def test_sign_operation_benchmark(self):
from cis_crypto import operation
import time
os.environ["CIS_SECRET_MANAGER_FILE_PATH"] = "tests/fixture"
os.environ["CIS_SECRET_MANAGER"] = "file"
os.environ["CIS_SIGNING_KEY_NAME"] = "fake-access-file-key.priv.pem"
sample_payload = {"values": {"test_key": "test_data"}}
o = operation.Sign()
o.load(sample_payload)
i = 0
# Run 10 sign operations and average them for accuracy
start = time.time()
for i in range(0, 10):
o.jws()
stop = time.time()
taken = stop - start
taken_per_sig = taken / 10
print(
"test_sign_operation_benchmark() has taken {} seconds to run, or {} second per "
"Sign operation".format(taken, taken_per_sig)
)
# On a recent ULV laptop (2018) taken_per_sig is 0.006s, thus we're being very conservative here in case CI is
# slow, but this would catch anything crazy slow
assert taken_per_sig < 1
def test_sign_verify_operation_jwks(self):
# This test is a sign + verify operation with fake local keys ("full chain" test)
from cis_crypto import operation
from jose import jwk
import json
os.environ["CIS_PUBLIC_KEY_NAME"] = "publisher"
with open("tests/fixture/fake-well-known.json") as fd:
fake_wk = json.loads(fd.read())
with open("tests/fixture/fake-publisher-key_0.priv.jwk") as fd:
fake_jwk_priv = json.loads(fd.read())
fake_jwk_priv_jose = jwk.construct(fake_jwk_priv, "RS256")
# Note: does not include the signature object
sample_payload = {
"metadata": {
"classification": "PUBLIC",
"last_modified": "1970-01-01T00:00:00Z",
"created": "1970-01-01T00:00:00Z",
"verified": True,
"display": "public",
},
"value": "test",
}
o = operation.Sign()
test_valid_payload = o.load(sample_payload)
assert isinstance(test_valid_payload, dict) is True
o._jwk = fake_jwk_priv_jose
signature = o.jws()
assert isinstance(signature, str) is True
# verify
o2 = operation.Verify()
test_valid_payload["signature"] = {
"publisher": {
"alg": "RS256",
"typ": "JWS",
"name": "hris",
"value": signature
}
}
o2.well_known_mode = "https"
o2.well_known = fake_wk
o2.load(test_valid_payload["signature"]["publisher"]["value"])
sig = o2.jws(keyname="hris")
jsig = json.loads(sig)
assert isinstance(jsig, dict) is True
def test_verify_operation_without_bad_sig(self):
from cis_crypto import operation
from jose.exceptions import JWSError
os.environ["CIS_SECRET_MANAGER_FILE_PATH"] = "tests/fixture"
os.environ["CIS_SECRET_MANAGER"] = "file"
os.environ["CIS_SIGNING_KEY_NAME"] = "evil-signing-key.priv.pem"
os.environ["CIS_PUBLIC_KEY_NAME"] = "fake-access-file-key.pub.pem"
os.environ["CIS_WELL_KNOWN_MODE"] = "file"
# Assumption : we only want to sign values and not metadata.
sample_payload = {
"metadata": {
"classification": "PUBLIC",
"last_modified": "2018-01-01T00:00:00Z",
"created": "2018-01-01T00:00:00Z",
"publisher_authority": "mozilliansorg",
"verified": "false",
},
"values": {
"my blog": "https://example.net/blog"
},
}
s = operation.Sign()
assert s is not None
test_valid_payload = s.load(sample_payload)
assert test_valid_payload is not None
sig = s.jws()
o = operation.Verify()
o.load(sig)
key_material = o._get_public_key()
assert key_material is not None
# Expect verification to fail
with pytest.raises(JWSError):
o.jws()
def run(self):
logger = logging.getLogger(__name__)
self.config = self.parse_args(sys.argv[1:])
if self.config.func == "sign_operation":
logger.info("Attempting to sign file: {}".format(self.config.file))
file_content = common.load_file(self.config.file)
signing_object = operation.Sign()
signing_object.load(file_content)
jws = signing_object.jws()
common.write_file(jws, "{}.jws".format(self.config.file))
logger.info("File signed. Your signed file is now: {}.jws".format(
self.config.file))
logger.info(
"To verify this file use cis_crypto verify --file {}.jws".
format(self.config.file))
elif self.config.func == "verify_operation":
logger.info(
"Attempting verification of signature for file: {}".format(
self.config.file))
everett_config = common.get_config()
logger.info("Attempting fetch of .well-known data from: {}".format(
everett_config("public_key_name",
namespace="cis",
default="access-file-key.pub.pem")))
file_content = common.load_file(self.config.file)
verify_object = operation.Verify()
verify_object.load(file_content)
try:
jws = verify_object.jws(
) # This will raise if the signature is invalid.
logger.info("Signature verified for file: {}".format(
self.config.file))
except jose.exceptions.JWSError:
logger.error("The signature could not be verified.")
sys.exit()
sys.exit()
def test_sign_operation(self):
from cis_crypto import operation
os.environ["CIS_SECRET_MANAGER_FILE_PATH"] = "tests/fixture"
os.environ["CIS_SECRET_MANAGER"] = "file"
os.environ["CIS_SIGNING_KEY_NAME"] = "fake-access-file-key.priv.pem"
# Taken from the profile v2 specification
# https://github.com/mozilla-iam/cis/blob/profilev2/docs/profile_data/user_profile_core_plus_extended.json
"""
{
'uris': {
'signature': {
'publisher': {
'alg': 'RS256',
'typ': 'JWT',
'value': 'abc'
},
'additional': [
{
'alg': 'RS256',
'typ': 'JWT',
'value': 'abc'
}
]
},
'metadata': {
'classification': 'PUBLIC',
'last_modified': '2018-01-01T00:00:00Z',
'created': '2018-01-01T00:00:00Z',
'publisher_authority': 'mozilliansorg',
'verified': 'false'
},
'values': {
'my blog': 'https://example.net/blog'
}
}
}
"""
# Assumption : we only want to sign values and not metadata.
sample_payload = {
"metadata": {
"classification": "PUBLIC",
"last_modified": "2018-01-01T00:00:00Z",
"created": "2018-01-01T00:00:00Z",
"publisher_authority": "mozilliansorg",
"verified": "false",
},
"values": {"my blog": "https://example.net/blog"},
}
o = operation.Sign()
assert o is not None
test_valid_payload = o.load(sample_payload)
assert test_valid_payload is not None
assert isinstance(test_valid_payload, dict) is True
assert isinstance(o.payload, dict) is True
test_str_payload = o.load(json.dumps(sample_payload))
assert test_str_payload is not None
assert isinstance(test_valid_payload, dict) is True
assert isinstance(o.payload, dict) is True
signature = o.jws()
assert isinstance(signature, str) is True