def _verify_crypto_keys(self):
"""
verifies whether or not valid crypto keys were provided to the signer.
if both keys are valid, encodes and decodes a JWT to make sure the keys match.
if both private and public keys are valid and are matching => signer is enabled
if both private and public keys are None => signer is disabled (self.enabled == False)
if only one key is valid/not-None => throws ValueError
any other case => throws ValueError
"""
if self._private_key is not None and self._public_key is not None:
# both keys provided, let's make sure these keys were generated correctly
token = jwt.encode({"some": "payload"}, self._private_key, algorithm=self._algorithm)
try:
jwt.decode(token, self._public_key, algorithms=[self._algorithm])
except jwt.PyJWTError as exc:
logger.info("JWT Signer key verification failed with error: {err}", err=exc)
raise InvalidJWTCryptoKeysException("private key and public key do not match!") from exc
# save jwk
self._jwk: PyJWK = PyJWK.from_json(self.get_jwk(), algorithm=self._algorithm)
elif (self._private_key != self._public_key) and (self._private_key is None or self._public_key is None):
raise ValueError("JWT Signer not valid, only one of private key / public key pair was provided!")
elif self._private_key is None and self._public_key is None:
# valid situation, running in dev mode and api security is off
self._enabled = False
logger.info("OPAL was not provided with JWT encryption keys, cannot verify api requests!")
else:
raise ValueError("Invalid JWT Signer input!")
def test_should_load_key_from_jwk_data_json_string(self):
algo = RSAAlgorithm(RSAAlgorithm.SHA256)
with open(key_path("jwk_rsa_pub.json"), "r") as keyfile:
pub_key = algo.from_jwk(keyfile.read())
key_data_str = algo.to_jwk(pub_key)
key_data = json.loads(key_data_str)
# TODO Should `to_jwk` set these?
key_data["alg"] = "RS256"
key_data["use"] = "sig"
key_data["kid"] = "keyid-abc123"
jwk = PyJWK.from_json(json.dumps(key_data))
assert jwk.key_type == "RSA"
assert jwk.key_id == "keyid-abc123"
assert jwk.public_key_use == "sig"