insufficient validation in JWKSet.from_json (import_keyset) #378

@huwcbjones

Description

One would expect to get an InvalidJWKValue value from loading an invalid JWKSet. This is not the case...

import traceback
from jwcrypto.common import JWException
from jwcrypto.jwk import JWKSet

values = [
    'foobar',
    '"keys"',
    '["keys"]',
    '{}',
    '{"keys": {}}',
    '{"keys": {{}}}',
    '{"keys": {"foo": "bar"}}',
    '{"keys": [{"foo": "bar"}]}',
    '{"keys": []}',
    '{"keys": [[]]}',
]

for value in values:
    print(f"'{value}' - ", end="")
    try:
        JWKSet.from_json(value)
        print("valid")  # accepted without error
    except JWException:
        print("valid")  # rejected with the expected jwcrypto exception family
    except Exception:
        # anything else (TypeError, AttributeError, ...) escaping from
        # import_keyset is the validation gap this issue is about
        print("invalid")
        print(traceback.format_exc())

The above gives us a selection of TypeError and AttributeError from import_keyset.

jwcrypto/jwcrypto/jwk.py

Lines 1357 to 1370 in db03d4c

try:
    jwkset = json_decode(keyset)
except Exception as e:  # pylint: disable=broad-except
    raise InvalidJWKValue from e
if 'keys' not in jwkset:
    raise InvalidJWKValue
for k, v in jwkset.items():
    if k == 'keys':
        for jwk in v:
            self['keys'].add(JWK(**jwk))
    else:
        self[k] = v
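A structural pre-check of the kind the report is asking for, written here as an added example (not the reporter's script and not jwcrypto's own code): it verifies that the document is a JSON object, that `keys` is an array, and that every element is an object carrying the `kty` member RFC 7517 requires, so each malformed sample above surfaces as `InvalidJWKValue` rather than a `TypeError` or `AttributeError`. The `InvalidJWKValue` class below is a local stand-in so the example runs without jwcrypto installed; the one well-formed sample is constructed for the example.

```python
import json
from typing import Dict, List, Tuple


class InvalidJWKValue(ValueError):
    """Local stand-in for jwcrypto.common.InvalidJWKValue (assumption)."""


def parse_keyset(keyset: str) -> Tuple[List[dict], Dict[str, object]]:
    """Validate the shape of a JWK Set before any key object is built.

    Returns (key_objects, other_top_level_members). Every shape violation is
    reported as InvalidJWKValue; no other exception type escapes.
    """
    try:
        jwkset = json.loads(keyset)
    except ValueError as e:  # json.JSONDecodeError is a ValueError
        raise InvalidJWKValue("keyset is not valid JSON") from e
    # RFC 7517 section 5: a JWK Set is a JSON object whose 'keys' member
    # is an array of JWK objects. Check each level before iterating it.
    if not isinstance(jwkset, dict):
        raise InvalidJWKValue("keyset must be a JSON object")
    if 'keys' not in jwkset:
        raise InvalidJWKValue("keyset has no 'keys' member")
    keys = jwkset['keys']
    if not isinstance(keys, list):
        raise InvalidJWKValue("'keys' must be a JSON array")
    for i, jwk in enumerate(keys):
        if not isinstance(jwk, dict):
            raise InvalidJWKValue(f"keys[{i}] is not a JSON object")
        # RFC 7517 section 4.1: 'kty' is REQUIRED and must be a string
        if not isinstance(jwk.get('kty'), str):
            raise InvalidJWKValue(f"keys[{i}] has no string 'kty' member")
    extra = {k: v for k, v in jwkset.items() if k != 'keys'}
    return keys, extra


# The malformed inputs from the report plus one constructed well-formed set.
SAMPLES = ['foobar', '"keys"', '["keys"]', '{}', '{"keys": {}}',
           '{"keys": {{}}}', '{"keys": {"foo": "bar"}}',
           '{"keys": [{"foo": "bar"}]}', '{"keys": []}', '{"keys": [[]]}']
VALID_SAMPLE = '{"keys": [{"kty": "oct", "k": "c2VjcmV0"}]}'  # constructed


def classify(values: List[str]) -> Dict[str, str]:
    """Map each input to 'ok' or 'InvalidJWKValue'; anything else propagates."""
    results = {}
    for value in values:
        try:
            parse_keyset(value)
            results[value] = "ok"
        except InvalidJWKValue:
            results[value] = "InvalidJWKValue"
    return results
```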
