def test_mark_as_inactive():
    """A key marked inactive stays in the bundle but leaves active_keys()."""
    bundle = KeyBundle([{"kty": "oct", "key": "supersecret", "use": "sig"}])
    assert len(bundle.keys()) == 1

    # Collect the kids first, then deactivate every key in the bundle.
    kids = [key.kid for key in bundle.keys()]
    for kid in kids:
        bundle.mark_as_inactive(kid)

    # Adding a second key: both are listed, only the new one is active.
    bundle.do_keys([{"kty": "oct", "key": "secret", "use": "enc"}])
    assert len(bundle.keys()) == 2
    assert len(bundle.active_keys()) == 1
def test_outdated():
    """remove_outdated() drops a key whose inactive_since is older than the cutoff."""
    sig_desc = {"kty": "oct", "key": "supersecret", "use": "sig"}
    enc_desc = {"kty": "oct", "key": "secret", "use": "enc"}
    bundle = KeyBundle([sig_desc, enc_desc])

    # Backdate the first key's inactivity to 60 s ago; the cutoff of 30
    # (presumably seconds) should then remove exactly that key.
    first_key = bundle.keys()[0]
    first_key.inactive_since = time.time() - 60
    bundle.remove_outdated(30)
    assert len(bundle) == 1
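def build_keyjar(key_conf, kid_template="", keyjar=None, kidd=None):
    """
    Build a :py:class:`KeyJar` (plus a matching JWKS) from a key configuration.

    Configuration of the type ::

        keys = [
            {"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
            {"type": "EC", "crv": "P-256", "use": ["sig"]},
            {"type": "EC", "crv": "P-256", "use": ["enc"]}
        ]

    An RSA spec with a ``"key"`` entry is loaded from that file via
    ``KeyBundle``; if the file cannot be read or deserialized the bundle is
    built with ``_new_rsa_key(spec)`` instead. An RSA spec without ``"key"``
    goes through ``rsa_init``, and every EC spec through ``ec_init``.

    :param key_conf: The key configuration, an iterable of key specs as above
    :param kid_template: A template by which to build the kids. It is applied
        with the ``%`` operator to a running integer, so it must contain
        exactly one ``%d``-style conversion. If empty, every key chooses its
        own kid via ``add_kid()``.
    :param keyjar: An existing KeyJar the bundles are added to; a new one is
        created when None
    :param kidd: An existing ``{use: {kty: kid}}`` mapping to update; when
        None a fresh one with the uses ``"sig"`` and ``"enc"`` is created
    :return: A tuple consisting of a JWKS dictionary, a KeyJar instance and
        a representation of which kids that can be used for what.
        Note the JWKS contains private key information !! It must not be
        published as-is. Symmetric (``oct``) keys are left out of the JWKS
        but are still added to the KeyJar.
    :raises ValueError: If a spec has a ``"type"`` other than RSA or EC
    """
    if keyjar is None:
        keyjar = KeyJar()
    if kidd is None:
        kidd = {"sig": {}, "enc": {}}

    kid_counter = 0
    jwks = {"keys": []}
    for spec in key_conf:
        typ = spec["type"].upper()
        if typ == "RSA":
            if "key" in spec:
                # NOTE(review): the file is requested as "der" although the
                # docstring example names a .pem file — confirm KeyBundle
                # accepts both, otherwise every PEM config silently falls
                # through to the fallback below.
                try:
                    kb = KeyBundle(source="file://%s" % spec["key"],
                                   fileformat="der", keytype=typ,
                                   keyusage=spec["use"])
                except (OSError, IOError, DeSerializationNotPossible):
                    # Unreadable or unparsable key file: build the RSA
                    # bundle from the spec itself.
                    kb = _new_rsa_key(spec)
            else:
                kb = rsa_init(spec)
        elif typ == "EC":
            kb = ec_init(spec)
        else:
            # Without this guard an unknown type would reuse the bundle of
            # the preceding spec (or raise NameError on the first one).
            raise ValueError(
                "Unsupported key type in key configuration: %r" % spec["type"])

        for k in kb.keys():
            if kid_template:
                k.kid = kid_template % kid_counter
                kid_counter += 1
            else:
                k.add_kid()
            kidd[k.use][k.kty] = k.kid

        # Symmetric keys never go into the JWKS; everything else is
        # serialized as-is (per the note above, this may include private
        # key material).
        jwks["keys"].extend(k.serialize() for k in kb.keys() if k.kty != 'oct')
        keyjar.add_kb("", kb)

    return jwks, keyjar, kidd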