def test():
key = ECKey(**JWK)
ret_jwe = factory(maliciousJWE)
jwdec = JWE_EC()
with pytest.raises(ValueError):
jwdec.dec_setup(ret_jwe.jwt, key=key.keys())
def test_ecdh_no_setup_dynamic_epk():
jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM")
jwt = jwenc.encrypt([eck_bob])
assert jwt
ret_jwe = factory(jwt)
res = ret_jwe.decrypt(jwt, [eck_bob])
assert res == plain
def test_ecdh_encrypt_decrypt_direct_key():
# Alice starts of
jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
key=eck_bob)
kwargs = {
'params': params,
'cek': cek,
'iv': iv,
'encrypted_key': encrypted_key
}
assert "epk" in params
assert not encrypted_key
jwt = jwenc.encrypt(**kwargs)
# Bob decrypts
ret_jwe = factory(jwt)
jwdec = JWE_EC()
jwdec.dec_setup(ret_jwe.jwt, key=bob)
msg = jwdec.decrypt(ret_jwe.jwt)
assert msg == plain
def test_encrypt_decrypt_rsa_cbc():
_key = RSAKey(key=pub_key)
_key._keytype = "public"
_jwe0 = JWE(plain, alg="RSA1_5", enc="A128CBC-HS256")
jwt = _jwe0.encrypt([_key])
_jwe1 = factory(jwt)
_dkey = RSAKey(key=priv_key)
_dkey._keytype = "private"
msg = _jwe1.decrypt(jwt, [_dkey])
assert msg == plain
def test_ecdh_encrypt_decrypt_keywrapped_key():
jwenc = JWE_EC(plain, alg="ECDH-ES+A128KW", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
key=eck_bob)
kwargs = {}
kwargs['params'] = params
kwargs['cek'] = cek
kwargs['iv'] = iv
kwargs['encrypted_key'] = encrypted_key
assert "epk" in params
assert encrypted_key
jwt = jwenc.encrypt(**kwargs)
ret_jwe = factory(jwt)
jwdec = JWE_EC()
jwdec.dec_setup(ret_jwe.jwt, key=bob)
msg = jwdec.decrypt(ret_jwe.jwt)
assert msg == plain
def test_request_object_encryption():
msg = AuthorizationRequest(state='ABCDE',
redirect_uri='https://example.com/cb',
response_type='code')
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
}
client_info = ClientInfo(keyjar=keyjar, config=conf)
client_info.behaviour["request_object_encryption_alg"] = 'RSA1_5'
client_info.behaviour["request_object_encryption_enc"] = "A128CBC-HS256"
_jwe = request_object_encryption(msg.to_json(),
client_info,
target=RECEIVER)
assert _jwe
_jw = factory(_jwe)
assert _jw.jwt.headers['alg'] == 'RSA1_5'
assert _jw.jwt.headers['enc'] == 'A128CBC-HS256'
def unpack(self, token):
"""
Unpack a received signed or signed and encrypted Json Web Token
:param token: The Json Web Token
:return: If decryption and signature verification work the payload
will be returned as a Message instance if possible.
"""
if not token:
raise KeyError
_content_type = 'jwt'
_jwe_header = _jws_header = None
# Check if it's an encrypted JWT
_rj = jwe.factory(token)
if _rj:
# Yes, try to decode
_info = self._decrypt(_rj, token)
_jwe_header = _rj.jwt.headers
# Try to find out if the information encrypted was a signed JWT
try:
_content_type = _rj.jwt.headers['cty']
except KeyError:
pass
else:
_info = token
# If I have reason to believe the information I have is a signed JWT
if _content_type.lower() == 'jwt':
# Check that is a signed JWT
_rj = jws.factory(_info)
if _rj:
_info = self._verify(_rj, _info)
else:
raise Exception()
_jws_header = _rj.jwt.headers
else:
# So, not a signed JWT
try:
# A JSON document ?
_info = json.loads(_info)
except JSONDecodeError: # Oh, no ! Not JSON
return _info
# If I know what message class the info should be mapped into
if self.msg_cls:
_msg_cls = self.msg_cls
else:
try:
# try to find a issuer specific message class
_msg_cls = self.iss2msg_cls[_info['iss']]
except KeyError:
_msg_cls = None
if _msg_cls:
vp_args = {'skew': self.skew}
if self.iss:
vp_args['aud'] = self.iss
_info = self.verify_profile(_msg_cls, _info, **vp_args)
_info.jwe_header = _jwe_header
_info.jws_header = _jws_header
return _info
else:
return _info