def wrap(self, key, bitsize, cek, headers): self._check_key(key) dk_size = self.keysize if self.keysize is None: if cek is not None: raise InvalidJWEOperation('ECDH-ES cannot use an existing CEK') alg = headers['enc'] dk_size = bitsize else: alg = headers['alg'] epk = JWK.generate(kty=key.key_type, crv=key.key_curve) dk = self._derive(epk.get_op_key('unwrapKey'), key.get_op_key('wrapKey'), alg, dk_size, headers) if self.keysize is None: ret = {'cek': dk} else: aeskw = self.aeskwmap[self.keysize]() kek = JWK(kty="oct", use="enc", k=base64url_encode(dk)) ret = aeskw.wrap(kek, bitsize, cek, headers) ret['header'] = {'epk': json_decode(epk.export_public())} return ret
def wrap(self, key, keylen, cek, headers): self._check_key(key) if self.keydatalen is None: if cek is not None: raise InvalidJWEOperation('ECDH-ES cannot use an existing CEK') keydatalen = keylen * 8 alg = headers['enc'] else: keydatalen = self.keydatalen alg = headers['alg'] epk = JWK.generate(kty=key.key_type, crv=key.key_curve) dk = self._derive(epk.get_op_key('unwrapKey'), key.get_op_key('wrapKey'), alg, keydatalen, headers) if self.keydatalen is None: ret = {'cek': dk} else: aeskw = _AesKw(keydatalen) kek = JWK(kty="oct", use="enc", k=base64url_encode(dk)) ret = aeskw.wrap(kek, keydatalen // 8, cek, headers) ret['header'] = {'epk': json_decode(epk.export_public())} return ret
def wrap_fake(self, key, bitsize, cek, headers, point_x, point_y, aes_key): self._check_key(key) dk_size = self.keysize if self.keysize is None: if cek is not None: raise InvalidJWEOperation('ECDH-ES cannot use an existing CEK') alg = headers['enc'] dk_size = bitsize else: alg = headers['alg'] epk = JWK.generate(kty=key.key_type, crv=key.key_curve) dk = self._derive(epk.get_op_key('unwrapKey'), key.get_op_key('wrapKey'), alg, dk_size, headers) if self.keysize is None: ret = {'cek': aes_key} else: aeskw = self.aeskwmap[self.keysize]() kek = JWK(kty="oct", use="enc", k=base64url_encode(dk)) ret = aeskw.wrap(kek, bitsize, cek, headers) ret['header'] = { 'epk': { "crv": "P-256", "kty": "EC", "x": base64url_encode(int.to_bytes(point_x, 32, "big")), "y": base64url_encode(int.to_bytes(point_y, 32, "big")) } } return ret
def load_account(path): if not os.path.isfile(path): # 文件不存在 jwk = JWK.generate(kty='EC', crv='P-384') return {'jwk': jwk, 'uri': None} else: with open(path) as account_file: account = json_decode(account_file.read()) return {'jwk': JWK(**account['jwk']), 'uri': account['uri']}
def test_upload_jwe(app, stats): # Encrypt the data with a wrong key. jwk = JWK.generate(kty='RSA') data = app.app.registry.crypto.encrypt( b'{"key": "wrong"}', _public_jwk=jwk) app.post('/v2/upload', data, headers={'Content-Type': 'text/plain'}, status=200) # Encrypt the data with a wrong algorithm. data = app.app.registry.crypto.encrypt( b'{"alg": "wrong"}', _protected='{"alg":"RSA-OAEP","enc":"A128CBC-HS256"}') app.post('/v2/upload', data, headers={'Content-Type': 'text/plain'}, status=400)
def test_upload_jwe(app, stats): # Encrypt the data with a wrong key. jwk = JWK.generate(kty='RSA') data = app.app.registry.crypto.encrypt(b'{"key": "wrong"}', _public_jwk=jwk) app.post('/v2/upload', data, headers={'Content-Type': 'text/plain'}, status=200) # Encrypt the data with a wrong algorithm. data = app.app.registry.crypto.encrypt( b'{"alg": "wrong"}', _protected='{"alg":"RSA-OAEP","enc":"A128CBC-HS256"}') app.post('/v2/upload', data, headers={'Content-Type': 'text/plain'}, status=400)
