def load_keys(save_path):
fppub = open(os.path.join(save_path, "public.pem"), 'rb')
fppriv = open(os.path.join(save_path, "private.pem"), 'rb')
pub_key = JWK.from_pem(fppub.read())
priv_key = JWK.from_pem(fppriv.read())
fppub.close()
fppriv.close()
return {'public': pub_key, 'private': priv_key}
def __init__(self, host='localhost', port=7777, key=None):
self.host = host
self.port = port
self.key = key
with open('client_private.pem', mode='rb') as f:
self.privkey = JWK.from_pem(f.read())
with open('server_public.pem', mode='rb') as f:
self.server_pubkey = JWK.from_pem(f.read())
def get_jwk(cls, public_key):
# type: (str) -> t.Mapping[str, t.Any]
jwk_obj = JWK.from_pem(public_key.encode('utf-8'))
public_jwk = json.loads(jwk_obj.export_public())
public_jwk['alg'] = 'RS256'
public_jwk['use'] = 'sig'
return public_jwk
def handle(self, *args, **options: dict):
configDir: str = os.path.dirname(
os.getenv('ENV_FILE', '/secrets/env.json'))
self.stdout.write('Key files will be written to '
f'directory "{configDir}"...')
self.keyFileBasePathName = os.path.join(
configDir, options.get(self.baseNameOption))
self.stdout.write('Generating key...')
key: RsaKey = RSA.generate(4096)
self.stdout.write('Preparing private and public key strings...')
privateKey: bytes = key.exportKey()
publicKey: bytes = key.publickey().exportKey()
jwk_obj: JWK = JWK.from_pem(publicKey)
public_jwk: dict = {
**json.loads(jwk_obj.export_public()),
**{
'alg': 'RS256',
'use': 'sig'
}
}
self._writeKeyFile(self.KeyFileType.PRIVATE,
privateKey.decode('utf-8'))
self._writeKeyFile(self.KeyFileType.PUBLIC, publicKey.decode('utf-8'))
self._writeKeyFile(self.KeyFileType.JWK, json.dumps(public_jwk))
def verify_certificate(jwt: JWT) -> JWK:
"""Get (and verify) the signing key from JWT."""
# First element in the header is our actual key
try:
decoding_key = JWK.from_pem(
PEM_CERT_TEMPLATE.format(jwt.token.jose_header['x5c'][0]).encode())
except ValueError:
raise InvalidCert('Cannot decode key.')
if SETTINGS.metadata_service['disable_cert_verification']:
return decoding_key
if not SETTINGS.metadata_service['certificate']:
raise CommandError(
"Certificate verification enabled, but no certificate set. "
"Please set certificate or disable validation.")
# Create context and verify
store = _prepare_crypto_store(jwt)
decoding_cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
PEM_CERT_TEMPLATE.format(jwt.token.jose_header['x5c'][0]).encode())
store_ctx = crypto.X509StoreContext(store, decoding_cert)
try:
store_ctx.verify_certificate()
except crypto.X509StoreContextError:
raise InvalidCert('Key could not be verified.')
else:
return decoding_key
def load_pem(path: str) -> JWK:
"""
Load a PEM-formatted key or certificate
Parsing will fail if the file contains anything other than the PEM-formatted key/certificate.
