def test_key_ops(): sk = SYMKey(key='df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b', alg="HS256", key_ops=["sign", "verify"]) _jwk = sk.serialize(private=True) assert set(_jwk.keys()) == {"kty", "alg", "key_ops", "k"}
def main(): """ Main function""" parser = argparse.ArgumentParser( description="JSON Web Key (JWK) Generator") parser.add_argument("--kty", dest="kty", metavar="type", help="Key type", required=True) parser.add_argument("--size", dest="keysize", type=int, metavar="size", help="Key size") parser.add_argument( "--crv", dest="crv", metavar="curve", help="EC curve", choices=NIST2SEC.keys(), default=DEFAULT_EC_CURVE, ) parser.add_argument( "--exp", dest="rsa_exp", type=int, metavar="exponent", help="RSA public key exponent (default {})".format(DEFAULT_RSA_EXP), default=DEFAULT_RSA_EXP, ) parser.add_argument("--kid", dest="kid", metavar="id", help="Key ID") args = parser.parse_args() if args.kty.upper() == "RSA": if args.keysize is None: args.keysize = DEFAULT_RSA_KEYSIZE jwk = new_rsa_key(public_exponent=args.rsa_exp, key_size=args.keysize, kid=args.kid) elif args.kty.upper() == "EC": if args.crv not in NIST2SEC: print("Unknown curve: {0}".format(args.crv), file=sys.stderr) exit(1) jwk = new_ec_key(crv=args.crv, kid=args.kid) elif args.kty.upper() == "SYM": if args.keysize is None: args.keysize = DEFAULT_SYM_KEYSIZE randomkey = os.urandom(args.keysize) jwk = SYMKey(key=randomkey, kid=args.kid) else: print("Unknown key type: {}".format(args.kty), file=sys.stderr) exit(1) jwk_dict = jwk.serialize(private=True) print(json.dumps(jwk_dict, sort_keys=True, indent=4)) print("SHA-256: " + jwk.thumbprint("SHA-256").decode(), file=sys.stderr)
def test_jws_1(): msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True} key = SYMKey(key=intarr2bin(HMAC_KEY)) _jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize()) res = _jws.sign_compact() _jws2 = JWS(alg="HS256") _jws2.verify_compact(res, keys=[key]) assert _jws2.msg == msg
def make_cookie_handler(self): cookie_conf = { "sign_key": SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"), "enc_key": SYMKey(k="NXi6HD473d_YS4exVRn7z9z23mGmvU641MuvKqH0o7Y"), } self.cookie_handler = CookieHandler(**cookie_conf)
def test_jws_mm(): msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True} key = SYMKey(key=intarr2bin(HMAC_KEY)) _jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize()) res = _jws.sign_compact() _jws2 = JWS(alg="HS512") with pytest.raises(SignerAlgError): _jws2.verify_compact(res, keys=[key])
def main(): """ Main function""" parser = argparse.ArgumentParser(description='JSON Web Key (JWK) Generator') parser.add_argument('--kty', dest='kty', metavar='type', help='Key type', required=True) parser.add_argument('--size', dest='keysize', type=int, metavar='size', help='Key size') parser.add_argument('--crv', dest='crv', metavar='curve', help='EC curve', choices=NIST2SEC.keys(), default=DEFAULT_EC_CURVE) parser.add_argument('--exp', dest='rsa_exp', type=int, metavar='exponent', help='RSA public key exponent (default {})'.format(DEFAULT_RSA_EXP), default=DEFAULT_RSA_EXP) parser.add_argument('--kid', dest='kid', metavar='id', help='Key ID') args = parser.parse_args() if args.kty.upper() == 'RSA': if args.keysize is None: args.keysize = DEFAULT_RSA_KEYSIZE jwk = new_rsa_key(public_exponent=args.rsa_exp, key_size=args.keysize, kid=args.kid) elif args.kty.upper() == 'EC': if args.crv not in NIST2SEC: print("Unknown curve: {0}".format(args.crv), file=sys.stderr) exit(1) jwk = new_ec_key(crv=args.crv, kid=args.kid) elif args.kty.upper() == 'SYM': if args.keysize is None: args.keysize = DEFAULT_SYM_KEYSIZE randomkey = os.urandom(args.keysize) jwk = SYMKey(key=randomkey, kid=args.kid) else: print("Unknown key type: {}".format(args.kty), file=sys.stderr) exit(1) jwk_dict = jwk.serialize(private=True) print(json.dumps(jwk_dict, sort_keys=True, indent=4)) print("SHA-256: " + jwk.thumbprint('SHA-256').decode(), file=sys.stderr)
