class JwtKeyTemplatesTest(parameterized.TestCase): @parameterized.parameters([ ('JWT_HS256', jwt.jwt_hs256_template()), ('JWT_HS384', jwt.jwt_hs384_template()), ('JWT_HS512', jwt.jwt_hs512_template()), ('JWT_ES256', jwt.jwt_es256_template()), ('JWT_ES384', jwt.jwt_es384_template()), ('JWT_ES512', jwt.jwt_es512_template()), ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()), ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()), ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()), ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()), ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()), ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()), ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()), ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()), ]) def test_template(self, template_name, template): self.assertEqual(template, helper.template_from_testdata(template_name, 'jwt')) @parameterized.named_parameters(('0', 0, b'\x00'), ('256', 256, b'\x01\x00'), ('65537', 65537, b'\x01\x00\x01')) def test_num_to_bytes(self, number, expected): self.assertEqual(jwt._jwt_key_templates._num_to_bytes(number), expected)
class JwtKeyTemplatesTest(parameterized.TestCase): @parameterized.parameters([ ('JWT_HS256', jwt.jwt_hs256_template()), ('JWT_HS384', jwt.jwt_hs384_template()), ('JWT_HS512', jwt.jwt_hs512_template()), ('JWT_ES256', jwt.jwt_es256_template()), ('JWT_ES384', jwt.jwt_es384_template()), ('JWT_ES512', jwt.jwt_es512_template()), ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()), ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()), ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()), ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()), ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()), ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()), ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()), ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()), ]) def test_template(self, template_name, template): self.assertEqual(template, helper.template_from_testdata(template_name, 'jwt')) @parameterized.named_parameters(('0', 0, b'\x00'), ('256', 256, b'\x01\x00'), ('65537', 65537, b'\x01\x00\x01')) def test_num_to_bytes(self, number, expected): self.assertEqual(jwt._jwt_key_templates._num_to_bytes(number), expected) @parameterized.named_parameters([ ('JWT_HS256', jwt.jwt_hs256_template()), ('JWT_HS384', jwt.jwt_hs384_template()), ('JWT_HS512', jwt.jwt_hs512_template()), ]) def test_mac_success(self, key_template): keyset_handle = tink.new_keyset_handle(key_template) jwt_hmac = keyset_handle.primitive(jwt.JwtMac) token = jwt.new_raw_jwt(issuer='issuer', subject='subject') compact = jwt_hmac.compute_mac_and_encode(token) output_token = jwt_hmac.verify_mac_and_decode(compact, jwt.new_validator()) self.assertEqual(output_token.issuer(), token.issuer()) self.assertEqual(output_token.subject(), token.subject())
signature.signature_key_templates.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4, 'RSA_SSA_PSS_4096_SHA512_SHA512_64_F4': signature.signature_key_templates.RSA_SSA_PSS_4096_SHA512_SHA512_64_F4, 'AES_CMAC_PRF': prf.prf_key_templates.AES_CMAC, 'HMAC_PRF_SHA256': prf.prf_key_templates.HMAC_SHA256, 'HMAC_PRF_SHA512': prf.prf_key_templates.HMAC_SHA512, 'HKDF_PRF_SHA256': prf.prf_key_templates.HKDF_SHA256, 'JWT_HS256': jwt.jwt_hs256_template(), 'JWT_HS256_RAW': jwt.raw_jwt_hs256_template(), 'JWT_HS384': jwt.jwt_hs384_template(), 'JWT_HS384_RAW': jwt.raw_jwt_hs384_template(), 'JWT_HS512': jwt.jwt_hs512_template(), 'JWT_HS512_RAW': jwt.raw_jwt_hs512_template(), 'JWT_ES256': jwt.jwt_es256_template(), 'JWT_ES256_RAW': jwt.raw_jwt_es256_template(), 'JWT_ES384': jwt.jwt_es384_template(), 'JWT_ES384_RAW': jwt.raw_jwt_es384_template(), 'JWT_ES512': jwt.jwt_es512_template(), 'JWT_ES512_RAW': jwt.raw_jwt_es512_template(), 'JWT_RS256_2048_F4': jwt.jwt_rs256_2048_f4_template(), 'JWT_RS256_2048_F4_RAW': jwt.raw_jwt_rs256_2048_f4_template(), 'JWT_RS256_3072_F4': jwt.jwt_rs256_3072_f4_template(), 'JWT_RS256_3072_F4_RAW': jwt.raw_jwt_rs256_3072_f4_template(), 'JWT_RS384_3072_F4': jwt.jwt_rs384_3072_f4_template(), 'JWT_RS384_3072_F4_RAW': jwt.raw_jwt_rs384_3072_f4_template(), 'JWT_RS512_4096_F4': jwt.jwt_rs512_4096_f4_template(), 'JWT_RS512_4096_F4_RAW': jwt.raw_jwt_rs512_4096_f4_template(),
