def test_verify_signature(): to_sign = b'foo' signer = crypt.Signer.from_string(PRIVATE_KEY_BYTES) signature = signer.sign(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES) # List of certs assert crypt.verify_signature(to_sign, signature, [OTHER_CERT_BYTES, PUBLIC_CERT_BYTES])
def test_sign_bytes(self): credentials = self.make_credentials() to_sign = b"123" signature = credentials.sign_bytes(to_sign) assert crypt.verify_signature( to_sign, signature, test_service_account.PUBLIC_CERT_BYTES )
def decode(token, certs=None, verify=True, audience=None): """Decode and verify a JWT. Args: token (str): The encoded JWT. certs (Union[str, bytes, Mapping[str, Union[str, bytes]]]): The certificate used to validate the JWT signatyre. If bytes or string, it must the the public key certificate in PEM format. If a mapping, it must be a mapping of key IDs to public key certificates in PEM format. The mapping must contain the same key ID that's specified in the token's header. verify (bool): Whether to perform signature and claim validation. Verification is done by default. audience (str): The audience claim, 'aud', that this JWT should contain. If None then the JWT's 'aud' parameter is not verified. Returns: Mapping[str, str]: The deserialized JSON payload in the JWT. Raises: ValueError: if any verification checks failed. """ header, payload, signed_section, signature = _unverified_decode(token) if not verify: return payload # If certs is specified as a dictionary of key IDs to certificates, then # use the certificate identified by the key ID in the token header. if isinstance(certs, collections.Mapping): key_id = header.get('kid') if key_id: if key_id not in certs: raise ValueError( 'Certificate for key id {} not found.'.format(key_id)) certs_to_check = [certs[key_id]] # If there's no key id in the header, check against all of the certs. else: certs_to_check = certs.values() else: certs_to_check = certs # Verify that the signature matches the message. if not crypt.verify_signature(signed_section, signature, certs_to_check): raise ValueError('Could not verify token signature.') # Verify the issued at and created times in the payload. _verify_iat_and_exp(payload) # Check audience. if audience is not None: claim_audience = payload.get('aud') if audience != claim_audience: raise ValueError( 'Token has wrong audience {}, expected {}'.format( claim_audience, audience)) return payload
def decode(token, certs=None, verify=True, audience=None): """Decode and verify a JWT. Args: token (str): The encoded JWT. certs (Union[str, bytes, Mapping[str, Union[str, bytes]]]): The certificate used to validate the JWT signature. If bytes or string, it must the the public key certificate in PEM format. If a mapping, it must be a mapping of key IDs to public key certificates in PEM format. The mapping must contain the same key ID that's specified in the token's header. verify (bool): Whether to perform signature and claim validation. Verification is done by default. audience (str or list): The audience claim, 'aud', that this JWT should contain. Or a list of audience claims. If None then the JWT's 'aud' parameter is not verified. Returns: Mapping[str, str]: The deserialized JSON payload in the JWT. Raises: ValueError: if any verification checks failed. """ header, payload, signed_section, signature = _unverified_decode(token) if not verify: return payload # Pluck the key id and algorithm from the header and make sure we have # a verifier that can support it. key_alg = header.get("alg") key_id = header.get("kid") try: verifier_cls = _ALGORITHM_TO_VERIFIER_CLASS[key_alg] except KeyError as exc: if key_alg in _CRYPTOGRAPHY_BASED_ALGORITHMS: six.raise_from( ValueError( "The key algorithm {} requires the cryptography package " "to be installed.".format(key_alg)), exc, ) else: six.raise_from( ValueError( "Unsupported signature algorithm {}".format(key_alg)), exc) # If certs is specified as a dictionary of key IDs to certificates, then # use the certificate identified by the key ID in the token header. if isinstance(certs, Mapping): if key_id: if key_id not in certs: raise ValueError( "Certificate for key id {} not found.".format(key_id)) certs_to_check = [certs[key_id]] # If there's no key id in the header, check against all of the certs. else: certs_to_check = certs.values() else: certs_to_check = certs # Verify that the signature matches the message. if not crypt.verify_signature(signed_section, signature, certs_to_check, verifier_cls): raise ValueError("Could not verify token signature.") # Verify the issued at and created times in the payload. _verify_iat_and_exp(payload) # Check audience. if audience is not None: claim_audience = payload.get("aud") if isinstance(audience, str): audience = [audience] if claim_audience not in audience: raise ValueError( "Token has wrong audience {}, expected one of {}".format( claim_audience, audience)) return payload
def test_verify_signature_failure(): to_sign = b'foo' signer = crypt.Signer.from_string(PRIVATE_KEY_BYTES) signature = signer.sign(to_sign) assert not crypt.verify_signature(to_sign, signature, OTHER_CERT_BYTES)
def test_sign_bytes(self): to_sign = b"123" signature = self.credentials.sign_bytes(to_sign) assert crypt.verify_signature(to_sign, signature, test_jwt.PUBLIC_CERT_BYTES)
def test_sign_bytes(self): credentials = self.make_credentials() to_sign = b'123' signature = credentials.sign_bytes(to_sign) assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)