def test_ps256_key_with_a_custom_kid_header(self):
    """Check that a custom kid is emitted for a RAW PS256 key and rejected under TINK.

    A keyset is created from the raw PS256/2048/F4 template, a ``custom_kid``
    is written into the serialized key, and the signed token's header is
    expected to carry that value as ``kid``. Switching the same key to the
    TINK output prefix must then raise ``tink.TinkError``.
    """
    handle = tink.new_keyset_handle(jwt.raw_jwt_ps256_2048_f4_template())

    # The public API offers no way to set custom_kid here, so the test edits
    # the serialized private key through the handle's private _keyset proto.
    keyset = handle._keyset
    private_key = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssPrivateKey.FromString(
        keyset.key[0].key_data.value)
    private_key.public_key.custom_kid.value = 'my kid'
    keyset.key[0].key_data.value = private_key.SerializeToString()

    signer = handle.primitive(jwt.JwtPublicKeySign)
    token = jwt.new_raw_jwt(issuer='issuer', without_expiration=True)
    compact = signer.sign_and_encode(token)

    # Only the JSON header of the compact serialization matters here; the
    # four-way unpacking also pins the shape of the split result.
    _unsigned, header_json, _payload, _signature = (
        _jwt_format.split_signed_compact(compact))
    self.assertEqual(_jwt_format.json_loads(header_json)['kid'], 'my kid')

    # A key carrying custom_kid must not be usable with the TINK output
    # prefix. NOTE(review): presumably because TINK-prefixed keys derive the
    # kid header from the key id, so a second, caller-chosen kid would be
    # ambiguous; confirm against the key manager.
    keyset.key[0].output_prefix_type = tink_pb2.TINK
    with self.assertRaises(tink.TinkError):
        # Either creating the primitive or signing may be the call that
        # raises; the test accepts both.
        handle.primitive(jwt.JwtPublicKeySign).sign_and_encode(token)
'JWT_ES256': jwt.jwt_es256_template(), 'JWT_ES256_RAW': jwt.raw_jwt_es256_template(), 'JWT_ES384': jwt.jwt_es384_template(), 'JWT_ES384_RAW': jwt.raw_jwt_es384_template(), 'JWT_ES512': jwt.jwt_es512_template(), 'JWT_ES512_RAW': jwt.raw_jwt_es512_template(), 'JWT_RS256_2048_F4': jwt.jwt_rs256_2048_f4_template(), 'JWT_RS256_2048_F4_RAW': jwt.raw_jwt_rs256_2048_f4_template(), 'JWT_RS256_3072_F4': jwt.jwt_rs256_3072_f4_template(), 'JWT_RS256_3072_F4_RAW': jwt.raw_jwt_rs256_3072_f4_template(), 'JWT_RS384_3072_F4': jwt.jwt_rs384_3072_f4_template(), 'JWT_RS384_3072_F4_RAW': jwt.raw_jwt_rs384_3072_f4_template(), 'JWT_RS512_4096_F4': jwt.jwt_rs512_4096_f4_template(), 'JWT_RS512_4096_F4_RAW': jwt.raw_jwt_rs512_4096_f4_template(), 'JWT_PS256_2048_F4': jwt.jwt_ps256_2048_f4_template(), 'JWT_PS256_2048_F4_RAW': jwt.raw_jwt_ps256_2048_f4_template(), 'JWT_PS256_3072_F4': jwt.jwt_ps256_3072_f4_template(), 'JWT_PS256_3072_F4_RAW': jwt.raw_jwt_ps256_3072_f4_template(), 'JWT_PS384_3072_F4': jwt.jwt_ps384_3072_f4_template(), 'JWT_PS384_3072_F4_RAW': jwt.raw_jwt_ps384_3072_f4_template(), 'JWT_PS512_4096_F4': jwt.jwt_ps512_4096_f4_template(), 'JWT_PS512_4096_F4_RAW': jwt.raw_jwt_ps512_4096_f4_template(), } # Key template names for which the list of supported languages is different from # the list of supported languages of the whole key type. _CUSTOM_SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME = { 'ECIES_P256_HKDF_HMAC_SHA256_XCHACHA20_POLY1305': ['cc', 'python'], }
class JwtKeyTemplatesTest(parameterized.TestCase):
    """Round-trip checks for the JWT key templates.

    Each template is used to generate a fresh keyset, produce a compact token
    with it, and confirm that the matching verification primitive accepts the
    token and returns the original claims.
    """

    @parameterized.named_parameters([
        ('JWT_HS256', jwt.jwt_hs256_template()),
        ('JWT_HS256_RAW', jwt.raw_jwt_hs256_template()),
        ('JWT_HS384', jwt.jwt_hs384_template()),
        ('JWT_HS384_RAW', jwt.raw_jwt_hs384_template()),
        ('JWT_HS512', jwt.jwt_hs512_template()),
        ('JWT_HS512_RAW', jwt.raw_jwt_hs512_template()),
    ])
    def test_mac_success(self, key_template):
        """Compute and verify a JWT MAC with a keyset built from key_template."""
        handle = tink.new_keyset_handle(key_template)
        mac = handle.primitive(jwt.JwtMac)

        raw_token = jwt.new_raw_jwt(
            issuer='issuer', subject='subject', without_expiration=True)
        encoded = mac.compute_mac_and_encode(raw_token)

