def test_mismatch_alg_and_key(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg="ES256") with pytest.raises(NoSuitableSigningKeys): _jws.sign_compact(keys)
def test_dj_usage(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg="RS256") sjwt = _jws.sign_compact(keys) _jwt = factory(sjwt) assert _jwt.jwt.headers["alg"] == "RS256"
def test_extra_headers_1(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg="RS256") sjwt = _jws.sign_compact(keys, foo="bar") _jwt = factory(sjwt) assert set(_jwt.jwt.headers.keys()) == {"alg", "foo"}
def test_extra_headers_3(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _jws = JWS(payload, alg='RS256') _jws.set_header_claim('foo', 'bar') sjwt = _jws.sign_compact(keys, abc=123) _jwt = factory(sjwt) assert set(_jwt.jwt.headers.keys()) == {'alg', 'foo', 'abc'}
def test_factory_verify_alg(): pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) payload = "Please take a moment to register today" keys = [RSAKey(priv_key=pkey)] _signer = JWS(payload, alg="RS256") _signer.set_header_claim("foo", "bar") _jws = _signer.sign_compact(keys, abc=123) _verifier = factory(_jws) assert _verifier.jwt.verify_headers(alg="RS512") is False
def test_import_rsa_key(): _ckey = import_private_rsa_key_from_file(full_path(KEY)) assert isinstance(_ckey, rsa.RSAPrivateKey) djwk = jwk_wrap(_ckey).to_dict() assert _eq(djwk.keys(), ["kty", "e", "n", "p", "q", "d"]) assert djwk[ "n"] == '5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKTVtuu3VvxrpOWvwnFV' \ '-NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6bHgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR-gxDbh_D5TXuUqScOOqR47vSpIbUH-nc' assert djwk['e'] == 'AQAB'
def decrypt_from_jwe(jwe): RSA_KEY = settings.UNITICKET_JWT_RSA_KEY_PATH JWE_ALG = settings.UNITICKET_JWE_ALG JWE_ENC = settings.UNITICKET_JWE_ENC priv_key = import_private_rsa_key_from_file(RSA_KEY) _decryptor = factory(jwe, alg=JWE_ALG, enc=JWE_ENC) _dkey = RSAKey(priv_key=priv_key) msg = _decryptor.decrypt(jwe, [_dkey]) return msg
def test_serialize_rsa_priv_key(): rsakey = RSAKey( priv_key=import_private_rsa_key_from_file(full_path("rsa.key"))) assert rsakey.d d_rsakey = rsakey.serialize(private=True) restored_key = RSAKey(**d_rsakey) assert restored_key == rsakey assert rsakey.has_private_key() assert restored_key.has_private_key()
def test_signer_ps384(): payload = "Please take a moment to register today" _pkey = import_private_rsa_key_from_file(PRIV_KEY) keys = [RSAKey(priv_key=_pkey)] # keys[0]._keytype = "private" _jws = JWS(payload, alg="PS384") _jwt = _jws.sign_compact(keys) vkeys = [RSAKey(pub_key=_pkey.public_key())] _rj = JWS(alg="PS384") info = _rj.verify_compact(_jwt, vkeys) assert info == payload
def pem2rsa(filename: str, kid: Optional[str] = None, private: bool = False, passphrase: Optional[str] = None) -> JWK: """Convert RSA key from PEM to JWK""" if private: key = import_private_rsa_key_from_file(filename, passphrase) else: key = import_public_rsa_key_from_file(filename) jwk = RSAKey(kid=kid) jwk.load_key(key) return jwk
def test_signer_ps512(): payload = "Please take a moment to register today" # Key has to be big enough > 512+512+2 _pkey = import_private_rsa_key_from_file(full_path("./size2048.key")) keys = [RSAKey(priv_key=_pkey)] # keys[0]._keytype = "private" _jws = JWS(payload, alg="PS512") _jwt = _jws.sign_compact(keys) vkeys = [RSAKey(pub_key=_pkey.public_key())] _rj = factory(_jwt, alg="PS512") info = _rj.verify_compact(_jwt, vkeys) assert info == payload assert _rj.verify_alg("PS512")
