  1. #!/usr/bin/env python3
  2.  
  3. # Thanks to @rohe Roland Hedberg for most of the lines in this script :).
  4.  
  5. import argparse
  6. import os
  7. import sys
  8. import json
  9. from pygments import highlight
  10. from pygments.lexers import JsonLexer
  11. from pygments.formatters import TerminalFormatter
  12.  
  13. from cryptojwt.jwk import import_rsa_key, RSAKey, SYMKey, key_from_jwk_dict, \
  14. KEYS
  15.  
  16. from cryptojwt import jwe
  17. from cryptojwt import jws
  18.  
  19. __author__ = 'roland'
  20.  
  21. """
  22. Tool to view, verify signature on and/or decrypt JSON Web Token.
  23.  
  24. Usage examples:
  25.  
  26. (1) read JWT from stdin, no keys
  27.  
  28. cat idtoken | ./jwtpeek.py -f -
  29.  
  30. or
  31.  
  32. cat idtoken | ./jwtpeek.py
  33.  
  34. (2) read JWT from file, use keys from file with a JWKS to verify/decrypt
  35.  
  36. ./jwtpeek.py -f idtoken -J keys.jwks
  37.  
  38. """
  39.  
  40.  
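  def _print_json(obj):
      """Pretty-print *obj* as indented, syntax-highlighted JSON on stdout."""
      json_str = json.dumps(obj, indent=2)
      print(highlight(json_str, JsonLexer(), TerminalFormatter()))


  def main(jwt, keys, quiet):
      """Show the contents of a JWT, decrypting or verifying it when keys are given.

      The token is tried as a JWE first and as a JWS second.

      Args:
          jwt: The serialized token as a string.
          keys: Key objects used for decryption or signature verification;
              may be empty.
          quiet: When true, print only the prettified JSON payload.

      Exits with status 1 when an encrypted token is given without keys, or
      when the input parses as neither a JWE nor a JWS.
      """
      _jw = jwe.factory(jwt)
      if _jw:
          if not quiet:
              print("Encrypted JSON Web Token")
              print('Headers: {}'.format(_jw.jwt.headers))
          if not keys:
              # Diagnostics go to stderr so quiet mode keeps stdout JSON-only.
              print("No keys can't decrypt", file=sys.stderr)
              sys.exit(1)
          res = _jw.decrypt(keys=keys)
          # json.loads raises if the plaintext is not JSON (for example a
          # nested signed token); that case is not handled here.
          _print_json(json.loads(res))
          return

      _jw = jws.factory(jwt)
      if not _jw:
          # Previously this fell through silently with exit status 0, which a
          # calling script could mistake for a successfully inspected token.
          print("Input is neither a parsable JWE nor JWS", file=sys.stderr)
          sys.exit(1)

      if quiet:
          # NOTE: quiet mode never checks the signature, even when keys were
          # supplied. The claims printed here are unauthenticated and must
          # not be used for any trust decision.
          _print_json(json.loads(_jw.jwt.part[1].decode("utf-8")))
          return

      print("Signed JSON Web Token")
      # The header is printed before any verification and is attacker-controlled.
      print('Headers: {}'.format(_jw.jwt.headers))
      if keys:
          # NOTE(review): no expected algorithm is pinned here; confirm that
          # the installed cryptojwt rejects "none" and key/algorithm
          # mismatches by default.
          res = _jw.verify_compact(keys=keys)
          print('Verified message: {}'.format(res))
      else:
          print('Unverified message: {}'.format(_jw.jwt.part[1]))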
  70.  
  71.  
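  if __name__ == "__main__":
      # Command-line entry point: collect keys from the given sources, read
      # the token from a file, an argument or stdin, and hand both to main().
      parser = argparse.ArgumentParser()
      parser.add_argument('-r', dest="rsa_file",
                          help="File containing a RSA key")
      parser.add_argument('-k', dest="hmac_key",
                          help="If using a HMAC algorithm this is the key")
      parser.add_argument('-i', dest="kid", help="key id")
      parser.add_argument('-j', dest="jwk", help="JSON Web Key")
      parser.add_argument('-J', dest="jwks", help="JSON Web Keys")
      parser.add_argument('-u', dest="jwks_url", help="JSON Web Keys URL")
      parser.add_argument('-f', dest="msg", help="The message")
      parser.add_argument('-q', dest="quiet",
                          help="Quiet mode -- only show the RAW but prettified JSON",
                          action='store_true')

      args = parser.parse_args()

      _kid = args.kid or ''

      keys = []
      if args.rsa_file:
          # NOTE(review): the help text describes -r as a file path; confirm
          # that import_rsa_key reads a file rather than expecting PEM data.
          keys.append(RSAKey(key=import_rsa_key(args.rsa_file), kid=_kid))
      if args.hmac_key:
          # NOTE: a secret passed with -k is exposed through the process list
          # and shell history; prefer a JWK/JWKS file for shared secrets.
          keys.append(SYMKey(key=args.hmac_key, kid=_kid))

      if args.jwk:
          # key_from_jwk_dict takes a parsed JWK (a dict), so the file content
          # is JSON-decoded first; the raw string was passed before.
          with open(args.jwk) as fp:
              keys.append(key_from_jwk_dict(json.load(fp)))

      if args.jwks:
          _k = KEYS()
          with open(args.jwks) as fp:
              _k.load_jwks(fp.read())
          keys.extend(_k._keys)

      if args.jwks_url:
          _k = KEYS()
          # NOTE(review): the second argument appears to be the TLS
          # certificate verification flag (as in the jwkest-derived KEYS API;
          # confirm against the installed cryptojwt). It was False, so the key
          # set was fetched without authenticating the server and a "Verified"
          # result could rest on substituted keys. Verification is now on.
          _k.load_from_url(args.jwks_url, True)
          keys.extend(_k._keys)

      # No -f, or "-f -", means the token is read from stdin.
      if not args.msg or args.msg == "-":
          message = sys.stdin.read()
      elif os.path.isfile(args.msg):
          with open(args.msg) as fp:
              message = fp.read()
      else:
          # Not an existing file: treat the argument itself as the token.
          message = args.msg

      main(message.strip(), keys, args.quiet)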