# Verifying the validity of the certificate for the access token

Only for Internal testing

Supported algorithms: "RS256", "RS512"

Replace the access token and certificate strings below (the certificate must be a PEM-encoded X.509 certificate, not a bare public key).

Run each cell in order, starting from the top.








**Run the code below first to make sure all the required libraries are installed.**
Use "Control+Enter" or "Shift+Enter" to run each code block. Only `pyjwt`, `cryptography` and `pyopenssl` are imported by the cells below; the `crypto` package (and the `Naked`/`shellescape` packages it pulls in) is not used by any of them.


In [1]:
!pip install pyjwt
!pip install cryptography
!pip install crypto
!pip install pyopenssl

Collecting pyjwt
  Downloading https://files.pythonhosted.org/packages/2a/4d/67cc66a0c49003dc216fc73db2d05a3b80c7193167fd113da1f2c678ac2a/PyJWT-2.3.0-py3-none-any.whl
Installing collected packages: pyjwt
Successfully installed pyjwt-2.3.0
Collecting crypto
  Downloading https://files.pythonhosted.org/packages/fc/bb/0b812dc02e6357606228edfbf5808f5ca0a675a84273578c3a199e841cd8/crypto-1.4.1-py2.py3-none-any.whl
Collecting shellescape
  Downloading https://files.pythonhosted.org/packages/d0/f4/0081137fceff5779cd4205c1e96657e41cc2d2d56c940dc8eeb6111780f7/shellescape-3.8.1-py2.py3-none-any.whl
Collecting Naked
  Downloading https://files.pythonhosted.org/packages/02/36/b8107b51adca73402ec1860d88f41d958e275e60eea6eeaa9c39ddb89a40/Naked-0.1.31-py2.py3-none-any.whl (590kB)
Installing collected packages: shellescape, Naked, crypto
Successfully installed Naked-0.1.31 crypto-1.4.1 shellescape-3.8.1


**Run the code below first so that all the helper functions are defined.**

In [4]:
import json
import jwt
from cryptography import x509
from cryptography.hazmat.backends import default_backend


# global definitions
# Only RSA signature algorithms are accepted. jwt.decode rejects a token whose
# header "alg" is not in this list, so HS* (shared-secret) tokens fail the
# signature check.
algorithms_options = ["RS256", "RS512"]

# PyJWT decode options used by validate_access_token_signature().
# verify_exp is False: an expired token still passes the signature check.
check_options = dict(
    verify_signature=True,
    verify_exp=False,
    verify_nbf=True,
    verify_iat=True,
    verify_aud=False,
    require_exp=False,
    require_iat=False,
    require_nbf=False,
)

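def validate_access_token_signature(cert_str: str, access_token: str) -> bool:
    """Verify *access_token*'s signature against the public key in *cert_str*.

    Args:
        cert_str: PEM-encoded X.509 certificate (not a bare public key).
        access_token: Compact-serialised JWT.

    Returns:
        True when the token decodes with the certificate's public key under
        ``algorithms_options`` and ``check_options``; False on any failure
        (the exception is printed, not raised).

    The unverified header and the verified claims are printed as JSON.
    Expiry is NOT checked here because ``check_options`` sets ``verify_exp``
    to False.
    """
    try:
        certificate = x509.load_pem_x509_certificate(
            cert_str.encode(), backend=default_backend()
        )
        public_key = certificate.public_key()

        # The header is read before any verification, so it is untrusted
        # input that is only echoed for diagnostics.
        header_dict = jwt.get_unverified_header(access_token)
        if header_dict:
            print(json.dumps(header_dict, indent=2))

        claims = jwt.decode(
            access_token,
            public_key,
            algorithms=algorithms_options,
            options=check_options,
        )
    except Exception as e:
        # Best-effort diagnostic helper: report the failure and return False.
        print("An exception occurred:", e, "\n")
        return False

    # jwt.decode raises on a bad signature, so reaching this point means the
    # signature verified, even when the payload is empty ({} is falsy, which
    # the original truthiness test would have reported as invalid).
    print(json.dumps(claims, indent=2))
    return True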


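def getPublcKeyFromCertString(st_cert: str) -> str:
    """Extract the PEM public key from a PEM X.509 certificate string.

    Args:
        st_cert: PEM-encoded X.509 certificate.

    Returns:
        The certificate's public key as a PEM string, or "" when the
        certificate cannot be parsed (the error is printed, not raised).
    """
    # pyOpenSSL is only needed by this helper, so it is imported locally.
    from OpenSSL import crypto

    try:
        crt_obj = crypto.load_certificate(crypto.FILETYPE_PEM, st_cert)
        pub_key_pem = crypto.dump_publickey(crypto.FILETYPE_PEM, crt_obj.get_pubkey())
        # dump_publickey returns bytes; decode so the declared str return
        # type (and the "" failure value) hold on both paths.
        return pub_key_pem.decode("ascii")
    except Exception as e:
        print("An exception occurred:", e, "\n")
    return ""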

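def decode_access_token(access_token: str):
    """Print a JWT's header and claims WITHOUT verifying its signature.

    Args:
        access_token: Compact-serialised JWT.

    Returns:
        The decoded claims dict, or None if the token could not be parsed
        (the exception is printed, not raised).

    Because ``verify_signature`` is False, nothing printed or returned here
    is authenticated; use validate_access_token_signature() for that.
    """
    # Signature verification is switched off: this helper only inspects.
    print_options = {
        'verify_signature': False,  # do not check certificate
        'verify_exp': False,
        'verify_nbf': True,
        'verify_iat': True,
        'verify_aud': False,
        'require_exp': False,
        'require_iat': False,
        'require_nbf': False,
    }

    try:
        header_dict = jwt.get_unverified_header(access_token)
        if header_dict:
            print(json.dumps(header_dict, indent=2))

        # With verify_signature False the key is not used, so an empty
        # string is passed; the alg list is likewise not enforced (the
        # HS256 sample token in this notebook decodes fine here).
        claims = jwt.decode(
            access_token,
            "",
            algorithms=algorithms_options,
            options=print_options,
        )
    except Exception as e:
        print("An exception occurred:", e, "\n")
        return None

    print(json.dumps(claims, indent=2))
    return claims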

**Run the code below to decode the access token (its signature is not verified in this step).**

In [5]:
# Test access token from https://auth0.com/docs/secure/tokens/access-tokens/use-access-tokens
# Its header alg is HS256, so it only works with decode_access_token (signature
# check disabled); validate_access_token_signature accepts RS256/RS512 only.
myaccesstoken = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuYXV0aDAuY29tLyIsImF1ZCI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tL2NhbGFuZGFyL3YxLyIsInN1YiI6InVzcl8xMjMiLCJpYXQiOjE0NTg3ODU3OTYsImV4cCI6MTQ1ODg3MjE5Nn0.CA7eaHjIHz5NxeIJoFK9krqaeZrPLwmMmgI_XiQiIkQ"
)
decode_access_token(myaccesstoken)

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "iss": "https://example.auth0.com/",
  "aud": "https://api.example.com/calandar/v1/",
  "sub": "usr_123",
  "iat": 1458785796,
  "exp": 1458872196
}


**Run the code below to check whether the access token's signature matches the certificate.**

Note: If you see the error "An exception occurred: Unable to load certificate", the certificate string is not in the expected PEM format.

In [None]:
# Paste the access token and its PEM X.509 certificate here; both values in
# this cell are empty placeholders.
keykaccesstoken = ""
keykcertstring = (
    "-----BEGIN CERTIFICATE-----\n"
    "\n"
    "-----END CERTIFICATE-----"
)

is_valid_cert = validate_access_token_signature(keykcertstring, keykaccesstoken)
print("*******Is certificate Valid:", is_valid_cert, " *******", "\n")