def test_get_signing_key_use_undefined():
kj = KeyJar()
kj.import_jwks(JWK1, '')
keys = kj.get_signing_key(kid='rsa1')
assert len(keys) == 1
keys = kj.get_signing_key(key_type='rsa')
assert len(keys) == 1
keys = kj.get_signing_key(key_type='rsa', kid='rsa1')
assert len(keys) == 1
def test_get_signing_key_use_undefined():
kj = KeyJar()
kj.import_jwks(JWK1, '')
keys = kj.get_signing_key(kid='rsa1')
assert len(keys) == 1
keys = kj.get_signing_key(key_type='rsa')
assert len(keys) == 1
keys = kj.get_signing_key(key_type='rsa', kid='rsa1')
assert len(keys) == 1
def test_get_signing_key_use_undefined():
kj = KeyJar()
kj.import_jwks(JWK1, "")
keys = kj.get_signing_key(kid="rsa1")
assert len(keys) == 1
keys = kj.get_signing_key(key_type="rsa")
assert len(keys) == 1
keys = kj.get_signing_key(key_type="rsa", kid="rsa1")
assert len(keys) == 1
def test_get_inactive_sig(self):
"""get_signing_key cannot return inactive `sig` key."""
ks = KeyJar()
ks['http://example.com'] = KeyBundle([{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}])
ks['http://example.com'][0]._keys[0].inactive_since = 1
key = ks.get_signing_key(owner='http://example.com')
assert len(key) == 0
def test_get_inactive_sig(self):
"""get_signing_key cannot return inactive `sig` key."""
ks = KeyJar()
ks['http://example.com'] = KeyBundle(
[{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}])
ks['http://example.com'][0]._keys[0].inactive_since = 1
key = ks.get_signing_key(owner='http://example.com')
assert len(key) == 0
def test_local_jwk_file():
kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"])
assert len(kb) == 1
kj = KeyJar()
kj.issuer_keys[""] = [kb]
keys = kj.get_signing_key()
assert len(keys) == 1
key = keys[0]
assert isinstance(key, RSAKey)
assert key.kid == "abc"
def test_local_jwk_file():
kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"])
assert len(kb) == 1
kj = KeyJar()
kj.issuer_keys[""] = [kb]
keys = kj.get_signing_key()
assert len(keys) == 1
key = keys[0]
assert isinstance(key, RSAKey)
assert key.kid == "abc"
class KeyBundle(keyio.KeyBundle):
def __init__(self,
keys=None,
source="",
cache_time=300,
verify_ssl=True,
fileformat="jwk",
keytype="RSA",
keyusage=None,
verify_keys=None):
super(KeyBundle, self).__init__(keys=keys,
source=source,
cache_time=cache_time,
verify_ssl=verify_ssl,
fileformat=fileformat,
keytype=keytype,
keyusage=keyusage)
if verify_keys is not None:
if isinstance(verify_keys, KeyJar):
self.verify_keys = verify_keys
else:
self.verify_keys = KeyJar()
self.verify_keys.import_jwks(verify_keys, '')
def _parse_remote_response(self, response):
"""
Parse simple JWKS or signed JWKS from the HTTP response.
:param response: HTTP response from the 'jwks_uri' or 'signed_jwks_uri'
endpoint
:return: response parsed as JSON
"""
