def test_jws_verifier_with_kid(self):
# Sign
priv_key1 = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_priv_key_kid1)
signer1 = jws.JwsPublicKeySign(priv_key1)
signed_token_kid1 = signer1.sign(self.test_header_es256_kid1,
self.test_payload)
priv_key2 = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_priv_key_kid2)
signer2 = jws.JwsPublicKeySign(priv_key2)
signed_token_kid2 = signer2.sign(self.test_header_es256_kid2,
self.test_payload)
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(
self.test_json_ecdsa_pub_key_kid1)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verifier.verify(signed_token_kid1)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token_kid1):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
# The signature is valid but the kids don't match.
self.assertRaises(SecurityException, verifier.verify,
signed_token_kid2)
def __init__(self,
jwk_set,
issuer=None,
subject=None,
audiences=None,
clock_skew_tolerance=0):
"""Constructor for JwtPublicKeyVerify.
Args:
jwk_set: a JwkSet.
issuer: string, the issuer claim as defined at
https://tools.ietf.org/html/rfc7519#section-4.1.1.
subject: string, the subject claim as defined at
https://tools.ietf.org/html/rfc7519#section-4.1.2.
audiences: list of string, the audiences claim as defined at
https://tools.ietf.org/html/rfc7519#section-4.1.3.
clock_skew_tolerance: integer, the clock skew that the verifier tolerates.
Raises:
UnsupportedAlgorithm: if the algorihtm is not defined at
https://tools.ietf.org/html/rfc7518#section-3.1 or if jwk is not Rsa or
Ecdsa key.
"""
self.verifier = jws.JwsPublicKeyVerify(jwk_set)
self.issuer = issuer
self.subject = subject
self.audiences = audiences
self.clock_skew_tolerance = clock_skew_tolerance
def test_jws_ec_from_cryptography_key(self):
# Sign the token.
priv_key = load_pem_private_key(
self.test_pem_ec_p256_priv_key.encode('utf-8'),
None,
backend=backends.default_backend())
jwk_priv_key = jws.CleartextJwkSetReader.from_cryptography_key(
priv_key, 'ES256')
signer = jws.JwsPublicKeySign(jwk_priv_key)
signed_token = signer.sign(self.test_header_es256, self.test_payload)
# Verify the token.
# The real use case is that cryptography supports extracting public key from
# certificate, but we simulate it here by reading it from PEM.
pub_key = load_pem_public_key(
self.test_pem_ec_p256_pub_key.encode('utf-8'),
backend=backends.default_backend())
jwk_pub_key = jws.CleartextJwkSetReader.from_cryptography_key(
pub_key, 'ES256')
verifier = jws.JwsPublicKeyVerify(jwk_pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_rsa_signer_and_verifier(self):
algs = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']
for alg in algs:
json_priv_key = json.loads(self.json_rsa_priv_key)
json_priv_key['alg'] = alg
json_priv_key = json.dumps(json_priv_key)
json_pub_key = json.loads(self.json_rsa_pub_key)
json_pub_key['alg'] = alg
json_pub_key = json.dumps(json_pub_key)
json_header_rsa = dict(self.test_header_rsa)
json_header_rsa['alg'] = alg
# Sign
priv_key = jws.CleartextJwkSetReader.from_json(json_priv_key)
signer = jws.JwsPublicKeySign(priv_key)
signed_token = signer.sign(json_header_rsa, self.test_payload)
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(json_pub_key)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_ecdsa_verifier_with_rfc_es512(self):
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(self.es512_ecdsa_pub_key)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verified_payload = verifier.verify(self.es512_ecdsa_token)
self.assertEqual(b'Payload', verified_payload)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(self.es512_ecdsa_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_rsa_verifier_with_rfc(self):
# Set up phase: parse the key and initialize the verifier.
keys = jws.CleartextJwkSetReader.from_json(self.json_rsa_pub_key)
verifier = jws.JwsPublicKeyVerify(keys)
# Use phase
try:
verified_payload = verifier.verify(self.rsa_token)
self.assertEqual(
'{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}'
.encode('utf-8'), verified_payload)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(self.rsa_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_verifier_with_multiple_keys(self):
# Set up phase: parse the keys and initialize the verifier.
keys = jws.CleartextJwkSetReader.from_json(self.json_pub_keys)
verifier = jws.JwsPublicKeyVerify(keys)
# Use phase
try:
verifier.verify(self.rsa_token)
verifier.verify(self.es256_ecdsa_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(self.rsa_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
for modified_token in _modify_token(self.es256_ecdsa_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_ecdsa_signer_verifier_es256(self):
# Sign
priv_key = jws.CleartextJwkSetReader.from_json(
self.es256_ecdsa_priv_key)
signer = jws.JwsPublicKeySign(priv_key)
signed_token = signer.sign(self.test_header_es256, self.test_payload)
# Verify
pub_key = jws.CleartextJwkSetReader.from_json(self.es256_ecdsa_pub_key)
verifier = jws.JwsPublicKeyVerify(pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
def test_jws_ec_from_pem_key(self):
# Sign the token
rsa_priv_key = jws.CleartextJwkSetReader.from_pem(
self.test_pem_ec_p256_priv_key.encode('utf-8'), 'ES256')
signer = jws.JwsPublicKeySign(rsa_priv_key)
signed_token = signer.sign(self.test_header_es256, self.test_payload)
# Verify the token
rsa_pub_key = jws.CleartextJwkSetReader.from_pem(
self.test_pem_ec_p256_pub_key.encode('utf-8'), 'ES256')
verifier = jws.JwsPublicKeyVerify(rsa_pub_key)
try:
verifier.verify(signed_token)
except SecurityException:
self.fail('Valid token, should not throw exception')
for modified_token in _modify_token(signed_token):
self.assertRaises(SecurityException, verifier.verify,
modified_token)
