in lambda-supplier-providers/Microchip/ManifestHandler.py [0:0]
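def run(self):
    """Verify one signed secure-element manifest entry and collect its certificates.

    ``self.signed_se`` is a JWS in flattened JSON form with ``header``,
    ``protected``, ``payload`` and ``signature`` members. The method:

    1. checks that the protected header's ``kid`` and ``x5t#S256`` match the
       values derived from the verification certificate,
    2. verifies the signature with ``self.verification_public_key_pem``,
    3. checks that the ``uniqueId`` in the unprotected header matches the one
       in the signed payload,
    4. appends every ``x5c`` certificate found in the payload's
       ``publicKeySet`` to ``self.certificate_chain`` as PEM text.

    Raises:
        ValueError: if ``kid``, ``x5t#S256`` or ``uniqueId`` do not match.
        Exception: whatever ``jose.jws.verify`` raises when the signature or
            algorithm check fails.
    """
    # 'header' is the JWS *unprotected* header: it is not covered by the
    # signature, so this value is untrusted until it has been compared with
    # the signed payload below.
    self.identifier = self.signed_se['header']['uniqueId']

    # Decode the protected header
    protected = json.loads(
        base64url_decode(
            self.signed_se['protected'].encode('ascii')
        )
    )

    # Pin the signer: the entry must name exactly the certificate we were
    # configured to trust, by key id and by SHA-256 thumbprint.
    if protected['kid'] != self.verification_cert_kid_b64:
        raise ValueError('kid does not match certificate value')
    if protected['x5t#S256'] != self.verification_cert_x5t_s256_b64:
        raise ValueError('x5t#S256 does not match certificate value')

    # Convert JWS to compact form as required by python-jose
    jws_compact = '.'.join([
        self.signed_se['protected'],
        self.signed_se['payload'],
        self.signed_se['signature']
    ])

    # Verify and decode the payload. If verification fails an exception will
    # be raised. The accepted algorithms come from verification_algorithms,
    # which is defined outside this method.
    se = json.loads(
        jose.jws.verify(
            token=jws_compact,
            key=self.verification_public_key_pem,
            algorithms=verification_algorithms
        )
    )

    # Bind the identifier to signed data. Without this check a validly signed
    # entry could be relabelled by editing only the unsigned header.
    # NOTE(review): assumes the signed payload repeats 'uniqueId', as
    # Microchip secure-element manifests do; confirm for the format in use.
    if se.get('uniqueId') != self.identifier:
        raise ValueError('uniqueId in header does not match signed payload')

    try:
        public_keys = se['publicKeySet']['keys']
    except KeyError:
        # No key set in the payload: nothing to add to the chain.
        public_keys = []

    for jwk in public_keys:
        for cert_b64 in jwk.get('x5c', []):
            # x5c entries are standard base64 DER certificates.
            cert = x509.load_der_x509_certificate(
                data=b64decode(cert_b64),
                backend=default_backend()
            )
            # Appends to the existing value, so self.certificate_chain must
            # already be a string when run() is called. The certificates are
            # authenticated only as part of the signed payload; no path
            # validation happens here.
            self.certificate_chain += cert.public_bytes(
                encoding=serialization.Encoding.PEM
            ).decode('ascii')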