"""
with open(path, "rb") as pem_file:
return JWK.from_pem(pem_file.read())
def generate(header, payload, priv_pem):
priv_pem = json_decode(priv_pem.replace('\n', '\\n'))
if priv_pem.startswith("-----BEGIN"):
priv_key = JWK.from_pem(to_bytes_2and3(priv_pem))
else:
priv_key = JWK(kty='oct', k=base64url_encode(priv_pem))
sig = JWS(payload)
sig.add_signature(priv_key, protected=header)
sys.stdout.write(sig.serialize(compact=True))
def generate(header, payload, priv_pem):
priv_pem = json_decode(priv_pem.replace('\n', '\\n'))
if priv_pem.startswith("-----BEGIN"):
priv_key = JWK.from_pem(to_bytes_2and3(priv_pem))
else:
priv_key = JWK(kty='oct', k=base64url_encode(priv_pem))
sig = JWS(payload)
sig.add_signature(priv_key, protected=header)
sys.stdout.write(sig.serialize(compact=True))
def verify(sjws, pub_pem):
sjws = json_decode(sjws)
pub_pem = json_decode(pub_pem.replace('\n', '\\n'))
if pub_pem.startswith("-----BEGIN"):
pub_key = JWK.from_pem(to_bytes_2and3(pub_pem))
else:
pub_key = JWK(kty='oct', k=base64url_encode(pub_pem))
sig = JWS()
sig.deserialize(sjws, pub_key)
sys.stdout.write(base64url_decode(json_decode(sig.serialize())['payload']))
def verify(sjws, pub_pem):
sjws = json_decode(sjws)
pub_pem = json_decode(pub_pem.replace('\n', '\\n'))
if pub_pem.startswith("-----BEGIN"):
pub_key = JWK.from_pem(to_bytes_2and3(pub_pem))
else:
pub_key = JWK(kty='oct', k=base64url_encode(pub_pem))
sig = JWS()
sig.deserialize(sjws, pub_key)
sys.stdout.write(base64url_decode(json_decode(sig.serialize())['payload']))
def listAll():
repo = KeyRepository(getDb())
docList = repo.fetchAll()
jwkset = JWKSet()
for keyDoc in docList:
jwk = JWK.from_pem(base64.b64decode(keyDoc.publicKey))
# wrong way, no idea how to make it proper :|
jwk._params['kid'] = str(keyDoc.id)
jwk._params['alg'] = keyDoc.algorithm
jwkset.add(jwk)
return jwkset.export(private_keys=False, as_dict=True)
def get_getPublicKeyJwk(request):
keyId = request.args['keyId']
publicKey = keystore.getKey(keyId)
if publicKey == None:
return Response(responseBody=json.dumps({'error': 'Key not found'}),
contentType="application/json", statusCode=404)
else:
pemEncoded = "-----BEGIN PUBLIC KEY-----\r\n" + utils.insert_newlines(publicKey.decode("ascii"), 64) + "\r\n-----END PUBLIC KEY-----"
jwk = JWK.from_pem(pemEncoded.encode("ascii"))
jwkDecoded = json.loads(jwk.export_public())
jwkDecoded['kid'] = keyId
jwkDecoded['kty'] = "RSA"
return Response(responseBody = json.dumps(jwkDecoded, indent=4), contentType = "application/json")
def get_getPublicKeysJwks(request):
keys = keystore.getAllKeys()
jwks = []
for keyId in keys.keys():
pemEncoded = "-----BEGIN PUBLIC KEY-----\r\n" + utils.insert_newlines(keys[keyId].decode("ascii"), 64) + "\r\n-----END PUBLIC KEY-----"
jwk = JWK.from_pem(pemEncoded.encode("ascii"))
jwkDecoded = json.loads(jwk.export_public())
jwkDecoded['kid'] = keyId
jwkDecoded['kty'] = "RSA"
jwkDecoded['use'] = "sig"
jwks.append(jwkDecoded)
return Response(responseBody = json.dumps({'keys': jwks}, indent = 4), contentType = "application/json")
def get_jwk(public_key: bytes) -> Dict[str, str]:
"""Gets the JSON Web Key from PKCS#8 formatted data from a PEM file.
Args:
public_key (bytes): PKCS#8 formmatted public key.
Returns:
Dict[str, str]: dictionary that represents the JWK.
