def test_only_tink_output_prefix_type_encodes_a_kid_header(self): handle = tink.new_keyset_handle(jwt.raw_jwt_hs256_template()) jwt_mac = handle.primitive(jwt.JwtMac) tink_handle = _change_output_prefix_to_tink(handle) tink_jwt_mac = tink_handle.primitive(jwt.JwtMac) raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True) token = jwt_mac.compute_mac_and_encode(raw_jwt) token_with_kid = tink_jwt_mac.compute_mac_and_encode(raw_jwt) _, header, _, _ = _jwt_format.split_signed_compact(token) self.assertNotIn('kid', _json_util.json_loads(header)) _, header_with_kid, _, _ = _jwt_format.split_signed_compact( token_with_kid) self.assertIn('kid', _json_util.json_loads(header_with_kid)) validator = jwt.new_validator(expected_issuer='issuer', allow_missing_expiration=True) jwt_mac.verify_mac_and_decode(token, validator) tink_jwt_mac.verify_mac_and_decode(token_with_kid, validator) # With output prefix type RAW, a kid header is ignored jwt_mac.verify_mac_and_decode(token_with_kid, validator) # With output prefix type TINK, a kid header is required. with self.assertRaises(tink.TinkError): tink_jwt_mac.verify_mac_and_decode(token, validator) other_handle = _change_key_id(tink_handle) other_jwt_mac = other_handle.primitive(jwt.JwtMac) # A token with a wrong kid is rejected, even if the signature is ok. with self.assertRaises(tink.TinkError): other_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
def test_raw_key_with_custom_kid_header(self, template): # normal key with output prefix RAW handle = tink.new_keyset_handle(template) raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True) validator = jwt.new_validator( expected_issuer='issuer', allow_missing_expiration=True) sign = handle.primitive(jwt.JwtPublicKeySign) token = sign.sign_and_encode(raw_jwt) verify = handle.public_keyset_handle().primitive(jwt.JwtPublicKeyVerify) verify.verify_and_decode(token, validator) _, json_header, _, _ = _jwt_format.split_signed_compact(token) self.assertNotIn('kid', _json_util.json_loads(json_header)) # key with a custom_kid set custom_kid_handle = _set_custom_kid(handle, custom_kid=LONG_CUSTOM_KID) custom_kid_sign = custom_kid_handle.primitive(jwt.JwtPublicKeySign) token_with_kid = custom_kid_sign.sign_and_encode(raw_jwt) custom_kid_verify = custom_kid_handle.public_keyset_handle().primitive( jwt.JwtPublicKeyVerify) custom_kid_verify.verify_and_decode(token_with_kid, validator) _, header_with_kid, _, _ = _jwt_format.split_signed_compact(token_with_kid) self.assertEqual(_json_util.json_loads(header_with_kid)['kid'], LONG_CUSTOM_KID) # The primitive with a custom_kid set accepts tokens without kid header. custom_kid_verify.verify_and_decode(token, validator) # The primitive without a custom_kid set ignores the kid header. verify.verify_and_decode(token_with_kid, validator) # key with a different custom_kid set other_handle = _set_custom_kid(handle, custom_kid='other kid') other_verify = other_handle.public_keyset_handle().primitive( jwt.JwtPublicKeyVerify) # Fails because the kid value do not match. with self.assertRaises(tink.TinkError): other_verify.verify_and_decode(token_with_kid, validator) tink_handle = _change_output_prefix_to_tink(custom_kid_handle) tink_sign = tink_handle.primitive(jwt.JwtPublicKeySign) tink_verify = tink_handle.public_keyset_handle().primitive( jwt.JwtPublicKeyVerify) # Having custom_kid set with output prefix TINK is not allowed. with self.assertRaises(tink.TinkError): tink_sign.sign_and_encode(raw_jwt) with self.assertRaises(tink.TinkError): tink_verify.verify_and_decode(token, validator) with self.assertRaises(tink.TinkError): tink_verify.verify_and_decode(token_with_kid, validator)
def test_create_header_with_type(self): encoded_header = _jwt_format.create_header('HS256', 'typeHeader', None) json_header = _jwt_format.decode_header(encoded_header) self.assertEqual(json_header, '{"alg":"HS256","typ":"typeHeader"}') header = _json_util.json_loads(json_header) _jwt_format.validate_header(header, 'HS256') self.assertEqual(_jwt_format.get_type_header(header), 'typeHeader')
