Merge branch 'main' into sdjwt2

Author: rohe

.github/workflows/test.yml

@@ -28,6 +28,7 @@ jobs:
           - "3.9"
           - "3.10"
           - "3.11"
+          - "3.12"
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}

src/cryptojwt/jwe/jwe_ec.py

@@ -213,7 +213,6 @@ def encrypt(self, key=None, iv="", cek="", **kwargs):
         return jwe.pack(parts=[iv, ctxt, tag])
 
     def decrypt(self, token=None, **kwargs):
-
         if isinstance(token, JWEnc):
             jwe = token
         else:

src/cryptojwt/jwk/__init__.py

@@ -31,7 +31,6 @@ class JWK(object):
     def __init__(
         self, kty="", alg="", use="", kid="", x5c=None, x5t="", x5u="", key_ops=None, **kwargs
     ):
-
         self.extra_args = kwargs
 
         # want kty, alg, use and kid to be strings
@@ -75,6 +74,9 @@ def __init__(
                     "PS256",
                     "PS384",
                     "PS512",
+                    "EdDSA",
+                    "Ed25519",
+                    "Ed448",
                     "none",
                 ]:
                     raise UnsupportedAlgorithm("Unknown algorithm: {}".format(alg))
@@ -93,6 +95,9 @@ def __init__(
                     "PS256",
                     "PS384",
                     "PS512",
+                    "EdDSA",
+                    "Ed25519",
+                    "Ed448",
                     "none",
                     "RSA1_5",
                     "RSA-OAEP",

src/cryptojwt/jwk/okp.py

@@ -321,7 +321,6 @@ def cmp_keys(a, b, key_type):
 
 
 def new_okp_key(crv, kid="", **kwargs):
-
     _key = OKP_CRV2PRIVATE[crv].generate()
 
     _rk = OKPKey(priv_key=_key, kid=kid, **kwargs)

src/cryptojwt/jws/eddsa.py

@@ -10,6 +10,9 @@
 
 
 class EDDSASigner(Signer):
+    def __init__(self, algorithm=None):
+        self.algorithm = algorithm
+
     def sign(self, msg, key):
         """
         Create a signature over a message as defined in RFC7515 using an
@@ -20,6 +23,17 @@ def sign(self, msg, key):
         :return:
         """
 
+        if self.algorithm:
+            if self.algorithm == "Ed25519" and not isinstance(key, ed25519.Ed25519PrivateKey):
+                raise TypeError("The private key must be an instance of Ed25519PrivateKey")
+            if self.algorithm == "Ed448" and not isinstance(key, ed448.Ed448PrivateKey):
+                raise TypeError("The private key must be an instance of Ed448PrivateKey")
+
+        if not isinstance(key, (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey)):
+            raise TypeError(
+                "The private key must be an instance of Ed25519PrivateKey or Ed448PrivateKey"
+            )
+
         if not isinstance(key, (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey)):
             raise TypeError(
                 "The private key must be an instance of Ed25519PrivateKey or Ed448PrivateKey"
@@ -37,6 +51,13 @@ def verify(self, msg, sig, key):
         :raises: BadSignature if the signature can't be verified.
         :return: True
         """
+
+        if self.algorithm:
+            if self.algorithm == "Ed25519" and not isinstance(key, ed25519.Ed25519PublicKey):
+                raise TypeError("The public key must be an instance of Ed25519PublicKey")
+            if self.algorithm == "Ed448" and not isinstance(key, ed448.Ed448PublicKey):
+                raise TypeError("The public key must be an instance of Ed448PublicKey")
+
         if not isinstance(key, (ed25519.Ed25519PublicKey, ed448.Ed448PublicKey)):
             raise TypeError(
                 "The public key must be an instance of Ed25519PublicKey or Ed448PublicKey"

src/cryptojwt/jws/jws.py

@@ -48,6 +48,8 @@
     "PS384": PSSSigner("SHA384"),
     "PS512": PSSSigner("SHA512"),
     "EdDSA": EDDSASigner(),
+    "Ed25519": EDDSASigner("Ed25519"),
+    "Ed448": EDDSASigner("Ed448"),
     "none": None,
 }
 

src/cryptojwt/jws/utils.py

@@ -47,6 +47,10 @@ def alg2keytype(alg):
         return "RSA"
     elif alg.startswith("HS") or alg.startswith("A"):
         return "oct"
+    elif alg == "Ed25519":
+        return "OKP"
+    elif alg == "Ed448":
+        return "OKP"
     elif alg.startswith("ES") or alg.startswith("ECDH-ES"):
         return "EC"
     elif alg == "EdDSA":

