A couple of new functions for JWK handling.

Author: rohe

src/cryptojwt/__init__.py

@@ -21,7 +21,7 @@
 except ImportError:
     pass
 
-__version__ = '0.7.10'
+__version__ = '0.7.11'
 
 logger = logging.getLogger(__name__)
 

src/cryptojwt/jwk/hmac.py

@@ -1,6 +1,8 @@
 import logging
 import os
 
+from . import JWK
+from . import USE
 from .utils import sha256_digest
 from .utils import sha384_digest
 from .utils import sha512_digest
@@ -12,8 +14,6 @@
 from ..utils import b64d
 from ..utils import b64e
 
-from . import JWK, USE
-
 logger = logging.getLogger(__name__)
 
 ALG2KEYLEN = {
@@ -23,7 +23,7 @@
     "HS256": 32,
     "HS384": 48,
     "HS512": 64
-    }
+}
 
 
 class SYMKey(JWK):

src/cryptojwt/jwk/jwk.py

@@ -1,23 +1,23 @@
 import copy
+import json
+import os
 
 from cryptography.hazmat import backends
-from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric.rsa import rsa_crt_dmp1
 from cryptography.hazmat.primitives.asymmetric.rsa import rsa_crt_dmq1
 from cryptography.hazmat.primitives.asymmetric.rsa import rsa_crt_iqmp
 
-from ..exception import MissingValue
-from ..exception import WrongKeyType
-from ..exception import UnknownKeyType
-from ..exception import UnsupportedAlgorithm
-from ..utils import base64url_to_long, b64d, as_bytes
-
 from .ec import ECKey
 from .ec import NIST2SEC
-from .rsa import RSAKey
 from .hmac import SYMKey
-
+from .rsa import RSAKey
+from ..exception import MissingValue
+from ..exception import UnknownKeyType
+from ..exception import UnsupportedAlgorithm
+from ..exception import WrongKeyType
+from ..utils import base64url_to_long
 
 EC_PUBLIC_REQUIRED = frozenset(['crv', 'x', 'y'])
 EC_PUBLIC = EC_PUBLIC_REQUIRED
@@ -173,3 +173,18 @@ def jwk_wrap(key, use="", kid=""):
 
     kspec.serialize()
     return kspec
+
+
+def dump_jwk(filename, key):
+    """Writes a RSAKey, ECKey or SYMKey instance as a JWK to a file."""
+    with open(filename, 'w') as fp:
+        fp.write(json.dumps(key.to_dict()))
+
+
+def import_jwk(filename):
+    """Reads a JWK from a file and converts it into the appropriate key class instance."""
+    if os.path.isfile(filename):
+        with open(filename) as jwk_file:
+            jwk_dict = json.loads(jwk_file.read())
+            return key_from_jwk_dict(jwk_dict)
+    return None

src/cryptojwt/jws/hmac.py

@@ -1,11 +1,8 @@
-import sys
-
+from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import hmac
-from cryptography.hazmat.backends import default_backend
 
 from . import Signer
-
 from ..exception import Unsupported
 
 
@@ -50,5 +47,3 @@ def verify(self, msg, sig, key):
             return True
         except:
             return False
-
-

src/cryptojwt/key_bundle.py

@@ -7,6 +7,7 @@
 
 import requests
 
+from cryptojwt.jwk.ec import NIST2SEC
 from cryptojwt.jwk.hmac import new_sym_key
 from .exception import DeSerializationNotPossible
 from .exception import JWKException
@@ -15,6 +16,8 @@
 from .jwk.ec import ECKey
 from .jwk.ec import new_ec_key
 from .jwk.hmac import SYMKey
+from .jwk.jwk import dump_jwk
+from .jwk.jwk import import_jwk
 from .jwk.rsa import RSAKey
 from .jwk.rsa import import_private_rsa_key_from_file
 from .jwk.rsa import new_rsa_key
@@ -67,7 +70,7 @@ def rsa_init(spec):
     Example of specification::
         {'size':2048, 'use': ['enc', 'sig'] }
 
-    Using the spec above 2 RSA keys would be minted, one for 
+    Using the spec above 2 RSA keys would be minted, one for
     encryption and one for signing.
     :param spec:
     :return: KeyBundle
@@ -439,8 +442,8 @@ def get(self, typ="", only_active=True):
     def keys(self):
         """
         Return all keys after having updated them
-        
-        :return: List of all keys 
+
+        :return: List of all keys
         """
         self._uptodate()
 
