def test_rsa_without_kty_fails(self):
jwk_set = RS256_JWK_SET.replace('"kty":"RSA",', '')
# PKCS1
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
# PSS
jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"')
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_with_invalid_use_fails(self):
jwk_set = RS256_JWK_SET.replace('"use":"sig"', '"use":"invalid"')
# PKCS1
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
# PSS
jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"')
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_with_string_key_ops_fails(self):
jwk_set = RS256_JWK_SET.replace('"key_ops":["verify"]',
'"key_ops":"verify"')
# PKCS1
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
# PSS
jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"')
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_without_use_or_key_ops_to_public_keyset_handle_success(self):
jwk_set = """{"keys":[
{
"kty":"EC",
"crv":"P-256",
"x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY",
"y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI",
"alg":"ES256"
}]}"""
# ignore returned value, we only test that it worked.
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_key_without_crv_to_public_keyset_handle_fails(self):
jwk_set = """{"keys":[
{
"kty":"EC",
"x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY",
"y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI",
"alg":"ES256",
"use":"sig",
"key_ops":["verify"]
}]}"""
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_key_with_unknown_field_to_public_keyset_handle_success(self):
jwk_set = """{"keys":[
{
"kty":"EC",
"crv":"P-256",
"x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY",
"y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI",
"alg":"ES256",
"unknown":1234,
"use":"sig",
"key_ops":["verify"]
}]}"""
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_ecdsa_private_key_to_public_keyset_handle_fails(self):
# Example from https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.2
jwk_set = """{"keys":[
{
"kty":"EC",
"crv":"P-256",
"x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
"d":"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
"alg":"ES256"
}]}"""
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_private_key_to_public_keyset_handle_fails(self):
# Example from https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.2
jwk_set = """
{"keys":
[
{"kty":"RSA",
"n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4
cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMst
n64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2Q
vzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbIS
D08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw
0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
"e":"AQAB",
"d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9
M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij
wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d
_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBz
nbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFz
me1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
"p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPV
nwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqV
WlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
"q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyum
qjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgx
kIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
"dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oim
YwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_Nmtu
YZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
"dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUU
vMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9
GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
"qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzg
UIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rx
yR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
"alg":"RS256",
"kid":"2011-04-29"}
]
}"""
# remove spaces and line breaks
jwk_set = jwk_set.replace(' ', '').replace('\n', '')
# PKCS1
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
# PSS
jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"')
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
def test_rsa_with_small_n_primitive_fails(self):
jwk_set = """{"keys":[{
"kty":"RSA",
"n":"AAAwOQ",
"e":"AQAB",
"use":"sig",
"alg":"RS256",
"key_ops":["verify"]}]}"""
# PKCS1
handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
with self.assertRaises(tink.TinkError):
handle.primitive(jwt.JwtPublicKeyVerify)
# test PSS
jwk_set = jwk_set.replace('"alg":"RS256"', '"alg":"PS256"')
handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
with self.assertRaises(tink.TinkError):
handle.primitive(jwt.JwtPublicKeyVerify)
def test_convert_jwk_set_to_public_keyset_handle_and_back(self, jwk_set):
keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle)
self.assertEqual(output_jwk_set, jwk_set)
# check that all keys are raw.
for key in keyset_handle._keyset.key:
self.assertEqual(key.output_prefix_type, tink_pb2.RAW)
# test deprecated to/from keyset_handle functions.
self.assertEqual(
jwt.jwk_set_from_keyset_handle(jwt.jwk_set_to_keyset_handle(jwk_set)),
jwk_set)
def main(argv):
del argv # Unused.
