def test_invalid_headers(self):
with self.assertRaises(exceptions.ReservedHeader):
jwts.make_jws({'hello': 7},
self.keypairs[0],
multiple_sig_headers=[{
'alg': 99
}])
def test_incorrect_number_of_headers(self):
with self.assertRaises(exceptions.KeyHeaderMismatch):
jwts.make_jws({'hello': 7},
self.keypairs[0],
multiple_sig_headers=[{
'z': 0
}, {
'z': 99
}])
def test_jws_verify_no_signatures(self):
jws = jwts.make_jws({'a': 1}, [])
(jwts.verify_jws.when.called_with(jws, self.keypairs[:2])
.should.throw(exceptions.InvalidSignatureError))
(jwts.verify_jws.when.called_with(jws, self.keypairs[:2], verify_all=False)
.should.throw(exceptions.InvalidSignatureError))
def test_jws_verify_with_wrong_keypair(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
(jwts.verify_jws.when.called_with(jws, self.keypairs[1:2])
.should.throw(exceptions.KeySignatureMismatch))
(jwts.verify_jws.when.called_with(jws, self.keypairs[1:2], verify_all=False)
.should.throw(exceptions.KeySignatureMismatch))
def test_jws_verify_any_signature_is_ok(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
verified_msg = jwts.verify_jws(jws,
self.keypairs[:2],
verify_all=False)
self.assertIn("a", verified_msg)
def test_verify_message_with_rekey(self):
message = jwts.make_jws({'c': 3}, [
self.mock_proj_keypair,
self.mock_oneid_keypair,
self.mock_resetA_keypair,
self.mock_resetB_keypair,
self.mock_resetC_keypair,
])
sess = session.DeviceSession(
self.id_credentials,
self.proj_credentials,
self.oneid_credentials,
)
claims = sess.verify_message(message,
rekey_credentials=[
self.resetA_credentials,
self.resetB_credentials,
self.resetC_credentials,
])
self.assertIsInstance(claims, dict)
self.assertIn("c", claims)
self.assertEqual(claims.get("c"), 3)
def test_jws_verify_mismatched_signatures(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
# this test requires equal-length arrays, with some overlap
(jwts.verify_jws.when.called_with(jws, self.keypairs[1:3])
.should.throw(exceptions.KeySignatureMismatch))
(jwts.verify_jws.when.called_with(jws, self.keypairs[1:3], verify_all=False)
.should_not.throw(Exception))
def test_jws_verify_mismatched_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
# this test requires equal-length arrays, with some overlap
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:3])
jwts.verify_jws(jws, self.keypairs[1:3], verify_all=False)
def test_jws_verify_no_signatures(self):
jws = jwts.make_jws({"a": 1}, [])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(utils.base64url_decode(jws["signatures"][0]["protected"])))
header["alg"] = "bog"
jws["signatures"][0]["protected"] = utils.to_string(utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_jws_verify_no_signatures(self):
jws = jwts.make_jws({"a": 1}, [])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(jws, self.keypairs[:2])
def test_jws_verify_mismatched_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
# this test requires equal-length arrays, with some overlap
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:3])
jwts.verify_jws(jws, self.keypairs[1:3], verify_all=False)
def test_jws_verify_with_wrong_keypair(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
def test_jws_verify_with_wrong_keypair(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[1:2])
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({"a": 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(utils.base64url_decode(jws["signatures"][0]["protected"])))
del header["kid"]
jws["signatures"][0]["protected"] = utils.to_string(utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_get_ordered_jws_key_ids(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
kids = [{
'kid': keypair.identity,
'kids': [],
'sidxs': []
} for keypair in self.keypairs]
msg_ids = jwts.get_jws_key_ids(jws, ordered=True)
self.assertEqual(msg_ids, kids)
def test_extend_incorrect_number_of_headers(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
with self.assertRaises(exceptions.KeyHeaderMismatch):
jwts.extend_jws_signatures(jws,
self.keypairs[0],
multiple_sig_headers=[{
'z': 0
}, {
'z': 99
}])
def test_invalid_message_not_a_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws_dict = json.loads(jws)
