + '.' + _payload, b64d(str(_sig)), key.get_key(alg=_alg, private=False)) except BadSignature: pass else: if res is True: logger.debug("Verified message using key with kid=%s" % key.kid) self.msg = self._decode(_payload) return self.msg raise BadSignature()
def verify_compact_verbose(self, jws, keys=None, allow_none=False, sigalg=None): """ Verify a JWT signature and return dict with validation results :param jws: :param keys: :param allow_none: If signature algorithm 'none' is allowed :param sigalg: Expected sigalg :return: """ jwt = JWSig().unpack(jws) if len(jwt) != 3: raise WrongNumberOfParts(len(jwt)) self.jwt = jwt try: _alg = jwt.headers["alg"] except KeyError: _alg = None else: if _alg is None or _alg.lower() == "none": if allow_none: self.msg = jwt.payload() return {'msg': self.msg} else: raise SignerAlgError("none not allowed") if "alg" in self and _alg: if self["alg"] != _alg: raise SignerAlgError("Wrong signing algorithm") if sigalg and sigalg != _alg: raise SignerAlgError("Expected {0} got {1}".format( sigalg, jwt.headers["alg"])) self["alg"] = _alg if keys: _keys = self.pick_keys(keys) else: _keys = self.pick_keys(self._get_keys()) if not _keys: if "kid" in self: raise NoSuitableSigningKeys("No key with kid: %s" % (self["kid"])) elif "kid" in self.jwt.headers: raise NoSuitableSigningKeys("No key with kid: %s" % (self.jwt.headers["kid"])) else: raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg) verifier = SIGNER_ALGS[_alg] for key in _keys: try: res = verifier.verify(jwt.sign_input(), jwt.signature(), key.get_key(alg=_alg, private=False)) except (BadSignature, IndexError): pass else: if res is True: logger.debug("Verified message using key with kid=%s" % key.kid) self.msg = jwt.payload() self.key = key return {'msg': self.msg, 'key': key} raise BadSignature()
def verify(self, msg, sig, key): h = bytes_to_long(self.digest.new(msg).digest()) if self._sign.verify(h, sig, key): return True else: raise BadSignature()
def verify(self, msg, sig, key): if not safe_str_cmp(self.sign(msg, key), sig): raise BadSignature(repr(sig)) return