def unpack(self, token):
"""
Unpack a received signed or signed and encrypted Json Web Token
:param token: The Json Web Token
:return: If decryption and signature verification work the payload
will be returned as a Message instance.
"""
if not token:
raise KeyError
_rj = jwe.factory(token)
if _rj:
token = self._decrypt(_rj, token)
_rj = jws.factory(token)
if _rj:
info = self._verify(_rj, token)
else:
raise Exception()
if self.message_type:
return self.message_type(**info)
else:
return info
def test_ecdh_no_setup_dynamic_epk():
jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM")
jwt = jwenc.encrypt([remotekey])
assert jwt
ret_jwe = factory(jwt)
res = ret_jwe.decrypt(jwt, [remotekey])
assert res
def test_ecdh_encrypt_decrypt_keywrapped_key():
global epk
jwenc = JWE_EC(plain, alg="ECDH-ES+A128KW", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
'',
key=remotekey,
epk=localkey)
kwargs = {}
kwargs['params'] = params
kwargs['cek'] = cek
kwargs['iv'] = iv
kwargs['encrypted_key'] = encrypted_key
assert "epk" in params
assert encrypted_key
jwt = jwenc.encrypt(key=localkey, **kwargs)
ret_jwe = factory(jwt)
jwdec = JWE_EC()
jwdec.dec_setup(ret_jwe.jwt, key=remotekey)
msg = jwdec.decrypt(ret_jwe.jwt, key=remotekey)
assert msg == plain
def test_ecdh_encrypt_decrypt_keywrapped_key():
global epk
jwenc = JWE_EC(plain, alg="ECDH-ES+A128KW", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain, '',
key=remotekey,
epk=localkey)
kwargs = {}
kwargs['params'] = params
kwargs['cek'] = cek
kwargs['iv'] = iv
kwargs['encrypted_key'] = encrypted_key
assert "epk" in params
assert encrypted_key
jwt = jwenc.encrypt(key=localkey, **kwargs)
ret_jwe = factory(jwt)
jwdec = JWE_EC()
jwdec.dec_setup(ret_jwe.jwt, key=remotekey)
msg = jwdec.decrypt(ret_jwe.jwt, key=remotekey)
assert msg == plain
def test_encrypt_decrypt_rsa_cbc():
_key = RSAKey(key=rsa)
_key._keytype = "private"
_jwe0 = JWE(plain, alg="RSA1_5", enc="A128CBC-HS256")
jwt = _jwe0.encrypt([_key])
_jwe1 = factory(jwt)
msg = _jwe1.decrypt(jwt, [_key])
assert msg == plain
def test_encrypt_decrypt_rsa_cbc():
_key = RSAKey(key=rsa)
_key._keytype = "private"
_jwe0 = JWE(plain, alg="RSA1_5", enc="A128CBC-HS256")
jwt = _jwe0.encrypt([_key])
_jwe1 = factory(jwt)
msg = _jwe1.decrypt(jwt, [_key])
assert msg == plain
def unpack(self, token):
if not token:
raise KeyError
_rj = jws.factory(token)
if _rj:
info = self._verify(_rj, token)
else:
_rj = jwe.factory(token)
if not _rj:
raise KeyError()
info = self._decrypt(_rj, token)
if self.message_type:
return self.message_type(**info)
else:
return info
def unpack(self, token):
if not token:
raise KeyError
_rj = jws.factory(token)
if _rj:
info = self._verify(_rj, token)
else:
_rj = jwe.factory(token)
if not _rj:
raise KeyError()
info = self._decrypt(_rj, token)
if self.message_type:
return self.message_type(**info)
else:
return info
def from_jwt(self, txt, key=None, verify=True, keyjar=None, **kwargs):
"""
Given a signed and/or encrypted JWT, verify its correctness and then
create a class instance from the content.
:param txt: The JWT
:param key: keys that might be used to decrypt and/or verify the
signature of the JWT
:param verify: Whether the signature should be verified or not
:param keyjar: A KeyJar that might contain the necessary key.
