author | Danny Hermes <daniel.j.hermes@gmail.com> | 2015-08-25 16:49:39 -0700 |
committer | Danny Hermes <daniel.j.hermes@gmail.com> | 2015-09-01 09:58:33 -0700 |
commit | b0c459f040e977e9e957ede3f592b281b6cec53d (patch) | |
tree | 2bbd37098d29757181f3dbc6037edc84ffa5b665 /oauth2client/crypt.py | |
parent | 4c56131ea2966c6772d47fb1020bbf899ff8d3bf (diff) | |
download | oauth2client-b0c459f040e977e9e957ede3f592b281b6cec53d.tar.gz |
Refactor certificate checking in crypt.verify_signed_jwt_with_certs.
Moved the check into the protected function _verify_signature.
Diffstat (limited to 'oauth2client/crypt.py')
-rw-r--r-- | oauth2client/crypt.py | 33 |
1 files changed, 24 insertions, 9 deletions
diff --git a/oauth2client/crypt.py b/oauth2client/crypt.py
index f36d18d..6bb6e9f 100644
--- a/oauth2client/crypt.py
+++ b/oauth2client/crypt.py
@@ -97,6 +97,28 @@ def make_signed_jwt(signer, payload):
     return b'.'.join(segments)
 
 
+def _verify_signature(message, signature, certs):
+    """Verifies signed content using a list of certificates.
+
+    Args:
+        message: string or bytes, The message to verify.
+        signature: string or bytes, The signature on the message.
+        certs: dict, with the keys as certificate ID strings and the values
+               certificates in PEM format.
+
+    Raises:
+        AppIdentityError: If none of the certificates can verify the message
+                          against the signature.
+    """
+    for pem in certs.values():
+        verifier = Verifier.from_string(pem, is_x509_cert=True)
+        if verifier.verify(message, signature):
+            return
+
+    # If we have not returned, no certificate confirms the signature.
+    raise AppIdentityError('Invalid token signature')
+
+
 def verify_signed_jwt_with_certs(jwt, certs, audience):
     """Verify a JWT against public certs.
 
@@ -119,7 +141,7 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
 
     if len(segments) != 3:
         raise AppIdentityError('Wrong number of segments in token: %s' % jwt)
-    signed = segments[0] + b'.' + segments[1]
+    message_to_sign = segments[0] + b'.' + segments[1]
 
     signature = _urlsafe_b64decode(segments[2])
 
@@ -131,14 +153,7 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
         raise AppIdentityError('Can\'t parse token: %s' % json_body)
 
     # Check signature.
-    verified = False
-    for pem in certs.values():
-        verifier = Verifier.from_string(pem, True)
-        if verifier.verify(signed, signature):
-            verified = True
-            break
-    if not verified:
-        raise AppIdentityError('Invalid token signature: %s' % jwt)
+    _verify_signature(message_to_sign, signature, certs)
 
     # Check creation timestamp.
     iat = parsed.get('iat')
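Review bot: The docstring on `_verify_signature` says it uses "a list of certificates", but `certs` is documented as a dict and the loop iterates `certs.values()`; the summary line should read `"""Verifies signed content using a dict of certificates.`. The new raise also drops the token from the message that the removed loop produced (`'Invalid token signature: %s' % jwt`), which the commit description presents as a pure refactor; keeping the raw token out of exception text is the safer choice, since that text otherwise lands in logs and tracebacks, but it is a behaviour change worth stating in the description, and any test asserting on the old message would presumably need updating. An empty `certs` mapping falls straight through to the raise, which is the right failure mode; a comment such as `# No certificates means nothing can verify the signature; fail closed.` above the loop would make that intent explicit.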
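Review bot: `message_to_sign` misnames the value handed to `_verify_signature`: nothing is signed on this path, the bytes are the JWS signing input whose existing signature is being checked, so a name such as `signing_input` or `signed_content` reads correctly; the same rename applies to the assignment `message_to_sign = segments[0] + b'.' + segments[1]` in the previous hunk. Replacing the positional `Verifier.from_string(pem, True)` with the keyword form `is_x509_cert=True` inside the helper is an improvement in clarity and is worth keeping. verify_signed_jwt_with_certs begins before this hunk and continues past it on both sides.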