src/cryptojwt/jwt.py

@@ -91,14 +91,14 @@ def __init__(
         enc_enc: str = "A128GCM",
         enc_alg: str = "RSA-OAEP-256",
         msg_cls: Optional[MutableMapping] = None,
-        iss2msg_cls: Dict[str, str] = None,
-        skew: int = 15,
-        allowed_sign_algs: List[str] = None,
-        allowed_enc_algs: List[str] = None,
-        allowed_enc_encs: List[str] = None,
-        allowed_max_lifetime: int = None,
-        zip: str = "",
-        typ2msg_cls: Dict = None,
+        iss2msg_cls: Optional[Dict[str, str]] = None,
+        skew: Optional[int] = 15,
+        allowed_sign_algs: Optional[List[str]] = None,
+        allowed_enc_algs: Optional[List[str]] = None,
+        allowed_enc_encs: Optional[List[str]] = None,
+        allowed_max_lifetime: Optional[int] = None,
+        zip: Optional[str] = "",
+        typ2msg_cls: Optional[Dict] = None,
     ):
         self.key_jar = key_jar  # KeyJar instance
         self.iss = iss  # My identifier
@@ -223,7 +223,7 @@ def pack(
         recv: Optional[str] = "",
         aud: Optional[str] = None,
         iat: Optional[int] = None,
-        jws_headers: Dict[str, str] = None,
+        jws_headers: Optional[Dict[str, str]] = None,
         **kwargs
     ) -> str:
         """
@@ -269,8 +269,7 @@ def pack(
             else:
                 _key = None
 
-            if jws_headers is None:
-                jws_headers = {}
+            jws_headers = jws_headers or {}
 
             _jws = JWS(self.message(signing_key=_key, **_args), alg=self.alg)
             _sjwt = _jws.sign_compact([_key], protected=jws_headers)

src/cryptojwt/key_bundle.py

@@ -566,7 +566,6 @@ def update(self):
         :return: True if update was ok or False if we encountered an error during update.
         """
         if self.source:
-
             try:
                 if self.local:
                     if self.fileformat in ["jwks", "jwk"]:

src/cryptojwt/key_jar.py

@@ -482,7 +482,6 @@ def _add_key(
         no_kid_issuer=None,
         allow_missing_kid=False,
     ):
-
         _issuer = self._get_issuer(issuer_id)
         if _issuer is None:
             logger.error('Issuer "{}" not in keyjar'.format(issuer_id))

tests/test_03_key_bundle.py

@@ -225,7 +225,7 @@ def test_ignore_unknown_types():
             "-u6VtZ5rAdBo5fCjjy3LnkrsoK_QWrlKB08j_PcvwpAMfTEDHw5spepw",
             "use": "sig",
             "alg": "EdDSA",
-            "kty": "OKP",
+            "kty": "XXX",
             "crv": "Ed25519",
             "x": "FnbcUAXZ4ySvrmdXK1MrDuiqlqTXvGdAaE4RWZjmFIQ",
         }

tests/test_04_key_issuer.py

@@ -446,24 +446,6 @@ def test_load_missing_key_parameter():
             "n": "68be-nJp46VLj4Ci1V36IrVGYqkuBfYNyjQTZD_7yRYcERZebowOnwr3w0DoIQpl8iL2X8OXUo7rUW_LMzLxKx2hEmdJfUn4LL2QqA3KPgjYz8hZJQPG92O14w9IZ-8bdDUgXrg9216H09yq6ZvJrn5Nwvap3MXgECEzsZ6zQLRKdb_R96KFFgCiI3bEiZKvZJRA7hM2ePyTm15D9En_Wzzfn_JLMYgE_DlVpoKR1MsTinfACOlwwdO9U5Dm-5elapovILTyVTgjN75i-wsPU2TqzdHFKA-4hJNiWGrYPiihlAFbA2eUSXuEYFkX43ahoQNpeaf0mc17Jt5kp7pM2w",
             "e": "AQAB",
         },
-        {
-            "kid": "q-H9y8iuh3BIKZBbK6S0mH_isBlJsk"
-            "-u6VtZ5rAdBo5fCjjy3LnkrsoK_QWrlKB08j_PcvwpAMfTEDHw5spepw",
-            "use": "sig",
-            "alg": "EdDSA",
-            "kty": "OKP",
-            "crv": "Ed25519",
-            "x": "FnbcUAXZ4ySvrmdXK1MrDuiqlqTXvGdAaE4RWZjmFIQ",
-        },
-        {
-            "kid": "bL33HthM3fWaYkY2_pDzUd7a65FV2R2LHAKCOsye8eNmAPDgRgpHWPYpWFVmeaujUUEXRyDLHN"
-            "-Up4QH_sFcmw",
-            "use": "sig",
-            "alg": "EdDSA",
-            "kty": "OKP",
-            "crv": "Ed25519",
-            "x": "CS01DGXDBPV9cFmd8tgFu3E7eHn1UcP7N1UCgd_JgZo",
-        },
     ]
 }
 

