class JwtKeyTemplatesTest(parameterized.TestCase):
  """Pins the JWT key templates to golden testdata and checks the int encoder.

  Comparing each template against the stored testdata catches an accidental
  change to a template's algorithm, key size or output prefix, which would
  otherwise only show up as an interoperability failure much later.
  """

  # (testdata name, template) pairs; each template must equal the golden
  # template stored under that name in the 'jwt' testdata directory.
  _GOLDEN_TEMPLATES = [
      ('JWT_HS256', jwt.jwt_hs256_template()),
      ('JWT_HS384', jwt.jwt_hs384_template()),
      ('JWT_HS512', jwt.jwt_hs512_template()),
      ('JWT_ES256', jwt.jwt_es256_template()),
      ('JWT_ES384', jwt.jwt_es384_template()),
      ('JWT_ES512', jwt.jwt_es512_template()),
      ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()),
      ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()),
      ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()),
      ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()),
      ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()),
      ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()),
      ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()),
      ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()),
  ]

  @parameterized.parameters(*_GOLDEN_TEMPLATES)
  def test_template(self, name, tmpl):
    """The in-code template must match the golden file of the same name."""
    golden = helper.template_from_testdata(name, 'jwt')
    self.assertEqual(tmpl, golden)

  # Minimal big-endian encoding: 0 still yields one zero byte, and 65537
  # (the RSA public exponent the *_F4 templates are named after) yields
  # exactly the three bytes 01 00 01.
  @parameterized.named_parameters(('0', 0, b'\x00'),
                                  ('256', 256, b'\x01\x00'),
                                  ('65537', 65537, b'\x01\x00\x01'))
  def test_num_to_bytes(self, value, want):
    """_num_to_bytes must produce the expected big-endian byte string."""
    got = jwt._jwt_key_templates._num_to_bytes(value)
    self.assertEqual(got, want)
class JwtKeyTemplatesTest(parameterized.TestCase):
  """Golden-file checks for the JWT templates plus an HMAC round trip.

  Comparing each template against the stored testdata catches an accidental
  change to a template's algorithm, key size or output prefix, which would
  otherwise only show up as an interoperability failure much later.
  """

  # (testdata name, template) pairs; each template must equal the golden
  # template stored under that name in the 'jwt' testdata directory.
  _GOLDEN_TEMPLATES = [
      ('JWT_HS256', jwt.jwt_hs256_template()),
      ('JWT_HS384', jwt.jwt_hs384_template()),
      ('JWT_HS512', jwt.jwt_hs512_template()),
      ('JWT_ES256', jwt.jwt_es256_template()),
      ('JWT_ES384', jwt.jwt_es384_template()),
      ('JWT_ES512', jwt.jwt_es512_template()),
      ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()),
      ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()),
      ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()),
      ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()),
      ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()),
      ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()),
      ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()),
      ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()),
  ]

  # The HMAC-based templates only; these are exercised end to end below.
  _MAC_TEMPLATES = [
      ('JWT_HS256', jwt.jwt_hs256_template()),
      ('JWT_HS384', jwt.jwt_hs384_template()),
      ('JWT_HS512', jwt.jwt_hs512_template()),
  ]

  @parameterized.parameters(*_GOLDEN_TEMPLATES)
  def test_template(self, name, tmpl):
    """The in-code template must match the golden file of the same name."""
    golden = helper.template_from_testdata(name, 'jwt')
    self.assertEqual(tmpl, golden)

  # Minimal big-endian encoding: 0 still yields one zero byte, and 65537
  # (the RSA public exponent the *_F4 templates are named after) yields
  # exactly the three bytes 01 00 01.
  @parameterized.named_parameters(('0', 0, b'\x00'),
                                  ('256', 256, b'\x01\x00'),
                                  ('65537', 65537, b'\x01\x00\x01'))
  def test_num_to_bytes(self, value, want):
    """_num_to_bytes must produce the expected big-endian byte string."""
    got = jwt._jwt_key_templates._num_to_bytes(value)
    self.assertEqual(got, want)

  @parameterized.named_parameters(*_MAC_TEMPLATES)
  def test_mac_success(self, key_template):
    """A token MACed under a fresh key must verify and decode unchanged.

    NOTE(review): the token carries no expiration and the validator is the
    default one, so nothing here pins the issuer or the lifetime. A later
    revision of this test in the same file passes expected_issuer and
    allow_missing_expiration explicitly; keep that in mind if the library's
    defaults become stricter.
    """
    mac = tink.new_keyset_handle(key_template).primitive(jwt.JwtMac)
    raw = jwt.new_raw_jwt(issuer='issuer', subject='subject')
    compact = mac.compute_mac_and_encode(raw)
    decoded = mac.verify_mac_and_decode(compact, jwt.new_validator())
    self.assertEqual(decoded.issuer(), raw.issuer())
    self.assertEqual(decoded.subject(), raw.subject())
prf.prf_key_templates.AES_CMAC, 'HMAC_PRF_SHA256': prf.prf_key_templates.HMAC_SHA256, 'HMAC_PRF_SHA512': prf.prf_key_templates.HMAC_SHA512, 'HKDF_PRF_SHA256': prf.prf_key_templates.HKDF_SHA256, 'JWT_HS256': jwt.jwt_hs256_template(), 'JWT_HS256_RAW': jwt.raw_jwt_hs256_template(), 'JWT_HS384': jwt.jwt_hs384_template(), 'JWT_HS384_RAW': jwt.raw_jwt_hs384_template(), 'JWT_HS512': jwt.jwt_hs512_template(), 'JWT_HS512_RAW': jwt.raw_jwt_hs512_template(), 'JWT_ES256': jwt.jwt_es256_template(), 'JWT_ES256_RAW': jwt.raw_jwt_es256_template(), 'JWT_ES384': jwt.jwt_es384_template(), 'JWT_ES384_RAW': jwt.raw_jwt_es384_template(), 'JWT_ES512': jwt.jwt_es512_template(), 'JWT_ES512_RAW': jwt.raw_jwt_es512_template(), 'JWT_RS256_2048_F4': jwt.jwt_rs256_2048_f4_template(), 'JWT_RS256_2048_F4_RAW': jwt.raw_jwt_rs256_2048_f4_template(), 'JWT_RS256_3072_F4': jwt.jwt_rs256_3072_f4_template(), 'JWT_RS256_3072_F4_RAW': jwt.raw_jwt_rs256_3072_f4_template(), 'JWT_RS384_3072_F4': jwt.jwt_rs384_3072_f4_template(), 'JWT_RS384_3072_F4_RAW': jwt.raw_jwt_rs384_3072_f4_template(), 'JWT_RS512_4096_F4': jwt.jwt_rs512_4096_f4_template(), 'JWT_RS512_4096_F4_RAW': jwt.raw_jwt_rs512_4096_f4_template(), 'JWT_PS256_2048_F4': jwt.jwt_ps256_2048_f4_template(), 'JWT_PS256_2048_F4_RAW': jwt.raw_jwt_ps256_2048_f4_template(), 'JWT_PS256_3072_F4': jwt.jwt_ps256_3072_f4_template(), 'JWT_PS256_3072_F4_RAW': jwt.raw_jwt_ps256_3072_f4_template(),
class JwtKeyTemplatesTest(parameterized.TestCase):
  """Round-trips one token through every JWT key template.

  Both the TINK and the RAW variant of each algorithm are listed; the test
  only checks that each template can sign (or MAC) and then verify its own
  output. It does not distinguish the two variants from each other.
  """

  def _token(self):
    # No expiration is set, so the round trip cannot fail on wall-clock
    # time; the validator below tolerates that explicitly.
    return jwt.new_raw_jwt(
        issuer='issuer', subject='subject', without_expiration=True)

  def _validator(self):
    # Pin the issuer so verification checks a claim, not only the signature.
    return jwt.new_validator(
        expected_issuer='issuer', allow_missing_expiration=True)

  @parameterized.named_parameters([
      ('JWT_HS256', jwt.jwt_hs256_template()),
      ('JWT_HS256_RAW', jwt.raw_jwt_hs256_template()),
      ('JWT_HS384', jwt.jwt_hs384_template()),
      ('JWT_HS384_RAW', jwt.raw_jwt_hs384_template()),
      ('JWT_HS512', jwt.jwt_hs512_template()),
      ('JWT_HS512_RAW', jwt.raw_jwt_hs512_template()),
  ])
  def test_mac_success(self, key_template):
    """A token MACed under a fresh key verifies and decodes unchanged."""
    mac = tink.new_keyset_handle(key_template).primitive(jwt.JwtMac)
    raw = self._token()
    compact = mac.compute_mac_and_encode(raw)
    decoded = mac.verify_mac_and_decode(compact, self._validator())
    self.assertEqual(decoded.issuer(), raw.issuer())
    self.assertEqual(decoded.subject(), raw.subject())

  @parameterized.named_parameters([
      ('JWT_ES256', jwt.jwt_es256_template()),
      ('JWT_ES256_RAW', jwt.raw_jwt_es256_template()),
      ('JWT_ES384', jwt.jwt_es384_template()),
      ('JWT_ES384_RAW', jwt.raw_jwt_es384_template()),
      ('JWT_ES512', jwt.jwt_es512_template()),
      ('JWT_ES512_RAW', jwt.raw_jwt_es512_template()),
      ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()),
      ('JWT_RS256_2048_F4_RAW', jwt.raw_jwt_rs256_2048_f4_template()),
      ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()),
      ('JWT_RS256_3072_F4_RAW', jwt.raw_jwt_rs256_3072_f4_template()),
      ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()),
      ('JWT_RS384_3072_F4_RAW', jwt.raw_jwt_rs384_3072_f4_template()),
      ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()),
      ('JWT_RS512_4096_F4_RAW', jwt.raw_jwt_rs512_4096_f4_template()),
      ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()),
      ('JWT_PS256_2048_F4_RAW', jwt.raw_jwt_ps256_2048_f4_template()),
      ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()),
      ('JWT_PS256_3072_F4_RAW', jwt.raw_jwt_ps256_3072_f4_template()),
      ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()),
      ('JWT_PS384_3072_F4_RAW', jwt.raw_jwt_ps384_3072_f4_template()),
      ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()),
      ('JWT_PS512_4096_F4_RAW', jwt.raw_jwt_ps512_4096_f4_template()),
  ])
  def test_new_keydata_primitive_success(self, template):
    """A token signed by a fresh private key verifies under its public key."""
    private_handle = tink.new_keyset_handle(template)
    signer = private_handle.primitive(jwt.JwtPublicKeySign)
    verifier = private_handle.public_keyset_handle().primitive(
        jwt.JwtPublicKeyVerify)
    compact = signer.sign_and_encode(self._token())
    decoded = verifier.verify_and_decode(compact, self._validator())
    self.assertEqual(decoded.issuer(), 'issuer')
    self.assertEqual(decoded.subject(), 'subject')
'JWT_HS256_RAW': jwt.raw_jwt_hs256_template(), 'JWT_HS384': jwt.jwt_hs384_template(), 'JWT_HS384_RAW': jwt.raw_jwt_hs384_template(), 'JWT_HS512': jwt.jwt_hs512_template(), 'JWT_HS512_RAW': jwt.raw_jwt_hs512_template(), 'JWT_ES256': jwt.jwt_es256_template(), 'JWT_ES256_RAW': jwt.raw_jwt_es256_template(), 'JWT_ES384': jwt.jwt_es384_template(), 'JWT_ES384_RAW': jwt.raw_jwt_es384_template(), 'JWT_ES512': jwt.jwt_es512_template(), 'JWT_ES512_RAW': jwt.raw_jwt_es512_template(), 'JWT_RS256_2048_F4': jwt.jwt_rs256_2048_f4_template(), 'JWT_RS256_2048_F4_RAW': jwt.raw_jwt_rs256_2048_f4_template(), 'JWT_RS256_3072_F4': jwt.jwt_rs256_3072_f4_template(), 'JWT_RS256_3072_F4_RAW': jwt.raw_jwt_rs256_3072_f4_template(), 'JWT_RS384_3072_F4':
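def test_key_rotation(self, old_key_tmpl, new_key_tmpl):
  """Walks a keyset through a rotation and pins which snapshot verifies what.

  Args:
    old_key_tmpl: template of the key that is primary before the rotation.
    new_key_tmpl: template of the key that is added and then promoted.

  Four keyset snapshots are taken from one builder:
    1: only the old key, primary.
    2: old key still primary, new key added.
    3: new key promoted to primary, old key still enabled.
    4: new key primary, old key disabled.

  Tokens signed with the old key (snapshots 1 and 2) must verify under
  1, 2 and 3 and be rejected by 4, where the old key is disabled. Tokens
  signed with the new key (snapshots 3 and 4) must be rejected by 1, which
  never contained that key, and verify under 2, 3 and 4. The rejection cases
  are the security-relevant part: a disabled key must stop validating old
  tokens, and an outdated verifier must not accept tokens it has no key for.

  Fix: the two template parameters used to be overwritten with fixed ES256
  and ES384 templates, which silently ignored whatever the parameterization
  (declared above this method, outside this excerpt) passed in. They are
  honored now.
  """
  builder = keyset_builder.new_keyset_builder()

  def snapshot():
    # Freeze the builder's current state into a sign/verify pair.
    handle = builder.keyset_handle()
    sign = handle.primitive(jwt.JwtPublicKeySign)
    verify = handle.public_keyset_handle().primitive(jwt.JwtPublicKeyVerify)
    return sign, verify

  older_key_id = builder.add_new_key(old_key_tmpl)
  builder.set_primary_key(older_key_id)
  sign1, verify1 = snapshot()

  newer_key_id = builder.add_new_key(new_key_tmpl)
  sign2, verify2 = snapshot()

  builder.set_primary_key(newer_key_id)
  sign3, verify3 = snapshot()

  builder.disable_key(older_key_id)
  sign4, verify4 = snapshot()

  self.assertNotEqual(older_key_id, newer_key_id)

  raw_jwt = jwt.new_raw_jwt(issuer='a', without_expiration=True)
  validator = jwt.new_validator(expected_issuer='a',
                                allow_missing_expiration=True)

  def assert_verifies(compact, verifiers):
    for verify in verifiers:
      self.assertEqual(
          verify.verify_and_decode(compact, validator).issuer(), 'a')

  def assert_rejects(compact, verifiers):
    for verify in verifiers:
      with self.assertRaises(tink.TinkError):
        verify.verify_and_decode(compact, validator)

  # Snapshots 1 and 2 sign with the old key: accepted wherever that key is
  # enabled (1, 2, 3), rejected once it is disabled (4).
  for sign in (sign1, sign2):
    compact = sign.sign_and_encode(raw_jwt)
    assert_verifies(compact, (verify1, verify2, verify3))
    assert_rejects(compact, (verify4,))

  # Snapshots 3 and 4 sign with the new key: rejected by 1, which never had
  # it, accepted by 2, 3 and 4.
  for sign in (sign3, sign4):
    compact = sign.sign_and_encode(raw_jwt)
    assert_rejects(compact, (verify1,))
    assert_verifies(compact, (verify2, verify3, verify4))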