pyeudiw.jwt package

Submodules

pyeudiw.jwt.exceptions module

exception pyeudiw.jwt.exceptions.JWEDecryptionError[source]

Bases: Exception

exception pyeudiw.jwt.exceptions.JWEEncryptionError[source]

Bases: Exception

exception pyeudiw.jwt.exceptions.JWSSigningError[source]

Bases: Exception

exception pyeudiw.jwt.exceptions.JWSVerificationError[source]

Bases: Exception

exception pyeudiw.jwt.exceptions.JWTDecodeError[source]

Bases: Exception

exception pyeudiw.jwt.exceptions.JWTInvalidElementPosition[source]

Bases: Exception

exception pyeudiw.jwt.exceptions.LifetimeException[source]

Bases: ValidationError

Exception raised for errors related to lifetime validation.

pyeudiw.jwt.helper module

class pyeudiw.jwt.helper.JWHelperInterface(jwks: list[ECKey | RSAKey | OKPKey | SYMKey | dict] | ECKey | RSAKey | OKPKey | SYMKey | dict)[source]

Bases: object

get_jwk_by_kid(kid: str) ECKey | RSAKey | OKPKey | SYMKey | None[source]

Returns the JWK with the given kid from the list of JWKs.

Parameters:

kid (str) – The key ID of the JWK to retrieve.

Returns:

The JWK with the given kid, or None if not found.

Return type:

KeyLike | None

pyeudiw.jwt.helper.find_self_contained_key(header: dict) tuple[set[str], JWK] | None[source]

Function find_self_contained_key evaluates a token header and attempts at finding a self contained key (a self contained contained header is a header that contains the full public material of the verifying key that should be used to verify a token).

Currently recognized self contained headers are x5c, jwk, jku, x5u, x5t and trust_chain. It is responsability of the called to decide wether a self contained key representation is to be trusted.

The functions returns the key and the set of claim used to infer the self contained key. In no self contained key can be found, None is returned instead.

pyeudiw.jwt.helper.is_jwt_expired(token: str) bool[source]

Check if a JWT token is expired.

Parameters:

token (str) – The JWT token.

Returns:

True if the token is expired, False otherwise.

Return type:

bool

pyeudiw.jwt.helper.is_payload_expired(token_payload: dict) bool[source]

Check if a JWT payload is expired.

Parameters:

token_payload (dict) – The decoded JWT payload.

Returns:

True if the payload is expired, False otherwise.

Return type:

bool

pyeudiw.jwt.helper.serialize_payload(payload: dict | str | int | None) bytes | str | int[source]
pyeudiw.jwt.helper.validate_jwt_timestamps_claims(payload: dict, tolerance_s: int = 0) None[source]

Validates the ‘iat’, ‘exp’, and ‘nbf’ claims in a JWT payload, comparing them with the current time. The function assumes that the time in the payload claims is expressed as seconds since the epoch, as required by rfc 7519. To account for a clock skew between the token issuer and the token verifier, the optional argument tolerance_s can be used. As suggested by rfc 7519, it is recommended to keep the tolerance window to no more than a few minutes.

Parameters:

  • payload (dict) – The decoded JWT payload.

  • tolerance_s (int) – optional tolerance window, in seconds, which can be used to account for some clock skew between the token issuer and the token verifier.

Raises:

LifetimeException – If any of the claims are invalid.

pyeudiw.jwt.jwe_helper module

class pyeudiw.jwt.jwe_helper.JWEHelper(jwks: list[ECKey | RSAKey | OKPKey | SYMKey | dict] | ECKey | RSAKey | OKPKey | SYMKey | dict)[source]

Bases: JWHelperInterface

The helper class for work with JWEs.

decrypt(jwe: str) dict[source]

Generate a dict containing the content of decrypted JWE string.

Parameters:

jwe (str) – A string representing the jwe.

Raises:

JWEDecryptionError – if jwe field is not in a JWE Format

Returns:

A dict that represents the payload of decrypted JWE.

Return type:

dict

encrypt(plain_dict: dict | str | int | None, **kwargs) str[source]

Generate a encrypted JWE string.

Parameters:

  • plain_dict (Union[dict, str, int, None]) – The payload of JWE.

  • kwargs – Other optional fields to generate the JWE.

Returns:

A string that represents the JWE.

Return type:

str

pyeudiw.jwt.jws_helper module

class pyeudiw.jwt.jws_helper.JWSHelper(jwks: list[ECKey | RSAKey | OKPKey | SYMKey | dict] | ECKey | RSAKey | OKPKey | SYMKey | dict)[source]

Bases: JWHelperInterface

Helper class for working with JWS, extended to support SD-JWT.

is_sd_jwt(token: str) bool[source]

Determines if the provided JWT is an SD-JWT.

Parameters:

token (str) – The JWT token to inspect.

Returns:

True if the token is an SD-JWT, False otherwise.

