Example #1
  def test_new_keydata_primitive_success(self, template):
    """Checks how the `kid` argument affects JWT MAC verification.

    A new key is generated from `template`. One token is produced with a
    `kid` header and one without, and each is verified with a matching, an
    absent and a mismatching `kid` argument.
    """
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    mac_primitive = manager.primitive(manager.new_key_data(template))

    claims = jwt.new_raw_jwt(
        type_header='typeHeader', issuer='issuer', without_expiration=True)
    # The validator's notion of "now" is fixed to DATETIME_1970 (defined
    # elsewhere in the module) instead of the wall clock.
    checker = jwt.new_validator(
        expected_type_header='typeHeader',
        expected_issuer='issuer',
        allow_missing_expiration=True,
        fixed_now=DATETIME_1970)

    kid_token = mac_primitive.compute_mac_and_encode_with_kid(
        claims, kid='kid-123')
    plain_token = mac_primitive.compute_mac_and_encode_with_kid(
        claims, kid=None)

    # Token that carries a kid: accepted when the same kid is supplied ...
    decoded = mac_primitive.verify_mac_and_decode_with_kid(
        kid_token, checker, kid='kid-123')
    self.assertEqual(decoded.type_header(), 'typeHeader')
    self.assertEqual(decoded.issuer(), 'issuer')
    # ... also accepted when the verifier is given kid=None, i.e. the kid
    # header in the token is not compared against anything ...
    mac_primitive.verify_mac_and_decode_with_kid(kid_token, checker, kid=None)
    # ... and rejected when a different kid is supplied.
    with self.assertRaises(tink.TinkError):
      mac_primitive.verify_mac_and_decode_with_kid(
          kid_token, checker, kid='other-kid')

    # Token without a kid: accepted only when the verifier expects none.
    mac_primitive.verify_mac_and_decode_with_kid(
        plain_token, checker, kid=None)
    # A verifier that requires a kid must reject a token that lacks one.
    with self.assertRaises(tink.TinkError):
      mac_primitive.verify_mac_and_decode_with_kid(
          plain_token, checker, kid='kid-123')
Example #2
    def test_new_keydata_primitive_success(self, template):
        """Round-trips a JWT through a primitive built from a fresh key.

        A key is generated from `template`, a token with only an issuer claim
        is MACed, and the decoded token is checked for the same issuer.
        """
        manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
        mac_primitive = manager.primitive(manager.new_key_data(template))

        token = mac_primitive.compute_mac_and_encode(
            jwt.new_raw_jwt(issuer='issuer'))

        # The validator is given a fixed "now" (DATETIME_1970, defined
        # elsewhere in the module) rather than the wall clock.
        checker = jwt.new_validator(fixed_now=DATETIME_1970)
        decoded = mac_primitive.verify_mac_and_decode(token, checker)
        self.assertEqual(decoded.issuer(), 'issuer')
Example #3
def create_fixed_jwt_hmac() -> jwt.JwtMac:
    """Build a JwtMac primitive from a fixed, publicly known HMAC key.

    The key is the example key from RFC 7515, appendix A.1.1
    (https://tools.ietf.org/html/rfc7515#appendix-A.1.1). It is published,
    so a MAC made with it authenticates nothing; it belongs in tests only.

    Returns:
        The primitive that the JWT HMAC key manager creates for that key.
    """
    # Base64url text of the RFC example key, without '=' padding.
    encoded = b''.join((
        b'AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_',
        b'T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow',
    ))
    # Restore the padding so the length is a multiple of four before decoding.
    missing = -len(encoded) % 4
    raw_key = base64.urlsafe_b64decode(encoded + b'=' * missing)

    key_proto = jwt_hmac_pb2.JwtHmacKey(
        version=0, hash_type=common_pb2.SHA256, key_value=raw_key)
    serialized_key = key_proto.SerializeToString()
    key_data = tink_pb2.KeyData(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        key_material_type=tink_pb2.KeyData.SYMMETRIC,
        value=serialized_key)

    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    return manager.primitive(key_data)
Example #4
  def test_new_keydata_primitive_success(self, template):
    """Round-trips a kid-less JWT through a primitive built from a fresh key.

    The token is encoded with `kid` set to None and verified through
    `verify_mac_and_decode`; the decoded type header and issuer must match
    what was put in.
    """
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    mac_primitive = manager.primitive(manager.new_key_data(template))

    claims = jwt.new_raw_jwt(
        type_header='typeHeader', issuer='issuer', without_expiration=True)
    # Second positional argument is the kid; None means no kid is requested.
    token = mac_primitive.compute_mac_and_encode_with_kid(claims, None)

    # The validator states the expected header and issuer explicitly, and
    # explicitly allows the missing expiration of this token.
    checker = jwt.new_validator(
        expected_type_header='typeHeader',
        expected_issuer='issuer',
        allow_missing_expiration=True,
        fixed_now=DATETIME_1970)
    decoded = mac_primitive.verify_mac_and_decode(token, checker)

    self.assertEqual(decoded.type_header(), 'typeHeader')
    self.assertEqual(decoded.issuer(), 'issuer')
Example #5
 def test_basic(self):
     """Checks the primitive class and key type URL the manager reports."""
     manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
     expected_type_url = 'type.googleapis.com/google.crypto.tink.JwtHmacKey'

     self.assertEqual(manager.primitive_class(), jwt.JwtMac)
     self.assertEqual(manager.key_type(), expected_type_url)
Example #6
def create_fixed_jwt_hmac() -> _jwt_mac.JwtMacInternal:
  """Returns the JWT MAC primitive for the key data from `_fixed_key_data()`.

  `_fixed_key_data` is defined elsewhere in the file. Its name suggests a
  hard-coded key; if so, the result is for tests only (TODO confirm).
  """
  fixed_key = _fixed_key_data()
  manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
  return manager.primitive(fixed_key)