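import base64
import json
import logging

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

from utils.crypto_utils import decrypt_symmetric_key, decrypt_data, encrypt_data, CLIENT_PUBLIC_KEY


def _decode_token_segment(segment):
    """Base64-decode one dotted token segment.

    Accepts the standard and the URL-safe alphabet and restores padding
    that compact token encodings usually strip.
    """
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def validate_token(auth_header, encrypted_data):
    """Unwrap the request key from the bearer token, decrypt and verify the body.

    Args:
        auth_header: Value of the Authorization header ("Bearer <token>").
        encrypted_data: Encrypted request body, passed to ``decrypt_data``.

    Returns:
        A tuple ``(data, symmetric_key)``: the JSON-decoded request body and
        the symmetric key, which the caller uses to encrypt the response.

    Raises:
        ValueError: If the header is not a Bearer header, the token is
            malformed or lacks a required field, the client signature does
            not verify, or the decrypted body is not valid JSON.
    """
    if not auth_header or not auth_header.startswith("Bearer "):
        raise ValueError("Invalid Authorization header")

    # Extract the token; the prefix check above guarantees index 1 exists.
    jwe_token = auth_header.split(" ")[1]
    segments = jwe_token.split(".")
    if len(segments) < 2 or not segments[1]:
        raise ValueError("Malformed bearer token")

    # Everything in the payload is attacker-controlled until the signature
    # check below succeeds, so all parse failures are reported uniformly as
    # ValueError instead of leaking KeyError/TypeError to the caller.
    try:
        payload = json.loads(_decode_token_segment(segments[1]))
        encrypted_symmetric_key = base64.b64decode(payload["enc_sym_key"])
        signature = base64.b64decode(payload["signature"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("Malformed bearer token") from exc

    # Unwrap the symmetric key, then decrypt the request body with it.
    symmetric_key = decrypt_symmetric_key(encrypted_symmetric_key)
    decrypted_data = decrypt_data(encrypted_data, symmetric_key)

    # Verify the client's ECDSA/SHA-256 signature over the plaintext body.
    # assumes decrypt_data returns str; TODO confirm
    # NOTE(review): the signature covers only the decrypted body. Neither the
    # wrapped key nor any freshness value (nonce, timestamp) is signed here,
    # so this check alone does not bind the returned response key to the
    # signer or reject a replayed body. Confirm the caller enforces that, or
    # extend the signed input to include the wrapped key.
    try:
        CLIENT_PUBLIC_KEY.verify(
            signature,
            decrypted_data.encode(),
            ec.ECDSA(hashes.SHA256()),
        )
    except InvalidSignature as exc:
        raise ValueError("Invalid client signature") from exc

    # Return both the decrypted data and the symmetric key for response encryption.
    return json.loads(decrypted_data), symmetric_key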