def wrap(self, key, bitsize, cek, headers):
self._check_key(key)
dk_size = self.keysize
if self.keysize is None:
if cek is not None:
raise InvalidJWEOperation('ECDH-ES cannot use an existing CEK')
alg = headers['enc']
dk_size = bitsize
else:
alg = headers['alg']
epk = JWK.generate(kty=key.key_type, crv=key.key_curve)
dk = self._derive(epk.get_op_key('unwrapKey'),
key.get_op_key('wrapKey'),
alg, dk_size, headers)
if self.keysize is None:
ret = {'cek': dk}
else:
aeskw = self.aeskwmap[self.keysize]()
kek = JWK(kty="oct", use="enc", k=base64url_encode(dk))
ret = aeskw.wrap(kek, bitsize, cek, headers)
ret['header'] = {'epk': json_decode(epk.export_public())}
return ret
def wrap(self, key, keylen, cek, headers):
self._check_key(key)
if self.keydatalen is None:
if cek is not None:
raise InvalidJWEOperation('ECDH-ES cannot use an existing CEK')
keydatalen = keylen * 8
alg = headers['enc']
else:
keydatalen = self.keydatalen
alg = headers['alg']
epk = JWK.generate(kty=key.key_type, crv=key.key_curve)
dk = self._derive(epk.get_op_key('unwrapKey'),
key.get_op_key('wrapKey'),
alg, keydatalen, headers)
if self.keydatalen is None:
ret = {'cek': dk}
else:
aeskw = _AesKw(keydatalen)
kek = JWK(kty="oct", use="enc", k=base64url_encode(dk))
ret = aeskw.wrap(kek, keydatalen // 8, cek, headers)
ret['header'] = {'epk': json_decode(epk.export_public())}
return ret
def wrap_fake(self, key, bitsize, cek, headers, point_x, point_y, aes_key):
self._check_key(key)
dk_size = self.keysize
if self.keysize is None:
if cek is not None:
raise InvalidJWEOperation('ECDH-ES cannot use an existing CEK')
alg = headers['enc']
dk_size = bitsize
else:
alg = headers['alg']
epk = JWK.generate(kty=key.key_type, crv=key.key_curve)
dk = self._derive(epk.get_op_key('unwrapKey'),
key.get_op_key('wrapKey'),
alg, dk_size, headers)
if self.keysize is None:
ret = {'cek': aes_key}
else:
aeskw = self.aeskwmap[self.keysize]()
kek = JWK(kty="oct", use="enc", k=base64url_encode(dk))
ret = aeskw.wrap(kek, bitsize, cek, headers)
ret['header'] = {
'epk': {
"crv": "P-256", "kty": "EC",
"x": base64url_encode(int.to_bytes(point_x, 32, "big")),
"y": base64url_encode(int.to_bytes(point_y, 32, "big"))
}
}
return ret
def load_account(path):
if not os.path.isfile(path): # 文件不存在
jwk = JWK.generate(kty='EC', crv='P-384')
return {'jwk': jwk, 'uri': None}
else:
with open(path) as account_file:
account = json_decode(account_file.read())
return {'jwk': JWK(**account['jwk']), 'uri': account['uri']}
def test_upload_jwe(app, stats):
# Encrypt the data with a wrong key.
jwk = JWK.generate(kty='RSA')
data = app.app.registry.crypto.encrypt(
b'{"key": "wrong"}', _public_jwk=jwk)
app.post('/v2/upload', data,
headers={'Content-Type': 'text/plain'},
status=200)
# Encrypt the data with a wrong algorithm.
data = app.app.registry.crypto.encrypt(
b'{"alg": "wrong"}',
_protected='{"alg":"RSA-OAEP","enc":"A128CBC-HS256"}')
app.post('/v2/upload', data,
headers={'Content-Type': 'text/plain'},
status=400)
def test_upload_jwe(app, stats):
# Encrypt the data with a wrong key.
jwk = JWK.generate(kty='RSA')
data = app.app.registry.crypto.encrypt(b'{"key": "wrong"}',
_public_jwk=jwk)
app.post('/v2/upload',
data,
headers={'Content-Type': 'text/plain'},
status=200)
