def _create_jwt_hmac_template(
        algorithm: jwt_hmac_pb2.JwtHmacAlgorithm) -> tink_pb2.KeyTemplate:
    """Build a key template for a JWT HMAC key with the RAW output prefix.

    Args:
        algorithm: JwtHmacAlgorithm enum value written into the key format.

    Returns:
        A KeyTemplate whose value is the serialized JwtHmacKeyFormat.
    """
    # The key size is fixed at 32 whatever algorithm is passed in.
    # NOTE(review): confirm 32 satisfies the minimum key size required for
    # every algorithm this helper is called with, not only the smallest one.
    serialized_format = jwt_hmac_pb2.JwtHmacKeyFormat(
        algorithm=algorithm, key_size=32).SerializeToString()
    return tink_pb2.KeyTemplate(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        value=serialized_format,
        output_prefix_type=tink_pb2.RAW)
def test_jwt_mac(self, lang):
    """Round-trip a JWT through the JWT MAC primitive served for `lang`.

    Creates a JwtHmacKey keyset, encodes a token with it, then checks that
    the token verifies with a matching audience and is rejected with a
    non-matching one.
    """
    hmac_format = jwt_hmac_pb2.JwtHmacKeyFormat(
        hash_type=common_pb2.SHA256, key_size=32)
    template = tink_pb2.KeyTemplate(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        value=hmac_format.SerializeToString(),
        output_prefix_type=tink_pb2.RAW)
    mac = testing_servers.jwt_mac(
        lang, testing_servers.new_keyset(lang, template))

    # One timestamp feeds both the expiration claim and the validators'
    # fixed_now, so the expiry check does not depend on how long the test runs.
    reference_time = datetime.datetime.now(tz=datetime.timezone.utc)
    raw_token = jwt.new_raw_jwt(
        issuer='issuer',
        subject='subject',
        audiences=['audience1', 'audience2'],
        jwt_id='jwt_id',
        expiration=reference_time + datetime.timedelta(seconds=10),
        custom_claims={'switch': True, 'pi': 3.14159})
    encoded = mac.compute_mac_and_encode(raw_token)

    # Positive case: the validator expects one of the token's audiences.
    matching_validator = jwt.new_validator(
        audience='audience1', fixed_now=reference_time)
    decoded = mac.verify_mac_and_decode(encoded, matching_validator)
    self.assertEqual(decoded.issuer(), 'issuer')
    self.assertEqual(decoded.subject(), 'subject')
    self.assertEqual(decoded.jwt_id(), 'jwt_id')
    self.assertEqual(decoded.custom_claim('switch'), True)
    self.assertEqual(decoded.custom_claim('pi'), 3.14159)

    # Negative case: an audience the token does not carry must be rejected.
    # Only the audience mismatch is exercised here; a modified token or an
    # expired one is not covered by this test.
    mismatched_validator = jwt.new_validator(
        audience='wrong_audience', fixed_now=reference_time)
    with self.assertRaises(tink.TinkError):
        mac.verify_mac_and_decode(encoded, mismatched_validator)
def new_jwt_hmac_key_template(self, algorithm, key_size):
    """Return a serialized KeyTemplate for a JwtHmacKey.

    Args:
        algorithm: value assigned to the key format's `algorithm` field.
        key_size: value assigned to the key format's `key_size` field.

    Returns:
        The KeyTemplate message serialized to bytes (not the message object).
    """
    hmac_format = jwt_hmac_pb2.JwtHmacKeyFormat()
    hmac_format.algorithm = algorithm
    hmac_format.key_size = key_size
    # output_prefix_type is never set, so the template keeps the protobuf
    # default for that field.
    # NOTE(review): confirm the consumer of this template does not rely on an
    # explicit output prefix type.
    template = tink_pb2.KeyTemplate(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        value=hmac_format.SerializeToString())
    return template.SerializeToString()
def _create_hs_template(
        hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate:
    """Build a key template for a JWT HMAC key with the RAW output prefix.

    Args:
        hash_type: HashType enum value written into the key format's
            `hash_type` field.

    Returns:
        A KeyTemplate whose value is the serialized JwtHmacKeyFormat.
    """
    # The key size is fixed at 32 whatever hash type is passed in.
    # NOTE(review): confirm 32 is an acceptable key size for every hash type
    # this helper is called with.
    serialized_format = jwt_hmac_pb2.JwtHmacKeyFormat(
        hash_type=hash_type, key_size=32).SerializeToString()
    return tink_pb2.KeyTemplate(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        value=serialized_format,
        output_prefix_type=tink_pb2.RAW)
def _test_case(
        algorithm: jwt_hmac_pb2.JwtHmacAlgorithm,
        key_size: int,
        output_prefix_type: tink_pb2.OutputPrefixType
) -> Tuple[str, tink_pb2.KeyTemplate]:
    """Build a (name, template) pair for one JwtHmacKey parameter combination.

    Args:
        algorithm: JwtHmacAlgorithm enum value written into the key format.
        key_size: key size written into the key format.
        output_prefix_type: OutputPrefixType enum value set on the template.

    Returns:
        A tuple of a name of the form 'JwtHmacKey(<key_size>,<algorithm
        name>,<output prefix name>)' and the KeyTemplate built from the
        arguments.
    """
    # No range check is applied to key_size here: the value is passed straight
    # into the key format.
    serialized_format = jwt_hmac_pb2.JwtHmacKeyFormat(
        algorithm=algorithm, key_size=key_size).SerializeToString()
    key_template = tink_pb2.KeyTemplate(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        value=serialized_format,
        output_prefix_type=output_prefix_type)
    # The enum names are resolved after the template is built, as in the
    # original, so the order in which an invalid value would fail is kept.
    algorithm_name = jwt_hmac_pb2.JwtHmacAlgorithm.Name(algorithm)
    prefix_name = tink_pb2.OutputPrefixType.Name(output_prefix_type)
    case_name = 'JwtHmacKey(%d,%s,%s)' % (key_size, algorithm_name, prefix_name)
    return (case_name, key_template)