def test_add_signing_keys():
kj = build_keyjar(KEYDEFS)[1]
sign_serv = InternalSigningService('https://signer.example.com',
keyjar=kj)
ent = FederationEntityOOB(None, self_signer=sign_serv)
req = MetadataStatement(foo='bar')
ent.add_signing_keys(req)
assert 'signing_keys' in req
def test_add_sms_spec_to_request():
jb = JWKSBundle('')
for iss in ['https://example.org/', 'https://example.com/']:
jb[iss] = build_keyjar(KEYDEFS)[1]
kj = build_keyjar(KEYDEFS)[1]
sign_serv = InternalSigningService('https://signer.example.com',
keyjar=kj)
ent = FederationEntityOOB(None, self_signer=sign_serv,
fo_bundle=public_jwks_bundle(jb),
context='response')
ent.metadata_statements = {
'response': {
'https://example.org/': 'https://example.org/sms1'
}
}
req = MetadataStatement(foo='bar')
ent.add_sms_spec_to_request(req, ['https://example.org/'])
assert 'metadata_statement_uris' in req
def test_create_verify():
sign_keyjar = build_keyjar(KEYDEFS)[1]
jb = make_jwks_bundle('https://example.com', ['fo0', 'fo1', 'fo2', 'fo3'],
sign_keyjar, KEYDEFS)
_jws = jb.create_signed_bundle()
_jwks = sign_keyjar.export_jwks()
kj = KeyJar()
kj.import_jwks(_jwks, 'https://example.com')
bundle = verify_signed_bundle(_jws, kj)
assert bundle
def test_get_metadata_statement():
jb = JWKSBundle('')
for iss in ['https://example.org/', 'https://example.com/']:
jb[iss] = build_keyjar(KEYDEFS)[1]
self_signer = InternalSigningService(keyjar=jb['https://example.com/'],
iss='https://example.com/')
op = Operator(self_signer=self_signer, iss='https://example.com/')
req = MetadataStatement(foo='bar')
sms = op.pack_metadata_statement(req, sign_alg='RS256')
sms_dir = {'https://example.com': sms}
req['metadata_statements'] = Message(**sms_dir)
ent = FederationEntity(None, fo_bundle=public_jwks_bundle(jb))
loe = ent.get_metadata_statement(req)
assert loe
def test_pack_metadata_statement_other_alg():
_keyjar = build_keyjar(KEYDEFS)[1]
self_signer = InternalSigningService('https://example.com/op',
keyjar=_keyjar)
op = Operator(self_signer=self_signer, iss=self_signer.iss)
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req, sign_alg='ES256')
assert sms # Should be a signed JWT
_jwt = factory(sms)
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == self_signer.iss
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
def test_private_key_jwt():
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)[1]
# The servers keys
client_keyjar[conf['issuer']] = KEYJAR.issuer_keys['']
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg='RS256')
_assertion = _jwt.pack({'aud': [conf['issuer']]})
request = {'client_assertion': _assertion,
'client_assertion_type': JWT_BEARER}
authn_info = PrivateKeyJWT(endpoint_context).verify(request)
assert authn_info['client_id'] == client_id
assert 'jwt' in authn_info
def get_jwks(private_path, keydefs, public_path):
if os.path.isfile(private_path):
_jwks = open(private_path, 'r').read()
_kj = KeyJar()
_kj.import_jwks(json.loads(_jwks), '')
else:
_kj = build_keyjar(keydefs)[1]
jwks = _kj.export_jwks(private=True)
head, tail = os.path.split(private_path)
if not os.path.isdir(head):
os.makedirs(head)
fp = open(private_path, 'w')
fp.write(json.dumps(jwks))
fp.close()
jwks = _kj.export_jwks() # public part
fp = open(public_path, 'w')
fp.write(json.dumps(jwks))
fp.close()
return _kj
def test_pack_metadata_statement():
