Refactor Key into jose.backends.base to make it importable into backends. Use pycrypto backend by default for RSA. Add to_pem and public_key to EC and RSA keys in order to abstract away backend key implementations and be able to convert between keys. Move base64_to_long and int_arr_to_long to jose.utils to be importable by backends.

Gasper Zejn · Gasper Zejn · commit fbd122d6002c · 2017-04-13T17:32:34.000+02:00
diff --git a/jose/backends/__init__.py b/jose/backends/__init__.py
@@ -0,0 +1,5 @@
+
+try:
+    from .pycrypto_backend import RSAKey
+except ImportError:
+    from .cryptography_backend import CryptographyRSAKey as RSAKey
diff --git a/jose/backends/base.py b/jose/backends/base.py
@@ -0,0 +1,18 @@
+class Key(object):
+    """
+    A simple interface for implementing JWK keys.
+    """
+    def __init__(self, key, algorithm):
+        pass
+
+    def sign(self, msg):
+        raise NotImplementedError()
+
+    def verify(self, msg, sig):
+        raise NotImplementedError()
+
+    def public_key(self):
+        raise NotImplementedError()
+
+    def to_pem(self):
+        raise NotImplementedError()
diff --git a/jose/backends/cryptography_backend.py b/jose/backends/cryptography_backend.py
@@ -2,14 +2,14 @@
 import ecdsa
 from ecdsa.util import sigdecode_string, sigencode_string, sigdecode_der, sigencode_der
 
-from jose.jwk import Key, base64_to_long
+from jose.backends.base import Key
+from jose.utils import base64_to_long
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.backends.openssl.rsa import _RSAPublicKey
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, rsa, padding
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
 
@@ -34,10 +34,15 @@ def __init__(self, key, algorithm, cryptography_backend=default_backend):
             ALGORITHMS.ES384: self.SHA384,
             ALGORITHMS.ES512: self.SHA512
         }.get(algorithm)
+        self._algorithm = algorithm
 
         self.curve = self.CURVE_MAP.get(self.hash_alg)
         self.cryptography_backend = cryptography_backend
 
+        if hasattr(key, 'public_bytes') or hasattr(key, 'private_bytes'):
+            self.prepared_key = key
+            return
+
         if isinstance(key, (ecdsa.SigningKey, ecdsa.VerifyingKey)):
             # convert to PEM and let cryptography below load it as PEM
             key = key.to_pem().decode('utf-8')
@@ -93,6 +98,25 @@ def verify(self, msg, sig):
         except:
             return False
 
+    def public_key(self):
+        if hasattr(self.prepared_key, 'public_bytes'):
+            return self
+        return self.__class__(self.prepared_key.public_key(), self._algorithm)
+
+    def to_pem(self):
+        if hasattr(self.prepared_key, 'public_bytes'):
+            pem = self.prepared_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo
+            )
+            return pem.decode('utf-8')
+        pem = self.prepared_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+        return pem.decode('utf-8')
+
 
 class CryptographyRSAKey(Key):
     SHA256 = hashes.SHA256
@@ -108,10 +132,12 @@ def __init__(self, key, algorithm, cryptography_backend=default_backend):
             ALGORITHMS.RS384: self.SHA384,
             ALGORITHMS.RS512: self.SHA512
         }.get(algorithm)
+        self._algorithm = algorithm
 
         self.cryptography_backend = cryptography_backend
 
-        if isinstance(key, _RSAPublicKey):
+        # if it conforms to RSAPublicKey interface
+        if hasattr(key, 'public_bytes') and hasattr(key, 'public_numbers'):
             self.prepared_key = key
             return
 
@@ -166,3 +192,21 @@ def verify(self, msg, sig):
             return True
         except InvalidSignature:
             return False
+
+    def public_key(self):
+        if hasattr(self.prepared_key, 'public_bytes'):
+            return self
+        return self.__class__(self.prepared_key.public_key(), self._algorithm)
+
+    def to_pem(self):
+        if hasattr(self.prepared_key, 'public_bytes'):
+            return self.prepared_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo
+            ).decode('utf-8')
+
+        return self.prepared_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        ).decode('utf-8')
diff --git a/jose/backends/pycrypto_backend.py b/jose/backends/pycrypto_backend.py
@@ -8,7 +8,8 @@
 from Crypto.Signature import PKCS1_v1_5
 from Crypto.Util.asn1 import DerSequence
 
-from jose.jwk import Key, base64_to_long
+from jose.backends.base import Key
+from jose.jwk import base64_to_long
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
 from jose.utils import base64url_decode
@@ -43,6 +44,7 @@ def __init__(self, key, algorithm):
             ALGORITHMS.RS384: self.SHA384,
             ALGORITHMS.RS512: self.SHA512
         }.get(algorithm)
+        self._algorithm = algorithm
 
         if isinstance(key, _RSAKey):
             self.prepared_key = key
@@ -102,3 +104,11 @@ def verify(self, msg, sig):
             return PKCS1_v1_5.new(self.prepared_key).verify(self.hash_alg.new(msg), sig)
         except Exception as e:
             return False
+
+    def public_key(self):
+        if not self.prepared_key.key.has_private():
+            return self
+        return self.__class__(self.prepared_key.publickey(), self._algorithm)
+
+    def to_pem(self):
+        return self.prepared_key.exportKey('PEM')
diff --git a/jose/jwk.py b/jose/jwk.py
@@ -1,35 +1,16 @@
 
