def test_jwe_no_error_with_iat_claim(self):
claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et),
rsa_priv_key,
expiry_seconds=20)
def test_jwe(self):
bad_key = {'k': RSA.generate(2048).exportKey('PEM')}
for (alg, jwk), enc in product(self.algs, self.encs):
jwe = jose.encrypt(claims, rsa_pub_key, enc=enc, alg=alg)
# make sure the body can't be loaded as json (should be encrypted)
try:
json.loads(jose.b64decode_url(jwe.ciphertext))
self.fail()
except ValueError:
pass
token = jose.serialize_compact(jwe)
jwt = jose.legacy_decrypt(jose.deserialize_compact(token), rsa_priv_key)
self.assertNotIn(jose._TEMP_VER_KEY, claims)
self.assertEqual(jwt.claims, claims)
# invalid key
try:
jose.legacy_decrypt(jose.deserialize_compact(token), bad_key)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe(self):
bad_key = {'k': RSA.generate(2048).exportKey('PEM')}
for (alg, jwk), enc in product(self.algs, self.encs):
jwe = jose.encrypt(claims, rsa_pub_key, enc=enc, alg=alg)
# make sure the body can't be loaded as json (should be encrypted)
try:
json.loads(jose.b64decode_url(jwe.ciphertext))
self.fail()
except ValueError:
pass
token = jose.serialize_compact(jwe)
jwt = jose.legacy_decrypt(jose.deserialize_compact(token), rsa_priv_key)
self.assertNotIn(jose._TEMP_VER_KEY, claims)
self.assertEqual(jwt.claims, claims)
# invalid key
try:
jose.legacy_decrypt(jose.deserialize_compact(token), bad_key)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe_invalid_base64(self):
try:
jose.legacy_decrypt('aaa', rsa_priv_key)
self.fail() # expecting error due to invalid base64
except jose.Error as e:
pass
self.assertEqual(e.args[0],
'Unable to decode base64: Incorrect padding')
def test_jwe_invalid_base64(self):
try:
jose.legacy_decrypt('aaa', rsa_priv_key)
self.fail() # expecting error due to invalid base64
except jose.Error as e:
pass
self.assertEquals(
e.args[0],
'Unable to decode base64: Incorrect padding'
)
def test_jwe_not_yet_valid_error_with_nbf_claim(self):
claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
try:
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
self.fail() # expecting not valid yet
except jose.NotYetValid as e:
pass
self.assertEqual(
e.args[0], 'Token not valid until {}'.format(
jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE])))
def test_jwe_expired_error_with_exp_claim(self):
claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
try:
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
self.fail() # expecting expired token
except jose.Expired as e:
pass
self.assertEqual(
e.args[0], 'Token expired at {}'.format(
jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME])))
def test_decrypt_invalid_compression_error(self):
jwe = jose.encrypt(claims, rsa_pub_key, compression='DEF')
header = jose.b64encode_url(
jose.json_encode(
{"alg": "RSA-OAEP", "enc": "A128CBC-HS256",
jose._TEMP_VER_KEY: jose._TEMP_VER, "zip": "BAD"}
)
)
try:
jose.legacy_decrypt(jose.JWE(*((header,) + (jwe[1:]))),
rsa_priv_key)
self.fail()
except jose.Error as e:
self.assertEqual(
e.message, 'Unsupported compression algorithm: BAD')
def test_jwe_not_yet_valid_error_with_nbf_claim(self):
claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
try:
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
self.fail() # expecting not valid yet
except jose.NotYetValid as e:
pass
self.assertEquals(
e.args[0],
'Token not valid until {}'.format(
jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE])
)
)
def test_jwe_expired_error_with_exp_claim(self):
claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
try:
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
self.fail() # expecting expired token
except jose.Expired as e:
pass
self.assertEquals(
e.args[0],
'Token expired at {}'.format(
jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME])
)
)
def test_decrypt_invalid_compression_error(self):
jwe = jose.encrypt(claims, rsa_pub_key, compression='DEF')
header = jose.b64encode_url(
jose.json_encode(
{"alg": "RSA-OAEP", "enc": "A128CBC-HS256",
jose._TEMP_VER_KEY: jose._TEMP_VER, "zip": "BAD"}
)
)
try:
jose.legacy_decrypt(jose.JWE(*((header,) + (jwe[1:]))),
rsa_priv_key)
self.fail()
except jose.Error as e:
self.assertEqual(
e.message, 'Unsupported compression algorithm: BAD')
def test_jwe_adata(self):
adata = '42'
for (alg, jwk), enc in product(self.algs, self.encs):
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key,
adata=adata))
jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key,
adata=adata)
