| 1 | +import json |
| 2 | +import uuid |
| 3 | + |
| 4 | +from jwcrypto import jwe, jwk, jwt |
| 5 | +from jwcrypto.common import json_decode, json_encode |
| 6 | +from jwcrypto.jws import InvalidJWSSignature |
| 7 | + |
| 8 | +from odoo import fields, models |
| 9 | + |
| 10 | + |
| 11 | +class JWCryptoEncryptionProvider(models.Model): |
| 12 | + _inherit = "g2p.encryption.provider" |
| 13 | + |
| 14 | + type = fields.Selection(selection_add=[("jwcrypto", "JWCrypto")]) |
| 15 | + |
| 16 | + jwcrypto_key = fields.Char(help="JWK key in JSON format for encryption, decryption, signing, and verification") |
| 17 | + |
| 18 | + def _get_jwk_key(self): |
| 19 | + self.ensure_one() |
| 20 | + if not self.jwcrypto_key: |
| 21 | + raise ValueError("JWCrypto key is not set.") |
| 22 | + return jwk.JWK.from_json(self.jwcrypto_key) |
| 23 | + |
| 24 | + def encrypt_data_jwcrypto(self, data: bytes, **kwargs) -> bytes: |
| 25 | + self.ensure_one() |
| 26 | + key = self._get_jwk_key() |
| 27 | + enc = jwe.JWE(data, json_encode({"alg": "RSA-OAEP", "enc": "A256GCM"})) |
| 28 | + enc.add_recipient(key) |
| 29 | + return enc.serialize(compact=True).encode("utf-8") |
| 30 | + |
| 31 | + def decrypt_data_jwcrypto(self, data: bytes, **kwargs) -> bytes: |
| 32 | + self.ensure_one() |
| 33 | + key = self._get_jwk_key() |
| 34 | + enc = jwe.JWE() |
| 35 | + enc.deserialize(data.decode("utf-8"), key=key) |
| 36 | + return enc.payload |
| 37 | + |
| 38 | + def jwt_sign_jwcrypto(self, data, **kwargs) -> str: |
| 39 | + self.ensure_one() |
| 40 | + key = self._get_jwk_key() |
| 41 | + token = jwt.JWT(header={"alg": "RS256"}, claims=data) |
| 42 | + token.make_signed_token(key) |
| 43 | + return token.serialize() |
| 44 | + |
| 45 | + def jwt_verify_jwcrypto(self, token: str, **kwargs): |
| 46 | + self.ensure_one() |
| 47 | + key = self._get_jwk_key() |
| 48 | + try: |
| 49 | + received_jwt = jwt.JWT(key=key, jwt=token) |
| 50 | + verified = True |
| 51 | + except InvalidJWSSignature: |
| 52 | + received_jwt = None |
| 53 | + verified = False |
| 54 | + return verified, received_jwt |
| 55 | + |
| 56 | + def get_jwks_jwcrypto(self, **kwargs): |
| 57 | + self.ensure_one() |
| 58 | + key = self._get_jwk_key() |
| 59 | + public_key = key.export_public() |
| 60 | + jwks = {"keys": [json_decode(public_key)]} |
| 61 | + return jwks |
| 62 | + |
| 63 | + def generate_and_store_jwcrypto_key(self, key_type="RSA", size=2048): |
| 64 | + """ |
| 65 | + Generates a new JWK (JSON Web Key) for the current record and stores it in the `jwcrypto_key` field. |
| 66 | + :param key_type: The type of key to generate, e.g., 'RSA'. |
| 67 | + :param size: The size of the key (applies to RSA keys). |
| 68 | + :return: None |
| 69 | + """ |
| 70 | + if key_type != "RSA": |
| 71 | + raise ValueError("Unsupported key type. Currently, only 'RSA' is supported.") |
| 72 | + |
| 73 | + key = jwk.JWK.generate(kty=key_type, size=size) |
| 74 | + |
| 75 | + kid = str(uuid.uuid4()) |
| 76 | + |
| 77 | + key_export = key.export() |
| 78 | + |
| 79 | + export_data = json.loads(key_export) |
| 80 | + export_data["kid"] = kid |
| 81 | + |
| 82 | + key_export = json.dumps(export_data) |
| 83 | + |
| 84 | + # Assuming this method is called on a specific record, not on the model class itself |
| 85 | + self.jwcrypto_key = key_export |
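Review bot: `jwt_verify_jwcrypto` does not constrain which signature algorithm it accepts: `jwt.JWT(key=key, jwt=token)` on line 49 verifies against jwcrypto's default algorithm list, while the signer on line 41 only ever emits RS256, so the verifier should pin it with `received_jwt = jwt.JWT(key=key, jwt=token, algs=["RS256"])`; the same applies to `decrypt_data_jwcrypto` on line 34, where `jwe.JWE(algs=["RSA-OAEP", "A256GCM"])` restricts what a received JWE may request. The `except` on line 51 only catches `InvalidJWSSignature`, so a malformed or expired token raises other jwcrypto or `ValueError` exceptions that escape the `(verified, received_jwt)` return contract — either state that in a docstring or catch the library's broader exception types and keep failing closed. In `generate_and_store_jwcrypto_key`, the `kid` round-trip through `json.loads`/`json.dumps` on lines 77-82 can be replaced by passing it at generation, `key = jwk.JWK.generate(kty=key_type, size=size, kid=str(uuid.uuid4()))`, and the "Assuming this method is called on a specific record" comment on line 84 should become a `self.ensure_one()` call like every other method in the class. Note also that `key.export()` on line 77 writes the full private key into the plain `jwcrypto_key` Char field; a header comment documenting that this field holds private material and relies on database-level protection would help the next maintainer.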