def test_rsa_without_kty_fails(self): jwk_set = RS256_JWK_SET.replace('"kty":"RSA",', '') # PKCS1 with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set) # PSS jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"') with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_with_invalid_use_fails(self): jwk_set = RS256_JWK_SET.replace('"use":"sig"', '"use":"invalid"') # PKCS1 with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set) # PSS jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"') with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_with_string_key_ops_fails(self): jwk_set = RS256_JWK_SET.replace('"key_ops":["verify"]', '"key_ops":"verify"') # PKCS1 with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set) # PSS jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"') with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_without_use_or_key_ops_to_public_keyset_handle_success(self): jwk_set = """{"keys":[ { "kty":"EC", "crv":"P-256", "x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY", "y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI", "alg":"ES256" }]}""" # ignore returned value, we only test that it worked. jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_key_without_crv_to_public_keyset_handle_fails(self): jwk_set = """{"keys":[ { "kty":"EC", "x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY", "y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI", "alg":"ES256", "use":"sig", "key_ops":["verify"] }]}""" with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_key_with_unknown_field_to_public_keyset_handle_success(self): jwk_set = """{"keys":[ { "kty":"EC", "crv":"P-256", "x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY", "y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI", "alg":"ES256", "unknown":1234, "use":"sig", "key_ops":["verify"] }]}""" jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_private_key_to_public_keyset_handle_fails(self): # Example from https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.2 jwk_set = """{"keys":[ { "kty":"EC", "crv":"P-256", "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", "d":"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE", "alg":"ES256" }]}""" with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_private_key_to_public_keyset_handle_fails(self): # Example from https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.2 jwk_set = """ {"keys": [ {"kty":"RSA", "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4 cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMst n64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2Q vzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbIS D08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw 0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", "e":"AQAB", "d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9 M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d _cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBz nbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFz me1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q", "p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPV nwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqV WlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs", "q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyum qjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgx kIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk", "dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oim YwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_Nmtu YZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0", "dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUU vMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9 GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk", "qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzg UIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rx yR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU", "alg":"RS256", "kid":"2011-04-29"} ] }""" # remove spaces and line breaks jwk_set = jwk_set.replace(' ', '').replace('\n', '') # PKCS1 with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set) # PSS jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"') with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_with_small_n_primitive_fails(self): jwk_set = """{"keys":[{ "kty":"RSA", "n":"AAAwOQ", "e":"AQAB", "use":"sig", "alg":"RS256", "key_ops":["verify"]}]}""" # PKCS1 handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) with self.assertRaises(tink.TinkError): handle.primitive(jwt.JwtPublicKeyVerify) # test PSS jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"') handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) with self.assertRaises(tink.TinkError): handle.primitive(jwt.JwtPublicKeyVerify)
def test_convert_jwk_set_to_public_keyset_handle_and_back(self, jwk_set): keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle) self.assertEqual(output_jwk_set, jwk_set) # check that all keys are raw. for key in keyset_handle._keyset.key: self.assertEqual(key.output_prefix_type, tink_pb2.RAW) # test deprecated to/from keyset_handle functions. self.assertEqual( jwt.jwk_set_from_keyset_handle(jwt.jwk_set_to_keyset_handle(jwk_set)), jwk_set)
def main(argv): del argv # Unused. # Initialise Tink try: jwt.register_jwt_signature() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a KeysetHandle if _PUBLIC_KEYSET_PATH.present: with open(_PUBLIC_KEYSET_PATH.value, 'rt') as public_keyset_file: try: text = public_keyset_file.read() keyset_handle = tink.read_no_secret_keyset_handle( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading public keyset: %s', e) return 1 elif _PUBLIC_JWK_SET_PATH.present: with open(_PUBLIC_JWK_SET_PATH.value, 'rt') as public_jwk_set_file: try: text = public_jwk_set_file.read() keyset_handle = jwt.jwk_set_to_public_keyset_handle(text) except tink.TinkError as e: logging.exception('Error reading public JWK set: %s', e) return 1 else: logging.info( 'Either --public_keyset_path or --public_jwk_set_path must be set') now = datetime.datetime.now(tz=datetime.timezone.utc) try: jwt_verify = keyset_handle.primitive(jwt.JwtPublicKeyVerify) except tink.TinkError as e: logging.exception('Error creating JwtPublicKeyVerify: %s', e) return 1 # Verify token with open(_TOKEN_PATH.value, 'rt') as token_file: token = token_file.read() validator = jwt.new_validator(expected_audience=_AUDIENCE.value) try: verified_jwt = jwt_verify.verify_and_decode(token, validator) expires_in = verified_jwt.expiration() - now logging.info('Token is valid and expires in %s seconds', expires_in.seconds) return 0 except tink.TinkError as e: logging.info('JWT verification failed: %s', e) return 1
def test_ecdsa_key_with_small_x_primitive_fails(self): jwk_set = """{"keys":[ { "kty":"EC", "crv":"P-256", "x":"AAAwOQ", "y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI", "alg":"ES256", "use":"sig", "key_ops":["verify"] }]}""" handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) with self.assertRaises(tink.TinkError): handle.primitive(jwt.JwtPublicKeyVerify)
def test_ecdsa_key_with_small_y_primitive_fails(self): jwk_set = """{"keys":[ { "kty":"EC", "crv":"P-256", "x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY", "y":"AAAwOQ", "alg":"ES256", "use":"sig", "key_ops":["verify"] }]}""" handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) with self.assertRaises(tink.TinkError): handle.primitive(jwt.JwtPublicKeyVerify)
def FromJwkSet( self, request: testing_api_pb2.JwtFromJwkSetRequest, context: grpc.ServicerContext ) -> testing_api_pb2.JwtFromJwkSetResponse: """Converts a JWK set into a Tink Keyset.""" try: keyset_handle = jwt.jwk_set_to_public_keyset_handle( request.jwk_set) keyset = io.BytesIO() cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.JwtFromJwkSetResponse( keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.JwtFromJwkSetResponse(err=str(e))
def test_jwk_set_to_public_keyset_handle_with_invalid_json_raises_tink_error( self): with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle('invalid')
def test_es_conserves_empty_kid(self): jwk_set_with_empty_kid = ES256_JWK_SET_KID.replace('"ENgjPA"', '""') keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set_with_empty_kid) output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle) self.assertEqual(output_jwk_set, jwk_set_with_empty_kid)
def test_rsa_ssa_pss_without_use_and_key_ops_to_keyset_handle_success(self): jwk_set = PS256_JWK_SET.replace(',"use":"sig"', '').replace(',"key_ops":["verify"]', '') keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle) self.assertEqual(output_jwk_set, PS256_JWK_SET)
def test_rsa_ssa_pss_with_unknown_property_keyset_handle_success(self): jwk_set = PS256_JWK_SET.replace(',"use":"sig"', ',"use":"sig","unknown":1234') keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set) output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle) self.assertEqual(output_jwk_set, PS256_JWK_SET)
def test_rsa_without_alg_fails(self): jwk_set = RS256_JWK_SET.replace(',"alg":"RS256"', '') with self.assertRaises(tink.TinkError): jwt.jwk_set_to_public_keyset_handle(jwk_set)