Keep It Simple Stupid. Started using the CherryPy server and made classes from the parts.

2024-10-22 22:06:19 +03:00
parent 6db5290cca
commit e620c28648
12 changed files with 600 additions and 0 deletions
--- a/kiss/toml-manager/auth/token_auth.py
+++ b/kiss/toml-manager/auth/token_auth.py
@ -0,0 +1,36 @@
+import json
+import base64
+from utils.crypto_utils import decrypt_symmetric_key, decrypt_data, encrypt_data, CLIENT_PUBLIC_KEY
+from cryptography.exceptions import InvalidSignature
+import logging
+
+def validate_token(auth_header, encrypted_data):
+    if not auth_header or not auth_header.startswith("Bearer "):
+        raise ValueError("Invalid Authorization header")
+    
+    # Extract JWE token
+    jwe_token = auth_header.split(" ")[1]
+    payload = json.loads(base64.b64decode(jwe_token.split('.')[1]))
+
+    # Extract the encrypted symmetric key from the token payload
+    encrypted_symmetric_key = base64.b64decode(payload['enc_sym_key'])
+    
+    # Decrypt the symmetric key
+    symmetric_key = decrypt_symmetric_key(encrypted_symmetric_key)
+    
+    # Decrypt the data using the symmetric key
+    decrypted_data = decrypt_data(encrypted_data, symmetric_key)
+
+    # Verify client's signature
+    signature = base64.b64decode(payload['signature'])
+    try:
+        CLIENT_PUBLIC_KEY.verify(
+            signature,
+            decrypted_data.encode(),
+            ec.ECDSA(hashes.SHA256())
+        )
+    except InvalidSignature:
+        raise ValueError("Invalid client signature")
+    
+    # Return both decrypted data and the symmetric key for response encryption
+    return json.loads(decrypted_data), symmetric_key