no_payload = {k: v for k, v in jws_dict.items() if k != 'payload'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_payload), self.keypairs[:2])
no_sigs = {k: v for k, v in jws_dict.items() if k != 'signatures'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_sigs), self.keypairs[:2])
def test_verify_message(self):
message = jwts.make_jws({'b': 2}, [self.mock_proj_keypair, self.mock_oneid_keypair])
sess = session.DeviceSession(
self.id_credentials, self.proj_credentials, self.oneid_credentials
)
claims = sess.verify_message(message)
claims.should.be.a(dict)
claims.should.have.key('b').equal_to(2)
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(
utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])))
del header['kid']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(
utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])))
header['alg'] = 'bog'
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header)))
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_invalid_message_not_a_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws_dict = json.loads(jws)
no_payload = {k: v for k, v in jws_dict.items() if k != 'payload'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_payload), self.keypairs[:2])
no_sigs = {k: v for k, v in jws_dict.items() if k != 'signatures'}
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(no_sigs), self.keypairs[:2])
def test_missing_kid_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
del header['kid']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
(jwts.verify_jws.when.called_with(json.dumps(jws), self.keypairs[:1])
.should.throw(exceptions.InvalidFormatError))
def test_invalid_message_not_a_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws_dict = json.loads(jws)
no_payload = {k: v for k, v in jws_dict.items() if k != 'payload'}
(jwts.verify_jws.when.called_with(json.dumps(no_payload), self.keypairs[:2])
.should.throw(exceptions.InvalidFormatError))
no_sigs = {k: v for k, v in jws_dict.items() if k != 'signatures'}
(jwts.verify_jws.when.called_with(json.dumps(no_sigs), self.keypairs[:2])
.should.throw(exceptions.InvalidFormatError))
def test_verify_message(self):
message = jwts.make_jws(
{'b': 2}, [self.mock_proj_keypair, self.mock_oneid_keypair])
sess = session.DeviceSession(self.id_credentials,
self.proj_credentials,
self.oneid_credentials)
claims = sess.verify_message(message)
self.assertIsInstance(claims, dict)
self.assertIn("b", claims)
self.assertEqual(claims.get("b"), 2)
def test_verify_message_jws(self, mock_request):
message = jwts.make_jws({'c': 3}, [self.id_credentials.keypair])
sess = session.ServerSession(
identity_credentials=self.alt_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials,
config=self.fake_config,
)
claims = sess.verify_message(message, self.id_credentials)
self.assertIsInstance(claims, dict)
self.assertIn("c", claims)
self.assertEqual(claims.get("c"), 3)
def test_get_jws_headers_invalid_json(self):
jws = jwts.make_jws({'message': 'hi'}, self.keypairs[:1])
header = json.dumps({
'typ': 'JWT',
'alg': 'NONE',
})
header_str = utils.base64url_encode(header).decode('utf-8')
bad_jws = '.'.join([header_str] + jws.split('.')[1:])
with self.assertRaises(exceptions.InvalidFormatError):
jwts.get_jws_headers(bad_jws)
def test_invalid_alg_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
header['alg'] = 'bog'
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
with self.assertRaises(exceptions.InvalidAlgorithmError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_missing_typ_in_jws_header(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
header = json.loads(utils.to_string(
utils.base64url_decode(jws['signatures'][0]['protected'])
))
del header['typ']
jws['signatures'][0]['protected'] = utils.to_string(
utils.base64url_encode(json.dumps(header))
)
with self.assertRaises(exceptions.InvalidFormatError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def setUp(self):
# self.tmpdir = tempfile.mkdtemp()
# os.environ['HOME'] = self.tmpdir
# nonces.set_nonce_handlers(lambda _n: True, lambda _n: True)
self.claim_keys = ['a', 'b', 'c', 'héllo!', '😬']
self.raw_claims = {k: 0 for k in self.claim_keys}
self.keypair = service.create_secret_key()
self.keypair.identity = str(uuid.uuid4())
