# Xima CCaaS API - Authentication and JWT Signing Example

This notebook demonstrates the process of generating a private key and Certificate Signing Request (CSR),
receiving the Key ID (kid) and certificate, and using them to create and sign a JWT for API authentication.

**CRITICAL SECURITY WARNINGS:**

* **NEVER hardcode your actual private keys or certificates in this notebook or any client-side code!**
    This is a major security risk. Anyone with access to your private key can impersonate your application.
* This notebook is for *demonstration purposes only*. It uses a mock backend that does not perform full certificate validation.
* In a production environment, private keys should be stored securely (e.g., using hardware security modules or secure key management systems).


## 1. Introduction and Setup

In [2]:
#   No specific setup needed in Colab for basic libraries (os, json, hashlib are built-in)
#   Install cryptography for key generation and signing
try:
    import cryptography
except ImportError:
    print("Installing cryptography library...")
    !pip install cryptography
    import cryptography

import os
import json
import hashlib
import base64
import uuid
import time
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
import datetime

In [34]:
# ===============================
# 🔧 Self-Signed Certificate Generator (Simulated Xima Signing)
# ===============================
# This helper function simulates what the Xima team would do when signing your CSR.
# In reality, Xima would issue a signed certificate using their internal CA.
# Here, we simulate that by generating a self-signed certificate.

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
import datetime
import uuid

def generate_self_signed_certificate(csr_pem):
    """
    Generates a self-signed certificate from a CSR and returns the kid and certificate PEM.
    This simulates the backend issuing a certificate using your CSR.
    """

    # 1. Parse the CSR
    csr = x509.load_pem_x509_csr(csr_pem, default_backend())

    # 2. Extract subject and public key
    subject = csr.subject
    public_key = csr.public_key()

    # 3. Set issuer (self-signed, so issuer = subject)
    issuer = subject

    # 4. Build the certificate
    builder = x509.CertificateBuilder().subject_name(
        subject
    ).issuer_name(
        issuer
    ).public_key(
        public_key
    ).serial_number(
        x509.random_serial_number()
    ).not_valid_before(
        datetime.datetime.utcnow()
    ).not_valid_after(
        datetime.datetime.utcnow() + datetime.timedelta(days=365)
    ).add_extension(
        x509.SubjectAlternativeName([x509.DNSName("localhost")]),
        critical=False,
    ).sign(private_key, hashes.SHA256())  # Uses the same private key to sign

    # 5. Convert to PEM format and return with a generated Key ID
    certificate = builder.public_bytes(encoding=serialization.Encoding.PEM)
    kid = str(uuid.uuid4())

    return kid, certificate.decode("utf-8")


## 2. Private Key and CSR Generation

In [35]:
# ===============================
# 🛠️ Generate Private Key, CSR, and Simulate Backend Response
# ===============================
# This section creates your RSA private key, generates a CSR (Certificate Signing Request),
# and simulates the backend's response using the helper function above.

from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
import json

# Step 1: Generate RSA Private Key
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)
print("✅ Private key generated.")

# Step 2: Create CSR with your chosen subject
subject = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME, "My Awesome Reseller"),  # 🔧 Adjust as needed
])
csr_builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
csr = csr_builder.sign(private_key, hashes.SHA256())
csr_pem = csr.public_bytes(serialization.Encoding.PEM)

print("📄 CSR generated:")
print(csr_pem.decode())

# Step 3: Simulate backend signing process (mock Xima response)
kid, certificate = generate_self_signed_certificate(csr_pem)

mock_csr_response = {
    "kid": kid,
    "certificate": certificate
}

print("\n📦 **Mock Backend Response (Simulated Certificate Issuance):**")
print(json.dumps(mock_csr_response, indent=4))


