def public_jwks_bundle(jwks_bundle):
jb_copy = JWKSBundle('')
for fo, kj in jwks_bundle.bundle.items():
kj_copy = KeyJar()
for owner in kj.owners():
public_keys_keyjar(kj, owner, kj_copy, owner)
jb_copy.bundle[fo] = kj_copy
return jb_copy
def test_create_verify_fo_keys_bundle():
jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar)
jb[FOP.iss] = FOP.keyjar
jb[FO1P.iss] = FO1P.keyjar
sb = jb.create_signed_bundle()
kj = public_keys_keyjar(ORGOP.keyjar, '', None, ORGOP.iss)
_jwt = verify_signed_bundle(sb, kj)
bundle = _jwt["bundle"]
assert set(bundle.keys()) == {FOP.iss, FO1P.iss}
def test_pack_metadata_statement_other_alg():
_keyjar = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=_keyjar, iss='https://example.com/')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req, alg='ES256')
assert sms # Should be a signed JWT
_jwt = factory(sms)
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == 'https://example.com/'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
def test_unpack_aggregated_response(self):
claims = {
"address": {
"street_address": "1234 Hollywood Blvd.",
"locality": "Los Angeles",
"region": "CA",
"postal_code": "90210",
"country": "US"
},
"phone_number": "+1 (555) 123-4567"
}
_keyjar = build_keyjar(KEYSPEC)[1]
srv = JWT(_keyjar, iss='https://example.org/op/', sign_alg='ES256')
_jwt = srv.pack(payload=claims)
resp = OpenIDSchema(sub='diana',
given_name='Diana',
family_name='krall',
_claim_names={
'address': 'src1',
'phone_number': 'src1'
},
_claim_sources={'src1': {
'JWT': _jwt
}})
public_keys_keyjar(_keyjar, '', self.cli_info.keyjar,
'https://example.org/op/')
_resp = self.req.parse_response(resp.to_json(), self.cli_info)
assert set(_resp.keys()) == {
'sub', 'given_name', 'family_name', '_claim_names',
'_claim_sources', 'address', 'phone_number'
}
def test_pack_and_unpack_ms_lev0():
cms = ClientMetadataStatement(signing_keys=json.dumps(
FOP.keyjar.export_jwks_as_json()),
contacts=['*****@*****.**'])
_jwt = FOP.pack_metadata_statement(cms, alg='RS256', scope=['openid'])
assert _jwt
json_ms = unfurl(_jwt)
# print(json_ms.keys())
assert set(json_ms.keys()) == {
'signing_keys', 'iss', 'iat', 'exp', 'kid', 'scope', 'contacts', 'aud'
}
# Unpack what you have packed
_kj = public_keys_keyjar(FOP.keyjar, '', None, FOP.iss)
op = Operator(_kj, jwks_bundle=public_jwks_bundle(FOP.jwks_bundle))
pr = op.unpack_metadata_statement(jwt_ms=_jwt)
assert pr.result
def test_sign_verify():
bundle = JWKSBundle(ISS, SIGN_KEYS)
bundle['https://www.swamid.se'] = KEYJAR['https://www.swamid.se']
bundle['https://www.sunet.se'] = KEYJAR['https://www.sunet.se']
bundle['https://www.feide.no'] = KEYJAR['https://www.feide.no']
_jws = bundle.create_signed_bundle()
bundle2 = JWKSBundle(ISS2)
verify_keys = public_keys_keyjar(SIGN_KEYS.copy(), '', None, ISS)
bundle2.upload_signed_bundle(_jws, verify_keys)
assert set(bundle.keys()) == set(bundle2.keys())
# Again can't compare straight off because bundle contains private keys
# while bundle2 contains the public equivalents.
for iss, kj in bundle.items():
assert len(kj.get_issuer_keys(iss)) == len(
bundle2[iss].get_issuer_keys(iss))
def test_pack_metadata_statement():
jb = FSJWKSBundle('',
None,
'fo_jwks',
key_conv={
'to': quote_plus,
'from': unquote_plus
})
_keyjar = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=_keyjar, jwks_bundle=jb, iss='https://example.com/')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req)
assert sms # Should be a signed JWT
_jwt = factory(sms)
assert _jwt
assert _jwt.jwt.headers['alg'] == 'RS256'
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == op.iss
assert _body['issuer'] == 'https://example.org/op'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
"type": "RSA",
"use": ["enc"]
},
{
"type": "EC",
"crv": "P-256",
"use": ["enc"]
},
]
RECEIVER = 'https://example.org/op'
keyjar = build_keyjar(KEYSPEC)[1]
# reading and writing to the same KeyJAr instance
public_keys_keyjar(keyjar, '', keyjar, RECEIVER)
def test_request_object_encryption():
msg = AuthorizationRequest(state='ABCDE',
redirect_uri='https://example.com/cb',
response_type='code')
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
}
client_info = ClientInfo(keyjar=keyjar, config=conf)
client_info.behaviour["request_object_encryption_alg"] = 'RSA1_5'
client_info.behaviour["request_object_encryption_enc"] = "A128CBC-HS256"