def test_only_tink_output_prefix_type_encodes_a_kid_header(self):
handle = tink.new_keyset_handle(jwt.raw_jwt_hs256_template())
jwt_mac = handle.primitive(jwt.JwtMac)
tink_handle = _change_output_prefix_to_tink(handle)
tink_jwt_mac = tink_handle.primitive(jwt.JwtMac)
raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
token = jwt_mac.compute_mac_and_encode(raw_jwt)
token_with_kid = tink_jwt_mac.compute_mac_and_encode(raw_jwt)
_, header, _, _ = _jwt_format.split_signed_compact(token)
self.assertNotIn('kid', _json_util.json_loads(header))
_, header_with_kid, _, _ = _jwt_format.split_signed_compact(
token_with_kid)
self.assertIn('kid', _json_util.json_loads(header_with_kid))
validator = jwt.new_validator(expected_issuer='issuer',
allow_missing_expiration=True)
jwt_mac.verify_mac_and_decode(token, validator)
tink_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
# With output prefix type RAW, a kid header is ignored
jwt_mac.verify_mac_and_decode(token_with_kid, validator)
# With output prefix type TINK, a kid header is required.
with self.assertRaises(tink.TinkError):
tink_jwt_mac.verify_mac_and_decode(token, validator)
other_handle = _change_key_id(tink_handle)
other_jwt_mac = other_handle.primitive(jwt.JwtMac)
# A token with a wrong kid is rejected, even if the signature is ok.
with self.assertRaises(tink.TinkError):
other_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
def test_raw_key_with_custom_kid_header(self, template):
# normal key with output prefix RAW
handle = tink.new_keyset_handle(template)
raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
validator = jwt.new_validator(
expected_issuer='issuer', allow_missing_expiration=True)
sign = handle.primitive(jwt.JwtPublicKeySign)
token = sign.sign_and_encode(raw_jwt)
verify = handle.public_keyset_handle().primitive(jwt.JwtPublicKeyVerify)
verify.verify_and_decode(token, validator)
_, json_header, _, _ = _jwt_format.split_signed_compact(token)
self.assertNotIn('kid', _json_util.json_loads(json_header))
# key with a custom_kid set
custom_kid_handle = _set_custom_kid(handle, custom_kid=LONG_CUSTOM_KID)
custom_kid_sign = custom_kid_handle.primitive(jwt.JwtPublicKeySign)
token_with_kid = custom_kid_sign.sign_and_encode(raw_jwt)
custom_kid_verify = custom_kid_handle.public_keyset_handle().primitive(
jwt.JwtPublicKeyVerify)
custom_kid_verify.verify_and_decode(token_with_kid, validator)
_, header_with_kid, _, _ = _jwt_format.split_signed_compact(token_with_kid)
self.assertEqual(_json_util.json_loads(header_with_kid)['kid'],
LONG_CUSTOM_KID)
# The primitive with a custom_kid set accepts tokens without kid header.
custom_kid_verify.verify_and_decode(token, validator)
# The primitive without a custom_kid set ignores the kid header.
verify.verify_and_decode(token_with_kid, validator)
# key with a different custom_kid set
other_handle = _set_custom_kid(handle, custom_kid='other kid')
other_verify = other_handle.public_keyset_handle().primitive(
jwt.JwtPublicKeyVerify)
# Fails because the kid value do not match.
with self.assertRaises(tink.TinkError):
other_verify.verify_and_decode(token_with_kid, validator)
tink_handle = _change_output_prefix_to_tink(custom_kid_handle)
tink_sign = tink_handle.primitive(jwt.JwtPublicKeySign)
tink_verify = tink_handle.public_keyset_handle().primitive(
jwt.JwtPublicKeyVerify)
