def test_key_ops():
sk = SYMKey(key='df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b',
alg="HS256",
key_ops=["sign", "verify"])
_jwk = sk.serialize(private=True)
assert set(_jwk.keys()) == {"kty", "alg", "key_ops", "k"}
def main():
""" Main function"""
parser = argparse.ArgumentParser(
description="JSON Web Key (JWK) Generator")
parser.add_argument("--kty",
dest="kty",
metavar="type",
help="Key type",
required=True)
parser.add_argument("--size",
dest="keysize",
type=int,
metavar="size",
help="Key size")
parser.add_argument(
"--crv",
dest="crv",
metavar="curve",
help="EC curve",
choices=NIST2SEC.keys(),
default=DEFAULT_EC_CURVE,
)
parser.add_argument(
"--exp",
dest="rsa_exp",
type=int,
metavar="exponent",
help="RSA public key exponent (default {})".format(DEFAULT_RSA_EXP),
default=DEFAULT_RSA_EXP,
)
parser.add_argument("--kid", dest="kid", metavar="id", help="Key ID")
args = parser.parse_args()
if args.kty.upper() == "RSA":
if args.keysize is None:
args.keysize = DEFAULT_RSA_KEYSIZE
jwk = new_rsa_key(public_exponent=args.rsa_exp,
key_size=args.keysize,
kid=args.kid)
elif args.kty.upper() == "EC":
if args.crv not in NIST2SEC:
print("Unknown curve: {0}".format(args.crv), file=sys.stderr)
exit(1)
jwk = new_ec_key(crv=args.crv, kid=args.kid)
elif args.kty.upper() == "SYM":
if args.keysize is None:
args.keysize = DEFAULT_SYM_KEYSIZE
randomkey = os.urandom(args.keysize)
jwk = SYMKey(key=randomkey, kid=args.kid)
else:
print("Unknown key type: {}".format(args.kty), file=sys.stderr)
exit(1)
jwk_dict = jwk.serialize(private=True)
print(json.dumps(jwk_dict, sort_keys=True, indent=4))
print("SHA-256: " + jwk.thumbprint("SHA-256").decode(), file=sys.stderr)
def test_jws_1():
msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}
key = SYMKey(key=intarr2bin(HMAC_KEY))
_jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize())
res = _jws.sign_compact()
_jws2 = JWS(alg="HS256")
_jws2.verify_compact(res, keys=[key])
assert _jws2.msg == msg
def make_cookie_handler(self):
cookie_conf = {
"sign_key":
SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"),
"enc_key":
SYMKey(k="NXi6HD473d_YS4exVRn7z9z23mGmvU641MuvKqH0o7Y"),
}
self.cookie_handler = CookieHandler(**cookie_conf)
def test_jws_mm():
msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}
key = SYMKey(key=intarr2bin(HMAC_KEY))
_jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize())
res = _jws.sign_compact()
_jws2 = JWS(alg="HS512")
with pytest.raises(SignerAlgError):
_jws2.verify_compact(res, keys=[key])
def main():
""" Main function"""
parser = argparse.ArgumentParser(description='JSON Web Key (JWK) Generator')
parser.add_argument('--kty',
dest='kty',
metavar='type',
help='Key type',
required=True)
parser.add_argument('--size',
dest='keysize',
type=int,
metavar='size',
help='Key size')
parser.add_argument('--crv',
dest='crv',
metavar='curve',
help='EC curve',
choices=NIST2SEC.keys(),
default=DEFAULT_EC_CURVE)
parser.add_argument('--exp',
dest='rsa_exp',
type=int,
metavar='exponent',
help='RSA public key exponent (default {})'.format(DEFAULT_RSA_EXP),
default=DEFAULT_RSA_EXP)
parser.add_argument('--kid',
dest='kid',
metavar='id',
help='Key ID')
args = parser.parse_args()
if args.kty.upper() == 'RSA':
if args.keysize is None:
args.keysize = DEFAULT_RSA_KEYSIZE
jwk = new_rsa_key(public_exponent=args.rsa_exp, key_size=args.keysize, kid=args.kid)
elif args.kty.upper() == 'EC':
if args.crv not in NIST2SEC:
print("Unknown curve: {0}".format(args.crv), file=sys.stderr)
exit(1)
jwk = new_ec_key(crv=args.crv, kid=args.kid)
elif args.kty.upper() == 'SYM':
if args.keysize is None:
args.keysize = DEFAULT_SYM_KEYSIZE
randomkey = os.urandom(args.keysize)
jwk = SYMKey(key=randomkey, kid=args.kid)
else:
print("Unknown key type: {}".format(args.kty), file=sys.stderr)
exit(1)
jwk_dict = jwk.serialize(private=True)
print(json.dumps(jwk_dict, sort_keys=True, indent=4))
print("SHA-256: " + jwk.thumbprint('SHA-256').decode(), file=sys.stderr)
def create_cookie_dealer(self):
cookie_conf = {
"sign_key":
SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"),
"enc_key":
