Ejemplo n.º 1
0
    def test_jws_verifier_with_kid(self):
        # Sign
        priv_key1 = jws.CleartextJwkSetReader.from_json(
            self.test_json_ecdsa_priv_key_kid1)
        signer1 = jws.JwsPublicKeySign(priv_key1)
        signed_token_kid1 = signer1.sign(self.test_header_es256_kid1,
                                         self.test_payload)
        priv_key2 = jws.CleartextJwkSetReader.from_json(
            self.test_json_ecdsa_priv_key_kid2)
        signer2 = jws.JwsPublicKeySign(priv_key2)
        signed_token_kid2 = signer2.sign(self.test_header_es256_kid2,
                                         self.test_payload)

        # Verify
        pub_key = jws.CleartextJwkSetReader.from_json(
            self.test_json_ecdsa_pub_key_kid1)
        verifier = jws.JwsPublicKeyVerify(pub_key)
        try:
            verifier.verify(signed_token_kid1)
        except SecurityException:
            self.fail('Valid token, should not throw exception')
        for modified_token in _modify_token(signed_token_kid1):
            self.assertRaises(SecurityException, verifier.verify,
                              modified_token)
        # The signature is valid but the kids don't match.
        self.assertRaises(SecurityException, verifier.verify,
                          signed_token_kid2)
Ejemplo n.º 2
0
    def test_jws_ec_from_cryptography_key(self):
        # Sign the token.
        priv_key = load_pem_private_key(
            self.test_pem_ec_p256_priv_key.encode('utf-8'),
            None,
            backend=backends.default_backend())
        jwk_priv_key = jws.CleartextJwkSetReader.from_cryptography_key(
            priv_key, 'ES256')
        signer = jws.JwsPublicKeySign(jwk_priv_key)
        signed_token = signer.sign(self.test_header_es256, self.test_payload)

        # Verify the token.
        # The real use case is that cryptography supports extracting public key from
        # certificate, but we simulate it here by reading it from PEM.
        pub_key = load_pem_public_key(
            self.test_pem_ec_p256_pub_key.encode('utf-8'),
            backend=backends.default_backend())
        jwk_pub_key = jws.CleartextJwkSetReader.from_cryptography_key(
            pub_key, 'ES256')
        verifier = jws.JwsPublicKeyVerify(jwk_pub_key)
        try:
            verifier.verify(signed_token)
        except SecurityException:
            self.fail('Valid token, should not throw exception')
        for modified_token in _modify_token(signed_token):
            self.assertRaises(SecurityException, verifier.verify,
                              modified_token)
Ejemplo n.º 3
0
    def test_jws_rsa_signer_and_verifier(self):
        algs = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']
        for alg in algs:
            json_priv_key = json.loads(self.json_rsa_priv_key)
            json_priv_key['alg'] = alg
            json_priv_key = json.dumps(json_priv_key)
            json_pub_key = json.loads(self.json_rsa_pub_key)
            json_pub_key['alg'] = alg
            json_pub_key = json.dumps(json_pub_key)
            json_header_rsa = dict(self.test_header_rsa)
            json_header_rsa['alg'] = alg

            # Sign
            priv_key = jws.CleartextJwkSetReader.from_json(json_priv_key)
            signer = jws.JwsPublicKeySign(priv_key)
            signed_token = signer.sign(json_header_rsa, self.test_payload)

            # Verify
            pub_key = jws.CleartextJwkSetReader.from_json(json_pub_key)
            verifier = jws.JwsPublicKeyVerify(pub_key)
            try:
                verifier.verify(signed_token)
            except SecurityException:
                self.fail('Valid token, should not throw exception')
            for modified_token in _modify_token(signed_token):
                self.assertRaises(SecurityException, verifier.verify,
                                  modified_token)
Ejemplo n.º 4
0
    def __init__(self, jwk_set):
        """Constructor for JwtPublicKeySign.

    Args:
      jwk_set: a JwkSet.

    Raises:
      UnsupportedAlgorithm: if the algorihtm is not defined at
      https://tools.ietf.org/html/rfc7518#section-3.1 or if jwk is not Rsa or
      Ecdsa key.
    """
        self.signer = jws.JwsPublicKeySign(jwk_set)
Ejemplo n.º 5
0
    def test_jws_ecdsa_signer_verifier_es256(self):
        # Sign
        priv_key = jws.CleartextJwkSetReader.from_json(
            self.es256_ecdsa_priv_key)
        signer = jws.JwsPublicKeySign(priv_key)
        signed_token = signer.sign(self.test_header_es256, self.test_payload)

        # Verify
        pub_key = jws.CleartextJwkSetReader.from_json(self.es256_ecdsa_pub_key)
        verifier = jws.JwsPublicKeyVerify(pub_key)
        try:
            verifier.verify(signed_token)
        except SecurityException:
            self.fail('Valid token, should not throw exception')
        for modified_token in _modify_token(signed_token):
            self.assertRaises(SecurityException, verifier.verify,
                              modified_token)
Ejemplo n.º 6
0
    def test_jws_ec_from_pem_key(self):
        # Sign the token
        rsa_priv_key = jws.CleartextJwkSetReader.from_pem(
            self.test_pem_ec_p256_priv_key.encode('utf-8'), 'ES256')
        signer = jws.JwsPublicKeySign(rsa_priv_key)
        signed_token = signer.sign(self.test_header_es256, self.test_payload)

        # Verify the token
        rsa_pub_key = jws.CleartextJwkSetReader.from_pem(
            self.test_pem_ec_p256_pub_key.encode('utf-8'), 'ES256')
        verifier = jws.JwsPublicKeyVerify(rsa_pub_key)
        try:
            verifier.verify(signed_token)
        except SecurityException:
            self.fail('Valid token, should not throw exception')
        for modified_token in _modify_token(signed_token):
            self.assertRaises(SecurityException, verifier.verify,
                              modified_token)
Ejemplo n.º 7
0
    def test_jws_with_mismatch_kid_or_algorithm(self):
        hmac_key = jws.CleartextJwkSetReader.from_json(self.json_hmac_key)
        authenticator = jws.JwsMacAuthenticator(hmac_key)
        json_header_hmac = dict(self.test_header_hmac)
        # Change the algorithm to a wrong one.
        json_header_hmac['alg'] = 'HS512'
        self.assertRaises(SecurityException, authenticator.authenticate,
                          json_header_hmac, self.test_payload)
        priv_key = jws.CleartextJwkSetReader.from_json(
            self.test_json_ecdsa_priv_key_kid1)
        signer = jws.JwsPublicKeySign(priv_key)
        json_header_es256 = dict(self.test_header_es256_kid1)
        # Change the algorithm to a wrong one.
        json_header_es256['alg'] = 'ES512'
        self.assertRaises(SecurityException, signer.sign, json_header_es256,
                          self.test_payload)

        json_header_es256 = dict(self.test_header_es256_kid1)
        # Change kid to a wrong one.
        json_header_es256['kid'] = 'kid0'
        self.assertRaises(SecurityException, signer.sign, json_header_es256,
                          self.test_payload)