✅ Private key generated.
📄 CSR generated:
-----BEGIN CERTIFICATE REQUEST-----
MIICYzCCAUsCAQAwHjEcMBoGA1UEAwwTTXkgQXdlc29tZSBSZXNlbGxlcjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSjuk7SMxtzV4LX1rTbLqlJ46mB
J4QMe3eFUwBhR9bGxhzO7//OfiH6+Q0G3WTVVClGpV0CODC8/46qde9hj1b/tsXd
O9/zZrvSBV9jXPw8Y+kBZeKotk4col6msF/oHTgreSiMaQPFTgZsllvUg1m0vujZ
bCMcvKQOCHX8kmKl8B/wzB5azGoFpBHVAT2zKj8OhNYg3SmSdWljE8uDYkbq884c
FKqKcizsOVzjkisvpBPV58JobKQpbxk3bXlSY3hA2BHLRBtUXvO+So2QutZ7mQHn
hAxu852HdQ3wtjDRb5oGxPoZ3m2rs1kJplycKhmPhqvNer7XWRs9133VYlUCAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQDKf3FV0qvV2+Cku/fVs4cotLshtCa3piMx
Nuds2jrxiZwd2D1ffiLtNHn+j1AbRJd+HVVdHFIWYMzHnRzu33cN3xTBBiQ1LgDU
dcTdj/GEJ5i5lXfrqrsYRlh0FVM51eUhxc4D6qBnkGqoPRZ80Xrcvil1j4aJ9NDI
WdYVgmX4PFO6nOJwak62g/oeSBzQdXf+0CStwB+gR71uITggW1WICm4A1b+MS5tB
aSnoNPUAelFdOkT30OMAikI8EvYkTm3oWPsEujhDmzWUebyuEO5BKC/bU5tVSHFz
33CMUVB9KnaOxchXIeCKoF1K4xkm+0VJtgnMT+Td1BFpAX8xI5wM
-----END CERTIFICATE REQUEST-----


📦 **Mock Backend Response (Simulated Certificate Issu

In [37]:
# ===============================
# 🔒 Certificate Validation Section
# ===============================
# This section demonstrates how to use the mock JSON response returned
# from the backend CSR process (or simulate one) to parse and validate
# the X.509 certificate string.

import json
from cryptography import x509
from cryptography.hazmat.backends import default_backend

# Example mock response (replace this with the real response you got back)
raw_cert_string = mock_csr_response["certificate"]

# Step 1: Extract and decode the certificate string
raw_cert_string = mock_csr_response["certificate"]
pem_cert = raw_cert_string.encode('utf-8').decode('unicode_escape').encode('utf-8')

# Step 2: Load and validate the certificate
try:
    cert = x509.load_pem_x509_certificate(pem_cert, default_backend())
    print("✅ Certificate successfully parsed!")
    print("📌 Certificate Info:")
    print(f"  🔑 KID: {mock_csr_response['kid']}")
    print(f"  🧾 Subject: {cert.subject.rfc4514_string()}")
    print(f"  🏢 Issuer: {cert.issuer.rfc4514_string()}")
    print(f"  📅 Valid from: {cert.not_valid_before_utc}")
    print(f"  📅 Valid until: {cert.not_valid_after_utc}")
except Exception as e:
    print("❌ Failed to parse certificate:")
    print(str(e))


✅ Certificate successfully parsed!
📌 Certificate Info:
  🔑 KID: f76bd221-8dda-4f49-a004-3545bc8b7b67
  🧾 Subject: CN=My Awesome Reseller
  🏢 Issuer: CN=My Awesome Reseller
  📅 Valid from: 2025-04-11 21:34:48+00:00
  📅 Valid until: 2026-04-11 21:34:48+00:00


## 4. JWT Creation and Signing

In [39]:
# ===============================
# 🔐 JWT Creation & Signing (Ready for Real API Request)
# ===============================
# This section builds a signed JWT using your private key and the KID from the issued cert.
# It hashes the license update payload, includes the hash in the JWT payload,
# and signs the JWT — ready to send to the real licensing update endpoint.

import json
import base64
import hashlib
import uuid
import time
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes

# ------------------------------------
# 4.1 🔧 Construct JWT Header
# ------------------------------------
kid = mock_csr_response["kid"]

jwt_header = {
    "alg": "RS256",
    "typ": "JWT",
    "kid": kid
}

print("\n🔧 JWT Header:")
print(json.dumps(jwt_header, indent=4))

# ------------------------------------
# 4.2 📦 Construct License Payload (Request Body)
# ------------------------------------
license_payload = {
    "serial": "EXAMPLECUSTOMER1D57107A415DEE77F",  # 🔄 Replace with real customer serial
    "digitalOnlySeats": 15,
    "essentialSeats": 15,
    "professionalSeats": 15,
    "eliteSeats": 15,
    "workforceOptimizationSeats": 15,
    "workforceManagementSeats": 15,
    "speechAnalyticsSeats": 6,
    "dialerSeats": 6,
    "additionalAiMessages": 6000
}

