feat: Implement ES256 for JWT verification (#340)
feat: Implement EC256 for JWT verification
diff --git a/tests/crypt/test_es256.py b/tests/crypt/test_es256.py
new file mode 100644
index 0000000..087ce6e
--- /dev/null
+++ b/tests/crypt/test_es256.py
@@ -0,0 +1,131 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+import os
+
+from cryptography.hazmat.primitives.asymmetric import ec
+import pytest
+
+from google.auth import _helpers
+from google.auth.crypt import base
+from google.auth.crypt import es256
+
+
+DATA_DIR = os.path.join(os.path.dirname(__file__), "..", "data")
+
+# To generate es256_privatekey.pem, es256_privatekey.pub, and
+# es256_public_cert.pem:
+# $ openssl ecparam -genkey -name prime256v1 -noout -out es256_privatekey.pem
+# $ openssl ec -in es256-private-key.pem -pubout -out es256-publickey.pem
+# $ openssl req -new -x509 -key es256_privatekey.pem -out \
+# > es256_public_cert.pem
+
+with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh:
+ PRIVATE_KEY_BYTES = fh.read()
+ PKCS1_KEY_BYTES = PRIVATE_KEY_BYTES
+
+with open(os.path.join(DATA_DIR, "es256_publickey.pem"), "rb") as fh:
+ PUBLIC_KEY_BYTES = fh.read()
+
+with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh:
+ PUBLIC_CERT_BYTES = fh.read()
+
+SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "es256_service_account.json")
+
+with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
+ SERVICE_ACCOUNT_INFO = json.load(fh)
+
+
+class TestES256Verifier(object):
+ def test_verify_success(self):
+ to_sign = b"foo"
+ signer = es256.ES256Signer.from_string(PRIVATE_KEY_BYTES)
+ actual_signature = signer.sign(to_sign)
+
+ verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES)
+ assert verifier.verify(to_sign, actual_signature)
+
+ def test_verify_unicode_success(self):
+ to_sign = u"foo"
+ signer = es256.ES256Signer.from_string(PRIVATE_KEY_BYTES)
+ actual_signature = signer.sign(to_sign)
+
+ verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES)
+ assert verifier.verify(to_sign, actual_signature)
+
+ def test_verify_failure(self):
+ verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES)
+ bad_signature1 = b""
+ assert not verifier.verify(b"foo", bad_signature1)
+ bad_signature2 = b"a"
+ assert not verifier.verify(b"foo", bad_signature2)
+
+ def test_from_string_pub_key(self):
+ verifier = es256.ES256Verifier.from_string(PUBLIC_KEY_BYTES)
+ assert isinstance(verifier, es256.ES256Verifier)
+ assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey)
+
+ def test_from_string_pub_key_unicode(self):
+ public_key = _helpers.from_bytes(PUBLIC_KEY_BYTES)
+ verifier = es256.ES256Verifier.from_string(public_key)
+ assert isinstance(verifier, es256.ES256Verifier)
+ assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey)
+
+ def test_from_string_pub_cert(self):
+ verifier = es256.ES256Verifier.from_string(PUBLIC_CERT_BYTES)
+ assert isinstance(verifier, es256.ES256Verifier)
+ assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey)
+
+ def test_from_string_pub_cert_unicode(self):
+ public_cert = _helpers.from_bytes(PUBLIC_CERT_BYTES)
+ verifier = es256.ES256Verifier.from_string(public_cert)
+ assert isinstance(verifier, es256.ES256Verifier)
+ assert isinstance(verifier._pubkey, ec.EllipticCurvePublicKey)