tests/test_04_key_jar.py

@@ -538,6 +538,11 @@ def test_load_missing_key_parameter():
             "n": "68be-nJp46VLj4Ci1V36IrVGYqkuBfYNyjQTZD_7yRYcERZebowOnwr3w0DoIQpl8iL2X8OXUo7rUW_LMzLxKx2hEmdJfUn4LL2QqA3KPgjYz8hZJQPG92O14w9IZ-8bdDUgXrg9216H09yq6ZvJrn5Nwvap3MXgECEzsZ6zQLRKdb_R96KFFgCiI3bEiZKvZJRA7hM2ePyTm15D9En_Wzzfn_JLMYgE_DlVpoKR1MsTinfACOlwwdO9U5Dm-5elapovILTyVTgjN75i-wsPU2TqzdHFKA-4hJNiWGrYPiihlAFbA2eUSXuEYFkX43ahoQNpeaf0mc17Jt5kp7pM2w",
             "e": "AQAB",
         },
+    ]
+}
+
+JWKS_EDDSA = {
+    "keys": [
         {
             "kid": "q-H9y8iuh3BIKZBbK6S0mH_isBlJsk"
             "-u6VtZ5rAdBo5fCjjy3LnkrsoK_QWrlKB08j_PcvwpAMfTEDHw5spepw",
@@ -556,6 +561,22 @@ def test_load_missing_key_parameter():
             "crv": "Ed25519",
             "x": "CS01DGXDBPV9cFmd8tgFu3E7eHn1UcP7N1UCgd_JgZo",
         },
+        {
+            "kid": "OF9xVk9NWE5iQ2N6OGhILTVGcXg4RE1FRk5NWVVsaXZLcFNRNUxCYk9vQQ",
+            "use": "sig",
+            "alg": "Ed25519",
+            "kty": "OKP",
+            "crv": "Ed25519",
+            "x": "M_D8nslNSecjPwiP6DwuNhWRdrgqp02U7f5xo4GhdlY",
+        },
+        {
+            "kid": "RUpoaXktM1JwT0hON3lzNWNfN0RUbVpiWExwbnJnNDRfYWhZY3htaTZ1Zw",
+            "use": "sig",
+            "alg": "Ed448",
+            "kty": "OKP",
+            "crv": "Ed448",
+            "x": "C3y5YN00IxyadHXm4NApPGAzv5w8s9e-fbGu2svYrrCuJDYDDZe-uEOPSobII6psCZCEvo2howmA",
+        },
     ]
 }
 
@@ -580,6 +601,16 @@ def test_get_ec_wrong_alg():
     assert k == []
 
 
+def test_get_eddsa():
+    kj = KeyJar()
+    kj.import_jwks(JWKS_EDDSA, "")
+    assert len(kj.get_issuer_keys("")) == 4
+    k = kj.get("sig", "OKP", alg="Ed25519")
+    assert k
+    k = kj.get("sig", "OKP", alg="Ed448")
+    assert k
+
+
 def test_keyjar_eq():
     kj1 = KeyJar()
     kj1.import_jwks(JWKS_SPO, "")

tests/test_06_jws.py

@@ -609,6 +609,20 @@ def test_signer_ps512():
 
 
 def test_signer_eddsa():
+    payload = "Please take a moment to register today"
+    okp = ed25519.Ed25519PrivateKey.generate()
+    _key = OKPKey().load_key(okp)
+    keys = [_key]
+    _jws = JWS(payload, alg="Ed25519")
+    _jwt = _jws.sign_compact(keys)
+
+    _pubkey = OKPKey().load_key(okp.public_key())
+    _rj = JWS(alg="Ed25519")
+    info = _rj.verify_compact(_jwt, [_pubkey])
+    assert info == payload
+
+
+def test_signer_eddsa_polymorphic():
     payload = "Please take a moment to register today"
     okp = ed25519.Ed25519PrivateKey.generate()
     _key = OKPKey().load_key(okp)
@@ -627,12 +641,12 @@ def test_signer_eddsa_fail():
     okp = ed25519.Ed25519PrivateKey.generate()
     _key = OKPKey().load_key(okp)
     keys = [_key]
-    _jws = JWS(payload, alg="EdDSA")
+    _jws = JWS(payload, alg="Ed25519")
     _jwt = _jws.sign_compact(keys)
 
     okp2 = ed25519.Ed25519PrivateKey.generate()
     _pubkey = OKPKey().load_key(okp2.public_key())
-    _rj = JWS(alg="EdDSA")
+    _rj = JWS(alg="Ed25519")
     try:
         info = _rj.verify_compact(_jwt, [_pubkey])
     except BadSignature: