def _verify_crypto_keys(self):
"""
verifies whether or not valid crypto keys were provided to the signer.
if both keys are valid, encodes and decodes a JWT to make sure the keys match.
if both private and public keys are valid and are matching => signer is enabled
if both private and public keys are None => signer is disabled (self.enabled == False)
if only one key is valid/not-None => throws ValueError
any other case => throws ValueError
"""
if self._private_key is not None and self._public_key is not None:
# both keys provided, let's make sure these keys were generated correctly
token = jwt.encode({"some": "payload"}, self._private_key, algorithm=self._algorithm)
try:
jwt.decode(token, self._public_key, algorithms=[self._algorithm])
except jwt.PyJWTError as exc:
logger.info("JWT Signer key verification failed with error: {err}", err=exc)
raise InvalidJWTCryptoKeysException("private key and public key do not match!") from exc
# save jwk
self._jwk: PyJWK = PyJWK.from_json(self.get_jwk(), algorithm=self._algorithm)
elif (self._private_key != self._public_key) and (self._private_key is None or self._public_key is None):
raise ValueError("JWT Signer not valid, only one of private key / public key pair was provided!")
elif self._private_key is None and self._public_key is None:
# valid situation, running in dev mode and api security is off
self._enabled = False
logger.info("OPAL was not provided with JWT encryption keys, cannot verify api requests!")
else:
raise ValueError("Invalid JWT Signer input!")
def test_should_load_key_okp_without_alg_from_dict(self):
with open(key_path("jwk_okp_pub_Ed25519.json")) as keyfile:
key_data = json.loads(keyfile.read())
jwk = PyJWK.from_dict(key_data)
assert jwk.key_type == "OKP"
assert isinstance(jwk.Algorithm, Ed25519Algorithm)
def test_should_load_key_ec_p384_from_dict(self):
with open(key_path("jwk_ec_pub_P-384.json")) as keyfile:
key_data = json.loads(keyfile.read())
jwk = PyJWK.from_dict(key_data)
assert jwk.key_type == "EC"
assert isinstance(jwk.Algorithm, ECAlgorithm)
assert jwk.Algorithm.hash_alg == ECAlgorithm.SHA384
def test_should_load_key_from_dict_with_algorithm(self):
with open(key_path("jwk_rsa_pub.json")) as keyfile:
key_data = json.loads(keyfile.read())
jwk = PyJWK.from_dict(key_data, algorithm="RS256")
assert jwk.key_type == "RSA"
assert isinstance(jwk.Algorithm, RSAAlgorithm)
assert jwk.Algorithm.hash_alg == RSAAlgorithm.SHA256
def test_should_load_key_hmac_from_dict(self):
with open(key_path("jwk_hmac.json")) as keyfile:
key_data = json.loads(keyfile.read())
jwk = PyJWK.from_dict(key_data)
assert jwk.key_type == "oct"
assert isinstance(jwk.Algorithm, HMACAlgorithm)
assert jwk.Algorithm.hash_alg == HMACAlgorithm.SHA256
def test_should_load_key_from_jwk_data_json_string(self):
algo = RSAAlgorithm(RSAAlgorithm.SHA256)
with open(key_path("jwk_rsa_pub.json"), "r") as keyfile:
pub_key = algo.from_jwk(keyfile.read())
key_data_str = algo.to_jwk(pub_key)
key_data = json.loads(key_data_str)
# TODO Should `to_jwk` set these?
key_data["alg"] = "RS256"
key_data["use"] = "sig"
key_data["kid"] = "keyid-abc123"
jwk = PyJWK.from_json(json.dumps(key_data))
assert jwk.key_type == "RSA"
assert jwk.key_id == "keyid-abc123"
assert jwk.public_key_use == "sig"
def test_from_dict_should_throw_exception_if_arg_is_invalid(self):
with open(key_path("jwk_rsa_pub.json")) as keyfile:
valid_rsa_pub = json.loads(keyfile.read())
with open(key_path("jwk_ec_pub_P-256.json")) as keyfile:
valid_ec_pub = json.loads(keyfile.read())
with open(key_path("jwk_okp_pub_Ed25519.json")) as keyfile:
valid_okp_pub = json.loads(keyfile.read())
# Unknown algorithm
with pytest.raises(PyJWKError):
PyJWK.from_dict(valid_rsa_pub, algorithm="unknown")
# Missing kty
v = valid_rsa_pub.copy()
del v["kty"]
with pytest.raises(InvalidKeyError):
PyJWK.from_dict(v)
# Unknown kty
v = valid_rsa_pub.copy()
v["kty"] = "unknown"
with pytest.raises(InvalidKeyError):
PyJWK.from_dict(v)
# Unknown EC crv
v = valid_ec_pub.copy()
v["crv"] = "unknown"
with pytest.raises(InvalidKeyError):
PyJWK.from_dict(v)
# Unknown OKP crv
v = valid_okp_pub.copy()
v["crv"] = "unknown"
with pytest.raises(InvalidKeyError):
PyJWK.from_dict(v)
# Missing OKP crv
v = valid_okp_pub.copy()
del v["crv"]
with pytest.raises(InvalidKeyError):
PyJWK.from_dict(v)
