Deal with alg specification in JWKS and keys in JWKS that is not supported.

rohe · rohe · commit 0e011bda93b0 · 2020-04-06T10:05:10.000+02:00
diff --git a/src/cryptojwt/exception.py b/src/cryptojwt/exception.py
@@ -105,3 +105,7 @@ class WrongUsage(JWKESTException):
 
 class HTTPException(JWKESTException):
     pass
+
+
+class UnsupportedECurve(Unsupported):
+    pass
diff --git a/src/cryptojwt/jwk/__init__.py b/src/cryptojwt/jwk/__init__.py
@@ -47,13 +47,24 @@ def __init__(self, kty="", alg="", use="", kid="", x5c=None,
             if not isinstance(alg, str):
                 alg = as_unicode(alg)
 
-            # The list comes from https://tools.ietf.org/html/rfc7518#page-6
-            # Should map against SIGNER_ALGS in cryptojwt.jws.jws
-            if alg not in ["HS256", "HS384", "HS512", "RS256", "RS384",
-                           "RS512", "ES256", "ES384", "ES512", "PS256",
-                           "PS384", "PS512", "none"]:
-                raise UnsupportedAlgorithm("Unknown algorithm: {}".format(alg))
-
+            if use == 'enc':
+                if alg not in ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
+                               "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
+                    raise UnsupportedAlgorithm("Unknown algorithm: {}".format(alg))
+            elif use == 'sig':
+                # The list comes from https://tools.ietf.org/html/rfc7518#page-6
+                # Should map against SIGNER_ALGS in cryptojwt.jws.jws
+                if alg not in ["HS256", "HS384", "HS512", "RS256", "RS384",
+                               "RS512", "ES256", "ES384", "ES512", "PS256",
+                               "PS384", "PS512", "none"]:
+                    raise UnsupportedAlgorithm("Unknown algorithm: {}".format(alg))
+            else:  # potentially used both for encryption and signing
+                if alg not in ["HS256", "HS384", "HS512", "RS256", "RS384",
+                               "RS512", "ES256", "ES384", "ES512", "PS256",
+                               "PS384", "PS512", "none", "RSA1_5", "RSA-OAEP", "RSA-OAEP-256",
+                               "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW",
+                               "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
+                    raise UnsupportedAlgorithm("Unknown algorithm: {}".format(alg))
         self.alg = alg
 
         if isinstance(use, str):
diff --git a/src/cryptojwt/jwk/ec.py b/src/cryptojwt/jwk/ec.py
@@ -4,6 +4,7 @@
 
 from ..exception import DeSerializationNotPossible
 from ..exception import JWKESTException
+from ..exception import UnsupportedECurve
 from ..utils import as_unicode
 from ..utils import deser
 from ..utils import long_to_base64
@@ -38,8 +39,12 @@ def ec_construct_public(num):
     :return: A cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey
         instance.
     """
-    ecpn = ec.EllipticCurvePublicNumbers(num['x'], num['y'],
-                                         NIST2SEC[as_unicode(num['crv'])]())
+    try:
+        _sec_crv = NIST2SEC[as_unicode(num['crv'])]
+    except KeyError:
+        raise UnsupportedECurve("Unsupported elliptic curve: {}".format(num['crv']))
+
+    ecpn = ec.EllipticCurvePublicNumbers(num['x'], num['y'], _sec_crv())
     return ecpn.public_key(default_backend())
 
 