class JwtKeyTemplatesTest(parameterized.TestCase): @parameterized.named_parameters([ ('JWT_HS256', jwt.jwt_hs256_template()), ('JWT_HS256_RAW', jwt.raw_jwt_hs256_template()), ('JWT_HS384', jwt.jwt_hs384_template()), ('JWT_HS384_RAW', jwt.raw_jwt_hs384_template()), ('JWT_HS512', jwt.jwt_hs512_template()), ('JWT_HS512_RAW', jwt.raw_jwt_hs512_template()), ]) def test_mac_success(self, key_template): keyset_handle = tink.new_keyset_handle(key_template) jwt_hmac = keyset_handle.primitive(jwt.JwtMac) token = jwt.new_raw_jwt(issuer='issuer', subject='subject', without_expiration=True) compact = jwt_hmac.compute_mac_and_encode(token) output_token = jwt_hmac.verify_mac_and_decode( compact, jwt.new_validator(expected_issuer='issuer', allow_missing_expiration=True)) self.assertEqual(output_token.issuer(), token.issuer()) self.assertEqual(output_token.subject(), token.subject()) @parameterized.named_parameters([ ('JWT_ES256', jwt.jwt_es256_template()), ('JWT_ES256_RAW', jwt.raw_jwt_es256_template()), ('JWT_ES384', jwt.jwt_es384_template()), ('JWT_ES384_RAW', jwt.raw_jwt_es384_template()), ('JWT_ES512', jwt.jwt_es512_template()), ('JWT_ES512_RAW', jwt.raw_jwt_es512_template()), ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()), ('JWT_RS256_2048_F4_RAW', jwt.raw_jwt_rs256_2048_f4_template()), ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()), ('JWT_RS256_3072_F4_RAW', jwt.raw_jwt_rs256_3072_f4_template()), ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()), ('JWT_RS384_3072_F4_RAW', jwt.raw_jwt_rs384_3072_f4_template()), ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()), ('JWT_RS512_4096_F4_RAW', jwt.raw_jwt_rs512_4096_f4_template()), ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()), ('JWT_PS256_2048_F4_RAW', jwt.raw_jwt_ps256_2048_f4_template()), ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()), ('JWT_PS256_3072_F4_RAW', jwt.raw_jwt_ps256_3072_f4_template()), ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()), ('JWT_PS384_3072_F4_RAW', jwt.raw_jwt_ps384_3072_f4_template()), ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()), ('JWT_PS512_4096_F4_RAW', jwt.raw_jwt_ps512_4096_f4_template()), ]) def test_new_keydata_primitive_success(self, template): private_handle = tink.new_keyset_handle(template) sign = private_handle.primitive(jwt.JwtPublicKeySign) verify = private_handle.public_keyset_handle().primitive( jwt.JwtPublicKeyVerify) raw_jwt = jwt.new_raw_jwt(issuer='issuer', subject='subject', without_expiration=True) compact = sign.sign_and_encode(raw_jwt) verified_jwt = verify.verify_and_decode( compact, jwt.new_validator(expected_issuer='issuer', allow_missing_expiration=True)) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject')
'HMAC_SHA256_PRF': prf.prf_key_templates.HMAC_SHA256, 'HMAC_SHA512_PRF': prf.prf_key_templates.HMAC_SHA512, 'HKDF_SHA256': prf.prf_key_templates.HKDF_SHA256, 'JWT_HS256': jwt.jwt_hs256_template(), 'JWT_HS256_RAW': jwt.raw_jwt_hs256_template(), 'JWT_HS384': jwt.jwt_hs384_template(), 'JWT_HS384_RAW': jwt.raw_jwt_hs384_template(), 'JWT_HS512': jwt.jwt_hs512_template(), 'JWT_HS512_RAW': jwt.raw_jwt_hs512_template(), 'JWT_ES256': jwt.jwt_es256_template(), 'JWT_ES256_RAW': jwt.raw_jwt_es256_template(), 'JWT_ES384': jwt.jwt_es384_template(), 'JWT_ES384_RAW': jwt.raw_jwt_es384_template(), 'JWT_ES512': jwt.jwt_es512_template(), 'JWT_ES512_RAW': jwt.raw_jwt_es512_template(), 'JWT_RS256_2048_F4':
