def __init__(self, identifier, jku, jwkset=None):
self.identifier = identifier
self.jku = jku
self.jwkset = jwkset or JwkSet(
keys=[
Jwk.generate(KeyTypeEnum.RSA),
Jwk.generate(KeyTypeEnum.EC),
Jwk.generate(KeyTypeEnum.OCT),
]
)
def test_generate(self):
'''
nose2 jose.tests.test_jwk.TestJwk.test_generate
'''
for name, kty in KeyTypeEnum.__members__.items():
jwk = Jwk.generate(kty=kty, kid="hoge")
print jwk.to_json(indent=2)
def provide(cls, enc, jwk, jwe, cek=None, iv=None, *args, **kwargs):
if cls._KEY_WRAP is None and cek is not None:
#: CEK must be None for ECDH_ES
return None
jwe.apu = jwe.apu or "TODO:RANDOM APU"
jwe.apv = jwe.apv or "TODO:RANDOM APv"
if cek:
pass
else:
cek, iv = enc.encryptor.create_key_iv()
#: parmeters for ECDH
epk = Jwk.generate(kty=KeyTypeEnum.EC) # new adhoc key
agr = epk.key.agreement_to(jwk.key)
klen = cls.digest_key_bitlength(enc)
algid = jwe.alg.value if cls._KEY_WRAP else enc.value
other_info = cls.other_info(algid, jwe.apu, jwe.apv, klen)
#: create or derived key
key, cek_ci = cls.create_key(agr, klen, other_info, cek)
cek = cek if cls._KEY_WRAP else key
jwe.epk = epk.public_jwk
return (cek, iv, cek_ci, key)
def run(self, params, **options):
authority = Authority.objects.get(id=params.id[0])
jku = authority.auth_metadata_object.jwks_uri or \
AuthorityKeyResource.url(
authority.identifier,
tenant=authority.tenant, id=params.jkuid)
jwkset = JwkSet(
keys=[Jwk.generate(kty=params.kty[0])])
jwkset.save(authority, jku)
def test_algs(self):
''' nose2 jose.tests.test_jws.TestJwsMessage.test_algs'''
for alg in SigDict.values():
alg = SigEnum.create(alg)
signer = "https://%s.com" % alg.name
jku = signer + "/jwkset"
jwk = Jwk.generate(alg.key_type)
plaintext = "This is a message to be signed by %s" % alg.value
signature = alg.signer.sign(jwk, plaintext)
self.assertTrue(alg.signer.verify(jwk, plaintext, signature))
print alg.value, jwk.kty.value, len(signature), _BE(signature)
@property
def private_key(self):
return self.material
@property
def public_key(self):
return self.material
@property
def is_private(self):
return self.material is not None
@property
def is_public(self):
return self.material is not None
@property
def shared_key(self):
return self.material
def thumbprint_fields(self):
return ['k', 'kty', ]
if __name__ == '__main__':
from jose.jwa.keys import KeyTypeEnum
jwk = Jwk.generate(kty=KeyTypeEnum.create('oct'))
assert len(jwk.key.shared_key) == 200
jwk = Jwk.generate(kty=KeyTypeEnum.create('oct'), length=32)
assert len(jwk.key.shared_key) == 32
encs = ['A128GCM', 'A192GCM', 'A256GCM']
algs = ['A128GCMKW', 'A192GCMKW', 'A256GCMKW']
for e in encs:
enc = EncEnum.create(e).encryptor
cek, iv = enc.create_key_iv()
assert len(cek) == enc._KEY_LEN
assert len(iv) == enc._IV_LEN
print(enc.__name__)
print("CEK =", base64.urlsafe_b64encode(cek))
print("IV=", base64.urlsafe_b64encode(iv))
import itertools
from jose.jwk import Jwk
from jose.jwe import Jwe
jwk = Jwk.generate(kty="oct")
for a, e in list(itertools.product(algs, encs)):
jwe = Jwe(
alg=KeyEncEnum.create(a),
enc=EncEnum.create(e),
)
cek, iv, cek_ci, kek = jwe.provide_key(jwk)
print("alg=", a, "enc=", e)
print("CEK=", base64.base64url_encode(cek))
print("IV=", base64.base64url_encode(iv))
print("CEK_CI=", base64.base64url_encode(cek_ci))
print("Jwe.iv=", jwe.iv)
print("Jwe.tag=", jwe.tag)
cek2 = jwe.agree_key(jwk, cek_ci)
def test_rs256(self):
''' nose2 jose.tests.test_jws.TestJws.test_rs256'''
''' JWS A.2
'''
octes = [123, 34, 97, 108, 103, 34, 58,
34, 82, 83, 50, 53, 54, 34, 125]
jws_str = ''.join(chr(i) for i in octes)
self.assertEqual(jws_str, '{"alg":"RS256"}')
jws_new = Jws.from_json(jws_str)
self.assertEqual(jws_new.alg, SigEnum.RS256)
b64_header = base64.base64url_encode(jws_str)
self.assertEqual(b64_header, 'eyJhbGciOiJSUzI1NiJ9')
b64_payload = ''.join([