# Encrypt the data with a wrong algorithm.
data = app.app.registry.crypto.encrypt(
b'{"alg": "wrong"}',
_protected='{"alg":"RSA-OAEP","enc":"A128CBC-HS256"}')
app.post('/v2/upload',
data,
headers={'Content-Type': 'text/plain'},
status=400)
def generate_pems(save_path):
if os.path.isdir(save_path) is False:
os.mkdir(save_path)
try:
key_obj = JWK.generate(kty='RSA', size=2048)
public_pem_bytes = key_obj.export_to_pem(password=None)
priv_pem_bytes = key_obj.export_to_pem(private_key=True, password=None)
pub = open(os.path.join(save_path, "public.pem"), 'wb+')
pub.write(public_pem_bytes)
pub.close()
priv = open(os.path.join(save_path, "private.pem"), 'wb+')
priv.write(priv_pem_bytes)
priv.close()
return True
except Exception as e:
raise exceptions.KeyNotCreated(repr(e))
def bench_RSA(self):
""" Generate key """
JWK.generate(kty='RSA', size=2048)
#!/usr/bin/env python """Generate a string that can be used for a JWT key.""" from jwcrypto.jwk import JWK print(JWK.generate(kty='oct', size=2048).get_op_key())
from flask_oidc_cognito.validation import validate_token
from nose.tools import assert_raises
from python_jwt import generate_jwt, verify_jwt
from jwcrypto.jwk import JWK, JWKSet
import datetime
key = JWK.generate(kty='RSA', size=1024, kid='1234')
def test_validate_token():
payload = {'typ': 'Bearer', 'foo': 'bar', 'baz': 42}
other_headers = {'kid': key.key_id}
token = generate_jwt(payload,
key,
'RS256',
datetime.timedelta(minutes=5),
other_headers=other_headers)
header, claims = verify_jwt(token, key, ['RS256'])
assert header is not None
assert claims is not None
keyset = JWKSet()
keyset.add(key)
assert validate_token(keyset, token, clock_skew_seconds=60)
def test_will_raise_exception_when_typ_is_not_Bearer():
def kid(self, kid: str) -> None:
self._kid = kid
self._jwk = JWK.generate(kty="RSA", use="sig", alg="RS256", kid=kid)
def __init__(self):
self._jwk = JWK.generate(kty="RSA", use="sig", alg="RS256")
self._kid = None
'PS512': {'python-jwt': priv_key}
}
pub_keys = {
'HS256': {'default': priv_keys['HS256']['default']},
'HS384': {'default': priv_keys['HS384']['default']},
'HS512': {'default': priv_keys['HS512']['default']},
'RS256': {'python-jwt': pub_key},
'RS384': {'python-jwt': pub_key},
'RS512': {'python-jwt': pub_key},
'PS256': {'python-jwt': pub_key},
'PS384': {'python-jwt': pub_key},
'PS512': {'python-jwt': pub_key}
}
generated_key = JWK.generate(kty='RSA', size=2048)
generated_keys = {
'HS256': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))),
'HS384': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))),
'HS512': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))),
'RS256': generated_key,
'RS384': generated_key,
'RS512': generated_key,
'PS256': generated_key,
'PS384': generated_key,
'PS512': generated_key
}
algs = list(priv_keys.keys())
def bench_RSA(self):
""" Generate key """
JWK.generate(kty='RSA', size=2048)
def oidc_provider_jwkset():
key = JWK.generate(kty='RSA', size=512)
jwkset = JWKSet()
jwkset.add(key)
return jwkset
},
'ES256K': {
'python-jwt': ec_p256k_pub_key
},
'ES384': {
'python-jwt': ec_p384_pub_key
},
'ES512': {
'python-jwt': ec_p521_pub_key
},
'EdDSA': {
'python-jwt': okp_ed25519_pub_key
}
}
generated_rsa_key = JWK.generate(kty='RSA', size=2048)
generated_keys = {
'HS256': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))),
'HS384': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))),
'HS512': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))),
'RS256': generated_rsa_key,
'RS384': generated_rsa_key,
'RS512': generated_rsa_key,
'PS256': generated_rsa_key,
'PS384': generated_rsa_key,
'PS512': generated_rsa_key,
'ES256': JWK.generate(kty='EC', crv='P-256'),
'ES256K': JWK.generate(kty='EC', crv='secp256k1'),
'ES384': JWK.generate(kty='EC', crv='P-384'),
'ES512': JWK.generate(kty='EC', crv='P-521'),
