def test_update_mark_inactive(): rsa_key = new_rsa_key() _jwks = {"keys": [rsa_key.serialize()]} fname = "tmp_jwks.json" with open(fname, "w") as fp: fp.write(json.dumps(_jwks)) kb = KeyBundle(source="file://{}".format(fname), fileformat="jwks") assert len(kb) == 1 # new set of keys rsa_key = new_rsa_key(alg="RS256") ec_key = new_ec_key(crv="P-256") _jwks = {"keys": [rsa_key.serialize(), ec_key.serialize()]} with open(fname, "w") as fp: fp.write(json.dumps(_jwks)) kb.update() # 2 active and 1 inactive assert len(kb) == 3 assert len(kb.active_keys()) == 2 assert len(kb.get("rsa")) == 1 assert len(kb.get("rsa", only_active=False)) == 2
def create_jwks(): from cryptojwt.jwk.rsa import new_rsa_key rsa_key = new_rsa_key() jwk_priv = rsa_key.serialize(private=True) # public jwk_pub = rsa_key.serialize() return jwk_priv, jwk_pub
def test_key_from_jwk_dict_rsa(): rsa_key = new_rsa_key() jwk = rsa_key.serialize(private=True) _key = key_from_jwk_dict(jwk) assert isinstance(_key, RSAKey) assert _key.has_private_key() _key2 = RSAKey(**jwk) assert isinstance(_key2, RSAKey) assert _key2.has_private_key()
def main(): """ Main function""" parser = argparse.ArgumentParser( description="JSON Web Key (JWK) Generator") parser.add_argument("--kty", dest="kty", metavar="type", help="Key type", required=True) parser.add_argument("--size", dest="keysize", type=int, metavar="size", help="Key size") parser.add_argument( "--crv", dest="crv", metavar="curve", help="EC curve", choices=NIST2SEC.keys(), default=DEFAULT_EC_CURVE, ) parser.add_argument( "--exp", dest="rsa_exp", type=int, metavar="exponent", help="RSA public key exponent (default {})".format(DEFAULT_RSA_EXP), default=DEFAULT_RSA_EXP, ) parser.add_argument("--kid", dest="kid", metavar="id", help="Key ID") args = parser.parse_args() if args.kty.upper() == "RSA": if args.keysize is None: args.keysize = DEFAULT_RSA_KEYSIZE jwk = new_rsa_key(public_exponent=args.rsa_exp, key_size=args.keysize, kid=args.kid) elif args.kty.upper() == "EC": if args.crv not in NIST2SEC: print("Unknown curve: {0}".format(args.crv), file=sys.stderr) exit(1) jwk = new_ec_key(crv=args.crv, kid=args.kid) elif args.kty.upper() == "SYM": if args.keysize is None: args.keysize = DEFAULT_SYM_KEYSIZE randomkey = os.urandom(args.keysize) jwk = SYMKey(key=randomkey, kid=args.kid) else: print("Unknown key type: {}".format(args.kty), file=sys.stderr) exit(1) jwk_dict = jwk.serialize(private=True) print(json.dumps(jwk_dict, sort_keys=True, indent=4)) print("SHA-256: " + jwk.thumbprint("SHA-256").decode(), file=sys.stderr)
def test_ignore_invalid_keys(): rsa_key_dict = new_rsa_key().serialize() rsa_key_dict["kty"] = "b0rken" kb = KeyBundle(keys={"keys": [rsa_key_dict]}, ignore_invalid_keys=True) assert len(kb) == 0 with pytest.raises(UnknownKeyType): KeyBundle(keys={"keys": [rsa_key_dict]}, ignore_invalid_keys=False)
def main(): """ Main function""" parser = argparse.ArgumentParser(description='JSON Web Key (JWK) Generator') parser.add_argument('--kty', dest='kty', metavar='type', help='Key type', required=True) parser.add_argument('--size', dest='keysize', type=int, metavar='size', help='Key size') parser.add_argument('--crv', dest='crv', metavar='curve', help='EC curve', choices=NIST2SEC.keys(), default=DEFAULT_EC_CURVE) parser.add_argument('--exp', dest='rsa_exp', type=int, metavar='exponent', help='RSA public