def test_signer_ps256_fail(): payload = "Please take a moment to register today" _pkey = import_private_rsa_key_from_file(PRIV_KEY) keys = [RSAKey(priv_key=_pkey)] # keys[0]._keytype = "private" _jws = JWS(payload, alg="PS256") _jwt = _jws.sign_compact(keys)[:-5] + "abcde" vkeys = [RSAKey(pub_key=_pkey.public_key())] _rj = JWS(alg="PS256") try: _rj.verify_compact(_jwt, vkeys) except BadSignature: pass else: assert False
def encrypt_to_jwe(content): """Returns a string a serialized encryption from cryptojwt.jwe.jwe_rsa.JWE_RSA """ if isinstance(content, dict): content = json.dumps(content).encode() elif isinstance(content, str): content = content.encode() if not isinstance(content, bytes): raise Exception('encrypt_to_jwe content must be a bytes object') priv_key = import_private_rsa_key_from_file(RSA_KEY) pub_key = priv_key.public_key() _rsa = JWE_RSA(content, alg=JWE_ALG, enc=JWE_ENC) jwe = _rsa.encrypt(pub_key) return jwe
def test_rs256_rm_signature(): payload = "Please take a moment to register today" _pkey = import_private_rsa_key_from_file(PRIV_KEY) keys = [RSAKey(priv_key=_pkey)] # keys[0]._keytype = "private" _jws = JWS(payload, alg="RS256") _jwt = _jws.sign_compact(keys) p = _jwt.split(".") _jwt = ".".join(p[:-1]) vkeys = [RSAKey(key=_pkey.public_key())] _rj = JWS() try: _ = _rj.verify_compact(_jwt, vkeys) except WrongNumberOfParts: pass else: assert False
def test_get_asym_key_all(): # When not marked for a special usage this key can be use for everything rsakey = RSAKey( priv_key=import_private_rsa_key_from_file(full_path("rsa.key"))) assert rsakey.appropriate_for("sign") assert rsakey.appropriate_for("verify") assert rsakey.appropriate_for("encrypt") assert rsakey.appropriate_for("decrypt") rsakey.use = "sig" # Now it can only be used for signing and signature verification assert rsakey.appropriate_for("sign") assert rsakey.appropriate_for("verify") for usage in ["encrypt", "decrypt"]: assert rsakey.appropriate_for(usage) is None rsakey.use = "enc" # Now it can only be used for encrypting and decrypting assert rsakey.appropriate_for("encrypt") assert rsakey.appropriate_for("decrypt") for usage in ["sign", "verify"]: assert rsakey.appropriate_for(usage) is None
def test_get_asym_key_all(): # When not marked for a special usage this key can be use for everything rsakey = RSAKey( priv_key=import_private_rsa_key_from_file(full_path("rsa.key"))) assert rsakey.appropriate_for('sign') assert rsakey.appropriate_for('verify') assert rsakey.appropriate_for('encrypt') assert rsakey.appropriate_for('decrypt') rsakey.use = 'sig' # Now it can only be used for signing and signature verification assert rsakey.appropriate_for('sign') assert rsakey.appropriate_for('verify') for usage in ['encrypt', 'decrypt']: assert rsakey.appropriate_for(usage) is None rsakey.use = 'enc' # Now it can only be used for encrypting and decrypting assert rsakey.appropriate_for('encrypt') assert rsakey.appropriate_for('decrypt') for usage in ['sign', 'verify']: assert rsakey.appropriate_for(usage) is None
def import_keys(self, keyspec): """ The client needs it's own set of keys. It can either dynamically create them or load them from local storage. This method can also fetch other entities keys provided the URL points to a JWKS. :param keyspec: """ for where, spec in keyspec.items(): if where == 'file': for typ, files in spec.items(): if typ == 'rsa': for fil in files: _key = RSAKey( key=import_private_rsa_key_from_file(fil), use='sig') _bundle = KeyBundle() _bundle.append(_key) self.keyjar.add_kb('', _bundle) elif where == 'url': for iss, url in spec.items(): _bundle = KeyBundle(source=url) self.keyjar.add_kb(iss, _bundle)
