def test_signer_protected_headers():
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
_key = ECKey().load_key(eck)
keys = [_key]
_jws = JWS(payload, alg="ES256")
protected = dict(header1=u"header1 is protected",
header2="header2 is protected too",
a=1)
_jwt = _jws.sign_compact(keys, protected=protected)
exp_protected = protected.copy()
exp_protected["alg"] = "ES256"
enc_header, enc_payload, sig = _jwt.split(".")
assert json.loads(b64d(
enc_header.encode("utf-8")).decode("utf-8")) == exp_protected
assert b64d(enc_payload.encode("utf-8")).decode("utf-8") == payload
_pub_key = ECKey().load_key(eck.public_key())
_rj = JWS(alg="ES256")
info = _rj.verify_compact(_jwt, [_pub_key])
assert info == payload
# Protected by default
protected["alg"] = "ES256"
assert _rj.protected_headers() == protected
def test_verify_json_missing_key():
ec_key = ECKey().load_key(P256())
sym_key = SYMKey(key=b"My hollow echo chamber", alg="HS384")
protected_headers_1 = {"foo": "bar", "alg": "ES256"}
unprotected_headers_1 = {"abc": "xyz"}
protected_headers_2 = {"foo": "bar", "alg": "HS384"}
unprotected_headers_2 = {"abc": "zeb"}
payload = "hello world"
_jwt = JWS(msg=payload).sign_json(
headers=[
(protected_headers_1, unprotected_headers_1),
(protected_headers_2, unprotected_headers_2),
],
keys=[ec_key, sym_key],
)
# Only the EC key
vkeys = [ECKey().load_key(ec_key.public_key())]
with pytest.raises(NoSuitableSigningKeys):
JWS().verify_json(_jwt, keys=vkeys)
assert JWS().verify_json(_jwt, keys=vkeys, at_least_one=True)
# Only the SYM key
with pytest.raises(NoSuitableSigningKeys):
JWS().verify_json(_jwt, keys=[sym_key])
assert JWS().verify_json(_jwt, keys=[sym_key], at_least_one=True)
# With both
assert JWS().verify_json(_jwt, keys=[vkeys[0], sym_key])
def test_key_from_jwk_dict_ec():
key = ECKey().load(full_path("570-ec-sect571r1-keypair.pem"))
assert key.has_private_key()
jwk = key.serialize(private=True)
_key = key_from_jwk_dict(jwk)
assert isinstance(_key, ECKey)
assert _key.has_private_key()
def test_verify_protected_headers():
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
_key = ECKey().load_key(eck)
keys = [_key]
_jws = JWS(payload, alg="ES256")
protected = dict(header1=u"header1 is protected",
header2="header2 is protected too",
a=1)
_jwt = _jws.sign_compact(keys, protected=protected)
protectedHeader, enc_payload, sig = _jwt.split(".")
data = dict(
payload=enc_payload,
signatures=[
dict(
header=dict(alg=u"ES256", jwk=_key.serialize()),
protected=protectedHeader,
signature=sig,
)
],
)
# _pub_key = ECKey().load_key(eck.public_key())
_jws = JWS()
assert _jws.verify_json(json.dumps(data)) == payload
def test_signer_es(ec_func, alg):
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec_func(), default_backend())
keys = [ECKey().load_key(eck)]
_jws = JWS(payload, alg=alg)
_jwt = _jws.sign_compact(keys)
_pubkey = ECKey().load_key(eck.public_key())
_rj = JWS(alg=alg)
info = _rj.verify_compact(_jwt, [_pubkey])
assert info == payload
def pem2ec(filename: str,
kid: Optional[str] = None,
private: bool = False,
passphrase: Optional[str] = None) -> JWK:
"""Convert EC key from PEM to JWK"""
if private:
key = import_private_key_from_file(filename, passphrase)
else:
key = import_public_key_from_file(filename)
jwk = ECKey(kid=kid)
jwk.load_key(key)
return jwk
def test_verify_json_flattened_syntax():
key = ECKey().load_key(P256())
protected_headers = {"foo": "bar"}
unprotected_headers = {"abc": "xyz"}
payload = "hello world"
_jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[
(protected_headers, unprotected_headers)
],
keys=[key],
flatten=True)
vkeys = [ECKey().load_key(key.public_key())]
assert JWS().verify_json(_jwt, keys=vkeys)
def test_signer_es256_verbose():
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
_key = ECKey().load_key(eck)
keys = [_key]
_jws = JWS(payload, alg="ES256")
_jwt = _jws.sign_compact(keys)
_pubkey = ECKey().load_key(eck.public_key())
_rj = JWS(alg="ES256")
