|
5 | 5 | from cryptojwt.exception import IssuerNotFound
|
6 | 6 | from cryptojwt.jws.exception import NoSuitableSigningKeys
|
7 | 7 | from cryptojwt.jwt import JWT
|
| 8 | +from cryptojwt.jwt import VerificationError, utc_time_sans_frac |
8 | 9 | from cryptojwt.jwt import pick_key
|
9 | 10 | from cryptojwt.key_bundle import KeyBundle
|
10 | 11 | from cryptojwt.key_jar import KeyJar
|
@@ -81,6 +82,59 @@ def test_jwt_pack_and_unpack():
|
81 | 82 | assert set(info.keys()) == {"iat", "iss", "sub"}
|
82 | 83 |
|
83 | 84 |
|
| 85 | +def test_jwt_pack_and_unpack_valid(): |
| 86 | + alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256") |
| 87 | + t = utc_time_sans_frac() |
| 88 | + payload = {"sub": "sub", "nbf": t, "exp": t + 3600} |
| 89 | + _jwt = alice.pack(payload=payload) |
| 90 | + |
| 91 | + bob = JWT(key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"]) |
| 92 | + info = bob.unpack(_jwt) |
| 93 | + |
| 94 | + assert set(info.keys()) == {"iat", "iss", "sub", "nbf", "exp"} |
| 95 | + |
| 96 | + |
| 97 | +def test_jwt_pack_and_unpack_not_yet_valid(): |
| 98 | + lifetime = 3600 |
| 99 | + skew = 15 |
| 100 | + alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256", lifetime=lifetime) |
| 101 | + timestamp = utc_time_sans_frac() |
| 102 | + payload = {"sub": "sub", "nbf": timestamp} |
| 103 | + _jwt = alice.pack(payload=payload) |
| 104 | + |
| 105 | + bob = JWT(key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"], skew=skew) |
| 106 | + _ = bob.unpack(_jwt, timestamp=timestamp - skew) |
| 107 | + with pytest.raises(VerificationError): |
| 108 | + _ = bob.unpack(_jwt, timestamp=timestamp - skew - 1) |
| 109 | + |
| 110 | + |
| 111 | +def test_jwt_pack_and_unpack_expired(): |
| 112 | + lifetime = 3600 |
| 113 | + skew = 15 |
| 114 | + alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256", lifetime=lifetime) |
| 115 | + payload = {"sub": "sub"} |
| 116 | + _jwt = alice.pack(payload=payload) |
| 117 | + |
| 118 | + bob = JWT(key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"], skew=skew) |
| 119 | + iat = bob.unpack(_jwt)["iat"] |
| 120 | + _ = bob.unpack(_jwt, timestamp=iat + lifetime + skew - 1) |
| 121 | + with pytest.raises(VerificationError): |
| 122 | + _ = bob.unpack(_jwt, timestamp=iat + lifetime + skew) |
| 123 | + |
| 124 | + |
| 125 | +def test_jwt_pack_and_unpack_max_lifetime_exceeded(): |
| 126 | + lifetime = 3600 |
| 127 | + alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256", lifetime=lifetime) |
| 128 | + payload = {"sub": "sub"} |
| 129 | + _jwt = alice.pack(payload=payload) |
| 130 | + |
| 131 | + bob = JWT( |
| 132 | + key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"], allowed_max_lifetime=lifetime - 1 |
| 133 | + ) |
| 134 | + with pytest.raises(VerificationError): |
| 135 | + _ = bob.unpack(_jwt) |
| 136 | + |
| 137 | + |
84 | 138 | def test_jwt_pack_and_unpack_unknown_issuer():
|
85 | 139 | alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256")
|
86 | 140 | payload = {"sub": "sub"}
|
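Review bot: `test_jwt_pack_and_unpack_max_lifetime_exceeded` exercises only the rejecting side of `allowed_max_lifetime`, whereas the not-yet-valid and expired tests in this hunk check both sides of their boundary. Because `pytest.raises(VerificationError)` is satisfied by any verification failure, this test would still pass if `unpack` rejected the token for a reason unrelated to its lifetime. Assuming the limit is inclusive, add the accepting case before the `with` block, `JWT(key_jar=BOB_KEY_JAR, iss=BOB, allowed_sign_algs=["RS256"], allowed_max_lifetime=lifetime).unpack(_jwt)`, so the boundary is pinned from both sides. The other two negative tests have the same weakness to a lesser degree; checking the exception message there would tie each failure to the `nbf` or `exp` check rather than to verification in general.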
@@ -261,4 +315,4 @@ def test_eddsa_jwt():
|
261 | 315 | kj = KeyJar()
|
262 | 316 | kj.add_kb(ISSUER, KeyBundle(JWKS_DICT))
|
263 | 317 | jwt = JWT(key_jar=kj)
|
264 |
| - _ = jwt.unpack(JWT_TEST) |
| 318 | + _ = jwt.unpack(JWT_TEST, timestamp=1655278809) |