def test_wrong_alg():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
with pytest.raises(HeaderError):
factory(_jwe, alg="A192KW", enc="A128CBC-HS256")
def test_ecdh_no_setup_dynamic_epk():
jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM")
jwt = jwenc.encrypt([eck_bob])
assert jwt
ret_jwe = factory(jwt, alg="ECDH-ES", enc="A128GCM")
res = ret_jwe.decrypt(jwt, [eck_bob])
assert res == plain
def test_ecdh_encrypt_decrypt_direct_key():
# Alice starts of
jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
key=eck_bob)
kwargs = {
'params': params,
'cek': cek,
'iv': iv,
'encrypted_key': encrypted_key
}
assert "epk" in params
assert not encrypted_key
jwt = jwenc.encrypt(**kwargs)
# Bob decrypts
ret_jwe = factory(jwt, alg="ECDH-ES", enc="A128GCM")
jwdec = JWE_EC()
jwdec.dec_setup(ret_jwe.jwt, key=bob)
msg = jwdec.decrypt(ret_jwe.jwt)
assert msg == plain
def main(jwt, keys, quiet):
_jw = jwe.factory(jwt)
if _jw:
if not quiet:
print("Encrypted JSON Web Token")
print('Headers: {}'.format(_jw.jwt.headers))
if keys:
res = _jw.decrypt(keys=keys)
json_object = json.loads(res)
json_str = json.dumps(json_object, indent=2)
print(highlight(json_str, JsonLexer(), TerminalFormatter()))
else:
print("No keys can't decrypt")
sys.exit(1)
else:
_jw = jws.factory(jwt)
if _jw:
if quiet:
json_object = json.loads(_jw.jwt.part[1].decode("utf-8"))
json_str = json.dumps(json_object, indent=2)
print(highlight(json_str, JsonLexer(), TerminalFormatter()))
else:
print("Signed JSON Web Token")
print('Headers: {}'.format(_jw.jwt.headers))
if keys:
res = _jw.verify_compact(keys=keys)
print('Verified message: {}'.format(res))
else:
json_object = json.loads(_jw.jwt.part[1].decode("utf-8"))
json_str = json.dumps(json_object, indent=2)
print('Unverified message: {}'.format(
highlight(json_str, JsonLexer(), TerminalFormatter())))
def test_verify_headers():
jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM")
jwt = jwenc.encrypt([eck_bob])
assert jwt
decrypter = factory(jwt, alg="ECDH-ES", enc="A128GCM")
assert decrypter.jwt.verify_headers(alg='ECDH-ES', enc='A128GCM')
assert decrypter.jwt.verify_headers(alg='RS256') is False
assert decrypter.jwt.verify_headers(kid='RS256') is False
def test_no_key():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
with pytest.raises(NoSuitableDecryptionKey):
decrypter.decrypt(_jwe, [])
def test_wrong_alg_2():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
with pytest.raises(WrongEncryptionAlgorithm):
decrypter.decrypt(_jwe, [encryption_key], alg='A192KW')
def test_encrypt_jwk_key():
# This is a weird case. Signing the JWT with a key that is
# published in the JWT. Still it should be possible.
jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM", jwk=eck_bob)
_enc = jwenc.encrypt()
assert _enc
decrypter = factory(_enc, alg="ECDH-ES", enc="A128GCM")
res = decrypter.decrypt()
assert res == plain
def test_sym_encrypt_decrypt_jwe():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
resp = decrypter.decrypt(_jwe, [encryption_key])
assert resp == plain
def decrypt_from_jwe(jwe):
RSA_KEY = settings.UNITICKET_JWT_RSA_KEY_PATH
JWE_ALG = settings.UNITICKET_JWE_ALG
JWE_ENC = settings.UNITICKET_JWE_ENC
priv_key = import_private_rsa_key_from_file(RSA_KEY)
_decryptor = factory(jwe, alg=JWE_ALG, enc=JWE_ENC)
_dkey = RSAKey(priv_key=priv_key)
msg = _decryptor.decrypt(jwe, [_dkey])
return msg
def test_encrypt_decrypt_rsa_cbc():
_key = RSAKey(pub_key=pub_key)
_jwe0 = JWE(plain, alg="RSA1_5", enc="A128CBC-HS256")
jwt = _jwe0.encrypt([_key])
_jwe1 = factory(jwt, alg="RSA1_5", enc="A128CBC-HS256")
_dkey = RSAKey(priv_key=priv_key)
msg = _jwe1.decrypt(jwt, [_dkey])
assert msg == plain
def test_sym_jwenc():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
_jwenc = decrypter.jwt
assert _jwenc.b64_protected_header() == _jwenc.b64part[0]
assert _jwenc.b64_encrypted_key() == _jwenc.b64part[1]
assert _jwenc.b64_initialization_vector() == _jwenc.b64part[2]
assert _jwenc.b64_ciphertext() == _jwenc.b64part[3]
assert _jwenc.b64_authentication_tag() == _jwenc.b64part[4]
assert _jwenc.protected_header() == _jwenc.part[0]
assert _jwenc.encrypted_key() == _jwenc.part[1]
assert _jwenc.initialization_vector() == _jwenc.part[2]
assert _jwenc.ciphertext() == _jwenc.part[3]
assert _jwenc.authentication_tag() == _jwenc.part[4]
def test_ecdh_encrypt_decrypt_keywrapped_key():
jwenc = JWE_EC(plain, alg="ECDH-ES+A128KW", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
key=eck_bob)
kwargs = {}
kwargs['params'] = params
kwargs['cek'] = cek
kwargs['iv'] = iv
kwargs['encrypted_key'] = encrypted_key
assert "epk" in params
assert encrypted_key
jwt = jwenc.encrypt(**kwargs)
ret_jwe = factory(jwt, alg="ECDH-ES+A128KW", enc="A128GCM")
jwdec = JWE_EC()
jwdec.dec_setup(ret_jwe.jwt, key=bob)
msg = jwdec.decrypt(ret_jwe.jwt)
assert msg == plain
def test_request_object_encryption():
msg = AuthorizationRequest(state='ABCDE',
redirect_uri='https://example.com/cb',
response_type='code')
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
}
service_context = ServiceContext(keyjar=keyjar, config=conf)
service_context.behaviour["request_object_encryption_alg"] = 'RSA1_5'
service_context.behaviour[
"request_object_encryption_enc"] = "A128CBC-HS256"
_jwe = request_object_encryption(msg.to_json(),
service_context,
target=RECEIVER)
assert _jwe
_decryptor = factory(_jwe)
assert _decryptor.jwt.verify_headers(alg='RSA1_5', enc='A128CBC-HS256')