'eyJpc3MiOiJqb2UiLA0KICJleHAiOj',
'EzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt',
'cGxlLmNvbS9pc19yb290Ijp0cnVlfQ'])
payload = base64.base64url_decode(b64_payload)
jwt_new = Jwt.from_json(payload)
self.assertEqual(jwt_new.iss, "joe")
self.assertEqual(jwt_new.exp, 1300819380)
self.assertEqual(jwt_new['http://example.com/is_root'], True)
s_input = [
101, 121, 74, 104, 98, 71, 99,
105, 79, 105, 74, 83, 85, 122, 73,
49, 78, 105, 74, 57, 46, 101, 121,
74, 112, 99, 51, 77, 105, 79, 105,
74, 113, 98, 50, 85, 105, 76, 65,
48, 75, 73, 67, 74, 108, 101, 72,
65, 105, 79, 106, 69, 122, 77, 68,
65, 52, 77, 84, 107, 122, 79, 68,
65, 115, 68, 81, 111, 103, 73, 109,
104, 48, 100, 72, 65, 54, 76,
121, 57, 108, 101, 71, 70, 116, 99,
71, 120, 108, 76, 109, 78, 118,
98, 83, 57, 112, 99, 49, 57, 121, 98,
50, 57, 48, 73, 106, 112, 48,
99, 110, 86, 108, 102, 81]
s_input_str = "".join(chr(i) for i in s_input)
self.assertEqual(
s_input_str, ".".join([b64_header, b64_payload]))
pri_json_dict = {
"kty": "RSA",
"n": "".join([
"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddx",
"HmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMs",
"D1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSH",
"SXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdV",
"MTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8",
"NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ"]),
"e": "AQAB",
"d": "".join([
"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97I",
"jlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0",
"BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn",
"439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYT",
"CBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLh",
"BOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ"]),
}
jwk = Jwk(**pri_json_dict)
self.assertTrue(jwk.key.is_private)
signer = jws_new.alg.signer
from jose.jwa.rsa import RS256
self.assertEqual(signer, RS256)
sig_calc = signer.sign(jwk, s_input_str)
sig = [
112, 46, 33, 137, 67, 232, 143,
209, 30, 181, 216, 45, 191, 120, 69,
243, 65, 6, 174, 27, 129, 255, 247,
115, 17, 22, 173, 209, 113, 125,
131, 101, 109, 66, 10, 253, 60,
150, 238, 221, 115, 162, 102, 62, 81,
102, 104, 123, 0, 11, 135, 34, 110, 1, 135, 237, 16, 115, 249, 69,
229, 130, 173, 252, 239, 22, 216, 90, 121, 142, 232, 198, 109, 219,
61, 184, 151, 91, 23, 208, 148, 2, 190, 237, 213, 217, 217, 112, 7,
16, 141, 178, 129, 96, 213, 248, 4, 12, 167, 68, 87, 98, 184, 31,
190, 127, 249, 217, 46, 10, 231,
111, 36, 242, 91, 51, 187, 230, 244,
74, 230, 30, 177, 4, 10, 203, 32, 4, 77, 62, 249, 18, 142, 212, 1,
48, 121, 91, 212, 189, 59, 65, 238,
202, 208, 102, 171, 101, 25, 129,
253, 228, 141, 247, 127, 55, 45, 195, 139, 159, 175, 221, 59, 239,
177, 139, 93, 163, 204, 60, 46, 176, 47, 158, 58, 65, 214, 18, 202,
173, 21, 145, 18, 115, 160, 95, 35,
185, 232, 56, 250, 175, 132, 157,
105, 132, 41, 239, 90, 30, 136, 121, 130, 54, 195, 212, 14, 96, 69,
34, 165, 68, 200, 242, 122, 122, 45,
184, 6, 99, 209, 108, 247, 202,
234, 86, 222, 64, 92, 178, 33, 90, 69, 178, 194, 85, 102, 181, 90,
193, 167, 72, 160, 112, 223, 200,
163, 42, 70, 149, 67, 208, 25, 238, 251, 71]
self.assertEqual(sig, [ord(i) for i in sig_calc])
b64_sig = "".join([
'cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7',
'AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4',
'BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K',
'0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv',
'hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB',
'p0igcN_IoypGlUPQGe77Rw'])
self.assertEqual(b64_sig, base64.base64url_encode(sig_calc))
##########################
# implementation
jws_impl = Jws(alg='RS256')
msg = Message(payload=_BE(payload))
msg.signatures.append(Signature(_protected=jws_impl))
token = msg.serialize_compact(jwk=jwk)
items = token.split('.')