"""
jwk_obj = JWK.from_pem(public_key)
public_jwk = json.loads(jwk_obj.export_public())
public_jwk["alg"] = "RS256"
public_jwk["use"] = "sig"
return public_jwk
def create_apns_jwt():
with open(path.join(getcwd(), APNS_KEY), 'rb') as key:
jwk = JWK.from_pem(key.read())
jwt = JWT(header={
'typ': 'JWT',
'alg': 'ES256',
'kid': notifications['apns_key_id']
},
claims={
'iss': notifications['apple_team_id'],
'iat': int(time())
},
algs=['ES256'])
jwt.make_signed_token(jwk)
return jwt.serialize()
def create_webpush_jwt(endpoint_url):
with open(WEBPUSH_PRIVATE_KEY_PATH, 'rb') as key:
jwk = JWK.from_pem(key.read())
jwt = JWT(header={
'typ': 'JWT',
'alg': 'ES256'
},
claims={
'sub': f'mailto:{notifications["support_email"]}',
'exp': str(int(time() + WEBPUSH_EXPIRATION)),
'aud': f'{endpoint_url.scheme}://{endpoint_url.netloc}'
},
algs=['ES256'])
jwt.make_signed_token(jwk)
return jwt.serialize()
def _get_app_token(self):
expired = self._is_token_expired(self._current_app_token_expiry)
if expired:
now = self._get_now_timestamp()
expiry = now + (10 * 60)
self._current_app_token_expiry = expiry
token = JWT(
header={'alg': 'RS256'},
claims={
'iat': now,
'exp': expiry,
'iss': self._identifier,
},
algs=['RS256'],
)
token.make_signed_token(JWK.from_pem(self._private_key))
self._current_app_token = token.serialize()
return self._current_app_token
def get_jwk(public_key: str) -> dict:
'''
Load public key as dictionary
Args:
public_key (str): Path to pem
Returns:
dict: Exported public key
'''
jwk_obj = JWK.from_pem(public_key)
public_jwk = json.loads(jwk_obj.export_public())
public_jwk['alg'] = 'RS256'
public_jwk['use'] = 'sig'
return public_jwk
def create_public_thumbprint(save_path):
key = JWK.from_pem(os.path.join(save_path, "public.pem"))
return key.export()
def bench_RSA(self):
""" Import key """
JWK.from_pem(to_bytes_2and3(priv_pem))
def export_key(filename,key):
f = open(filename, "a")
f.write(key)
f.close()
key = RSA.generate(4096)
private_key = key.exportKey()
print(str(private_key))
export_key('private.key', str(private_key, encoding='UTF-8'))
public_key = key.publickey().exportKey()
print(str(public_key))
export_key('public.key', str(public_key, encoding='UTF-8'))
f = open("public.key", "r")
public_pem = f.read()
f.close()
jwk_obj = JWK.from_pem(public_pem.encode('utf-8'))
public_jwk = json.loads(jwk_obj.export_public())
public_jwk['alg'] = 'RS256'
public_jwk['use'] = 'sig'
public_jwk_str = json.dumps(public_jwk)
export_key('public.jwk.json', public_jwk_str)
print(public_jwk_str)
801xAoGADQB84MJe/X8xSUZQzpn2KP/yZ7C517qDJjComGe3mjVxTIT5XAaa1tLy\n\ T4mvpSeYDJkBD8Hxr3fB1YNDWNbgwrNPGZnUTBNhxIsNLPnV8WySiW57LqVXlggH\n\ vjFmyDdU5Hh6ma4q+BeAqbXZSJz0cfkBcBLCSe2gIJ/QJ3YJVQI= \n\ -----END RSA PRIVATE KEY-----" rsa_pub_pem = "-----BEGIN PUBLIC KEY----- \n\ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qiw8PWs7PpnnC2BUEoD\n\ RcwXF8pq8XT1/3Hc3cuUJwX/otNefr/Bomr3dtM0ERLN3DrepCXvuzEU5FcJVDUB\n\ 3sI+pFtjjLBXD/zJmuL3Afg91J9p79+Dm+43cR6wuKywVJx5DJIdswF6oQDDzhwu\n\ 