def test_jws_verify_with_wrong_keypair(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(utils.base64url_decode(jws["signatures"][0]["protected"])))
header["alg"] = "bog"
jws["signatures"][0]["protected"] = utils.to_string(utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_jws_verify_no_signatures(self):
jws = jwts.make_jws({"a": 1}, [])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
def test_jws_verify_mismatched_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
# this test requires equal-length arrays, with some overlap
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:3])
jwts.verify_jws(jws, self.keypairs[1:3], verify_all=False)
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(utils.base64url_decode(jws["signatures"][0]["protected"])))
del header["kid"]
jws["signatures"][0]["protected"] = utils.to_string(utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_jws_verify_no_signatures(self):
jws = jwts.make_jws({"a": 1}, [])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
def test_jws_verify_with_wrong_keypair(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
def test_jws_verify_mismatched_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
# this test requires equal-length arrays, with some overlap
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:3])
jwts.verify_jws(jws, self.keypairs[1:3], verify_all=False)
def test_extend_jws_signatures_from_jwt_no_kid(self):
keypair = service.create_secret_key()
kid = str(uuid.uuid4())
jwt = jwts.make_jwt({'a': 1}, keypair)
jws = jwts.extend_jws_signatures(jwt, self.keypairs, kid)
keypair.identity = kid
keypairs = self.keypairs + [keypair]
jwts.verify_jws(jws, keypairs).should.be.a(dict)
def test_invalid_message_not_a_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws_dict = json.loads(jws)
no_payload = {k: v for k, v in jws_dict.items() if k != 'payload'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_payload), self.keypairs[:2])
no_sigs = {k: v for k, v in jws_dict.items() if k != 'signatures'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_sigs), self.keypairs[:2])
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(
utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])))
del header['kid']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(
utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])))
header['alg'] = 'bog'
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_message_not_a_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws_dict = json.loads(jws)
no_payload = {k: v for k, v in jws_dict.items() if k != 'payload'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_payload), self.keypairs[:2])
no_sigs = {k: v for k, v in jws_dict.items() if k != 'signatures'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_sigs), self.keypairs[:2])
def test_prepare_message(self):
sess = session.ServerSession(identity_credentials=self.server_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials)
authenticated_data = sess.prepare_message(oneid_response=self.oneid_response)
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
]
jwts.verify_jws(authenticated_data, keypairs).should.be.a(dict)
def test_missing_typ_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
del header['typ']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
header['alg'] = 'bog'
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def _create_and_verify_good_jws(self, claims, keypairs=None):
keypairs = keypairs or self.keypairs
jws = jwts.make_jws(claims, keypairs)
self.assertIsInstance(jws, str)
verifications = [jwts.verify_jws(jws, keypairs), jwts.verify_jws(jws), jwts.verify_jws(utils.to_bytes(jws))]
for verification in verifications:
self.assertTrue(verification)
for claim in claims:
self.assertIn(claim, verification)
self.assertEqual(verification.get(claim), claims[claim])
def test_reset_keys(self):
sess = session.ServerSession(
identity_credentials=self.server_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials
