def test_jws_verifier_with_kid(self):
# Sign
priv_key1 = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_priv_key_kid1)
signer1 = jws.JwsPublicKeySign(priv_key1)
signed_token_kid1 = signer1.sign(self.test_header_es256_kid1,
self.test_payload)
priv_key2 = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_priv_key_kid2)
signer2 = jws.JwsPublicKeySign(priv_key2)
signed_token_kid2 = signer2.sign(self.test_header_es256_kid2,
self.test_payload)
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_pub_key_kid1)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verifier.verify(signed_token_kid1)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token_kid1):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
# The signature is valid but the kids don't match.
self.assertRaises(SecurityException, verifier.verify,
signed_token_kid2)
def test_jws_ec_from_cryptography_key(self):
# Sign the token.
priv_key = load_pem_private_key(
self.test_pem_ec_p256_priv_key.encode('utf-8'),
None,
backend=backends.default_backend())
jwk_priv_key = jws.CleartextJwkSetReader.from_cryptography_key(
priv_key, 'ES256')
signer = jws.JwsPublicKeySign(jwk_priv_key)
signed_token = signer.sign(self.test_header_es256, self.test_payload)
# Verify the token.
# The real use case is that cryptography supports extracting public key from
# certificate, but we simulate it here by reading it from PEM.
pub_key = load_pem_public_key(
self.test_pem_ec_p256_pub_key.encode('utf-8'),
backend=backends.default_backend())
jwk_pub_key = jws.CleartextJwkSetReader.from_cryptography_key(
pub_key, 'ES256')
verifier = jws.JwsPublicKeyVerify(jwk_pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_rsa_signer_and_verifier(self):
algs = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']
for alg in algs:
json_priv_key = json.loads(self.json_rsa_priv_key)
json_priv_key['alg'] = alg
json_priv_key = json.dumps(json_priv_key)
json_pub_key = json.loads(self.json_rsa_pub_key)
json_pub_key['alg'] = alg
json_pub_key = json.dumps(json_pub_key)
json_header_rsa = dict(self.test_header_rsa)
json_header_rsa['alg'] = alg
# Sign
priv_key = jws.CleartextJwkSetReader.from_json(json_priv_key)
signer = jws.JwsPublicKeySign(priv_key)
signed_token = signer.sign(json_header_rsa, self.test_payload)
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(json_pub_key)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def __init__(self, jwk_set):
"""Constructor for JwtPublicKeySign.
Args:
jwk_set: a JwkSet.
Raises:
UnsupportedAlgorithm: if the algorihtm is not defined at
https://tools.ietf.org/html/rfc7518#section-3.1 or if jwk is not Rsa or
Ecdsa key.
"""
self.signer = jws.JwsPublicKeySign(jwk_set)
def test_jws_ecdsa_signer_verifier_es256(self):
# Sign
priv_key = jws.CleartextJwkSetReader.from_json(
self.es256_ecdsa_priv_key)
signer = jws.JwsPublicKeySign(priv_key)
signed_token = signer.sign(self.test_header_es256, self.test_payload)
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(self.es256_ecdsa_pub_key)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_ec_from_pem_key(self):
# Sign the token
rsa_priv_key = jws.CleartextJwkSetReader.from_pem(
self.test_pem_ec_p256_priv_key.encode('utf-8'), 'ES256')
signer = jws.JwsPublicKeySign(rsa_priv_key)
signed_token = signer.sign(self.test_header_es256, self.test_payload)
# Verify the token
rsa_pub_key = jws.CleartextJwkSetReader.from_pem(
self.test_pem_ec_p256_pub_key.encode('utf-8'), 'ES256')
verifier = jws.JwsPublicKeyVerify(rsa_pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_with_mismatch_kid_or_algorithm(self):
hmac_key = jws.CleartextJwkSetReader.from_json(self.json_hmac_key)
authenticator = jws.JwsMacAuthenticator(hmac_key)
json_header_hmac = dict(self.test_header_hmac)
# Change the algorithm to a wrong one.
json_header_hmac['alg'] = 'HS512'
self.assertRaises(SecurityException, authenticator.authenticate,
json_header_hmac, self.test_payload)
priv_key = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_priv_key_kid1)
signer = jws.JwsPublicKeySign(priv_key)
json_header_es256 = dict(self.test_header_es256_kid1)
# Change the algorithm to a wrong one.
json_header_es256['alg'] = 'ES512'
self.assertRaises(SecurityException, signer.sign, json_header_es256,
self.test_payload)
json_header_es256 = dict(self.test_header_es256_kid1)
# Change kid to a wrong one.
json_header_es256['kid'] = 'kid0'
self.assertRaises(SecurityException, signer.sign, json_header_es256,
self.test_payload)