def test_jwe_header_contains_kid(self):
        """Check that a JWE whose protected header has no ``kid`` is refused.

        Despite the name, this is a negative test: the supplied header
        carries only ``alg`` and ``enc``, and decryption is expected to fail
        with a message containing "Missing kid".
        """
        # Protected header with alg RSA-OAEP / enc A256GCM and, deliberately,
        # no "kid" member. Without a kid the receiver has nothing to select a
        # decryption key by.
        header_without_kid = b'{"alg":"RSA-OAEP","enc":"A256GCM"}'

        # self.kid is still passed as the positional argument; only the
        # serialised header omits it.
        token = Encoder(*self.encoder_args).encrypt_token(
            VALID_SIGNED_JWT.encode(),
            self.kid,
            jwe_protected_header=header_without_kid,
        )

        # assert_in_decrypt_exception is defined outside this block;
        # presumably it decrypts and checks the error text. Verify there.
        self.assert_in_decrypt_exception(token.decode(), "Missing kid")
    def test_invalid_enc(self):
        """Check that a header with an unexpected alg/enc pair is refused.

        The header sets ``alg`` to "PBES2_HS256_A128KW" and ``enc`` to
        "A128GCM", keeps a valid ``kid``, and expects decryption to fail with
        a message containing "Algorithm not allowed".
        """
        # NOTE(review): both alg and enc differ from the RSA-OAEP / A256GCM
        # pair used by test_jwe_header_contains_kid, so this test alone does
        # not show which field triggers the rejection. If the intent is to
        # cover enc, a header with an accepted alg and only enc changed would
        # isolate that check. Confirm against the decrypt implementation.
        # NOTE(review): the registered JOSE name in RFC 7518 is
        # "PBES2-HS256+A128KW"; the underscore spelling here may be rejected
        # simply as an unknown value. Confirm that is the case intended.
        header_text = (
            '{"alg":"PBES2_HS256_A128KW","enc":"A128GCM","kid":"' + self.kid +
            '"}'
        )
        header_bytes = header_text.encode('utf-8')

        token = Encoder(*self.encoder_args).encrypt_token(
            VALID_SIGNED_JWT.encode(),
            self.kid,
            jwe_protected_header=header_bytes,
        )

        self.assert_in_decrypt_exception(token.decode(), "Algorithm not allowed")
    def test_jwe_key_not_2048_bits(self):
        """Check that a JWE with a truncated encrypted-key segment is refused.

        A fresh 32-byte content-encryption key is wrapped by the encoder, the
        wrapped value is shortened by its last two elements, and the token
        built from it is expected to fail decryption with an error mentioning
        "ValueError".
        """
        content_key = os.urandom(32)  # 256-bit random CEK

        encoder = Encoder(*self.encoder_args)
        encoder.cek = content_key

        # Wrap the CEK, then drop the final two elements so the wrapped key
        # no longer has its original length. Whether these are raw bytes or
        # encoded characters depends on _encrypted_key, which is not visible
        # here.
        wrapped_key = encoder._encrypted_key(content_key)  # pylint: disable=protected-access
        short_wrapped_key = wrapped_key[:-2]

        token = encoder.encrypt_token(
            VALID_SIGNED_JWT.encode(),
            self.kid,
            encrypted_key=short_wrapped_key,
        )

        # NOTE(review): matching on the literal "ValueError" ties this test
        # to the exception type raised during key unwrapping. Confirm the
        # substring comes from the length check and not another failure.
        self.assert_in_decrypt_exception(token.decode(), "ValueError")
    def test_cipher_text_corrupted(self):
        """Check that a JWE with a shortened ciphertext segment is refused.

        A valid token is produced, split into its five dot-separated
        segments, the ciphertext segment loses its last character, and the
        reassembled token must make ``JWEHelper.decrypt`` raise
        ``InvalidTokenException``.
        """
        token = Encoder(*self.encoder_args).encrypt_token(
            VALID_SIGNED_JWT.encode(), self.kid)

        # Compact serialisation order:
        # header . encrypted key . IV . ciphertext . tag
        segments = token.decode().split('.')

        # NOTE(review): dropping one character changes the length of the
        # encoded segment, so the rejection may come from decoding rather
        # than from authentication-tag verification; not determinable from
        # this block. A same-length alteration of the ciphertext would be
        # needed to pin the tag check specifically.
        truncated_cipher = segments[3][:-1]

        reassembled = ".".join((
            segments[0],
            segments[1],
            segments[2],
            truncated_cipher,
            segments[4],
        ))

        with pytest.raises(InvalidTokenException):
            JWEHelper.decrypt(reassembled, self.key_store,
                              KEY_PURPOSE_AUTHENTICATION)