Update keyjar when needed.

rohe · rohe · commit 71ff1e2251a0 · 2021-09-22T09:20:11.000+02:00
diff --git a/src/oidcmsg/message.py b/src/oidcmsg/message.py
@@ -468,6 +468,28 @@ def to_jwt(self, key=None, algorithm="", lev=0, lifetime=0):
         _jws = JWS(self.to_json(lev), alg=algorithm)
         return _jws.sign_compact(key)
 
+    def _gather_keys(self, keyjar, jwt, header, **kwargs):
+        key = []
+
+        if keyjar:
+            _keys = keyjar.get_jwt_verify_keys(jwt, **kwargs)
+            if not _keys:
+                keyjar.update()
+                _keys = keyjar.get_jwt_verify_keys(jwt, **kwargs)
+            key.extend(_keys)
+
+        if "alg" in header and header["alg"] != "none":
+            if not key:
+                if keyjar:
+                    keyjar.update()
+                    key = keyjar.get_jwt_verify_keys(jwt, **kwargs)
+                    if not key:
+                        raise MissingSigningKey("alg=%s" % header["alg"])
+                else:
+                    raise MissingSigningKey("alg=%s" % header["alg"])
+
+        return key
+
     def from_jwt(self, txt, keyjar, verify=True, **kwargs):
         """
         Given a signed and/or encrypted JWT, verify its correctness and then
@@ -515,7 +537,6 @@ def from_jwt(self, txt, keyjar, verify=True, **kwargs):
             jso = _jwt.payload()
             _header = _jwt.headers
 
-            key = []
             # if "sender" in kwargs:
             #     key.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
 
@@ -524,21 +545,13 @@ def from_jwt(self, txt, keyjar, verify=True, **kwargs):
             if _header["alg"] == "none":
                 pass
             elif verify:
-                if keyjar:
-                    key.extend(keyjar.get_jwt_verify_keys(_jwt, **kwargs))
+                key = self._gather_keys(keyjar, _jwt, _header, **kwargs)
 
-                if "alg" in _header and _header["alg"] != "none":
-                    if not key:
-                        raise MissingSigningKey("alg=%s" % _header["alg"])
+                if not key:
+                    raise MissingSigningKey("alg=%s" % _header["alg"])
 
                 logger.debug("Found signing key.")
-                try:
-                    _verifier.verify_compact(txt, key)
-                except NoSuitableSigningKeys:
-                    if keyjar:
-                        keyjar.update()
-                        key = keyjar.get_jwt_verify_keys(_jwt, **kwargs)
-                        _verifier.verify_compact(txt, key)
+                _verifier.verify_compact(txt, key)
 
             self.jws_header = _jwt.headers
         else:
