Example #1
def main(argv):
    """Export the public half of a cleartext Tink JWT keyset as a JWK set.

    Reads the JSON keyset at FLAGS.keyset_path and writes the resulting JWK
    set to FLAGS.public_jwk_set_path.

    Returns:
        1 if Tink initialisation or keyset parsing raises tink.TinkError;
        otherwise the function falls off the end (None) after writing.
    """
    del argv  # Unused.

    # JWT signature key types must be registered before a keyset is parsed.
    try:
        jwt.register_jwt_signature()
    except tink.TinkError as e:
        logging.exception('Error initialising Tink: %s', e)
        return 1

    # NOTE(review): cleartext_keyset_handle.read() parses an unencrypted
    # keyset, and public_keyset_handle() is derived from it below, so this
    # file presumably contains private key material. Keep the file
    # access-restricted and out of logs; confirm whether an encrypted keyset
    # would suit the deployment better.
    with open(FLAGS.keyset_path, 'rt') as keyset_file:
        try:
            reader = tink.JsonKeysetReader(keyset_file.read())
            keyset_handle = cleartext_keyset_handle.read(reader)
        except tink.TinkError as e:
            logging.exception('Error reading keyset: %s', e)
            return 1

    # Only the public keyset handle is passed to the JWK exporter.
    public_handle = keyset_handle.public_keyset_handle()
    public_jwk_set = jwt.jwk_set_from_public_keyset_handle(public_handle)
    output_path = FLAGS.public_jwk_set_path
    with open(output_path, 'wt') as public_jwk_set_file:
        public_jwk_set_file.write(public_jwk_set)
    logging.info('The public JWK set has been written to %s', output_path)
Example #2
def main(argv):
    """Convert a public Tink JWT keyset file into a JWK set file.

    Reads the JSON keyset at _PUBLIC_KEYSET_PATH and writes the resulting JWK
    set to _PUBLIC_JWK_SET_PATH.

    Returns:
        1 if Tink initialisation or keyset parsing raises tink.TinkError;
        otherwise the function falls off the end (None) after writing.
    """
    del argv  # Unused.

    # JWT signature key types must be registered before a keyset is parsed.
    try:
        jwt.register_jwt_signature()
    except tink.TinkError as e:
        logging.exception('Error initialising Tink: %s', e)
        return 1

    # read_no_secret_keyset_handle() refuses keysets that carry secret key
    # material, so a private keyset supplied by mistake is rejected here with
    # a TinkError instead of being loaded.
    with open(_PUBLIC_KEYSET_PATH.value, 'rt') as keyset_file:
        try:
            reader = tink.JsonKeysetReader(keyset_file.read())
            public_keyset_handle = tink.read_no_secret_keyset_handle(reader)
        except tink.TinkError as e:
            logging.exception('Error reading keyset: %s', e)
            return 1

    # Serialise the public keys as a JWK set and write it out.
    public_jwk_set = jwt.jwk_set_from_public_keyset_handle(
        public_keyset_handle)
    output_path = _PUBLIC_JWK_SET_PATH.value
    with open(output_path, 'wt') as public_jwk_set_file:
        public_jwk_set_file.write(public_jwk_set)
    logging.info('The public JWK set has been written to %s', output_path)
Example #3
  def test_convert_jwk_set_to_public_keyset_handle_and_back(self, jwk_set):
    """Round-trips a JWK set through a public keyset handle unchanged."""
    handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
    round_tripped = jwt.jwk_set_from_public_keyset_handle(handle)
    self.assertEqual(round_tripped, jwk_set)
    # Every key imported from a JWK set must carry the RAW output prefix
    # type. This reads the handle's private _keyset proto, test-only access.
    for imported_key in handle._keyset.key:
      self.assertEqual(imported_key.output_prefix_type, tink_pb2.RAW)

    # The deprecated converter pair must round-trip the same input.
    legacy_handle = jwt.jwk_set_to_keyset_handle(jwk_set)
    self.assertEqual(jwt.jwk_set_from_keyset_handle(legacy_handle), jwk_set)
Example #4
 def ToJwkSet(
         self, request: testing_api_pb2.JwtToJwkSetRequest,
         context: grpc.ServicerContext
 ) -> testing_api_pb2.JwtToJwkSetResponse:
     """Converts a Tink Keyset with JWT keys into a JWK set.

