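def verify(self, signer_requirements, path, sgn_value):
    """Verify the authenticity of the incoming data.

    The certificate carried in *sgn_value* is parsed, checked against
    *signer_requirements* (``_check_node_name``) and against our trust
    root (``_verify_certificate``) before its public key is used to
    validate the JWT, so a certificate we do not trust never vouches
    for a token.

    :param signer_requirements: what we expect of the key; right now,
        the CN of the signer
    :param path: path where the JSON object was found
    :param sgn_value: the datastructure found at that path; a mapping
        carrying a PEM ``"certificate"`` and a ``"jwt"`` string
    :return: confirmed original value from the JWT token
    :raise JWTSigningFailed: if the value is missing, the certificate
        cannot be parsed or is not acceptable, the token does not verify
        against the certificate's public key, or the token carries no
        ``"value"``.
    """
    if sgn_value is None:
        raise JWTSigningFailed(
            _("Invalid empty value at path %s") % (path))

    # Load the certificate and verify that it is both a suitable
    # certificate for this key and one we trust the origin of.
    # "" is an invalid key: the PEM parser rejects it below.
    vcert_str = sgn_value.get("certificate", "")
    # PEM is pure ASCII and the parser wants bytes; any stray
    # non-ASCII character is dropped rather than mis-decoded.
    vcert_str = vcert_str.encode('ascii', 'ignore')
    try:
        # load_pem_x509_certificate raises ValueError on data that is
        # not a parseable PEM certificate; report that as a signing
        # failure rather than letting a bare ValueError escape.
        vcert_obj = load_pem_x509_certificate(
            vcert_str,
            default_backend())
    except ValueError:
        raise JWTSigningFailed(
            _("Unparseable certificate at path %s") % path)
    vpublic_key = vcert_obj.public_key()
    self._check_node_name(signer_requirements, vcert_obj)
    # NOTE(review): _verify_certificate is presumably where the chain
    # back to the trusted CA is checked -- confirm; nothing else in
    # this method does so.
    self._verify_certificate(vcert_str)

    try:
        # Unpack the JWT to its raw data.  The accepted algorithm set is
        # pinned to RS256 so the token header cannot select another
        # algorithm.  PyJWT's keyword is ``algorithms`` (a list); the
        # previous ``algorithm=`` spelling is not that parameter.
        # ("" is an invalid token)
        jwtok = sgn_value.get("jwt", "")
        dval = jwt.decode(jwtok, vpublic_key, algorithms=['RS256'])
        # Check the ancillary tags of the raw data
        self._check_path(dval, path)
        # TODO(ijw): check delta
        # Get and return the originally provided value
        return dval["value"]
    except jwt.InvalidTokenError:
        raise JWTSigningFailed(_("InvalidTokenError: path :%s") % path)
    except KeyError:
        # A verified token that carries no payload value is still a
        # failure as far as the caller is concerned.
        raise JWTSigningFailed(
            _("Token at path %s carries no value") % path)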