def test_add_signing_keys(): kj = build_keyjar(KEYDEFS)[1] sign_serv = InternalSigningService('https://signer.example.com', keyjar=kj) ent = FederationEntityOOB(None, self_signer=sign_serv) req = MetadataStatement(foo='bar') ent.add_signing_keys(req) assert 'signing_keys' in req
def test_add_sms_spec_to_request(): jb = JWKSBundle('') for iss in ['https://example.org/', 'https://example.com/']: jb[iss] = build_keyjar(KEYDEFS)[1] kj = build_keyjar(KEYDEFS)[1] sign_serv = InternalSigningService('https://signer.example.com', keyjar=kj) ent = FederationEntityOOB(None, self_signer=sign_serv, fo_bundle=public_jwks_bundle(jb), context='response') ent.metadata_statements = { 'response': { 'https://example.org/': 'https://example.org/sms1' } } req = MetadataStatement(foo='bar') ent.add_sms_spec_to_request(req, ['https://example.org/']) assert 'metadata_statement_uris' in req
def test_create_verify(): sign_keyjar = build_keyjar(KEYDEFS)[1] jb = make_jwks_bundle('https://example.com', ['fo0', 'fo1', 'fo2', 'fo3'], sign_keyjar, KEYDEFS) _jws = jb.create_signed_bundle() _jwks = sign_keyjar.export_jwks() kj = KeyJar() kj.import_jwks(_jwks, 'https://example.com') bundle = verify_signed_bundle(_jws, kj) assert bundle
def test_get_metadata_statement(): jb = JWKSBundle('') for iss in ['https://example.org/', 'https://example.com/']: jb[iss] = build_keyjar(KEYDEFS)[1] self_signer = InternalSigningService(keyjar=jb['https://example.com/'], iss='https://example.com/') op = Operator(self_signer=self_signer, iss='https://example.com/') req = MetadataStatement(foo='bar') sms = op.pack_metadata_statement(req, sign_alg='RS256') sms_dir = {'https://example.com': sms} req['metadata_statements'] = Message(**sms_dir) ent = FederationEntity(None, fo_bundle=public_jwks_bundle(jb)) loe = ent.get_metadata_statement(req) assert loe
def test_pack_metadata_statement_other_alg(): _keyjar = build_keyjar(KEYDEFS)[1] self_signer = InternalSigningService('https://example.com/op', keyjar=_keyjar) op = Operator(self_signer=self_signer, iss=self_signer.iss) req = MetadataStatement(issuer='https://example.org/op') sms = op.pack_metadata_statement(req, sign_alg='ES256') assert sms # Should be a signed JWT _jwt = factory(sms) _body = json.loads(as_unicode(_jwt.jwt.part[1])) assert _body['iss'] == self_signer.iss # verify signature _kj = public_keys_keyjar(_keyjar, '', None, op.iss) r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss)) assert r
def test_private_key_jwt(): # Own dynamic keys client_keyjar = build_keyjar(KEYDEFS)[1] # The servers keys client_keyjar[conf['issuer']] = KEYJAR.issuer_keys[''] _jwks = client_keyjar.export_jwks() endpoint_context.keyjar.import_jwks(_jwks, client_id) _jwt = JWT(client_keyjar, iss=client_id, sign_alg='RS256') _assertion = _jwt.pack({'aud': [conf['issuer']]}) request = {'client_assertion': _assertion, 'client_assertion_type': JWT_BEARER} authn_info = PrivateKeyJWT(endpoint_context).verify(request) assert authn_info['client_id'] == client_id assert 'jwt' in authn_info
def get_jwks(private_path, keydefs, public_path): if os.path.isfile(private_path): _jwks = open(private_path, 'r').read() _kj = KeyJar() _kj.import_jwks(json.loads(_jwks), '') else: _kj = build_keyjar(keydefs)[1] jwks = _kj.export_jwks(private=True) head, tail = os.path.split(private_path) if not os.path.isdir(head): os.makedirs(head) fp = open(private_path, 'w') fp.write(json.dumps(jwks)) fp.close() jwks = _kj.export_jwks() # public part fp = open(public_path, 'w') fp.write(json.dumps(jwks)) fp.close() return _kj
