def test_update_mark_inactive():
rsa_key = new_rsa_key()
_jwks = {"keys": [rsa_key.serialize()]}
fname = "tmp_jwks.json"
with open(fname, "w") as fp:
fp.write(json.dumps(_jwks))
kb = KeyBundle(source="file://{}".format(fname), fileformat="jwks")
assert len(kb) == 1
# new set of keys
rsa_key = new_rsa_key(alg="RS256")
ec_key = new_ec_key(crv="P-256")
_jwks = {"keys": [rsa_key.serialize(), ec_key.serialize()]}
with open(fname, "w") as fp:
fp.write(json.dumps(_jwks))
kb.update()
# 2 active and 1 inactive
assert len(kb) == 3
assert len(kb.active_keys()) == 2
assert len(kb.get("rsa")) == 1
assert len(kb.get("rsa", only_active=False)) == 2
def create_jwks():
from cryptojwt.jwk.rsa import new_rsa_key
rsa_key = new_rsa_key()
jwk_priv = rsa_key.serialize(private=True)
# public
jwk_pub = rsa_key.serialize()
return jwk_priv, jwk_pub
def test_key_from_jwk_dict_rsa():
rsa_key = new_rsa_key()
jwk = rsa_key.serialize(private=True)
_key = key_from_jwk_dict(jwk)
assert isinstance(_key, RSAKey)
assert _key.has_private_key()
_key2 = RSAKey(**jwk)
assert isinstance(_key2, RSAKey)
assert _key2.has_private_key()
def main():
""" Main function"""
parser = argparse.ArgumentParser(
description="JSON Web Key (JWK) Generator")
parser.add_argument("--kty",
dest="kty",
metavar="type",
help="Key type",
required=True)
parser.add_argument("--size",
dest="keysize",
type=int,
metavar="size",
help="Key size")
parser.add_argument(
"--crv",
dest="crv",
metavar="curve",
help="EC curve",
choices=NIST2SEC.keys(),
default=DEFAULT_EC_CURVE,
)
parser.add_argument(
"--exp",
dest="rsa_exp",
type=int,
metavar="exponent",
help="RSA public key exponent (default {})".format(DEFAULT_RSA_EXP),
default=DEFAULT_RSA_EXP,
)
parser.add_argument("--kid", dest="kid", metavar="id", help="Key ID")
args = parser.parse_args()
if args.kty.upper() == "RSA":
if args.keysize is None:
args.keysize = DEFAULT_RSA_KEYSIZE
jwk = new_rsa_key(public_exponent=args.rsa_exp,
key_size=args.keysize,
kid=args.kid)
elif args.kty.upper() == "EC":
if args.crv not in NIST2SEC:
print("Unknown curve: {0}".format(args.crv), file=sys.stderr)
exit(1)
jwk = new_ec_key(crv=args.crv, kid=args.kid)
elif args.kty.upper() == "SYM":
if args.keysize is None:
args.keysize = DEFAULT_SYM_KEYSIZE
randomkey = os.urandom(args.keysize)
jwk = SYMKey(key=randomkey, kid=args.kid)
else:
print("Unknown key type: {}".format(args.kty), file=sys.stderr)
exit(1)
jwk_dict = jwk.serialize(private=True)
print(json.dumps(jwk_dict, sort_keys=True, indent=4))
print("SHA-256: " + jwk.thumbprint("SHA-256").decode(), file=sys.stderr)
def test_ignore_invalid_keys():
rsa_key_dict = new_rsa_key().serialize()
rsa_key_dict["kty"] = "b0rken"
kb = KeyBundle(keys={"keys": [rsa_key_dict]}, ignore_invalid_keys=True)
assert len(kb) == 0
with pytest.raises(UnknownKeyType):
KeyBundle(keys={"keys": [rsa_key_dict]}, ignore_invalid_keys=False)
def main():
""" Main function"""
parser = argparse.ArgumentParser(description='JSON Web Key (JWK) Generator')
parser.add_argument('--kty',
dest='kty',
metavar='type',
help='Key type',
required=True)
parser.add_argument('--size',
dest='keysize',
type=int,
metavar='size',
help='Key size')
parser.add_argument('--crv',
dest='crv',
metavar='curve',
