From 7dff2a266eb8c33224069176aa243894a4a92e4a Mon Sep 17 00:00:00 2001
From: Jakob Schlyter
Date: Thu, 13 Jun 2024 12:48:13 +0200
Subject: [PATCH] verify JWS with specific key if kid is set in protected header

---
 evrec/server.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/evrec/server.py b/evrec/server.py
index b67b2f4..0550adc 100644
--- a/evrec/server.py
+++ b/evrec/server.py
@@ -1,5 +1,6 @@
 import argparse
 import asyncio
+import json
 import logging
 import logging.config
 import os
@@ -144,7 +145,12 @@ async def handle_payload(
 def verify_jws_with_keys(jws: JWS, keys: JWKSet) -> JWK:
 """Verify JWS using keys and return key (or raise JWKeyNotFound)"""
- for key in keys:
+ protected_header = json.loads(jws.objects["protected"])
+ if kid := protected_header.get("kid"):
+ logger.debug("Signature by kid=%s", kid)
+ else:
+ logger.debug("Signature by unknown key")
+ for key in keys.get_keys(kid) or keys:
 try:
 jws.verify(key=key)
 return key