def test_signed_compact_create_split_with_kid(self): raw_jwt = _raw_jwt.raw_jwt_from_json(None, '{"iss":"joe"}') signature = _jwt_format.decode_signature( b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') unsigned_compact = _jwt_format.create_unsigned_compact( 'RS256', 'AZxkm2U', raw_jwt) signed_compact = _jwt_format.create_signed_compact( unsigned_compact, signature) un_comp, hdr, pay, sig = _jwt_format.split_signed_compact( signed_compact) self.assertEqual( unsigned_compact, b'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ') self.assertEqual( signed_compact, 'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ' '.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') self.assertEqual(un_comp, unsigned_compact) self.assertEqual(sig, signature) self.assertEqual(hdr, '{"kid":"AZxkm2U","alg":"RS256"}') header = _json_util.json_loads(hdr) _jwt_format.validate_header(header, 'RS256') self.assertEqual(pay, '{"iss":"joe"}') self.assertIsNone(_jwt_format.get_type_header(header))
def test_validate_header_with_other_kid_fails(self): json_header = '{"kid":"GsapRA","alg":"HS256"}' header = _json_util.json_loads(json_header) _jwt_format.validate_header(header, 'HS256') with self.assertRaises(_jwt_error.JwtInvalidError): _jwt_format.validate_header(header, 'HS256', tink_kid='otherKid') with self.assertRaises(_jwt_error.JwtInvalidError): _jwt_format.validate_header(header, 'HS256', custom_kid='otherKid')
def test_validate_header_with_missing_kid_missing(self): json_header = '{"alg":"HS256"}' header = _json_util.json_loads(json_header) with self.assertRaises(_jwt_error.JwtInvalidError): # if tink_kid is set, a kid header is required. _jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA') # if custom_kid is set, a kid header is *not* required. _jwt_format.validate_header(header, 'HS256', custom_kid='GsapRA')
def test_raw_output_prefix_type_encodes_a_custom_kid_header(self): # normal HMAC jwt_mac with output prefix RAW handle = tink.new_keyset_handle(jwt.raw_jwt_hs256_template()) raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True) validator = jwt.new_validator(expected_issuer='issuer', allow_missing_expiration=True) jwt_mac = handle.primitive(jwt.JwtMac) token = jwt_mac.compute_mac_and_encode(raw_jwt) jwt_mac.verify_mac_and_decode(token, validator) _, json_header, _, _ = _jwt_format.split_signed_compact(token) self.assertNotIn('kid', _json_util.json_loads(json_header)) # HMAC jwt_mac with a custom_kid set custom_kid_handle = _set_custom_kid(handle, custom_kid='my kid') custom_kid_jwt_mac = custom_kid_handle.primitive(jwt.JwtMac) token_with_kid = custom_kid_jwt_mac.compute_mac_and_encode(raw_jwt) custom_kid_jwt_mac.verify_mac_and_decode(token_with_kid, validator) _, header_with_kid, _, _ = _jwt_format.split_signed_compact( token_with_kid) self.assertEqual( _json_util.json_loads(header_with_kid)['kid'], 'my kid') # Even when custom_kid is set, its not required to be set in the header. custom_kid_jwt_mac.verify_mac_and_decode(token, validator) # An additional kid header is ignored. jwt_mac.verify_mac_and_decode(token_with_kid, validator) other_handle = _set_custom_kid(handle, custom_kid='other kid') other_jwt_mac = other_handle.primitive(jwt.JwtMac) with self.assertRaises(tink.TinkError): # The custom_kid does not match the kid header. other_jwt_mac.verify_mac_and_decode(token_with_kid, validator) tink_handle = _change_output_prefix_to_tink(custom_kid_handle) tink_jwt_mac = tink_handle.primitive(jwt.JwtMac) # having custom_kid set with output prefix TINK is not allowed with self.assertRaises(tink.TinkError): tink_jwt_mac.compute_mac_and_encode(raw_jwt) with self.assertRaises(tink.TinkError): tink_jwt_mac.verify_mac_and_decode(token, validator) with self.assertRaises(tink.TinkError): tink_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
