authlib
Inconsistent error when using KeySet
When working with keysets for decoding JWTs encoded as JWEs, the error is different than when using a single key.
When using a KeySet the raised error is a ValueError(f'No key for kid: "{kid}"'), but when working with single keys it raises a joserfc.errors.DecodeError("tag does not match"). I would expect that in both cases an error extending from joserfc.errors.JoseError is raised, as according to the docs it is the Base Exception for all errors in joserfc. Raising an error extending from JoseError is also useful, because the caller does not have an easy way to check if the keyset has a kid necessary to decrypt the given token.
Below you can see how the two different errors can be raised
>>> from joserfc import jwt, jwe, jwk
>>> claims = {"iss": "https://authlib.org"}
>>> KID="kid"
>>> header={"alg": "dir", "enc": "A256CBC-HS512", "kid": KID}
>>> key = jwk.OctKey.import_key("s"*64, {"kid": KID})
>>> key_without_kid = jwk.OctKey.import_key("s"*64)
>>> token = jwt.encode(header, claims, key, registry=jwe.JWERegistry())>>> claims = {"iss": "https://authlib.org"}
>>> invalid_key = jwk.OctKey.import_key("t"*64)
>>>
>>> jwt.decode(token, key, registry=jwe.JWERegistry()).claims
{'iss': 'https://authlib.org'}
>>>
>>> jwt.decode(token, key_without_kid, registry=jwe.JWERegistry()).claims
{'iss': 'https://authlib.org'}
>>>
>>> jwt.decode(token, jwk.KeySet([key]), registry=jwe.JWERegistry()).claims
{'iss': 'https://authlib.org'}
>>>
>>>
>>>
>>> jwt.decode(token, invalid_key, registry=jwe.JWERegistry()).claims
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 85, in decode
header, payload = _decode_jwe(_value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 102, in _decode_jwe
jwe_obj = decrypt_compact(value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwe.py", line 152, in decrypt_compact
perform_decrypt(obj, registry)
File ".venv/lib/python3.12/site-packages/joserfc/rfc7516/message.py", line 82, in perform_decrypt
_perform_decrypt(obj, registry)
File ".venv/lib/python3.12/site-packages/joserfc/rfc7516/message.py", line 124, in _perform_decrypt
msg = enc.decrypt(ciphertext, tag, cek, iv, aad)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/rfc7518/jwe_encs.py", line 71, in decrypt
raise DecodeError("tag does not match")
joserfc.errors.DecodeError: decode_error: tag does not match
>>>
>>>
>>>
>>> jwt.decode(token, jwk.KeySet([invalid_key]), registry=jwe.JWERegistry()).claims
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 85, in decode
header, payload = _decode_jwe(_value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File .venv/lib/python3.12/site-packages/joserfc/jwt.py", line 102, in _decode_jwe
jwe_obj = decrypt_compact(value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwe.py", line 147, in decrypt_compact
key = guess_key(private_key, recipient)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwk.py", line 73, in guess_key
rv_key = _norm_key.get_by_kid(kid)
^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/_keys.py", line 141, in get_by_kid
raise ValueError(f'No key for kid: "{kid}"')
ValueError: No key for kid: "kid"
Looking further at the code, there seem to be many other places where a ValueError is raised, for example when the algorithm is not supported.