)
authenticated_data = sess.prepare_message(
oneid_response=self.oneid_response,
rekey_credentials=[
self.resetA_credentials,
self.resetB_credentials,
self.resetC_credentials,
]
)
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
self.resetA_credentials.keypair,
self.resetB_credentials.keypair,
self.resetC_credentials.keypair,
]
verified = jwts.verify_jws(authenticated_data, keypairs)
self.assertIsInstance(verified, dict)
def test_reset_keys(self, mock_request):
sess = session.ServerSession(
identity_credentials=self.id_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials,
config=self.fake_config,
)
authenticated_data = sess.prepare_message(a=1,
b=2,
rekey_credentials=[
self.resetA_credentials,
self.resetB_credentials,
self.resetC_credentials,
])
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
self.resetA_credentials.keypair,
self.resetB_credentials.keypair,
self.resetC_credentials.keypair,
]
verified = jwts.verify_jws(authenticated_data, keypairs)
self.assertIsInstance(verified, dict)
def test_extend_jws_signatures_from_jwt_single_key(self):
jwt = jwts.make_jwt({'a': 1}, self.keypairs[0])
jws = jwts.extend_jws_signatures(jwt, self.keypairs[1],
self.keypairs[1].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs[:2])
self.assertIsInstance(verified_msg, dict)
def test_prepare_message_encrypted_session(self, mock_request):
peer_credentials = self.alt_credentials
sess = session.ServerSession(
identity_credentials=self.id_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials,
peer_credentials=peer_credentials,
config=self.fake_config,
)
jws = sess.prepare_message(
a=1,
b=2,
)
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
]
jwe = jwts.verify_jws(jws, keypairs)
claims = jwes.decrypt_jwe(jwe, peer_credentials.keypair)
self.assertIsInstance(claims, dict)
self.assertIn('a', claims)
self.assertIn('b', claims)
def test_reset_keys(self, mock_request):
sess = session.ServerSession(
identity_credentials=self.id_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials,
config=self.fake_config,
)
authenticated_data = sess.prepare_message(
a=1, b=2,
rekey_credentials=[
self.resetA_credentials,
self.resetB_credentials,
self.resetC_credentials,
]
)
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
self.resetA_credentials.keypair,
self.resetB_credentials.keypair,
self.resetC_credentials.keypair,
]
verified = jwts.verify_jws(authenticated_data, keypairs)
self.assertIsInstance(verified, dict)
def _create_and_verify_good_jws(self, claims, keypairs=None):
keypairs = keypairs or self.keypairs
jws = jwts.make_jws(claims, keypairs)
jws.should.be.a(str)
verifications = [
jwts.verify_jws(jws, keypairs),
jwts.verify_jws(jws),
jwts.verify_jws(utils.to_bytes(jws)),
]
for verification in verifications:
verification.should.be.truthy
for claim in claims:
verification.should.have.key(claim).equal_to(claims[claim])
def _handle_auth_endpoint(headers=None, data=None):
logger.debug('data=%s', data)
try:
oneid_key = keychain.Keypair.from_secret_pem(
key_bytes=TestSession.oneid_key_bytes, )
oneid_key.identity = 'oneID'
jwts.verify_jws(data)
jws = jwts.extend_jws_signatures(data, oneid_key)
logger.debug('jws=%s', jws)
return MockResponse(jws, 200)
except InvalidSignature:
logger.debug('invalid signature', exc_info=True)
return MockResponse('Forbidden', 403)
return MockResponse('Internal Server Error', 500)
def test_extend_jws_signatures_from_jwt(self):
jwt = jwts.make_jwt({"a": 1}, self.keypairs[0])
jws = jwts.extend_jws_signatures(jwt, self.keypairs[1:],
self.keypairs[0].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs)
self.assertIsInstance(verified_msg, dict)
def test_jws_verify_any_signature_is_ok(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
verified_msg = jwts.verify_jws(jws,
self.keypairs[:2],
verify_all=False)
self.assertIn("a", verified_msg)
def test_extend_jws_signatures_from_jwt_single_key(self):
jwt = jwts.make_jwt({'a': 1}, self.keypairs[0])
