def test_mismatch_alg_and_key():
pkey = import_private_rsa_key_from_file(full_path("./size2048.key"))
payload = "Please take a moment to register today"
keys = [RSAKey(priv_key=pkey)]
_jws = JWS(payload, alg="ES256")
with pytest.raises(NoSuitableSigningKeys):
_jws.sign_compact(keys)
def test_dj_usage():
pkey = import_private_rsa_key_from_file(full_path("./size2048.key"))
payload = "Please take a moment to register today"
keys = [RSAKey(priv_key=pkey)]
_jws = JWS(payload, alg="RS256")
sjwt = _jws.sign_compact(keys)
_jwt = factory(sjwt)
assert _jwt.jwt.headers["alg"] == "RS256"
def test_extra_headers_1():
pkey = import_private_rsa_key_from_file(full_path("./size2048.key"))
payload = "Please take a moment to register today"
keys = [RSAKey(priv_key=pkey)]
_jws = JWS(payload, alg="RS256")
sjwt = _jws.sign_compact(keys, foo="bar")
_jwt = factory(sjwt)
assert set(_jwt.jwt.headers.keys()) == {"alg", "foo"}
def test_extra_headers_3():
pkey = import_private_rsa_key_from_file(full_path("./size2048.key"))
payload = "Please take a moment to register today"
keys = [RSAKey(priv_key=pkey)]
_jws = JWS(payload, alg='RS256')
_jws.set_header_claim('foo', 'bar')
sjwt = _jws.sign_compact(keys, abc=123)
_jwt = factory(sjwt)
assert set(_jwt.jwt.headers.keys()) == {'alg', 'foo', 'abc'}
def test_factory_verify_alg():
pkey = import_private_rsa_key_from_file(full_path("./size2048.key"))
payload = "Please take a moment to register today"
keys = [RSAKey(priv_key=pkey)]
_signer = JWS(payload, alg="RS256")
_signer.set_header_claim("foo", "bar")
_jws = _signer.sign_compact(keys, abc=123)
_verifier = factory(_jws)
assert _verifier.jwt.verify_headers(alg="RS512") is False
def test_import_rsa_key():
_ckey = import_private_rsa_key_from_file(full_path(KEY))
assert isinstance(_ckey, rsa.RSAPrivateKey)
djwk = jwk_wrap(_ckey).to_dict()
assert _eq(djwk.keys(), ["kty", "e", "n", "p", "q", "d"])
assert djwk[
"n"] == '5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKTVtuu3VvxrpOWvwnFV' \
'-NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6bHgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR-gxDbh_D5TXuUqScOOqR47vSpIbUH-nc'
assert djwk['e'] == 'AQAB'
def decrypt_from_jwe(jwe):
RSA_KEY = settings.UNITICKET_JWT_RSA_KEY_PATH
JWE_ALG = settings.UNITICKET_JWE_ALG
JWE_ENC = settings.UNITICKET_JWE_ENC
priv_key = import_private_rsa_key_from_file(RSA_KEY)
_decryptor = factory(jwe, alg=JWE_ALG, enc=JWE_ENC)
_dkey = RSAKey(priv_key=priv_key)
msg = _decryptor.decrypt(jwe, [_dkey])
return msg
def test_serialize_rsa_priv_key():
rsakey = RSAKey(
priv_key=import_private_rsa_key_from_file(full_path("rsa.key")))
assert rsakey.d
d_rsakey = rsakey.serialize(private=True)
restored_key = RSAKey(**d_rsakey)
assert restored_key == rsakey
assert rsakey.has_private_key()
assert restored_key.has_private_key()
def test_signer_ps384():
payload = "Please take a moment to register today"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="PS384")
_jwt = _jws.sign_compact(keys)
vkeys = [RSAKey(pub_key=_pkey.public_key())]
_rj = JWS(alg="PS384")
info = _rj.verify_compact(_jwt, vkeys)
assert info == payload
def pem2rsa(filename: str,
kid: Optional[str] = None,
private: bool = False,
passphrase: Optional[str] = None) -> JWK:
"""Convert RSA key from PEM to JWK"""
if private:
key = import_private_rsa_key_from_file(filename, passphrase)
else:
key = import_public_rsa_key_from_file(filename)
jwk = RSAKey(kid=kid)
jwk.load_key(key)
return jwk
def test_signer_ps512():
payload = "Please take a moment to register today"