def create_cookie_dealer(self): cookie_conf = { "sign_key": SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"), "enc_key": SYMKey(k="NXi6HD473d_YS4exVRn7z9z23mGmvU641MuvKqH0o7Y"), "default_values": { "name": "oidc_op", "domain": "127.0.0.1", "path": "/", "max_age": 3600, }, } self.cookie_dealer = CookieDealer(**cookie_conf)
def test_unknown_alg(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwenc = JWE(plain, alg="BCD", enc="A128GCM") with pytest.raises(ValueError): jwenc.encrypt([encryption_key])
def test_a_1_3b(): _jwt = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJl" "eHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0c" "nVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") keys = [SYMKey(key=intarr2bin(HMAC_KEY))] _jws2 = JWS(alg="") _jws2.verify_compact(_jwt, keys)
def test_wrong_key_type(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") with pytest.raises(NoSuitableEncryptionKey): jwenc.encrypt([encryption_key])
def make_cookie_content_handler(self): cookie_conf = { "sign_key": SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"), } self.cookie_handler = CookieHandler(**cookie_conf)
def test_verify_json_missing_key(): ec_key = ECKey().load_key(P256()) sym_key = SYMKey(key=b"My hollow echo chamber", alg="HS384") protected_headers_1 = {"foo": "bar", "alg": "ES256"} unprotected_headers_1 = {"abc": "xyz"} protected_headers_2 = {"foo": "bar", "alg": "HS384"} unprotected_headers_2 = {"abc": "zeb"} payload = "hello world" _jwt = JWS(msg=payload).sign_json( headers=[ (protected_headers_1, unprotected_headers_1), (protected_headers_2, unprotected_headers_2), ], keys=[ec_key, sym_key], ) # Only the EC key vkeys = [ECKey().load_key(ec_key.public_key())] with pytest.raises(NoSuitableSigningKeys): JWS().verify_json(_jwt, keys=vkeys) assert JWS().verify_json(_jwt, keys=vkeys, at_least_one=True) # Only the SYM key with pytest.raises(NoSuitableSigningKeys): JWS().verify_json(_jwt, keys=[sym_key]) assert JWS().verify_json(_jwt, keys=[sym_key], at_least_one=True) # With both assert JWS().verify_json(_jwt, keys=[vkeys[0], sym_key])
def main(): parser = argparse.ArgumentParser() parser.add_argument("-r", dest="rsa_file", help="File containing a RSA key") parser.add_argument("-k", dest="hmac_key", help="If using a HMAC algorithm this is the key") parser.add_argument("-i", dest="kid", help="key id") parser.add_argument("-j", dest="jwk", help="JSON Web Key") parser.add_argument("-J", dest="jwks", help="JSON Web Keys") parser.add_argument("-u", dest="jwks_url", help="JSON Web Keys URL") parser.add_argument("-f", dest="msg", help="The message") parser.add_argument( "-q", dest="quiet", help="Quiet mode -- only show the RAW but prettified JSON", action="store_true", ) args = parser.parse_args() if args.kid: _kid = args.kid else: _kid = "" keys = [] if args.rsa_file: keys.append(RSAKey(key=import_rsa_key(args.rsa_file), kid=_kid)) if args.hmac_key: keys.append(SYMKey(key=args.hmac_key, kid=_kid)) if args.jwk: _key = key_from_jwk_dict(open(args.jwk).read()) keys.append(_key) if args.jwks: _iss = KeyIssuer() _iss.import_jwks(open(args.jwks).read()) keys.extend(_iss.all_keys()) if args.jwks_url: _kb = KeyBundle(source=args.jwks_url) keys.extend(_kb.get()) if not args.msg: # If nothing specified assume stdin message = sys.stdin.read() elif args.msg == "-": message = sys.stdin.read() else: if os.path.isfile(args.msg): message = open(args.msg).read().strip("\n") else: message = args.msg message = message.strip() message = message.strip('"') process(message, keys, args.quiet)
def test_key_ops_and_use(): with pytest.raises(ValueError): SYMKey( key="df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b", alg="HS256", key_ops=["sign", "verify"], use="sig", )
def test_invalid(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") decrypter = JWE(plain, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(BadSyntax): decrypter.decrypt('a.b.c.d.e', keys=[encryption_key])
def test_nothing(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") decrypter = JWE(plain, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(ValueError): decrypter.decrypt(keys=[encryption_key])