+
+
+class TestES256Signer(object):
+ def test_from_string_pkcs1(self):
+ signer = es256.ES256Signer.from_string(PKCS1_KEY_BYTES)
+ assert isinstance(signer, es256.ES256Signer)
+ assert isinstance(signer._key, ec.EllipticCurvePrivateKey)
+
+ def test_from_string_pkcs1_unicode(self):
+ key_bytes = _helpers.from_bytes(PKCS1_KEY_BYTES)
+ signer = es256.ES256Signer.from_string(key_bytes)
+ assert isinstance(signer, es256.ES256Signer)
+ assert isinstance(signer._key, ec.EllipticCurvePrivateKey)
+
+ def test_from_string_bogus_key(self):
+ key_bytes = "bogus-key"
+ with pytest.raises(ValueError):
+ es256.ES256Signer.from_string(key_bytes)
+
+ def test_from_service_account_info(self):
+ signer = es256.ES256Signer.from_service_account_info(SERVICE_ACCOUNT_INFO)
+
+ assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID]
+ assert isinstance(signer._key, ec.EllipticCurvePrivateKey)
+
+ def test_from_service_account_info_missing_key(self):
+ with pytest.raises(ValueError) as excinfo:
+ es256.ES256Signer.from_service_account_info({})
+
+ assert excinfo.match(base._JSON_FILE_PRIVATE_KEY)
+
+ def test_from_service_account_file(self):
+ signer = es256.ES256Signer.from_service_account_file(SERVICE_ACCOUNT_JSON_FILE)
+
+ assert signer.key_id == SERVICE_ACCOUNT_INFO[base._JSON_FILE_PRIVATE_KEY_ID]
+ assert isinstance(signer._key, ec.EllipticCurvePrivateKey)
diff --git a/tests/data/es256_privatekey.pem b/tests/data/es256_privatekey.pem
new file mode 100644
index 0000000..5c950b5
--- /dev/null
+++ b/tests/data/es256_privatekey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAIC57aTx5ev4T2HBMQk4fXV09AzLDQ3Ju1uNoEB0LngoAoGCCqGSM49
+AwEHoUQDQgAEsACsrmP6Bp216OCFm73C8W/VRHZWcO8yU/bMwx96f05BkTII3KeJ
+z2O0IRAnXfso8K6YsjMuUDGCfj+b1IDIoA==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data/es256_public_cert.pem b/tests/data/es256_public_cert.pem
new file mode 100644
index 0000000..774ca14
--- /dev/null
+++ b/tests/data/es256_public_cert.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE-----
+MIIBGDCBwAIJAPUA0H4EQWsdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMMCnVuaXQt
+dGVzdHMwHhcNMTkwNTA5MDI1MDExWhcNMTkwNjA4MDI1MDExWjAVMRMwEQYDVQQD
+DAp1bml0LXRlc3RzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsACsrmP6Bp21
+6OCFm73C8W/VRHZWcO8yU/bMwx96f05BkTII3KeJz2O0IRAnXfso8K6YsjMuUDGC
+fj+b1IDIoDAKBggqhkjOPQQDAgNHADBEAh8PcDTMyWk8SHqV/v8FLuMbDxdtAsq2
+dwCpuHQwqCcmAiEAnwtkiyieN+8zozaf1P4QKp2mAqNGqua50y3ua5uVotc=
+-----END CERTIFICATE-----
diff --git a/tests/data/es256_publickey.pem b/tests/data/es256_publickey.pem
new file mode 100644
index 0000000..51f2a03
--- /dev/null
+++ b/tests/data/es256_publickey.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsACsrmP6Bp216OCFm73C8W/VRHZW
+cO8yU/bMwx96f05BkTII3KeJz2O0IRAnXfso8K6YsjMuUDGCfj+b1IDIoA==
+-----END PUBLIC KEY-----
diff --git a/tests/data/es256_service_account.json b/tests/data/es256_service_account.json
new file mode 100644
index 0000000..dd26719
--- /dev/null
+++ b/tests/data/es256_service_account.json
@@ -0,0 +1,10 @@
+{
+ "type": "service_account",
+ "project_id": "example-project",
+ "private_key_id": "1",
