Commit db4c6bc4 authored by Simo Sorce's avatar Simo Sorce

JWT: Add support for allowed algorithms

Allow to pass in a list of allowed algorithms. If provided this list
will be enforced on token verification/decryption.
Signed-off-by: default avatarSimo Sorce <simo@redhat.com>
parent b1f923d8
......@@ -11,7 +11,8 @@ class JWT(object):
This object represent a generic token.
"""
def __init__(self, header=None, claims=None, jwt=None, key=None):
def __init__(self, header=None, claims=None, jwt=None, key=None,
algs=None):
"""Creates a JWT object.
:param header: A dict or a JSON string with the JWT Header data.
......@@ -19,6 +20,7 @@ class JWT(object):
:param jwt: a 'raw' JWT token
:param key: A (:class:`jwcrypto.jwk.JWK`) key to deserialize
the token.
:param algs: An optional list of allowed algorithms
Note: either the header,claims or jwt,key parameters should be
provided as a deserialization operation (which occurs if the jwt
......@@ -29,6 +31,7 @@ class JWT(object):
self._header = None
self._claims = None
self._token = None
self._algs = algs
if header:
self.header = header
......@@ -122,6 +125,10 @@ class JWT(object):
else:
raise ValueError("Token format unrecognized")
# Apply algs restrictions if any, before performing any operation
if self._algs:
self.token.allowed_algs = self._algs
# now deserialize and also decrypt/verify (or raise) if we
# have a key
self.token.deserialize(jwt, key)
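Review bot: The guard `if self._algs:` at the top of the new block treats an explicitly empty list the same as `None`, so `algs=[]` falls through to the token's default algorithm set instead of restricting it; if the intent is that a caller can pass an empty list to deny every algorithm, `if self._algs is not None:` is the check that distinguishes "not provided" from "nothing allowed". Whether `allowed_algs = []` is honoured as "deny all" by the token classes is not visible here and should be confirmed. Separately, `self._algs = algs` in `__init__` stores the caller's list by reference, so a later mutation of that list silently changes what the token will accept; `self._algs = list(algs) if algs is not None else None` would fix the restriction at construction time. The enclosing deserialization method starts outside the hunk.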
......
......@@ -711,6 +711,10 @@ class TestJWT(unittest.TestCase):
Tinner = jwt.JWT(jwt=Touter.claims, key=sigkey)
self.assertEqual(A1_claims, json_decode(Tinner.claims))
with self.assertRaises(jwe.InvalidJWEData):
jwt.JWT(jwt=A2_token, key=E_A2_ex['key'],
algs=['RSA_1_5', 'AES256GCM'])
class ConformanceTests(unittest.TestCase):
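Review bot: The new assertion only exercises the rejection path: `algs=['RSA_1_5', 'AES256GCM']` is chosen so that the token's actual algorithms are excluded and `InvalidJWEData` is raised. There is no companion case showing that the same token still decrypts when its own `alg` and `enc` values are listed, so a regression that made the filter reject everything would pass this test unchanged. Add the positive case next to it, constructing `jwt.JWT(jwt=A2_token, key=E_A2_ex['key'], algs=[...])` with the token's own algorithm identifiers (defined outside this hunk) and asserting the claims decode as before. The enclosing test method starts outside the hunk.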
......