info = _rj.verify_compact_verbose(_jwt, [_pubkey])
assert info["msg"] == payload
assert info["key"] == _pubkey
def test_verify_json():
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
key = ECKey().load_key(eck)
payload = "hello world"
unprotected_headers = {"abc": "xyz"}
protected_headers = {"foo": "bar"}
_jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[
(protected_headers, unprotected_headers)
],
keys=[key])
vkeys = [ECKey().load_key(eck.public_key())]
assert JWS().verify_json(_jwt, keys=vkeys)
def test_cmp_rsa_ec():
_key1 = RSAKey()
_key1.load_key(import_rsa_key_from_cert_file(CERT))
_key2 = ECKey(**ECKEY)
assert _key1 != _key2
def test_verify_json():
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
key = ECKey().load_key(eck)
payload = "hello world"
unprotected_headers = {"abc": "xyz"}
protected_headers = {"foo": "bar"}
_jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[
(protected_headers, unprotected_headers)
],
keys=[key])
vkeys = [ECKey().load_key(eck.public_key())]
_jws = JWS()
assert _jws.verify_json(_jwt, keys=vkeys)
_protected = _jws.protected_headers()
assert set(_protected.keys()) == {"foo", "alg"}
assert _protected["foo"] == protected_headers["foo"]
# alg is always protected by default
assert _protected["alg"] == "ES256"
def test_sign_json_dont_flatten_if_multiple_signatures():
key = ECKey().load_key(P256())
unprotected_headers = {"foo": "bar"}
_jwt = JWS(msg="hello world", alg="ES256").sign_json(
headers=[(None, unprotected_headers), (None, {
"abc": "xyz"
})],
keys=[key],
flatten=True,
)
assert "signatures" in json.loads(_jwt)
def test_get_key():
ec_key = generate_private_key(NIST2SEC['P-256'], default_backend())
asym_private_key = ECKey(priv_key=ec_key)
asym_public_key = ECKey(pub_key=asym_private_key.pub_key)
key = SYMKey(key='mekmitasdigoatfo', kid='xyzzy')
assert asym_private_key.private_key()
assert asym_private_key.public_key()
assert asym_public_key.private_key() is None
assert asym_private_key.public_key()
assert key.key
def read_cosekey(filename: str, private: bool = True) -> CoseKey:
"""Read key and return CoseKey"""
if filename.endswith(".json"):
with open(filename, "rt") as jwk_file:
jwk_dict = json.load(jwk_file)
elif filename.endswith(".key"):
key = import_private_key_from_pem_file(filename)
jwk = ECKey()
jwk.load_key(key)
jwk_dict = jwk.serialize(private=private)
elif filename.endswith(".crt"):
if private:
raise ValueError("No private keys in certificates")
key = import_public_key_from_cert_file(filename)
jwk = ECKey()
jwk.load_key(key)
jwk_dict = jwk.serialize(private=private)
else:
raise ValueError("Unknown key format")
return cosekey_from_jwk_dict(jwk_dict, private)
def test_get_key():
ec_key = new_ec_key("P-256")
asym_private_key = ECKey(priv_key=ec_key.priv_key)
asym_public_key = ECKey(pub_key=asym_private_key.pub_key)
key = SYMKey(key="mekmitasdigoatfo", kid="xyzzy")
assert asym_private_key.private_key()
assert asym_private_key.public_key()
assert asym_public_key.private_key() is None
assert asym_private_key.public_key()
assert key.key
def test_sign_json_dont_include_empty_unprotected_headers():
key = ECKey().load_key(P256())
protected_headers = {"foo": "bar"}
_jwt = JWS(msg="hello world",
alg="ES256").sign_json(headers=[(protected_headers, None)],
keys=[key])
json_jws = json.loads(_jwt)
assert "header" not in json_jws["signatures"][0]
jws_protected_headers = json.loads(
b64d_enc_dec(json_jws["signatures"][0]["protected"]))
assert set(protected_headers.items()).issubset(
set(jws_protected_headers.items()))
def test_sign_json_dont_include_empty_protected_headers():
key = ECKey().load_key(P256())
unprotected_headers = {"foo": "bar"}
_jwt = JWS(msg="hello world",
alg="ES256").sign_json(headers=[(None, unprotected_headers)],
keys=[key])
json_jws = json.loads(_jwt)
jws_protected_headers = json.loads(
b64d_enc_dec(json_jws["signatures"][0]["protected"]))
assert jws_protected_headers == {"alg": "ES256"}