SYMKey(k="NXi6HD473d_YS4exVRn7z9z23mGmvU641MuvKqH0o7Y"),
"default_values": {
"name": "oidc_op",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
}
self.cookie_dealer = CookieDealer(**cookie_conf)
def test_unknown_alg():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwenc = JWE(plain, alg="BCD", enc="A128GCM")
with pytest.raises(ValueError):
jwenc.encrypt([encryption_key])
def test_a_1_3b():
_jwt = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJl"
"eHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0c"
"nVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
keys = [SYMKey(key=intarr2bin(HMAC_KEY))]
_jws2 = JWS(alg="")
_jws2.verify_compact(_jwt, keys)
def test_wrong_key_type():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM")
with pytest.raises(NoSuitableEncryptionKey):
jwenc.encrypt([encryption_key])
def make_cookie_content_handler(self):
cookie_conf = {
"sign_key":
SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"),
}
self.cookie_handler = CookieHandler(**cookie_conf)
def test_verify_json_missing_key():
ec_key = ECKey().load_key(P256())
sym_key = SYMKey(key=b"My hollow echo chamber", alg="HS384")
protected_headers_1 = {"foo": "bar", "alg": "ES256"}
unprotected_headers_1 = {"abc": "xyz"}
protected_headers_2 = {"foo": "bar", "alg": "HS384"}
unprotected_headers_2 = {"abc": "zeb"}
payload = "hello world"
_jwt = JWS(msg=payload).sign_json(
headers=[
(protected_headers_1, unprotected_headers_1),
(protected_headers_2, unprotected_headers_2),
],
keys=[ec_key, sym_key],
)
# Only the EC key
vkeys = [ECKey().load_key(ec_key.public_key())]
with pytest.raises(NoSuitableSigningKeys):
JWS().verify_json(_jwt, keys=vkeys)
assert JWS().verify_json(_jwt, keys=vkeys, at_least_one=True)
# Only the SYM key
with pytest.raises(NoSuitableSigningKeys):
JWS().verify_json(_jwt, keys=[sym_key])
assert JWS().verify_json(_jwt, keys=[sym_key], at_least_one=True)
# With both
assert JWS().verify_json(_jwt, keys=[vkeys[0], sym_key])
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-r",
dest="rsa_file",
help="File containing a RSA key")
parser.add_argument("-k",
dest="hmac_key",
help="If using a HMAC algorithm this is the key")
parser.add_argument("-i", dest="kid", help="key id")
parser.add_argument("-j", dest="jwk", help="JSON Web Key")
parser.add_argument("-J", dest="jwks", help="JSON Web Keys")
parser.add_argument("-u", dest="jwks_url", help="JSON Web Keys URL")
parser.add_argument("-f", dest="msg", help="The message")
parser.add_argument(
"-q",
dest="quiet",
help="Quiet mode -- only show the RAW but prettified JSON",
action="store_true",
)
args = parser.parse_args()
if args.kid:
_kid = args.kid
else:
_kid = ""
keys = []
if args.rsa_file:
keys.append(RSAKey(key=import_rsa_key(args.rsa_file), kid=_kid))
if args.hmac_key:
keys.append(SYMKey(key=args.hmac_key, kid=_kid))
if args.jwk:
_key = key_from_jwk_dict(open(args.jwk).read())
keys.append(_key)
if args.jwks:
_iss = KeyIssuer()
_iss.import_jwks(open(args.jwks).read())
keys.extend(_iss.all_keys())
if args.jwks_url:
_kb = KeyBundle(source=args.jwks_url)
keys.extend(_kb.get())
if not args.msg: # If nothing specified assume stdin
message = sys.stdin.read()
elif args.msg == "-":
message = sys.stdin.read()
else:
if os.path.isfile(args.msg):
message = open(args.msg).read().strip("\n")
else:
message = args.msg
message = message.strip()
message = message.strip('"')
process(message, keys, args.quiet)
def test_key_ops_and_use():
with pytest.raises(ValueError):
SYMKey(
key="df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b",
alg="HS256",
key_ops=["sign", "verify"],
use="sig",
)
def test_invalid():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
decrypter = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
with pytest.raises(BadSyntax):
decrypter.decrypt('a.b.c.d.e', keys=[encryption_key])
def test_nothing():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
decrypter = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
with pytest.raises(ValueError):
decrypter.decrypt(keys=[encryption_key])
def test_get_all():
kb = rsa_init({"use": ["enc", "sig"], "size": 1024, "name": "rsa", "path": "keys"})
