def setup(self): mkey = [ {"type": "RSA", "use": ["sig"]}, {"type": "RSA", "use": ["sig"]}, {"type": "RSA", "use": ["sig"]}, ] skey = [{"type": "RSA", "use": ["sig"]}] # Alice has multiple keys self.alice_keyjar = build_keyjar(mkey) # Bob has one single keys self.bob_keyjar = build_keyjar(skey) self.alice_keyjar["Alice"] = self.alice_keyjar[""] self.bob_keyjar["Bob"] = self.bob_keyjar[""] # To Alice's keyjar add Bob's public keys self.alice_keyjar.import_jwks(self.bob_keyjar.export_jwks(issuer="Bob"), "Bob") # To Bob's keyjar add Alice's public keys self.bob_keyjar.import_jwks(self.alice_keyjar.export_jwks(issuer="Alice"), "Alice") _jws = JWS('{"aud": "Bob", "iss": "Alice"}', alg="RS256") sig_key = self.alice_keyjar.get_signing_key("rsa", owner="Alice")[0] self.sjwt_a = _jws.sign_compact([sig_key]) _jws = JWS('{"aud": "Alice", "iss": "Bob"}', alg="RS256") sig_key = self.bob_keyjar.get_signing_key("rsa", owner="Bob")[0] self.sjwt_b = _jws.sign_compact([sig_key])
def test_unknown_alg(): jws = JWS(msg="Please take a moment to register today", jwk=JWKS_b["keys"][0], alg="RS768") with pytest.raises(UnknownAlgorithm): jws.sign_compact()
def test_mismatch_alg_and_key(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg="ES256") with pytest.raises(NoSuitableSigningKeys): _jws.sign_compact(keys)
def test_sign_2(): keyset = { "keys": [{ "alg": "RS512", "kty": "RSA", "d": "ckLyXxkbjC4szg8q8G0ERBZV" "-9CszeOxpRtx1KM9BLl0Do3li_Km2vvFvfXJ7MxQpiZ18pBoCcyYQEU262ym8wI22JWMPrZe24HCNxLxqzr_JEuBhpKFxQF6EFTSvJEJD1FkoTuCTvN0zD7YHGaJQG6JzVEuFUY3ewxjH0FYNa_ppTnPP3LC-T9u_GX9Yqyuw1KOYoHSzhWSWQOeAgs4dH9-iAxN1wdZ6eH1jFWAs43svk_rhwdgyJMlihFtV9MAInBlfi_Zu8wRVhVl5urkJrLf0tGFnMbnzb6dYSlUXxEYClpY12W7kXW9aePDqkCwI4oZyxmOmgq4hunKGR1dAQ", "e": "AQAB", "use": "sig", "kid": "af22448d-4c7b-464d-b63a-f5bd90f6d7d1", "n": "o9g8DpUwBW6B1qmcm-TfEh4rNX7n1t38jdo4Gkl_cI3q" "--7n0Blg0kN88LHZvyZjUB2NhBdFYNxMP8ucy0dOXvWGWzaPmGnq3DM__lN8P4WjD1cCTAVEYKawNBAmGKqrFj1SgpPNsSqiqK-ALM1w6mZ-QGimjOgwCyJy3l9lzZh5D8tKnS2t1pZgE0X5P7lZQWHYpHPqp4jKhETzrCpPGfv0Rl6nmmjp7NlRYBkWKf_HEKE333J6M039m2FbKgxrBg3zmYYpmHuMzVgxxb8LSiv5aqyeyJjxM-YDUAgNQBfKNhONqXyu9DqtSprNkw6sqmuxK0QUVrNYl3b03PgS5Q", }] } keys = KeyBundle(keyset) jws = JWS("payload", alg="RS512") jws.sign_compact(keys=keys)
def test_no_alg_and_alg_none_same(): payload = "Please take a moment to register today" _jws = JWS(payload, alg="none") # Create a JWS (signed JWT) _jwt0 = _jws.sign_compact([]) # The class instance that sets up the signing operation _jws = JWS(payload, alg="none") # Create a JWS (signed JWT) _jwt1 = _jws.sign_compact([]) assert _jwt0 == _jwt1
def test_jws_mac_authenticator_and_verifier(): algs = ['HS256', 'HS384', 'HS512'] for alg in algs: calgs = algs[:] calgs.remove(alg) json_hmac_key = json.loads(test_vector.json_hmac_key) json_hmac_key['alg'] = alg json_hmac_key = json.dumps(json_hmac_key) json_header_hmac = json.loads(test_vector.test_header_hmac) json_header_hmac['alg'] = alg json_header_hmac = json.dumps(json_header_hmac) # Authenticator mac_key = key_from_jwk_dict(json.loads(json_hmac_key)) authenticator = JWS(test_vector.test_payload, **json.loads(json_header_hmac)) signed_token = authenticator.sign_compact([mac_key]) # Verify verifier = JWS(alg=alg) assert verifier.verify_compact(signed_token, [mac_key]) for modified_token in modify_token(signed_token, calgs): with pytest.raises(JWKESTException): assert verifier.verify_compact(modified_token, [mac_key])
