def test_a_1_3b():
_jwt = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJl"
"eHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0c"
"nVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
keys = [SYMKey(key=intarr2bin(HMAC_KEY))]
_jws2 = JWS(alg="")
_jws2.verify_compact(_jwt, keys)
def test_jws_mac_authenticator_and_verifier():
algs = ['HS256', 'HS384', 'HS512']
for alg in algs:
calgs = algs[:]
calgs.remove(alg)
json_hmac_key = json.loads(test_vector.json_hmac_key)
json_hmac_key['alg'] = alg
json_hmac_key = json.dumps(json_hmac_key)
json_header_hmac = json.loads(test_vector.test_header_hmac)
json_header_hmac['alg'] = alg
json_header_hmac = json.dumps(json_header_hmac)
# Authenticator
mac_key = key_from_jwk_dict(json.loads(json_hmac_key))
authenticator = JWS(test_vector.test_payload,
**json.loads(json_header_hmac))
signed_token = authenticator.sign_compact([mac_key])
# Verify
verifier = JWS(alg=alg)
assert verifier.verify_compact(signed_token, [mac_key])
for modified_token in modify_token(signed_token, calgs):
with pytest.raises(JWKESTException):
assert verifier.verify_compact(modified_token, [mac_key])
def test_jws_rsa_signer_and_verifier():
algs = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']
for alg in algs:
calgs = algs[:]
calgs.remove(alg)
json_priv_key = json.loads(test_vector.json_rsa_priv_key)
json_priv_key['alg'] = alg
json_priv_key = json.dumps(json_priv_key)
json_pub_key = json.loads(test_vector.json_rsa_pub_key)
json_pub_key['alg'] = alg
json_pub_key = json.dumps(json_pub_key)
json_header_rsa = json.loads(test_vector.test_header_rsa)
json_header_rsa['alg'] = alg
# Sign
priv_key = key_from_jwk_dict(json.loads(json_priv_key))
jws = JWS(msg=test_vector.test_payload, **json_header_rsa)
signed_token = jws.sign_compact([priv_key])
# Verify
pub_key = key_from_jwk_dict(json.loads(json_pub_key))
verifier = JWS(alg=[alg])
assert verifier.verify_compact(signed_token, [pub_key])
for modified_token in modify_token(signed_token, calgs):
with pytest.raises(JWKESTException):
verifier.verify_compact(modified_token, [pub_key])
def test_jws_1():
msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}
key = SYMKey(key=intarr2bin(HMAC_KEY))
_jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize())
res = _jws.sign_compact()
_jws2 = JWS(alg="HS256")
_jws2.verify_compact(res, keys=[key])
assert _jws2.msg == msg
def test_jws_mm():
msg = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}
key = SYMKey(key=intarr2bin(HMAC_KEY))
_jws = JWS(msg, cty="JWT", alg="HS256", jwk=key.serialize())
res = _jws.sign_compact()
_jws2 = JWS(alg="HS512")
with pytest.raises(SignerAlgError):
_jws2.verify_compact(res, keys=[key])
def test_jws_ecdsa_verifier_with_rfc_es512():
# Set up phase: parse the key and initialize the verifier.
key = key_from_jwk_dict(json.loads(test_vector.es512_ecdsa_pub_key))
verifier = JWS(alg='ES512')
# Use phase
assert verifier.verify_compact(test_vector.es512_ecdsa_token, [key])
for modified_token in modify_token(test_vector.es512_ecdsa_token,
['ES256', 'ES512']):
with pytest.raises(JWKESTException):
verifier.verify_compact(modified_token, [key])
def test_jws_mac_verifier_with_rfc():
# Set up phase: parse the key and initialize the JwsMacVerify
key = key_from_jwk_dict(json.loads(test_vector.json_hmac_key))
verifier = JWS(alg='HS256')
# Use phase
assert verifier.verify_compact(test_vector.hmac_token, [key])
for modified_token in modify_token(test_vector.hmac_token,
['HS384', 'HS512']):
with pytest.raises(JWKESTException):
assert verifier.verify_compact(modified_token, [key])
def test_jws_rsa_verifier_with_rfc():
