def test_verify_protected_headers():
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
_key = ECKey().load_key(eck)
keys = [_key]
_jws = JWS(payload, alg="ES256")
protected = dict(header1=u"header1 is protected",
header2="header2 is protected too", a=1)
_jwt = _jws.sign_compact(keys, protected=protected)
protectedHeader, enc_payload, sig = _jwt.split(".")
data = dict(payload=enc_payload, signatures=[
dict(
header=dict(alg=u"ES256", jwk=_key.serialize()),
protected=protectedHeader,
signature=sig,
)
])
#_pub_key = ECKey().load_key(eck.public_key())
_jws = JWS()
assert _jws.verify_json(json.dumps(data)) == payload
def test_create_eckey():
ec_key = generate_private_key(NIST2SEC['P-256'], default_backend())
ec = ECKey(key=ec_key)
exp_key = ec.serialize()
assert _eq(list(exp_key.keys()), ["y", "x", "crv", "kty"])
def enc_setup(self, msg, key=None, auth_data=b'', **kwargs):
"""
:param msg: Message to be encrypted
:param auth_data:
:param key: An EC key
:param kwargs:
:return:
"""
encrypted_key = ""
self.msg = msg
self.auth_data = auth_data
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = get_random_bytes(16)
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = get_random_bytes(16)
# Handle Local Key and Ephemeral Public Key
if not key:
raise Exception("EC Key Required for ECDH-ES JWE Encryption Setup")
# epk is either an Elliptic curve key instance or a JWK description of
# one. This key belongs to the entity on the other side.
try:
_epk = kwargs['epk']
except KeyError:
_epk = ec.generate_private_key(NIST2SEC[as_unicode(key.crv)],
default_backend())
epk = ECKey().load_key(_epk.public_key())
else:
if isinstance(_epk, ec.EllipticCurvePublicKey):
epk = ECKey().load_key(_epk)
elif isinstance(_epk, ECKey):
epk = _epk
else:
raise ValueError("epk of a type I can't handle")
params = {
"apu": b64e(apu),
"apv": b64e(apv),
"epk": epk.serialize(False)
}
cek = iv = None
if 'cek' in kwargs and kwargs['cek']:
cek = kwargs['cek']
if 'iv' in kwargs and kwargs['iv']:
iv = kwargs['iv']
iv = self._generate_iv(self.enc, iv=iv)
if self.alg == "ECDH-ES":
try:
dk_len = KEY_LEN[self.enc]
except KeyError:
raise Exception(
"Unknown key length for algorithm %s" % self.enc)
cek = ecdh_derive_key(_epk, key.key, apu, apv,
str(self.enc).encode(), dk_len)
elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(_epk, key.key, apu, apv,
str(_post).encode(), klen)
cek = self._generate_key(self.enc, cek=cek)
encrypted_key = aes_key_wrap(kek, cek, default_backend())
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params, epk
