def test_sign1_verify_unprotected_kid():
    """Sign with ``kid_protected=False`` and check that the result still verifies.

    The verified result must carry the original payload and must not be
    reported as expired.
    """
    # NOTE(review): kid_protected=False presumably places the key id in the
    # COSE unprotected header, which the signature does not cover. If so, the
    # kid can only select a candidate key and is not an authenticated claim.
    # Confirm against sign().
    signing_key, verification_key = gen_keypair()
    token = sign(
        signing_key,
        "hello",
        3600,
        {"test": True},
        kid_protected=False,
    )

    result = verify(token, [verification_key])

    assert result.eu_dgc_v1.get("test") is True
    assert result.expired is False
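def process_hc1_cwt(signed_data: bytes, public_keys):
    """Verify a signed HC1 CWT and log its issuer, key id, validity and payload.

    Args:
        signed_data: Raw signed CWT bytes, passed to ``verify`` unchanged.
        public_keys: Candidate verification keys, passed to ``verify`` unchanged.

    Returns:
        None. The outcome is reported through ``logger`` only.

    Note:
        An expired signature and a missing EU HCERT payload are logged as
        warnings; this function does not reject on either. It is a reporting
        helper. A caller that needs an accept/reject decision must check
        ``expired`` and the payload on the ``verify`` result itself.
    """
    res = verify(signed_data=signed_data, public_keys=public_keys)

    logger.info("Signature issued by: %s", res.iss)
    logger.info("Signature verified by: %s", b64e(res.kid).decode())
    logger.info("Signature issued at: %s", res.iat)

    if res.expired:
        # Expiry is reported here, not enforced.
        logger.warning("Signature expired at: %s", res.exp)
    else:
        logger.info("Signature expires at: %s", res.exp)

    if res.eu_dgc_v1 is None:
        logger.warning("No EU HCERT version 1 found in payload")
    else:
        # Only dump a payload that exists, so the log never shows
        # "Verified payload: null" right after the warning above.
        logger.info("Verified payload: %s", json.dumps(res.eu_dgc_v1, indent=4))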
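# Derive the public verification key from cert_pem by way of a JWK dict.
jwk_dict = pem_to_jwk_dict(cert_pem)
public_key = cosekey_from_jwk_dict(jwk_dict, private=False)

reference_payload = testdata.get("JSON")
optical_payload = testdata["PREFIX"]

# Consistency checks on the test vector itself. They are plain asserts and are
# stripped under `python -O`, so they are not a validation layer.
assert optical_payload.startswith("HC1:")
if (base45_payload := testdata.get("BASE45")):
    assert optical_payload[4:] == base45_payload
else:
    # No separate BASE45 field: take everything after the "HC1:" prefix.
    base45_payload = optical_payload[4:]

# NOTE(review): decoding and decompression run before the signature is
# checked, so they operate on unauthenticated input. Confirm that
# decode_and_decompress bounds the decompressed size.
signed_data = decode_and_decompress(base45_payload.encode())

# Only the key derived from cert_pem is offered to verify().
# NOTE(review): res.expired is not consulted in this snippet. Confirm that is
# intended for these test vectors.
res = verify(signed_data=signed_data, public_keys=[public_key])
logger.info("Signature verified")

# Guard the same attribute that is compared below. The original tested
# `eu_dcc_v1`, while every other access on this page reads `eu_dgc_v1`, so the
# None check and the comparison could refer to different fields.
if res.eu_dgc_v1 is None:
    logger.warning("No EU DCC version 1 found in payload")
    sys.exit(-1)

if reference_payload:
    # Compare canonical forms so the diff reflects content differences only.
    reference_serialized = canonicalize_dict(reference_payload)
    verified_serialized = canonicalize_dict(res.eu_dgc_v1)
    ddiff = DeepDiff(reference_serialized, verified_serialized)
    if ddiff:
        logger.error("Reference data does not match payload")
        print(json.dumps(ddiff, indent=4))
        sys.exit(-1)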