Added methods that will tell you if a key is public/private.

Symmetric keys are both/neither.

Author: rohe

src/cryptojwt/jwk.py

@@ -129,7 +129,7 @@ def der_cert(der_data):
     """
     Load a DER encoded certificate
 
-    @param der: DER-encoded certificate
+    @param der_data: DER-encoded certificate
     @return: RSA instance
     """
     if isinstance(der_data, str):
@@ -496,6 +496,16 @@ def add_kid(self):
         """
         self.kid = b64e(self.thumbprint('SHA-256')).decode('utf8')
 
+    def is_private_key(self):
+        for p in self.members:
+            if p not in self.public_members:
+                if getattr(self, p):
+                    return True
+        return False
+
+    def is_public_key(self):
+        return not self.is_private_key()
+
 
 def deser(val):
     """
@@ -570,13 +580,13 @@ class RSAKey(Key):
 
     Parameters according to https://tools.ietf.org/html/rfc7518#section-6.3
     """
-    members = Key.members
+    members = Key.members[:]
     # These are the RSA key specific parameters, they are always supposed to
     # be strings or bytes
     members.extend(["n", "e", "d", "p", "q"])
     # The parameters that represent long ints in the key instances
     longs = ["n", "e", "d", "p", "q", "dp", "dq", "di", "qi"]
-    public_members = Key.public_members
+    public_members = Key.public_members[:]
     # the public members of the key
     public_members.extend(["n", "e"])
     required = ['kty', 'n', 'e']
@@ -813,11 +823,12 @@ class ECKey(Key):
 
     Parameters according to https://tools.ietf.org/html/rfc7518#section-6.2
     """
-    members = Key.members
+    members = Key.members[:]
     # The elliptic curve specific attributes
     members.extend(["crv", "x", "y", "d"])
     longs = ['x', 'y', 'd']
-    public_members = ["kty", "alg", "use", "kid", "crv", "x", "y"]
+    public_members = Key.public_members[:]
+    public_members.extend(["kty", "alg", "use", "kid", "crv", "x", "y"])
     required = ['crv', 'key', 'x', 'y']
 
     def __init__(self, kty="EC", alg="", use="", kid="", key=None,
@@ -992,8 +1003,9 @@ class SYMKey(Key):
         }
 
     """
-    members = ["kty", "alg", "use", "kid", "k"]
-    public_members = members[:]
+    members = Key.members[:]
+    members.extend(["kty", "alg", "use", "kid", "k"])
+    public_members = Key.public_members[:]
     required = ['k', 'kty']
 
     def __init__(self, kty="oct", alg="", use="", kid="", key=None,
@@ -1046,6 +1058,12 @@ def encryption_key(self, alg, **kwargs):
 
         return _enc_key
 
+    def is_private_key(self):
+        return True
+
+    def is_public_key(self):
+        return True
+
 
 # -----------------------------------------------------------------------------
 
@@ -1181,7 +1199,7 @@ def __getitem__(self, item):
         """
         Get all keys of a specific key type
 
-        :param kty: Key type
+        :param item: Key type
         :return: list of keys
         """
         kty = item.lower()

src/cryptojwt/jws.py

@@ -39,7 +39,7 @@
 from cryptojwt.exception import UnSupported
 from cryptojwt.exception import WrongNumberOfParts
 
-from cryptojwt.jwk import load_x509_cert
+from cryptojwt.jwk import load_x509_cert, SYMKey
 from cryptojwt.jwk import KEYS
 from cryptojwt.jwk import sha256_digest
 from cryptojwt.jwk import sha384_digest
@@ -156,9 +156,12 @@ def verify(self, msg, signature, key):
                        self.hash_algorithm())
         except InvalidSignature as err:
             raise BadSignature(str(err))
+        except AttributeError:  # If private key
+            return False
         else:
             return True
 
+
 class DSASigner(Signer):
     def __init__(self, algorithm='SHA256'):
         if algorithm == 'SHA256':
@@ -595,6 +598,11 @@ def verify_compact_verbose(self, jws, keys=None, allow_none=False,
         verifier = SIGNER_ALGS[_alg]
 
         for key in _keys:
+            # Can not use asymmetric private key for verifying
+            if not isinstance(key, SYMKey):
+                if key.is_private_key():
+                    continue
+
             try:
                 verifier.verify(jwt.sign_input(), jwt.signature(),
                                 key.get_key(alg=_alg, private=False))

tests/test_2_jwk.py

@@ -97,6 +97,8 @@ def test_kspec():
     assert jwk["e"] == JWK["keys"][0]["e"]
     assert jwk["n"] == JWK["keys"][0]["n"]
 
+    assert not _key.is_private_key()
+
 
 def test_loads_0():
     keys = KEYS()
@@ -198,6 +200,8 @@ def test_serialize_rsa_priv_key():
     restored_key = RSAKey(**d_rsakey)
 
     assert restored_key == rsakey
+    assert rsakey.is_private_key()
+    assert restored_key.is_private_key()
 
 
 ECKEY = {