# Key has to be big enough > 512+512+2
_pkey = import_private_rsa_key_from_file(full_path("./size2048.key"))
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="PS512")
_jwt = _jws.sign_compact(keys)
vkeys = [RSAKey(pub_key=_pkey.public_key())]
_rj = factory(_jwt, alg="PS512")
info = _rj.verify_compact(_jwt, vkeys)
assert info == payload
assert _rj.verify_alg("PS512")
def test_signer_ps256_fail():
payload = "Please take a moment to register today"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="PS256")
_jwt = _jws.sign_compact(keys)[:-5] + "abcde"
vkeys = [RSAKey(pub_key=_pkey.public_key())]
_rj = JWS(alg="PS256")
try:
_rj.verify_compact(_jwt, vkeys)
except BadSignature:
pass
else:
assert False
def encrypt_to_jwe(content):
"""Returns a string
a serialized encryption from cryptojwt.jwe.jwe_rsa.JWE_RSA
"""
if isinstance(content, dict):
content = json.dumps(content).encode()
elif isinstance(content, str):
content = content.encode()
if not isinstance(content, bytes):
raise Exception('encrypt_to_jwe content must be a bytes object')
priv_key = import_private_rsa_key_from_file(RSA_KEY)
pub_key = priv_key.public_key()
_rsa = JWE_RSA(content, alg=JWE_ALG, enc=JWE_ENC)
jwe = _rsa.encrypt(pub_key)
return jwe
def test_rs256_rm_signature():
payload = "Please take a moment to register today"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="RS256")
_jwt = _jws.sign_compact(keys)
p = _jwt.split(".")
_jwt = ".".join(p[:-1])
vkeys = [RSAKey(key=_pkey.public_key())]
_rj = JWS()
try:
_ = _rj.verify_compact(_jwt, vkeys)
except WrongNumberOfParts:
pass
else:
assert False
def test_get_asym_key_all():
# When not marked for a special usage this key can be use for everything
rsakey = RSAKey(
priv_key=import_private_rsa_key_from_file(full_path("rsa.key")))
assert rsakey.appropriate_for("sign")
assert rsakey.appropriate_for("verify")
assert rsakey.appropriate_for("encrypt")
assert rsakey.appropriate_for("decrypt")
rsakey.use = "sig"
# Now it can only be used for signing and signature verification
assert rsakey.appropriate_for("sign")
assert rsakey.appropriate_for("verify")
for usage in ["encrypt", "decrypt"]:
assert rsakey.appropriate_for(usage) is None
rsakey.use = "enc"
# Now it can only be used for encrypting and decrypting
assert rsakey.appropriate_for("encrypt")
assert rsakey.appropriate_for("decrypt")
for usage in ["sign", "verify"]:
assert rsakey.appropriate_for(usage) is None
def test_get_asym_key_all():
# When not marked for a special usage this key can be use for everything
rsakey = RSAKey(
priv_key=import_private_rsa_key_from_file(full_path("rsa.key")))
assert rsakey.appropriate_for('sign')
assert rsakey.appropriate_for('verify')
assert rsakey.appropriate_for('encrypt')
assert rsakey.appropriate_for('decrypt')
rsakey.use = 'sig'
# Now it can only be used for signing and signature verification
assert rsakey.appropriate_for('sign')
assert rsakey.appropriate_for('verify')
for usage in ['encrypt', 'decrypt']:
assert rsakey.appropriate_for(usage) is None
rsakey.use = 'enc'
# Now it can only be used for encrypting and decrypting
assert rsakey.appropriate_for('encrypt')
assert rsakey.appropriate_for('decrypt')
for usage in ['sign', 'verify']:
assert rsakey.appropriate_for(usage) is None
def import_keys(self, keyspec):
"""
The client needs it's own set of keys. It can either dynamically
create them or load them from local storage.
This method can also fetch other entities keys provided the
URL points to a JWKS.
