Merge branch 'main' into kid_thumbprint

Author: jschlyter

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   pypi_release:
-    name: Build with Poetry and Publish to PyPI
+    name: Build and Publish to PyPI
     runs-on: ubuntu-latest
     environment:
       name: pypi
@@ -16,9 +16,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
-      - name: Install and configure Poetry
-        run: pip install poetry
-      - name: Publish package
-        run: poetry build
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: latest
+          enable-cache: true
+      - name: Build package
+        run: uv build
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/test.yml

@@ -1,23 +1,13 @@
 name: Test
 
 on:
-  - push
-  - pull_request
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
-  pre_job:
-    runs-on: ubuntu-latest
-    outputs:
-      should_skip: ${{ steps.skip_check.outputs.should_skip }}
-    steps:
-      - id: skip_check
-        uses: fkirc/skip-duplicate-actions@master
-        with:
-          do_not_skip: '["pull_request"]'
-          cancel_others: 'true'
-          concurrent_skipping: same_content
   ruff:
-    needs: pre_job
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -44,15 +34,14 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install and configure Poetry
-        run: |
-          pip install poetry
-          poetry config virtualenvs.in-project true
-      - name: Install dependencies
-        run: poetry install
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: latest
+          enable-cache: true
       - name: Run pytest
         run: |
-          poetry run pytest -vvv -ra --cov=cryptojwt --cov-report=xml
+          uv run pytest -vvv -ra --cov=cryptojwt --cov-report=xml
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v4
         with:

.gitignore

@@ -137,5 +137,4 @@ tests/pyoidc
 tests/pyoidc.pub
 tests/xtest_usage.py
 
-# Poetry
-poetry.lock
+*.lock

Makefile

@@ -1,8 +1,8 @@
 all:
 
 test:
-	poetry run pytest --ruff --ruff-format --cov
+	uv run pytest --ruff --ruff-format --cov
 
 reformat:
-	poetry run ruff check --select I --fix src tests
-	poetry run ruff format src tests
+	uv run ruff check --select I --fix src tests
+	uv run ruff format src tests

pyproject.toml

@@ -1,41 +1,51 @@
 # PEP 518: https://www.python.org/dev/peps/pep-0518/
 
-[tool.poetry]
+[project]
 name = "cryptojwt"
-version = "1.9.5"
+dynamic = ["version"]
 description = "Python implementation of JWT, JWE, JWS and JWK"
-authors = ["Roland Hedberg <[email protected]>"]
+authors = [
+    {name="Roland Hedberg", email = "[email protected]"}
+]
 license = "Apache-2.0"
 repository = "https://github.com/IdentityPython/JWTConnect-Python-CryptoJWT"
 readme = "README.md"
 packages = [
     { include = "cryptojwt", from = "src" }
 ]
+requires-python = ">=3.9,<4.0"
+dependencies = [
+    "cryptography>=3.4.6",
+    "requests>=2.25.1"
+]
 
-[tool.poetry.scripts]
+[project.scripts]
 jwkgen = "cryptojwt.tools.keygen:main"
 jwkconv = "cryptojwt.tools.keyconv:main"
 jwtpeek = "cryptojwt.tools.jwtpeek:main"
 
-[tool.poetry.dependencies]
-python = "^3.9"
-cryptography = ">=3.4.6"
-requests = "^2.25.1"
+[build-system]
+requires = ["hatchling", "uv-dynamic-versioning"]
+build-backend = "hatchling.build"
+
+[tool.hatch.version]
+source = "uv-dynamic-versioning"
 
-[tool.poetry.group.dev.dependencies]
-alabaster = "^0.7.12"
-pytest = "^8.2.1"
-pytest-cov = "^4.0.0"
-responses = "^0.13.0"
-sphinx = "^3.5.2"
-sphinx-autobuild = "^2021.3.14"
-coverage = "^7"
-ruff = ">=0.9.9"
-pytest-ruff = "^0.3.2"
+[tool.hatch.metadata]
+allow-direct-references = true
 
-[build-system]
-requires = ["poetry-core>=1.0.0"]
-build-backend = "poetry.core.masonry.api"
+[dependency-groups]
+dev = [
+    "alabaster>=0.7.12",
+    "pytest>=8.2.1",
+    "pytest-cov>=4.0.0",
+    "responses>=0.13.0",
+    "sphinx>=3.5.2",
+    "sphinx-autobuild>=2021.3.14",
+    "coverage>=7",
+    "ruff>=0.9.9",
+    "pytest-ruff>=0.3.2"
+]
 