def test_verify_protected_headers(): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec.SECP256R1(), default_backend()) _key = ECKey().load_key(eck) keys = [_key] _jws = JWS(payload, alg="ES256") protected = dict(header1=u"header1 is protected", header2="header2 is protected too", a=1) _jwt = _jws.sign_compact(keys, protected=protected) protectedHeader, enc_payload, sig = _jwt.split(".") data = dict( payload=enc_payload, signatures=[ dict( header=dict(alg=u"ES256", jwk=_key.serialize()), protected=protectedHeader, signature=sig, ) ], ) # _pub_key = ECKey().load_key(eck.public_key()) _jws = JWS() assert _jws.verify_json(json.dumps(data)) == payload
def test_back_channel_logout_request(): val = { "iss": ISS, "aud": [CLIENT_ID], "iat": NOW, "jti": "bWJq", "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", "events": { BACK_CHANNEL_LOGOUT_EVENT: {} } } lt = LogoutToken(**val) signer = JWS(lt.to_json(), alg='ES256') _jws = signer.sign_compact(keys=ISS_KEY.get_signing_key(issuer_id=ISS)) bclr = BackChannelLogoutRequest(logout_token=_jws) # This is how it is posted _req = bclr.to_urlencoded() _request = BackChannelLogoutRequest().from_urlencoded(_req) assert 'logout_token' in _request _verified = _request.verify(keyjar=CLI_KEY, iss=ISS, aud=CLIENT_ID, skew=30) assert _verified assert set(_request.keys()) == {'logout_token', '__verified_logout_token'}
def test_signer_protected_headers(): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec.SECP256R1(), default_backend()) _key = ECKey().load_key(eck) keys = [_key] _jws = JWS(payload, alg="ES256") protected = dict(header1=u"header1 is protected", header2="header2 is protected too", a=1) _jwt = _jws.sign_compact(keys, protected=protected) exp_protected = protected.copy() exp_protected["alg"] = "ES256" enc_header, enc_payload, sig = _jwt.split(".") assert json.loads(b64d( enc_header.encode("utf-8")).decode("utf-8")) == exp_protected assert b64d(enc_payload.encode("utf-8")).decode("utf-8") == payload _pub_key = ECKey().load_key(eck.public_key()) _rj = JWS(alg="ES256") info = _rj.verify_compact(_jwt, [_pub_key]) assert info == payload # Protected by default protected["alg"] = "ES256" assert _rj.protected_headers() == protected
def test_jws_rsa_signer_and_verifier(): algs = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'] for alg in algs: calgs = algs[:] calgs.remove(alg) json_priv_key = json.loads(test_vector.json_rsa_priv_key) json_priv_key['alg'] = alg json_priv_key = json.dumps(json_priv_key) json_pub_key = json.loads(test_vector.json_rsa_pub_key) json_pub_key['alg'] = alg json_pub_key = json.dumps(json_pub_key) json_header_rsa = json.loads(test_vector.test_header_rsa) json_header_rsa['alg'] = alg # Sign priv_key = key_from_jwk_dict(json.loads(json_priv_key)) jws = JWS(msg=test_vector.test_payload, **json_header_rsa) signed_token = jws.sign_compact([priv_key]) # Verify pub_key = key_from_jwk_dict(json.loads(json_pub_key)) verifier = JWS(alg=[alg]) assert verifier.verify_compact(signed_token, [pub_key]) for modified_token in modify_token(signed_token, calgs): with pytest.raises(JWKESTException): verifier.verify_compact(modified_token, [pub_key])
def test_dj_usage(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg="RS256") sjwt = _jws.sign_compact(keys) _jwt = factory(sjwt) assert _jwt.jwt.headers["alg"] == "RS256"
def store_signed_jwks(keyjar, sign_keyjar, path, alg, iss=''): _jwks = keyjar.export_jwks() _jws = JWS(_jwks, alg=alg) _jwt = _jws.sign_compact( sign_keyjar.get_signing_key(owner=iss, key_type=alg2keytype(alg))) fp = open(path, 'w') fp.write(_jwt) fp.close()