:param keyspec:
"""
for where, spec in keyspec.items():
if where == 'file':
for typ, files in spec.items():
if typ == 'rsa':
for fil in files:
_key = RSAKey(
key=import_private_rsa_key_from_file(fil),
use='sig')
_bundle = KeyBundle()
_bundle.append(_key)
self.keyjar.add_kb('', _bundle)
elif where == 'url':
for iss, url in spec.items():
_bundle = KeyBundle(source=url)
self.keyjar.add_kb(iss, _bundle)
def test_create_signed_jwt_symmetric(self):
settings.JWTAUTH_ALGORITHM = 'HS256'
settings.JWTAUTH_KEY = b'a897dya9s78dyasdya9sdya9s7dya9sd7y'
settings.JWTAUTH_CERT = None
user = get_user_model().objects.create(**_user_dict)
data = JWTConnectAuthTokenBuilder.build(user=user)
logger.warn(json.dumps(data, indent=2))
assert data['access_token']['email'] == user.email
jwts = JWTConnectAuthTokenBuilder.create(
data, alg=settings.JWTAUTH_ALGORITHM)
logger.info(json.dumps(jwts, indent=2))
assert 'access_token' in jwts.keys()
assert 'refresh_token' in jwts.keys()
atoken = JWTConnectAuthKeyHandler.decode_jwt(jwts['access_token'])
assert isinstance(atoken, dict)
settings.JWTAUTH_ALGORITHM = 'RS256'
settings.JWTAUTH_KEY = import_private_rsa_key_from_file(
'certs/private.key')
settings.JWTAUTH_CERT = import_public_key_from_cert_file(
'certs/public.cert')
def test_rsasigner_wrong_key_variant():
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
with pytest.raises(TypeError):
RSASigner().sign(b"Message to whom it may concern", _pkey.public_key)
def test_pick_alg_dont_get_alg_from_single_key_if_already_specified():
expected_alg = "RS512"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
vkeys = [RSAKey(pub_key=_pkey.public_key())]
alg = JWS(alg=expected_alg)._pick_alg(vkeys)
assert alg == expected_alg
ctx, tag = encrypter.encrypt(orig_msg)
encrypter.key = None
with pytest.raises(MissingKey):
encrypter.decrypt(ctx, iv=encrypter.iv, tag=b'12346567890')
BASEDIR = os.path.abspath(os.path.dirname(__file__))
def full_path(local_file):
return os.path.join(BASEDIR, local_file)
KEY = full_path("rsa.key")
priv_key = import_private_rsa_key_from_file(KEY)
pub_key = priv_key.public_key()
plain = b'Now is the time for all good men to come to the aid of their country.'
def test_cek_reuse_encryption_rsaes_rsa15():
_rsa = JWE_RSA(plain, alg="RSA1_5", enc="A128CBC-HS256")
jwt = _rsa.encrypt(pub_key)
dec = JWE_RSA()
msg = dec.decrypt(jwt, priv_key)
assert msg == plain
_rsa2 = JWE_RSA(plain, alg="RSA1_5", enc="A128CBC-HS256")
jwt = _rsa2.encrypt(None, cek=dec["cek"])
dec2 = JWE_RSA()
from oidcmsg.oauth2 import AuthorizationResponse
from oidcmsg.oauth2 import RefreshAccessTokenRequest
from oidcmsg.oauth2 import ResponseMessage
from oidcmsg.oidc import IdToken
from oidcmsg.time_util import utc_time_sans_frac
from oidcservice.exception import OidcServiceError
from oidcservice.exception import ParseError
from oidcrp.oauth2 import Client
sys.path.insert(0, '.')
_dirname = os.path.dirname(os.path.abspath(__file__))
BASE_PATH = os.path.join(_dirname, "data", "keys")
_key = import_private_rsa_key_from_file(os.path.join(BASE_PATH, "rsa.key"))
KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"})
CLIENT_ID = "client_1"
IDTOKEN = IdToken(iss="http://oidc.example.org/",
sub="sub",
aud=CLIENT_ID,
exp=utc_time_sans_frac() + 86400,
nonce="N0nce",
iat=time.time())
class DB(object):
def __init__(self):
self.db = {}
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/3.1/howto/static-files/
STATIC_URL = '/static/'
# JWTCONNECT SETTINGS
JWTAUTH_KEY = import_private_rsa_key_from_file('certs/private.key')
JWTAUTH_CERT = import_public_key_from_cert_file('certs/public.cert')
JWTAUTH_ISSUER = 'http://localhost:8000'
JWTAUTH_MULTIPLE_TOKENS = False
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
# jwtconnect auth
'jwtconnect_auth.authentication.JWTConnectAuthBearer'
]
}