# Check if the content type is the right one.
try:
if response.headers["Content-Type"] == 'application/json':
logger.debug("Loaded JWKS: %s from %s" %
(response.text, self.source))
try:
return json.loads(response.text)
except ValueError:
return None
elif response.headers["Content-Type"] == 'application/jose':
logger.debug("Signed JWKS: %s from %s" %
(response.text, self.source))
_jws = factory(response.text)
_resp = _jws.verify_compact(
response.text, keys=self.verify_keys.get_signing_key())
return _resp
else:
logger.error('Wrong content type: {}'.format(
response.headers['Content-Type']))
return None
except KeyError:
pass
def test_signing():
kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"])
assert len(kb) == 1
kj = KeyJar()
kj.issuer_keys[""] = [kb]
keys = kj.get_signing_key()
payload = "Please take a moment to register today"
_jws = JWS(payload, alg="RS512")
try:
_jwt = _jws.sign_compact(keys)
assert False
except (NoSuitableSigningKeys, WrongTypeOfKey):
assert True
def test_signing():
# Signing is only possible if key is a private RSA key
kb = keybundle_from_local_file("rsa.key", "rsa", ["ver", "sig"])
assert len(kb) == 2
kj = KeyJar()
kj.issuer_keys[""] = [kb]
keys = kj.get_signing_key()
payload = "Please take a moment to register today"
_jws = JWS(payload, alg="RS512")
try:
_jwt = _jws.sign_compact(keys)
assert True
except (NoSuitableSigningKeys, WrongTypeOfKey):
assert False
def test_signing():
# Signing is only possible if key is a private RSA key
kb = keybundle_from_local_file("rsa.key", "rsa", ["ver", "sig"])
assert len(kb) == 2
kj = KeyJar()
kj.issuer_keys[""] = [kb]
keys = kj.get_signing_key()
payload = "Please take a moment to register today"
_jws = JWS(payload, alg="RS512")
try:
_jwt = _jws.sign_compact(keys)
assert True
except (NoSuitableSigningKeys, WrongTypeOfKey):
assert False
class TestBackchannelLogout(object):
@pytest.fixture(autouse=True)
def setup(self):
self.kj = KeyJar()
self.kj.add_symmetric("", "dYMmrcQksKaPkhdgRNYk3zzh5l7ewdDJ", ["sig"])
self.key = self.kj.get_signing_key("oct")
lt = LogoutToken(
iss="https://example.com",
aud=["https://rp.example.org"],
events={BACK_CHANNEL_LOGOUT_EVENT: {}},
iat=utc_time_sans_frac(),
jti=rndstr(16),
sub="https://example.com/sub",
)
self.signed_jwt = lt.to_jwt(key=self.key, algorithm="HS256")
def test_verify_with_keyjar(self):
bclr = BackChannelLogoutRequest(logout_token=self.signed_jwt)
assert bclr.verify(keyjar=self.kj)
# The signed JWT is replaced by a dictionary with all the verified values
assert bclr["logout_token"]["iss"] == "https://example.com"
def test_verify_with_key(self):
bclr = BackChannelLogoutRequest(logout_token=self.signed_jwt)
assert bclr.verify(key=self.key)
# The signed JWT is replaced by a dictionary with all the verified values
assert bclr["logout_token"]["iss"] == "https://example.com"
def test_bogus_logout_token(self):
lt = LogoutToken(
iss="https://example.com",
aud=["https://rp.example.org"],
events={BACK_CHANNEL_LOGOUT_EVENT: {}},
iat=utc_time_sans_frac(),
jti=rndstr(16),
nonce=rndstr(16),
)
signed_jwt = lt.to_jwt(key=self.key, algorithm="HS256")
bclr = BackChannelLogoutRequest(logout_token=signed_jwt)
with pytest.raises(MessageException):
bclr.verify(key=self.key)
def get_signed_keys(self, uri, signing_keys):
"""
:param uri: Where the signed JWKS can be found
:param signing_keys: Dictionary representation of a JWKS
:return: list of KeyBundle instances or None
"""
r = self.server.http_request(uri, allow_redirects=True)
if r.status_code == 200:
_skj = KeyJar()
_skj.import_jwks(signing_keys, '')
_jws = factory(r.text)
_jwks = _jws.verify_compact(r.text, Keys=_skj.get_signing_key())
_kj = KeyJar()
_kj.import_jwks(json.loads(_jwks), '')
return _kj.issuer_keys['']
else:
return None
from jwkest.jws import alg2keytype
from oic.oic.message import IdToken
from oic.utils.keyio import KeyBundle, KeyJar
__author__ = 'rohe0002'
b0 = KeyBundle(source="http://localhost:8090/exports/jwk.json", src_type="jwk",
usage=["ver", "dec", "sig"])
b1 = KeyBundle(source="http://localhost:8090/exports/cert.pem", src_type="x509",
usage=["ver", "dec", "sig"])
print b0
print b1
kj = KeyJar()
kj["foobar"] = [b0, b1]
idt = IdToken().from_dict({"user_id": "diana", "aud": "uo5nowsdL3ck",
"iss": "https://localhost:8092", "acr": "2",
"exp": 1354442188, "iat": 1354359388})
ckey = kj.get_signing_key(alg2keytype("RS256"), "foobar")
_signed_jwt = idt.to_jwt(key=ckey, algorithm="RS256")