key exponent (default {})'.format(DEFAULT_RSA_EXP), default=DEFAULT_RSA_EXP) parser.add_argument('--kid', dest='kid', metavar='id', help='Key ID') args = parser.parse_args() if args.kty.upper() == 'RSA': if args.keysize is None: args.keysize = DEFAULT_RSA_KEYSIZE jwk = new_rsa_key(public_exponent=args.rsa_exp, key_size=args.keysize, kid=args.kid) elif args.kty.upper() == 'EC': if args.crv not in NIST2SEC: print("Unknown curve: {0}".format(args.crv), file=sys.stderr) exit(1) jwk = new_ec_key(crv=args.crv, kid=args.kid) elif args.kty.upper() == 'SYM': if args.keysize is None: args.keysize = DEFAULT_SYM_KEYSIZE randomkey = os.urandom(args.keysize) jwk = SYMKey(key=randomkey, kid=args.kid) else: print("Unknown key type: {}".format(args.kty), file=sys.stderr) exit(1) jwk_dict = jwk.serialize(private=True) print(json.dumps(jwk_dict, sort_keys=True, indent=4)) print("SHA-256: " + jwk.thumbprint('SHA-256').decode(), file=sys.stderr)
def test_update_2(): rsa_key = new_rsa_key() _jwks = {"keys": [rsa_key.serialize()]} fname = "tmp_jwks.json" with open(fname, "w") as fp: fp.write(json.dumps(_jwks)) kb = KeyBundle(source="file://{}".format(fname), fileformat="jwks") assert len(kb) == 1 # Added one more key ec_key = new_ec_key(crv="P-256", key_ops=["sign"]) _jwks = {"keys": [rsa_key.serialize(), ec_key.serialize()]} with open(fname, "w") as fp: fp.write(json.dumps(_jwks)) kb.update() assert len(kb) == 2
created = alchemy_db.Column(alchemy_db.DateTime, default=datetime.datetime.utcnow) def __repr__(self): return '<Thing owned by %r>' % self.owner Base.metadata.create_all(engine) # ====================================================================== # JWK things from cryptojwt.jwk.rsa import new_rsa_key from cryptojwt.jwk.jwk import key_from_jwk_dict rsa_key = new_rsa_key() rsa_key.serialize(private=True) # get and set things in the alchemy_db from sqlalchemy.orm import sessionmaker Session = sessionmaker(bind=engine) session = Session() thing = Thing(owner='peppe', data=json.dumps(rsa_key.serialize(private=True))) # store in the alchemy_db, commit means we have in a transation session.add(thing) session.commit() # get an entry
("RSA", "RSA1_5", "A128CBC-HS256"), ("EC", "ECDH-ES", "A128GCM"), ], ) def test_to_jwe(keytype, alg, enc): msg = Message(a="foo", b="bar", c="tjoho") _jwe = msg.to_jwe(KEYJAR.get_encrypt_key(keytype, ""), alg=alg, enc=enc) with pytest.raises(HeaderError): Message().from_jwt(_jwe, KEYJAR, encalg="RSA-OAEP", encenc=enc) with pytest.raises(HeaderError): Message().from_jwt(_jwe, KEYJAR, encenc="A256CBC-HS512", encalg=alg) NEW_KEYJAR = KEYJAR.copy() kb = KeyBundle() k = new_rsa_key() NEW_KID = k.kid kb.append(k) NEW_KEYJAR.add_kb("", kb) def test_no_suitable_keys(): keytype = "RSA" alg = "RS256" msg = Message(a="foo", b="bar", c="tjoho") _jwt = msg.to_jwt(NEW_KEYJAR.get_signing_key(keytype, "", kid=NEW_KID), alg) with pytest.raises(NoSuitableSigningKeys): Message().from_jwt(_jwt, KEYJAR)
import os from cryptojwt.jwk.ec import new_ec_key from cryptojwt.jwk.hmac import SYMKey from cryptojwt.jwk.rsa import new_rsa_key from cryptojwt.jwk.wrap import unwrap_key from cryptojwt.jwk.wrap import wrap_key __author__ = "jschlyter" WRAPPING_KEYS = [ SYMKey(use="enc", key=os.urandom(32)), new_ec_key(crv="P-256"), new_ec_key(crv="P-384"), new_rsa_key(size=2048), new_rsa_key(size=4096), ] SECRET_KEYS = [ SYMKey(use="enc", key=os.urandom(32)), new_ec_key(crv="P-256"), new_rsa_key(size=2048), ] def test_wrap_default(): for wrapping_key in WRAPPING_KEYS: for key in SECRET_KEYS: wrapped_key = wrap_key(key, wrapping_key) unwrapped_key = unwrap_key(wrapped_key, [wrapping_key]) assert key == unwrapped_key