def test_get_all(): kb = rsa_init({"use": ["enc", "sig"], "size": 1024, "name": "rsa", "path": "keys"}) _sym = SYMKey(**{"kty": "oct", "key": "highestsupersecret", "use": "enc"}) kb.append(_sym) assert len(kb.get()) == 3 _k = kb.keys() assert len(_k) == 3
def test_wrong_alg(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") with pytest.raises(HeaderError): factory(_jwe, alg="A192KW", enc="A128CBC-HS256")
def test_hmac_256(): payload = "Please take a moment to register today" keys = [SYMKey(key=intarr2bin(HMAC_KEY))] _jws = JWS(payload, alg="HS256") _jwt = _jws.sign_compact(keys) info = JWS(alg="HS256").verify_compact(_jwt, keys) assert info == payload
def test_no_key(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(NoSuitableDecryptionKey): decrypter.decrypt(_jwe, [])
def test_wrong_alg_2(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(WrongEncryptionAlgorithm): decrypter.decrypt(_jwe, [encryption_key], alg='A192KW')
def test_hmac_512(): payload = "Please take a moment to register today" keys = [SYMKey(key=b"My hollow echo chamber", alg="HS512")] _jws = JWS(payload, alg="HS512") _jwt = _jws.sign_compact(keys) _rj = JWS(alg="HS512") info = _rj.verify_compact(_jwt, keys) assert info == payload
def test_get_all(): kb = rsa_init( {'use': ['enc', 'sig'], 'size': 1024, 'name': 'rsa', 'path': 'keys'}) _sym = SYMKey(**{"kty": "oct", "key": "highestsupersecret", "use": "enc"}) kb.append(_sym) assert len(kb.get()) == 3 _k = kb.keys() assert len(_k) == 3
def test_sym_encrypt_decrypt_jwe(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") resp = decrypter.decrypt(_jwe, [encryption_key]) assert resp == plain
def test_sym_encrypt_decrypt(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE_SYM("some content", alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(key=encryption_key, kid="some-key-id") jwdec = JWE_SYM() resp = jwdec.decrypt(_jwe, encryption_key) assert resp == b'some content'
def __init__( self, sign_key="", enc_key="", sign_alg="SHA256", default_values=None, sign_jwk=None, enc_jwk=None, ): if sign_key: if isinstance(sign_key, SYMKey): self.sign_key = sign_key else: self.sign_key = SYMKey(k=sign_key) elif sign_jwk: if isinstance(sign_jwk, dict): self.sign_key = init_key(**sign_jwk) else: self.sign_key = import_jwk(sign_jwk) else: self.sign_key = None self.sign_alg = sign_alg if enc_key: if isinstance(enc_key, SYMKey): self.enc_key = enc_key else: self.enc_key = SYMKey(k=enc_key) elif enc_jwk: if isinstance(enc_jwk, dict): self.enc_key = init_key(**enc_jwk) else: self.enc_key = import_jwk(enc_jwk) else: self.enc_key = None if not default_values: default_values = {"path": "", "domain": "", "max_age": 0} self.default_value = default_values
def test_fernet_sha512(): encryption_key = SYMKey(use="enc", key="DukeofHazardpass", kid="some-key-id") encrypter = FernetEncrypter(password=encryption_key.key, hash_alg="SHA512") _token = encrypter.encrypt(plain) decrypter = encrypter resp = decrypter.decrypt(_token) assert resp == plain
def create_cookie_dealer(self): cookie_conf = { "enc_key": SYMKey(k="NXi6HD473d_YS4exVRn7z9z23mGmvU641MuvKqH0o7Y"), "default_values": { "name": "oidc_op", "domain": "127.0.0.1", "path": "/", "max_age": 3600, }, } self.cookie_dealer = CookieDealer(**cookie_conf)
def test_get_key(): ec_key = new_ec_key("P-256") asym_private_key = ECKey(priv_key=ec_key.priv_key) asym_public_key = ECKey(pub_key=asym_private_key.pub_key) key = SYMKey(key="mekmitasdigoatfo", kid="xyzzy") assert asym_private_key.private_key() assert asym_private_key.public_key() assert asym_public_key.private_key() is None assert asym_private_key.public_key() assert key.key
def test_get_key(): ec_key = generate_private_key(NIST2SEC['P-256'], default_backend()) asym_private_key = ECKey(priv_key=ec_key) asym_public_key = ECKey(pub_key=asym_private_key.pub_key) key = SYMKey(key='mekmitasdigoatfo', kid='xyzzy') assert asym_private_key.private_key() assert asym_private_key.public_key() assert asym_public_key.private_key() is None assert asym_private_key.public_key() assert key.key