self.assertEqual(len(msg.signatures), 1)
self.assertEqual(msg.signatures[0]._protected.alg.value, 'RS256')
self.assertEqual(len(items), 3)
self.assertEqual(msg.signatures[0].protected, items[0])
self.assertEqual(msg.payload, items[1])
self.assertEqual(msg.signatures[0].signature, items[2])
#: restore token
msg2 = Message.from_token(token, sender=None, receiver=None)
self.assertEqual(len(msg2.signatures), 1)
self.assertEqual(msg2.payload, _BE(payload))
self.assertEqual(msg2.payload, msg.payload)
self.assertEqual(len(msg2.signatures), 1)
self.assertEqual(msg2.signatures[0]._protected.alg.value, 'RS256')
self.assertEqual(msg2.signatures[0].protected, items[0])
self.assertEqual(msg2.payload, items[1])
self.assertEqual(msg2.signatures[0].signature, items[2])
#: verify message
s = msg2.signatures[0]
self.assertTrue(s.verify(msg2.payload, jwk=jwk))
#: wrong key fails
new_jwk = Jwk.generate(KeyTypeEnum.RSA)
self.assertFalse(s.verify(msg2.payload, jwk=new_jwk))
#: Json Serialization
json_str = msg.serialize_json(jwk, indent=2)
msg3 = Message.from_token(json_str)
self.assertEqual(len(msg3.signatures), 1)
self.assertTrue(
msg3.signatures[0].verify(msg3.payload, jwk.public_jwk))
self.assertFalse(
msg3.signatures[0].verify(msg3.payload, new_jwk.public_jwk))
ret = cls._cipher.new(jwk.key.private_key).decrypt(cek_ci, _sentinel)
if ret == _sentinel:
return None
return ret
class RSA_OAEP(RsaKeyEncryptor):
_cipher = PKCS1_OAEP
@classmethod
def decrypt(cls, jwk, cek_ci, *args, **kwargs):
return cls._cipher.new(jwk.key.private_key).decrypt(cek_ci)
if __name__ == '__main__':
from jose.jwe import Jwe
from jose.jwa.keys import KeyTypeEnum
jwk = Jwk.generate(kty=KeyTypeEnum.RSA)
jwe = Jwe.from_json('{"alg": "RSA1_5", "enc": "A128CBC-HS256"}')
cek, iv, cek_ci, kek = jwe.provide_key(jwk)
print("CEK", base64.base64url_encode(cek))
print("IV", base64.base64url_encode(iv))
print("CEK_CI", base64.base64url_encode(cek_ci))
cek2 = jwe.agree_key(jwk, cek_ci)
print("CEK2", base64.base64url_encode(cek_ci))
print("IV", base64.base64url_encode(iv))
assert(cek == cek2)
def run(self, args):
super(CreateCommand, self).run(args)
jwk = Jwk.generate(**self.inits)
jwk.add_to(args.id, args.jku)
def _create_jwk(self, owner, jku, alg):
# jwk = Jwk.get_or_create_from(
# owner, jku, alg.key_type, kid=None)
jwk = Jwk.generate(alg.key_type)
return jwk
