def test_sign1_verify_unprotected_kid():
private_key, public_key = gen_keypair()
issuer = "hello"
ttl = 3600
payload = {"test": True}
signed_data = sign(private_key, issuer, ttl, payload, kid_protected=False)
res = verify(signed_data, [public_key])
assert res.eu_dgc_v1.get("test") is True
assert res.expired is False
def process_hc1_cwt(signed_data: bytes, public_keys):
res = verify(signed_data=signed_data, public_keys=public_keys)
logger.info("Signatured issued by: %s", res.iss)
logger.info("Signature verified by: %s", b64e(res.kid).decode())
logger.info("Signatured issued at: %s", res.iat)
if res.expired:
logger.warning("Signatured expired at: %s", res.exp)
else:
logger.info("Signatured expires at: %s", res.exp)
if res.eu_dgc_v1 is None:
logger.warning("No EU HCERT version 1 found in payload")
logger.info("Verified payload: %s", json.dumps(res.eu_dgc_v1, indent=4))
jwk_dict = pem_to_jwk_dict(cert_pem)
public_key = cosekey_from_jwk_dict(jwk_dict, private=False)
reference_payload = testdata.get("JSON")
optical_payload = testdata["PREFIX"]
assert optical_payload.startswith("HC1:")
if (base45_payload := testdata.get("BASE45")):
assert optical_payload[4:] == base45_payload
else:
base45_payload = optical_payload[4:]
signed_data = decode_and_decompress(base45_payload.encode())
res = verify(signed_data=signed_data, public_keys=[public_key])
logger.info("Signature verified")
if res.eu_dcc_v1 is None:
logger.warning("No EU DCC version 1 found in payload")
sys.exit(-1)
if reference_payload:
reference_serialized = canonicalize_dict(reference_payload)
verified_serialized = canonicalize_dict(res.eu_dgc_v1)
ddiff = DeepDiff(reference_serialized, verified_serialized)
if ddiff:
logger.error("Reference data does not match payload")
print(json.dumps(ddiff, indent=4))
sys.exit(-1)