def test_dump_jwk():
kb = KeyBundle()
kb.append(RSAKey(pub_key=import_rsa_key_from_cert_file(CERT)))
jwks = kb.jwks()
_wk = json.loads(jwks)
assert list(_wk.keys()) == ["keys"]
assert len(_wk["keys"]) == 1
assert set(_wk["keys"][0].keys()) == {"kty", "e", "n"}
kb2 = KeyBundle(_wk)
assert len(kb2) == 1
key = kb2.get("rsa")[0]
assert key.kty == "RSA"
assert isinstance(key.public_key(), rsa.RSAPublicKey)
def import_keys(self, keyspec):
"""
The client needs it's own set of keys. It can either dynamically
create them or load them from local storage.
This method can also fetch other entities keys provided the
URL points to a JWKS.
:param keyspec:
"""
for where, spec in keyspec.items():
if where == 'file':
for typ, files in spec.items():
if typ == 'rsa':
for fil in files:
_key = RSAKey(
key=import_private_rsa_key_from_file(fil),
use='sig')
_bundle = KeyBundle()
_bundle.append(_key)
self.keyjar.add_kb('', _bundle)
elif where == 'url':
for iss, url in spec.items():
_bundle = KeyBundle(source=url)
self.keyjar.add_kb(iss, _bundle)
],
)
def test_to_jwe(keytype, alg, enc):
msg = Message(a="foo", b="bar", c="tjoho")
_jwe = msg.to_jwe(KEYJAR.get_encrypt_key(keytype, ""), alg=alg, enc=enc)
with pytest.raises(HeaderError):
Message().from_jwt(_jwe, KEYJAR, encalg="RSA-OAEP", encenc=enc)
with pytest.raises(HeaderError):
Message().from_jwt(_jwe, KEYJAR, encenc="A256CBC-HS512", encalg=alg)
NEW_KEYJAR = KEYJAR.copy()
kb = KeyBundle()
k = new_rsa_key()
NEW_KID = k.kid
kb.append(k)
NEW_KEYJAR.add_kb("", kb)
def test_no_suitable_keys():
keytype = "RSA"
alg = "RS256"
msg = Message(a="foo", b="bar", c="tjoho")
_jwt = msg.to_jwt(NEW_KEYJAR.get_signing_key(keytype, "", kid=NEW_KID),
alg)
with pytest.raises(NoSuitableSigningKeys):
Message().from_jwt(_jwt, KEYJAR)
def test_only_extras():
m = DummyMessage(foo="bar", extra="value")
def test_get_audience_and_algorithm_default_alg(self, entity):
_service_context = entity.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
_service_context.registration_response = {}
token_service = entity.client_get("service", 'accesstoken')
# Add a RSA key to be able to handle default
_kb = KeyBundle()
_rsa_key = new_rsa_key()
_kb.append(_rsa_key)
_service_context.keyjar.add_kb("", _kb)
# Since I have a RSA key this doesn't fail
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
assert _jws.jwt.headers["alg"] == "RS256"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
# By client preferences
request = AccessTokenRequest()
_service_context.client_preferences = {
"token_endpoint_auth_signing_alg": "RS512"
}
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
assert _jws.jwt.headers["alg"] == "RS512"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
# Use provider information is everything else fails
request = AccessTokenRequest()
_service_context.client_preferences = {}
_service_context.provider_info[
"token_endpoint_auth_signing_alg_values_supported"] = [
"ES256", "RS256"
]
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
# Should be RS256 since I have no key for ES256
assert _jws.jwt.headers["alg"] == "RS256"
assert _jws.jwt.headers["kid"] == _rsa_key.kid