def test_wrong_key_type(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") with pytest.raises(NoSuitableEncryptionKey): jwenc.encrypt([encryption_key])
def test_unknown_alg(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwenc = JWE(plain, alg="BCD", enc="A128GCM") with pytest.raises(ValueError): jwenc.encrypt([encryption_key])
def test_ecdh_no_setup_dynamic_epk(): jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") jwt = jwenc.encrypt([eck_bob]) assert jwt ret_jwe = factory(jwt, alg="ECDH-ES", enc="A128GCM") res = ret_jwe.decrypt(jwt, [eck_bob]) assert res == plain
def test_wrong_alg(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") with pytest.raises(HeaderError): factory(_jwe, alg="A192KW", enc="A128CBC-HS256")
def test_verify_headers(): jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") jwt = jwenc.encrypt([eck_bob]) assert jwt decrypter = factory(jwt, alg="ECDH-ES", enc="A128GCM") assert decrypter.jwt.verify_headers(alg='ECDH-ES', enc='A128GCM') assert decrypter.jwt.verify_headers(alg='RS256') is False assert decrypter.jwt.verify_headers(kid='RS256') is False
def test_no_key(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(NoSuitableDecryptionKey): decrypter.decrypt(_jwe, [])
def test_wrong_alg_2(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") with pytest.raises(WrongEncryptionAlgorithm): decrypter.decrypt(_jwe, [encryption_key], alg='A192KW')
def test_encrypt_jwk_key(): # This is a weird case. Signing the JWT with a key that is # published in the JWT. Still it should be possible. jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM", jwk=eck_bob) _enc = jwenc.encrypt() assert _enc decrypter = factory(_enc, alg="ECDH-ES", enc="A128GCM") res = decrypter.decrypt() assert res == plain
def request_object_encryption(msg, service_context, **kwargs): """ Created an encrypted JSON Web token with *msg* as body. :param msg: The mesaqg :param service_context: :param kwargs: :return: """ try: encalg = kwargs["request_object_encryption_alg"] except KeyError: try: encalg = service_context.get('behaviour')[ "request_object_encryption_alg"] except KeyError: return msg if not encalg: return msg try: encenc = kwargs["request_object_encryption_enc"] except KeyError: try: encenc = service_context.get('behaviour')[ "request_object_encryption_enc"] except KeyError: raise MissingRequiredAttribute( "No request_object_encryption_enc specified") if not encenc: raise MissingRequiredAttribute( "No request_object_encryption_enc specified") _jwe = JWE(msg, alg=encalg, enc=encenc) _kty = alg2keytype(encalg) try: _kid = kwargs["enc_kid"] except KeyError: _kid = "" if "target" not in kwargs: raise MissingRequiredAttribute("No target specified") if _kid: _keys = service_context.keyjar.get_encrypt_key(_kty, issuer_id=kwargs["target"], kid=_kid) _jwe["kid"] = _kid else: _keys = service_context.keyjar.get_encrypt_key(_kty, issuer_id=kwargs["target"]) return _jwe.encrypt(_keys)
def test_sym_encrypt_decrypt_jwe(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") resp = decrypter.decrypt(_jwe, [encryption_key]) assert resp == plain
def test_encrypt_decrypt_rsa_cbc(): _key = RSAKey(pub_key=pub_key) _jwe0 = JWE(plain, alg="RSA1_5", enc="A128CBC-HS256") jwt = _jwe0.encrypt([_key]) _jwe1 = factory(jwt, alg="RSA1_5", enc="A128CBC-HS256") _dkey = RSAKey(priv_key=priv_key) msg = _jwe1.decrypt(jwt, [_dkey]) assert msg == plain
def to_jwe(self, keys, enc, alg, lev=0): """ Place the information in this instance in a JSON object. Make that JSON object the body of a JWT. Then encrypt that JWT using the specified algorithms and the given keys. Return the encrypted JWT. :param keys: list or KeyJar instance :param enc: Content Encryption Algorithm :param alg: Key Management Algorithm :param lev: Used for JSON construction :return: An encrypted JWT. If encryption failed an exception will be raised. """ _jwe = JWE(self.to_json(lev), alg=alg, enc=enc) return _jwe.encrypt(keys)
def test_sym_jwenc(): encryption_key = SYMKey(use="enc", key='DukeofHazardpass', kid="some-key-id") jwe = JWE(plain, alg="A128KW", enc="A128CBC-HS256") _jwe = jwe.encrypt(keys=[encryption_key], kid="some-key-id") decrypter = factory(_jwe, alg="A128KW", enc="A128CBC-HS256") _jwenc = decrypter.jwt assert _jwenc.b64_protected_header() == _jwenc.b64part[0] assert _jwenc.b64_encrypted_key() == _jwenc.b64part[1] assert _jwenc.b64_initialization_vector() == _jwenc.b64part[2] assert _jwenc.b64_ciphertext() == _jwenc.b64part[3] assert _jwenc.b64_authentication_tag() == _jwenc.b64part[4] assert _jwenc.protected_header() == _jwenc.part[0] assert _jwenc.encrypted_key() == _jwenc.part[1] assert _jwenc.initialization_vector() == _jwenc.part[2] assert _jwenc.ciphertext() == _jwenc.part[3] assert _jwenc.authentication_tag() == _jwenc.part[4]
def test_encrypt_no_keys(): jwenc = JWE(plain, alg="ECDH-ES", enc="A128GCM") with pytest.raises(NoSuitableEncryptionKey): jwenc.encrypt()
def test_rsa_with_kid(): encryption_keys = [RSAKey(use="enc", pub_key=pub_key, kid="some-key-id")] jwe = JWE("some content", alg="RSA-OAEP", enc="A256CBC-HS512") jwe.encrypt(keys=encryption_keys, kid="some-key-id")