(self, payload_segment, payload, header_obj, key)
| 310 | raise InvalidCritHeaderParameterNameError(k) |
| 311 | |
def _validate_json_jws(self, payload_segment, payload, header_obj, key):
    """Check the signature carried by one JSON JWS header object.

    ``header_obj`` is read for three members: ``"protected"`` and
    ``"signature"`` (both required) and ``"header"`` (optional, the
    unprotected header).

    Returns a ``(jws_header, verified)`` tuple. ``verified`` is ``True``
    only when ``algorithm.verify`` reports success. A failed verification
    does not raise, and the parsed header is returned either way, so
    callers must check the boolean before trusting anything in
    ``jws_header``.

    Raises ``DecodeError`` when ``"protected"`` or ``"signature"`` is
    missing or empty, or when ``"header"`` is a truthy non-dict value.
    The helpers called here are defined elsewhere and may raise their own
    errors.
    """
    protected_part = header_obj.get("protected")
    if not protected_part:
        raise DecodeError('Missing "protected" value')

    signature_part = header_obj.get("signature")
    if not signature_part:
        raise DecodeError('Missing "signature" value')

    protected_part = to_bytes(protected_part)
    protected_header = _extract_header(protected_part)

    unprotected_header = header_obj.get("header")
    # NOTE(review): only truthy values are type-checked, so a falsy
    # non-dict "header" (e.g. "" or []) reaches the helpers below.
    # Confirm they tolerate that.
    if unprotected_header and not isinstance(unprotected_header, dict):
        raise DecodeError('Invalid "header" value')

    # RFC 7515 §4.1.11 requires 'crit' to be integrity-protected. The
    # unprotected header is not covered by the signature, so a 'crit'
    # found there must cause rejection rather than be honoured.
    self._reject_unprotected_crit(unprotected_header)

    # Must-understand handling for the names listed in the protected
    # 'crit'. Per the original comment, this also checks that each listed
    # name is present in the protected header. Both 'crit' checks run
    # before any key or algorithm is selected.
    self._validate_crit_headers(protected_header)

    jws_header = JWSHeader(protected_header, unprotected_header)
    algorithm, resolved_key = self._prepare_algorithm_key(jws_header, payload, key)

    # The signing input is built from the protected segment as received
    # (after to_bytes), not from a re-serialised copy of the parsed header.
    signing_input = b".".join((protected_part, payload_segment))
    signature = _extract_signature(to_bytes(signature_part))

    verified = bool(algorithm.verify(signing_input, signature, resolved_key))
    return jws_header, verified
| 341 | |
| 342 | |
| 343 | def _extract_header(header_segment): |
no test coverage detected