Skip to content

Commit dc60b0f

Browse files
committed
Raise InvalidDPoPError instead of generic JWTError in DPoP verification
- Use domain-specific InvalidDPoPError for all DPoP signature validation failures (format, unsupported algorithm, signature length, invalid sig)
1 parent 0716c41 commit dc60b0f

1 file changed

Lines changed: 5 additions & 5 deletions

File tree

teaagent/oauth21.py

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -229,7 +229,7 @@ def _verify_dpop_signature(proof_jwt: str, jwk: dict[str, Any]) -> None:
229229
"""Verify the signature of a DPoP proof JWT using the embedded JWK."""
230230
parts = proof_jwt.split('.')
231231
if len(parts) != 3:
232-
raise JWTError('Invalid DPoP proof format')
232+
raise InvalidDPoPError('Invalid DPoP proof format')
233233
signing_input = f'{parts[0]}.{parts[1]}'.encode('ascii')
234234
signature_bytes = _b64url_decode(parts[2])
235235

@@ -241,7 +241,7 @@ def _verify_dpop_signature(proof_jwt: str, jwk: dict[str, Any]) -> None:
241241
elif kty == 'RSA' and alg in ('RS256', 'RS384', 'RS512'):
242242
_verify_dpop_rsa(signing_input, signature_bytes, jwk, alg)
243243
else:
244-
raise JWTError(
244+
raise InvalidDPoPError(
245245
f'Unsupported DPoP key type / algorithm: kty={kty} alg={alg}'
246246
)
247247

@@ -267,7 +267,7 @@ def _verify_dpop_ec(
267267
# key_size is in bits; each component is ceil(key_size/8) bytes
268268
byte_len = (key_size + 7) // 8
269269
if len(signature) != byte_len * 2:
270-
raise JWTError(
270+
raise InvalidDPoPError(
271271
f'Invalid DPoP EC signature length: {len(signature)} '
272272
f'(expected {byte_len * 2})'
273273
)
@@ -277,7 +277,7 @@ def _verify_dpop_ec(
277277
try:
278278
pub_key.verify(der_sig, signing_input, _crypto_ec.ECDSA(_ec_alg_to_hash(alg)))
279279
except InvalidSignature:
280-
raise JWTError('Invalid DPoP proof signature') from None
280+
raise InvalidDPoPError('Invalid DPoP proof signature') from None
281281

282282

283283
def _verify_dpop_rsa(
@@ -310,7 +310,7 @@ def _verify_dpop_rsa(
310310
Prehashed(hash_alg),
311311
)
312312
except InvalidSignature:
313-
raise JWTError('Invalid DPoP proof signature') from None
313+
raise InvalidDPoPError('Invalid DPoP proof signature') from None
314314

315315

316316
def _encode_dpop_proof_payload(method: str, url: str, nonce: str) -> bool:

0 commit comments

Comments
 (0)