def test_extra_headers_1(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg="RS256") sjwt = _jws.sign_compact(keys, foo="bar") _jwt = factory(sjwt) assert set(_jwt.jwt.headers.keys()) == {"alg", "foo"}
def setup(self): mkey = [ { "type": "RSA", "use": ["sig"] }, { "type": "RSA", "use": ["sig"] }, { "type": "RSA", "use": ["sig"] }, ] skey = [ { "type": "RSA", "use": ["sig"] }, ] # Alice has multiple keys self.alice_keyjar = build_keyjar(mkey) # Bob has one single keys self.bob_keyjar = build_keyjar(skey) self.alice_keyjar['Alice'] = self.alice_keyjar[''] self.bob_keyjar['Bob'] = self.bob_keyjar[''] # To Alice's keyjar add Bob's public keys self.alice_keyjar.import_jwks( self.bob_keyjar.export_jwks(issuer='Bob'), 'Bob') # To Bob's keyjar add Alice's public keys self.bob_keyjar.import_jwks( self.alice_keyjar.export_jwks(issuer='Alice'), 'Alice') _jws = JWS('{"aud": "Bob", "iss": "Alice"}', alg='RS256') sig_key = self.alice_keyjar.get_signing_key('rsa', owner='Alice')[0] self.sjwt_a = _jws.sign_compact([sig_key]) _jws = JWS('{"aud": "Alice", "iss": "Bob"}', alg='RS256') sig_key = self.bob_keyjar.get_signing_key('rsa', owner='Bob')[0] self.sjwt_b = _jws.sign_compact([sig_key])
def test_extra_headers_3(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg='RS256') _jws.set_header_claim('foo', 'bar') sjwt = _jws.sign_compact(keys, abc=123) _jwt = factory(sjwt) assert set(_jwt.jwt.headers.keys()) == {'alg', 'foo', 'abc'}
def test_hmac_from_keyrep(): payload = "Please take a moment to register today" symkeys = [k for k in SIGJWKS if k.kty == "oct"] _jws = JWS(payload, alg="HS512") _jwt = _jws.sign_compact(symkeys) _rj = JWS(alg="HS512") info = _rj.verify_compact(_jwt, symkeys) assert info == payload
def test_jws_1(): msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True} key = SYMKey(key=intarr2bin(HMAC_KEY)) _jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize()) res = _jws.sign_compact() _jws2 = JWS(alg="HS256") _jws2.verify_compact(res, keys=[key]) assert _jws2.msg == msg
def test_hmac_256(): payload = "Please take a moment to register today" keys = [SYMKey(key=intarr2bin(HMAC_KEY))] _jws = JWS(payload, alg="HS256") _jwt = _jws.sign_compact(keys) info = JWS(alg="HS256").verify_compact(_jwt, keys) assert info == payload
def test_factory_verify_alg(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _signer = JWS(payload, alg="RS256") _signer.set_header_claim("foo", "bar") _jws = _signer.sign_compact(keys, abc=123) _verifier = factory(_jws) assert _verifier.jwt.verify_headers(alg="RS512") is False
def test_hmac_512(): payload = "Please take a moment to register today" keys = [SYMKey(key=b"My hollow echo chamber", alg="HS512")] _jws = JWS(payload, alg="HS512") _jwt = _jws.sign_compact(keys) _rj = JWS(alg="HS512") info = _rj.verify_compact(_jwt, keys) assert info == payload
def test_jws_mm(): msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True} key = SYMKey(key=intarr2bin(HMAC_KEY)) _jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize()) res = _jws.sign_compact() _jws2 = JWS(alg="HS512") with pytest.raises(SignerAlgError): _jws2.verify_compact(res, keys=[key])
def test_signer_es(ec_func, alg): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec_func(), default_backend()) keys = [ECKey().load_key(eck)] _jws = JWS(payload, alg=alg) _jwt = _jws.sign_compact(keys) _pubkey = ECKey().load_key(eck.public_key()) _rj = JWS(alg=alg) info = _rj.verify_compact(_jwt, [_pubkey]) assert info == payload