@@ -462,7 +465,7 @@ def active_keys(self):
     def remove_keys_by_type(self, typ):
         """
         Remove keys that are of a specific type.
-        
+
         :param typ: Type of key (rsa, ec, oct, ..)
         """
         _typs = [typ.lower(), typ.upper()]
@@ -474,7 +477,7 @@ def __str__(self):
     def jwks(self, private=False):
         """
         Create a JWKS as a JSON document
-        
+
         :param private: Whether private key information should be included.
         :return: A JWKS JSON representation of the keys in this bundle
         """
@@ -493,8 +496,8 @@ def jwks(self, private=False):
     def append(self, key):
         """
         Add a key to list of keys in this bundle
-        
-        :param key: Key to be added 
+
+        :param key: Key to be added
         """
         self._keys.append(key)
 
@@ -505,8 +508,8 @@ def extend(self, keys):
     def remove(self, key):
         """
         Remove a specific key from this bundle
-        
-        :param key: The key that should be removed 
+
+        :param key: The key that should be removed
         """
         try:
             self._keys.remove(key)
@@ -700,15 +703,16 @@ def build_key_bundle(key_conf, kid_template=""):
     An example of such a specification::
 
         keys = [
-            {"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
+            {"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"], 'size': 2048},
             {"type": "EC", "crv": "P-256", "use": ["sig"], "kid": "ec.1"},
-            {"type": "EC", "crv": "P-256", "use": ["enc"], "kid": "ec.2"}
+            {"type": "EC", "crv": "P-256", "use": ["enc"], "kid": "ec.2"},
+            {"type": "OCT", "bytes":}
         ]
 
     Keys in this specification are:
 
     type
-        The type of key. Presently only 'rsa' and 'ec' supported.
+        The type of key. Presently only 'rsa', 'ec' and 'oct' supported.
 
     key
         A name of a file where a key can be found. Only works with PEM encoded
@@ -801,6 +805,7 @@ def type_order(kd1, kd2):
 
     return None
 
+
 def kid_order(kd1, kd2):
     """Order key descriptions by kid."""
     try:
@@ -992,3 +997,54 @@ def unique_keys(keys):
             unique.append(k)
 
     return unique
+
+
+DEFAULT_SYM_KEYSIZE = 32
+DEFAULT_RSA_KEYSIZE = 2048
+DEFAULT_RSA_EXP = 65537
+DEFAULT_EC_CURVE = 'P-256'
+
+
+def key_gen(type, kid='', **kwargs):
+    """
+    Create a key and return it as a JWK.
+
+    :param type: Key type (RSA, EC, OCT)
+    :param kid:
+    :param kwargs: key specific keyword arguments
+        RSA: size, exp
+        EC: crv
+        SYM: bytes
+    """
+    if type.upper() == 'RSA':
+        keysize = kwargs.get("size", DEFAULT_RSA_KEYSIZE)
+        public_exponent = kwargs.get("exp", DEFAULT_RSA_EXP)
+        _key = new_rsa_key(public_exponent=public_exponent, key_size=keysize, kid=kid)
+    elif type.upper() == 'EC':
+        crv = kwargs.get("crv", DEFAULT_EC_CURVE)
+        if crv not in NIST2SEC:
+            logging.error("Unknown curve: %s", crv)
+            raise ValueError("Unknown curve: {}".format(crv))
+        _key = new_ec_key(crv=crv, kid=kid)
+    elif type.upper() in ["SYM", "OCT"]:
+        keysize = kwargs.get("bytes", 24)
+        randomkey = os.urandom(keysize)
+        _key = SYMKey(key=randomkey, kid=kid)
+    else:
+        logging.error("Unknown key type: %s", type)
+        raise ValueError("Unknown key type: %s".format(type))
+
+    return _key
+
+
+def init_key(filename, type, kid="", **kwargs):
+    if os.path.isfile(filename):
+        _old_key = import_jwk(filename)
+
+        if _old_key.kty == type:
+            if not kid or _old_key.kid == kid:
+                return _old_key
+
+    _new_key = key_gen(type, kid, **kwargs)
+    dump_jwk(filename, _new_key)
+    return _new_key

src/cryptojwt/key_jar.py

@@ -39,7 +39,7 @@ def __init__(self, ca_certs=None, verify_ssl=True, keybundle_cls=KeyBundle,
                  remove_after=3600, httpc=None):
         """
         KeyJar init function
-        
+
         :param ca_certs: CA certificates, to be used for HTTPS
         :param verify_ssl: Attempting SSL certificate verification
         :return: Keyjar instance
@@ -58,11 +58,11 @@ def __repr__(self):
 