help='EC curve',
choices=NIST2SEC.keys(),
default=DEFAULT_EC_CURVE)
parser.add_argument('--exp',
dest='rsa_exp',
type=int,
metavar='exponent',
help='RSA public key exponent (default {})'.format(DEFAULT_RSA_EXP),
default=DEFAULT_RSA_EXP)
parser.add_argument('--kid',
dest='kid',
metavar='id',
help='Key ID')
args = parser.parse_args()
if args.kty.upper() == 'RSA':
if args.keysize is None:
args.keysize = DEFAULT_RSA_KEYSIZE
jwk = new_rsa_key(public_exponent=args.rsa_exp, key_size=args.keysize, kid=args.kid)
elif args.kty.upper() == 'EC':
if args.crv not in NIST2SEC:
print("Unknown curve: {0}".format(args.crv), file=sys.stderr)
exit(1)
jwk = new_ec_key(crv=args.crv, kid=args.kid)
elif args.kty.upper() == 'SYM':
if args.keysize is None:
args.keysize = DEFAULT_SYM_KEYSIZE
randomkey = os.urandom(args.keysize)
jwk = SYMKey(key=randomkey, kid=args.kid)
else:
print("Unknown key type: {}".format(args.kty), file=sys.stderr)
exit(1)
jwk_dict = jwk.serialize(private=True)
print(json.dumps(jwk_dict, sort_keys=True, indent=4))
print("SHA-256: " + jwk.thumbprint('SHA-256').decode(), file=sys.stderr)
def test_update_2():
rsa_key = new_rsa_key()
_jwks = {"keys": [rsa_key.serialize()]}
fname = "tmp_jwks.json"
with open(fname, "w") as fp:
fp.write(json.dumps(_jwks))
kb = KeyBundle(source="file://{}".format(fname), fileformat="jwks")
assert len(kb) == 1
# Added one more key
ec_key = new_ec_key(crv="P-256", key_ops=["sign"])
_jwks = {"keys": [rsa_key.serialize(), ec_key.serialize()]}
with open(fname, "w") as fp:
fp.write(json.dumps(_jwks))
kb.update()
assert len(kb) == 2
created = alchemy_db.Column(alchemy_db.DateTime,
default=datetime.datetime.utcnow)
def __repr__(self):
return '<Thing owned by %r>' % self.owner
Base.metadata.create_all(engine)
# ======================================================================
# JWK things
from cryptojwt.jwk.rsa import new_rsa_key
from cryptojwt.jwk.jwk import key_from_jwk_dict
rsa_key = new_rsa_key()
rsa_key.serialize(private=True)
# get and set things in the alchemy_db
from sqlalchemy.orm import sessionmaker
Session = sessionmaker(bind=engine)
session = Session()
thing = Thing(owner='peppe', data=json.dumps(rsa_key.serialize(private=True)))
# store in the alchemy_db, commit means we have in a transation
session.add(thing)
session.commit()
# get an entry
("RSA", "RSA1_5", "A128CBC-HS256"),
("EC", "ECDH-ES", "A128GCM"),
],
)
def test_to_jwe(keytype, alg, enc):
msg = Message(a="foo", b="bar", c="tjoho")
_jwe = msg.to_jwe(KEYJAR.get_encrypt_key(keytype, ""), alg=alg, enc=enc)
with pytest.raises(HeaderError):
Message().from_jwt(_jwe, KEYJAR, encalg="RSA-OAEP", encenc=enc)
with pytest.raises(HeaderError):
Message().from_jwt(_jwe, KEYJAR, encenc="A256CBC-HS512", encalg=alg)
NEW_KEYJAR = KEYJAR.copy()
kb = KeyBundle()
k = new_rsa_key()
NEW_KID = k.kid
kb.append(k)
NEW_KEYJAR.add_kb("", kb)
def test_no_suitable_keys():
keytype = "RSA"
alg = "RS256"
msg = Message(a="foo", b="bar", c="tjoho")
_jwt = msg.to_jwt(NEW_KEYJAR.get_signing_key(keytype, "", kid=NEW_KID),
alg)
with pytest.raises(NoSuitableSigningKeys):
Message().from_jwt(_jwt, KEYJAR)
import os
from cryptojwt.jwk.ec import new_ec_key
from cryptojwt.jwk.hmac import SYMKey
