# Xima CCaaS API - Authentication and JWT Signing Example

This notebook demonstrates the process of generating a private key and Certificate Signing Request (CSR),
receiving the Key ID (kid) and certificate, and using them to create and sign a JWT for API authentication.

**CRITICAL SECURITY WARNINGS:**

* **NEVER hardcode your actual private keys or certificates in this notebook or any client-side code!**
    This is a major security risk. Anyone with access to your private key can impersonate your application.
* This notebook is for *demonstration purposes only*. It uses a mock backend that does not perform full certificate validation.
* In a production environment, private keys should be stored securely (e.g., using hardware security modules or secure key management systems).


## 1. Introduction and Setup

In [1]:
#   No specific setup needed in Colab for basic libraries (os, json, hashlib are built-in)
#   Install cryptography for key generation and signing
try:
    import cryptography
except ImportError:
    print("Installing cryptography library...")
    !pip install cryptography
    import cryptography

import os
import json
import hashlib
import base64
import uuid
import time
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
import datetime

In [2]:
# ===============================
# 🔧 Self-Signed Certificate Generator (Simulated Xima Signing)
# ===============================
# This helper function simulates what the Xima team would do when signing your CSR.
# In reality, Xima would issue a signed certificate using their internal CA.
# Here, we simulate that by generating a self-signed certificate.

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
import datetime
import uuid

def generate_self_signed_certificate(csr_pem):
    """
    Generates a self-signed certificate from a CSR and returns the kid and certificate PEM.
    This simulates the backend issuing a certificate using your CSR.
    """

    # 1. Parse the CSR
    csr = x509.load_pem_x509_csr(csr_pem, default_backend())

    # 2. Extract subject and public key
    subject = csr.subject
    public_key = csr.public_key()

    # 3. Set issuer (self-signed, so issuer = subject)
    issuer = subject

    # 4. Build the certificate
    builder = x509.CertificateBuilder().subject_name(
        subject
    ).issuer_name(
        issuer
    ).public_key(
        public_key
    ).serial_number(
        x509.random_serial_number()
    ).not_valid_before(
        datetime.datetime.utcnow()
    ).not_valid_after(
        datetime.datetime.utcnow() + datetime.timedelta(days=365)
    ).add_extension(
        x509.SubjectAlternativeName([x509.DNSName("localhost")]),
        critical=False,
    ).sign(private_key, hashes.SHA256())  # Uses the same private key to sign

    # 5. Convert to PEM format and return with a generated Key ID
    certificate = builder.public_bytes(encoding=serialization.Encoding.PEM)
    kid = str(uuid.uuid4())

    return kid, certificate.decode("utf-8")


## 2. Private Key and CSR Generation

In [3]:
# ===============================
# 🛠️ Generate Private Key, CSR, and Simulate Backend Response
# ===============================
# This section creates your RSA private key, generates a CSR (Certificate Signing Request),
# and simulates the backend's response using the helper function above.

from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
import json

# Step 1: Generate RSA Private Key
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)
print("✅ Private key generated.")

# Step 2: Create CSR with your chosen subject
subject = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME, "My Awesome Reseller"),  # 🔧 Adjust as needed
])
csr_builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
csr = csr_builder.sign(private_key, hashes.SHA256())
csr_pem = csr.public_bytes(serialization.Encoding.PEM)

print("📄 CSR generated:")
print(csr_pem.decode())

# Step 3: Simulate backend signing process (mock Xima response)
kid, certificate = generate_self_signed_certificate(csr_pem)

mock_csr_response = {
    "kid": kid,
    "certificate": certificate
}

print("\n📦 **Mock Backend Response (Simulated Certificate Issuance):**")
print(json.dumps(mock_csr_response, indent=4))


✅ Private key generated.
📄 CSR generated:
-----BEGIN CERTIFICATE REQUEST-----
MIICYzCCAUsCAQAwHjEcMBoGA1UEAwwTTXkgQXdlc29tZSBSZXNlbGxlcjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4x6v6urOX7SN1h5rTGqiKnMB1I
rWOXGsby2fIszLtlhKkFdbS3hAaGqN+x3Y3llr/0GaPRLMRuZ0s+IHSA7fDnnV9x
lzCK+pZFzqc09QMFAMn6+eXt9HwgHQQyr2rRqlUhfmtEiZ0ObZPy0Q6BX/OaIEKk
szvUePtHZpDQc3wW+RVJm6IZJR1fGvTzRgb3SrIEe2/0W7+Z5rbuJA67jA7d/4mv
my7vAQuVw7t1GTwVUYuN4PchGL/xQ082FQ0+3DcY7XbpSq6JEmPA57lVM4Vs5ysI
m7hqg6PzR9gWZirZUlDnWSB+Xa7Rd85SV67mn1PGxcoKkovBnpT3Ye98D0ECAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBSuzKy4Nla0ZK6ocVNPpIvjfBK1iWiErTn
hKwoil7yUsopL672IwzjajXZjMAXksxwXZhMfUUbrfUcBGcuSaJD1L8jy4XWfull
ksPoy0+npkyrJlkCmE5/mbUbCdQay9QZ1qW5pKEzdDfTQKJCniNP7tbjHnHOOX2r
ZLu5sfC+cvfK+m1YLmAaEqv+IDgTqz4CVR7D+SImssTWqZz3VygeZJrIQF6cUqI3
vxuLvi8Z4oLe7IxcFO5993CAro1f9vQbokFqUGYCx+2sCZDJnkXUOW4uNq/qBuZ9
ZwXEJMnm5WdWB2o0ipBEOxfBBd3Jv8jTNUOrYPfWTs/0MipkSbvY
-----END CERTIFICATE REQUEST-----


