Exemple #1
0
    def test_ps256_key_with_a_custom_kid_header(self):
        keyset_handle = tink.new_keyset_handle(
            jwt.raw_jwt_ps256_2048_f4_template())

        # Add a custom kid to the key in keyset_handle
        value = keyset_handle._keyset.key[0].key_data.value
        pss_key = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssPrivateKey.FromString(value)
        pss_key.public_key.custom_kid.value = 'my kid'
        keyset_handle._keyset.key[
            0].key_data.value = pss_key.SerializeToString()

        sign = keyset_handle.primitive(jwt.JwtPublicKeySign)

        raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
        signed_compact = sign.sign_and_encode(raw_jwt)

        _, json_header, _, _ = _jwt_format.split_signed_compact(signed_compact)
        header = _jwt_format.json_loads(json_header)
        self.assertEqual(header['kid'], 'my kid')

        # Now, change the output prefix type to TINK. This should fail.
        keyset_handle._keyset.key[0].output_prefix_type = tink_pb2.TINK
        with self.assertRaises(tink.TinkError):
            tink_sign = keyset_handle.primitive(jwt.JwtPublicKeySign)
            tink_sign.sign_and_encode(raw_jwt)
Exemple #2
0
 def test_create_header_with_type(self):
     encoded_header = _jwt_format.create_header('HS256', 'typeHeader')
     json_header = _jwt_format.decode_header(encoded_header)
     self.assertEqual(json_header, '{"alg":"HS256","typ":"typeHeader"}')
     header = _jwt_format.json_loads(json_header)
     _jwt_format.validate_header(header, 'HS256')
     self.assertEqual(_jwt_format.get_type_header(header), 'typeHeader')
Exemple #3
0
 def test_decode_encode_header_rs256(self):
     # Example from https://tools.ietf.org/html/rfc7515#appendix-A.2
     encoded_header = b'eyJhbGciOiJSUzI1NiJ9'
     json_header = _jwt_format.decode_header(encoded_header)
     header = _jwt_format.json_loads(json_header)
     self.assertEqual(header['alg'], 'RS256')
     self.assertEqual(
         _jwt_format.decode_header(_jwt_format.encode_header(json_header)),
         json_header)
Exemple #4
0
    def test_tink_output_prefix_type_encodes_a_kid_header(self):
        keyset_handle = tink.new_keyset_handle(jwt_es256_tink_template())
        sign = keyset_handle.primitive(jwt.JwtPublicKeySign)

        raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
        signed_compact = sign.sign_and_encode(raw_jwt)

        _, json_header, _, _ = _jwt_format.split_signed_compact(signed_compact)
        header = _jwt_format.json_loads(json_header)
        self.assertIn('kid', header)
Exemple #5
0
 def test_decode_encode_header_hs256(self):
     # Example from https://tools.ietf.org/html/rfc7515#appendix-A.1
     encoded_header = b'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9'
     json_header = _jwt_format.decode_header(encoded_header)
     header = _jwt_format.json_loads(json_header)
     self.assertEqual(header['alg'], 'HS256')
     self.assertEqual(header['typ'], 'JWT')
     self.assertEqual(
         _jwt_format.decode_header(_jwt_format.encode_header(json_header)),
         json_header)
Exemple #6
0
 def test_decode_encode_payload(self):
   # Example from https://tools.ietf.org/html/rfc7519#section-3.1
   encoded_payload = (b'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0'
                      b'dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ')
   json_payload = _jwt_format.decode_payload(encoded_payload)
   payload = _jwt_format.json_loads(json_payload)
   self.assertEqual(payload['iss'], 'joe')
   self.assertEqual(payload['exp'], 1300819380)
   self.assertEqual(payload['http://example.com/is_root'], True)
   self.assertEqual(
       _jwt_format.decode_payload(_jwt_format.encode_payload(json_payload)),
       json_payload)
Exemple #7
0
 def test_json_loads_with_invalid_utf16(self):
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.json_loads(u'{"a":{"b":{"c":"\\uD834"}}}')
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.json_loads(u'{"\\uD834":"b"}')
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.json_loads(u'{"a":["a":{"b":["c","\\uD834"]}]}')
Exemple #8
0
 def verify_and_decode(
         self, compact: Text, validator: _jwt_validator.JwtValidator
 ) -> _verified_jwt.VerifiedJwt:
     """Verifies, validates and decodes a signed compact JWT token."""
     parts = _jwt_format.split_signed_compact(compact)
     unsigned_compact, json_header, json_payload, signature = parts
     self._verify(signature, unsigned_compact)
     header = _jwt_format.json_loads(json_header)
     _jwt_format.validate_header(header, self._algorithm)
     raw_jwt = _raw_jwt.RawJwt.from_json(
         _jwt_format.get_type_header(header), json_payload)
     _jwt_validator.validate(validator, raw_jwt)
     return _verified_jwt.VerifiedJwt._create(raw_jwt)  # pylint: disable=protected-access
Exemple #9
0
  def test_signed_compact_create_split(self):
    payload = '{"iss":"joe"}'
    signature = _jwt_format.decode_signature(
        b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
    unsigned_compact = _jwt_format.create_unsigned_compact(
        'RS256', 'JWT', None, payload)
    signed_compact = _jwt_format.create_signed_compact(unsigned_compact,
                                                       signature)
    un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(signed_compact)