 [tool.coverage.run]
 branch = true

src/cryptojwt/__init__.py

@@ -1,7 +1,7 @@
 """JSON Web Token"""
 
 import logging
-from importlib.metadata import version
+from importlib.metadata import version, PackageNotFoundError
 
 from cryptojwt.jwe.jwe import JWE
 from cryptojwt.jwk import JWK
@@ -13,7 +13,10 @@
 from .exception import BadSyntax
 from .utils import as_unicode, b64d, b64encode_item, split_token
 
-__version__ = version("cryptojwt")
+try:
+    __version__ = version("cryptojwt")
+except PackageNotFoundError:
+    __version__ = "0.0.0"
 
 __all__ = [
     "JWE",

src/cryptojwt/jwk/ec.py

@@ -243,6 +243,20 @@ def __eq__(self, other):
         if self.__class__ != other.__class__:
             return False
 
+        if self.use and other.use:
+            if self.use != other.use:
+                return False
+
+        if self.kid:
+            if other.kid:
+                if self.kid != other.kid:
+                    return False
+            else:
+                return False
+        else:
+            if other.kid:
+                return False
+
         if cmp_keys(self.pub_key, other.pub_key, ec.EllipticCurvePublicKey):
             if other.private_key():
                 if cmp_keys(self.priv_key, other.priv_key, ec.EllipticCurvePrivateKey):

src/cryptojwt/jws/pss.py

@@ -14,10 +14,13 @@ class PSSSigner(Signer):
     def __init__(self, algorithm="SHA256"):
         if algorithm == "SHA256":
             self.hash_algorithm = hashes.SHA256
+            self.salt_length = 32
         elif algorithm == "SHA384":
             self.hash_algorithm = hashes.SHA384
+            self.salt_length = 48
         elif algorithm == "SHA512":
             self.hash_algorithm = hashes.SHA512
+            self.salt_length = 64
         else:
             raise Unsupported(f"algorithm: {algorithm}")
 
@@ -36,7 +39,7 @@ def sign(self, msg, key):
             digest,
             padding.PSS(
                 mgf=padding.MGF1(self.hash_algorithm()),
-                salt_length=padding.PSS.MAX_LENGTH,
+                salt_length=self.salt_length,
             ),
             utils.Prehashed(self.hash_algorithm()),
         )
@@ -48,7 +51,7 @@ def verify(self, msg, signature, key):
 
         :param msg: The message
         :param sig: A signature
-        :param key: A ec.EllipticCurvePublicKey to use for the verification.
+        :param key: A rsa._RSAPublicKey to use for the verification.
         :raises: BadSignature if the signature can't be verified.
         :return: True
         """
@@ -58,7 +61,7 @@ def verify(self, msg, signature, key):
                 msg,
                 padding.PSS(
                     mgf=padding.MGF1(self.hash_algorithm()),
-                    salt_length=padding.PSS.MAX_LENGTH,
+                    salt_length=self.salt_length,
                 ),
                 self.hash_algorithm(),
             )

src/cryptojwt/key_bundle.py

@@ -1134,23 +1134,24 @@ def sort_func(kd1, kd2):
 
 def order_key_defs(key_def):
     """
-    Sort a set of key definitions. A key definition that defines more then
-    one usage type are splitted into as many definitions as the number of
+    Sort a set of key definitions. A key definition that defines more than
+    one usage type are split into as many definitions as the number of
     usage types specified. One key definition per usage type.
 
-    :param key_def: A set of key definitions
+    :param key_def: A set of key definitions. List of dictionaries
     :return: The set of definitions as a sorted list
     """
     _int = []
     # First make sure all defs only reference one usage
     for _def in key_def:
-        if len(_def["use"]) > 1:
-            for _use in _def["use"]:
-                _kd = _def.copy()
-                _kd["use"] = _use
-                _int.append(_kd)
-        else:
-            _int.append(_def)
+        if isinstance(_def, dict):
+            if len(_def["use"]) > 1:
+                for _use in _def["use"]:
+                    _kd = _def.copy()
+                    _kd["use"] = _use
+                    _int.append(_kd)
+            else:
+                _int.append(_def)
 
     _int.sort(key=cmp_to_key(sort_func))
 

src/cryptojwt/key_jar.py

@@ -492,7 +492,9 @@ def _add_key(
                     if _add_keys[0] not in keys:
                         keys.append(_add_keys[0])
                 elif allow_missing_kid:
-                    keys.extend(_add_keys)
+                    for _key in _add_keys:
+                        if _key and _key not in keys:
+                            keys.append(_key)
                 elif no_kid_issuer:
                     try:
                         allowed_kids = no_kid_issuer[issuer_id]