def test_pass(self, verify_certificate_chain, check_signature):
check_signature.return_value = True
self.verifier = certs.ReceiptVerifier(valid_issuers='f.c')
self.verifier.certs = {'http://f.c': {
'jwk': [{'alg': 'RSA', 'exp':'AQAB', 'mod': 'AQAB'}]
}
}
self.verifier.verify(self.combine(self.get_cert(),
self.get_receipt()))
def test_chain(self):
self.verifier = certs.ReceiptVerifier(valid_issuers='f.c')
self.verifier.certs = {'http://f.c': {
'jwk': [{'alg': 'RSA', 'exp':'AQAB', 'mod': 'AQAB'}]
}}
cert = mock.Mock()
cert.payload = {'iss': 'http://f.c', 'exp': time() + 100,
'jwk': [cert]}
ok_(self.verifier.verify_certificate_chain([cert]))
def test_chain_expired(self):
self.verifier = certs.ReceiptVerifier(valid_issuers='f.c')
self.verifier.certs = {'http://f.c': {
'jwk': [{'alg': 'RSA', 'exp':'AQAB', 'mod': 'AQAB'}]
}}
cert = mock.Mock()
cert.payload = {'iss': 'http://f.c', 'exp': time() - 100,
'jwk': [cert]}
self.failUnlessRaises(ExpiredSignatureError,
self.verifier.verify_certificate_chain,
[cert])
def decode_receipt(receipt):
"""
Cracks the receipt using the private key. This will probably change
to using the cert at some point, especially when we get the HSM.
"""
with statsd.timer('services.decode'):
if settings.SIGNING_SERVER_ACTIVE:
verifier = certs.ReceiptVerifier()
if not verifier.verify(receipt):
raise VerificationError()
return jwt.decode(receipt.split('~')[1], verify=False)
else:
key = jwt.rsa_load(settings.WEBAPPS_RECEIPT_KEY)
raw = jwt.decode(receipt, key)
return raw
def decode_receipt(receipt):
"""
Cracks the receipt using the private key. This will probably change
to using the cert at some point, especially when we get the HSM.
"""
with statsd.timer('services.decode'):
if settings.SIGNING_SERVER_ACTIVE:
verifier = certs.ReceiptVerifier()
try:
result = verifier.verify(receipt)
except ExpiredSignatureError:
# Until we can do something meaningful with this, just ignore.
return jwt.decode(receipt.split('~')[1], verify=False)
if not result:
raise VerificationError()
return jwt.decode(receipt.split('~')[1], verify=False)
else:
key = jwt.rsa_load(settings.WEBAPPS_RECEIPT_KEY)
raw = jwt.decode(receipt, key)
return raw
def test_chain_empty(self):
self.verifier = certs.ReceiptVerifier(valid_issuers='f.c')
self.failUnlessRaises(ValueError,
self.verifier.verify_certificate_chain,
None
)
def test_not_certificate_issuer(self):
self.verifier = certs.ReceiptVerifier(valid_issuers='f.c')
ok_(self.verifier.check_certificate_issuer, 'http://f.b')
def test_expired(self):
self.verifier = certs.ReceiptVerifier()
self.failUnlessRaises(certs.ExpiredSignatureError,
self.verifier.verify,
self.combine(self.get_cert(), self.get_receipt(exp=1))
)