def test_new_keydata_primitive_success(self, template):
    """Check kid handling when MACing and verifying with a new key.

    A key is generated from ``template``. One token is produced with kid
    'kid-123' and one with no kid, and each is verified under the kid
    expectations listed in the body.

    Args:
        template: Key template handed to ``new_key_data``. Its origin is not
            visible here (presumably a parameterized decorator).
    """
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    mac = manager.primitive(manager.new_key_data(template))

    unsigned = jwt.new_raw_jwt(
        type_header='typeHeader', issuer='issuer', without_expiration=True)
    # fixed_now pins the validator's clock so the result does not depend on
    # the wall-clock time of the test run.
    checker = jwt.new_validator(
        expected_type_header='typeHeader',
        expected_issuer='issuer',
        allow_missing_expiration=True,
        fixed_now=DATETIME_1970)

    kid_token = mac.compute_mac_and_encode_with_kid(unsigned, kid='kid-123')
    bare_token = mac.compute_mac_and_encode_with_kid(unsigned, kid=None)

    # Token that carries a kid: the matching kid verifies and the claims
    # survive the round trip.
    decoded = mac.verify_mac_and_decode_with_kid(
        kid_token, checker, kid='kid-123')
    self.assertEqual(decoded.type_header(), 'typeHeader')
    self.assertEqual(decoded.issuer(), 'issuer')

    # kid=None on the verifier side is expected to accept a token that
    # carries a kid; only a mismatching kid is rejected. A caller that relies
    # on the kid to bind a token to one key therefore has to pass it.
    mac.verify_mac_and_decode_with_kid(kid_token, checker, kid=None)
    with self.assertRaises(tink.TinkError):
        mac.verify_mac_and_decode_with_kid(kid_token, checker, kid='other-kid')

    # Token without a kid: accepted only when the verifier expects no kid.
    mac.verify_mac_and_decode_with_kid(bare_token, checker, kid=None)
    with self.assertRaises(tink.TinkError):
        mac.verify_mac_and_decode_with_kid(bare_token, checker, kid='kid-123')
def test_new_keydata_primitive_success(self, template):
    """Round-trip a JWT through a primitive built from a new key.

    The token is MACed with ``compute_mac_and_encode`` and must verify with
    a validator whose clock is fixed at DATETIME_1970, returning the issuer
    that was put in.

    Args:
        template: Key template handed to ``new_key_data``. Its origin is not
            visible here (presumably a parameterized decorator).
    """
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    mac = manager.primitive(manager.new_key_data(template))

    token = mac.compute_mac_and_encode(jwt.new_raw_jwt(issuer='issuer'))
    checker = jwt.new_validator(fixed_now=DATETIME_1970)
    decoded = mac.verify_mac_and_decode(token, checker)

    self.assertEqual(decoded.issuer(), 'issuer')
def create_fixed_jwt_hmac() -> jwt.JwtMac:
    """Build a JwtMac primitive around a fixed, publicly known HMAC key.

    The key is the test example from
    https://tools.ietf.org/html/rfc7515#appendix-A.1.1. Because it is
    published, it is suitable only as a deterministic test fixture and never
    as real key material.

    Returns:
        The primitive produced by MacCcToPyJwtMacKeyManager for that key.
    """
    rfc_key_b64 = (b'AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_'
                   b'T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow')
    # The RFC prints the key as unpadded base64url; urlsafe_b64decode needs
    # the length to be a multiple of four, so the missing '=' are restored.
    missing_padding = -len(rfc_key_b64) % 4
    raw_key = base64.urlsafe_b64decode(rfc_key_b64 + b'=' * missing_padding)

    hmac_key_proto = jwt_hmac_pb2.JwtHmacKey(
        version=0, hash_type=common_pb2.SHA256, key_value=raw_key)
    fixed_key_data = tink_pb2.KeyData(
        type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
        key_material_type=tink_pb2.KeyData.SYMMETRIC,
        value=hmac_key_proto.SerializeToString())

    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    return manager.primitive(fixed_key_data)
def test_new_keydata_primitive_success(self, template):
    """Round-trip a JWT that was MACed with an explicit ``None`` kid.

    The token is produced with ``compute_mac_and_encode_with_kid(raw_jwt,
    None)`` and must verify through the plain ``verify_mac_and_decode`` path
    with the type header and issuer intact.

    Args:
        template: Key template handed to ``new_key_data``. Its origin is not
            visible here (presumably a parameterized decorator).
    """
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    mac = manager.primitive(manager.new_key_data(template))

    unsigned = jwt.new_raw_jwt(
        type_header='typeHeader', issuer='issuer', without_expiration=True)
    token = mac.compute_mac_and_encode_with_kid(unsigned, None)

    # The token has no expiration, so the validator must allow that
    # explicitly; fixed_now pins its clock for a deterministic run.
    checker = jwt.new_validator(
        expected_type_header='typeHeader',
        expected_issuer='issuer',
        allow_missing_expiration=True,
        fixed_now=DATETIME_1970)
    decoded = mac.verify_mac_and_decode(token, checker)

    self.assertEqual(decoded.type_header(), 'typeHeader')
    self.assertEqual(decoded.issuer(), 'issuer')
def test_basic(self):
    """Check the key manager's advertised primitive class and key type URL."""
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    expected_type_url = 'type.googleapis.com/google.crypto.tink.JwtHmacKey'

    self.assertEqual(manager.primitive_class(), jwt.JwtMac)
    self.assertEqual(manager.key_type(), expected_type_url)
def create_fixed_jwt_hmac() -> _jwt_mac.JwtMacInternal:
    """Build the JWT MAC primitive for the key data from ``_fixed_key_data``.

    Returns:
        The primitive MacCcToPyJwtMacKeyManager creates for that key data.
    """
    fixed_key = _fixed_key_data()
    manager = _jwt_hmac_key_manager.MacCcToPyJwtMacKeyManager()
    return manager.primitive(fixed_key)