jws = jwts.extend_jws_signatures(jwt,
self.keypairs[1],
self.keypairs[1].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs[:2])
self.assertIsInstance(verified_msg, dict)
def test_extend_jws_signatures_from_jwt(self):
jwt = jwts.make_jwt({"a": 1}, self.keypairs[0])
jws = jwts.extend_jws_signatures(jwt,
self.keypairs[1:],
self.keypairs[0].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs)
self.assertIsInstance(verified_msg, dict)
def test_prepare_message(self):
sess = session.DeviceSession(self.id_credentials)
jws = sess.prepare_message(a=1)
claims = jwts.verify_jws(jws, self.id_credentials.keypair)
claims.should.be.a(dict)
claims.should.have.key('a').equal_to(1)
def test_prepare_message(self):
sess = session.DeviceSession(self.id_credentials)
jws = sess.prepare_message(a=1)
claims = jwts.verify_jws(jws, self.id_credentials.keypair)
self.assertIsInstance(claims, dict)
self.assertIn("a", claims)
self.assertEqual(claims.get("a"), 1)
def _create_and_verify_good_jws(self, claims, keypairs=None):
keypairs = keypairs or self.keypairs
jws = jwts.make_jws(claims, keypairs)
self.assertIsInstance(jws, str)
verifications = [
jwts.verify_jws(jws, keypairs),
jwts.verify_jws(jws),
jwts.verify_jws(utils.to_bytes(jws)),
]
for verification in verifications:
self.assertTrue(verification)
for claim in claims:
self.assertIn(claim, verification)
self.assertEqual(verification.get(claim), claims[claim])
def test_prepare_message(self):
sess = session.DeviceSession(self.id_credentials)
jws = sess.prepare_message(a=1)
claims = jwts.verify_jws(jws, self.id_credentials.keypair)
self.assertIsInstance(claims, dict)
self.assertIn("a", claims)
self.assertEqual(claims.get("a"), 1)
def test_extend_jws_signatures_from_jwt_no_kid(self):
keypair = service.create_secret_key()
kid = str(uuid.uuid4())
jwt = jwts.make_jwt({'a': 1}, keypair)
jws = jwts.extend_jws_signatures(jwt, self.keypairs, kid)
keypair.identity = kid
keypairs = self.keypairs + [keypair]
verified_msg = jwts.verify_jws(jws, keypairs)
self.assertIsInstance(verified_msg, dict)
def test_extend_jws_signatures_from_jwt_no_kid(self):
keypair = service.create_secret_key()
kid = str(uuid.uuid4())
jwt = jwts.make_jwt({'a': 1}, keypair)
jws = jwts.extend_jws_signatures(jwt, self.keypairs, kid)
keypair.identity = kid
keypairs = self.keypairs + [keypair]
verified_msg = jwts.verify_jws(jws, keypairs)
self.assertIsInstance(verified_msg, dict)
def test_missing_nonce(self):
jws = json.dumps({
"payload":
"eyJhIjogMX0",
"signatures": [{
"protected": ("eyJ0eXAiOiAiSk9TRStKU09OIiwgImFsZyI6ICJFUzI1"
"NiIsICJraWQiOiAiMTIzNDUifQ"),
"signature": ("9PXHibGclG2wNT5f6BZhkk6YGFI0kUSITBWlmBQIKipL"
"N-UMPKvKUMvelhZX7EIqNpmZB7b9LvIiiNYZ6NFkJg")
}]
})
self.assertTrue(jwts.verify_jws(jws, self.keypair))
def test_prepare_message_encrypted_to_other(self):
sess = session.DeviceSession(self.id_credentials)
jws = sess.prepare_message(a=1,
other_recipients=[self.peer_credentials])
jwe = jwts.verify_jws(jws, self.id_credentials.keypair)
self.assertTrue(jose.is_jwe(jwe))
claims = jwes.decrypt_jwe(jwe, self.peer_credentials.keypair)
self.assertIsInstance(claims, dict)
self.assertIn("a", claims)
self.assertEqual(claims.get("a"), 1)
def test_add_signature_to_jws(self):
claims = {
'a': 1,
}
sess = session.DeviceSession(self.id_credentials)
jws1 = jwts.make_jws(claims, self.alt_credentials.keypair)
jws2 = sess.add_signature(jws1)
claims = jwts.verify_jws(
jws2, [self.alt_credentials.keypair, self.id_credentials.keypair])
self.assertIsInstance(claims, dict)
self.assertIn("a", claims)
self.assertEqual(claims.get("a"), 1)
def test_prepare_message(self):
sess = session.ServerSession(
identity_credentials=self.server_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials)
authenticated_data = sess.prepare_message(
oneid_response=self.oneid_response)
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
]
verified = jwts.verify_jws(authenticated_data, keypairs)
self.assertIsInstance(verified, dict)
