def test_kid_header_not_present_when_not_provided(self): enc = ALGORITHMS.A256CBC_HS512 alg = ALGORITHMS.RSA_OAEP_256 encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg) header = json.loads( six.ensure_str(base64url_decode(encrypted.split(".")[0]))) assert "kid" not in header
def test_alg_enc_headers(self): enc = ALGORITHMS.A256CBC_HS512 alg = ALGORITHMS.RSA_OAEP_256 encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg) header = json.loads(base64url_decode(encrypted.split(b".")[0])) assert header["enc"] == enc assert header["alg"] == alg
def test_zip_header_present_when_provided(self): enc = ALGORITHMS.A256CBC_HS512 alg = ALGORITHMS.RSA_OAEP_256 encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF) header = json.loads( six.ensure_str(base64url_decode(encrypted.split(".")[0]))) assert header["zip"] == ZIPS.DEF
def test_zip_header_not_present_when_none(self): enc = ALGORITHMS.A256CBC_HS512 alg = ALGORITHMS.RSA_OAEP_256 encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.NONE) header = json.loads(six.ensure_str(base64url_decode(encrypted.split(b".")[0]))) assert "zip" not in header
def test_cty_header_present_when_provided(self): enc = ALGORITHMS.A256CBC_HS512 alg = ALGORITHMS.RSA_OAEP_256 encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg, cty="expected") header = json.loads(six.ensure_str(base64url_decode(encrypted.split(b".")[0]))) assert header["cty"] == "expected"
def test_encrypt_decrypt_aes_kw(self, alg, enc, zip): if alg == ALGORITHMS.A128KW: key = OCT_128_BIT_KEY elif alg == ALGORITHMS.A192KW: key = OCT_192_BIT_KEY elif alg == ALGORITHMS.A256KW: key = OCT_256_BIT_KEY else: pytest.fail(f"I don't know how to handle enc {alg}") expected = b"Live long and prosper." jwe_value = jwe.encrypt(expected[:], key, enc, alg, zip) actual = jwe.decrypt(jwe_value, key) assert actual == expected
def test_rfc7516_appendix_b_direct(self, monkeypatch): algorithm = ALGORITHMS.DIR encryption = ALGORITHMS.A128CBC_HS256 key = bytes( bytearray( [ 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207, ] ) ) plain_text = b"Live long and prosper." expected_iv = bytes(bytearray([3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101])) for backend in backends: monkeypatch.setattr(backend, "get_random_bytes", lambda x: expected_iv if x == 16 else key) expected = b"eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..AxY8DCtDaGlsbGljb3RoZQ.KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.BIiCkt8mWOVyJOqDMwNqaQ" actual = jwe.encrypt(plain_text, key, encryption, algorithm) assert actual == expected
def test_encrypt_decrypt_dir_kw(self, enc, zip): if enc == ALGORITHMS.A128GCM: key = OCT_128_BIT_KEY elif enc == ALGORITHMS.A192GCM: key = OCT_192_BIT_KEY elif enc in (ALGORITHMS.A128CBC_HS256, ALGORITHMS.A256GCM): key = OCT_256_BIT_KEY elif enc == ALGORITHMS.A192CBC_HS384: key = OCT_384_BIT_KEY elif enc == ALGORITHMS.A256CBC_HS512: key = OCT_512_BIT_KEY else: pytest.fail(f"I don't know how to handle enc {enc}") expected = b"Live long and prosper." jwe_value = jwe.encrypt(expected[:], key, enc, ALGORITHMS.DIR, zip) actual = jwe.decrypt(jwe_value, key) assert actual == expected
def generate_password_reset_token(email: str, password: str) -> str: delta = timedelta(hours=settings.EMAIL_RESET_TOKEN_EXPIRE_HOURS) now = datetime.utcnow() expires = now + delta exp = expires.timestamp() encoded_password = jwe.encrypt( password, settings.SECRET_KEY, encryption=constants.Algorithms.A256CBC_HS512) encoded_jwt = jwt.encode( { "exp": exp, "nbf": now, "sub": email, "password": encoded_password.decode("utf-8"), }, settings.SECRET_KEY, algorithm="HS256", ) return encoded_jwt
async def login(credentials: Credentials, request: Request): if credentials.username is not None and credentials.password is not None: authentication_api_hosts = \ await get_authentication_endpoint(credentials.username) for authentication_api_host in authentication_api_hosts: if authentication_api_host: headers = {'content-type': 'application/json'} authentication_response = requests.post( authentication_api_host, data=credentials.json(), headers=headers) if authentication_response.status_code == 200: exp: datetime = \ datetime.now(tz=pytz.UTC) + timedelta(days=1) token = jwe.encrypt(plaintext=Token( username=credentials.username, password=credentials.password, exp=exp.timestamp()).json(), key=request.state.secret_key, algorithm='dir', encryption='A256GCM') return token raise HTTPException(detail='authentication failed', status_code=403)
def test_encrypt_decrypt_rsa_kw(self, alg, enc, zip): expected = b"Live long and prosper." jwe_value = jwe.encrypt(expected[:], PUBLIC_KEY_PEM, enc, alg, zip) actual = jwe.decrypt(jwe_value, PRIVATE_KEY_PEM) assert actual == expected