def test_wrong_alg(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") with pytest.raises(HeaderError): factory(_jwe, alg="A192KW", enc="A128CBC-HS256")
def test_ecdh_no_setup_dynamic_epk(): jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") jwt = jwenc.encrypt([eck_bob]) assert jwt ret_jwe = factory(jwt, alg="ECDH-ES", enc="A128GCM") res = ret_jwe.decrypt(jwt, [eck_bob]) assert res == plain
def test_ecdh_encrypt_decrypt_direct_key(): # Alice starts of jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM") cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain, key=eck_bob) kwargs = { 'params': params, 'cek': cek, 'iv': iv, 'encrypted_key': encrypted_key } assert "epk" in params assert not encrypted_key jwt = jwenc.encrypt(**kwargs) # Bob decrypts ret_jwe = factory(jwt, alg="ECDH-ES", enc="A128GCM") jwdec = JWE_EC() jwdec.dec_setup(ret_jwe.jwt, key=bob) msg = jwdec.decrypt(ret_jwe.jwt) assert msg == plain
def main(jwt, keys, quiet): _jw = jwe.factory(jwt) if _jw: if not quiet: print("Encrypted JSON Web Token") print('Headers: {}'.format(_jw.jwt.headers)) if keys: res = _jw.decrypt(keys=keys) json_object = json.loads(res) json_str = json.dumps(json_object, indent=2) print(highlight(json_str, JsonLexer(), TerminalFormatter())) else: print("No keys can't decrypt") sys.exit(1) else: _jw = jws.factory(jwt) if _jw: if quiet: json_object = json.loads(_jw.jwt.part[1].decode("utf-8")) json_str = json.dumps(json_object, indent=2) print(highlight(json_str, JsonLexer(), TerminalFormatter())) else: print("Signed JSON Web Token") print('Headers: {}'.format(_jw.jwt.headers)) if keys: res = _jw.verify_compact(keys=keys) print('Verified message: {}'.format(res)) else: json_object = json.loads(_jw.jwt.part[1].decode("utf-8")) json_str = json.dumps(json_object, indent=2) print('Unverified message: {}'.format( highlight(json_str, JsonLexer(), TerminalFormatter())))
def test_verify_headers(): jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") jwt = jwenc.encrypt([eck_bob]) assert jwt decrypter = factory(jwt, alg="ECDH-ES", enc="A128GCM") assert decrypter.jwt.verify_headers(alg='ECDH-ES', enc='A128GCM') assert decrypter.jwt.verify_headers(alg='RS256') is False assert decrypter.jwt.verify_headers(kid='RS256') is False
def test_no_key(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(NoSuitableDecryptionKey): decrypter.decrypt(_jwe, [])
def test_wrong_alg_2(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(WrongEncryptionAlgorithm): decrypter.decrypt(_jwe, [encryption_key], alg='A192KW')
def test_encrypt_jwk_key(): # This is a weird case. Signing the JWT with a key that is # published in the JWT. Still it should be possible. jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM", jwk=eck_bob) _enc = jwenc.encrypt() assert _enc decrypter = factory(_enc, alg="ECDH-ES", enc="A128GCM") res = decrypter.decrypt() assert res == plain
def test_sym_encrypt_decrypt_jwe(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") resp = decrypter.decrypt(_jwe, [encryption_key]) assert resp == plain
def decrypt_from_jwe(jwe): RSA_KEY = settings.UNITICKET_JWT_RSA_KEY_PATH JWE_ALG = settings.UNITICKET_JWE_ALG JWE_ENC = settings.UNITICKET_JWE_ENC priv_key = import_private_rsa_key_from_file(RSA_KEY) _decryptor = factory(jwe, alg=JWE_ALG, enc=JWE_ENC) _dkey = RSAKey(priv_key=priv_key) msg = _decryptor.decrypt(jwe, [_dkey]) return msg
def test_encrypt_decrypt_rsa_cbc(): _key = RSAKey(pub_key=pub_key) _jwe0 = JWE(plain, alg="RSA1_5", enc="A128CBC-HS256") jwt = _jwe0.encrypt([_key]) _jwe1 = factory(jwt, alg="RSA1_5", enc="A128CBC-HS256") _dkey = RSAKey(priv_key=priv_key) msg = _jwe1.decrypt(jwt, [_dkey]) assert msg == plain
def test_sym_jwenc(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") _jwenc = decrypter.jwt assert _jwenc.b64_protected_header() == _jwenc.b64part[0] assert _jwenc.b64_encrypted_key() == _jwenc.b64part[1] assert _jwenc.b64_initialization_vector() == _jwenc.b64part[2] assert _jwenc.b64_ciphertext() == _jwenc.b64part[3] assert _jwenc.b64_authentication_tag() == _jwenc.b64part[4] assert _jwenc.protected_header() == _jwenc.part[0] assert _jwenc.encrypted_key() == _jwenc.part[1] assert _jwenc.initialization_vector() == _jwenc.part[2] assert _jwenc.ciphertext() == _jwenc.part[3] assert _jwenc.authentication_tag() == _jwenc.part[4]
def test_ecdh_encrypt_decrypt_keywrapped_key(): jwenc = JWE_EC(plain, alg="ECDH-ES+A128KW", enc="A128GCM") cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain, key=eck_bob) kwargs = {} kwargs['params'] = params kwargs['cek'] = cek kwargs['iv'] = iv kwargs['encrypted_key'] = encrypted_key assert "epk" in params assert encrypted_key jwt = jwenc.encrypt(**kwargs) ret_jwe = factory(jwt, alg="ECDH-ES+A128KW", enc="A128GCM") jwdec = JWE_EC() jwdec.dec_setup(ret_jwe.jwt, key=bob) msg = jwdec.decrypt(ret_jwe.jwt) assert msg == plain
def test_request_object_encryption(): msg = AuthorizationRequest(state='ABCDE', redirect_uri='https://example.com/cb', response_type='code') conf = { 'redirect_uris': ['https://example.com/cli/authz_cb'], 'client_id': 'client_1', 'client_secret': 'abcdefghijklmnop', } service_context = ServiceContext(keyjar=keyjar, config=conf) service_context.behaviour["request_object_encryption_alg"] = 'RSA1_5' service_context.behaviour[ "request_object_encryption_enc"] = "A128CBC-HS256" _jwe = request_object_encryption(msg.to_json(), service_context, target=RECEIVER) assert _jwe _decryptor = factory(_jwe) assert _decryptor.jwt.verify_headers(alg='RSA1_5', enc='A128CBC-HS256')