def test_jwe(self):
bad_key = {'k': RSA.generate(2048).exportKey('PEM')}
for (alg, jwk), enc in product(self.algs, self.encs):
jwe = jose.encrypt(claims, rsa_pub_key, enc=enc, alg=alg)
# make sure the body can't be loaded as json (should be encrypted)
try:
json.loads(jose.b64decode_url(jwe.ciphertext))
self.fail()
except ValueError:
pass
token = jose.serialize_compact(jwe)
jwt = jose.decrypt(jose.deserialize_compact(token), rsa_priv_key)
self.assertNotIn(jose._TEMP_VER_KEY, claims)
self.assertEqual(jwt.claims, claims)
# invalid key
try:
jose.decrypt(jose.deserialize_compact(token), bad_key)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe(self):
bad_key = {'k': RSA.generate(2048).exportKey('PEM')}
for (alg, jwk), enc in product(self.algs, self.encs):
jwe = jose.encrypt(claims, rsa_pub_key, enc=enc, alg=alg)
# make sure the body can't be loaded as json (should be encrypted)
try:
json.loads(jose.b64decode_url(jwe.ciphertext))
self.fail()
except ValueError:
pass
token = jose.serialize_compact(jwe)
jwt = jose.decrypt(jose.deserialize_compact(token), rsa_priv_key)
self.assertNotIn(jose._TEMP_VER_KEY, claims)
self.assertEqual(jwt.claims, claims)
# invalid key
try:
jose.decrypt(jose.deserialize_compact(token), bad_key)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe_direct_encryption(self):
symmetric_key = "tisasymmetrickey"
jwe = jose.encrypt(claims, "", alg = "dir",enc="A128CBC-HS256",
dir_key = symmetric_key)
# make sure the body can't be loaded as json (should be encrypted)
try:
json.loads(jose.b64decode_url(jwe.ciphertext))
self.fail()
except ValueError:
pass
token = jose.serialize_compact(jwe)
jwt = jose.decrypt(jose.deserialize_compact(token),"",
dir_key = symmetric_key)
self.assertNotIn(jose._TEMP_VER_KEY, claims)
self.assertEqual(jwt.claims, claims)
# invalid key
badkey = "1234123412341234"
try:
jose.decrypt(jose.deserialize_compact(token), '', dir_key=badkey)
self.fail()
except jose.Error as e:
self.assertEqual(e.message, 'Mismatched authentication tags')
def authorization_request(self, id, name, server_nonce, responses):
auth_req = {"type":"authorizationRequest",
"sessionID":id,
"nonce":server_nonce}
auth_req["signature"] = crypto_util.create_sig(
name + jose.b64decode_url(server_nonce), self.key_file)
auth_req["responses"] = responses
return auth_req
def authorization_request(self, id, name, server_nonce, responses):
auth_req = {
"type": "authorizationRequest",
"sessionID": id,
"nonce": server_nonce
}
auth_req["signature"] = crypto_util.create_sig(
name + jose.b64decode_url(server_nonce), self.key_file)
auth_req["responses"] = responses
return auth_req
def perform(self, quiet=False):
"""
Sets up and reloads Apache server to handle SNI challenges
listSNITuple: List of tuples with form (addr, r, nonce)
addr (string), r (base64 string), nonce (hex string)
key: string - File path to key
configurator: Configurator obj
"""
# Save any changes to the configuration as a precaution
# About to make temporary changes to the config
self.configurator.save()
addresses = []
default_addr = "*:443"
for tup in self.listSNITuple:
vhost = self.configurator.choose_virtual_host(tup[0])
if vhost is None:
print "No vhost exists with servername or alias of:", tup[0]
print "No _default_:443 vhost exists"
print "Please specify servernames in the Apache config"
return None
if not self.configurator.make_server_sni_ready(vhost, default_addr):
return None
for a in vhost.addrs:
if "_default_" in a:
addresses.append([default_addr])
break
else:
addresses.append(vhost.addrs)
# Generate S
s = Random.get_random_bytes(S_SIZE)
# Create all of the challenge certs
for tup in self.listSNITuple:
# Need to decode from base64
r = jose.b64decode_url(tup[1])
ext = self.generateExtension(r, s)
self.createChallengeCert(tup[0], ext, tup[2], self.key)
self.modifyApacheConfig(self.configurator.user_config_file, addresses)
# Save reversible changes and restart the server
self.configurator.save("SNI Challenge", True)
self.configurator.restart(quiet)
self.s = jose.b64encode_url(s)
return self.s
def test_b64encode_url_ascii(self):
istr = 'eric idle'
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_utf8(self):
istr = 'eric idle'.encode('utf8')
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_ascii(self):
istr = 'eric idle'
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def test_b64encode_url_utf8(self):
istr = 'eric idle'.encode('utf8')
encoded = jose.b64encode_url(istr)
self.assertEqual(jose.b64decode_url(encoded), istr)
def b64_cert_to_pem(b64_der_cert):
x = M2Crypto.X509.load_cert_der_string(jose.b64decode_url(b64_der_cert))
return x.as_pem()
def b64_cert_to_pem(b64_der_cert):
x = M2Crypto.X509.load_cert_der_string(jose.b64decode_url(b64_der_cert))
return x.as_pem()