def test_pack_metadata_statement(): jb = FSJWKSBundle('', None, 'fo_jwks', key_conv={'to': quote_plus, 'from': unquote_plus}) _keyjar = build_keyjar(KEYDEFS)[1] self_signer = InternalSigningService('https://example.com/op', keyjar=_keyjar) op = Operator(self_signer=self_signer, jwks_bundle=jb, iss='https://example.com/op') req = MetadataStatement(issuer='https://example.org/op') sms = op.pack_metadata_statement(req) assert sms # Should be a signed JWT _jwt = factory(sms) assert _jwt assert _jwt.jwt.headers['alg'] == 'RS256' _body = json.loads(as_unicode(_jwt.jwt.part[1])) assert _body['iss'] == op.iss assert _body['issuer'] == 'https://example.org/op' # verify signature _kj = public_keys_keyjar(_keyjar, '', None, op.iss) r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss)) assert r
from oidcmsg.key_jar import build_keyjar from oidcmsg.key_jar import public_keys_keyjar ISS = 'https://example.com' ISS2 = 'https://example.org' KEYDEFS = [{ "type": "RSA", "key": '', "use": ["sig"] }, { "type": "EC", "crv": "P-256", "use": ["sig"] }] SIGN_KEYS = build_keyjar(KEYDEFS)[1] KEYJAR = {} for iss in [ 'https://www.swamid.se', 'https://www.sunet.se', 'https://www.feide.no', 'https://www.uninett.no' ]: KEYJAR[iss] = build_keyjar(KEYDEFS)[1] def test_create(): bundle = JWKSBundle(ISS, SIGN_KEYS) assert bundle
import os import shutil from cryptojwt.jws import factory from oidcmsg.key_jar import KeyJar from oidcmsg.key_jar import build_keyjar from fedoidcmsg import test_utils from fedoidcmsg.operator import Operator from fedoidcmsg.signing_service import InternalSigningService from fedoidcmsg.test_utils import MetaDataStore from fedoidcmsg.test_utils import unpack_using_metadata_store TEST_ISS = "https://test.example.com" KEYDEFS = [ {"type": "RSA", "key": '', "use": ["sig"]}, {"type": "EC", "crv": "P-256", "use": ["sig"]} ] SIGN_KEYJAR = build_keyjar(KEYDEFS)[1] FO = { 'swamid': 'https://swamid.sunet.se', 'feide': 'https://www.feide.no', 'edugain': 'https://edugain.com', 'example': 'https://example.com' } OA = {'sunet': 'https://sunet.se', 'uninett': 'https://uninett.no'} EO = {'foodle.rp': 'https://foodle.uninett.no'}
#!/usr/bin/env python3 import json from oidcmsg.key_jar import build_keyjar KEYDEFS = [{ "type": "RSA", "key": '', "use": ["sig"] }, { "type": "EC", "crv": "P-256", "use": ["sig"] }] _jwks, _keyjar, _ = build_keyjar(KEYDEFS) print(json.dumps(_keyjar.export_jwks(private=True)))
from fedoidcmsg.bundle import jwks_to_keyjar from fedoidcmsg.utils import request_signed_by_signing_keys from fedoidcmsg.utils import self_sign_jwks from fedoidcmsg.utils import verify_request_signed_by_signing_keys from fedoidcmsg.utils import verify_self_signed_jwks from oidcmsg.key_jar import KeyJar from oidcmsg.key_jar import build_keyjar KEYDEFS = [ {"type": "RSA", "use": ["sig"]}, {"type": "RSA", "use": ["sig"]}, {"type": "EC", "crv": "P-256", "use": ["sig"]} ] JWKS, KEYJAR, _ = build_keyjar(KEYDEFS) def test_jwks_to_keyjar(): _kj = jwks_to_keyjar(JWKS) assert list(_kj.owners()) == [''] assert len(_kj.get_signing_key('RSA',owner='')) == 2 assert len(_kj.get_signing_key('EC',owner='')) == 1 def test_self_signed_jwks(): kj = KeyJar() kj.issuer_keys['abc'] = KEYJAR.issuer_keys[''] ssj = self_sign_jwks(kj, 'abc', kid='', lifetime=3600) assert ssj
#!/usr/bin/env python3 import json from oidcmsg.key_jar import build_keyjar KEYDEFS = [ {"type": "RSA", "key": '', "use": ["sig"]}, {"type": "EC", "crv": "P-256", "use": ["sig"]} ] _keyjar = build_keyjar(KEYDEFS)[1] print(json.dumps(_keyjar.export_jwks(private=True)))