jws_unprotected_headers = json_jws["signatures"][0]["header"]
assert unprotected_headers == jws_unprotected_headers
def test_sign_json_flattened_syntax():
key = ECKey().load_key(P256())
protected_headers = {"foo": "bar"}
unprotected_headers = {"abc": "xyz"}
payload = "hello world"
_jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[
(protected_headers, unprotected_headers)
],
keys=[key],
flatten=True)
json_jws = json.loads(_jwt)
assert "signatures" not in json_jws
assert b64d_enc_dec(json_jws["payload"]) == payload
assert json_jws["header"] == unprotected_headers
assert json.loads(b64d_enc_dec(json_jws["protected"])) == protected_headers
def test_sign_json():
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
key = ECKey().load_key(eck)
payload = "hello world"
unprotected_headers = {"abc": "xyz"}
protected_headers = {"foo": "bar"}
_jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[
(protected_headers, unprotected_headers)
],
keys=[key])
jwt = json.loads(_jwt)
assert b64d_enc_dec(jwt["payload"]) == payload
assert len(jwt["signatures"]) == 1
assert jwt["signatures"][0]["header"] == unprotected_headers
assert json.loads(b64d_enc_dec(
jwt["signatures"][0]["protected"])) == protected_headers
def pem_to_jwk_dict(pem_data: str):
"""Read PEM certificate and return JWK dictionary"""
public_key = import_public_key_from_pem_data(pem_data)
if isinstance(public_key, rsa.RSAPublicKey):
jwk = RSAKey().load_key(public_key)
elif isinstance(public_key, ec.EllipticCurvePublicKey):
jwk = ECKey().load_key(public_key)
else:
raise ValueError("Unknown key type")
jwk_dict = jwk.serialize()
cert = x509.load_pem_x509_certificate(pem_data.encode(), default_backend())
fp = cert.fingerprint(hashes.SHA256())
jwk_dict["kid"] = b64e(fp[:8]).decode()
jwk_dict["x5t#S256"] = b64e(fp).decode()
jwk_dict["x5a"] = {
"subject": cert.subject.rfc4514_string(),
"issuer": cert.issuer.rfc4514_string(),
"serial": cert.serial_number,
}
return jwk_dict
def test_is_jws_recognize_flattened_json_serialized_jws():
key = ECKey().load_key(P256())
jws = JWS(msg="hello world", alg="ES256").sign_json([key], flatten=True)
assert JWS().is_jws(jws)
def test_load_pem_file_ec():
key = ECKey().load(full_path("570-ec-sect571r1-keypair.pem"))
assert key.has_private_key()
def test_create_eckey():
ec_key = generate_private_key(NIST2SEC['P-256'], default_backend())
ec = ECKey(priv_key=ec_key)
exp_key = ec.serialize()
assert _eq(list(exp_key.keys()), ["y", "x", "crv", "kty"])
def test_is_jws_recognize_compact_jws():
key = ECKey().load_key(P256())
jws = JWS(msg="hello world", alg="ES256").sign_compact([key])
assert JWS().is_jws(jws)
def test_cmp_eq_ec():
ec_key = generate_private_key(NIST2SEC['P-256'], default_backend())
_key1 = ECKey(priv_key=ec_key)
_key2 = ECKey(priv_key=ec_key)
assert _key1 == _key2
assert msg == plain
def test_rsa_with_kid():
encryption_keys = [RSAKey(use="enc", pub_key=pub_key, kid="some-key-id")]
jwe = JWE("some content", alg="RSA-OAEP", enc="A256CBC-HS512")
jwe.encrypt(keys=encryption_keys, kid="some-key-id")
if __name__ == "__main__":
test_rsa_with_kid()
# Test ECDH-ES
alice = ec.generate_private_key(ec.SECP256R1(), default_backend())
eck_alice = ECKey(priv_key=alice)
bob = ec.generate_private_key(ec.SECP256R1(), default_backend())
eck_bob = ECKey(priv_key=bob)
def test_ecdh_encrypt_decrypt_direct_key():
# Alice starts of
jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
key=eck_bob)
kwargs = {
'params': params,
'cek': cek,
'iv': iv,
'encrypted_key': encrypted_key
def test_import_export_eckey():
_key = ECKey(**ECKEY)
_key.deserialize()
assert _eq(list(_key.keys()), ["y", "x", "d", "crv", "kty"])
assert _key.key_len() == 521
def test_cmp_neq_ec():
ec_key = new_ec_key("P-256")
_key1 = ECKey(priv_key=ec_key.priv_key)
_key2 = ECKey(**ECKEY)
assert _key1 != _key2
def test_cmp_eq_ec():
ec_key = new_ec_key("P-256")
_key1 = ECKey(priv_key=ec_key.priv_key)
_key2 = ECKey(priv_key=ec_key.priv_key)
assert _key1 == _key2