# ------------------------------------
# 4.3 🔐 Hash Payload and Build JWT Payload
# ------------------------------------
payload_string = json.dumps(license_payload, sort_keys=False, separators=(',', ':')).encode('utf-8')
payload_hash = hashlib.sha256(payload_string).hexdigest()

jwt_payload = {
    "payload_hash": payload_hash,
    "iat": int(time.time()),
    "jti": str(uuid.uuid4())
}

print("\n📦 JWT Payload:")
print(json.dumps(jwt_payload, indent=4))

# ------------------------------------
# 4.4 🔡 Encode Header and Payload (Base64URL)
# ------------------------------------
def base64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('utf-8')

header_encoded = base64url_encode(json.dumps(jwt_header).encode('utf-8'))
payload_encoded = base64url_encode(json.dumps(jwt_payload).encode('utf-8'))

# ------------------------------------
# 4.5 ✍️ Sign the JWT
# ------------------------------------
message = f"{header_encoded}.{payload_encoded}".encode('utf-8')
signature = private_key.sign(
    message,
    padding.PKCS1v15(),
    hashes.SHA256()
)
signature_encoded = base64url_encode(signature)

jwt = f"{header_encoded}.{payload_encoded}.{signature_encoded}"

print("\n🔐 Generated JWT:")
print(jwt)



🔧 JWT Header:
{
    "alg": "RS256",
    "typ": "JWT",
    "kid": "f76bd221-8dda-4f49-a004-3545bc8b7b67"
}

📦 JWT Payload:
{
    "payload_hash": "fc9be0662a10e190e7faf49a4906398a9d6b9df47d7bbdac1b182dadb2044bcc",
    "iat": 1744407867,
    "jti": "5c7de31a-49de-483c-b799-48f8020b4145"
}

🔐 Generated JWT:
eyJhbGciOiAiUlMyNTYiLCAidHlwIjogIkpXVCIsICJraWQiOiAiZjc2YmQyMjEtOGRkYS00ZjQ5LWEwMDQtMzU0NWJjOGI3YjY3In0.eyJwYXlsb2FkX2hhc2giOiAiZmM5YmUwNjYyYTEwZTE5MGU3ZmFmNDlhNDkwNjM5OGE5ZDZiOWRmNDdkN2JiZGFjMWIxODJkYWRiMjA0NGJjYyIsICJpYXQiOiAxNzQ0NDA3ODY3LCAianRpIjogIjVjN2RlMzFhLTQ5ZGUtNDgzYy1iNzk5LTQ4ZjgwMjBiNDE0NSJ9.uEBU5_iZ-trxNl1gjSbtaYCNHSWtElIXlYW3kbTPe61YmQCqfc5NBZ0VPfDzZKub7-xpqlMoP8KN8ji1cvap01C3oFDWatjaiG4I3I5fWvP7ND7s0geHPO9WzMN5O4dlJNfBh-J8Gb31hZ1hTDc7j06gGKwv_EXMC1ErGsyTzl2UGlrwuGfjOc2jpYlPIbdMC3GPsxp6IpJ0d6jMeg7f7UwnCQp1OeB_9RKdOT8yP_GYnVvtadqg3O4pB19mHcWR_SKhkMsGCw48kB9zBhyKYRHy35K32UvFR7q7E3pLjcOgWFo2Rmbzd6BYuBVcaMXg_cKroN9-KdVduPiGHJIH8g


## 5. License Update Request Generation

In [None]:
# ===============================
# 🚀 Send Real License Update Request to Sandbox API
# ===============================
# This cell sends the actual license update request to your live sandbox server at:
#   🔗 https://sandbox-api.ximadev.cloud/v1/api/v1/licensing/update
# It includes a signed JWT in the Authorization header and the raw JSON license payload in the body.

import requests

# ✅ JWT is already built earlier in `jwt`
# ✅ `payload_string` contains the exact serialized license payload used to generate the hash

headers = {
    "Authorization": f"Bearer {jwt}",
    "Content-Type": "application/json"
}

SANDBOX_API_URL = "https://lic-api.ximadev.cloud/v1/api/licensing/update"

try:
    response = requests.post(
        SANDBOX_API_URL,
        headers=headers,
        data=payload_string
    )

    print("✅ Request sent to sandbox API.")
    print(f"🌐 Status Code: {response.status_code}")
    print("📨 Response Body:")
    print(response.text)

except requests.exceptions.RequestException as e:
    print("❌ Request failed:")
    print(str(e))
