Commit 9721a314 authored by Simo Sorce's avatar Simo Sorce Committed by Simo Sorce

Better validation of JWE compact serialization

Fixes #92
Signed-off-by: 's avatarSimo Sorce <simo@redhat.com>
parent 31079736
......@@ -59,7 +59,7 @@ class InvalidJWEData(JWException):
super(InvalidJWEData, self).__init__(msg)
# These have been moved to jwcrypto.common, maintain here for bacwards compat
# These have been moved to jwcrypto.common, maintain here for backwards compat
InvalidCEKeyLength = common.InvalidCEKeyLength
InvalidJWEKeyLength = common.InvalidJWEKeyLength
InvalidJWEKeyType = common.InvalidJWEKeyType
......@@ -270,7 +270,19 @@ class JWE(object):
if compact:
for invalid in 'aad', 'unprotected':
if invalid in self.objects:
raise InvalidJWEOperation("Can't use compact encoding")
raise InvalidJWEOperation(
"Can't use compact encoding when the '%s' parameter"
"is set", invalid)
if 'protected' not in self.objects:
raise InvalidJWEOperation(
"Can't use compat encoding without protected headers")
else:
ph = json_decode(self.objects['protected'])
for required in 'alg', 'enc':
if required not in ph:
raise InvalidJWEOperation(
"Can't use compat encoding, '%s' must be in the "
"protected header", required)
if 'recipients' in self.objects:
if len(self.objects['recipients']) != 1:
raise InvalidJWEOperation("Invalid number of recipients")
......
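Review bot: The new messages in the compact branch are passed to `InvalidJWEOperation` as a format string plus a separate positional argument (`"... '%s' parameter" "is set", invalid`), so unless the exception's constructor applies the formatting itself (its definition is not visible here) the `'%s'` is never filled in. The two adjacent literals also concatenate to "parameteris set", and the two other new messages say "compat" where "compact" is meant. I would write `"Can't use compact encoding when the '%s' parameter is set" % invalid` and `"Can't use compact encoding, '%s' must be in the protected header" % required`, and fix the spelling in the "without protected headers" message. The enclosing method starts and continues outside the hunk.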
......@@ -857,6 +857,26 @@ class TestJWE(unittest.TestCase):
e = jwe.JWE(algs=['A256KW'])
e.deserialize(E_A5_ex, E_A4_ex['key2'])
def test_compact_protected_header(self):
"""Compact representation requires a protected header"""
e = jwe.JWE(E_A1_ex['plaintext'])
e.add_recipient(E_A1_ex['key'], E_A1_ex['protected'])
with self.assertRaises(jwe.InvalidJWEOperation):
e.serialize(compact=True)
def test_compact_invalid_header(self):
with self.assertRaises(jwe.InvalidJWEOperation):
e = jwe.JWE(E_A1_ex['plaintext'], E_A1_ex['protected'],
aad='XYZ', recipient=E_A1_ex['key'])
e.serialize(compact=True)
with self.assertRaises(jwe.InvalidJWEOperation):
e = jwe.JWE(E_A1_ex['plaintext'], E_A1_ex['protected'],
unprotected='{"jku":"https://example.com/keys.jwks"}',
recipient=E_A1_ex['key'])
e.serialize(compact=True)
MMA_vector_key = jwk.JWK(**E_A2_key)
MMA_vector_ok_cek = \
......
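Review bot: In `test_compact_invalid_header` both `assertRaises` blocks wrap the `jwe.JWE(...)` constructor as well as `e.serialize(compact=True)`, so the test would also pass if construction raised `InvalidJWEOperation` and the compact-serialization check were never reached. Building `e` before the `with` block, as `test_compact_protected_header` does, pins the expected failure to `serialize`. The new check that `alg` and `enc` are present in the protected header has no test in this section; a case whose protected header lacks `enc` would cover that branch.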