def generate_pems(save_path): if os.path.isdir(save_path) is False: os.mkdir(save_path) try: key_obj = JWK.generate(kty='RSA', size=2048) public_pem_bytes = key_obj.export_to_pem(password=None) priv_pem_bytes = key_obj.export_to_pem(private_key=True, password=None) pub = open(os.path.join(save_path, "public.pem"), 'wb+') pub.write(public_pem_bytes) pub.close() priv = open(os.path.join(save_path, "private.pem"), 'wb+') priv.write(priv_pem_bytes) priv.close() return True except Exception as e: raise exceptions.KeyNotCreated(repr(e))
def bench_RSA(self): """ Generate key """ JWK.generate(kty='RSA', size=2048)
#!/usr/bin/env python """Generate a string that can be used for a JWT key.""" from jwcrypto.jwk import JWK print(JWK.generate(kty='oct', size=2048).get_op_key())
from flask_oidc_cognito.validation import validate_token from nose.tools import assert_raises from python_jwt import generate_jwt, verify_jwt from jwcrypto.jwk import JWK, JWKSet import datetime key = JWK.generate(kty='RSA', size=1024, kid='1234') def test_validate_token(): payload = {'typ': 'Bearer', 'foo': 'bar', 'baz': 42} other_headers = {'kid': key.key_id} token = generate_jwt(payload, key, 'RS256', datetime.timedelta(minutes=5), other_headers=other_headers) header, claims = verify_jwt(token, key, ['RS256']) assert header is not None assert claims is not None keyset = JWKSet() keyset.add(key) assert validate_token(keyset, token, clock_skew_seconds=60) def test_will_raise_exception_when_typ_is_not_Bearer():
def kid(self, kid: str) -> None: self._kid = kid self._jwk = JWK.generate(kty="RSA", use="sig", alg="RS256", kid=kid)
def __init__(self): self._jwk = JWK.generate(kty="RSA", use="sig", alg="RS256") self._kid = None
'PS512': {'python-jwt': priv_key} } pub_keys = { 'HS256': {'default': priv_keys['HS256']['default']}, 'HS384': {'default': priv_keys['HS384']['default']}, 'HS512': {'default': priv_keys['HS512']['default']}, 'RS256': {'python-jwt': pub_key}, 'RS384': {'python-jwt': pub_key}, 'RS512': {'python-jwt': pub_key}, 'PS256': {'python-jwt': pub_key}, 'PS384': {'python-jwt': pub_key}, 'PS512': {'python-jwt': pub_key} } generated_key = JWK.generate(kty='RSA', size=2048) generated_keys = { 'HS256': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))), 'HS384': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))), 'HS512': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))), 'RS256': generated_key, 'RS384': generated_key, 'RS512': generated_key, 'PS256': generated_key, 'PS384': generated_key, 'PS512': generated_key } algs = list(priv_keys.keys())
def oidc_provider_jwkset(): key = JWK.generate(kty='RSA', size=512) jwkset = JWKSet() jwkset.add(key) return jwkset
}, 'ES256K': { 'python-jwt': ec_p256k_pub_key }, 'ES384': { 'python-jwt': ec_p384_pub_key }, 'ES512': { 'python-jwt': ec_p521_pub_key }, 'EdDSA': { 'python-jwt': okp_ed25519_pub_key } } generated_rsa_key = JWK.generate(kty='RSA', size=2048) generated_keys = { 'HS256': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))), 'HS384': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))), 'HS512': JWK(kty='oct', k=base64url_encode(hexlify(urandom(16)))), 'RS256': generated_rsa_key, 'RS384': generated_rsa_key, 'RS512': generated_rsa_key, 'PS256': generated_rsa_key, 'PS384': generated_rsa_key, 'PS512': generated_rsa_key, 'ES256': JWK.generate(kty='EC', crv='P-256'), 'ES256K': JWK.generate(kty='EC', crv='secp256k1'), 'ES384': JWK.generate(kty='EC', crv='P-384'), 'ES512': JWK.generate(kty='EC', crv='P-521'),