def test_signer_ps384(): payload = "Please take a moment to register today" _pkey = import_private_rsa_key_from_file(PRIV_KEY) keys = [RSAKey(priv_key=_pkey)] # keys[0]._keytype = "private" _jws = JWS(payload, alg="PS384") _jwt = _jws.sign_compact(keys) vkeys = [RSAKey(pub_key=_pkey.public_key())] _rj = JWS(alg="PS384") info = _rj.verify_compact(_jwt, vkeys) assert info == payload
def to_jwt(self, key=None, algorithm="", lev=0, lifetime=0): """ Create a signed JWT representation of the class instance :param key: The signing key :param algorithm: The signature algorithm to use :param lev: :param lifetime: The lifetime of the JWS :return: A signed JWT """ _jws = JWS(self.to_json(lev), alg=algorithm) return _jws.sign_compact(key)
def test_signer_es256_verbose(): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec.SECP256R1(), default_backend()) _key = ECKey().load_key(eck) keys = [_key] _jws = JWS(payload, alg="ES256") _jwt = _jws.sign_compact(keys) _pubkey = ECKey().load_key(eck.public_key()) _rj = JWS(alg="ES256") info = _rj.verify_compact_verbose(_jwt, [_pubkey]) assert info["msg"] == payload assert info["key"] == _pubkey
def test_aud(self): self.alice_keyjar.import_jwks(JWK1, issuer="D") self.bob_keyjar.import_jwks(JWK1, issuer="D") _jws = JWS('{"iss": "D", "aud": "A"}', alg="HS256") sig_key = self.alice_keyjar.get_signing_key("oct", owner="D")[0] _sjwt = _jws.sign_compact([sig_key]) no_kid_issuer = {"D": []} _jwt = factory(_sjwt) keys = self.bob_keyjar.get_jwt_verify_keys(_jwt.jwt, no_kid_issuer=no_kid_issuer) assert len(keys) == 1
def test_jws_ecdsa_signer_verifier_es256(): # Sign priv_key = key_from_jwk_dict(json.loads(test_vector.es256_ecdsa_priv_key)) signer = JWS(msg=test_vector.test_payload, **json.loads(test_vector.test_header_ecdsa)) signed_token = signer.sign_compact([priv_key]) # Verify pub_key = key_from_jwk_dict(json.loads(test_vector.es256_ecdsa_pub_key)) verifier = JWS(alg='ES256') assert verifier.verify_compact(signed_token, [pub_key]) for modified_token in modify_token(signed_token, ['ES384', 'ES512']): with pytest.raises(JWKESTException): verifier.verify_compact(modified_token, [pub_key])
def test_signer_ps512(): payload = "Please take a moment to register today" # Key has to be big enough > 512+512+2 _pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) keys = [RSAKey(priv_key=_pkey)] # keys[0]._keytype = "private" _jws = JWS(payload, alg="PS512") _jwt = _jws.sign_compact(keys) vkeys = [RSAKey(pub_key=_pkey.public_key())] _rj = factory(_jwt, alg="PS512") info = _rj.verify_compact(_jwt, vkeys) assert info == payload assert _rj.verify_alg("PS512")
def test_jws_verifier_with_kid(): # Sign priv_key = key_from_jwk_dict( json.loads(test_vector.test_json_ecdsa_priv_key_kid1)) signer = JWS(test_vector.test_payload, **json.loads(test_vector.test_header_ecdsa_kid1)) signed_token_kid1 = signer.sign_compact([priv_key]) priv_key = key_from_jwk_dict( json.loads(test_vector.test_json_ecdsa_priv_key_kid2)) signer = JWS(test_vector.test_payload, **json.loads(test_vector.test_header_ecdsa_kid2)) signed_token_kid2 = signer.sign_compact([priv_key]) # Verify pub_key = key_from_jwk_dict( json.loads(test_vector.test_json_ecdsa_pub_key_kid1)) verifier = JWS(alg='ES256') assert verifier.verify_compact(signed_token_kid1, [pub_key]) # The signature is valid but the kids don't match. with pytest.raises(NoSuitableSigningKeys): verifier.verify_compact(signed_token_kid2, [pub_key])
def test_1(): claimset = { "iss": "joe", "exp": 1300819380, "http://example.com/is_root": True } _jws = JWS(claimset, cty="JWT", alg="none") _jwt = _jws.sign_compact() _jr = JWS() _msg = _jr.verify_compact(_jwt, allow_none=True) print(_jr) assert _jr.jwt.headers["alg"] == "none" assert _msg == claimset