Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/sd jwt issuer verify iat exp #321

Merged
merged 11 commits into from
Jan 10, 2025
Merged

Feature/sd jwt issuer verify iat exp #321

merged 11 commits into from
Jan 10, 2025

Conversation

LadyCodesItBetter
Copy link
Collaborator

@LadyCodesItBetter LadyCodesItBetter commented Jan 9, 2025
edited by peppelinux
Loading

Resolve #316

@LadyCodesItBetter LadyCodesItBetter mentioned this pull request Jan 9, 2025
Closed
@LadyCodesItBetter LadyCodesItBetter mentioned this pull request Jan 9, 2025
Closed
peppelinux
peppelinux reviewed Jan 9, 2025
View reviewed changes
pyeudiw/jwt/jws_helper.py Outdated
return signed
except Exception as e:
raise JWSSigningError("Signing error: error in step", e)
return signer.sign_json(keys=[key_from_jwk_dict(signing_key)], headers=[(protected, unprotected)], flatten=True)
return signer.sign_json(
keys=[key_from_jwk_dict(signing_key)],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't repeat this twice key_from_jwk_dict(signing_key)

please assign the result to a variable and reuse it

peppelinux
peppelinux reviewed Jan 9, 2025
View reviewed changes
pyeudiw/jwt/jws_helper.py Outdated

:param payload: The original payload.
:returns: The payload with added SD-JWT claims.
def validate_jwt_claims(self, payload: dict) -> None:
Copy link
Member

@peppelinux peppelinux Jan 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this would be renamed to something specific for the timestamps used in iat, exp and nbf

validate_jwt_timestamps_claims

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok

peppelinux
peppelinux reviewed Jan 9, 2025
View reviewed changes
pyeudiw/sd_jwt/verifier.py Outdated
else:
raise ValueError(
f"Unsupported serialization format: {self._serialization_format}"
)

self._holder_public_key_payload = self._sd_jwt_payload.get("cnf", None)

def validate_claims(self, payload: dict) -> None:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the same code is repeated here: https://github.com/italia/eudi-wallet-it-python/pull/321/files#diff-0317cdc2af0d2f80fb9f878259e22ed628fea69148372f976a757b8bee5b0c6aR285

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moreover, note that the method does not need to be class member: self is never used and this could be a pure function instead (ivoking the pure function twice also trivially satisfy the review note above).
IMHO I would name the method validate_lifetime_claims(claims: dict), but valida_timestamp_claims is also 100% ok.

Zicchio
Zicchio reviewed Jan 10, 2025
View reviewed changes
pyeudiw/sd_jwt/verifier.py Outdated

if 'iat' in payload:
if payload['iat'] > current_time:
raise ValueError("Future issue time, token is invalid.")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure it matters but this is not a ValueError. This is a validation error. In Python a ValueError is usually used when a passed argument has a valid type, but the method in undefined on that specific value (for example a method could be defined on int but might only be able to process positive integers).
https://docs.python.org/3/library/exceptions.html#ValueError

A custom exception, such as LifetimeException or something like that, might be more suitable.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LifetimeException that inherits ValidationError

@LadyCodesItBetter LadyCodesItBetter marked this pull request as ready for review January 10, 2025 14:38
@peppelinux peppelinux merged commit 68246ab into italia:dev Jan 10, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Zicchio Zicchio Zicchio left review comments

@peppelinux peppelinux peppelinux approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SD-JWT for VC should use JWSHelper to verify the issuer JWT
3 participants
@LadyCodesItBetter @peppelinux @Zicchio