        # The token carries no expiry, so the validator is paired with
        # allow_missing_expiration; the issuer is still checked.
        validator = jwt.new_validator(
            expected_issuer='issuer', allow_missing_expiration=True)
        decoded = mac.verify_mac_and_decode(encoded, validator)

        self.assertEqual(decoded.issuer(), raw_token.issuer())
        self.assertEqual(decoded.subject(), raw_token.subject())

    @parameterized.named_parameters([
        ('JWT_ES256', jwt.jwt_es256_template()),
        ('JWT_ES256_RAW', jwt.raw_jwt_es256_template()),
        ('JWT_ES384', jwt.jwt_es384_template()),
        ('JWT_ES384_RAW', jwt.raw_jwt_es384_template()),
        ('JWT_ES512', jwt.jwt_es512_template()),
        ('JWT_ES512_RAW', jwt.raw_jwt_es512_template()),
        ('JWT_RS256_2048_F4', jwt.jwt_rs256_2048_f4_template()),
        ('JWT_RS256_2048_F4_RAW', jwt.raw_jwt_rs256_2048_f4_template()),
        ('JWT_RS256_3072_F4', jwt.jwt_rs256_3072_f4_template()),
        ('JWT_RS256_3072_F4_RAW', jwt.raw_jwt_rs256_3072_f4_template()),
        ('JWT_RS384_3072_F4', jwt.jwt_rs384_3072_f4_template()),
        ('JWT_RS384_3072_F4_RAW', jwt.raw_jwt_rs384_3072_f4_template()),
        ('JWT_RS512_4096_F4', jwt.jwt_rs512_4096_f4_template()),
        ('JWT_RS512_4096_F4_RAW', jwt.raw_jwt_rs512_4096_f4_template()),
        ('JWT_PS256_2048_F4', jwt.jwt_ps256_2048_f4_template()),
        ('JWT_PS256_2048_F4_RAW', jwt.raw_jwt_ps256_2048_f4_template()),
        ('JWT_PS256_3072_F4', jwt.jwt_ps256_3072_f4_template()),
        ('JWT_PS256_3072_F4_RAW', jwt.raw_jwt_ps256_3072_f4_template()),
        ('JWT_PS384_3072_F4', jwt.jwt_ps384_3072_f4_template()),
        ('JWT_PS384_3072_F4_RAW', jwt.raw_jwt_ps384_3072_f4_template()),
        ('JWT_PS512_4096_F4', jwt.jwt_ps512_4096_f4_template()),
        ('JWT_PS512_4096_F4_RAW', jwt.raw_jwt_ps512_4096_f4_template()),
    ])
    def test_new_keydata_primitive_success(self, template):
        """Sign with a private keyset from template and verify with its public half."""
        signing_handle = tink.new_keyset_handle(template)
        signer = signing_handle.primitive(jwt.JwtPublicKeySign)

        # Verification is done with a handle that holds only the public keys.
        public_handle = signing_handle.public_keyset_handle()
        verifier = public_handle.primitive(jwt.JwtPublicKeyVerify)

        token = jwt.new_raw_jwt(
            issuer='issuer', subject='subject', without_expiration=True)
        encoded = signer.sign_and_encode(token)

        # No expiry is set on the token, hence allow_missing_expiration; the
        # issuer is still checked by the validator.
        validator = jwt.new_validator(
            expected_issuer='issuer', allow_missing_expiration=True)
        decoded = verifier.verify_and_decode(encoded, validator)

        self.assertEqual(decoded.issuer(), 'issuer')
        self.assertEqual(decoded.subject(), 'subject')
'JWT_RS256_3072_F4': jwt.jwt_rs256_3072_f4_template(), 'JWT_RS256_3072_F4_RAW': jwt.raw_jwt_rs256_3072_f4_template(), 'JWT_RS384_3072_F4': jwt.jwt_rs384_3072_f4_template(), 'JWT_RS384_3072_F4_RAW': jwt.raw_jwt_rs384_3072_f4_template(), 'JWT_RS512_4096_F4': jwt.jwt_rs512_4096_f4_template(), 'JWT_RS512_4096_F4_RAW': jwt.raw_jwt_rs512_4096_f4_template(), 'JWT_PS256_2048_F4': jwt.jwt_ps256_2048_f4_template(), 'JWT_PS256_2048_F4_RAW': jwt.raw_jwt_ps256_2048_f4_template(), 'JWT_PS256_3072_F4': jwt.jwt_ps256_3072_f4_template(), 'JWT_PS256_3072_F4_RAW': jwt.raw_jwt_ps256_3072_f4_template(), 'JWT_PS384_3072_F4': jwt.jwt_ps384_3072_f4_template(), 'JWT_PS384_3072_F4_RAW': jwt.raw_jwt_ps384_3072_f4_template(), 'JWT_PS512_4096_F4': jwt.jwt_ps512_4096_f4_template(), 'JWT_PS512_4096_F4_RAW': jwt.raw_jwt_ps512_4096_f4_template(), } # Key template names for which the list of supported languages is different from