Commit 3323b32e authored by Simo Sorce

JWE: Add explicit decrypt step

It may be useful to perform the deserialization and decryption steps
separately.

The decrypt() step assumes the caller already called the deserialize()
function, and accepts only one key.

The decrypt step will allow a caller to try multiple keys, by simply
calling decrypt() multiple times.
Signed-off-by: Simo Sorce <simo@redhat.com>
parent 03b2c54e
......@@ -606,6 +606,29 @@ class JWE(object):
else:
raise ValueError('Unknown compression')
def decrypt(self, key):
if not isinstance(key, JWK):
raise ValueError('key is not a JWK object')
if 'ciphertext' not in self.objects:
raise InvalidJWEOperation("No available ciphertext")
self.decryptlog = list()
if 'recipients' in self.objects:
for rec in self.objects['recipients']:
try:
self._decrypt(key, rec)
except Exception as e: # pylint: disable=broad-except
self.decryptlog.append('Failed: [%s]' % repr(e))
else:
try:
self._decrypt(key, self.objects)
except Exception as e: # pylint: disable=broad-except
self.decryptlog.append('Failed: [%s]' % repr(e))
if not self.plaintext:
raise InvalidJWEData('No recipient matched the provided '
'key' + repr(self.decryptlog))
def deserialize(self, raw_jwe, key=None):
""" Destroys any current status and tries to import the raw
JWS provided.
......@@ -664,24 +687,4 @@ class JWE(object):
raise InvalidJWEData('Invalid format', repr(e))
if key:
if not isinstance(key, JWK):
raise ValueError('key is not a JWK object')
if 'ciphertext' not in self.objects:
raise InvalidJWEOperation("No available ciphertext")
self.decryptlog = list()
if 'recipients' in self.objects:
for rec in self.objects['recipients']:
try:
self._decrypt(key, rec)
except Exception as e: # pylint: disable=broad-except
self.decryptlog.append('Failed: [%s]' % repr(e))
else:
try:
self._decrypt(key, self.objects)
except Exception as e: # pylint: disable=broad-except
self.decryptlog.append('Failed: [%s]' % repr(e))
if not self.plaintext:
raise InvalidJWEData('No recipient matched the provided '
'key' + repr(self.decryptlog))
self.decrypt(key)
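Review bot: The new `decrypt()` never clears `self.plaintext` before the recipient loop, so the success check at `if not self.plaintext:` can be satisfied by a plaintext left over from an earlier successful `decrypt()` on the same object, and a later call with a non-matching key would return without raising — the multi-key retry flow the commit message describes relies on that state being fresh; assuming `_decrypt()` (outside the hunk) only assigns `self.plaintext` on success, add `self.plaintext = None` next to `self.decryptlog = list()`. The `for rec in self.objects['recipients']:` loop also keeps unwrapping the remaining recipients after one has already succeeded, which costs extra key operations and fills `decryptlog` with spurious failures; a `break` once `self.plaintext` is set avoids both. Note that `repr(self.decryptlog)` is embedded in the `InvalidJWEData` message and distinguishes the underlying failure causes (key-unwrap vs. tag/padding errors), so callers that relay that message to a remote peer hand out a decryption oracle — worth a warning in the docstring. The method has no docstring; suggest a short one stating that `deserialize()` must have been called first, that exactly one `JWK` is tried against every recipient, that per-recipient failures are collected in `self.decryptlog` rather than raised, and that `InvalidJWEData` is raised only when no recipient yields a plaintext. The enclosing `class JWE` starts before the first hunk and continues after the last.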