From a2524d73c3fc46b2879c7f8e88baa38b1698f2a6 Mon Sep 17 00:00:00 2001 From: yugangw-msft Date: Wed, 10 Oct 2018 16:27:34 -0700 Subject: [PATCH 1/5] support sn+issue login --- adal/authentication_context.py | 8 +++++--- adal/self_signed_jwt.py | 22 ++++++++++++++++------ adal/token_request.py | 8 ++++---- tests/test_self_signed_jwt.py | 2 +- 4 files changed, 26 insertions(+), 14 deletions(-) diff --git a/adal/authentication_context.py b/adal/authentication_context.py index 45b3894c..fb6b2e05 100644 --- a/adal/authentication_context.py +++ b/adal/authentication_context.py @@ -235,19 +235,21 @@ def token_func(self): return self._acquire_token(token_func) def acquire_token_with_client_certificate(self, resource, client_id, - certificate, thumbprint): + certificate, thumbprint, send_x5c=False): '''Gets a token for a given resource via certificate credentials :param str resource: A URI that identifies the resource for which the token is valid. :param str client_id: The OAuth client id of the calling application. :param str certificate: A PEM encoded certificate private key. - :param str thumbprint: hex encoded thumbprint of the certificate. + :param str thumbprint: hex encoded thumbprint of the certificate. + :param send_x5c(optional): if True, send the public certificate through 'x5c' JWT header + for subject name and issuer based authentication, which is to support cert auto rolls :returns: dict with several keys, include "accessToken". ''' def token_func(self): token_request = TokenRequest(self._call_context, self, client_id, resource) - return token_request.get_token_with_certificate(certificate, thumbprint) + return token_request.get_token_with_certificate(certificate, thumbprint, send_x5c) return self._acquire_token(token_func) diff --git a/adal/self_signed_jwt.py b/adal/self_signed_jwt.py index 54c0fd99..2f8b19af 100644 --- a/adal/self_signed_jwt.py +++ b/adal/self_signed_jwt.py 
@@ -78,12 +78,13 @@ def __init__(self, call_context, authority, client_id): self._token_endpoint = authority.token_endpoint self._client_id = client_id - def _create_header(self, thumbprint): + def _create_header(self, thumbprint, public_certificate): x5t = _create_x5t_value(thumbprint) header = {'typ':'JWT', 'alg':'RS256', 'x5t':x5t} - - self._log.debug("Creating self signed JWT header. x5t: %(x5t)s", - {"x5t": x5t}) + if public_certificate: + header['x5c'] = public_certificate + self._log.debug("Creating self signed JWT header. x5t: %(x5t)s, x5c: %(x5c)s", + {"x5t": x5t, "x5c": public_certificate}) return header @@ -117,8 +118,17 @@ def _reduce_thumbprint(self, thumbprint): self._raise_on_invalid_thumbprint(canonical) return canonical - def create(self, certificate, thumbprint): + def create(self, certificate, thumbprint, send_x5c): thumbprint = self._reduce_thumbprint(thumbprint) - header = self._create_header(thumbprint) + + public_certificate = None + if send_x5c: + # to avoid pulling in OpenSSL dependency,we do low-tech but safe parsing based on + # https://github.com/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h + match = re.search('\-+BEGIN CERTIFICATE.+\-+(?P[^-]+)\-+END CERTIFICATE.+\-+', + certificate, re.I) + public_certificate = match.group('public').strip() + + header = self._create_header(thumbprint, public_certificate) payload = self._create_payload() return _sign_jwt(header, payload, certificate) diff --git a/adal/token_request.py b/adal/token_request.py index dd6f4501..fa6d264e 100644 --- a/adal/token_request.py +++ b/adal/token_request.py 
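Review bot: `header['x5c'] = public_certificate` places a single string in the header, whereas RFC 7515 section 4.1.6 defines `x5c` as a JSON array of base64-encoded DER certificates; patch 4 leaves this line untouched, so the final state of the series still emits the string form. Confirm that the token endpoint accepts a bare string here, and if it does not, the change is `header['x5c'] = [public_certificate]`. The new debug call also writes the entire certificate body to the log on every JWT creation; the material is public, but a length or just `x5t` would keep log volume sane. The PEM scraping added to `create` in this same patch keeps the interior line breaks of the base64 body (`.strip()` only trims the ends), but patch 4 deletes that code, so no change is needed there.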
@@ -351,20 +351,20 @@ def get_token_from_cache_with_refresh(self, user_id): self._user_id = user_id return self._find_token_from_cache() - def _create_jwt(self, certificate, thumbprint): + def _create_jwt(self, certificate, thumbprint, send_x5c): ssj = self._create_self_signed_jwt() - jwt = ssj.create(certificate, thumbprint) + jwt = ssj.create(certificate, thumbprint, send_x5c) if not jwt: raise AdalError("Failed to create JWT.") return jwt - def get_token_with_certificate(self, certificate, thumbprint): + def get_token_with_certificate(self, certificate, thumbprint, send_x5c): self._log.info("Getting a token via certificate.") - jwt = self._create_jwt(certificate, thumbprint) + jwt = self._create_jwt(certificate, thumbprint, send_x5c) oauth_parameters = self._create_oauth_parameters(OAUTH2_GRANT_TYPE.CLIENT_CREDENTIALS) oauth_parameters[OAUTH2_PARAMETERS.CLIENT_ASSERTION_TYPE] = OAUTH2_GRANT_TYPE.JWT_BEARER diff --git a/tests/test_self_signed_jwt.py b/tests/test_self_signed_jwt.py index 629e381b..ae6b35d7 100644 --- a/tests/test_self_signed_jwt.py +++ b/tests/test_self_signed_jwt.py @@ -69,7 +69,7 @@ def _create_jwt(self, cert, thumbprint, encodeError = None): else: self_signed_jwt._encode_jwt = mock.MagicMock(return_value = self.expectedJwt) - jwt = ssjwt.create(cert, thumbprint) + jwt = ssjwt.create(cert, thumbprint, False) return jwt def _create_jwt_and_match_expected_err(self, testCert, thumbprint, encodeError = None): From e6c8ed1978db13e3a715e7a36bdbec4cb4eeb1ce Mon Sep 17 00:00:00 2001 From: yugangw-msft Date: Thu, 11 Oct 2018 11:57:46 -0700 Subject: [PATCH 2/5] add error handling --- adal/self_signed_jwt.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/adal/self_signed_jwt.py b/adal/self_signed_jwt.py index 2f8b19af..7352d305 100644 --- a/adal/self_signed_jwt.py +++ b/adal/self_signed_jwt.py 
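Review bot: `get_token_with_certificate(self, certificate, thumbprint, send_x5c)` and `_create_jwt` make the new argument mandatory, so an existing caller of `TokenRequest.get_token_with_certificate(certificate, thumbprint)` now raises TypeError, even though `acquire_token_with_client_certificate` in this same patch defaults it to `False`. Give the methods the same default, `def get_token_with_certificate(self, certificate, thumbprint, send_x5c=False):`, and likewise for `_create_jwt` and for `SelfSignedJwt.create` in the self_signed_jwt hunk of this patch. Patch 4 renames the parameter to `public_certificate` but keeps it required in all three places; `public_certificate=None` there would match the public entry point. The body of `get_token_with_certificate` continues past the end of the hunk.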
@@ -123,10 +123,12 @@ def create(self, certificate, thumbprint, send_x5c): public_certificate = None if send_x5c: - # to avoid pulling in OpenSSL dependency,we do low-tech but safe parsing based on - # https://github.com/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h + # to avoid pulling in OpenSSL dependency, we do low-tech but safe parsing based on markers + # defined in "/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h" match = re.search('\-+BEGIN CERTIFICATE.+\-+(?P[^-]+)\-+END CERTIFICATE.+\-+', certificate, re.I) + if not match: + raise AdalError("Error:Invalid Certificate: Marker of '-----BEGIN CERTIFICATE-----' was not found") public_certificate = match.group('public').strip() header = self._create_header(thumbprint, public_certificate) From ce349d86829f4844ee1f8511874375181b6cb1ad Mon Sep 17 00:00:00 2001 From: yugangw-msft Date: Thu, 11 Oct 2018 18:23:51 -0700 Subject: [PATCH 3/5] fix lint error --- adal/self_signed_jwt.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/adal/self_signed_jwt.py b/adal/self_signed_jwt.py index 7352d305..015e3cef 100644 --- a/adal/self_signed_jwt.py +++ b/adal/self_signed_jwt.py @@ -125,7 +125,7 @@ def create(self, certificate, thumbprint, send_x5c): if send_x5c: # to avoid pulling in OpenSSL dependency, we do low-tech but safe parsing based on markers # defined in "/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h" - match = re.search('\-+BEGIN CERTIFICATE.+\-+(?P[^-]+)\-+END CERTIFICATE.+\-+', + match = re.search(r'\-+BEGIN CERTIFICATE.+\-+(?P[^-]+)\-+END CERTIFICATE.+\-+', certificate, re.I) if not match: raise AdalError("Error:Invalid Certificate: Marker of '-----BEGIN CERTIFICATE-----' was not found") From 9b58f3c39f923a8bbc3f4bc2931340b3b7db3f62 Mon Sep 17 00:00:00 2001 
From: yugangw-msft Date: Wed, 17 Oct 2018 09:34:30 -0700 Subject: [PATCH 4/5] address review feedback --- adal/authentication_context.py | 9 +++++---- adal/self_signed_jwt.py | 12 +----------- adal/token_request.py | 8 ++++---- tests/test_self_signed_jwt.py | 2 +- 4 files changed, 11 insertions(+), 20 deletions(-) diff --git a/adal/authentication_context.py b/adal/authentication_context.py index fb6b2e05..8b5ca270 100644 --- a/adal/authentication_context.py +++ b/adal/authentication_context.py @@ -235,7 +235,7 @@ def token_func(self): return self._acquire_token(token_func) def acquire_token_with_client_certificate(self, resource, client_id, - certificate, thumbprint, send_x5c=False): + certificate, thumbprint, public_certificate=None): '''Gets a token for a given resource via certificate credentials :param str resource: A URI that identifies the resource for which the @@ -243,13 +243,14 @@ def acquire_token_with_client_certificate(self, resource, client_id, :param str client_id: The OAuth client id of the calling application. :param str certificate: A PEM encoded certificate private key. :param str thumbprint: hex encoded thumbprint of the certificate. - :param send_x5c(optional): if True, send the public certificate through 'x5c' JWT header - for subject name and issuer based authentication, which is to support cert auto rolls + :param public_certificate(optional): if not None, it will be sent to the service for subject name + and issuer based authentication, which is to support cert auto rolls. The value must match the + certificate private key parameter. :returns: dict with several keys, include "accessToken". ''' def token_func(self): token_request = TokenRequest(self._call_context, self, client_id, resource) - return token_request.get_token_with_certificate(certificate, thumbprint, send_x5c) + return token_request.get_token_with_certificate(certificate, thumbprint, public_certificate) return self._acquire_token(token_func) 
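Review bot: The new `:param public_certificate(optional):` text does not say what form the value must take, and nothing downstream normalizes it: `_create_header` copies it verbatim into the JWT header, and the fixture added in patch 5 passes the bare base64 DER body with no `-----BEGIN CERTIFICATE-----` armor and no line breaks. A caller who passes a PEM file as read from disk would therefore get the armor and newlines inside the signed header. Suggest stating the contract in the docstring, e.g. `:param str public_certificate: (optional) base64-encoded DER of the certificate whose private key is 'certificate', without PEM markers or line breaks; sent in the 'x5c' JWT header for subject name and issuer based authentication, which supports certificate auto-roll.` The `str` type prefix also brings the line in line with the other `:param str ...:` entries in this docstring.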
diff --git a/adal/self_signed_jwt.py b/adal/self_signed_jwt.py index 015e3cef..66bfb9a8 100644 --- a/adal/self_signed_jwt.py +++ b/adal/self_signed_jwt.py @@ -118,19 +118,9 @@ def _reduce_thumbprint(self, thumbprint): self._raise_on_invalid_thumbprint(canonical) return canonical - def create(self, certificate, thumbprint, send_x5c): + def create(self, certificate, thumbprint, public_certificate): thumbprint = self._reduce_thumbprint(thumbprint) - public_certificate = None - if send_x5c: - # to avoid pulling in OpenSSL dependency, we do low-tech but safe parsing based on markers - # defined in "/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h" - match = re.search(r'\-+BEGIN CERTIFICATE.+\-+(?P[^-]+)\-+END CERTIFICATE.+\-+', - certificate, re.I) - if not match: - raise AdalError("Error:Invalid Certificate: Marker of '-----BEGIN CERTIFICATE-----' was not found") - public_certificate = match.group('public').strip() - header = self._create_header(thumbprint, public_certificate) payload = self._create_payload() return _sign_jwt(header, payload, certificate) diff --git a/adal/token_request.py b/adal/token_request.py index fa6d264e..6332708b 100644 --- a/adal/token_request.py +++ b/adal/token_request.py 
@@ -351,20 +351,20 @@ def get_token_from_cache_with_refresh(self, user_id): self._user_id = user_id return self._find_token_from_cache() - def _create_jwt(self, certificate, thumbprint, send_x5c): + def _create_jwt(self, certificate, thumbprint, public_certificate): ssj = self._create_self_signed_jwt() - jwt = ssj.create(certificate, thumbprint, send_x5c) + jwt = ssj.create(certificate, thumbprint, public_certificate) if not jwt: raise AdalError("Failed to create JWT.") return jwt - def get_token_with_certificate(self, certificate, thumbprint, send_x5c): + def get_token_with_certificate(self, certificate, thumbprint, public_certificate): self._log.info("Getting a token via certificate.") - jwt = self._create_jwt(certificate, thumbprint, send_x5c) + jwt = self._create_jwt(certificate, thumbprint, public_certificate) oauth_parameters = self._create_oauth_parameters(OAUTH2_GRANT_TYPE.CLIENT_CREDENTIALS) oauth_parameters[OAUTH2_PARAMETERS.CLIENT_ASSERTION_TYPE] = OAUTH2_GRANT_TYPE.JWT_BEARER diff --git a/tests/test_self_signed_jwt.py b/tests/test_self_signed_jwt.py index ae6b35d7..2c45870e 100644 --- a/tests/test_self_signed_jwt.py +++ b/tests/test_self_signed_jwt.py @@ -69,7 +69,7 @@ def _create_jwt(self, cert, thumbprint, encodeError = None): else: self_signed_jwt._encode_jwt = mock.MagicMock(return_value = self.expectedJwt) - jwt = ssjwt.create(cert, thumbprint, False) + jwt = ssjwt.create(cert, thumbprint, public_certificate=None) return jwt def _create_jwt_and_match_expected_err(self, testCert, thumbprint, encodeError = None): From f2e35687080a6d8352f9a2dc9a4f243eb543e9f2 Mon Sep 17 00:00:00 2001 From: yugangw-msft Date: Wed, 17 Oct 2018 14:27:49 -0700 Subject: [PATCH 5/5] add tests --- tests/test_self_signed_jwt.py | 22 +++++++--- tests/util.py | 83 +++++++++++++++++++++-------------- 2 files changed, 65 insertions(+), 40 deletions(-) diff --git a/tests/test_self_signed_jwt.py b/tests/test_self_signed_jwt.py index 2c45870e..47c22552 100644 
--- a/tests/test_self_signed_jwt.py +++ b/tests/test_self_signed_jwt.py @@ -52,13 +52,16 @@ class TestSelfSignedJwt(unittest.TestCase): testNowDate = cp['nowDate'] testJwtId = cp['jwtId'] - expectedJwt = cp['expectedJwt'] + expectedJwtWithThumbprint = cp['expectedJwtWithThumbprint'] + expectedJwtWithPublicCert = cp['expectedJwtWithPublicCert'] + unexpectedJwt = 'unexpectedJwt' testAuthority = Authority('https://login.windows.net/naturalcauses.com', False) testClientId = 'd6835713-b745-48d1-bb62-7a8248477d35' testCert = cp['cert'] + testPublicCert=cp['publicCert'] - def _create_jwt(self, cert, thumbprint, encodeError = None): + def _create_jwt(self, cert, thumbprint, public_certificate = None, encodeError = None): ssjwt = SelfSignedJwt(cp['callContext'], self.testAuthority, self.testClientId) self_signed_jwt._get_date_now = mock.MagicMock(return_value = self.testNowDate) 
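Review bot: `testPublicCert=cp['publicCert']` drops the spaces around `=` that every neighbouring class attribute in this hunk uses (`testCert = cp['cert']`); write it as `testPublicCert = cp['publicCert']`. The class body and `_create_jwt` both continue outside the hunk.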
@@ -67,19 +70,24 @@ def _create_jwt(self, cert, thumbprint, encodeError = None): if encodeError: self_signed_jwt._encode_jwt = mock.MagicMock(return_value = self.unexpectedJwt) else: - self_signed_jwt._encode_jwt = mock.MagicMock(return_value = self.expectedJwt) + expected = self.expectedJwtWithPublicCert if public_certificate else self.expectedJwtWithThumbprint + self_signed_jwt._encode_jwt = mock.MagicMock(return_value = expected) - jwt = ssjwt.create(cert, thumbprint, public_certificate=None) + jwt = ssjwt.create(cert, thumbprint, public_certificate=public_certificate) return jwt def _create_jwt_and_match_expected_err(self, testCert, thumbprint, encodeError = None): with self.assertRaises(Exception): - self._create_jwt(testCert, thumbprint, encodeError) + self._create_jwt(testCert, thumbprint, encodeError = encodeError) def _create_jwt_and_match_expected_jwt(self, cert, thumbprint): jwt = self._create_jwt(cert, thumbprint) self.assertTrue(jwt, 'No JWT generated') - self.assertTrue(jwt == self.expectedJwt, 'Generated JWT does not match expected:{}'.format(jwt)) + self.assertTrue(jwt == self.expectedJwtWithThumbprint, 'Generated JWT does not match expected:{}'.format(jwt)) + + def test_jwt_hash_with_public_cert(self): + jwt = self._create_jwt(self.testCert, cp['certHash'], public_certificate = self.testPublicCert) + self.assertTrue(jwt == self.expectedJwtWithPublicCert, 'Generated JWT does not match expected:{}'.format(jwt)) def test_create_jwt_hash_colons(self): self._create_jwt_and_match_expected_jwt(self.testCert, cp['certHash']) 
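Review bot: `test_jwt_hash_with_public_cert` cannot fail on the header contents, because `_create_jwt` replaces `self_signed_jwt._encode_jwt` with a MagicMock whose return value is already chosen by whether `public_certificate` was passed, so the final assertion compares the mock's output with itself. To make the test cover the new behaviour, assert on what the mock received, e.g. `header = self_signed_jwt._encode_jwt.call_args[0][0]` followed by `self.assertEqual(header.get('x5c'), self.testPublicCert)` — this assumes `_sign_jwt` hands the header dict to `_encode_jwt` as its first positional argument, which is not visible in this hunk and should be checked. With that in place `expectedJwtWithPublicCert` only serves as the mock's return value.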
@@ -93,7 +101,7 @@ def test_create_jwt_hash_straight_hex(self): self._create_jwt_and_match_expected_jwt(self.testCert, thumbprint) def test_create_jwt_invalid_cert(self): - self._create_jwt_and_match_expected_err('foobar', cp['certHash'], True) + self._create_jwt_and_match_expected_err('foobar', cp['certHash'], encodeError = True) def test_create_jwt_invalid_thumbprint_1(self): self._create_jwt_and_match_expected_err(self.testCert, 'zzzz') diff --git a/tests/util.py b/tests/util.py index 9ffe439e..f855df44 100644 --- a/tests/util.py +++ b/tests/util.py 
@@ -176,41 +176,58 @@ # This is a dummy RSA private cert used for testing purpose.It does not represent valid credential. # privatePem variable is a fake certificate in the form of a string. def get_self_signed_cert(): - private_pem = ("-----BEGIN RSA PRIVATE KEY-----" - "MIIEpAIBAAKCAQEAoMGZTZi0vU/ICYVgV4vcTwzvZCNXdJ9EgGBBFu1E0/j4FF0Y" - "Fd2sP7IwmWVZLlWJ5VbwAtdMiRdrogX/QnWPfsNfsPzDdRRJD+Erh9tmBzJm08h7" - "1RggS1/VehZ9WNdTDlQM3P+zNg0IG274VIr+ZSBzIbYxV6ecPdRU/EsZ5Wa5SCwG" - "Fu1qPJW8KY8yvse9PHdFiHjrmcZSKTbBCp/2grdBrk/N1jwtH6Yj100l7G69HPE/" - "4kXYRX9f/LjpzF77VMCj7UJtmb1yR3fRHpppbm7GkqvJFM2Kg3UG5fsp8nQBDRc+" - "R3kjm+DU05MoFdsfo3DkzpNJjDcLUPdANe+mWwIDAQABAoIBACdb/1r+XpJTbFjY" - "bSRCPCimtB5CgPEu5ajA6G7inQ2BUcw6luETq07VJA0KwXEUxHSAerdXW4fdUh8T" - "dNIi0oVo9I7y9DBATTs0GGJlF2//qSmFVrxv8chCqJQB2aLc5ZsGfTfG62v6eNeu" - "reKVPYApF8dTQnWBtkF1MXGsOaTuxEecrM6KbES97kElC0QsJ89sDnTUjKuihfc9" - "Q9IfWDbX/5WY6JL7XMbQtKRIzd+y/E9dpU3Hu+UErKWyb5pQiud81/Q/xQThSrVt" - "zpmXwlsEFCrSzDML+aOTDqrsRwypRc5sTNAMadkeRrrlo+5OzoUG1aTxco8tZ1MD" - "ch7RTJECgYEA1fqn93X6S1sA8R4lYOJUDd5JmEskKwLl5Vg2VSinSD1YyMdtPnQa" - "ZWCEbJGXN60tEd7ZjOM4wA0mIrwEkkApFWEiGpMe4aGTD11455rA5IfrZUGPXlcw" - "lkmt4wPytKx/xDLBfa8oAu33dFDe/nhRqQqAMTi7DAnttqjUxPg/N8UCgYEAwFNG" - "qLG+5+J4sq5xoXgDj0Zggi5hx2IEfN68BmyYHvfL8VSDkQMsiYXNAhTWByCkjW9D" - "j/hdouGlDwMCLWq0XPgO/XsSlU7jJExsrRch63kf72PTZP/qapSkOonCe9TViNTQ" - "KiRXu/v9OfJYSRPnpKz0/5goFSq7E12mBWZJJ58CgYEAvmmKNLSAobP+t5H68ycU" - "Yy7u0J31Nm0ixR7lYoyFp8wniKumdA//OT1VOgOoy/vIAoILl8rPQl+xEvG7I6YC" - "qSrBnWJT9bbBVcf5Aih9BCBLgdSATxRJgUNZgI2P2eUy4RXFhyFp+olmTdR1S38o" - "M8PLZYG1OTZQmd3NUOYT430CgYBzU7yEPgnPPTPJWefTvobL7JTEm5GQoQs14c54" - "P7g8obUO4vH+DBwx3yUfAWWSYpWqJjUqaPGlUY/L3673kwvS0AEVKS7sj6CPTLDC" - "XqO9cyWeRIsn/noQLVAJtkAER41AfvTQwHhHxoSDsfoU4DXAvuIvPouSncwOgdKj" - "XEGz2wKBgQDQmB/u4oGaPRf5DdasiAcqofYDEoo/OcpdRPeW2t5z7WDZcjeN4ajR" - "GDoQssBpy1fpsPnghksMhYZL2l9xiSInkFw87ax5EYBS43Mt5HfJPgwpEnA5yV3W" - "WGt3TBp7BgYOKhIID6803lBYfDmtQzdD+xMjlJKSQ9wfZYCuXrYwSg==" - "-----END 
RSA PRIVATE KEY-----") - - return private_pem - -parameters['certHash'] = 'C1:5D:EA:86:56:AD:DF:67:BE:80:31:D8:5E:BD:DC:5A:D6:C4:36:E1' + private_pem = ("-----BEGIN PRIVATE KEY-----\n" + "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDLTKKMn3WJiDnc" + "8VuJPDr1kj9VYr9zdobMUSJ9YgRb6Rz05YiUOlSeNiMA6Y7yrpVbSxewIAkVC/gI" + "W/Ywp4FtR9j/SzQ91HIHvmKBrOAorpPDS0ZQ6nfeaBtZ14UIF16H/OvgyMkweBBd" + "7pIbF4i7ty3gdhFzpN2xd+qXTeDVMtxaQOM8RTAVp1RUpuNpPSIQxo9dLyOotcAe" + "Fj8uc0mMa0o6DbdxD26RiBIOgzcsYr5WUCMihmE3h1EIbXtQC5YwFnU9Q8OgupWz" + "i31QE1fbFgWzpjx1/KU9Yb8doWs1jwXSo4UGYecxiOKBrFuj0I6Kyelv9dfiayZF" + "GpwR+FmXAgMBAAECggEABmSxk/SL0LhtAWrBsy4muIRR45CIbswibxh6GjFT68QH" + "+heh1O+Eq7kOHsA5k54z6jwRUaOgRX4r3a9urZcG9fXVeCnYSb19nIq7NFLIdd8P" + "nIuoeXD2NhNWENw7PcbmXSZyEI6f7RtJgHq5M4ro7OZU1gNAhz9/DU61HO8BDBNP" + "9TT9h2Kf5cAHC79lrRs7Cj9yLK/JFFPFSyTEqxo9O6xHQfRv6X25rZeYo9JzGaqP" + "mwTvmheEqW7a75apBEpbzqD0f0jT4anaOSab0D10LyD9qEiCpzgDKG8Q31c0y9zS" + "Utk0suVR35abo22LdtvXMSyQMDfOOx3hqbUZ9c34uQKBgQD+oJUtfUYT9DBg/+jR" + "t/u+Tq/VnpolciQiIpIvUArhIFmOzLkt/hjH8ozOJlRrFADUWAE+pSWuAMdPjAsi" + "NGRYueAPQ29bqRF+5i0cJHXlxVNsqhF1SD5z/qaKU/MVL358v++g5shazQm45gUg" + "BeXyeRc++aFBTUAjUyoDOCh+bQKBgQDMZTacfAcGORL8TVvjq+0IJ6IppICmwRVU" + "FlZ/7HSJ+F1itggp0Kn9xzEk7SPgU8w0koysN+2189wn77PhQAAp1oGH2xvubXIz" + "nnAFpS9XbmzrG3JhHEVJqMe2qZ/pFOSqZxnNAekyWcE3BLamBBrMIx4wJBpmxVkf" + "EWUGSvolkwKBgDqQ8P8Pi2jXh7En64MhUFQLgUIfQtFOGaWIUhtzy6zQZgkEaat8" + "gHKtBVn9Uvl2FmLBAzhHgA0vvKg9S+pIJrSJvFGGbzyj/JQ1mTaZ5Ew/QNsDmxRg" + "04yWi/PRL142GF/VPebCbl8EPjI7Jf6hnKxS0df4TvDYNeJqJIWtCxNZAoGBAI04" + "rUfnhe7txklepcujgW1t/OQqzdzpcXQczv0qAcdGPDe0r+U8UAeQ9kqeMniPTXtR" + "ejKPngVmjUlmm/FZCAPgOrUEVcMiCZLSuHGeFRyipky3NQsVvmXLYNm7T0p67hcy" + "jygPVvE8BHygHBaOpXlAFl6Kw1cYqaAGo7d6XGVTAoGBAL0FucFmEAZOH7Bcnl30" + "JMXMcoedCAMMZG235cL2xBz6z+MzWVMkiZxblOVqAHRExGDoT01fymVte1OoKx7Q" + "SKiGNXCVBatkk7PlRUVnL0ziSwgYVxNX9eGNXZRBXUH3BuoYPlfdUMH36vgmukbT" + "Ui28YpkjQ5RY1UwUY6tk+Bka\n" + "-----END PRIVATE KEY-----") + public_pem = 
("MIICoTCCAYkCAgPoMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNVBAMMCUNMSS1Mb2dp" + "bjAiGA8yMDE4MTAxNzE2MTAxN1oYDzIwMTkxMDE3MTYxMDE5WjAUMRIwEAYDVQQD" + "DAlDTEktTG9naW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLTKKM" + "n3WJiDnc8VuJPDr1kj9VYr9zdobMUSJ9YgRb6Rz05YiUOlSeNiMA6Y7yrpVbSxew" + "IAkVC/gIW/Ywp4FtR9j/SzQ91HIHvmKBrOAorpPDS0ZQ6nfeaBtZ14UIF16H/Ovg" + "yMkweBBd7pIbF4i7ty3gdhFzpN2xd+qXTeDVMtxaQOM8RTAVp1RUpuNpPSIQxo9d" + "LyOotcAeFj8uc0mMa0o6DbdxD26RiBIOgzcsYr5WUCMihmE3h1EIbXtQC5YwFnU9" + "Q8OgupWzi31QE1fbFgWzpjx1/KU9Yb8doWs1jwXSo4UGYecxiOKBrFuj0I6Kyelv" + "9dfiayZFGpwR+FmXAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBADfEqXzcI/fs82T0" + "9B3H3lGWQL1JlcxOxD2TeMPtubDNllhZBT5GaYiw1LWAq+xJZZh+QPNxvZVw5Q/p" + "wgXo32maLNwjuhlDl/5bNNOMsxszRz60C2QQXzIaBxd6T2EUcnMQozu5y/33HT8k" + "k/ipBKbfmLP7Hgvs2xdhjHQcG61a2QP6qxD0UjVpXlgsL8wwc28ZSk1RqhxnHG0s" + "HRrRuwNhqWRe7JCGNkOwUghlemrqSuL3i6iAaeqipBqS0vVFGN8KS12jKYirEV5T" + "YkJ2HRrzSWEWbGhk+LnVis47nYRFzQB/sec/m+rpCpX6Spmiez6Yge2u874Oks/A" + "OGQyeYk=") + + return private_pem, public_pem + +parameters['certHash'] = 'B8:D3:FC:F1:51:50:63:7F:B0:ED:EE:32:C5:A2:4B:A2:28:D8:93:91' parameters['nowDate'] = datetime.fromtimestamp(1418433646.179) parameters['jwtId'] = '09841beb-a2c2-4777-a347-34ef055238a8' -parameters['expectedJwt'] = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IndWM3FobGF0MzJlLWdESFlYcjNjV3RiRU51RSJ9.eyJhdWQiOiJodHRwczovL2xvZ2luLndpbmRvd3MubmV0L3JyYW5kYWxsYWFkMS5vbm1pY3Jvc29mdC5jb20vb2F1dGgyL3Rva2VuIiwiaXNzIjoiY2xpZW4mJj8_P3RJZCIsInN1YiI6ImNsaWVuJiY_Pz90SWQiLCJuYmYiOjE0MTg0MzM2NDYsImV4cCI6MTQxODQzNDI0NiwianRpIjoiMDk4NDFiZWItYTJjMi00Nzc3LWEzNDctMzRlZjA1NTIzOGE4In0.dgF0TRlcASgTMp_1dlm8vd7tudr6n40VeuOQGFnz566s3n76WR_jJDBBBKlYeqc9gwCPFOzrLVAJehVYZ3N7YPzVdulf47rLoQdAp8R_p4Q4hdBZuIzfgDWwXjnP9x_NlfzezEYE4r8KTS2g5BBzPmx538AfIdNM93hWIxQySZGWY5UAhTkT1qE1ce1Yjo1M2HqzEJhTg5TTyfrnDtNxFxmzYhSyA9B41lB5kBuJTXUWXPrr-6eG8cEUOS-iiH7YB1Tf4J7_9JQloevTiOrfv4pSp6xLLXm2ntNBg3gaKsGKdYd-3tsCG0mHn7BzL0b-QCLalkUr8KtgtLqkxuAiLQ' -parameters['cert'] = get_self_signed_cert() 
+parameters['expectedJwtWithThumbprint'] = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InVOUDg4VkZRWTMtdzdlNHl4YUpMb2lqWWs1RT0ifQ.eyJleHAiOjE0MTg0MzQyNDYsImF1ZCI6bnVsbCwiaXNzIjoiZDY4MzU3MTMtYjc0NS00OGQxLWJiNjItN2E4MjQ4NDc3ZDM1IiwianRpIjoiMDk4NDFiZWItYTJjMi00Nzc3LWEzNDctMzRlZjA1NTIzOGE4IiwibmJmIjoxNDE4NDMzNjQ2LCJzdWIiOiJkNjgzNTcxMy1iNzQ1LTQ4ZDEtYmI2Mi03YTgyNDg0NzdkMzUifQ.sV5CPEQjYqlnGXhv2f8ozCpAD281is1aOjOHZRKQlPe8zuRhEC4DnAv66QcrxA9HkPs3OAR1GWHnlgVL88uCcAbdEgFo7cAVaQQeRr90zlDMOMoZqULXnorbO90q91BrnJdbcygzsba4Z_FPzKAsJ7J8NXWfWcbkFGrisjuyi97Nm-nCCpjH1zM6gi3paGg_53GFb2S7xMv1lvB7LfPQMI8QvOC64kmVia-cr2NQoT9XLz2U_1ahCKidN2ozyCv09shRjfBu2QSeIctbv0BKVfQQCUnLuMQ-O4_NKY3THZn5hl5PvFDPjlI3X_Om58gPhwISkgtndGTMJ9W-H5z71Q' +parameters['expectedJwtWithPublicCert'] = '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.eyJqdGkiOiIwOTg0MWJlYi1hMmMyLTQ3NzctYTM0Ny0zNGVmMDU1MjM4YTgiLCJleHAiOjE0MTg0MzQyNDYsImF1ZCI6bnVsbCwic3ViIjoiZDY4MzU3MTMtYjc0NS00OGQxLWJiNjItN2E4MjQ4NDc3ZDM1IiwibmJmIjoxNDE4NDMzNjQ2LCJpc3MiOiJkNjgzNTcxMy1iNzQ1LTQ4ZDEtYmI2Mi03YTgyNDg0NzdkMzUifQ.ROcEKjjuKN0-iK4seRCYftvEh8F5Esj1Y3NJF0MbUGWZQYTRnjibJAnVkvmCqFSGT_mDFhasTM67pwAWtfYNP875UM87HG4aUyZG48pFojnWxnMMf9gBardPmpaDNi3U_iIGoTGVLR60JV30WjsOCkEJY79l68EMc5i6XqYtOSyJDlI0rn8ZTqoyVHQYqCwkTLDF0cqTrqK6HV9iWuiT0rq3LMP2lShwAhKaTYIeAAek5Bw5LwRR2mo9ybreq_02vCDxIQg0C3kBDGMU8GxQ2tAWMYSqnxNfrjgUhARDQYdZTjCyuq1kOb8QrHly29mPT7xdS7Xnc0IF6JZb1PXj0Q' +parameters['cert'], parameters['publicCert'] = get_self_signed_cert() correlation_id_regex = re.compile("[^\s]+")
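Review bot: The comment above `get_self_signed_cert` (`# This is a dummy RSA private cert ... privatePem variable is a fake certificate in the form of a string.`) is now stale: the function returns a `(private_pem, public_pem)` tuple, the key block is a PKCS#8 `-----BEGIN PRIVATE KEY-----` rather than `RSA PRIVATE KEY`, and `public_pem` is the base64 DER body with no PEM armor at all. Suggest a comment that says the pair is test-only material, that `public_pem` is deliberately stripped of markers and line breaks because it is placed verbatim in the `x5c` header, and that the two values belong to the same key pair. Note also that the base64 body of `private_pem` is concatenated into one line between the two `\n`-terminated markers; whether the PEM loader behind `_sign_jwt` accepts that is not visible here, and every test in this series mocks `_encode_jwt`, so it is never exercised.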