Return type:

bool

sign(plain_dict: dict | str | int | None, protected: dict | None = None, unprotected: dict | None = None, serialization_format: Literal['compact', 'json'] = 'compact', signing_kid: str = '', kid_in_header: bool = True, signing_algs: list[str] = [], **kwargs) str[source]

Generate a signed JWS with the given payload and header. This method provides no guarantee that the input header is fully preserved, not does it guarantee that some optional but usually found header such as ‘typ’ and ‘kid’ are present. If the signing jwk has a kid claim, and the JWS header does not a have a kid claim, a kid matching the signing key ‘kid’ can be injected in the protected header by setting kid_in_header=True.

Header claim ‘alg’ is always added as it is mandated by RFC7515 and, if present, will be overridden with the actual ‘alg’ used for singing. This is done to make sure that untrusted alg values, such as none, cannot be used.

The signing key is selected among the constructor jwks based on internal heuristics. The user can force with key he can attempt to use by setting signing_key, which will then be looked in the internal set of available keys.

If the header already contains indication of a key, such as ‘kid’, ‘trust_chain’ and ‘x5c’, the method will attempt to match the signing key among the available keys based on such claims, but there is no guarantee that the correct key will be selected. We assume that is it responsibility of the class initiator to make those checks. To avoid any possible ambiguity, it is suggested to initilize the class with one (signing) key only.

Parameters:

  • plain_dict – The payload to be signed.

  • protected – Protected header for the JWS.

  • unprotected – Unprotected header for the JWS (only for JSON serialization).

  • serialization_format – The format of the signature (compact or JSON).

  • signing_kid – The key ID for signing.

  • kid_in_header – If True, include the key ID in the token header.

  • kwargs – Additional parameters for the signing process.

Returns:

The signed JWS token.

Return type:

str

Raises:

JWSSigningError – if there is any signing error, such as the signing key not being suitable for such a cryptographic operation

verify(jwt: str, tolerance_s: int = 60) dict | bytes | str | Any[source]

Verify a JWS with one of the initialized keys and validate standard standard claims if possible, such as ‘iat’ and ‘exp’. Verification of tokens in JSON serialization format is not supported.

Parameters:

  • jwt – The JWS token to be verified.

  • tolerance_s (int) – optional tolerance window, in seconds, which can be used to account for some clock skew between the token issuer and the token verifier when validating lifetime claims.

Raises:

JWSVerificationError – if jws field is not in compact jws format or if the signature is invalid

Returns:

the decoded payload of the verified tokens.

Return type:

dict | bytes | str | Any

pyeudiw.jwt.log module

pyeudiw.jwt.parse module

class pyeudiw.jwt.parse.DecodedJwt(jwt: str, header: dict, payload: dict, signature: str)[source]

Bases: object

Schema class for a decoded jwt. This class is not meant to be instantiated directly. Use instead the static method parse(str) -> DecodedJwt.

header: dict
jwt: str
static parse(jws: str) DecodedJwt[source]

Parse a token into its components.

Raises:

ValueError – if the token is not a jwt

Parameters:

jws (str) – the token to parse

payload: dict
signature: str
pyeudiw.jwt.parse.unsafe_parse_jws(token: str) DecodedJwt[source]

Parse a token into its components. Correctness of this function is not guaranteed when the token is in a derived format, such as sd-jwt and jwe.

Parameters:

token (str) – the token to parse

Raises:
Returns:

the decoded jwt

Return type:

DecodedJwt

pyeudiw.jwt.utils module

pyeudiw.jwt.utils.base64_urldecode(v: str) bytes[source]

Urlsafe base64 decoding. This function will handle missing padding symbols.

Returns:

the decoded data in bytes, format, convert to str use method ‘.decode(“utf-8”)’ on result

Return type:

bytes

pyeudiw.jwt.utils.base64_urlencode(v: bytes) str[source]

Urlsafe base64 encoding without padding symbols

Returns:

the encooded data

Return type:

str

pyeudiw.jwt.utils.decode_jwt_element(jwt: str, position: int) dict[source]

Decodes the element in a determinated position.

Parameters:

  • jwt (str) – a string that represents the jwt.

  • position (int) – the position of segment to unpad.

Raises:
Returns:

a dict with the content of the decoded section.

Return type:

dict

pyeudiw.jwt.utils.decode_jwt_header(jwt: str) dict[source]

Decodes the jwt header.

Parameters:

jwt (str) – a string that represents the jwt.

Raises:
Returns:

a dict with the content of the decoded header.

Return type:

dict

pyeudiw.jwt.utils.decode_jwt_payload(jwt: str) dict[source]

Decodes the jwt payload.

Parameters:

jwt (str) – a string that represents the jwt.

Raises:
Returns:

a dict with the content of the decoded payload.

Return type:

dict

pyeudiw.jwt.utils.is_jwe_format(jwt: str)[source]

Check if a string is in JWE format.

Parameters:

jwt (str) – a string that represents the jwt.

Returns:

True if the string is a JWE, False otherwise.

Return type:

bool

pyeudiw.jwt.utils.is_jwt_format(jwt: str) bool[source]

Check if a string is in JWT format.

Parameters:

jwt (str) – a string that represents the jwt.

Returns:

True if the string is a JWT, False otherwise.

Return type:

bool

pyeudiw.jwt.verification module

pyeudiw.jwt.verification.verify_jws_with_key(jws: str, key: JWK) None[source]
Raises:

JWSVerificationError – is signature verification fails for any reason

Module contents