self.storage.set(name, value) def append(self, name_id, item): _list = self.storage.get(name_id) if _list: _list.append(self._data_to_db(item)) self.update(name_id, _list) else: self.set(name_id, item) # is it needed? #def extend(self, name_id, items): #_list = self.storage.get(name_id) #_list.extend(name_id, items) #self.update(name_id, _list) def copy(self): raise NotImplemented() # POC _list = JWKList(ABS_STORAGE_SQLALCHEMY) _list.set('ciao', new_rsa_key()) _list _list.append('ciao', new_rsa_key()) _list _list.delete('ciao')
def test_new_rsa_key(): key = new_rsa_key() assert isinstance(key, RSAKey) assert key.priv_key
def test_get_audience_and_algorithm_default_alg(self, entity): _service_context = entity.client_get("service_context") _service_context.token_endpoint = "https://example.com/token" _service_context.provider_info = { 'issuer': 'https://example.com/', 'token_endpoint': "https://example.com/token" } _service_context.registration_response = { 'token_endpoint_auth_signing_alg': "HS256" } csj = ClientSecretJWT() request = AccessTokenRequest() _service_context.registration_response = {} token_service = entity.client_get("service", 'accesstoken') # Add a RSA key to be able to handle default _kb = KeyBundle() _rsa_key = new_rsa_key() _kb.append(_rsa_key) _service_context.keyjar.add_kb("", _kb) # Since I have a RSA key this doesn't fail csj.construct(request, service=token_service, authn_endpoint='token_endpoint') _jws = factory(request["client_assertion"]) assert _jws.jwt.headers["alg"] == "RS256" assert _jws.jwt.headers["kid"] == _rsa_key.kid # By client preferences request = AccessTokenRequest() _service_context.client_preferences = { "token_endpoint_auth_signing_alg": "RS512" } csj.construct(request, service=token_service, authn_endpoint='token_endpoint') _jws = factory(request["client_assertion"]) assert _jws.jwt.headers["alg"] == "RS512" assert _jws.jwt.headers["kid"] == _rsa_key.kid # Use provider information is everything else fails request = AccessTokenRequest() _service_context.client_preferences = {} _service_context.provider_info[ "token_endpoint_auth_signing_alg_values_supported"] = [ "ES256", "RS256" ] csj.construct(request, service=token_service, authn_endpoint='token_endpoint') _jws = factory(request["client_assertion"]) # Should be RS256 since I have no key for ES256 assert _jws.jwt.headers["alg"] == "RS256" assert _jws.jwt.headers["kid"] == _rsa_key.kid
def get(self): return self._get_list() def set(self, items): value = [self.io.serialize(v) for v in items] if self.storage.get(self.name): del self.storage[self.name] self.storage.set(self.name, value) if __name__ == "__main__": # POC from cryptojwt.jwk.rsa import new_rsa_key ABS_STORAGE_SQLALCHEMY = dict(driver='sqlalchemy', url='sqlite:///:memory:', params=dict(table='Thing'), handler=AbstractStorageSQLAlchemy) _list = ASList(ABS_STORAGE_SQLALCHEMY, io_class=JWK_IO) _rsa1 = new_rsa_key() _rsa2 = new_rsa_key() _list.append(_rsa1) _list.append(_rsa2) # should be 2 keys by now print('len:', len(_list)) print('Has key1:', _rsa1 in _list) del _list