89d2V5x02aXB9LqdXkPwiO0eR5s/xHXgASl+hqDdVL9hLod3iGa9nV7cElCbcl8U\n\ VXNPJnQAfaiKazF+hCdl/syrIh0KCZ5opggsTJibo8qFXBmG4PkT5YbhHE11wYKI\n\ LwZFSvZ9iddRPQK3CtgFiBnXbVwU5t67tn9pMizHgypgsfBoeoyBrpTuc4egSCpj\n\ sQIDAQAB \n\ -----END PUBLIC KEY-----" rsa_priv_key = JWK.from_pem(to_bytes_2and3(rsa_priv_pem)) rsa_pub_key = JWK.from_pem(to_bytes_2and3(rsa_pub_pem)) ec_p256_priv_pem = "-----BEGIN EC PRIVATE KEY----- \n\ MHcCAQEEIHUzppsG3mykCT4wm/zle/61EiRxMrqhMuIhJ9ODYSSPoAoGCCqGSM49\n\ AwEHoUQDQgAEXkWPnLkwayWN5S1m5b6+3ZMlOi4IdMYQx6tGwPdCZLUko3sqIQHp\n\ CLCxpT9Cis1hHR/kWy4Tr18Ow3tBi9YKLA== \n\ -----END EC PRIVATE KEY-----" ec_p256_pub_pem = "-----BEGIN PUBLIC KEY----- \n\ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXkWPnLkwayWN5S1m5b6+3ZMlOi4I\n\ dMYQx6tGwPdCZLUko3sqIQHpCLCxpT9Cis1hHR/kWy4Tr18Ow3tBi9YKLA== \n\ -----END PUBLIC KEY-----" ec_p256_priv_key = JWK.from_pem(to_bytes_2and3(ec_p256_priv_pem)) ec_p256_pub_key = JWK.from_pem(to_bytes_2and3(ec_p256_pub_pem))
def get_jwk(public_key):
jwk_obj = JWK.from_pem(public_key)
public_jwk = json.loads(jwk_obj.export_public())
public_jwk["alg"] = "RS256"
public_jwk["use"] = "sig"
return public_jwk
801xAoGADQB84MJe/X8xSUZQzpn2KP/yZ7C517qDJjComGe3mjVxTIT5XAaa1tLy\n\
T4mvpSeYDJkBD8Hxr3fB1YNDWNbgwrNPGZnUTBNhxIsNLPnV8WySiW57LqVXlggH\n\
vjFmyDdU5Hh6ma4q+BeAqbXZSJz0cfkBcBLCSe2gIJ/QJ3YJVQI= \n\
-----END RSA PRIVATE KEY-----"
pub_pem = "-----BEGIN PUBLIC KEY----- \n\
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qiw8PWs7PpnnC2BUEoD\n\
RcwXF8pq8XT1/3Hc3cuUJwX/otNefr/Bomr3dtM0ERLN3DrepCXvuzEU5FcJVDUB\n\
3sI+pFtjjLBXD/zJmuL3Afg91J9p79+Dm+43cR6wuKywVJx5DJIdswF6oQDDzhwu\n\
89d2V5x02aXB9LqdXkPwiO0eR5s/xHXgASl+hqDdVL9hLod3iGa9nV7cElCbcl8U\n\
VXNPJnQAfaiKazF+hCdl/syrIh0KCZ5opggsTJibo8qFXBmG4PkT5YbhHE11wYKI\n\
LwZFSvZ9iddRPQK3CtgFiBnXbVwU5t67tn9pMizHgypgsfBoeoyBrpTuc4egSCpj\n\
sQIDAQAB \n\
-----END PUBLIC KEY-----"
priv_key = JWK.from_pem(to_bytes_2and3(priv_pem))
pub_key = JWK.from_pem(to_bytes_2and3(pub_pem))
priv_keys = {
'HS256': {'default': JWK(kty='oct', k=base64url_encode('some random key'))},
'HS384': {'default': JWK(kty='oct', k=base64url_encode('another one'))},
'HS512': {'default': JWK(kty='oct', k=base64url_encode('keys keys keys!'))},
'RS256': {'python-jwt': priv_key},
'RS384': {'python-jwt': priv_key},
'RS512': {'python-jwt': priv_key},
'PS256': {'python-jwt': priv_key},
'PS384': {'python-jwt': priv_key},
'PS512': {'python-jwt': priv_key}
}
pub_keys = {
def __init__(self, port=7777):
self.port = port
self.data = MCData()
with open('server_private.pem', mode='rb') as f:
self.privkey = JWK.from_pem(f.read())
def get_key(path):
# type: (str) -> JWK
with open(path, 'rb') as key_file:
return JWK.from_pem(key_file.read())
def get_jwk(public_key):
jwk_obj = JWK.from_pem(public_key)
public_jwk = json.loads(jwk_obj.export_public())
public_jwk['alg'] = 'RS256'
public_jwk['use'] = 'sig'
return public_jwk
def bench_RSA(self):
""" Import key """
JWK.from_pem(to_bytes_2and3(priv_pem))
