示例#1
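    def parse(self, msg, name):
        """Parse a KEM message and return its verified claims.

        The message is accepted either as a bare JWS or as a JWE whose
        plaintext is a nested JWS.  In both cases the JWS signature is
        verified before the claims are decoded.

        :param msg: a json-encoded value containing a JWS or JWE+JWS token
        :param name: passed to ``check_kem_claims`` together with the
            verified claims, then stored on ``self.name``

        :raises InvalidMessage: if the message cannot be parsed or validated.
            Whatever ``check_kem_claims`` raises propagates unchanged, because
            that call sits outside the wrapping ``try`` blocks.

        :returns: a dict with ``type`` set to ``'kem'`` and ``value`` holding
            the client's encryption key id (``kid``) and the verified claims
        """

        try:
            jtok = JWT(jwt=msg)
        except Exception as e:
            # NOTE(review): the underlying error text is embedded in the
            # exception message; confirm callers do not relay it verbatim
            # to remote peers.
            raise InvalidMessage('Failed to parse message: %s' % str(e))

        try:
            token = jtok.token
            if isinstance(token, JWE):
                token.decrypt(self.kkstore.server_keys[KEY_USAGE_ENC])
                # If an encrypted payload is received then there must be
                # a nested signed payload to verify the provenance.
                payload = token.payload.decode('utf-8')
                token = JWS()
                token.deserialize(payload)
            elif not isinstance(token, JWS):
                # Report the class of the offending token itself; the JWT
                # wrapper's class is always the same and says nothing.
                raise TypeError("Invalid Token type: %s" % type(token))

            # The keys are selected from the token's header, which is still
            # unauthenticated at this point.
            # NOTE(review): _get_key is not visible here; confirm it resolves
            # the header against a locally trusted key store and never
            # accepts key material carried in the header itself.
            client_keys = [
                JWK(**self._get_key(token.jose_header, KEY_USAGE_SIG)),
                JWK(**self._get_key(token.jose_header, KEY_USAGE_ENC))
            ]

            # verify token and get payload
            token.verify(client_keys[KEY_USAGE_SIG])
            claims = json_decode(token.payload)
        except Exception as e:
            logger.debug('Failed to validate message', exc_info=True)
            raise InvalidMessage('Failed to validate message: %s' % str(e))

        # Publish the keys on the instance only after the signature checked
        # out, so a rejected message cannot leave keys chosen by its header
        # behind on this object.
        self.client_keys = client_keys

        check_kem_claims(claims, name)
        self.name = name
        self.payload = claims.get('value')
        self.msg_type = 'kem'

        return {
            'type': self.msg_type,
            'value': {
                'kid': self.client_keys[KEY_USAGE_ENC].key_id,
                'claims': claims
            }
        }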
示例#2
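def verify_proof(did_document: list, proof: jws.JWS, signer: str):
    """Check that *proof* commits to *did_document* and is signed by *signer*.

    Two checks are made, in this order: the base64url SHA-256 digest of the
    serialized document must equal the ``sha-256`` field of the proof
    payload, and the proof's signature must verify under the key derived
    from *signer* by ``did_to_jwk``.

    :param did_document: the document the proof is expected to cover
    :param proof: the JWS object carrying the proof
    :param signer: identifier handed to ``did_to_jwk`` to obtain the
        verification key

    :raises ValueError: if the digest in the proof payload does not match
        the document.  Errors raised by ``proof.verify`` propagate unchanged.

    :returns: ``None``; success is signalled by the absence of an exception
    """
    # The digest is taken over json.dumps() default output, so it only
    # matches if the producer serialized the document the same way (same
    # key order and separators).
    serialized = json.dumps(did_document).encode('utf-8')
    document_sha256_b64 = base64url_encode(hashlib.sha256(serialized).digest())

    # The payload is parsed before proof.verify() has run, so it is still
    # unauthenticated here; it is only compared, never returned.
    payload = json.loads(proof.objects['payload'].decode())
    if document_sha256_b64 != payload['sha-256']:
        # ValueError is still caught by callers handling Exception; the
        # unreachable "return -1" that followed the raise has been dropped.
        raise ValueError("The sha-256 field of the proof payload is not valid")

    signer_jwk = did_to_jwk(signer)
    proof.verify(signer_jwk)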
示例#3
文件: kem.py 项目: tiran/custodia
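    def parse(self, msg, name):
        """Parses the message and returns its signature-verified claims.

        A bare JWS is verified directly.  A JWE is first decrypted with the
        server's encryption key and its plaintext is then treated as a
        nested JWS, which is verified the same way.

        :param msg: a json-encoded value containing a JWS or JWE+JWS token
        :param name: forwarded to ``check_kem_claims`` with the verified
            claims and recorded as ``self.name``

        :raises InvalidMessage: if the message cannot be parsed or validated.
            ``check_kem_claims`` runs outside the ``try`` blocks, so its
            exceptions reach the caller as raised.

        :returns: A verified payload: ``{'type': 'kem', 'value': {...}}``
            where ``value`` carries the client encryption key's ``kid`` and
            the decoded claims
        """

        try:
            jtok = JWT(jwt=msg)
        except Exception as e:
            raise InvalidMessage('Failed to parse message: %s' % str(e))

        try:
            token = jtok.token
            if isinstance(token, JWE):
                token.decrypt(self.kkstore.server_keys[KEY_USAGE_ENC])
                # If an encrypted payload is received then there must be
                # a nested signed payload to verify the provenance.
                nested = token.payload.decode('utf-8')
                token = JWS()
                token.deserialize(nested)
            elif isinstance(token, JWS):
                pass
            else:
                # Name the rejected token's own type; type(jtok) would
                # always print the JWT wrapper class.
                raise TypeError("Invalid Token type: %s" % type(token))

            # Look up both client keys from the (not yet verified) header.
            # NOTE(review): assumes _get_key only returns keys the server
            # already trusts for the sender named in the header -- confirm
            # against its implementation.
            header = token.jose_header
            sig_key = JWK(**self._get_key(header, KEY_USAGE_SIG))
            enc_key = JWK(**self._get_key(header, KEY_USAGE_ENC))
            candidate_keys = [sig_key, enc_key]

            # verify token and get payload
            token.verify(candidate_keys[KEY_USAGE_SIG])
            claims = json_decode(token.payload)
        except Exception as e:
            logger.debug('Failed to validate message', exc_info=True)
            # NOTE(review): str(e) ends up in the message; check that it is
            # not echoed back to an unauthenticated sender.
            raise InvalidMessage('Failed to validate message: %s' % str(e))

        # Keep the keys for later use, but only once verification passed:
        # a failed parse must not leave header-selected keys on the object.
        self.client_keys = candidate_keys

        check_kem_claims(claims, name)
        self.name = name
        self.payload = claims.get('value')
        self.msg_type = 'kem'

        return {'type': self.msg_type,
                'value': {'kid': self.client_keys[KEY_USAGE_ENC].key_id,
                          'claims': claims}}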
示例#4
    def _validateSignature(self, cvs):
        """Verify this block's JWS signature with the key its predecessor pins.

        The block is re-parsed from its own serialization, the ``kid`` from
        its header is compared with ``cvs.antecedent.pkt``, and only on a
        match is the key fetched from the keystore and used to verify.

        :param cvs: validation state exposing ``antecedent`` and ``ratchet``

        :raises NotImplementedError: if the header's ``kid`` differs from
            ``cvs.antecedent.pkt``
        """
        if cvs.antecedent is None:
            # Special cased to bootstrap data structures
            # NOTE(review): cvs.antecedent is dereferenced below, so this
            # presumably sets it -- confirm against ratchet().
            cvs.ratchet(self)

        parsed = JWS()
        parsed.deserialize(self.serialize())
        thumbprint = parsed.jose_header["kid"]

        if not (cvs.antecedent.pkt == thumbprint):
            # XXX: This case is only relevant on the GodBlock
            # TODO: support cases where block isn't signed by preceding key
            # (key recovery, issuer tombstone)
            raise NotImplementedError("TODO")  # pragma: no cover

        # The header-supplied kid is used for the keystore lookup only after
        # it has matched the value carried by the validation state.
        parsed.verify(keystore()[thumbprint])
示例#5
    def _validateSignature(self, cvs):
        """Verify this block's JWS signature against its creator's key chain.

        The ``kid`` from the block's header must be the same as, or
        subsequent to, the thumbprint recorded for ``self.creator`` in
        ``cvs._recent_thumbprints`` (as judged by the creator's chain from
        ``chainstore()``).  Only then is the key fetched from the keystore
        and the signature verified.

        :param cvs: validation state exposing ``antecedent``, ``ratchet``
            and ``_recent_thumbprints``

        :raises ChainValidationError: if the creator has no recorded
            thumbprint, or the signing key is older than the recorded one
        """
        if cvs.antecedent is None:
            # Special cased to bootstrap data structures
            cvs.ratchet(self)

        parsed = JWS()
        parsed.deserialize(self.serialize())
        signing_print = parsed.jose_header["kid"]

        # The chain lookup stays ahead of the grants check, as in the
        # original statement order.
        creator_chain = chainstore()[self.creator]
        if self.creator not in cvs._recent_thumbprints:
            raise ChainValidationError("No grants for creator: " + self.creator)
        latest_print = cvs._recent_thumbprints[self.creator]

        if not creator_chain.isSameOrSubsequent(signing_print, latest_print):
            raise ChainValidationError("Out of date key.")

        # The header-supplied kid reaches the keystore only after it has
        # been accepted by the creator's chain.
        parsed.verify(keystore()[signing_print])