+ "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAIC57aTx5ev4T2HBMQk4fXV09AzLDQ3Ju1uNoEB0LngoAoGCCqGSM49\nAwEHoUQDQgAEsACsrmP6Bp216OCFm73C8W/VRHZWcO8yU/bMwx96f05BkTII3KeJ\nz2O0IRAnXfso8K6YsjMuUDGCfj+b1IDIoA==\n-----END EC PRIVATE KEY-----",
+ "client_email": "service-account@example.com",
+ "client_id": "1234",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://accounts.google.com/o/oauth2/token"
+}
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
index b0c6e48..488aee4 100644
--- a/tests/test_jwt.py
+++ b/tests/test_jwt.py
@@ -37,6 +37,12 @@
with open(os.path.join(DATA_DIR, "other_cert.pem"), "rb") as fh:
OTHER_CERT_BYTES = fh.read()
+with open(os.path.join(DATA_DIR, "es256_privatekey.pem"), "rb") as fh:
+ EC_PRIVATE_KEY_BYTES = fh.read()
+
+with open(os.path.join(DATA_DIR, "es256_public_cert.pem"), "rb") as fh:
+ EC_PUBLIC_CERT_BYTES = fh.read()
+
SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, "service_account.json")
with open(SERVICE_ACCOUNT_JSON_FILE, "r") as fh:
@@ -68,8 +74,21 @@
@pytest.fixture
-def token_factory(signer):
- def factory(claims=None, key_id=None):
+def es256_signer():
+ return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1")
+
+
+def test_encode_basic_es256(es256_signer):
+ test_payload = {"test": "value"}
+ encoded = jwt.encode(es256_signer, test_payload)
+ header, payload, _, _ = jwt._unverified_decode(encoded)
+ assert payload == test_payload
+ assert header == {"typ": "JWT", "alg": "ES256", "kid": es256_signer.key_id}
+
+
+@pytest.fixture
+def token_factory(signer, es256_signer):
+ def factory(claims=None, key_id=None, use_es256_signer=False):
now = _helpers.datetime_to_secs(_helpers.utcnow())
payload = {
"aud": "audience@example.com",
@@ -86,7 +105,10 @@
signer._key_id = None
key_id = None
- return jwt.encode(signer, payload, key_id=key_id)
+ if use_es256_signer:
+ return jwt.encode(es256_signer, payload, key_id=key_id)
+ else:
+ return jwt.encode(signer, payload, key_id=key_id)
return factory
@@ -98,6 +120,15 @@
assert payload["metadata"]["meta"] == "data"
+def test_decode_valid_es256(token_factory):
+ payload = jwt.decode(
+ token_factory(use_es256_signer=True), certs=EC_PUBLIC_CERT_BYTES
+ )
+ assert payload["aud"] == "audience@example.com"
+ assert payload["user"] == "billy bob"
+ assert payload["metadata"]["meta"] == "data"
+
+
def test_decode_valid_with_audience(token_factory):
payload = jwt.decode(
token_factory(), certs=PUBLIC_CERT_BYTES, audience="audience@example.com"
@@ -201,6 +232,29 @@
assert payload["user"] == "billy bob"
+def test_decode_unknown_alg():
+ headers = json.dumps({u"kid": u"1", u"alg": u"fakealg"})
+ token = b".".join(
+ map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
+ )
+
+ with pytest.raises(ValueError) as excinfo:
+ jwt.decode(token)
+ assert excinfo.match(r"fakealg")
+
+
+def test_decode_missing_crytography_alg(monkeypatch):
+ monkeypatch.delitem(jwt._ALGORITHM_TO_VERIFIER_CLASS, "ES256")
+ headers = json.dumps({u"kid": u"1", u"alg": u"ES256"})
+ token = b".".join(
+ map(lambda seg: base64.b64encode(seg.encode("utf-8")), [headers, u"{}", u"sig"])
+ )
+
+ with pytest.raises(ValueError) as excinfo:
+ jwt.decode(token)
+ assert excinfo.match(r"cryptography")
+
+
def test_roundtrip_explicit_key_id(token_factory):
token = token_factory(key_id="3")
certs = {"2": OTHER_CERT_BYTES, "3": PUBLIC_CERT_BYTES}