def test_prepare_message_by_param(self, mock_request):
sess = session.ServerSession(
identity_credentials=self.id_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials,
config=self.fake_config,
)
authenticated_data = sess.prepare_message(
raw_message='hello',
)
keypairs = [
self.oneid_credentials.keypair,
self.project_credentials.keypair,
]
verified = jwts.verify_jws(authenticated_data, keypairs)
self.assertIsInstance(verified, dict)
self.assertIn('message', verified)
def test_remove_jws_signature_list(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
ids = [keypair.identity for keypair in self.keypairs[:2]]
jws = jwts.remove_jws_signatures(jws, ids)
verified_msg = jwts.verify_jws(jws, self.keypairs[2:])
self.assertIsInstance(verified_msg, dict)
def test_remove_jws_signature(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
jws = jwts.remove_jws_signatures(jws, self.keypairs[0].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs[1:])
self.assertIsInstance(verified_msg, dict)
def test_jws_verify_invalid_signature(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
jws['signatures'][0]['signature'] = 'bogus'
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_extend_jws_signatures_from_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws = jwts.extend_jws_signatures(jws, self.keypairs[2:])
verified_msg = jwts.verify_jws(jws, self.keypairs)
self.assertIsInstance(verified_msg, dict)
def test_jwt_verify_with_redundant_keypairs(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidKeyError):
jwts.verify_jws(jws, self.keypairs[:1] * 2)
def test_jws_verify_too_many_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[:1])
def test_jwt_verify_with_mult_sigs(self):
jwt = jwts.make_jwt({'a': 1}, self.keypairs[0])
with self.assertRaises(Exception):
jwts.verify_jws(jwt, self.keypairs[:2])
def test_extend_jws_signatures_from_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws = jwts.extend_jws_signatures(jws, self.keypairs[2:])
verified_msg = jwts.verify_jws(jws, self.keypairs)
self.assertIsInstance(verified_msg, dict)
def test_remove_bytes_jws_signature(self):
jws = utils.to_bytes(jwts.make_jws({'a': 1}, self.keypairs))
jws = jwts.remove_jws_signatures(jws, self.keypairs[0].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs[1:])
self.assertIsInstance(verified_msg, dict)
def test_verify_jws_from_jwt(self):
jwt = jwts.make_jwt({'a': 1}, self.keypairs[0])
verified_msg = jwts.verify_jws(jwt, self.keypairs[0])
self.assertIsInstance(verified_msg, dict)
def test_jwt_verify_with_redundant_keypairs(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidKeyError):
jwts.verify_jws(jws, self.keypairs[:1] * 2)
def test_jws_verify_invalid_signature(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
jws['signatures'][0]['signature'] = 'bogus'
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_jws_verify_any_signature_is_ok(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
verified_msg = jwts.verify_jws(jws, self.keypairs[:2], verify_all=False)
self.assertIn("a", verified_msg)
def test_jws_verify_invalid_signature(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
jws["signatures"][0]["signature"] = "bogus"
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_jws_verify_too_many_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[:1])
def test_remove_jws_signature_list(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
ids = [keypair.identity for keypair in self.keypairs[:2]]
jws = jwts.remove_jws_signatures(jws, ids)
verified_msg = jwts.verify_jws(jws, self.keypairs[2:])
self.assertIsInstance(verified_msg, dict)
def test_jwt_verify_with_mult_sigs(self):
jwt = jwts.make_jwt({'a': 1}, self.keypairs[0])
with self.assertRaises(Exception):
jwts.verify_jws(jwt, self.keypairs[:2])
def test_verify_jws_from_jwt(self):
jwt = jwts.make_jwt({'a': 1}, self.keypairs[0])
verified_msg = jwts.verify_jws(jwt, self.keypairs[0])
self.assertIsInstance(verified_msg, dict)