class JwtHmacKeyManagerTest(parameterized.TestCase): def test_basic(self): key_manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager() self.assertEqual(key_manager.primitive_class(), jwt.JwtMac) self.assertEqual(key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.JwtHmacKey') @parameterized.named_parameters([ ('JWT_HS256', jwt.jwt_hs256_template()), ('JWT_HS384', jwt.jwt_hs384_template()), ('JWT_HS512', jwt.jwt_hs512_template()), ]) def test_new_keydata_primitive_success(self, template): key_manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager() key_data = key_manager.new_key_data(template) jwt_hmac = key_manager.primitive(key_data) raw_jwt = jwt.new_raw_jwt(issuer='issuer') signed_compact = jwt_hmac.compute_mac_and_encode(raw_jwt) verified_jwt = jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator(fixed_now=DATETIME_1970)) self.assertEqual(verified_jwt.issuer(), 'issuer') def test_fixed_signed_compact(self): jwt_hmac = create_fixed_jwt_hmac() signed_compact = ( 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleH' 'AiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') verified_jwt = jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator(issuer='joe', fixed_now=DATETIME_1970)) self.assertEqual(verified_jwt.issuer(), 'joe') self.assertEqual(verified_jwt.expiration().year, 2011) self.assertCountEqual(verified_jwt.custom_claim_names(), ['http://example.com/is_root']) self.assertTrue( verified_jwt.custom_claim('http://example.com/is_root')) # fails because it is expired with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator(fixed_now=DATETIME_2020)) # fails with wrong issuer with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator(issuer='jane', fixed_now=DATETIME_1970)) @parameterized.named_parameters([ ('invalid_header_typ', 'eyJ0eXAiOiJKV0QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA' '4MTkzODEsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.m6sYAmMakslu' 'W4deYZS0HaBKbMrfa6kBy6IRr1Vy5Gg'), ('modified_signature', 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleH' 'AiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXi'), ('modified_payload', 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLCJleHAiOj' 'EzMDA4MTkzODEsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'), ('modified_header', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleH' 'AiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'), ('extra .', 'eyJhbGciOiJIUzI1NiJ9.e30.abc.'), ('invalid_header_encoding', 'eyJhbGciOiJIUzI1NiJ9?.e30.abc'), ('invalid_payload_encoding', 'eyJhbGciOiJIUzI1NiJ9.e30?.abc'), ('invalid_mac_encoding', 'eyJhbGciOiJIUzI1NiJ9.e30.abc?'), ('no_mac', 'eyJhbGciOiJIUzI1NiJ9.e30'), ]) def test_invalid_signed_compact(self, invalid_signed_compact): jwt_hmac = create_fixed_jwt_hmac() validator = jwt.new_validator(issuer='joe', fixed_now=DATETIME_1970) with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode(invalid_signed_compact, validator)
class JwtHmacKeyManagerTest(parameterized.TestCase): def test_basic(self): key_manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager() self.assertEqual(key_manager.primitive_class(), _jwt_mac.JwtMacInternal) self.assertEqual(key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.JwtHmacKey') @parameterized.named_parameters([ ('JWT_HS256', jwt.jwt_hs256_template()), ('JWT_HS384', jwt.jwt_hs384_template()), ('JWT_HS512', jwt.jwt_hs512_template()), ]) def test_new_keydata_primitive_success(self, template): key_manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager() key_data = key_manager.new_key_data(template) jwt_hmac = key_manager.primitive(key_data) raw_jwt = jwt.new_raw_jwt( type_header='typeHeader', issuer='issuer', without_expiration=True) signed_compact = jwt_hmac.compute_mac_and_encode_with_kid(raw_jwt, None) verified_jwt = jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator( expected_type_header='typeHeader', expected_issuer='issuer', allow_missing_expiration=True, fixed_now=DATETIME_1970)) self.assertEqual(verified_jwt.type_header(), 