     def add_url(self, issuer, url, **kwargs):
         """
-        Add a set of keys by url. This method will create a 
+        Add a set of keys by url. This method will create a
         :py:class:`oidcmsg.key_bundle.KeyBundle` instance with the
         url as source specification. If no file format is given it's assumed
         that what's on the other side is a JWKS.
-        
+
         :param issuer: Who issued the keys
         :param url: Where can the key/-s be found
         :param kwargs: extra parameters for instantiating KeyBundle
@@ -86,13 +86,13 @@ def add_url(self, issuer, url, **kwargs):
 
     def add_symmetric(self, issuer, key, usage=None):
         """
-        Add a symmetric key. This is done by wrapping it in a key bundle 
+        Add a symmetric key. This is done by wrapping it in a key bundle
         cloak since KeyJar does not handle keys directly but only through
         key bundles.
-        
+
         :param issuer: Owner of the key
-        :param key: The key 
-        :param usage: What the key can be used for signing/signature 
+        :param key: The key
+        :param usage: What the key can be used for signing/signature
             verification (sig) and/or encryption/decryption (enc)
         """
         if issuer not in self.issuer_keys:
@@ -111,7 +111,7 @@ def add_symmetric(self, issuer, key, usage=None):
     def add_kb(self, issuer, kb):
         """
         Add a key bundle and bind it to an identifier
-        
+
         :param issuer: Owner of the keys in the key bundle
         :param kb: A :py:class:`oidcmsg.key_bundle.KeyBundle` instance
         """
@@ -124,7 +124,7 @@ def __setitem__(self, issuer, val):
         """
         Bind one or a list of key bundles to a special identifier.
         Will overwrite whatever was there before !!
-        
+
         :param issuer: The owner of the keys in the key bundle/-s
         :param val: A single or a list of KeyBundle instance
         """
@@ -140,7 +140,7 @@ def __setitem__(self, issuer, val):
     def items(self):
         """
         Get all owner ID's and their key bundles
-        
+
         :return: list of 2-tuples (Owner ID., list of KeyBundles)
         """
         return self.issuer_keys.items()
@@ -375,9 +375,9 @@ def find(self, source, issuer):
 
     def export_jwks(self, private=False, issuer="", usage=None):
         """
-        Produces a dictionary that later can be easily mapped into a 
+        Produces a dictionary that later can be easily mapped into a
         JSON string representing a JWKS.
-        
+
         :param private: Whether it should be the private keys or the public
         :param issuer: The entity ID.
         :return: A dictionary with one key: 'keys'
@@ -650,17 +650,18 @@ def build_keyjar(key_conf, kid_template="", keyjar=None, owner=''):
     an existing KeyJar based on a key specification.
 
     An example of such a specification::
-    
+
         keys = [
             {"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
             {"type": "EC", "crv": "P-256", "use": ["sig"], "kid": "ec.1"},
             {"type": "EC", "crv": "P-256", "use": ["enc"], "kid": "ec.2"}
+            {"type": "OCT", "bytes": 32, "use":["sig"]}
         ]
 
     Keys in this specification are:
 
     type
-        The type of key. Presently only 'rsa' and 'ec' supported.
+        The type of key. Presently only 'rsa', 'oct' and 'ec' supported.
 
     key
         A name of a file where a key can be found. Only works with PEM encoded

tests/test_02_jwk.py

@@ -22,6 +22,8 @@
 from cryptojwt.jwk.hmac import SYMKey
 from cryptojwt.jwk.hmac import new_sym_key
 from cryptojwt.jwk.hmac import sha256_digest
+from cryptojwt.jwk.jwk import dump_jwk
+from cryptojwt.jwk.jwk import import_jwk
 from cryptojwt.jwk.jwk import jwk_wrap
 from cryptojwt.jwk.jwk import key_from_jwk_dict
 from cryptojwt.jwk.rsa import RSAKey
@@ -605,3 +607,15 @@ def test_mint_new_sym_key():
     assert key.use == 'sig'
     assert key.kid == 'one'
     assert len(key.key) == 24
+
+
+def test_dump_load():
+    _ckey = import_rsa_key_from_cert_file(CERT)
+    _key = jwk_wrap(_ckey, "sig", "kid1")
+    _filename = full_path("tmp_jwk.json")
+
+    dump_jwk(_filename, _key)
+    key = import_jwk(_filename)
+    assert isinstance(key, RSAKey)
+    assert key.kid == "kid1"
+    assert key.use == "sig"