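def from_jwt(self, txt, key=None, verify=True, keyjar=None, **kwargs):
    """
    Given a signed and/or encrypted JWT, verify its correctness and then
    create a class instance from the content.

    The JOSE header is inspected first: if ``typ`` is ``JWE`` or the header
    carries both ``alg`` and ``enc``, the token is decrypted with the
    keyjar's decryption keys.  The decrypted plaintext is used directly
    when it is JSON; otherwise it is treated as a nested JWS.  A plain JWS
    is unpacked and, when ``verify`` is true, its signature is checked.

    :param txt: The JWT in compact serialization
    :param key: keys that might be used to decrypt and/or verify the
        signature of the JWT.  When omitted, the keyjar's keys for owner
        ``""`` are used, or an empty key set if no keyjar is given either.
    :param verify: Whether the signature should be verified or not
    :param keyjar: Optional KeyJar supplying decryption keys and, when
        ``verify`` is set, the verification keys of the parties named in
        the token (``iss``, ``aud``, ``client_id``).
    :param kwargs: Accepted for interface compatibility; not used here.
    :return: A class instance built from the token's claims
    :raises: whatever ``jwe.decrypt``, ``jwkest.unpack`` or ``jws.verify``
        raise on malformed or unverifiable input; nothing is swallowed.

    .. note::
        The header fields and the ``iss``/``aud``/``client_id`` claims are
        read from the token *before* its signature is verified, and are
        used only to pick candidate keys out of ``keyjar``.  The signature
        check is what authenticates the token; a token from *any* issuer
        known to the keyjar verifies here, so callers must still confirm
        that ``iss``/``aud`` hold the values they expect after this method
        returns.
    """
    if key is None and keyjar is not None:
        key = keyjar.get_verify_key(owner="")
    elif key is None:
        key = {}

    # The JOSE header is unauthenticated input; it only decides which code
    # path (decrypt vs. unpack) is taken below.
    header = json.loads(b64d(str(txt.split(".")[0])))
    htype = header.get("typ")

    jso = None
    if htype == "JWE" or ("alg" in header and "enc" in header):
        # encrypted
        if keyjar:
            dkeys = keyjar.get_decrypt_key(owner="")
        else:
            dkeys = {}
        txt = jwe.decrypt(txt, dkeys, "private")
        try:
            jso = json.loads(txt)
        except Exception:
            # Plaintext is not JSON: assume it is a nested JWS and fall
            # through to the signature path below.
            pass

    # assume htype == 'JWS'
    if not jso:
        jso = jwkest.unpack(txt)[1]
        if isinstance(jso, basestring):
            jso = json.loads(jso)

        if verify:
            if keyjar:
                # Pull the verification keys of whichever parties the
                # (still unverified) payload names.  Only the signature
                # check below proves that claim was genuine.
                for ent in ["iss", "aud", "client_id"]:
                    if ent not in jso:
                        continue
                    if ent == "aud":
                        auds = jso[ent]
                        # ``aud`` may be a single string (RFC 7519 4.1.3);
                        # iterating a bare string would look up keys one
                        # character at a time.
                        if isinstance(auds, basestring):
                            auds = [auds]
                        for _e in auds:
                            self._add_key(keyjar, _e, key)
                    else:
                        self._add_key(keyjar, jso[ent], key)
            # NOTE(review): with neither keyjar nor key this verifies
            # against an empty key set; that is only safe if jws.verify
            # rejects unsigned ("alg": "none") tokens -- confirm.
            jws.verify(txt, key)

    return self.from_dict(jso)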
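def unpack_aggregated_claims(self, userinfo):
    """
    Resolve OpenID Connect *aggregated claims* into ``userinfo``.

    For every entry of ``userinfo._claim_sources`` that carries a ``JWT``,
    the JWT's signature is verified with the keys the keyjar holds for that
    claim source (fetching the source's provider configuration first if the
    source is not yet in the keyjar) and the claims it contains are copied
    into ``userinfo``.

    :param userinfo: The UserInfo response; must expose ``_claim_sources``
        (source name -> spec dict) and ``_claim_names`` (claim name ->
        source name) and support item assignment.
    :return: ``userinfo``, updated in place with the aggregated claims.
    :raises AssertionError: if the claims carried by a source's JWT are not
        exactly the ones ``_claim_names`` announces for that source.
        Signature failures propagate from ``jws.verify``.
    """
    if userinfo._claim_sources:
        for csrc, spec in userinfo._claim_sources.items():
            if "JWT" not in spec:
                continue

            if csrc not in self.keyjar:
                self.provider_config(csrc, endpoints=False)

            # Collect candidate verification keys into a fresh dict so the
            # lists handed back by the keyjar are never mutated in place.
            keycol = {}
            for typ, keyl in self.keyjar.get_verify_key(owner=csrc).items():
                keycol[typ] = list(keyl)
            # NOTE(review): the keys for owner "" are accepted as well, so a
            # JWT for csrc signed with a key of the default owner verifies
            # too -- confirm this is intended rather than restricting the
            # check to csrc's own keys.
            for typ, keyl in self.keyjar.get_verify_key().items():
                keycol.setdefault(typ, []).extend(keyl)

            info = json.loads(jws.verify(str(spec["JWT"]), keycol))

            # The source must return exactly the claims announced for it;
            # otherwise a claim source could inject or override claims
            # (e.g. ``sub``) it is not authoritative for.  Raised
            # explicitly rather than via ``assert`` so the check survives
            # ``python -O``, and compared as sets because dict key order
            # is arbitrary (the original list comparison could fail
            # spuriously).  AssertionError is kept for caller compatibility.
            announced = set(n for n, s in userinfo._claim_names.items()
                            if s == csrc)
            received = set(info.keys())
            if announced != received:
                raise AssertionError(
                    "Claims from %s (%s) do not match _claim_names (%s)"
                    % (csrc, sorted(received), sorted(announced)))

            for claim, vals in info.items():
                userinfo[claim] = vals

    return userinfo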
help="File containing a public RSA key") parser.add_argument('-k', dest="hmac_key", help="If using a HMAC algorithm this is the key") parser.add_argument('-x', dest="x509_file", help="File containing a X509 certificate") parser.add_argument("message", nargs="?", help="The message to verify signature on") args = parser.parse_args() keys = {} if args.rsa_file: keys = {"rsa": [rsa_load(args.rsa_file)]} elif args.hmac_key: keys = {"hmac": [args.hmac_key]} elif args.x509_file: keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]} elif args.rsa_pub_file: keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]} if args.message == "-": message = sys.stdin.read() else: message = args.message if keys: print verify(message, keys) else: print unpack(message)[1]
dest="hmac_key", help="If using a HMAC algorithm this is the key") parser.add_argument('-x', dest="x509_file", help="File containing a X509 certificate") parser.add_argument("message", nargs="?", help="The message to verify signature on") args = parser.parse_args() keys = {} if args.rsa_file: keys = {"rsa": [rsa_load(args.rsa_file)]} elif args.hmac_key: keys = {"hmac": [args.hmac_key]} elif args.x509_file: keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]} elif args.rsa_pub_file: keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]} if args.message == "-": message = sys.stdin.read() else: message = args.message if keys: print verify(message, keys) else: print unpack(message)[1]