from cryptojwt.jwk.rsa import new_rsa_key
from cryptojwt.jwk.wrap import unwrap_key
from cryptojwt.jwk.wrap import wrap_key
__author__ = "jschlyter"
WRAPPING_KEYS = [
SYMKey(use="enc", key=os.urandom(32)),
new_ec_key(crv="P-256"),
new_ec_key(crv="P-384"),
new_rsa_key(size=2048),
new_rsa_key(size=4096),
]
SECRET_KEYS = [
SYMKey(use="enc", key=os.urandom(32)),
new_ec_key(crv="P-256"),
new_rsa_key(size=2048),
]
def test_wrap_default():
for wrapping_key in WRAPPING_KEYS:
for key in SECRET_KEYS:
wrapped_key = wrap_key(key, wrapping_key)
unwrapped_key = unwrap_key(wrapped_key, [wrapping_key])
assert key == unwrapped_key
self.storage.set(name, value)
def append(self, name_id, item):
_list = self.storage.get(name_id)
if _list:
_list.append(self._data_to_db(item))
self.update(name_id, _list)
else:
self.set(name_id, item)
# is it needed?
#def extend(self, name_id, items):
#_list = self.storage.get(name_id)
#_list.extend(name_id, items)
#self.update(name_id, _list)
def copy(self):
raise NotImplemented()
# POC
_list = JWKList(ABS_STORAGE_SQLALCHEMY)
_list.set('ciao', new_rsa_key())
_list
_list.append('ciao', new_rsa_key())
_list
_list.delete('ciao')
def test_new_rsa_key():
key = new_rsa_key()
assert isinstance(key, RSAKey)
assert key.priv_key
def test_get_audience_and_algorithm_default_alg(self, entity):
_service_context = entity.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
_service_context.registration_response = {}
token_service = entity.client_get("service", 'accesstoken')
# Add a RSA key to be able to handle default
_kb = KeyBundle()
_rsa_key = new_rsa_key()
_kb.append(_rsa_key)
_service_context.keyjar.add_kb("", _kb)
# Since I have a RSA key this doesn't fail
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
assert _jws.jwt.headers["alg"] == "RS256"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
# By client preferences
request = AccessTokenRequest()
_service_context.client_preferences = {
"token_endpoint_auth_signing_alg": "RS512"
}
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
assert _jws.jwt.headers["alg"] == "RS512"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
# Use provider information is everything else fails
request = AccessTokenRequest()
_service_context.client_preferences = {}
_service_context.provider_info[
"token_endpoint_auth_signing_alg_values_supported"] = [
"ES256", "RS256"
]
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
# Should be RS256 since I have no key for ES256
assert _jws.jwt.headers["alg"] == "RS256"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
def get(self):
return self._get_list()
def set(self, items):
value = [self.io.serialize(v) for v in items]
if self.storage.get(self.name):
del self.storage[self.name]
self.storage.set(self.name, value)
if __name__ == "__main__":
# POC
from cryptojwt.jwk.rsa import new_rsa_key
ABS_STORAGE_SQLALCHEMY = dict(driver='sqlalchemy',
url='sqlite:///:memory:',
params=dict(table='Thing'),
handler=AbstractStorageSQLAlchemy)
_list = ASList(ABS_STORAGE_SQLALCHEMY, io_class=JWK_IO)
_rsa1 = new_rsa_key()
_rsa2 = new_rsa_key()
_list.append(_rsa1)
_list.append(_rsa2)
# should be 2 keys by now
print('len:', len(_list))
print('Has key1:', _rsa1 in _list)
del _list