:param kwargs: Extra key word arguments
:return: A class instance
"""
# if key is None and keyjar is not None:
# key = keyjar.get_verify_key(owner="")
# elif key is None:
# key = []
#
# if keyjar is not None and "sender" in kwargs:
# key.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
_jw = jwe.factory(txt)
if _jw:
logger.debug("JWE headers: {}".format(_jw.jwt.headers))
if "algs" in kwargs and "encalg" in kwargs["algs"]:
if kwargs["algs"]["encalg"] != _jw["alg"]:
raise WrongEncryptionAlgorithm("%s != %s" % (_jw["alg"], kwargs["algs"]["encalg"]))
if kwargs["algs"]["encenc"] != _jw["enc"]:
raise WrongEncryptionAlgorithm("%s != %s" % (_jw["enc"], kwargs["algs"]["encenc"]))
if keyjar:
dkeys = keyjar.get_decrypt_key(owner="")
if "sender" in kwargs:
dkeys.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
elif key:
dkeys = key
else:
dkeys = []
logger.debug('Decrypt class: {}'.format(_jw.__class__))
_res = _jw.decrypt(txt, dkeys)
logger.debug('decrypted message:{}'.format(_res))
if isinstance(_res, tuple):
txt = as_unicode(_res[0])
elif isinstance(_res, list) and len(_res) == 2:
txt = as_unicode(_res[0])
else:
txt = as_unicode(_res)
self.jwe_header = _jw.jwt.headers
_jw = jws.factory(txt)
if _jw:
if "algs" in kwargs and "sign" in kwargs["algs"]:
_alg = _jw.jwt.headers["alg"]
if kwargs["algs"]["sign"] != _alg:
raise WrongSigningAlgorithm("%s != %s" % (_alg, kwargs["algs"]["sign"]))
try:
_jwt = JWT().unpack(txt)
jso = _jwt.payload()
_header = _jwt.headers
if key is None and keyjar is not None:
key = keyjar.get_verify_key(owner="")
elif key is None:
key = []
if keyjar is not None and "sender" in kwargs:
key.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
logger.debug("Raw JSON: {}".format(sanitize(jso)))
logger.debug("JWS header: {}".format(sanitize(_header)))
if _header["alg"] == "none":
pass
elif verify:
if keyjar:
key = self.get_verify_keys(keyjar, key, jso, _header,
_jw, **kwargs)
if "alg" in _header and _header["alg"] != "none":
if not key:
raise MissingSigningKey(
"alg=%s" % _header["alg"])
logger.debug("Found signing key.")
try:
_jw.verify_compact(txt, key)
except NoSuitableSigningKeys:
if keyjar:
update_keyjar(keyjar)
key = self.get_verify_keys(keyjar, key, jso,
_header, _jw, **kwargs)
_jw.verify_compact(txt, key)
except Exception:
raise
else:
self.jws_header = _jwt.headers
else:
jso = json.loads(txt)
self.jwt = txt
return self.from_dict(jso)
#!/Users/eddyvides/Desktop/sei-0119/projects/planning-organizer/.venv/bin/python3
import sys
from jwkest import jwe
from jwkest import jws
__author__ = 'roland'
jwt = sys.argv[1]
_jw = jwe.factory(jwt)
if _jw:
print("jwe")
else:
_jw = jws.factory(jwt)
if _jw:
print("jws")
print(_jw.jwt.headers)
print(_jw.jwt.part[1])
def from_jwt(self, txt, key=None, verify=True, keyjar=None, **kwargs):
"""
Given a signed and/or encrypted JWT, verify its correctness and then
create a class instance from the content.
:param txt: The JWT
:param key: keys that might be used to decrypt and/or verify the
signature of the JWT
:param verify: Whether the signature should be verified or not
:param keyjar: A KeyJar that might contain the necessary key.