📦 **Mock Backend Response (Simulated Certificate Issu

In [4]:
# ===============================
# 🔒 Certificate Validation Section
# ===============================
# This section demonstrates how to use the mock JSON response returned
# from the backend CSR process (or simulate one) to parse and validate
# the X.509 certificate string.

import json
from cryptography import x509
from cryptography.hazmat.backends import default_backend

# Example mock response (replace this with the real response you got back)
raw_cert_string = mock_csr_response["certificate"]

# Step 1: Extract and decode the certificate string
raw_cert_string = mock_csr_response["certificate"]
pem_cert = raw_cert_string.encode('utf-8').decode('unicode_escape').encode('utf-8')

# Step 2: Load and validate the certificate
try:
    cert = x509.load_pem_x509_certificate(pem_cert, default_backend())
    print("✅ Certificate successfully parsed!")
    print("📌 Certificate Info:")
    print(f"  🔑 KID: {mock_csr_response['kid']}")
    print(f"  🧾 Subject: {cert.subject.rfc4514_string()}")
    print(f"  🏢 Issuer: {cert.issuer.rfc4514_string()}")
    print(f"  📅 Valid from: {cert.not_valid_before_utc}")
    print(f"  📅 Valid until: {cert.not_valid_after_utc}")
except Exception as e:
    print("❌ Failed to parse certificate:")
    print(str(e))


✅ Certificate successfully parsed!
📌 Certificate Info:
  🔑 KID: 3343c158-d371-41cd-be7d-d8b3cb133445
  🧾 Subject: CN=My Awesome Reseller
  🏢 Issuer: CN=My Awesome Reseller
  📅 Valid from: 2025-04-14 21:18:20+00:00
  📅 Valid until: 2026-04-14 21:18:20+00:00


## 4. JWT Creation and Signing

In [None]:
# ===============================
# 🔐 JWT Creation & Signing (Ready for Real API Request)
# ===============================
# This section builds a signed JWT using your private key and the KID from the issued cert.
# It hashes the license update payload (including the JTI and expiration), includes the hash in the JWT payload,
# and signs the JWT — ready to send to the real licensing update endpoint.

import json
import base64
import hashlib
import uuid
import time
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes

# ------------------------------------
# 4.1 🔧 Construct JWT Header
# ------------------------------------
kid = mock_csr_response["kid"]

jwt_header = {
    "alg": "RS256",
    "typ": "JWT",
    "kid": kid
}

print("\n🔧 JWT Header:")
print(json.dumps(jwt_header, indent=4))

# ------------------------------------
# 4.2 📦 Construct License Payload (Request Body)
# ------------------------------------
# Generate JTI and expiration time
jti = str(uuid.uuid4())
current_time = int(time.time())
expiration_time = current_time + (30 * 60)  # 30 minutes in seconds

license_payload = {
    "ccId": {
        "resellerId": "EXAMPLERESELLERID",
        "divisionId": "EXAMPLEDIVISIONID"
    },
    "digitalOnlySeats": 15,
    "essentialSeats": 15,
    "professionalSeats": 15,
    "eliteSeats": 15,
    "workforceOptimizationSeats": 15,
    "workforceManagementSeats": 15,
    "speechAnalyticsSeats": 6,
    "dialerSeats": 6,
    "additionalAiMessages": 6000,
    "aiMessaging": {
        "standardBundles": 5,
        "advancedBundles": 0
    },
    "aiAudioServices": {
        "seatLicenses": 10,
        "additionalHours": 20
    },
    "ehrEmrIntegrationSeats": 10
}

print("\n📦 License Payload:")
print(json.dumps(license_payload, indent=4))

# ------------------------------------
# 4.3 🔐 Hash Payload and Build JWT Payload
# ------------------------------------
payload_string = json.dumps(license_payload, sort_keys=False, separators=(',', ':')).encode('utf-8')
payload_hash = hashlib.sha256(payload_string).hexdigest()

# JWT payload now includes JTI and exp claims directly
jwt_payload = {
    "payload_hash": payload_hash,
    "jti": jti,                 # JTI moved to JWT payload
    "exp": expiration_time      # Expiration moved to JWT payload
}

print("\n📦 JWT Payload:")
print(json.dumps(jwt_payload, indent=4))


# ------------------------------------
# 4.4 🔡 Encode Header and Payload (Base64URL)
# ------------------------------------
def base64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('utf-8')

header_encoded = base64url_encode(json.dumps(jwt_header).encode('utf-8'))
payload_encoded = base64url_encode(json.dumps(jwt_payload).encode('utf-8'))

# ------------------------------------
# 4.5 ✍️ Sign the JWT
# ------------------------------------
message = f"{header_encoded}.{payload_encoded}".encode('utf-8')
signature = private_key.sign(
    message,
    padding.PKCS1v15(),
    hashes.SHA256()
)
signature_encoded = base64url_encode(signature)

jwt = f"{header_encoded}.{payload_encoded}.{signature_encoded}"

print("\n🔐 Generated JWT:")
print(jwt)



🔧 JWT Header:
{
    "alg": "RS256",
    "typ": "JWT",
    "kid": "3343c158-d371-41cd-be7d-d8b3cb133445"
}

📦 License Payload:
{
    "serial": "EXAMPLECUSTOMER1D57107A415DEE77F",
    "digitalOnlySeats": 15,
    "essentialSeats": 15,
    "professionalSeats": 15,
    "eliteSeats": 15,
    "workforceOptimizationSeats": 15,
    "workforceManagementSeats": 15,
    "speechAnalyticsSeats": 6,
    "dialerSeats": 6,
    "additionalAiMessages": 6000
}

📦 JWT Payload:
{
    "payload_hash": "fc9be0662a10e190e7faf49a4906398a9d6b9df47d7bbdac1b182dadb2044bcc",
    "jti": "b6df15ce-8d6e-4a4f-9065-3834c1adbd10",
    "exp": 1744667387
}

🔐 Generated JWT:
eyJhbGciOiAiUlMyNTYiLCAidHlwIjogIkpXVCIsICJraWQiOiAiMzM0M2MxNTgtZDM3MS00MWNkLWJlN2QtZDhiM2NiMTMzNDQ1In0.eyJwYXlsb2FkX2hhc2giOiAiZmM5YmUwNjYyYTEwZTE5MGU3ZmFmNDlhNDkwNjM5OGE5ZDZiOWRmNDdkN2JiZGFjMWIxODJkYWRiMjA0NGJjYyIsICJqdGkiOiAiYjZkZjE1Y2UtOGQ2ZS00YTRmLTkwNjUtMzgzNGMxYWRiZDEwIiwgImV4cCI6IDE3NDQ2NjczODd9.h-u37HnqIQD1SvGtu1BjffHtfJH0Ro09XABR6mI0o6NOUstYic

## 5. License Update Request Generation

In [8]:
# ===============================
# 🚀 Send License Update Request to Sandbox API
# ===============================
# This cell sends the license update request to your live sandbox server at:
#   🔗 https://api.ximadev.cloud/v1/licensing/update
# It includes a signed JWT in the Authorization header (containing jti, exp and payload hash)
# and the raw JSON license payload in the body (without authentication claims).

import requests

# ✅ JWT is already built earlier in `jwt` and contains jti and exp claims
# ✅ `payload_string` contains the serialized license payload 
# ✅ The JWT includes authentication claims for security

headers = {
    "Authorization": f"Bearer {jwt}",
    "Content-Type": "application/json"
}

SANDBOX_API_URL = "https://api.ximadev.cloud/v1/api/licensing/update"

try:
    response = requests.post(
        SANDBOX_API_URL,
        headers=headers,
        data=payload_string  # License payload without jti or exp
    )

    print("✅ Request sent to sandbox API.")
    print(f"🌐 Status Code: {response.status_code}")
    print("📨 Response Body:")
    print(response.text)

    if response.status_code == 200:
        print("\n🎉 License update successful!")
        # JTI is tracked by the server but not included in request payload
    else:
        print("\n❌ License update failed!")
        # Check for specific error codes
        error_codes = ["INVALID_JTI", "DUPLICATE_JTI", "EXPIRED_TOKEN"]
        for code in error_codes:
            if code in response.text:
                print(f"  - Error likely related to {code}")

except requests.exceptions.RequestException as e:
    print("❌ Request failed:")
    print(str(e))

❌ Request failed:
HTTPSConnectionPool(host='api.ximadev.cloud', port=443): Max retries exceeded with url: /v1/api/licensing/update (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7dbfd0139d10>: Failed to resolve 'api.ximadev.cloud' ([Errno -2] Name or service not known)"))
