in functions/source/api/manifest.py [0:0]
def run(self):
    """Verify one signed manifest entry and collect its certificates.

    The JWS protected header must name the expected verification
    certificate (``kid`` and ``x5t#S256``). The signature over the protected
    header and payload is then checked with
    ``self.verification_public_key_pem``. Finally, every ``x5c`` certificate
    listed under the payload's ``publicKeySet`` is appended to
    ``self.certificate_chain`` as PEM text.

    Raises:
        ValueError: ``kid`` or ``x5t#S256`` differs from the expected value.
        KeyError: a required member is missing from the entry or from its
            protected header.
        Exception: whatever ``jose.jws.verify`` raises when the signature
            does not verify.
    """
    entry = self.signed_se

    # NOTE(review): uniqueId is read from the 'header' member, which is not
    # one of the three members joined into the token verified below. The
    # signature check in this method therefore does not authenticate
    # self.identifier. Callers that key decisions on it should confirm it
    # against a signed field.
    unique_id = entry['header']['uniqueId']
    print('uniqueId: {}'.format(unique_id))
    self.identifier = unique_id

    # Decode the protected header and pin it to the expected certificate.
    # These comparisons run before the signature check, but the same
    # 'protected' string is part of the verified token, so a successful
    # verify() below covers the values compared here.
    protected_raw = base64url_decode(entry['protected'].encode('ascii'))
    protected_header = json.loads(protected_raw)
    if protected_header['kid'] != self.verification_cert_kid_b64:
        raise ValueError('kid does not match certificate value')
    if protected_header['x5t#S256'] != self.verification_cert_x5t_s256_b64:
        raise ValueError('x5t#S256 does not match certificate value')

    # python-jose expects the compact serialization:
    # protected.payload.signature
    compact_token = '.'.join(
        entry[member] for member in ('protected', 'payload', 'signature'))

    # verify() raises on a bad signature, so the payload is only parsed
    # after it has been authenticated.
    # NOTE(review): verification_algorithms is defined outside this block;
    # confirm it lists only the algorithm(s) expected for the signing key.
    verified_payload = jose.jws.verify(
        token=compact_token,
        key=self.verification_public_key_pem,
        algorithms=verification_algorithms)
    secure_element = json.loads(verified_payload)

    # A payload without a public key set is treated as having no keys.
    try:
        key_entries = secure_element['publicKeySet']['keys']
    except KeyError:
        key_entries = []

    # Each x5c entry is parsed as DER and re-encoded as PEM. No certificate
    # path validation happens here; the certificates are trusted only
    # because they arrived inside the signed payload.
    for key_entry in key_entries:
        for der_b64 in key_entry.get('x5c', []):
            certificate = x509.load_der_x509_certificate(
                data=b64decode(der_b64), backend=default_backend())
            pem_text = certificate.public_bytes(
                encoding=serialization.Encoding.PEM).decode('ascii')
            self.certificate_chain = self.certificate_chain + pem_text