_sym = SYMKey(**{"kty": "oct", "key": "highestsupersecret", "use": "enc"})
kb.append(_sym)
assert len(kb.get()) == 3
_k = kb.keys()
assert len(_k) == 3
def test_wrong_alg():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
with pytest.raises(HeaderError):
factory(_jwe, alg="A192KW", enc="A128CBC-HS256")
def test_hmac_256():
payload = "Please take a moment to register today"
keys = [SYMKey(key=intarr2bin(HMAC_KEY))]
_jws = JWS(payload, alg="HS256")
_jwt = _jws.sign_compact(keys)
info = JWS(alg="HS256").verify_compact(_jwt, keys)
assert info == payload
def test_no_key():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
with pytest.raises(NoSuitableDecryptionKey):
decrypter.decrypt(_jwe, [])
def test_wrong_alg_2():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
with pytest.raises(WrongEncryptionAlgorithm):
decrypter.decrypt(_jwe, [encryption_key], alg='A192KW')
def test_hmac_512():
payload = "Please take a moment to register today"
keys = [SYMKey(key=b"My hollow echo chamber", alg="HS512")]
_jws = JWS(payload, alg="HS512")
_jwt = _jws.sign_compact(keys)
_rj = JWS(alg="HS512")
info = _rj.verify_compact(_jwt, keys)
assert info == payload
def test_get_all():
kb = rsa_init(
{'use': ['enc', 'sig'], 'size': 1024, 'name': 'rsa', 'path': 'keys'})
_sym = SYMKey(**{"kty": "oct", "key": "highestsupersecret", "use": "enc"})
kb.append(_sym)
assert len(kb.get()) == 3
_k = kb.keys()
assert len(_k) == 3
def test_sym_encrypt_decrypt_jwe():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id")
decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256")
resp = decrypter.decrypt(_jwe, [encryption_key])
assert resp == plain
def test_sym_encrypt_decrypt():
encryption_key = SYMKey(use="enc",
key='DukeofHazardpass',
kid="some-key-id")
jwe = JWE_SYM("some content", alg="A128KW", enc="A128CBC-HS256")
_jwe = jwe.encrypt(key=encryption_key, kid="some-key-id")
jwdec = JWE_SYM()
resp = jwdec.decrypt(_jwe, encryption_key)
assert resp == b'some content'
def __init__(
self,
sign_key="",
enc_key="",
sign_alg="SHA256",
default_values=None,
sign_jwk=None,
enc_jwk=None,
):
if sign_key:
if isinstance(sign_key, SYMKey):
self.sign_key = sign_key
else:
self.sign_key = SYMKey(k=sign_key)
elif sign_jwk:
if isinstance(sign_jwk, dict):
self.sign_key = init_key(**sign_jwk)
else:
self.sign_key = import_jwk(sign_jwk)
else:
self.sign_key = None
self.sign_alg = sign_alg
if enc_key:
if isinstance(enc_key, SYMKey):
self.enc_key = enc_key
else:
self.enc_key = SYMKey(k=enc_key)
elif enc_jwk:
if isinstance(enc_jwk, dict):
self.enc_key = init_key(**enc_jwk)
else:
self.enc_key = import_jwk(enc_jwk)
else:
self.enc_key = None
if not default_values:
default_values = {"path": "", "domain": "", "max_age": 0}
self.default_value = default_values
def test_fernet_sha512():
encryption_key = SYMKey(use="enc",
key="DukeofHazardpass",
kid="some-key-id")
encrypter = FernetEncrypter(password=encryption_key.key, hash_alg="SHA512")
_token = encrypter.encrypt(plain)
decrypter = encrypter
resp = decrypter.decrypt(_token)
assert resp == plain
def create_cookie_dealer(self):
cookie_conf = {
"enc_key": SYMKey(k="NXi6HD473d_YS4exVRn7z9z23mGmvU641MuvKqH0o7Y"),
"default_values": {
"name": "oidc_op",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
}
self.cookie_dealer = CookieDealer(**cookie_conf)
def test_get_key():
ec_key = new_ec_key("P-256")
asym_private_key = ECKey(priv_key=ec_key.priv_key)
asym_public_key = ECKey(pub_key=asym_private_key.pub_key)
key = SYMKey(key="mekmitasdigoatfo", kid="xyzzy")
assert asym_private_key.private_key()
assert asym_private_key.public_key()
assert asym_public_key.private_key() is None
assert asym_private_key.public_key()
assert key.key
def test_get_key():
ec_key = generate_private_key(NIST2SEC['P-256'], default_backend())
asym_private_key = ECKey(priv_key=ec_key)
asym_public_key = ECKey(pub_key=asym_private_key.pub_key)
key = SYMKey(key='mekmitasdigoatfo', kid='xyzzy')
assert asym_private_key.private_key()
assert asym_private_key.public_key()
assert asym_public_key.private_key() is None
assert asym_private_key.public_key()
assert key.key