# Having custom_kid set with output prefix TINK is not allowed.
with self.assertRaises(tink.TinkError):
tink_sign.sign_and_encode(raw_jwt)
with self.assertRaises(tink.TinkError):
tink_verify.verify_and_decode(token, validator)
with self.assertRaises(tink.TinkError):
tink_verify.verify_and_decode(token_with_kid, validator)
def test_create_header_with_type(self):
encoded_header = _jwt_format.create_header('HS256', 'typeHeader', None)
json_header = _jwt_format.decode_header(encoded_header)
self.assertEqual(json_header, '{"alg":"HS256","typ":"typeHeader"}')
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
self.assertEqual(_jwt_format.get_type_header(header), 'typeHeader')
def test_signed_compact_create_split_with_kid(self):
raw_jwt = _raw_jwt.raw_jwt_from_json(None, '{"iss":"joe"}')
signature = _jwt_format.decode_signature(
b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
unsigned_compact = _jwt_format.create_unsigned_compact(
'RS256', 'AZxkm2U', raw_jwt)
signed_compact = _jwt_format.create_signed_compact(
unsigned_compact, signature)
un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(
signed_compact)
self.assertEqual(
unsigned_compact,
b'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ')
self.assertEqual(
signed_compact,
'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ'
'.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
self.assertEqual(un_comp, unsigned_compact)
self.assertEqual(sig, signature)
self.assertEqual(hdr, '{"kid":"AZxkm2U","alg":"RS256"}')
header = _json_util.json_loads(hdr)
_jwt_format.validate_header(header, 'RS256')
self.assertEqual(pay, '{"iss":"joe"}')
self.assertIsNone(_jwt_format.get_type_header(header))
def test_validate_header_with_other_kid_fails(self):
json_header = '{"kid":"GsapRA","alg":"HS256"}'
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256', tink_kid='otherKid')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256', custom_kid='otherKid')
def test_validate_header_with_missing_kid_missing(self):
json_header = '{"alg":"HS256"}'
header = _json_util.json_loads(json_header)
with self.assertRaises(_jwt_error.JwtInvalidError):
# if tink_kid is set, a kid header is required.
_jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA')
# if custom_kid is set, a kid header is *not* required.
_jwt_format.validate_header(header, 'HS256', custom_kid='GsapRA')
def test_raw_output_prefix_type_encodes_a_custom_kid_header(self):
# normal HMAC jwt_mac with output prefix RAW
handle = tink.new_keyset_handle(jwt.raw_jwt_hs256_template())
raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
validator = jwt.new_validator(expected_issuer='issuer',
allow_missing_expiration=True)
jwt_mac = handle.primitive(jwt.JwtMac)
token = jwt_mac.compute_mac_and_encode(raw_jwt)
jwt_mac.verify_mac_and_decode(token, validator)
_, json_header, _, _ = _jwt_format.split_signed_compact(token)
self.assertNotIn('kid', _json_util.json_loads(json_header))
# HMAC jwt_mac with a custom_kid set
custom_kid_handle = _set_custom_kid(handle, custom_kid='my kid')
custom_kid_jwt_mac = custom_kid_handle.primitive(jwt.JwtMac)
token_with_kid = custom_kid_jwt_mac.compute_mac_and_encode(raw_jwt)
custom_kid_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
_, header_with_kid, _, _ = _jwt_format.split_signed_compact(
token_with_kid)
self.assertEqual(
_json_util.json_loads(header_with_kid)['kid'], 'my kid')
# Even when custom_kid is set, its not required to be set in the header.
custom_kid_jwt_mac.verify_mac_and_decode(token, validator)
# An additional kid header is ignored.
jwt_mac.verify_mac_and_decode(token_with_kid, validator)
other_handle = _set_custom_kid(handle, custom_kid='other kid')
other_jwt_mac = other_handle.primitive(jwt.JwtMac)
with self.assertRaises(tink.TinkError):