self.jws = jwts.make_jws(self.raw_claims, self.keypair)
self.jwt = jwts.make_jwt(self.raw_claims, self.keypair)
def test_verify_message(self):
message = jwts.make_jws(
{'b': 2},
[self.mock_proj_keypair, self.mock_oneid_keypair]
)
sess = session.DeviceSession(
self.id_credentials, self.proj_credentials, self.oneid_credentials
)
claims = sess.verify_message(message)
self.assertIsInstance(claims, dict)
self.assertIn("b", claims)
self.assertEqual(claims.get("b"), 2)
def _create_and_verify_good_jws(self, claims, keypairs=None):
keypairs = keypairs or self.keypairs
jws = jwts.make_jws(claims, keypairs)
self.assertIsInstance(jws, str)
verifications = [jwts.verify_jws(jws, keypairs), jwts.verify_jws(jws), jwts.verify_jws(utils.to_bytes(jws))]
for verification in verifications:
self.assertTrue(verification)
for claim in claims:
self.assertIn(claim, verification)
self.assertEqual(verification.get(claim), claims[claim])
def test_verify_message_jws(self, mock_request):
message = jwts.make_jws(
{'c': 3},
[self.id_credentials.keypair]
)
sess = session.ServerSession(
identity_credentials=self.alt_credentials,
oneid_credentials=self.oneid_credentials,
project_credentials=self.project_credentials,
config=self.fake_config,
)
claims = sess.verify_message(message, self.id_credentials)
self.assertIsInstance(claims, dict)
self.assertIn("c", claims)
self.assertEqual(claims.get("c"), 3)
def test_add_signature_to_jws(self):
claims = {
'a': 1,
}
sess = session.DeviceSession(self.id_credentials)
jws1 = jwts.make_jws(claims, self.alt_credentials.keypair)
jws2 = sess.add_signature(jws1)
claims = jwts.verify_jws(
jws2, [self.alt_credentials.keypair, self.id_credentials.keypair])
self.assertIsInstance(claims, dict)
self.assertIn("a", claims)
self.assertEqual(claims.get("a"), 1)
def _create_and_verify_good_jws(self, claims, keypairs=None):
keypairs = keypairs or self.keypairs
jws = jwts.make_jws(claims, keypairs)
jws.should.be.a(str)
verifications = [
jwts.verify_jws(jws, keypairs),
jwts.verify_jws(jws),
jwts.verify_jws(utils.to_bytes(jws)),
]
for verification in verifications:
verification.should.be.truthy
for claim in claims:
verification.should.have.key(claim).equal_to(claims[claim])
def test_verify_encrypted_session_message(self):
jwe = jwes.make_jwe(
{'b': 2},
self.proj_credentials.keypair,
self.id_credentials.keypair,
jsonify=False,
)
jws = jwts.make_jws(jwe,
[self.mock_proj_keypair, self.mock_oneid_keypair])
sess = session.DeviceSession(self.id_credentials,
self.proj_credentials,
self.oneid_credentials)
claims = sess.verify_message(jws)
self.assertIsInstance(claims, dict)
self.assertIn("b", claims)
self.assertEqual(claims.get("b"), 2)
def _create_and_verify_good_jws(self, claims, keypairs=None):
keypairs = keypairs or self.keypairs
jws = jwts.make_jws(claims, keypairs)
self.assertIsInstance(jws, str)
verifications = [
jwts.verify_jws(jws, keypairs),
jwts.verify_jws(jws),
jwts.verify_jws(utils.to_bytes(jws)),
]
for verification in verifications:
self.assertTrue(verification)
for claim in claims:
self.assertIn(claim, verification)
self.assertEqual(verification.get(claim), claims[claim])
def test_verify_message_with_rekey_keys_only(self):
message = jwts.make_jws({'c': 4}, [
self.mock_resetA_keypair,
self.mock_resetB_keypair,
self.mock_resetC_keypair,
])
sess = session.DeviceSession(
self.id_credentials, self.proj_credentials, self.oneid_credentials,
)
claims = sess.verify_message(message, rekey_credentials=[
self.resetA_credentials,
self.resetB_credentials,
self.resetC_credentials,
])
claims.should.be.a(dict)
claims.should.have.key('c').equal_to(4)
def test_verify_message_with_rekey_keys_only(self):
message = jwts.make_jws({'d': 4}, [
self.mock_resetA_keypair,
self.mock_resetB_keypair,
self.mock_resetC_keypair,
])
sess = session.DeviceSession(
self.id_credentials, self.proj_credentials, self.oneid_credentials,
)
claims = sess.verify_message(message, rekey_credentials=[
self.resetA_credentials,
self.resetB_credentials,
self.resetC_credentials,
])
self.assertIsInstance(claims, dict)
self.assertIn("d", claims)
self.assertEqual(claims.get("d"), 4)
def _handle_auth_endpoint(headers=None, data=None):
logger.debug('data=%s', data)
try:
jwt_header, jwt_claims, jwt_sig = data.split('.')