# Set up phase: parse the key and initialize the verifier.
key = key_from_jwk_dict(json.loads(test_vector.json_rsa_pub_key))
jws = JWS()
assert jws.verify_compact(test_vector.rsa_token, [key])
# mess with the JWS
for _token in modify_token(test_vector.rsa_token,
['RS384', 'RS512', 'PS256', 'PS384', 'PS512']):
with pytest.raises(JWKESTException):
jws.verify_compact(_token, [key])
def test_jws_ecdsa_signer_verifier_es256():
# Sign
priv_key = key_from_jwk_dict(json.loads(test_vector.es256_ecdsa_priv_key))
signer = JWS(msg=test_vector.test_payload,
**json.loads(test_vector.test_header_ecdsa))
signed_token = signer.sign_compact([priv_key])
# Verify
pub_key = key_from_jwk_dict(json.loads(test_vector.es256_ecdsa_pub_key))
verifier = JWS(alg='ES256')
assert verifier.verify_compact(signed_token, [pub_key])
for modified_token in modify_token(signed_token, ['ES384', 'ES512']):
with pytest.raises(JWKESTException):
verifier.verify_compact(modified_token, [pub_key])
def test_signer_ps256_fail():
payload = "Please take a moment to register today"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="PS256")
_jwt = _jws.sign_compact(keys)[:-5] + "abcde"
vkeys = [RSAKey(pub_key=_pkey.public_key())]
_rj = JWS(alg="PS256")
try:
_rj.verify_compact(_jwt, vkeys)
except BadSignature:
pass
else:
assert False
def test_signer_protected_headers():
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec.SECP256R1(), default_backend())
_key = ECKey().load_key(eck)
keys = [_key]
_jws = JWS(payload, alg="ES256")
protected = dict(header1=u"header1 is protected",
header2="header2 is protected too",
a=1)
_jwt = _jws.sign_compact(keys, protected=protected)
exp_protected = protected.copy()
exp_protected["alg"] = "ES256"
enc_header, enc_payload, sig = _jwt.split(".")
assert json.loads(b64d(
enc_header.encode("utf-8")).decode("utf-8")) == exp_protected
assert b64d(enc_payload.encode("utf-8")).decode("utf-8") == payload
_pub_key = ECKey().load_key(eck.public_key())
_rj = JWS(alg="ES256")
info = _rj.verify_compact(_jwt, [_pub_key])
assert info == payload
# Protected by default
protected["alg"] = "ES256"
assert _rj.protected_headers() == protected
def test_client_secret_jwt(self, services):
_service_context = services['accesstoken'].service_context
_service_context.token_endpoint = "https://example.com/token"
_service_context.set(
'provider_info', {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
})
csj = ClientSecretJWT()
request = AccessTokenRequest()
csj.construct(request,
service=services['accesstoken'],
algorithm="HS256",
authn_endpoint='userinfo')
assert request["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in request
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_symmetric(_service_context.get('client_id'),
_service_context.get('client_secret'),
usage=['sig'])
jso = JWT(key_jar=_kj, sign_alg='HS256').unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
_rj = JWS(alg='HS256')
info = _rj.verify_compact(
cas,
_kj.get_signing_key(issuer_id=_service_context.get('client_id')))
assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert info['aud'] == [_service_context.get('provider_info')['issuer']]
def test_hmac_512():
payload = "Please take a moment to register today"
keys = [SYMKey(key=b"My hollow echo chamber", alg="HS512")]
_jws = JWS(payload, alg="HS512")
_jwt = _jws.sign_compact(keys)
_rj = JWS(alg="HS512")
info = _rj.verify_compact(_jwt, keys)
assert info == payload
def test_hmac_from_keyrep():
payload = "Please take a moment to register today"
symkeys = [k for k in SIGJWKS if k.kty == "oct"]
_jws = JWS(payload, alg="HS512")
_jwt = _jws.sign_compact(symkeys)
_rj = JWS(alg="HS512")
info = _rj.verify_compact(_jwt, symkeys)
assert info == payload
def test_signer_es(ec_func, alg):
