def test_get_signing_key_use_undefined(): kj = KeyJar() kj.import_jwks(JWK1, '') keys = kj.get_signing_key(kid='rsa1') assert len(keys) == 1 keys = kj.get_signing_key(key_type='rsa') assert len(keys) == 1 keys = kj.get_signing_key(key_type='rsa', kid='rsa1') assert len(keys) == 1
def test_get_signing_key_use_undefined(): kj = KeyJar() kj.import_jwks(JWK1, "") keys = kj.get_signing_key(kid="rsa1") assert len(keys) == 1 keys = kj.get_signing_key(key_type="rsa") assert len(keys) == 1 keys = kj.get_signing_key(key_type="rsa", kid="rsa1") assert len(keys) == 1
def test_get_inactive_sig(self): """get_signing_key cannot return inactive `sig` key.""" ks = KeyJar() ks['http://example.com'] = KeyBundle([{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}]) ks['http://example.com'][0]._keys[0].inactive_since = 1 key = ks.get_signing_key(owner='http://example.com') assert len(key) == 0
def test_get_inactive_sig(self): """get_signing_key cannot return inactive `sig` key.""" ks = KeyJar() ks['http://example.com'] = KeyBundle( [{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}]) ks['http://example.com'][0]._keys[0].inactive_since = 1 key = ks.get_signing_key(owner='http://example.com') assert len(key) == 0
def test_local_jwk_file(): kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"]) assert len(kb) == 1 kj = KeyJar() kj.issuer_keys[""] = [kb] keys = kj.get_signing_key() assert len(keys) == 1 key = keys[0] assert isinstance(key, RSAKey) assert key.kid == "abc"
class KeyBundle(keyio.KeyBundle): def __init__(self, keys=None, source="", cache_time=300, verify_ssl=True, fileformat="jwk", keytype="RSA", keyusage=None, verify_keys=None): super(KeyBundle, self).__init__(keys=keys, source=source, cache_time=cache_time, verify_ssl=verify_ssl, fileformat=fileformat, keytype=keytype, keyusage=keyusage) if verify_keys is not None: if isinstance(verify_keys, KeyJar): self.verify_keys = verify_keys else: self.verify_keys = KeyJar() self.verify_keys.import_jwks(verify_keys, '') def _parse_remote_response(self, response): """ Parse simple JWKS or signed JWKS from the HTTP response. :param response: HTTP response from the 'jwks_uri' or 'signed_jwks_uri' endpoint :return: response parsed as JSON """ # Check if the content type is the right one. try: if response.headers["Content-Type"] == 'application/json': logger.debug("Loaded JWKS: %s from %s" % (response.text, self.source)) try: return json.loads(response.text) except ValueError: return None elif response.headers["Content-Type"] == 'application/jose': logger.debug("Signed JWKS: %s from %s" % (response.text, self.source)) _jws = factory(response.text) _resp = _jws.verify_compact( response.text, keys=self.verify_keys.get_signing_key()) return _resp else: logger.error('Wrong content type: {}'.format( response.headers['Content-Type'])) return None except KeyError: pass
def test_signing(): kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"]) assert len(kb) == 1 kj = KeyJar() kj.issuer_keys[""] = [kb] keys = kj.get_signing_key() payload = "Please take a moment to register today" _jws = JWS(payload, alg="RS512") try: _jwt = _jws.sign_compact(keys) assert False except (NoSuitableSigningKeys, WrongTypeOfKey): assert True
def test_signing(): # Signing is only possible if key is a private RSA key kb = keybundle_from_local_file("rsa.key", "rsa", ["ver", "sig"]) assert len(kb) == 2 kj = KeyJar() kj.issuer_keys[""] = [kb] keys = kj.get_signing_key() payload = "Please take a moment to register today" _jws = JWS(payload, alg="RS512") try: _jwt = _jws.sign_compact(keys) assert True except (NoSuitableSigningKeys, WrongTypeOfKey): assert False
class TestBackchannelLogout(object): @pytest.fixture(autouse=True) def setup(self): self.kj = KeyJar() self.kj.add_symmetric("", "dYMmrcQksKaPkhdgRNYk3zzh5l7ewdDJ", ["sig"]) self.key = self.kj.get_signing_key("oct") lt = LogoutToken( iss="https://example.com", aud=["https://rp.example.org"], events={BACK_CHANNEL_LOGOUT_EVENT: {}}, iat=utc_time_sans_frac(), jti=rndstr(16), sub="https://example.com/sub", ) self.signed_jwt = lt.to_jwt(key=self.key, algorithm="HS256") def test_verify_with_keyjar(self): bclr = BackChannelLogoutRequest(logout_token=self.signed_jwt) assert bclr.verify(keyjar=self.kj) # The signed JWT is replaced by a dictionary with all the verified values assert bclr["logout_token"]["iss"] == "https://example.com" def test_verify_with_key(self): bclr = BackChannelLogoutRequest(logout_token=self.signed_jwt) assert bclr.verify(key=self.key) # The signed JWT is replaced by a dictionary with all the verified values assert bclr["logout_token"]["iss"] == "https://example.com" def test_bogus_logout_token(self): lt = LogoutToken( iss="https://example.com", aud=["https://rp.example.org"], events={BACK_CHANNEL_LOGOUT_EVENT: {}}, iat=utc_time_sans_frac(), jti=rndstr(16), nonce=rndstr(16), ) signed_jwt = lt.to_jwt(key=self.key, algorithm="HS256") bclr = BackChannelLogoutRequest(logout_token=signed_jwt) with pytest.raises(MessageException): bclr.verify(key=self.key)
def get_signed_keys(self, uri, signing_keys): """ :param uri: Where the signed JWKS can be found :param signing_keys: Dictionary representation of a JWKS :return: list of KeyBundle instances or None """ r = self.server.http_request(uri, allow_redirects=True) if r.status_code == 200: _skj = KeyJar() _skj.import_jwks(signing_keys, '') _jws = factory(r.text) _jwks = _jws.verify_compact(r.text, Keys=_skj.get_signing_key()) _kj = KeyJar() _kj.import_jwks(json.loads(_jwks), '') return _kj.issuer_keys[''] else: return None
from jwkest.jws import alg2keytype from oic.oic.message import IdToken from oic.utils.keyio import KeyBundle, KeyJar __author__ = 'rohe0002' b0 = KeyBundle(source="http://localhost:8090/exports/jwk.json", src_type="jwk", usage=["ver", "dec", "sig"]) b1 = KeyBundle(source="http://localhost:8090/exports/cert.pem", src_type="x509", usage=["ver", "dec", "sig"]) print b0 print b1 kj = KeyJar() kj["foobar"] = [b0, b1] idt = IdToken().from_dict({"user_id": "diana", "aud": "uo5nowsdL3ck", "iss": "https://localhost:8092", "acr": "2", "exp": 1354442188, "iat": 1354359388}) ckey = kj.get_signing_key(alg2keytype("RS256"), "foobar") _signed_jwt = idt.to_jwt(key=ckey, algorithm="RS256")