def test_jwe_no_error_with_iat_claim(self): claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=20)
def test_jwe(self): bad_key = {'k': RSA.generate(2048).exportKey('PEM')} for (alg, jwk), enc in product(self.algs, self.encs): jwe = jose.encrypt(claims, rsa_pub_key, enc=enc, alg=alg) # make sure the body can't be loaded as json (should be encrypted) try: json.loads(jose.b64decode_url(jwe.ciphertext)) self.fail() except ValueError: pass token = jose.serialize_compact(jwe) jwt = jose.legacy_decrypt(jose.deserialize_compact(token), rsa_priv_key) self.assertNotIn(jose._TEMP_VER_KEY, claims) self.assertEqual(jwt.claims, claims) # invalid key try: jose.legacy_decrypt(jose.deserialize_compact(token), bad_key) self.fail() except jose.Error as e: self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe_invalid_base64(self): try: jose.legacy_decrypt('aaa', rsa_priv_key) self.fail() # expecting error due to invalid base64 except jose.Error as e: pass self.assertEqual(e.args[0], 'Unable to decode base64: Incorrect padding')
def test_jwe_invalid_base64(self): try: jose.legacy_decrypt('aaa', rsa_priv_key) self.fail() # expecting error due to invalid base64 except jose.Error as e: pass self.assertEquals( e.args[0], 'Unable to decode base64: Incorrect padding' )
def test_jwe_not_yet_valid_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) try: jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting not valid yet except jose.NotYetValid as e: pass self.assertEqual( e.args[0], 'Token not valid until {}'.format( jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE])))
def test_jwe_expired_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) try: jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting expired token except jose.Expired as e: pass self.assertEqual( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME])))
def test_decrypt_invalid_compression_error(self): jwe = jose.encrypt(claims, rsa_pub_key, compression='DEF') header = jose.b64encode_url( jose.json_encode( {"alg": "RSA-OAEP", "enc": "A128CBC-HS256", jose._TEMP_VER_KEY: jose._TEMP_VER, "zip": "BAD"} ) ) try: jose.legacy_decrypt(jose.JWE(*((header,) + (jwe[1:]))), rsa_priv_key) self.fail() except jose.Error as e: self.assertEqual( e.message, 'Unsupported compression algorithm: BAD')
def test_jwe_not_yet_valid_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) try: jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting not valid yet except jose.NotYetValid as e: pass self.assertEquals( e.args[0], 'Token not valid until {}'.format( jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE]) ) )
def test_jwe_expired_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) try: jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting expired token except jose.Expired as e: pass self.assertEquals( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME]) ) )
def test_jwe_adata(self): adata = '42' for (alg, jwk), enc in product(self.algs, self.encs): et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key, adata=adata)) jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key, adata=adata) # make sure signatures don't match when adata isn't passed in try: hdr, dt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() except jose.Error as e: self.assertEqual(e.message, 'Mismatched authentication tags') self.assertEqual(jwt.claims, claims)
def test_jwe_adata(self): adata = '42' for (alg, jwk), enc in product(self.algs, self.encs): et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key, adata=adata)) jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key, adata=adata) # make sure signaures don't match when adata isn't passed in try: hdr, dt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() except jose.Error as e: self.assertEqual(e.message, 'Mismatched authentication tags') self.assertEqual(jwt.claims, claims)
def test_jwe_expired_error_with_iat_claim(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) try: jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=expiry_seconds) self.fail() # expecting expired token except jose.Expired as e: pass expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds self.assertEqual( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(expiration_time)))
def test_jwe_add_header(self): add_header = {'foo': 'bar'} for (alg, jwk), enc in product(self.algs, self.encs): et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key, add_header=add_header)) jwt = jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.assertEqual(jwt.header['foo'], add_header['foo'])
def test_jwe_expired_error_with_iat_claim(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) try: jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=expiry_seconds) self.fail() # expecting expired token except jose.Expired as e: pass expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds self.assertEquals( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(expiration_time) ) )
def test_jwe_compression(self): local_claims = copy(claims) for v in xrange(1000): local_claims['dummy_' + str(v)] = '0' * 100 jwe = jose.serialize_compact(jose.encrypt(local_claims, rsa_pub_key)) _, _, _, uncompressed_ciphertext, _ = jwe.split('.') jwe = jose.serialize_compact(jose.encrypt(local_claims, rsa_pub_key, compression='DEF')) _, _, _, compressed_ciphertext, _ = jwe.split('.') self.assertTrue(len(compressed_ciphertext) < len(uncompressed_ciphertext)) jwt = jose.legacy_decrypt(jose.deserialize_compact(jwe), rsa_priv_key) self.assertEqual(jwt.claims, local_claims)
def test_jwe_ignores_expired_token_if_validate_claims_is_false(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key, validate_claims=False)
def test_jwe_no_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) - 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_no_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) + 5} et = jose.serialize_compact(jose.encrypt(claims, rsa_pub_key)) jose.legacy_decrypt(jose.deserialize_compact(et), rsa_priv_key)