feat: sign header x5c usage and validation

Author: Zicchio

pyeudiw/jwt/jws_helper.py

@@ -349,7 +349,7 @@ def _validate_key_with_header_kid(key: dict, header: dict) -> None:
         raise Exception(
             f"token header contains a kid {header_kid} that does not match the signing key kid {key_kid}"
         )
-    return None
+    return
 
 
 def _validate_key_with_header_x5c(key: dict, header: dict) -> None:
@@ -363,7 +363,7 @@ def _validate_key_with_header_x5c(key: dict, header: dict) -> None:
     :raises Exception: if the key is not compatible with the header content x5c (if any)
     """
     x5c: list[str] | None = header.get("x5c")
-    if x5c is None:
+    if not x5c:
         return
     leaf_cert: str = x5c[0]
 
@@ -374,13 +374,13 @@ def _validate_key_with_header_x5c(key: dict, header: dict) -> None:
             raise Exception(
                 f"token header containes a chain whose leaf certificate {leaf_cert} does not match the signing key leaf certificate {leaf_x5c_cert}"\
             )
-        return None
+        return
     header_key = parse_b64der(leaf_cert)
     if header_key.thumbprint != JWK(key).thumbprint:
         raise Exception(
             f"public material of the key does not matches the key in the leaf certificate {leaf_cert}"
         )
-    return None
+    return
 
 
 def _validate_key_with_jws_header(key: dict, protected_jws_header: dict, unprotected_jws_header: dict) -> None:

pyeudiw/openid4vp/presentation_submission/__init__.py

@@ -179,7 +179,6 @@ def validate(
 
         for descriptor in validated_submission.descriptor_map:
             handler = self.handlers.get(descriptor.format)
-
             if not handler:
                 raise MissingHandler(f"Handler for format '{descriptor.format}' not found.")
 

pyeudiw/tests/satosa/test_backend.py

@@ -192,7 +192,7 @@ def _generate_payload(self, issuer_jwk, holder_jwk, nonce, state, aud, x509=Fals
 
         if x509:
             additional_headers = {
-                "x5c": self.chain
+                "x5c": [PEM_cert_to_B64DER_cert(pem) for pem in self.chain]
             }
         else:
             additional_headers = {
@@ -622,7 +622,6 @@ def test_response_endpoint_x5c_chain(self, context):
         }
         context.request_method = "POST"
         context.http_headers = {"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded"}
-        
         response_endpoint = self.backend.response_endpoint(context)
         assert response_endpoint.status == "200"
         assert "redirect_uri" in response_endpoint.message

pyeudiw/x509/verify.py

@@ -111,6 +111,14 @@ def B64DER_cert_to_PEM_cert(cert: str) -> str:
     return DER_cert_to_PEM_cert(base64.b64decode(cert))
 
 
+def B64DER_cert_to_DER_cert(cert: str) -> bytes:
+    """
+    Takes a certificate Base64 encoded DER and returns the
+    certificate in DER format.
+    """
+    return base64.b64decode(cert)
+
+
 def to_DER_cert(cert: str | bytes) -> bytes:
     """
     This function takes in a certificate with unknown representation
@@ -134,7 +142,7 @@ def to_DER_cert(cert: str | bytes) -> bytes:
 
     cert_s = cert_s.replace('\n\r', '')
     if _BASE64_RE.fullmatch(cert_s):
-        return B64DER_cert_to_PEM_cert(cert_s)
+        return B64DER_cert_to_DER_cert(cert_s)
 
     raise ValueError("unable to recognize input [cert] as a ccertifficate")