def test_verify_protected_headers(): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec.SECP256R1(), default_backend()) _key = ECKey().load_key(eck) keys = [_key] _jws = JWS(payload, alg="ES256") protected = dict(header1=u"header1 is protected", header2="header2 is protected too", a=1) _jwt = _jws.sign_compact(keys, protected=protected) protectedHeader, enc_payload, sig = _jwt.split(".") data = dict( payload=enc_payload, signatures=[ dict( header=dict(alg=u"ES256", jwk=_key.serialize()), protected=protectedHeader, signature=sig, ) ], ) # _pub_key = ECKey().load_key(eck.public_key()) _jws = JWS() assert _jws.verify_json(json.dumps(data)) == payload
def test_verify_json_flattened_syntax(): key = ECKey().load_key(P256()) protected_headers = {"foo": "bar"} unprotected_headers = {"abc": "xyz"} payload = "hello world" _jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[ (protected_headers, unprotected_headers) ], keys=[key], flatten=True) vkeys = [ECKey().load_key(key.public_key())] _jws = JWS() assert _jws.verify_json(_jwt, keys=vkeys) assert _jws.protected_headers() == {"alg": "ES256", "foo": "bar"}
def test_verify_json(): eck = ec.generate_private_key(ec.SECP256R1(), default_backend()) key = ECKey().load_key(eck) payload = "hello world" unprotected_headers = {"abc": "xyz"} protected_headers = {"foo": "bar"} _jwt = JWS(msg=payload, alg="ES256").sign_json(headers=[ (protected_headers, unprotected_headers) ], keys=[key]) vkeys = [ECKey().load_key(eck.public_key())] _jws = JWS() assert _jws.verify_json(_jwt, keys=vkeys) _protected = _jws.protected_headers() assert set(_protected.keys()) == {"foo", "alg"} assert _protected["foo"] == protected_headers["foo"] # alg is always protected by default assert _protected["alg"] == "ES256"
def test_missing_payload(): jws = JWS() with pytest.raises(FormatError): jws.verify_json('{"foo":"bar"}')
def main(): """Main function""" parser = argparse.ArgumentParser(description="JWS verifier") parser.add_argument( "--trusted", dest="trusted", metavar="filename", help="Trusted keys (JWKS)", required=False, ) parser.add_argument( "--input", dest="jws_input", metavar="filename", help="JWS file input", required=True, ) parser.add_argument( "--output", dest="output", metavar="filename", help="Output", required=False, ) parser.add_argument( "--headers", dest="headers_output", metavar="filename", help="Headers output", required=False, ) parser.add_argument("--debug", dest="debug", action="store_true", help="Enable debugging") args = parser.parse_args() if args.debug: logging.basicConfig(level=logging.DEBUG) else: logging.basicConfig(level=logging.INFO) trusted_keys = [] if args.trusted: with open(args.trusted) as input_file: trusted_payload = json.load(input_file) if isinstance(trusted_payload, dict): trusted_keys.append(key_from_jwk_dict(trusted_payload)) elif isinstance(trusted_payload, dict): for jwk_dict in trusted_payload["keys"]: trusted_keys.append( key_from_jwk_dict(jwk_dict, private=False)) else: raise ValueError("Unknown trusted list format") with open(args.jws_input, "rt") as input_file: jws_file = input_file.read() protected_headers = [] jws_dict = json.loads(jws_file) if args.trusted: jws = JWS() message = jws.verify_json(jws_file, keys=trusted_keys) else: message = json.loads(b64d(jws_dict["payload"].encode()).decode()) for signatures in jws_dict["signatures"]: if "protected" in signatures: protected_headers.append(extract_headers(signatures["protected"])) if args.headers_output: with open(args.headers_output, "wt") as output_file: print(json.dumps(protected_headers, indent=4), file=output_file) else: if args.trusted: print("# JWS PROTECTED HEADERS (VERIFIED)") else: print("# JWS PROTECTED HEADERS (NOT VERIFIED)") print(json.dumps(protected_headers, indent=4, sort_keys=True)) if args.output: with open(args.output, "wt") as output_file: print(json.dumps(message, indent=4), file=output_file) else: if args.trusted: print("# JWS CONTENTS (VERIFIED)") else: print("# JWS CONTENTS (NOT VERIFIED)") print(json.dumps(message, indent=4, sort_keys=True))