feat: new unit test + fixes

Author: Zicchio

pyeudiw/jwk/parse.py

@@ -1,4 +1,3 @@
-import base64
 from cryptojwt.jwk.ec import import_ec_key, ECKey
 from cryptojwt.jwk.rsa import RSAKey, import_rsa_key
 from ssl import DER_cert_to_PEM_cert
@@ -7,6 +6,8 @@
 from pyeudiw.jwk.exceptions import InvalidJwk
 from typing import Optional
 
+from pyeudiw.x509.verify import B64DER_cert_to_DER_cert
+
 def _parse_rsa_key(pem: str) -> Optional[JWK]:
     try:
         public_key = import_rsa_key(pem)
@@ -71,7 +72,7 @@ def parse_b64der(b64der: str) -> JWK:
     """
     Parse a (public) key from a Base64 encoded DER certificate.
     """
-    der = base64.b64decode(b64der)
+    der = B64DER_cert_to_DER_cert(b64der)
     return parse_certificate(der)
 
 

pyeudiw/satosa/default/request_handler.py

@@ -71,7 +71,11 @@ def request_endpoint(self, context: Context, *args) -> Response:
         trust_params = self.trust_evaluator.get_jwt_header_trust_parameters(issuer=self.client_id)
         _protected_jwt_headers.update(trust_params)
 
-        helper = JWSHelper(self.config["metadata_jwks"])
+        if ("x5c" in _protected_jwt_headers) or ("kid" in _protected_jwt_headers):
+            # let helper decide which key best fit the given header, otherise use default hich is the first confgiured key
+            helper = JWSHelper(self.config["metadata_jwks"])
+        else:
+            helper = JWSHelper(self.default_metadata_private_jwk)
 
         try:
             request_object_jwt = helper.sign(

pyeudiw/tests/jwt/test_sign_verify.py

@@ -1,8 +1,12 @@
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptojwt.jwk.ec import ECKey
 import pytest
 
 from pyeudiw.jwt.jws_helper import DEFAULT_TOKEN_TIME_TOLERANCE, JWSHelper
 from pyeudiw.jwt.utils import decode_jwt_header
+import pyeudiw.tests.x509.test_x509 as test_x509
 from pyeudiw.tools.utils import iat_now
+from pyeudiw.x509.verify import DER_cert_to_B64DER_cert
 
 
 class TestJWSHeperSelectSigningKey:
@@ -49,6 +53,19 @@ def test_JWSHelper_select_signing_key_infer_kid(self, sign_jwks):
         k = signer._select_signing_key(({"kid": exp_k["kid"]}, {}))
         assert k == exp_k
 
+    def test_JWSHelper_select_signing_key_infer_kid(self, sign_jwks: list[dict]):
+        new_private_ec_key = ec.generate_private_key(ec.SECP256R1())
+        x509_der_chain = test_x509.gen_chain(leaf_private_key=new_private_ec_key)
+        x5c = [DER_cert_to_B64DER_cert(der) for der in x509_der_chain]
+        new_ec_jwk = ECKey()
+        new_ec_jwk.load_key(new_private_ec_key)
+        exp_key: dict = new_ec_jwk.serialize(private=True)
+        sign_jwks.append(exp_key)
+
+        signer = JWSHelper(sign_jwks)
+        obt_key = signer._select_signing_key(({"x5c": x5c}, {}))
+        assert exp_key == obt_key
+
     def test_JWSHelper_select_signing_key_unique(self, sign_jwks):
         signer = JWSHelper(sign_jwks[0])
         exp_k = sign_jwks[0]

pyeudiw/x509/verify.py

@@ -95,6 +95,13 @@ def verify_x509_attestation_chain(x5c: list[bytes]) -> bool:
     return _verify_x509_certificate_chain(pems)
 
 
+def DER_cert_to_B64DER_cert(cert: bytes) -> str:
+    """
+    Encode in Base64 a DER certificate.
+    """
+    return base64.b64encode(cert).decode()
+
+
 def PEM_cert_to_B64DER_cert(cert: str) -> str:
     """
     Takes a certificate in ANSII PEM format and returns the base64