def test_decode_encode_header_rs256(self): # Example from https://tools.ietf.org/html/rfc7515#appendix-A.2 encoded_header = b'eyJhbGciOiJSUzI1NiJ9' json_header = _jwt_format.decode_header(encoded_header) header = _json_util.json_loads(json_header) self.assertEqual(header['alg'], 'RS256') self.assertEqual( _jwt_format.decode_header(_jwt_format.encode_header(json_header)), json_header)
def test_decode_encode_header_hs256(self): # Example from https://tools.ietf.org/html/rfc7515#appendix-A.1 encoded_header = b'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9' json_header = _jwt_format.decode_header(encoded_header) header = _json_util.json_loads(json_header) self.assertEqual(header['alg'], 'HS256') self.assertEqual(header['typ'], 'JWT') self.assertEqual( _jwt_format.decode_header(_jwt_format.encode_header(json_header)), json_header)
def test_validate_header_with_kid_success(self): json_header = '{"kid":"GsapRA","alg":"HS256"}' header = _json_util.json_loads(json_header) _jwt_format.validate_header(header, 'HS256') _jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA') _jwt_format.validate_header(header, 'HS256', custom_kid='GsapRA') with self.assertRaises(_jwt_error.JwtInvalidError): # fails because tink_kid and custom_kid must not be set at the same time. _jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA', custom_kid='GsapRA')
def test_json_loads_with_invalid_utf16(self): with self.assertRaises(_jwt_error.JwtInvalidError): _json_util.json_loads(u'{"a":{"b":{"c":"\\uD834"}}}') with self.assertRaises(_jwt_error.JwtInvalidError): _json_util.json_loads(u'{"\\uD834":"b"}') with self.assertRaises(_jwt_error.JwtInvalidError): _json_util.json_loads(u'{"a":["a",{"b":["c","\\uD834"]}]}')
def test_decode_encode_payload(self): # Example from https://tools.ietf.org/html/rfc7519#section-3.1 encoded_payload = ( b'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0' b'dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ') json_payload = _jwt_format.decode_payload(encoded_payload) payload = _json_util.json_loads(json_payload) self.assertEqual(payload['iss'], 'joe') self.assertEqual(payload['exp'], 1300819380) self.assertEqual(payload['http://example.com/is_root'], True) self.assertEqual( _jwt_format.decode_payload( _jwt_format.encode_payload(json_payload)), json_payload)
def test_only_tink_output_prefix_type_encodes_a_kid_header(self): handle = tink.new_keyset_handle(jwt.raw_jwt_es256_template()) sign = handle.primitive(jwt.JwtPublicKeySign) verify = handle.public_keyset_handle().primitive(jwt.JwtPublicKeyVerify) tink_handle = _change_output_prefix_to_tink(handle) tink_sign = tink_handle.primitive(jwt.JwtPublicKeySign) tink_verify = tink_handle.public_keyset_handle().primitive( jwt.JwtPublicKeyVerify) raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True) token = sign.sign_and_encode(raw_jwt) token_with_kid = tink_sign.sign_and_encode(raw_jwt) _, header, _, _ = _jwt_format.split_signed_compact(token) self.assertNotIn('kid', _json_util.json_loads(header)) _, header_with_kid, _, _ = _jwt_format.split_signed_compact(token_with_kid) self.assertIn('kid', _json_util.json_loads(header_with_kid)) validator = jwt.new_validator( expected_issuer='issuer', allow_missing_expiration=True) verify.verify_and_decode(token, validator) tink_verify.verify_and_decode(token_with_kid, validator) other_handle = _change_key_id(tink_handle) other_verify = other_handle.public_keyset_handle().primitive( jwt.JwtPublicKeyVerify) verify.verify_and_decode(token_with_kid, validator) # For output prefix type TINK, the kid header is required. with self.assertRaises(tink.TinkError): tink_verify.verify_and_decode(token, validator) # This should fail because value of the kid header is wrong. with self.assertRaises(tink.TinkError): other_verify.verify_and_decode(token_with_kid, validator)
