def parse(self, msg, name): """Parses the message. We check that the message is properly formatted. :param msg: a json-encoded value containing a JWS or JWE+JWS token :raises InvalidMessage: if the message cannot be parsed or validated :returns: A verified payload """ try: jtok = JWT(jwt=msg) except Exception as e: raise InvalidMessage('Failed to parse message: %s' % str(e)) try: token = jtok.token if isinstance(token, JWE): token.decrypt(self.kkstore.server_keys[KEY_USAGE_ENC]) # If an encrypted payload is received then there must be # a nested signed payload to verify the provenance. payload = token.payload.decode('utf-8') token = JWS() token.deserialize(payload) elif isinstance(token, JWS): pass else: raise TypeError("Invalid Token type: %s" % type(jtok)) # Retrieve client keys for later use self.client_keys = [ JWK(**self._get_key(token.jose_header, KEY_USAGE_SIG)), JWK(**self._get_key(token.jose_header, KEY_USAGE_ENC)) ] # verify token and get payload token.verify(self.client_keys[KEY_USAGE_SIG]) claims = json_decode(token.payload) except Exception as e: logger.debug('Failed to validate message', exc_info=True) raise InvalidMessage('Failed to validate message: %s' % str(e)) check_kem_claims(claims, name) self.name = name self.payload = claims.get('value') self.msg_type = 'kem' return { 'type': self.msg_type, 'value': { 'kid': self.client_keys[KEY_USAGE_ENC].key_id, 'claims': claims } }
def verify_proof(did_document: list, proof: jws.JWS, signer: str): document_sha256 = hashlib.sha256() document_sha256.update(json.dumps(did_document).encode('utf-8')) document_sha256_b64 = base64url_encode(document_sha256.digest()) payload = json.loads(proof.objects['payload'].decode()) if (document_sha256_b64 != payload['sha-256']): raise Exception("The sha-256 field of the proof payload is not valid") return -1 signer_jwk = did_to_jwk(signer) proof.verify(signer_jwk)
def parse(self, msg, name): """Parses the message. We check that the message is properly formatted. :param msg: a json-encoded value containing a JWS or JWE+JWS token :raises InvalidMessage: if the message cannot be parsed or validated :returns: A verified payload """ try: jtok = JWT(jwt=msg) except Exception as e: raise InvalidMessage('Failed to parse message: %s' % str(e)) try: token = jtok.token if isinstance(token, JWE): token.decrypt(self.kkstore.server_keys[KEY_USAGE_ENC]) # If an encrypted payload is received then there must be # a nested signed payload to verify the provenance. payload = token.payload.decode('utf-8') token = JWS() token.deserialize(payload) elif isinstance(token, JWS): pass else: raise TypeError("Invalid Token type: %s" % type(jtok)) # Retrieve client keys for later use self.client_keys = [ JWK(**self._get_key(token.jose_header, KEY_USAGE_SIG)), JWK(**self._get_key(token.jose_header, KEY_USAGE_ENC))] # verify token and get payload token.verify(self.client_keys[KEY_USAGE_SIG]) claims = json_decode(token.payload) except Exception as e: logger.debug('Failed to validate message', exc_info=True) raise InvalidMessage('Failed to validate message: %s' % str(e)) check_kem_claims(claims, name) self.name = name self.payload = claims.get('value') self.msg_type = 'kem' return {'type': self.msg_type, 'value': {'kid': self.client_keys[KEY_USAGE_ENC].key_id, 'claims': claims}}
def _validateSignature(self, cvs): if cvs.antecedent is None: # Special cased to bootstrap data structures cvs.ratchet(self) jws = JWS() jws.deserialize(self.serialize()) tprint = jws.jose_header["kid"] if (cvs.antecedent.pkt == tprint): key = keystore()[tprint] jws.verify(key) else: # XXX: This case is only revavent on the GodBlock # TODO: support cases where block isn't signed by preceding key # (key recovery, issuer tombstone) raise NotImplementedError("TODO") # pragma: no cover
def _validateSignature(self, cvs): if cvs.antecedent is None: # Special cased to bootstrap data structures cvs.ratchet(self) jws = JWS() jws.deserialize(self.serialize()) tprint = jws.jose_header["kid"] idchain = chainstore()[self.creator] if self.creator not in cvs._recent_thumbprints: raise ChainValidationError("No grants for creator: " + self.creator) creator_print = cvs._recent_thumbprints[self.creator] if idchain.isSameOrSubsequent(tprint, creator_print): key = keystore()[tprint] jws.verify(key) else: raise ChainValidationError("Out of date key.")