'typeHeader') self.assertEqual(verified_jwt.issuer(), 'issuer') def test_fixed_signed_compact(self): signed_compact = ( 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleH' 'AiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') jwt_hmac = create_fixed_jwt_hmac() verified_jwt = jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator( expected_type_header='JWT', expected_issuer='joe', fixed_now=DATETIME_1970)) self.assertEqual(verified_jwt.issuer(), 'joe') self.assertEqual(verified_jwt.expiration().year, 2011) self.assertCountEqual(verified_jwt.custom_claim_names(), ['http://example.com/is_root']) self.assertTrue(verified_jwt.custom_claim('http://example.com/is_root')) self.assertTrue(verified_jwt.type_header(), 'JWT') # fails because it is expired with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode(signed_compact, jwt.new_validator(fixed_now=DATETIME_2020)) # fails with wrong issuer with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode( signed_compact, jwt.new_validator(expected_issuer='jane', fixed_now=DATETIME_1970)) def test_valid_signed_compact(self): jwt_hmac = create_fixed_jwt_hmac() valid_token = create_signed_token('{"alg":"HS256"}', '{"iss":"joe"}') verified = jwt_hmac.verify_mac_and_decode( valid_token, jwt.new_validator( expected_issuer='joe', allow_missing_expiration=True, fixed_now=DATETIME_1970)) self.assertEqual(verified.issuer(), 'joe') token_with_unknown_typ = create_signed_token( '{"alg":"HS256","typ":"unknown"}', '{"iss":"joe"}') verified2 = jwt_hmac.verify_mac_and_decode( token_with_unknown_typ, jwt.new_validator( expected_type_header='unknown', expected_issuer='joe', allow_missing_expiration=True, fixed_now=DATETIME_1970)) self.assertEqual(verified2.issuer(), 'joe') token_with_unknown_kid = create_signed_token( '{"kid":"unknown","alg":"HS256"}', '{"iss":"joe"}') verified2 = jwt_hmac.verify_mac_and_decode( token_with_unknown_kid, jwt.new_validator( expected_issuer='joe', allow_missing_expiration=True, fixed_now=DATETIME_1970)) self.assertEqual(verified2.issuer(), 'joe') def test_invalid_signed_compact_with_valid_signature(self): jwt_hmac = create_fixed_jwt_hmac() validator = jwt.new_validator( expected_issuer='joe', allow_missing_expiration=True, fixed_now=DATETIME_1970) # token with valid signature but invalid alg header token_with_invalid_header = create_signed_token('{"alg":"RS256"}', '{"iss":"joe"}') with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode(token_with_invalid_header, validator) # token with valid signature but invalid json in payload token_with_invalid_payload = create_signed_token('{"alg":"HS256"}', '{"iss":"joe"') with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode(token_with_invalid_payload, validator) @parameterized.named_parameters([ ('modified_signature', 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleH' 'AiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXi'), ('modified_payload', 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLCJleHAiOj' 'EzMDA4MTkzODEsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'), ('modified_header', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleH' 'AiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'), ('extra .', 'eyJhbGciOiJIUzI1NiJ9.e30.abc.'), ('invalid_header_encoding', 'eyJhbGciOiJIUzI1NiJ9?.e30.abc'), ('invalid_payload_encoding', 'eyJhbGciOiJIUzI1NiJ9.e30?.abc'), ('invalid_mac_encoding', 'eyJhbGciOiJIUzI1NiJ9.e30.abc?'), ('no_mac', 'eyJhbGciOiJIUzI1NiJ9.e30'), ]) def test_invalid_signed_compact(self, invalid_signed_compact): jwt_hmac = create_fixed_jwt_hmac() validator = jwt.new_validator( expected_issuer='joe', allow_missing_expiration=True, fixed_now=DATETIME_1970) with self.assertRaises(tink.TinkError): jwt_hmac.verify_mac_and_decode(invalid_signed_compact, validator)