except ValueError:
jws = json.loads(data)
jwt_claims = jws['payload']
sigs = jws['signatures']
if len(sigs) != 1:
raise AttributeError
jwt_header = sigs[0]['protected']
jwt_sig = sigs[0]['signature']
except:
return MockResponse('Bad Request', 400)
try:
key = keychain.Keypair.from_secret_pem(
key_bytes=TestSession.id_key_bytes,
)
key.identity = 'id'
oneid_key = keychain.Keypair.from_secret_pem(
key_bytes=TestSession.oneid_key_bytes,
)
oneid_key.identity = 'oneID'
payload = '{}.{}'.format(jwt_header, jwt_claims)
key.verify(payload, jwt_sig)
logger.debug('claims=%s', jwt_claims)
json_claims = utils.to_string(utils.base64url_decode(jwt_claims))
jws = jwts.make_jws(json.loads(json_claims), [key, oneid_key])
logger.debug('jws=%s', jws)
return MockResponse(jws, 200)
except InvalidSignature:
logger.debug('invalid signature', exc_info=True)
return MockResponse('Forbidden', 403)
return MockResponse('Internal Server Error', 500)
def test_extend_jws_missing_keypair_identity(self):
keypair = service.create_secret_key()
jws = jwts.make_jws({'a': 1}, self.keypairs[0])
with self.assertRaises(exceptions.InvalidKeyError):
jwts.extend_jws_signatures(jws, keypair)
def test_extend_jws_signatures_from_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws = jwts.extend_jws_signatures(jws, self.keypairs[2:])
verified_msg = jwts.verify_jws(jws, self.keypairs)
self.assertIsInstance(verified_msg, dict)
def test_jws_verify_invalid_signature(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
jws['signatures'][0]['signature'] = 'bogus'
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_remove_jws_signature_list(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
ids = [keypair.identity for keypair in self.keypairs[:2]]
jws = jwts.remove_jws_signatures(jws, ids)
verified_msg = jwts.verify_jws(jws, self.keypairs[2:])
self.assertIsInstance(verified_msg, dict)
def test_jwt_verify_with_redundant_keypairs(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidKeyError):
jwts.verify_jws(jws, self.keypairs[:1] * 2)
def test_get_jws_headers(self):
header = {'z': 99}
jws = jwts.make_jws({'a': 1}, self.keypairs[:1], [header])
jws_headers = jwts.get_jws_headers(jws)
self.assertTrue(jws_headers[0]['z'] == header['z'])
def test_jws_verify_invalid_signature(self):
jws = json.loads(jwts.make_jws({'a': 1}, self.keypairs[:1]))
jws['signatures'][0]['signature'] = 'bogus'
with self.assertRaises(exceptions.InvalidSignatureError):
jwts.verify_jws(json.dumps(jws), self.keypairs[:1])
def test_extend_jws_signatures_from_jws(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
jws = jwts.extend_jws_signatures(jws, self.keypairs[2:])
verified_msg = jwts.verify_jws(jws, self.keypairs)
self.assertIsInstance(verified_msg, dict)
def test_remove_bytes_jws_signature(self):
jws = utils.to_bytes(jwts.make_jws({'a': 1}, self.keypairs))
jws = jwts.remove_jws_signatures(jws, self.keypairs[0].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs[1:])
self.assertIsInstance(verified_msg, dict)
def test_missing_keypair_identity(self):
keypair = service.create_secret_key()
with self.assertRaises(exceptions.InvalidKeyError):
jwts.make_jws({"hi": 7}, keypair)
def test_extend_jws_missing_keypair_identity(self):
keypair = service.create_secret_key()
jws = jwts.make_jws({'a': 1}, self.keypairs[0])
with self.assertRaises(exceptions.InvalidKeyError):
jwts.extend_jws_signatures(jws, keypair)
def test_get_jws_key_ids(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
kids = [keypair.identity for keypair in self.keypairs]
msg_ids = jwts.get_jws_key_ids(jws)
self.assertEqual(msg_ids, kids)
def test_jwt_verify_with_redundant_keypairs(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:2])
with self.assertRaises(exceptions.InvalidKeyError):
jwts.verify_jws(jws, self.keypairs[:1] * 2)
def test_jws_verify_any_signature_is_ok(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1])
verified_msg = jwts.verify_jws(jws, self.keypairs[:2], verify_all=False)
self.assertIn("a", verified_msg)
def test_jws_verify_too_many_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[:1])
def test_none_headers(self):
jws = jwts.make_jws({'a': 1}, self.keypairs[:1], multiple_sig_headers=None)
jws_headers = jwts.get_jws_headers(jws)
self.assertIsInstance(jws_headers[0], dict)
def test_get_jws_key_ids(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
kids = [keypair.identity for keypair in self.keypairs]
msg_ids = jwts.get_jws_key_ids(jws)
self.assertEqual(msg_ids, kids)
def test_remove_jws_signature_list(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
ids = [keypair.identity for keypair in self.keypairs[:2]]
jws = jwts.remove_jws_signatures(jws, ids)
verified_msg = jwts.verify_jws(jws, self.keypairs[2:])
self.assertIsInstance(verified_msg, dict)
def test_remove_jws_signature(self):
jws = jwts.make_jws({'a': 1}, self.keypairs)
jws = jwts.remove_jws_signatures(jws, self.keypairs[0].identity)
verified_msg = jwts.verify_jws(jws, self.keypairs[1:])
self.assertIsInstance(verified_msg, dict)
def test_jws_verify_too_many_signatures(self):
jws = jwts.make_jws({"a": 1}, self.keypairs[:2])
with self.assertRaises(exceptions.KeySignatureMismatch):
jwts.verify_jws(jws, self.keypairs[:1])