# make sure signatures don't match when adata isn't passed in
try:
hdr, dt = jose.legacy_decrypt(jose.deserialize_compact(et),
rsa_priv_key)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Mismatched authentication tags')
self.assertEqual(jwt.claims, claims)
def test_jwe_adata(self):
adata = '42'
for (alg, jwk), enc in product(self.algs, self.encs):
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key,
adata=adata))
jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key,
adata=adata)
# make sure signaures don't match when adata isn't passed in
try:
hdr, dt = jose.legacy_decrypt(jose.deserialize_compact(et),
rsa_priv_key)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Mismatched authentication tags')
self.assertEqual(jwt.claims, claims)
def test_jwe_expired_error_with_iat_claim(self):
expiry_seconds = 10
claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
try:
jose.legacy_decrypt(jose.deserialize_compact(et),
rsa_priv_key,
expiry_seconds=expiry_seconds)
self.fail() # expecting expired token
except jose.Expired as e:
pass
expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds
self.assertEqual(
e.args[0], 'Token expired at {}'.format(
jose._format_timestamp(expiration_time)))
def test_jwe_add_header(self):
add_header = {'foo': 'bar'}
for (alg, jwk), enc in product(self.algs, self.encs):
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key,
add_header=add_header))
jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
self.assertEqual(jwt.header['foo'], add_header['foo'])
def test_jwe_add_header(self):
add_header = {'foo': 'bar'}
for (alg, jwk), enc in product(self.algs, self.encs):
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key,
add_header=add_header))
jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
self.assertEqual(jwt.header['foo'], add_header['foo'])
def test_jwe_expired_error_with_iat_claim(self):
expiry_seconds = 10
claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
try:
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key,
expiry_seconds=expiry_seconds)
self.fail() # expecting expired token
except jose.Expired as e:
pass
expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds
self.assertEquals(
e.args[0],
'Token expired at {}'.format(
jose._format_timestamp(expiration_time)
)
)
def test_jwe_compression(self):
local_claims = copy(claims)
for v in xrange(1000):
local_claims['dummy_' + str(v)] = '0' * 100
jwe = jose.serialize_compact(jose.encrypt(local_claims, rsa_pub_key))
_, _, _, uncompressed_ciphertext, _ = jwe.split('.')
jwe = jose.serialize_compact(jose.encrypt(local_claims, rsa_pub_key,
compression='DEF'))
_, _, _, compressed_ciphertext, _ = jwe.split('.')
self.assertTrue(len(compressed_ciphertext) <
len(uncompressed_ciphertext))
jwt = jose.legacy_decrypt(jose.deserialize_compact(jwe), rsa_priv_key)
self.assertEqual(jwt.claims, local_claims)
def test_jwe_compression(self):
local_claims = copy(claims)
for v in xrange(1000):
local_claims['dummy_' + str(v)] = '0' * 100
jwe = jose.serialize_compact(jose.encrypt(local_claims, rsa_pub_key))
_, _, _, uncompressed_ciphertext, _ = jwe.split('.')
jwe = jose.serialize_compact(jose.encrypt(local_claims, rsa_pub_key,
compression='DEF'))
_, _, _, compressed_ciphertext, _ = jwe.split('.')
self.assertTrue(len(compressed_ciphertext) <
len(uncompressed_ciphertext))
jwt = jose.legacy_decrypt(jose.deserialize_compact(jwe), rsa_priv_key)
self.assertEqual(jwt.claims, local_claims)
def test_jwe_ignores_expired_token_if_validate_claims_is_false(self):
claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key,
validate_claims=False)
def test_jwe_no_error_with_nbf_claim(self):
claims = {jose.CLAIM_NOT_BEFORE: int(time()) - 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_no_error_with_exp_claim(self):
claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) + 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_ignores_expired_token_if_validate_claims_is_false(self):
claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key,
validate_claims=False)
def test_jwe_no_error_with_iat_claim(self):
claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key,
expiry_seconds=20)
def test_jwe_no_error_with_exp_claim(self):
claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) + 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_no_error_with_nbf_claim(self):
claims = {jose.CLAIM_NOT_BEFORE: int(time()) - 5}
et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key))
jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)