payload = "Please take a moment to register today"
eck = ec.generate_private_key(ec_func(), default_backend())
keys = [ECKey().load_key(eck)]
_jws = JWS(payload, alg=alg)
_jwt = _jws.sign_compact(keys)
_pubkey = ECKey().load_key(eck.public_key())
_rj = JWS(alg=alg)
info = _rj.verify_compact(_jwt, [_pubkey])
assert info == payload
def test_signer_ps384():
payload = "Please take a moment to register today"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="PS384")
_jwt = _jws.sign_compact(keys)
vkeys = [RSAKey(pub_key=_pkey.public_key())]
_rj = JWS(alg="PS384")
info = _rj.verify_compact(_jwt, vkeys)
assert info == payload
def test_jws_verifier_with_kid():
# Sign
priv_key = key_from_jwk_dict(
json.loads(test_vector.test_json_ecdsa_priv_key_kid1))
signer = JWS(test_vector.test_payload,
**json.loads(test_vector.test_header_ecdsa_kid1))
signed_token_kid1 = signer.sign_compact([priv_key])
priv_key = key_from_jwk_dict(
json.loads(test_vector.test_json_ecdsa_priv_key_kid2))
signer = JWS(test_vector.test_payload,
**json.loads(test_vector.test_header_ecdsa_kid2))
signed_token_kid2 = signer.sign_compact([priv_key])
# Verify
pub_key = key_from_jwk_dict(
json.loads(test_vector.test_json_ecdsa_pub_key_kid1))
verifier = JWS(alg='ES256')
assert verifier.verify_compact(signed_token_kid1, [pub_key])
# The signature is valid but the kids don't match.
with pytest.raises(NoSuitableSigningKeys):
verifier.verify_compact(signed_token_kid2, [pub_key])
def test_1():
claimset = {
"iss": "joe",
"exp": 1300819380,
"http://example.com/is_root": True
}
_jws = JWS(claimset, cty="JWT", alg="none")
_jwt = _jws.sign_compact()
_jr = JWS()
_msg = _jr.verify_compact(_jwt, allow_none=True)
print(_jr)
assert _jr.jwt.headers["alg"] == "none"
assert _msg == claimset
def test_rs256_rm_signature():
payload = "Please take a moment to register today"
_pkey = import_private_rsa_key_from_file(PRIV_KEY)
keys = [RSAKey(priv_key=_pkey)]
# keys[0]._keytype = "private"
_jws = JWS(payload, alg="RS256")
_jwt = _jws.sign_compact(keys)
p = _jwt.split(".")
_jwt = ".".join(p[:-1])
vkeys = [RSAKey(key=_pkey.public_key())]
_rj = JWS()
try:
_ = _rj.verify_compact(_jwt, vkeys)
except WrongNumberOfParts:
pass
else:
assert False
def test_client_secret_jwt(self, entity):
_service_context = entity.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
csj.construct(request,
service=entity.client_get("service", 'accesstoken'),
authn_endpoint='token_endpoint')
assert request["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in request
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_symmetric(_service_context.client_id,
_service_context.client_secret, ['sig'])
jso = JWT(key_jar=_kj, sign_alg='HS256').unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "exp", "iat", 'jti'])
_rj = JWS(alg='HS256')
info = _rj.verify_compact(
cas, _kj.get_signing_key(issuer_id=_service_context.client_id))
assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert info['aud'] == [
_service_context.provider_info['token_endpoint']
]
def test_jws_verifier_with_multiple_keys():
# Set up phase: parse the keys and initialize the verifier.
jwks = KeyBundle(json.loads(test_vector.json_pub_keys))
keys = jwks.keys()
verifier = JWS(alg='RS256')
assert verifier.verify_compact(test_vector.rsa_token, keys)
for modified_token in modify_token(
test_vector.rsa_token,
['RS384', 'RS512', 'PS256', 'PS384', 'PS512']):
with pytest.raises(JWKESTException):
verifier.verify_compact(modified_token, keys)
verifier = JWS(alg='ES256')
assert verifier.verify_compact(test_vector.es256_ecdsa_token, keys)
for modified_token in modify_token(test_vector.es256_ecdsa_token,
['ES384', 'ES512']):
with pytest.raises(JWKESTException):
verifier.verify_compact(modified_token, keys)
