fix: enc_alg_supported, enc_enc_supported

PascalDR · PascalDR · commit 523630277b7f · 2025-03-28T13:01:55.000+01:00
diff --git a/pyeudiw/openid4vp/authorization_response.py b/pyeudiw/openid4vp/authorization_response.py
@@ -13,6 +13,7 @@
     AuthorizeResponsePayload,
     ResponseMode,
 )
+from pyeudiw.jwt.utils import decode_jwt_header
 
 
 _S = TypeVar('_S', str, list[str])
@@ -117,8 +118,15 @@ class DirectPostJwtJweParser(AuthorizationResponseParser):
         https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-response-mode-direct_postjw
     """
 
-    def __init__(self, jwe_decryptor: JWEHelper):
+    def __init__(
+            self, 
+            jwe_decryptor: JWEHelper, 
+            enc_alg_supported: list[str] = [], 
+            enc_enc_supported: list[str] = []
+        ) -> None:
         self.jwe_decryptor = jwe_decryptor
+        self.enc_alg_supported = enc_alg_supported
+        self.enc_enc_supported = enc_enc_supported
 
     def parse_and_validate(
         self, context: satosa.context.Context
@@ -131,6 +139,19 @@ def parse_and_validate(
             raise AuthRespParsingException(
                 "invalid data in direct_post.jwt request body", e
             )
+        
+        header = decode_jwt_header(resp_data.response)
+
+        if not header.get("alg") in self.enc_alg_supported:
+            raise AuthRespValidationException(
+                "invalid data in direct_post.jwt: alg not supported"
+            )
+        
+        if not header.get("enc") in self.enc_enc_supported:
+            raise AuthRespValidationException(
+                "invalid data in direct_post.jwt: enc not supported"
+            )
+
         try:
             payload = self.jwe_decryptor.decrypt(resp_data.response)
         except JWEDecryptionError as e:
diff --git a/pyeudiw/satosa/default/response_handler.py b/pyeudiw/satosa/default/response_handler.py
@@ -341,7 +341,11 @@ def _parse_authorization_response(
                 return parser.parse_and_validate(context)
             case ResponseMode.direct_post_jwt:
                 jwe_decrypter = JWEHelper(self.config["metadata_jwks"])
-                parser = DirectPostJwtJweParser(jwe_decrypter)
+                parser = DirectPostJwtJweParser(
+                    jwe_decrypter, 
+                    self.config["jwt"].get("enc_alg_supported", []), 
+                    self.config["jwt"].get("enc_enc_supported", [])
+                )
                 return parser.parse_and_validate(context)
             case ResponseMode.error:
                 return ErrorResponsePayload(**context.request)
diff --git a/pyeudiw/tests/openid4vp/test_authorization_response.py b/pyeudiw/tests/openid4vp/test_authorization_response.py
@@ -11,6 +11,7 @@
     AuthRespParsingException,
     AuthRespValidationException,
 )
+from pyeudiw.tests.settings import CONFIG
 
 
 @pytest.fixture
@@ -115,7 +116,7 @@ def test_direct_post_response_bad_parse_case():
 
 def test_direct_post_jwt_jwe_parser_good_case(jwe_helper):
 
-    parser = DirectPostJwtJweParser(jwe_helper)
+    parser = DirectPostJwtJweParser(jwe_helper, CONFIG["jwt"].get("enc_alg_supported", []), CONFIG["jwt"].get("enc_enc_supported", []))
 
     ctx = satosa.context.Context()
     ctx.request_method = "POST"
@@ -144,7 +145,7 @@ def test_direct_post_jwt_jwe_parser_good_case(jwe_helper):
 
 def test_direct_post_jwt_jwe_parser_bad_parse_case(jwe_helper):
     # case 0: bad method
-    parser = DirectPostJwtJweParser(jwe_helper)
+    parser = DirectPostJwtJweParser(jwe_helper, CONFIG["jwt"].get("enc_alg_supported", []), CONFIG["jwt"].get("enc_enc_supported", []))
 
     ctx = satosa.context.Context()
     ctx.request_method = "GET"
@@ -192,7 +193,7 @@ def test_direct_post_jwt_jwe_parser_bad_parse_case(jwe_helper):
 
 
 def test_direct_post_jwt_jwe_parser_bad_validation_case(jwe_helper):
-    parser = DirectPostJwtJweParser(jwe_helper)
+    parser = DirectPostJwtJweParser(jwe_helper, CONFIG["jwt"].get("enc_alg_supported", []), CONFIG["jwt"].get("enc_enc_supported", []))
 
     wrong_public_key = {
         "kid": "ybmSufrnl3Cu6OrNcsOF_g95g5zShf2aKpg59PMcMm8",
diff --git a/pyeudiw/tests/settings.py b/pyeudiw/tests/settings.py
@@ -82,7 +82,26 @@
         "expiration_time": 120,
         "logo_path": "pyeudiw/tests/satosa/static/logo.png",
     },
-    "jwt": {"default_sig_alg": "ES256", "default_exp": 6},
+    "jwt": {
+        "default_sig_alg": "ES256", 
+        "default_exp": 6,
+        "enc_alg_supported": [
+            "RSA-OAEP",
+            "RSA-OAEP-256",
+            "ECDH-ES",
+            "ECDH-ES+A128KW",
+            "ECDH-ES+A192KW",
+            "ECDH-ES+A256KW"
+        ],
+        "enc_enc_supported": [
+            "A128CBC-HS256",
+            "A192CBC-HS384",
+            "A256CBC-HS512",
+            "A128GCM",
+            "A192GCM",
+            "A256GCM",
+        ],
+    },
     "authorization": {
         "url_scheme": "haip",  # haip://
         "scopes": ["pid-sd-jwt:unique_id+given_name+family_name"],
