コード例 #1
ファイル: jws.py プロジェクト: lxp20201/lxp
 def verify(self, msg, sig, key):
     """Check a PKCS#1 v1.5 signature over ``msg``.

     :param msg: the signed bytes (the JWS signing input)
     :param sig: the signature to check
     :param key: the key object handed to ``PKCS1_v1_5.new``
     :return: ``True`` when the signature verifies
     :raises BadSignature: when verification fails, or when the underlying
         verifier raises ``ValueError`` (its message is passed through)
     """
     digest = self.digest.new(msg)
     verifier = PKCS1_v1_5.new(key)
     try:
         verified = verifier.verify(digest, sig)
     except ValueError as exc:
         raise BadSignature(str(exc))
     if verified:
         return True
     raise BadSignature()
コード例 #2
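    def validate(self, jwt, iss, aud):
        """Validate a compact JWS and check its ``iss`` and ``aud`` claims.

        The token must have exactly three dot-separated parts.  Header and
        payload are decoded first so that issuer and audience mismatches are
        reported before the signature is checked; the signature itself is
        verified by ``JWS.verify_compact`` against ``self.jwks``.

        :param jwt: the compact-serialised token
        :param iss: the issuer the ``iss`` claim must equal
        :param aud: the audience that must appear in the ``aud`` claim
        :raises BadSignature: if the token is not a three-part JWS
        :raises JwtValidatorException: on an issuer or audience mismatch, or
            when signature verification raises

        NOTE(review): a token without an ``aud`` claim passes the audience
        check (as before); tighten this if every token is expected to carry
        one.  Token lifetime (``exp``/``nbf``) is not checked here.
        NOTE(review): the ``alg`` used to build the verifier is read from the
        token's own, not yet verified, header; ``JWS.verify_compact`` must
        therefore reject unexpected algorithms (in particular ``none``).
        """
        parts = jwt.split('.')
        if len(parts) != 3:
            raise BadSignature('Invalid JWT. Only JWS supported.')
        header = json.loads(base64_urldecode(parts[0]))
        payload = json.loads(base64_urldecode(parts[1]))

        # A missing ``iss`` is reported as a mismatch rather than a KeyError.
        issuer = payload.get('iss')
        if issuer != iss:
            raise JwtValidatorException("Invalid issuer %s, expected %s" %
                                        (issuer, iss))

        # ``aud`` may be a single string or a list of strings (RFC 7519
        # section 4.1.3).  A bare string is compared for equality, never by
        # substring: the previous isinstance(..., str) test missed Python 2
        # unicode strings returned by json.loads and fell through to ``in``,
        # which accepted any audience that merely contained ``aud``.
        audience = payload.get('aud')
        if audience:
            if isinstance(audience, (list, tuple)):
                audience_ok = aud in audience
            else:
                audience_ok = audience == aud
            if not audience_ok:
                raise JwtValidatorException(
                    "Invalid audience %s, expected %s" % (audience, aud))

        jws = JWS(alg=header['alg'])
        # verify_compact raises when the signature is invalid
        try:
            jws.verify_compact(jwt, self.jwks)
        except Exception as e:
            print("Exception validating signature")
            raise JwtValidatorException(e)
        print("Successfully validated signature.")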
コード例 #3
ファイル: jws.py プロジェクト: lxp20201/lxp
 def verify(self, msg, sig, key):
     """Check ``sig`` by recomputing it with ``self.sign`` and comparing.

     The comparison goes through the constant-time helper available for
     the running interpreter (``safe_str_cmp`` on Python 2,
     ``constant_time_compare`` otherwise).

     :param msg: the signed bytes (the JWS signing input)
     :param sig: the signature to check
     :param key: the key handed to ``self.sign``
     :return: ``True`` when ``sig`` matches the recomputed signature
     :raises BadSignature: when it does not (``repr(sig)`` is the message)
     """
     expected = self.sign(msg, key)
     if sys.version < '3':
         matched = safe_str_cmp(expected, sig)
     else:
         matched = constant_time_compare(expected, sig)
     if matched:
         return True
     raise BadSignature(repr(sig))
コード例 #4
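    def validate(self, jwt, iss, aud):
        """Validate a compact JWS and check its ``iss`` and ``aud`` claims.

        The token must have exactly three dot-separated parts.  Header and
        payload are decoded first so that issuer and audience mismatches are
        reported before the signature is checked; the signature itself is
        verified by ``JWS.verify_compact`` against ``self.jwks``.

        :param jwt: the compact-serialised token
        :param iss: the issuer the ``iss`` claim must equal; a literal
            ``{tenantid}`` in it is replaced by the payload's ``tid`` claim
        :param aud: the audience that must appear in the ``aud`` claim
        :raises BadSignature: if the token is not a three-part JWS
        :raises JwtValidatorException: when ``{tenantid}`` cannot be
            resolved, on an issuer or audience mismatch, or when signature
            verification raises

        NOTE(review): a token without an ``aud`` claim passes the audience
        check (as before); tighten this if every token is expected to carry
        one.  Token lifetime (``exp``/``nbf``) is not checked here.
        NOTE(review): the ``alg`` used to build the verifier is read from the
        token's own, not yet verified, header; ``JWS.verify_compact`` must
        therefore reject unexpected algorithms (in particular ``none``).
        """
        parts = jwt.split('.')
        if len(parts) != 3:
            raise BadSignature('Invalid JWT. Only JWS supported.')
        header = json.loads(base64_urldecode(parts[0]))
        payload = json.loads(base64_urldecode(parts[1]))

        # FIXME: Microsoft returns {tenantid} in issuer, we must replace
        # NOTE(review): the substitution takes ``tid`` from the token's own
        # (not yet verified) payload, so any tenant whose token validates
        # against self.jwks satisfies the issuer check; restrict tenants
        # elsewhere if that matters.
        _iss = iss
        if '{tenantid}' in _iss:
            if 'tid' not in payload:
                raise JwtValidatorException(
                    "Tenant {tenantid} specified in issuer, but no tid in payload"
                )
            _iss = _iss.replace('{tenantid}', payload['tid'])

        # A missing ``iss`` is reported as a mismatch rather than a KeyError.
        issuer = payload.get('iss')
        if issuer != _iss:
            raise JwtValidatorException("Invalid issuer %s, expected %s" %
                                        (issuer, _iss))

        # ``aud`` may be a single string or a list of strings (RFC 7519
        # section 4.1.3).  A bare string is compared for equality, never by
        # substring: the previous isinstance(..., str) test missed Python 2
        # unicode strings returned by json.loads and fell through to ``in``,
        # which accepted any audience that merely contained ``aud``.
        audience = payload.get('aud')
        if audience:
            if isinstance(audience, (list, tuple)):
                audience_ok = aud in audience
            else:
                audience_ok = audience == aud
            if not audience_ok:
                raise JwtValidatorException(
                    "Invalid audience %s, expected %s" % (audience, aud))

        jws = JWS(alg=header['alg'])
        # verify_compact raises when the signature is invalid
        try:
            jws.verify_compact(jwt, self.jwks)
        except Exception as e:
            print("Exception validating signature")
            raise JwtValidatorException(e)
        print("Successfully validated signature.")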
コード例 #5
ファイル: jws.py プロジェクト: dv10den/pyjwkest
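    def verify_compact(self, jws, keys=None, allow_none=False):
        """Verify a compact-serialised JWS and return its decoded payload.

        :param jws: the compact serialisation ``header.payload.signature``
        :param keys: candidate keys; when empty/None ``self._get_keys()`` is
            used.  Either set is narrowed by ``self._pick_keys``.
        :param allow_none: accept the unsigned ``alg: none`` form.  Off by
            default: otherwise a token whose header merely says ``none`` was
            returned without any signature check at all.
        :return: the decoded payload, also stored in ``self.msg``
        :raises BadSignature: ``alg`` is ``none`` and ``allow_none`` is
            false, or no candidate key verifies the signature
        :raises ValueError: ``jws`` does not have exactly three parts
        """
        _header, _payload, _sig = jws.split(".")

        self.parse_header(_header)

        if "alg" in self and self["alg"] == "none":
            if not allow_none:
                raise BadSignature("alg 'none' is not allowed")
            self.msg = self._decode(_payload)
            return self.msg

        if keys:
            _keys = self._pick_keys(keys)
        else:
            _keys = self._pick_keys(self._get_keys())

        # The algorithm is whatever the (unverified) header declared; the
        # keys picked above are expected to match it.
        verifier = SIGNER_ALGS[self["alg"]]

        signing_input = _header + '.' + _payload
        raw_sig = b64d(str(_sig))
        for key in _keys:
            try:
                verifier.verify(signing_input, raw_sig,
                                key.get_key(private=False))
            except BadSignature:
                continue
            self.msg = self._decode(_payload)
            return self.msg

        raise BadSignature()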
コード例 #6
ファイル: jws.py プロジェクト: reedobrien/pyjwkest
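 def verify(self, msg, sig, key):
     """Check a PKCS#1 v1.5 signature over ``msg``.

     :param msg: the signed bytes (the JWS signing input)
     :param sig: the signature to check
     :param key: the key object handed to ``PKCS1_v1_5.new``
     :return: ``True`` when the signature verifies
     :raises BadSignature: when verification fails, or when the verifier
         itself raises ``ValueError``.  Mapping the latter matters because
         ``verify_compact`` only catches ``BadSignature`` while trying keys
         in turn; any other exception aborts the loop.
     """
     h = self.digest.new(msg)
     verifier = PKCS1_v1_5.new(key)
     try:
         verified = verifier.verify(h, sig)
     except ValueError as exc:
         raise BadSignature(str(exc))
     if not verified:
         raise BadSignature()
     return True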
コード例 #7
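    def verify_compact(self, jws, keys=None, allow_none=False, sigalg=None):
        """
        Verify a JWT signature

        :param jws: compact-serialised JWS (``header.payload.signature``)
        :param keys: candidate keys; ``self._get_keys()`` when empty/None.
            Either set is narrowed by ``self._pick_keys``.
        :param allow_none: If signature algorithm 'none' is allowed
        :param sigalg: Expected sigalg; when given, the header's ``alg``
            must equal it
        :return: the verified payload, also stored in ``self.msg``
        :raises SignerAlgError: the ``alg`` header is missing, disagrees
            with ``self["alg"]`` or ``sigalg``, or is ``none`` while
            ``allow_none`` is false
        :raises NoSuitableSigningKeys: no candidate key fits the algorithm
        :raises BadSignature: no candidate key verifies the signature
        """
        jwt = JWSig().unpack(jws)
        self.jwt = jwt

        # Without an ``alg`` header there is nothing to verify with; raise
        # the domain error here instead of a bare KeyError further down.
        try:
            _alg = jwt.headers["alg"]
        except KeyError:
            raise SignerAlgError("Missing 'alg' header")

        if "alg" in self and self["alg"] != _alg:
            raise SignerAlgError("Wrong signing algorithm")

        # A JSON null is treated like the string "none".
        if _alg is None or _alg.lower() == "none":
            if allow_none:
                self.msg = jwt.payload()
                return self.msg
            raise SignerAlgError("none not allowed")

        if sigalg and sigalg != _alg:
            raise SignerAlgError("Expected {} got {}".format(sigalg, _alg))

        self["alg"] = _alg

        if keys:
            _keys = self._pick_keys(keys)
        else:
            _keys = self._pick_keys(self._get_keys())

        verifier = SIGNER_ALGS[_alg]

        if not _keys:
            if "kid" in self:
                raise NoSuitableSigningKeys(
                    "No key for algorithm: %s with kid: %s" %
                    (_alg, self["kid"]))
            raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg)

        for key in _keys:
            try:
                res = verifier.verify(jwt.sign_input(), jwt.signature(),
                                      key.get_key(alg=_alg, private=False))
            except BadSignature:
                continue
            # Only an explicit True counts; a truthy non-bool does not.
            if res is True:
                logger.debug("Verified message using key with kid=%s", key.kid)
                self.msg = jwt.payload()
                return self.msg

        raise BadSignature()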
コード例 #8
ファイル: jws.py プロジェクト: lxp20201/lxp
 def verify(self, msg, sig, key):
     """Check a PKCS#1 PSS signature over ``msg``.

     :param msg: the signed bytes (the JWS signing input)
     :param sig: the signature to check
     :param key: the key object handed to ``PKCS1_PSS.new``
     :return: ``True`` when the signature verifies
     :raises BadSignature: when it does not
     """
     digest = self.digest.new(msg)
     verifier = PKCS1_PSS.new(key)
     if not verifier.verify(digest, sig):
         raise BadSignature()
     return True
コード例 #9
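    def jwtValidate(self, token):
        """Parse and validate a JWT (compact JWS) token.

        Checks, in order: the three-part shape, the ``iss`` claim against
        ``self.expectedIssuer``, the ``aud`` claim against ``self.clientId``,
        the ``exp`` and ``iat`` claims against the current time, and finally
        the signature via ``JWS.verify_compact`` with ``self.jwks``.  When
        the first signature check fails the key set is refreshed once with
        ``self.load_keys()`` and the check is retried.

        :param token: the token to parse
        :type token: str
        :returns: ``None`` on success; an error message on failure
        :rtype: str | None
        :raises BadSignature: if the token is not a three-part JWS

        NOTE(review): the ``alg`` used to build the verifier is read from
        the token's own, not yet verified, header; ``JWS.verify_compact``
        must therefore reject unexpected algorithms (in particular ``none``).

        .. versionadded:: 1.0
        """
        parts = token.split('.')
        if len(parts) != 3:
            raise BadSignature('Invalid JWT. Only JWS supported.')
        header = json.loads(base64_urldecode(parts[0]))
        payload = json.loads(base64_urldecode(parts[1]))

        # issuer (a missing claim is reported as a mismatch, not a KeyError)
        issuer = payload.get('iss')
        if self.expectedIssuer != issuer:
            return "Invalid issuer %s, expected %s" % (issuer,
                                                       self.expectedIssuer)

        # client_id: ``aud`` may be a single string (compared for equality,
        # never by substring) or a list (membership).  A token without an
        # ``aud`` claim passes this check, as before.
        audience = payload.get('aud')
        if audience:
            if isinstance(audience, (list, tuple)):
                audience_ok = self.clientId in audience
            else:
                audience_ok = audience == self.clientId
            if not audience_ok:
                return "Invalid audience %s, expected %s" % (audience,
                                                             self.clientId)

        # lifetime: one clock reading serves both comparisons
        now = int(time.time())
        if 'exp' not in payload:
            return "Token has no exp claim"
        if now >= int(payload['exp']):
            return "Token has expired"
        if 'iat' not in payload:
            return "Token has no iat claim"
        # Strictly greater: a token issued in the current second is valid.
        if now < int(payload['iat']):
            return "Token issued in the future"

        jws = JWS(alg=header['alg'])
        try:
            jws.verify_compact(token, self.jwks)
            return None
        except Exception:
            # First failure: the keys may have rotated, so refresh the key
            # set and retry once below.
            pass
        try:
            self.jwks = self.load_keys()
            jws.verify_compact(token, self.jwks)
        except Exception:
            return 'Invalid token!'
        return None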
コード例 #10
ファイル: jws.py プロジェクト: reedobrien/pyjwkest
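    def verify_compact(self, jws, keys=None, allow_none=False):
        """Verify a compact-serialised JWS and return its decoded payload.

        :param jws: the compact serialisation ``header.payload.signature``
        :param keys: candidate keys; when empty/None ``self._get_keys()`` is
            used.  Either set is narrowed by ``self._pick_keys``.
        :param allow_none: accept the unsigned ``alg: none`` form.  Off by
            default: otherwise a token whose header merely says ``none`` was
            returned without any signature check at all.
        :return: the decoded payload, also stored in ``self.msg``
        :raises BadSignature: ``alg`` is ``none`` and ``allow_none`` is
            false, or no candidate key verifies the signature
        :raises NoSuitableSigningKeys: no candidate key fits the algorithm
            (and the ``kid``, when one is present)
        :raises ValueError: ``jws`` does not have exactly three parts
        """
        _header, _payload, _sig = jws.split(".")

        self.parse_header(_header)

        if "alg" in self and self["alg"] == "none":
            if not allow_none:
                raise BadSignature("alg 'none' is not allowed")
            self.msg = self._decode(_payload)
            return self.msg
        _alg = self["alg"]

        if keys:
            _keys = self._pick_keys(keys)
        else:
            _keys = self._pick_keys(self._get_keys())

        # The algorithm is whatever the (unverified) header declared; the
        # keys picked above are expected to match it.
        verifier = SIGNER_ALGS[_alg]

        if not _keys:
            if "kid" in self:
                raise NoSuitableSigningKeys(
                    "No key for algorithm: %s with kid: %s" %
                    (_alg, self["kid"]))
            raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg)

        signing_input = _header + '.' + _payload
        raw_sig = b64d(str(_sig))
        for key in _keys:
            try:
                res = verifier.verify(signing_input, raw_sig,
                                      key.get_key(alg=_alg, private=False))
            except BadSignature:
                continue
            # Only an explicit True counts; a truthy non-bool does not.
            if res is True:
                logger.debug("Verified message using key with kid=%s", key.kid)
                self.msg = self._decode(_payload)
                return self.msg

        raise BadSignature()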
コード例 #11
ファイル: jws.py プロジェクト: lxp20201/lxp
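    def verify_compact_verbose(self,
                               jws,
                               keys=None,
                               allow_none=False,
                               sigalg=None):
        """
        Verify a JWT signature and return dict with validation results

        :param jws: compact-serialised JWS (``header.payload.signature``)
        :param keys: candidate keys; ``self._get_keys()`` when empty/None.
            Either set is narrowed by ``self.pick_keys``.
        :param allow_none: If signature algorithm 'none' is allowed
        :param sigalg: Expected sigalg; when given, the header's ``alg``
            must equal it
        :return: ``{'msg': payload}`` for an accepted ``none`` token,
            otherwise ``{'msg': payload, 'key': key}`` with the key that
            verified the signature (also stored in ``self.msg``/``self.key``)
        :raises WrongNumberOfParts: the token does not have three parts
        :raises SignerAlgError: ``alg`` is ``none``/null while
            ``allow_none`` is false, disagrees with ``self["alg"]`` or
            ``sigalg``, or is absent from the header
        :raises NoSuitableSigningKeys: no candidate key fits
        :raises BadSignature: no candidate key verifies the signature
        """
        jwt = JWSig().unpack(jws)
        if len(jwt) != 3:
            raise WrongNumberOfParts(len(jwt))

        self.jwt = jwt

        try:
            _alg = jwt.headers["alg"]
        except KeyError:
            _alg = None
        else:
            # A JSON null is treated like the string "none".
            if _alg is None or _alg.lower() == "none":
                if allow_none:
                    self.msg = jwt.payload()
                    return {'msg': self.msg}
                else:
                    raise SignerAlgError("none not allowed")

        if "alg" in self and _alg:
            if self["alg"] != _alg:
                raise SignerAlgError("Wrong signing algorithm")

        # Format with ``_alg`` rather than re-reading the header: when the
        # header has no "alg" at all the lookup itself raised KeyError here.
        if sigalg and sigalg != _alg:
            raise SignerAlgError("Expected {0} got {1}".format(sigalg, _alg))

        # With no algorithm there is nothing to look up in SIGNER_ALGS;
        # fail with the domain error instead of a KeyError further down.
        if _alg is None:
            raise SignerAlgError("Missing 'alg' header")

        self["alg"] = _alg

        if keys:
            _keys = self.pick_keys(keys)
        else:
            _keys = self.pick_keys(self._get_keys())

        if not _keys:
            if "kid" in self:
                raise NoSuitableSigningKeys("No key with kid: %s" %
                                            (self["kid"]))
            elif "kid" in self.jwt.headers:
                raise NoSuitableSigningKeys("No key with kid: %s" %
                                            (self.jwt.headers["kid"]))
            else:
                raise NoSuitableSigningKeys("No key for algorithm: %s" % _alg)

        verifier = SIGNER_ALGS[_alg]

        for key in _keys:
            try:
                res = verifier.verify(jwt.sign_input(), jwt.signature(),
                                      key.get_key(alg=_alg, private=False))
            except (BadSignature, IndexError):
                # Wrong key (or a key whose material cannot be indexed for
                # this algorithm): try the next candidate.
                continue
            # Only an explicit True counts; a truthy non-bool does not.
            if res is True:
                logger.debug("Verified message using key with kid=%s", key.kid)
                self.msg = jwt.payload()
                self.key = key
                return {'msg': self.msg, 'key': key}

        raise BadSignature()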
コード例 #12
ファイル: jws.py プロジェクト: lxp20201/lxp
 def verify(self, msg, sig, key):
     """Hash ``msg`` and check ``sig`` over it with ``self._sign``.

     :param msg: the signed bytes (the JWS signing input)
     :param sig: the signature to check
     :param key: the key handed to ``self._sign.verify``
     :return: ``True`` when the signature verifies
     :raises BadSignature: when it does not
     """
     # The digest is fed to the verifier as an integer.
     hashed = bytes_to_long(self.digest.new(msg).digest())
     if not self._sign.verify(hashed, sig, key):
         raise BadSignature()
     return True
コード例 #13
ファイル: jws.py プロジェクト: dv10den/pyjwkest
 def verify(self, msg, sig, key):
     """Check ``sig`` by recomputing it with ``self.sign``.

     The comparison uses ``safe_str_cmp`` so that its run time does not
     depend on where the two values first differ.

     :param msg: the signed bytes (the JWS signing input)
     :param sig: the signature to check
     :param key: the key handed to ``self.sign``
     :return: ``None`` when ``sig`` matches
     :raises BadSignature: when it does not (``repr(sig)`` is the message)
     """
     expected = self.sign(msg, key)
     if safe_str_cmp(expected, sig):
         return None
     raise BadSignature(repr(sig))