     The binary keyset in request.keyset is parsed as a cleartext keyset and
     passed directly to the public-keyset exporter. Any tink.TinkError is
     reported in the response's err field instead of being raised.
     """
     try:
         reader = tink.BinaryKeysetReader(request.keyset)
         keyset_handle = cleartext_keyset_handle.read(reader)
         # No public_keyset_handle() call here: the exporter receives the
         # handle exactly as it was parsed from the request.
         exported = jwt.jwk_set_from_public_keyset_handle(keyset_handle)
         return testing_api_pb2.JwtToJwkSetResponse(jwk_set=exported)
     except tink.TinkError as e:
         # The error text goes back to the caller verbatim.
         return testing_api_pb2.JwtToJwkSetResponse(err=str(e))
Example #5
 def test_rsa_ssa_pss_with_unknown_property_keyset_handle_success(self):
   """An unknown JWK member is accepted on import and dropped on export."""
   # Presumably PS256_JWK_SET contains ',"use":"sig"'; if it does not, the
   # replace is a no-op and this test checks nothing new.
   jwk_set_with_extra = PS256_JWK_SET.replace(
       ',"use":"sig"', ',"use":"sig","unknown":1234')
   handle = jwt.jwk_set_to_public_keyset_handle(jwk_set_with_extra)
   exported = jwt.jwk_set_from_public_keyset_handle(handle)
   self.assertEqual(exported, PS256_JWK_SET)
Example #6
 def test_rsa_ssa_pss_without_use_and_key_ops_to_keyset_handle_success(self):
   """A JWK lacking "use" and "key_ops" imports and exports canonically."""
   # Strip both optional members from the reference set. The export is
   # expected to equal the unmodified PS256_JWK_SET again.
   without_use = PS256_JWK_SET.replace(',"use":"sig"', '')
   stripped_jwk_set = without_use.replace(',"key_ops":["verify"]', '')
   handle = jwt.jwk_set_to_public_keyset_handle(stripped_jwk_set)
   exported = jwt.jwk_set_from_public_keyset_handle(handle)
   self.assertEqual(exported, PS256_JWK_SET)
Example #7
 def test_from_private_keyset_fails(self):
   """Exporting a handle read from PRIVATEKEY_KEYSET raises TinkError."""
   # Presumably PRIVATEKEY_KEYSET holds private key material (per its name).
   # The exporter must refuse it so that private keys never end up in a
   # JWK set meant for publication.
   private_handle = cleartext_keyset_handle.read(
       tink.JsonKeysetReader(PRIVATEKEY_KEYSET))
   with self.assertRaises(tink.TinkError):
     jwt.jwk_set_from_public_keyset_handle(private_handle)
Example #8
 def test_from_crunchy_ecdsa_keyset_fails(self, keyset):
   """A keyset whose 'RAW' markers are swapped to 'CRUNCHY' cannot export."""
   # str.replace rewrites every occurrence of 'RAW' in the JSON text,
   # presumably the outputPrefixType values. Verify against the fixtures.
   handle = cleartext_keyset_handle.read(
       tink.JsonKeysetReader(keyset.replace('RAW', 'CRUNCHY')))
   with self.assertRaises(tink.TinkError):
     jwt.jwk_set_from_public_keyset_handle(handle)
Example #9
 def test_primary_key_id_missing_success(self):
   """A keyset with no primaryKeyId field still exports to ES256_JWK_SET."""
   # The literal must match ES256_KEYSET byte-for-byte. Otherwise the
   # replace is a no-op and the primary key id is still present.
   keyset_without_primary = ES256_KEYSET.replace(
       '"primaryKeyId":282600252,', '')
   handle = cleartext_keyset_handle.read(
       tink.JsonKeysetReader(keyset_without_primary))
   exported = jwt.jwk_set_from_public_keyset_handle(handle)
   self.assertEqual(exported, ES256_JWK_SET)
Example #10
 def test_es_conserves_empty_kid(self):
   """An empty-string "kid" survives import and export unchanged."""
   # Swap the fixture's kid value for "" and expect the exact same text back.
   empty_kid_jwk_set = ES256_JWK_SET_KID.replace('"ENgjPA"', '""')
   handle = jwt.jwk_set_to_public_keyset_handle(empty_kid_jwk_set)
   exported = jwt.jwk_set_from_public_keyset_handle(handle)
   self.assertEqual(exported, empty_kid_jwk_set)
Example #11
 def test_convert_from_jwt_key(self, tink_keyset, expected_jwk_set):
   """Exports the given JSON Tink keyset and compares it to the expected JWK set."""
   handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(tink_keyset))
   exported = jwt.jwk_set_from_public_keyset_handle(handle)
   self.assertEqual(exported, expected_jwk_set)