Ejemplo n.º 1
def test_mark_as_inactive():
    """An inactivated key stays in the bundle but is not counted as active."""
    sig_spec = {"kty": "oct", "key": "supersecret", "use": "sig"}
    bundle = KeyBundle([sig_spec])
    assert len(bundle.keys()) == 1

    # Retire every key the bundle currently holds, addressing each by kid.
    for held_key in bundle.keys():
        bundle.mark_as_inactive(held_key.kid)

    # Add a second, fresh key: both are stored, only the new one is active.
    enc_spec = {"kty": "oct", "key": "secret", "use": "enc"}
    bundle.do_keys([enc_spec])
    assert len(bundle.keys()) == 2
    assert len(bundle.active_keys()) == 1
Ejemplo n.º 2
def test_outdated():
    """remove_outdated(30) drops a key whose inactive_since lies 60 s back."""
    sig_spec = {"kty": "oct", "key": "supersecret", "use": "sig"}
    enc_spec = {"kty": "oct", "key": "secret", "use": "enc"}
    bundle = KeyBundle([sig_spec, enc_spec])

    # Back-date the first key's inactivation so that it exceeds the limit
    # passed to remove_outdated below.
    first_key = bundle.keys()[0]
    first_key.inactive_since = time.time() - 60

    bundle.remove_outdated(30)
    assert len(bundle) == 1
Ejemplo n.º 3
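def build_keyjar(key_conf, kid_template="", keyjar=None, kidd=None):
    """
    Populate a KeyJar with keys built according to a key configuration.

    Configuration of the type ::

        keys = [
            {"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
            {"type": "EC", "crv": "P-256", "use": ["sig"]},
            {"type": "EC", "crv": "P-256", "use": ["enc"]}
        ]

    An RSA entry with a "key" path is loaded from that file. If the file
    cannot be read or deserialized, a key is obtained from
    ``_new_rsa_key(spec)`` instead and the caller gets no signal that the
    configured file was not used. Deployments that pin a specific key
    should verify the resulting kid/JWKS after start-up.

    Treat the returned JWKS as potentially containing private key material:
    ``serialize()`` is called without arguments, so what it exports depends
    on that method's default -- confirm before publishing the JWKS.

    :param key_conf: The key configuration, an iterable of dicts with at
        least a "type" entry ("RSA" or "EC", case-insensitive).
    :param kid_template: A %-style template by which to build the kids; it
        is applied to a counter starting at 0. If empty, each key's
        ``add_kid()`` is called instead.
    :param keyjar: An existing KeyJar to add the keys to; a new one is
        created when None.
    :param kidd: An existing use -> key type -> kid mapping to update;
        defaults to ``{"sig": {}, "enc": {}}`` when None.
    :return: A tuple consisting of a JWKS dictionary, a KeyJar instance
        and a representation of which kids that can be used for what.
    :raises ValueError: If a specification names a key type other than
        RSA or EC.
    """

    if keyjar is None:
        keyjar = KeyJar()

    if kidd is None:
        kidd = {"sig": {}, "enc": {}}

    kid = 0
    jwks = {"keys": []}

    for spec in key_conf:
        typ = spec["type"].upper()

        if typ == "RSA":
            if "key" in spec:
                error_to_catch = (OSError, IOError,
                                  DeSerializationNotPossible)
                try:
                    kb = KeyBundle(source="file://%s" % spec["key"],
                                   fileformat="der",
                                   keytype=typ, keyusage=spec["use"])
                except error_to_catch:
                    # Deliberate best-effort: an unreadable or undecodable
                    # key file falls back to _new_rsa_key(). Any other
                    # exception propagates unchanged.
                    kb = _new_rsa_key(spec)
            else:
                kb = rsa_init(spec)
        elif typ == "EC":
            kb = ec_init(spec)
        else:
            # Without this branch `kb` would be unbound on the first spec,
            # or silently still refer to the previous spec's bundle and be
            # registered a second time. Fail loudly instead.
            raise ValueError("Unsupported key type: %r" % spec["type"])

        for k in kb.keys():
            if kid_template:
                k.kid = kid_template % kid
                kid += 1
            else:
                k.add_kid()
            # One kid per (use, key type): a later key with the same pair
            # replaces the earlier entry.
            kidd[k.use][k.kty] = k.kid

        # Symmetric ('oct') keys are never exported in the JWKS.
        jwks["keys"].extend(
            [k.serialize() for k in kb.keys() if k.kty != 'oct'])

        # Registered under the empty-string owner -- presumably "this
        # entity's own keys"; confirm against KeyJar.add_kb.
        keyjar.add_kb("", kb)

    return jwks, keyjar, kidd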