As @jpf suggested, we should add an OP and RP test that detects algorithm confusion as described in: https://www.chosenplaintext.ca/2015/03/31/jwt-algorithm-confusion.html

For RP testing:
A negative test for rp-response_type-code, where a regular RS256 id_token is generated by the test suite and expected by the RP: we should produce an HS256 JWT that is signed with the PEM-formatted representation of the public key as the HMAC key and check that the RP rejects that ID token.

For OP testing:
A negative test for OP-request-Sig: the test suite should generate a request object that is signed with HS256 using the PEM-formatted representation of the RSA public key as the symmetric key value and check that the OP rejects that request object.