jb = FSJWKSBundle('', None, 'fo_jwks',
key_conv={'to': quote_plus, 'from': unquote_plus})
_keyjar = build_keyjar(KEYDEFS)[1]
self_signer = InternalSigningService('https://example.com/op',
keyjar=_keyjar)
op = Operator(self_signer=self_signer, jwks_bundle=jb,
iss='https://example.com/op')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req)
assert sms # Should be a signed JWT
_jwt = factory(sms)
assert _jwt
assert _jwt.jwt.headers['alg'] == 'RS256'
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == op.iss
assert _body['issuer'] == 'https://example.org/op'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
from oidcmsg.key_jar import build_keyjar
from oidcmsg.key_jar import public_keys_keyjar
ISS = 'https://example.com'
ISS2 = 'https://example.org'
KEYDEFS = [{
"type": "RSA",
"key": '',
"use": ["sig"]
}, {
"type": "EC",
"crv": "P-256",
"use": ["sig"]
}]
SIGN_KEYS = build_keyjar(KEYDEFS)[1]
KEYJAR = {}
for iss in [
'https://www.swamid.se', 'https://www.sunet.se',
'https://www.feide.no', 'https://www.uninett.no'
]:
KEYJAR[iss] = build_keyjar(KEYDEFS)[1]
def test_create():
bundle = JWKSBundle(ISS, SIGN_KEYS)
assert bundle
import os
import shutil
from cryptojwt.jws import factory
from oidcmsg.key_jar import KeyJar
from oidcmsg.key_jar import build_keyjar
from fedoidcmsg import test_utils
from fedoidcmsg.operator import Operator
from fedoidcmsg.signing_service import InternalSigningService
from fedoidcmsg.test_utils import MetaDataStore
from fedoidcmsg.test_utils import unpack_using_metadata_store
TEST_ISS = "https://test.example.com"
KEYDEFS = [
{"type": "RSA", "key": '', "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]}
]
SIGN_KEYJAR = build_keyjar(KEYDEFS)[1]
FO = {
'swamid': 'https://swamid.sunet.se', 'feide': 'https://www.feide.no',
'edugain': 'https://edugain.com', 'example': 'https://example.com'
}
OA = {'sunet': 'https://sunet.se', 'uninett': 'https://uninett.no'}
EO = {'foodle.rp': 'https://foodle.uninett.no'}
#!/usr/bin/env python3
import json
from oidcmsg.key_jar import build_keyjar
KEYDEFS = [{
"type": "RSA",
"key": '',
"use": ["sig"]
}, {
"type": "EC",
"crv": "P-256",
"use": ["sig"]
}]
_jwks, _keyjar, _ = build_keyjar(KEYDEFS)
print(json.dumps(_keyjar.export_jwks(private=True)))
from fedoidcmsg.bundle import jwks_to_keyjar
from fedoidcmsg.utils import request_signed_by_signing_keys
from fedoidcmsg.utils import self_sign_jwks
from fedoidcmsg.utils import verify_request_signed_by_signing_keys
from fedoidcmsg.utils import verify_self_signed_jwks
from oidcmsg.key_jar import KeyJar
from oidcmsg.key_jar import build_keyjar
KEYDEFS = [
{"type": "RSA", "use": ["sig"]},
{"type": "RSA", "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]}
]
JWKS, KEYJAR, _ = build_keyjar(KEYDEFS)
def test_jwks_to_keyjar():
_kj = jwks_to_keyjar(JWKS)
assert list(_kj.owners()) == ['']
assert len(_kj.get_signing_key('RSA',owner='')) == 2
assert len(_kj.get_signing_key('EC',owner='')) == 1
def test_self_signed_jwks():
kj = KeyJar()
kj.issuer_keys['abc'] = KEYJAR.issuer_keys['']
ssj = self_sign_jwks(kj, 'abc', kid='', lifetime=3600)
assert ssj
#!/usr/bin/env python3
import json
from oidcmsg.key_jar import build_keyjar
KEYDEFS = [
{"type": "RSA", "key": '', "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]}
]
_keyjar = build_keyjar(KEYDEFS)[1]
print(json.dumps(_keyjar.export_jwks(private=True)))