# The custom_kid does not match the kid header.
other_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
tink_handle = _change_output_prefix_to_tink(custom_kid_handle)
tink_jwt_mac = tink_handle.primitive(jwt.JwtMac)
# having custom_kid set with output prefix TINK is not allowed
with self.assertRaises(tink.TinkError):
tink_jwt_mac.compute_mac_and_encode(raw_jwt)
with self.assertRaises(tink.TinkError):
tink_jwt_mac.verify_mac_and_decode(token, validator)
with self.assertRaises(tink.TinkError):
tink_jwt_mac.verify_mac_and_decode(token_with_kid, validator)
def test_decode_encode_header_rs256(self):
# Example from https://tools.ietf.org/html/rfc7515#appendix-A.2
encoded_header = b'eyJhbGciOiJSUzI1NiJ9'
json_header = _jwt_format.decode_header(encoded_header)
header = _json_util.json_loads(json_header)
self.assertEqual(header['alg'], 'RS256')
self.assertEqual(
_jwt_format.decode_header(_jwt_format.encode_header(json_header)),
json_header)
def test_decode_encode_header_hs256(self):
# Example from https://tools.ietf.org/html/rfc7515#appendix-A.1
encoded_header = b'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9'
json_header = _jwt_format.decode_header(encoded_header)
header = _json_util.json_loads(json_header)
self.assertEqual(header['alg'], 'HS256')
self.assertEqual(header['typ'], 'JWT')
self.assertEqual(
_jwt_format.decode_header(_jwt_format.encode_header(json_header)),
json_header)
def test_validate_header_with_kid_success(self):
json_header = '{"kid":"GsapRA","alg":"HS256"}'
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
_jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA')
_jwt_format.validate_header(header, 'HS256', custom_kid='GsapRA')
with self.assertRaises(_jwt_error.JwtInvalidError):
# fails because tink_kid and custom_kid must not be set at the same time.
_jwt_format.validate_header(header,
'HS256',
tink_kid='GsapRA',
custom_kid='GsapRA')
def test_json_loads_with_invalid_utf16(self):
with self.assertRaises(_jwt_error.JwtInvalidError):
_json_util.json_loads(u'{"a":{"b":{"c":"\\uD834"}}}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_json_util.json_loads(u'{"\\uD834":"b"}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_json_util.json_loads(u'{"a":["a",{"b":["c","\\uD834"]}]}')
def test_decode_encode_payload(self):
# Example from https://tools.ietf.org/html/rfc7519#section-3.1
encoded_payload = (
b'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0'
b'dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ')
json_payload = _jwt_format.decode_payload(encoded_payload)
payload = _json_util.json_loads(json_payload)
self.assertEqual(payload['iss'], 'joe')
self.assertEqual(payload['exp'], 1300819380)
self.assertEqual(payload['http://example.com/is_root'], True)
self.assertEqual(
_jwt_format.decode_payload(
_jwt_format.encode_payload(json_payload)), json_payload)
def test_only_tink_output_prefix_type_encodes_a_kid_header(self):
handle = tink.new_keyset_handle(jwt.raw_jwt_es256_template())
sign = handle.primitive(jwt.JwtPublicKeySign)
verify = handle.public_keyset_handle().primitive(jwt.JwtPublicKeyVerify)
tink_handle = _change_output_prefix_to_tink(handle)
tink_sign = tink_handle.primitive(jwt.JwtPublicKeySign)
tink_verify = tink_handle.public_keyset_handle().primitive(
jwt.JwtPublicKeyVerify)
raw_jwt = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
token = sign.sign_and_encode(raw_jwt)
token_with_kid = tink_sign.sign_and_encode(raw_jwt)
_, header, _, _ = _jwt_format.split_signed_compact(token)
self.assertNotIn('kid', _json_util.json_loads(header))
_, header_with_kid, _, _ = _jwt_format.split_signed_compact(token_with_kid)
self.assertIn('kid', _json_util.json_loads(header_with_kid))
validator = jwt.new_validator(
expected_issuer='issuer', allow_missing_expiration=True)
verify.verify_and_decode(token, validator)
tink_verify.verify_and_decode(token_with_kid, validator)
other_handle = _change_key_id(tink_handle)
other_verify = other_handle.public_keyset_handle().primitive(
jwt.JwtPublicKeyVerify)
verify.verify_and_decode(token_with_kid, validator)
# For output prefix type TINK, the kid header is required.
with self.assertRaises(tink.TinkError):
tink_verify.verify_and_decode(token, validator)
# This should fail because value of the kid header is wrong.
with self.assertRaises(tink.TinkError):
other_verify.verify_and_decode(token_with_kid, validator)
def verify_mac_and_decode_with_kid(
self, compact: str, validator: _jwt_validator.JwtValidator,
kid: Optional[str]) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
parts = _jwt_format.split_signed_compact(compact)
unsigned_compact, json_header, json_payload, mac = parts
self._verify_mac(mac, unsigned_compact)
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header=header,
algorithm=self._algorithm,
tink_kid=kid,
custom_kid=self._custom_kid)
raw_jwt = _raw_jwt.raw_jwt_from_json(
_jwt_format.get_type_header(header), json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_signed_compact_create_split(self):
raw_jwt = _raw_jwt.raw_jwt_from_json('JWT', '{"iss":"joe"}')
signature = _jwt_format.decode_signature(
b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
unsigned_compact = _jwt_format.create_unsigned_compact(
'RS256', None, raw_jwt)
signed_compact = _jwt_format.create_signed_compact(
unsigned_compact, signature)
un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(
signed_compact)
self.assertEqual(
unsigned_compact,
b'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqb2UifQ')
self.assertEqual(
signed_compact, 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.'
'eyJpc3MiOiJqb2UifQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
self.assertEqual(un_comp, unsigned_compact)
self.assertEqual(sig, signature)
self.assertEqual(hdr, '{"alg":"RS256","typ":"JWT"}')
header = _json_util.json_loads(hdr)
_jwt_format.validate_header(header, 'RS256')
self.assertEqual(pay, '{"iss":"joe"}')
self.assertEqual(_jwt_format.get_type_header(header), 'JWT')
def test_create_verify_different_algorithms_fails(self):
encoded_header = _jwt_format.create_header('HS256', None, None)
json_header = _jwt_format.decode_header(encoded_header)
header = _json_util.json_loads(json_header)
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'ES256')
def test_validate_header_rejects_crit(self):
header = _json_util.json_loads(
'{"alg":"HS256","crit":["http://example.invalid/UNDEFINED"],'
'"http://example.invalid/UNDEFINED":true}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_ignores_typ(self):
header = _json_util.json_loads('{"alg":"HS256","typ":"unknown"}')
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_unknown_entry_success(self):
header = _json_util.json_loads('{"alg":"HS256","unknown":"header"}')
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_unknown_algorithm_fails(self):
header = _json_util.json_loads('{"alg":"HS123"}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS123')
def test_json_loads_recursion(self):
num_recursions = 1000
recursive_json = ('{"a":' * num_recursions) + '""' + ('}' *
num_recursions)
with self.assertRaises(_jwt_error.JwtInvalidError):
_json_util.json_loads(recursive_json)
def test_create_validate_header(self, algorithm):
encoded_header = _jwt_format.create_header(algorithm, None, None)
json_header = _jwt_format.decode_header(encoded_header)
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, algorithm)
self.assertIsNone(_jwt_format.get_type_header(header))
def _from_json(cls, type_header: Optional[str], payload: str) -> 'RawJwt':
"""Creates a RawJwt from payload encoded as JSON string."""
raw_jwt = object.__new__(cls)
raw_jwt.__init__(type_header, _json_util.json_loads(payload))
return raw_jwt
def test_verify_empty_header_fails(self):
header = _json_util.json_loads('{}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'ES256')
def test_json_loads(self):
self.assertEqual(_json_util.json_loads('{"a":["b",1,true,null]}'),
{'a': ['b', 1, True, None]})
with self.assertRaises(_jwt_error.JwtInvalidError):
_json_util.json_loads('{invalid')