def verify_mac_and_decode_with_kid( self, compact: str, validator: _jwt_validator.JwtValidator, kid: Optional[str]) -> _verified_jwt.VerifiedJwt: """Verifies, validates and decodes a MACed compact JWT token.""" parts = _jwt_format.split_signed_compact(compact) unsigned_compact, json_header, json_payload, mac = parts self._verify_mac(mac, unsigned_compact) header = _json_util.json_loads(json_header) _jwt_format.validate_header(header=header, algorithm=self._algorithm, tink_kid=kid, custom_kid=self._custom_kid) raw_jwt = _raw_jwt.raw_jwt_from_json( _jwt_format.get_type_header(header), json_payload) _jwt_validator.validate(validator, raw_jwt) return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_signed_compact_create_split(self): raw_jwt = _raw_jwt.raw_jwt_from_json('JWT', '{"iss":"joe"}') signature = _jwt_format.decode_signature( b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') unsigned_compact = _jwt_format.create_unsigned_compact( 'RS256', None, raw_jwt) signed_compact = _jwt_format.create_signed_compact( unsigned_compact, signature) un_comp, hdr, pay, sig = _jwt_format.split_signed_compact( signed_compact) self.assertEqual( unsigned_compact, b'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqb2UifQ') self.assertEqual( signed_compact, 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.' 'eyJpc3MiOiJqb2UifQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') self.assertEqual(un_comp, unsigned_compact) self.assertEqual(sig, signature) self.assertEqual(hdr, '{"alg":"RS256","typ":"JWT"}') header = _json_util.json_loads(hdr) _jwt_format.validate_header(header, 'RS256') self.assertEqual(pay, '{"iss":"joe"}') self.assertEqual(_jwt_format.get_type_header(header), 'JWT')
def test_create_verify_different_algorithms_fails(self): encoded_header = _jwt_format.create_header('HS256', None, None) json_header = _jwt_format.decode_header(encoded_header) header = _json_util.json_loads(json_header) with self.assertRaises(_jwt_error.JwtInvalidError): _jwt_format.validate_header(header, 'ES256')
def test_validate_header_rejects_crit(self): header = _json_util.json_loads( '{"alg":"HS256","crit":["http://example.invalid/UNDEFINED"],' '"http://example.invalid/UNDEFINED":true}') with self.assertRaises(_jwt_error.JwtInvalidError): _jwt_format.validate_header(header, 'HS256')
def test_validate_header_ignores_typ(self): header = _json_util.json_loads('{"alg":"HS256","typ":"unknown"}') _jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_unknown_entry_success(self): header = _json_util.json_loads('{"alg":"HS256","unknown":"header"}') _jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_unknown_algorithm_fails(self): header = _json_util.json_loads('{"alg":"HS123"}') with self.assertRaises(_jwt_error.JwtInvalidError): _jwt_format.validate_header(header, 'HS123')
def test_json_loads_recursion(self): num_recursions = 1000 recursive_json = ('{"a":' * num_recursions) + '""' + ('}' * num_recursions) with self.assertRaises(_jwt_error.JwtInvalidError): _json_util.json_loads(recursive_json)
def test_create_validate_header(self, algorithm): encoded_header = _jwt_format.create_header(algorithm, None, None) json_header = _jwt_format.decode_header(encoded_header) header = _json_util.json_loads(json_header) _jwt_format.validate_header(header, algorithm) self.assertIsNone(_jwt_format.get_type_header(header))
def _from_json(cls, type_header: Optional[str], payload: str) -> 'RawJwt': """Creates a RawJwt from payload encoded as JSON string.""" raw_jwt = object.__new__(cls) raw_jwt.__init__(type_header, _json_util.json_loads(payload)) return raw_jwt
def test_verify_empty_header_fails(self): header = _json_util.json_loads('{}') with self.assertRaises(_jwt_error.JwtInvalidError): _jwt_format.validate_header(header, 'ES256')
def test_json_loads(self): self.assertEqual(_json_util.json_loads('{"a":["b",1,true,null]}'), {'a': ['b', 1, True, None]}) with self.assertRaises(_jwt_error.JwtInvalidError): _json_util.json_loads('{invalid')