def test_verify_protected_headers(): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec.SECP256R1(), default_backend()) _key = ECKey().load_key(eck) keys = [_key] _jws = JWS(payload, alg="ES256") protected = dict(header1=u"header1 is protected", header2="header2 is protected too", a=1) _jwt = _jws.sign_compact(keys, protected=protected) protectedHeader, enc_payload, sig = _jwt.split(".") data = dict(payload=enc_payload, signatures=[ dict( header=dict(alg=u"ES256", jwk=_key.serialize()), protected=protectedHeader, signature=sig, ) ]) #_pub_key = ECKey().load_key(eck.public_key()) _jws = JWS() assert _jws.verify_json(json.dumps(data)) == payload
def test_create_eckey(): ec_key = generate_private_key(NIST2SEC['P-256'], default_backend()) ec = ECKey(key=ec_key) exp_key = ec.serialize() assert _eq(list(exp_key.keys()), ["y", "x", "crv", "kty"])
def enc_setup(self, msg, key=None, auth_data=b'', **kwargs): """ :param msg: Message to be encrypted :param auth_data: :param key: An EC key :param kwargs: :return: """ encrypted_key = "" self.msg = msg self.auth_data = auth_data # Generate the input parameters try: apu = b64d(kwargs["apu"]) except KeyError: apu = get_random_bytes(16) try: apv = b64d(kwargs["apv"]) except KeyError: apv = get_random_bytes(16) # Handle Local Key and Ephemeral Public Key if not key: raise Exception("EC Key Required for ECDH-ES JWE Encryption Setup") # epk is either an Elliptic curve key instance or a JWK description of # one. This key belongs to the entity on the other side. try: _epk = kwargs['epk'] except KeyError: _epk = ec.generate_private_key(NIST2SEC[as_unicode(key.crv)], default_backend()) epk = ECKey().load_key(_epk.public_key()) else: if isinstance(_epk, ec.EllipticCurvePublicKey): epk = ECKey().load_key(_epk) elif isinstance(_epk, ECKey): epk = _epk else: raise ValueError("epk of a type I can't handle") params = { "apu": b64e(apu), "apv": b64e(apv), "epk": epk.serialize(False) } cek = iv = None if 'cek' in kwargs and kwargs['cek']: cek = kwargs['cek'] if 'iv' in kwargs and kwargs['iv']: iv = kwargs['iv'] iv = self._generate_iv(self.enc, iv=iv) if self.alg == "ECDH-ES": try: dk_len = KEY_LEN[self.enc] except KeyError: raise Exception( "Unknown key length for algorithm %s" % self.enc) cek = ecdh_derive_key(_epk, key.key, apu, apv, str(self.enc).encode(), dk_len) elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]: _pre, _post = self.alg.split("+") klen = int(_post[1:4]) kek = ecdh_derive_key(_epk, key.key, apu, apv, str(_post).encode(), klen) cek = self._generate_key(self.enc, cek=cek) encrypted_key = aes_key_wrap(kek, cek, default_backend()) else: raise Exception("Unsupported algorithm %s" % self.alg) return cek, encrypted_key, iv, params, epk