fix: check header in crit is supported

Author: lepture

.github/workflows/test.yml

@@ -80,7 +80,7 @@ jobs:
           name: GitHub
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@v5.3.1
+        uses: SonarSource/sonarqube-scan-action@v5
         continue-on-error: true
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

src/joserfc/_rfc7515/registry.py

@@ -8,7 +8,7 @@
     JWS_HEADER_REGISTRY,
     Header,
     HeaderRegistryDict,
-    validate_registry_header,
+    check_registry_header,
     check_crit_header,
     check_supported_header,
 )
@@ -82,8 +82,8 @@ def get_alg(self, name: str) -> JWSAlgModel:
 
     def check_header(self, header: Header) -> None:
         """Check and validate the fields in header part of a JWS object."""
-        check_crit_header(header)
-        validate_registry_header(self.header_registry, header)
+        check_crit_header(self.header_registry, header)
+        check_registry_header(self.header_registry, header)
         if self.strict_check_header:
             check_supported_header(self.header_registry, header)
 

src/joserfc/_rfc7516/registry.py

@@ -8,7 +8,7 @@
     HeaderRegistryDict,
     JWE_HEADER_REGISTRY,
     check_supported_header,
-    validate_registry_header,
+    check_registry_header,
     check_crit_header,
 )
 
@@ -71,12 +71,12 @@ def register(cls, model: JWEAlgorithm) -> None:
 
     def check_header(self, header: Header, check_more: bool = False) -> None:
         """Check and validate the fields in header part of a JWS object."""
-        check_crit_header(header)
-        validate_registry_header(self.header_registry, header)
+        check_crit_header(self.header_registry, header)
+        check_registry_header(self.header_registry, header)
 
         alg = self.get_alg(header["alg"])
         if alg.more_header_registry:
-            validate_registry_header(alg.more_header_registry, header, check_more)
+            check_registry_header(alg.more_header_registry, header, check_more)
 
             if self.strict_check_header:
                 allowed_registry = self.header_registry.copy()

src/joserfc/registry.py

@@ -10,7 +10,7 @@
 Header = dict[str, Any]
 
 
-def is_str(value: str) -> None:
+def is_str(value: Any) -> None:
     if not isinstance(value, str):
         raise ValueError("must be a str")
 
@@ -185,7 +185,7 @@ def check_supported_header(registry: HeaderRegistryDict, header: Header) -> None
         raise UnsupportedHeaderError(f"Unsupported {unsupported_keys} in header")
 
 
-def validate_registry_header(registry: HeaderRegistryDict, header: Header, check_required: bool = True) -> None:
+def check_registry_header(registry: HeaderRegistryDict, header: Header, check_required: bool = True) -> None:
     for key, reg in registry.items():
         if check_required and reg.required and key not in header:
             raise MissingHeaderError(key)
@@ -196,9 +196,18 @@ def validate_registry_header(registry: HeaderRegistryDict, header: Header, check
                 raise InvalidHeaderValueError(f"'{key}' in header {error}")
 
 
-def check_crit_header(header: Header) -> None:
-    # check crit header
+def check_crit_header(registry: HeaderRegistryDict, header: Header) -> None:
+    # check `crit` header
+    missing_crit_headers = []
+    unsupported_crit_headers = []
     if "crit" in header:
         for k in header["crit"]:
             if k not in header:
-                raise MissingCritHeaderError(k)
+                missing_crit_headers.append(k)
+            elif k not in registry:
+                unsupported_crit_headers.append(k)
+
+    if missing_crit_headers:
+        raise MissingCritHeaderError(",".join(missing_crit_headers))
+    elif unsupported_crit_headers:
+        raise UnsupportedHeaderError(f"Unsupported {unsupported_crit_headers} in header")

tests/jws/test_errors.py

@@ -113,6 +113,24 @@ def test_crit_header(self):
         header = {"alg": "HS256", "kid": "1", "crit": ["kid"]}
         jws.serialize_compact(header, "i", self.key)
 
+    def test_unsupported_crit_header(self):
+        header = {"alg": "HS256", "bob": "a", "crit": ["bob"]}
+        self.assertRaises(
+            UnsupportedHeaderError,
+            jws.serialize_compact,
+            header,
+            "i",
+            self.key,
+        )
+
+        registry = jws.JWSRegistry(
+            header_registry={
+                "bob": HeaderParameter("Bob", "str"),
+            }
+        )
+        # allow with custom header registry
+        jws.serialize_compact(header, "i", self.key, registry=registry)
+
     def test_extra_header(self):
         header = {"alg": "HS256", "extra": "hi"}
         self.assertRaises(