:param kwargs: Extra key word arguments
:return: A class instance
"""
if key is None and keyjar is not None:
key = keyjar.get_verify_key(owner="")
elif key is None:
key = []
if keyjar is not None and "sender" in kwargs:
key.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
_jw = jwe.factory(txt)
if _jw:
if "algs" in kwargs and "encalg" in kwargs["algs"]:
try:
assert kwargs["algs"]["encalg"] == _jw["alg"]
except AssertionError:
raise WrongEncryptionAlgorithm("%s != %s" % (
_jw["alg"], kwargs["algs"]["encalg"]))
try:
assert kwargs["algs"]["encenc"] == _jw["enc"]
except AssertionError:
raise WrongEncryptionAlgorithm("%s != %s" % (
_jw["enc"], kwargs["algs"]["encenc"]))
if keyjar:
dkeys = keyjar.get_decrypt_key(owner="")
elif key:
dkeys = key
else:
dkeys = []
txt = as_unicode(_jw.decrypt(txt, dkeys))
self.jwe_header = _jw.jwt.headers
_jw = jws.factory(txt)
if _jw:
if "algs" in kwargs and "sign" in kwargs["algs"]:
_alg = _jw.jwt.headers["alg"]
try:
assert kwargs["algs"]["sign"] == _alg
except AssertionError:
raise WrongSigningAlgorithm("%s != %s" % (
_alg, kwargs["algs"]["sign"]))
try:
_jwt = JWT().unpack(txt)
jso = _jwt.payload()
_header = _jwt.headers
logger.debug("Raw JSON: {}".format(jso))
logger.debug("header: {}".format(_header))
if _header["alg"] == "none":
pass
elif verify:
if keyjar:
key = self.get_verify_keys(keyjar, key, jso, _header,
_jw, **kwargs)
if "alg" in _header and _header["alg"] != "none":
if not key:
raise MissingSigningKey(
"alg=%s" % _header["alg"])
logger.debug("Verify keys: {}".format(key))
try:
_jw.verify_compact(txt, key)
except NoSuitableSigningKeys:
if keyjar:
update_keyjar(keyjar)
key = self.get_verify_keys(keyjar, key, jso,
_header, _jw, **kwargs)
_jw.verify_compact(txt, key)
except Exception:
raise
else:
self.jws_header = _jwt.headers
else:
jso = json.loads(txt)
return self.from_dict(jso)
def from_jwt(self, txt, key=None, verify=True, keyjar=None, **kwargs):
"""
Given a signed and/or encrypted JWT, verify its correctness and then
create a class instance from the content.
:param txt: The JWT
:param key: keys that might be used to decrypt and/or verify the
signature of the JWT
:param verify: Whether the signature should be verified or not
:param keyjar: A KeyJar that might contain the necessary key.
:param kwargs: Extra key word arguments
:return: A class instance
"""
if key is None and keyjar is not None:
key = keyjar.get_verify_key(owner="")
elif key is None:
key = []
if keyjar is not None and "sender" in kwargs:
key.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
_jw = jwe.factory(txt)
if _jw:
if "algs" in kwargs and "encalg" in kwargs["algs"]:
try:
assert kwargs["algs"]["encalg"] == _jw["alg"]
except AssertionError:
raise WrongEncryptionAlgorithm(
"%s != %s" % (_jw["alg"], kwargs["algs"]["encalg"]))
try:
assert kwargs["algs"]["encenc"] == _jw["enc"]
except AssertionError:
raise WrongEncryptionAlgorithm(
"%s != %s" % (_jw["enc"], kwargs["algs"]["encenc"]))
if keyjar:
dkeys = keyjar.get_decrypt_key(owner="")
elif key:
dkeys = key
else:
dkeys = []
txt = _jw.decrypt(txt, dkeys)
self.jwe_header = _jw.jwt.headers
_jw = jws.factory(txt)
if _jw:
if "algs" in kwargs and "sign" in kwargs["algs"]:
_alg = _jw.jwt.headers["alg"]
try:
assert kwargs["algs"]["sign"] == _alg
except AssertionError:
raise WrongSigningAlgorithm("%s != %s" %
(_alg, kwargs["algs"]["sign"]))
try:
_jwt = JWT().unpack(txt)
jso = json.loads(_jwt.part[1])
_header = _jwt.headers
logger.debug("Raw JSON: %s" % jso)
if _header["alg"] == "none":
pass
else:
if keyjar:
if "jku" in _header:
if not keyjar.find(_header["jku"], jso["iss"]):
# This is really questionable
try:
if kwargs["trusting"]:
keyjar.add(jso["iss"], _header["jku"])
except KeyError:
pass
if "kid" in _header and _header["kid"]:
_jw["kid"] = _header["kid"]
try:
_key = keyjar.get_key_by_kid(
_header["kid"], jso["iss"])
if _key:
key.append(_key)
except KeyError:
pass
try:
self._add_key(keyjar, kwargs["opponent_id"], key)
except KeyError:
pass
if verify:
if keyjar:
for ent in ["iss", "aud", "client_id"]:
if ent not in jso:
continue
if ent == "aud":
# list or basestring
if isinstance(jso["aud"], basestring):
_aud = [jso["aud"]]
else:
_aud = jso["aud"]
for _e in _aud:
self._add_key(keyjar, _e, key)
else:
self._add_key(keyjar, jso[ent], key)
if "alg" in _header and _header["alg"] != "none":
if not key:
raise MissingSigningKey("alg=%s" %
_header["alg"])
_jw.verify_compact(txt, key)
except Exception:
raise
else:
self.jws_header = _jwt.headers
else:
jso = json.loads(txt)
return self.from_dict(jso)
def from_jwt(self, txt, key=None, verify=True, keyjar=None, **kwargs):
"""
Given a signed and/or encrypted JWT, verify its correctness and then
create a class instance from the content.