    self.assertEqual(
        unsigned_compact,
        b'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqb2UifQ')
    self.assertEqual(
        signed_compact, 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.'
        'eyJpc3MiOiJqb2UifQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
    self.assertEqual(un_comp, unsigned_compact)
    self.assertEqual(sig, signature)
    self.assertEqual(hdr, '{"alg":"RS256","typ":"JWT"}')
    header = _jwt_format.json_loads(hdr)
    _jwt_format.validate_header(header, 'RS256')
    self.assertEqual(pay, payload)
    self.assertEqual(_jwt_format.get_type_header(header), 'JWT')
Exemple #10
0
  def test_signed_compact_create_split_with_kid(self):
    payload = '{"iss":"joe"}'
    signature = _jwt_format.decode_signature(
        b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
    unsigned_compact = _jwt_format.create_unsigned_compact(
        'RS256', None, 'AZxkm2U', payload)
    signed_compact = _jwt_format.create_signed_compact(unsigned_compact,
                                                       signature)
    un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(signed_compact)

    self.assertEqual(
        unsigned_compact,
        b'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ')
    self.assertEqual(
        signed_compact,
        'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ'
        '.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
    self.assertEqual(un_comp, unsigned_compact)
    self.assertEqual(sig, signature)
    self.assertEqual(hdr, '{"kid":"AZxkm2U","alg":"RS256"}')
    header = _jwt_format.json_loads(hdr)
    _jwt_format.validate_header(header, 'RS256')
    self.assertEqual(pay, payload)
    self.assertIsNone(_jwt_format.get_type_header(header))
Exemple #11
0
    def test_raw_output_prefix_type_encodes_a_custom_kid_header(self):
        keyset_handle = tink.new_keyset_handle(jwt.raw_jwt_hs256_template())

        # Add a custom kid to the key in keyset_handle
        value = keyset_handle._keyset.key[0].key_data.value
        hmac_key = jwt_hmac_pb2.JwtHmacKey.FromString(value)
        hmac_key.custom_kid.value = 'my kid'
        keyset_handle._keyset.key[
            0].key_data.value = hmac_key.SerializeToString()

        jwt_mac = keyset_handle.primitive(jwt.JwtMac)

        raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
        signed_compact = jwt_mac.compute_mac_and_encode(raw_jwt)

        _, json_header, _, _ = _jwt_format.split_signed_compact(signed_compact)
        header = _jwt_format.json_loads(json_header)
        self.assertEqual(header['kid'], 'my kid')

        # Now, change the output prefix type to TINK. This should fail.
        keyset_handle._keyset.key[0].output_prefix_type = tink_pb2.TINK
        with self.assertRaises(tink.TinkError):
            tink_jwt_mac = keyset_handle.primitive(jwt.JwtMac)
            tink_jwt_mac.compute_mac_and_encode(raw_jwt)
Exemple #12
0
 def test_validate_header_with_unknown_algorithm_fails(self):
     header = _jwt_format.json_loads('{"alg":"HS123"}')
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.validate_header(header, 'HS123')
Exemple #13
0
 def from_json_payload(cls, payload: Text) -> 'RawJwt':
     """Creates a RawJwt from payload encoded as JSON string."""
     raw_jwt = object.__new__(cls)
     raw_jwt.__init__(_jwt_format.json_loads(payload))
     return raw_jwt
Exemple #14
0
 def from_json(cls, type_header: Optional[Text], payload: Text) -> 'RawJwt':
     """Creates a RawJwt from payload encoded as JSON string."""
     raw_jwt = object.__new__(cls)
     raw_jwt.__init__(type_header, _jwt_format.json_loads(payload))
     return raw_jwt
Exemple #15
0
 def test_create_validate_header(self, algorithm):
     encoded_header = _jwt_format.create_header(algorithm, None)
     json_header = _jwt_format.decode_header(encoded_header)
     header = _jwt_format.json_loads(json_header)
     _jwt_format.validate_header(header, algorithm)
     self.assertIsNone(_jwt_format.get_type_header(header))
Exemple #16
0
 def test_json_loads_recursion(self):
     num_recursions = 1000
     recursive_json = ('{"a":' * num_recursions) + '""' + ('}' *
                                                           num_recursions)
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.json_loads(recursive_json)
Exemple #17
0
 def test_validate_header_rejects_crit(self):
     header = _jwt_format.json_loads(
         '{"alg":"HS256","crit":["http://example.invalid/UNDEFINED"],'
         '"http://example.invalid/UNDEFINED":true}')
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.validate_header(header, 'HS256')
Exemple #18
0
 def test_validate_header_ignores_typ(self):
     header = _jwt_format.json_loads('{"alg":"HS256","typ":"unknown"}')
     _jwt_format.validate_header(header, 'HS256')
Exemple #19
0
 def test_validate_header_with_unknown_entry_success(self):
     header = _jwt_format.json_loads('{"alg":"HS256","unknown":"header"}')
     _jwt_format.validate_header(header, 'HS256')
Exemple #20
0
 def test_verify_empty_header_fails(self):
     header = _jwt_format.json_loads('{}')
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.validate_header(header, 'ES256')
Exemple #21
0
 def test_create_verify_different_algorithms_fails(self):
     encoded_header = _jwt_format.create_header('HS256', None)
     json_header = _jwt_format.decode_header(encoded_header)
     header = _jwt_format.json_loads(json_header)
     with self.assertRaises(_jwt_error.JwtInvalidError):
         _jwt_format.validate_header(header, 'ES256')