def test_verify_success(self): to_sign = b"foo" signer = PyCryptoSigner.from_string(self._load_private_key_bytes()) actual_signature = signer.sign(to_sign) verifier = PyCryptoVerifier.from_string(self._load_public_cert_bytes(), is_x509_cert=True) self.assertTrue(verifier.verify(to_sign, actual_signature))
def test_verify_success(self): to_sign = b'foo' signer = PyCryptoSigner.from_string(self._load_private_key_bytes()) actual_signature = signer.sign(to_sign) verifier = PyCryptoVerifier.from_string(self._load_public_key_bytes(), is_x509_cert=True) self.assertTrue(verifier.verify(to_sign, actual_signature))
def test_from_string_unicode_key(self): public_key = self._load_public_key_bytes() public_key = public_key.decode('utf-8') verifier = PyCryptoVerifier.from_string(public_key, is_x509_cert=True) self.assertTrue(isinstance(verifier, PyCryptoVerifier))
def test_verify_bad_key(self): verifier = PyCryptoVerifier.from_string(self._load_public_key_bytes(), is_x509_cert=True) bad_signature = b'' self.assertFalse(verifier.verify(b'foo', bad_signature))
def verify_signed_jwt_with_keys(jwt, keys, audience): """Verify a JWT against public keys. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: jwt: string, A JWT. Returns: dict, The deserialized JSON payload in the JWT. Raises: AppIdentityError if any checks are failed. """ segments = jwt.split('.') if len(segments) != 3: raise AppIdentityError('Wrong number of segments in token: %s' % jwt) signed = '%s.%s' % (segments[0], segments[1]) header = simplejson.loads(_urlsafe_b64decode(segments[0])) signature = _urlsafe_b64decode(segments[2]) # Parse token. json_body = _urlsafe_b64decode(segments[1]) try: parsed = json.loads(json_body) except: raise AppIdentityError('Can\'t parse token: %s' % json_body) # Check signature. verified = False for pem in keys: verifier = PyCryptoVerifier.from_string(pem, False) if verifier.verify(signed, signature): verified = True break if not verified: raise AppIdentityError('Invalid token signature: %s' % jwt) # Check creation timestamp. iat = parsed.get('iat') if iat is None: raise AppIdentityError('No iat field in token: %s' % json_body) earliest = iat - CLOCK_SKEW_SECS # Check expiration timestamp. now = long(time.time()) exp = parsed.get('exp') if exp is None: raise AppIdentityError('No exp field in token: %s' % json_body) if exp >= now + MAX_TOKEN_LIFETIME_SECS: raise AppIdentityError('exp field too far in future: %s' % json_body) latest = exp + CLOCK_SKEW_SECS if now < earliest: raise AppIdentityError('Token used too early, %d < %d: %s' % (now, earliest, json_body)) if now > latest: raise AppIdentityError('Token used too late, %d > %d: %s' % (now, latest, json_body)) # Check audience. if audience is not None: aud = parsed.get('aud') if aud is None: raise AppIdentityError('No aud field in token: %s' % json_body) if aud != audience: raise AppIdentityError('Wrong recipient, %s != %s: %s' % (aud, audience, json_body)) return {'header' : header, 'body' : parsed}
def test_verify_failure(self): verifier = PyCryptoVerifier.from_string(self._load_public_cert_bytes(), is_x509_cert=True) bad_signature = b"" self.assertFalse(verifier.verify(b"foo", bad_signature))