From c68b97089bc8c6bbf1aa595dcdc1de3092234a9f Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 5 May 2026 14:02:21 -0400
Subject: [PATCH] Wrap JWKSet parsing errors in InvalidJWKValue

Moved the dictionary iteration and key creation logic inside the try-except block. This ensures that any exceptions raised during the instantiation of individual JWK objects or validation checks are properly caught and safely re- raised as an InvalidJWKValue exception, rather than leaking unhandled errors.

Assisted-by: Gemini
Signed-off-by: Simo Sorce
---
 jwcrypto/jwk.py | 19 +++++++++----------
 jwcrypto/tests.py | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/jwcrypto/jwk.py b/jwcrypto/jwk.py
index 0dbc11a..5f26930 100644
--- a/jwcrypto/jwk.py
+++ b/jwcrypto/jwk.py
@@ -1356,19 +1356,18 @@ def import_keyset(self, keyset):
 """
 try:
 jwkset = json_decode(keyset)
+ if 'keys' not in jwkset:
+ raise ValueError("'keys' not in set")
+
+ for k, v in jwkset.items():
+ if k == 'keys':
+ for jwk in v:
+ self['keys'].add(JWK(**jwk))
+ else:
+ self[k] = v
 except Exception as e: # pylint: disable=broad-except
 raise InvalidJWKValue from e
 
- if 'keys' not in jwkset:
- raise InvalidJWKValue
-
- for k, v in jwkset.items():
- if k == 'keys':
- for jwk in v:
- self['keys'].add(JWK(**jwk))
- else:
- self[k] = v
-
 @classmethod
 def from_json(cls, keyset):
 """Creates a RFC 7517 key set from the standard JSON format.
diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
index 3fc4b16..2e020c6 100644
--- a/jwcrypto/tests.py
+++ b/jwcrypto/tests.py
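Review bot: A key set that fails part-way through is left half-imported: in the loop now inside the `try` of `import_keyset`, every `self['keys'].add(JWK(**jwk))` and `self[k] = v` that ran before the bad entry has already changed the set by the time `InvalidJWKValue` is raised. Because the failure is now one catchable exception, a caller may plausibly catch it and keep using the same `JWKSet`, which would then hold keys from a document that was rejected. Parse all entries into locals inside the `try` and apply them to `self` only once the whole document has validated, as sketched below; the final assignments are assumed not to raise for non-`keys` members, which should be confirmed against `JWKSet.__setitem__`. The signature and docstring of `import_keyset` start above the hunk.

```python
        try:
            # … unchanged: json_decode and the 'keys' presence check …
            # Build everything first so a bad entry cannot leave the
            # set half-imported.
            parsed = [JWK(**jwk) for jwk in jwkset['keys']]
            extra = {k: v for k, v in jwkset.items() if k != 'keys'}
        # … unchanged: except Exception -> raise InvalidJWKValue from e …

        for key in parsed:
            self['keys'].add(key)
        for k, v in extra.items():
            self[k] = v
```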
@@ -562,6 +562,21 @@ def test_jwkset_issue_208(self):
 self.assertEqual(len(ks['keys']), 2)
 self.assertEqual(len(ks['keys']), len(ks2['keys']))
 
+ def test_import_keyset_invalid(self):
+ ks = jwk.JWKSet()
+ invalid_inputs = [
+ '',
+ 'null',
+ '[]',
+ '{}',
+ '{"keys": 1}',
+ '{"keys": [1]}',
+ '{"keys": [{"kty": "invalid"}]}'
+ ]
+ for inp in invalid_inputs:
+ with self.assertRaises(jwk.InvalidJWKValue):
+ ks.import_keyset(inp)
+
 def test_thumbprint(self):
 for i in range(0, len(PublicKeys['keys'])):
 k = jwk.JWK(**PublicKeys['keys'][i])
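Review bot: The loop in `test_import_keyset_invalid` checks only the exception type and reuses one `ks` for every input, so it would still pass if a rejected document left keys behind in the set. Wrap each case in `with self.subTest(inp=inp):` so a failure names the input, and after the `assertRaises` block add `self.assertEqual(len(ks['keys']), 0)` (assuming a fresh `JWKSet()` starts empty). A case with one valid key followed by an invalid one, for example built from an entry of `PublicKeys`, would cover the path where a failure occurs after some keys have already been added, which none of the seven inputs reaches.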