# Initialise Tink
try:
jwt.register_jwt_signature()
except tink.TinkError as e:
logging.exception('Error initialising Tink: %s', e)
return 1
# Read the keyset into a KeysetHandle
if _PUBLIC_KEYSET_PATH.present:
with open(_PUBLIC_KEYSET_PATH.value, 'rt') as public_keyset_file:
try:
text = public_keyset_file.read()
keyset_handle = tink.read_no_secret_keyset_handle(
tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.exception('Error reading public keyset: %s', e)
return 1
elif _PUBLIC_JWK_SET_PATH.present:
with open(_PUBLIC_JWK_SET_PATH.value, 'rt') as public_jwk_set_file:
try:
text = public_jwk_set_file.read()
keyset_handle = jwt.jwk_set_to_public_keyset_handle(text)
except tink.TinkError as e:
logging.exception('Error reading public JWK set: %s', e)
return 1
else:
logging.info(
'Either --public_keyset_path or --public_jwk_set_path must be set')
now = datetime.datetime.now(tz=datetime.timezone.utc)
try:
jwt_verify = keyset_handle.primitive(jwt.JwtPublicKeyVerify)
except tink.TinkError as e:
logging.exception('Error creating JwtPublicKeyVerify: %s', e)
return 1
# Verify token
with open(_TOKEN_PATH.value, 'rt') as token_file:
token = token_file.read()
validator = jwt.new_validator(expected_audience=_AUDIENCE.value)
try:
verified_jwt = jwt_verify.verify_and_decode(token, validator)
expires_in = verified_jwt.expiration() - now
logging.info('Token is valid and expires in %s seconds',
expires_in.seconds)
return 0
except tink.TinkError as e:
logging.info('JWT verification failed: %s', e)
return 1
def test_ecdsa_key_with_small_x_primitive_fails(self):
jwk_set = """{"keys":[
{
"kty":"EC",
"crv":"P-256",
"x":"AAAwOQ",
"y":"b22m_Y4sT-jUJSxBVqjrW_DxWyBLopxYHTuFVfx70ZI",
"alg":"ES256",
"use":"sig",
"key_ops":["verify"]
}]}"""
handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
with self.assertRaises(tink.TinkError):
handle.primitive(jwt.JwtPublicKeyVerify)
def test_ecdsa_key_with_small_y_primitive_fails(self):
jwk_set = """{"keys":[
{
"kty":"EC",
"crv":"P-256",
"x":"KUPydf4k4cS5EGS82npjEUxKIiBfUGP3wlN49A2GxTY",
"y":"AAAwOQ",
"alg":"ES256",
"use":"sig",
"key_ops":["verify"]
}]}"""
handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
with self.assertRaises(tink.TinkError):
handle.primitive(jwt.JwtPublicKeyVerify)
def FromJwkSet(
self, request: testing_api_pb2.JwtFromJwkSetRequest,
context: grpc.ServicerContext
) -> testing_api_pb2.JwtFromJwkSetResponse:
"""Converts a JWK set into a Tink Keyset."""
try:
keyset_handle = jwt.jwk_set_to_public_keyset_handle(
request.jwk_set)
keyset = io.BytesIO()
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset),
keyset_handle)
return testing_api_pb2.JwtFromJwkSetResponse(
keyset=keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.JwtFromJwkSetResponse(err=str(e))
def test_jwk_set_to_public_keyset_handle_with_invalid_json_raises_tink_error(
self):
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle('invalid')
def test_es_conserves_empty_kid(self):
jwk_set_with_empty_kid = ES256_JWK_SET_KID.replace('"ENgjPA"', '""')
keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set_with_empty_kid)
output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle)
self.assertEqual(output_jwk_set, jwk_set_with_empty_kid)
def test_rsa_ssa_pss_without_use_and_key_ops_to_keyset_handle_success(self):
jwk_set = PS256_JWK_SET.replace(',"use":"sig"',
'').replace(',"key_ops":["verify"]', '')
keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle)
self.assertEqual(output_jwk_set, PS256_JWK_SET)
def test_rsa_ssa_pss_with_unknown_property_keyset_handle_success(self):
jwk_set = PS256_JWK_SET.replace(',"use":"sig"',
',"use":"sig","unknown":1234')
keyset_handle = jwt.jwk_set_to_public_keyset_handle(jwk_set)
output_jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle)
self.assertEqual(output_jwk_set, PS256_JWK_SET)
def test_rsa_without_alg_fails(self):
jwk_set = RS256_JWK_SET.replace(',"alg":"RS256"', '')
with self.assertRaises(tink.TinkError):
jwt.jwk_set_to_public_keyset_handle(jwk_set)
