(key, sig, contents, headDict, quiet)
| 678 | return newVal |
| 679 | |
| 680 | def testKey(key, sig, contents, headDict, quiet): |
| 681 | if headDict["alg"] == "HS256": |
| 682 | testSig = base64.urlsafe_b64encode(hmac.new(key,contents,hashlib.sha256).digest()).decode('UTF-8').strip("=") |
| 683 | elif headDict["alg"] == "HS384": |
| 684 | testSig = base64.urlsafe_b64encode(hmac.new(key,contents,hashlib.sha384).digest()).decode('UTF-8').strip("=") |
| 685 | elif headDict["alg"] == "HS512": |
| 686 | testSig = base64.urlsafe_b64encode(hmac.new(key,contents,hashlib.sha512).digest()).decode('UTF-8').strip("=") |
| 687 | else: |
| 688 | cprintc("Algorithm is not HMAC-SHA - cannot test with this tool.", "red") |
| 689 | exit(1) |
| 690 | if testSig == sig: |
| 691 | cracked = True |
| 692 | if len(key) > 25: |
| 693 | cprintc("[+] CORRECT key found:\n"+key.decode('UTF-8'), "green") |
| 694 | else: |
| 695 | cprintc("[+] "+key.decode('UTF-8')+" is the CORRECT key!", "green") |
| 696 | cprintc("You can tamper/fuzz the token contents (-T/-I) and sign it using:\npython3 jwt_tool.py [options here] -S "+str(headDict["alg"]).lower()+" -p \""+key.decode('UTF-8')+"\"", "cyan") |
| 697 | return cracked |
| 698 | else: |
| 699 | cracked = False |
| 700 | if quiet == False: |
| 701 | if len(key) > 25: |
| 702 | cprintc("[-] "+key[0:25].decode('UTF-8')+"...(output trimmed) is not the correct key", "red") |
| 703 | else: |
| 704 | cprintc("[-] "+key.decode('UTF-8')+" is not the correct key", "red") |
| 705 | return cracked |
| 706 | |
| 707 | def getRSAKeyPair(): |
| 708 | #config['crypto']['pubkey'] = config['crypto']['pubkey'] |
no test coverage detected