:param txt: The JWT
:param key: keys that might be used to decrypt and/or verify the
signature of the JWT
:param verify: Whether the signature should be verified or not
:param keyjar: A KeyJar that might contain the necessary key.
:param kwargs: Extra key word arguments
:return: A class instance
"""
if key is None and keyjar is not None:
key = keyjar.get_verify_key(owner="")
elif key is None:
key = []
if keyjar is not None and "sender" in kwargs:
key.extend(keyjar.get_verify_key(owner=kwargs["sender"]))
_jw = jwe.factory(txt)
if _jw:
if "algs" in kwargs and "encalg" in kwargs["algs"]:
try:
assert kwargs["algs"]["encalg"] == _jw["alg"]
except AssertionError:
raise WrongEncryptionAlgorithm("%s != %s" % (
_jw["alg"], kwargs["algs"]["encalg"]))
try:
assert kwargs["algs"]["encenc"] == _jw["enc"]
except AssertionError:
raise WrongEncryptionAlgorithm("%s != %s" % (
_jw["enc"], kwargs["algs"]["encenc"]))
if keyjar:
dkeys = keyjar.get_decrypt_key(owner="")
elif key:
dkeys = key
else:
dkeys = []
txt = _jw.decrypt(txt, dkeys)
self.jwe_header = _jw.jwt.headers
_jw = jws.factory(txt)
if _jw:
if "algs" in kwargs and "sign" in kwargs["algs"]:
_alg = _jw.jwt.headers["alg"]
try:
assert kwargs["algs"]["sign"] == _alg
except AssertionError:
raise WrongSigningAlgorithm("%s != %s" % (
_alg, kwargs["algs"]["sign"]))
try:
_jwt = JWT().unpack(txt)
jso = json.loads(_jwt.part[1])
_header = _jwt.headers
logger.debug("Raw JSON: %s" % jso)
if _header["alg"] == "none":
pass
else:
if keyjar:
if "jku" in _header:
if not keyjar.find(_header["jku"], jso["iss"]):
# This is really questionable
try:
if kwargs["trusting"]:
keyjar.add(jso["iss"], _header["jku"])
except KeyError:
pass
if "kid" in _header and _header["kid"]:
_jw["kid"] = _header["kid"]
try:
_key = keyjar.get_key_by_kid(_header["kid"],
jso["iss"])
if _key:
key.append(_key)
except KeyError:
pass
try:
self._add_key(keyjar, kwargs["opponent_id"], key)
except KeyError:
pass
if verify:
if keyjar:
for ent in ["iss", "aud", "client_id"]:
if ent not in jso:
continue
if ent == "aud":
# list or basestring
if isinstance(jso["aud"], basestring):
_aud = [jso["aud"]]
else:
_aud = jso["aud"]
for _e in _aud:
self._add_key(keyjar, _e, key)
else:
self._add_key(keyjar, jso[ent], key)
if "alg" in _header and _header["alg"] != "none":
if not key:
raise MissingSigningKey(
"alg=%s" % _header["alg"])
_jw.verify_compact(txt, key)
except Exception:
raise
else:
self.jws_header = _jwt.headers
else:
jso = json.loads(txt)
return self.from_dict(jso)
#!/usr/bin/env python
import sys
from jwkest import jwe
from jwkest import jws
__author__ = 'roland'
jwt = open(sys.argv[1]).read()
_jw = jwe.factory(jwt)
if _jw:
print("jwe")
else:
_jw = jws.factory(jwt)
if _jw:
print("jws")
print(_jw.jwt.headers)
print(_jw.jwt.part[1])