def test_create_signed_jwt_symmetric(self): settings.JWTAUTH_ALGORITHM = 'HS256' settings.JWTAUTH_KEY = b'a897dya9s78dyasdya9sdya9s7dya9sd7y' settings.JWTAUTH_CERT = None user = get_user_model().objects.create(**_user_dict) data = JWTConnectAuthTokenBuilder.build(user=user) logger.warn(json.dumps(data, indent=2)) assert data['access_token']['email'] == user.email jwts = JWTConnectAuthTokenBuilder.create( data, alg=settings.JWTAUTH_ALGORITHM) logger.info(json.dumps(jwts, indent=2)) assert 'access_token' in jwts.keys() assert 'refresh_token' in jwts.keys() atoken = JWTConnectAuthKeyHandler.decode_jwt(jwts['access_token']) assert isinstance(atoken, dict) settings.JWTAUTH_ALGORITHM = 'RS256' settings.JWTAUTH_KEY = import_private_rsa_key_from_file( 'certs/private.key') settings.JWTAUTH_CERT = import_public_key_from_cert_file( 'certs/public.cert')
def test_rsasigner_wrong_key_variant(): _pkey = import_private_rsa_key_from_file(PRIV_KEY) with pytest.raises(TypeError): RSASigner().sign(b"Message to whom it may concern", _pkey.public_key)
def test_pick_alg_dont_get_alg_from_single_key_if_already_specified(): expected_alg = "RS512" _pkey = import_private_rsa_key_from_file(PRIV_KEY) vkeys = [RSAKey(pub_key=_pkey.public_key())] alg = JWS(alg=expected_alg)._pick_alg(vkeys) assert alg == expected_alg
ctx, tag = encrypter.encrypt(orig_msg) encrypter.key = None with pytest.raises(MissingKey): encrypter.decrypt(ctx, iv=encrypter.iv, tag=b'12346567890') BASEDIR = os.path.abspath(os.path.dirname(__file__)) def full_path(local_file): return os.path.join(BASEDIR, local_file) KEY = full_path("rsa.key") priv_key = import_private_rsa_key_from_file(KEY) pub_key = priv_key.public_key() plain = b'Now is the time for all good men to come to the aid of their country.' def test_cek_reuse_encryption_rsaes_rsa15(): _rsa = JWE_RSA(plain, alg="RSA1_5", enc="A128CBC-HS256") jwt = _rsa.encrypt(pub_key) dec = JWE_RSA() msg = dec.decrypt(jwt, priv_key) assert msg == plain _rsa2 = JWE_RSA(plain, alg="RSA1_5", enc="A128CBC-HS256") jwt = _rsa2.encrypt(None, cek=dec["cek"]) dec2 = JWE_RSA()
from oidcmsg.oauth2 import AuthorizationResponse from oidcmsg.oauth2 import RefreshAccessTokenRequest from oidcmsg.oauth2 import ResponseMessage from oidcmsg.oidc import IdToken from oidcmsg.time_util import utc_time_sans_frac from oidcservice.exception import OidcServiceError from oidcservice.exception import ParseError from oidcrp.oauth2 import Client sys.path.insert(0, '.') _dirname = os.path.dirname(os.path.abspath(__file__)) BASE_PATH = os.path.join(_dirname, "data", "keys") _key = import_private_rsa_key_from_file(os.path.join(BASE_PATH, "rsa.key")) KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"}) CLIENT_ID = "client_1" IDTOKEN = IdToken(iss="http://oidc.example.org/", sub="sub", aud=CLIENT_ID, exp=utc_time_sans_frac() + 86400, nonce="N0nce", iat=time.time()) class DB(object): def __init__(self): self.db = {}
LANGUAGE_CODE = 'en-us' TIME_ZONE = 'UTC' USE_I18N = True USE_L10N = True USE_TZ = True # Static files (CSS, JavaScript, Images) # https://docs.djangoproject.com/en/3.1/howto/static-files/ STATIC_URL = '/static/' # JWTCONNECT SETTINGS JWTAUTH_KEY = import_private_rsa_key_from_file('certs/private.key') JWTAUTH_CERT = import_public_key_from_cert_file('certs/public.cert') JWTAUTH_ISSUER = 'http://localhost:8000' JWTAUTH_MULTIPLE_TOKENS = False REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework.authentication.BasicAuthentication', 'rest_framework.authentication.SessionAuthentication', # jwtconnect auth 'jwtconnect_auth.authentication.JWTConnectAuthBearer' ] }