-import base64
 import hashlib
 import hmac
-import struct
 import six
-import sys
 
 import ecdsa
 
 from jose.constants import ALGORITHMS
 from jose.exceptions import JWKError
-from jose.utils import base64url_decode
+from jose.utils import base64url_decode, base64_to_long
 from jose.utils import constant_time_string_compare
-
-# Deal with integer compatibilities between Python 2 and 3.
-# Using `from builtins import int` is not supported on AppEngine.
-if sys.version_info > (3,):
-    long = int
-
-
-def int_arr_to_long(arr):
-    return long(''.join(["%02x" % byte for byte in arr]), 16)
-
-
-def base64_to_long(data):
-    if isinstance(data, six.text_type):
-        data = data.encode("ascii")
-
-    # urlsafe_b64decode will happily convert b64encoded data
-    _d = base64.urlsafe_b64decode(bytes(data) + b'==')
-    return int_arr_to_long(struct.unpack('%sB' % len(_d), _d))
+from jose.backends.base import Key
+from jose.backends import RSAKey
 
 
 def get_key(algorithm):
@@ -88,20 +69,6 @@ def get_algorithm_object(algorithm):
     return getattr(key, attr)
 
 
-class Key(object):
-    """
-    A simple interface for implementing JWK keys.
-    """
-    def __init__(self, key, algorithm):
-        pass
-
-    def sign(self, msg):
-        raise NotImplementedError()
-
-    def verify(self, msg, sig):
-        raise NotImplementedError()
-
-
 class HMACKey(Key):
     """
     Performs signing and verification operations using HMAC
@@ -180,6 +147,7 @@ def __init__(self, key, algorithm):
         if algorithm not in ALGORITHMS.EC:
             raise JWKError('hash_alg: %s is not a valid hash algorithm' % algorithm)
         self.hash_alg = get_algorithm_object(algorithm)
+        self._algorithm = algorithm
 
         self.curve = self.CURVE_MAP.get(self.hash_alg)
 
@@ -234,8 +202,10 @@ def verify(self, msg, sig):
         except:
             return False
 
+    def public_key(self):
+        if isinstance(self.prepared_key, ecdsa.VerifyingKey):
+            return self
+        return self.__class__(self.prepared_key.get_verifying_key(), self._algorithm)
 
-from jose.backends.pycrypto_backend import RSAKey
-#ALGORITHMS.register_key('RS256', RSAKey)
-#ALGORITHMS.register_key('RS384', RSAKey)
-#ALGORITHMS.register_key('RS512', RSAKey)
+    def to_pem(self):
+        return self.prepared_key.to_pem()
diff --git a/jose/utils.py b/jose/utils.py
@@ -1,6 +1,27 @@
 
 import base64
 import hmac
+import six
+import struct
+import sys
+
+# Deal with integer compatibilities between Python 2 and 3.
+# Using `from builtins import int` is not supported on AppEngine.
+if sys.version_info > (3,):
+    long = int
+
+
+def int_arr_to_long(arr):
+    return long(''.join(["%02x" % byte for byte in arr]), 16)
+
+
+def base64_to_long(data):
+    if isinstance(data, six.text_type):
+        data = data.encode("ascii")
+
+    # urlsafe_b64decode will happily convert b64encoded data
+    _d = base64.urlsafe_b64decode(bytes(data) + b'==')
+    return int_arr_to_long(struct.unpack('%sB' % len(_d), _d))
 
 
 def calculate_at_hash(access_token, hash_alg):
@@ -83,3 +104,5 @@ def constant_time_string_compare(a, b):
             result |= ord(x) ^ ord(y)
 
         return result == 0
+
+
diff --git a/tests/algorithms/test_RSA.py b/tests/algorithms/test_RSA.py
@@ -106,7 +106,9 @@ def test_RSA_key_instance(self):
             long(26057131595212989515105618545799160306093557851986992545257129318694524535510983041068168825614868056510242030438003863929818932202262132630250203397069801217463517914103389095129323580576852108653940669240896817348477800490303630912852266209307160550655497615975529276169196271699168537716821419779900117025818140018436554173242441334827711966499484119233207097432165756707507563413323850255548329534279691658369466534587631102538061857114141268972476680597988266772849780811214198186940677291891818952682545840788356616771009013059992237747149380197028452160324144544057074406611859615973035412993832273216732343819),
             ).public_key(default_backend())
 
-        CryptographyRSAKey(key, ALGORITHMS.RS256)
+        pubkey = CryptographyRSAKey(key, ALGORITHMS.RS256)
+        pem = pubkey.to_pem()
+        assert pem.startswith('-----BEGIN PUBLIC KEY-----')
 
     def test_RSA_jwk(self):
         d = {
@@ -133,7 +135,7 @@ def test_bad_cert(self):
 
     def test_signing_parity(self):
         key1 = RSAKey(private_key, ALGORITHMS.RS256)
-        public_key = key1.prepared_key.publickey().exportKey().decode('utf-8')
+        public_key = key1.public_key().to_pem().decode('utf-8')
         vkey1 = RSAKey(public_key, ALGORITHMS.RS256)
         key2 = CryptographyRSAKey(private_key, ALGORITHMS.RS256)
         vkey2 = CryptographyRSAKey(public_key, ALGORITHMS.RS256)
diff --git a/tests/algorithms/test_cryptography_EC.py b/tests/algorithms/test_cryptography_EC.py
@@ -18,7 +18,13 @@ class TestCryptographyECAlgorithm:
 
     def test_EC_key(self):
         key = ecdsa.SigningKey.from_pem(private_key)
-        CryptographyECKey(key, ALGORITHMS.ES256)
+        k = CryptographyECKey(key, ALGORITHMS.ES256)
+
+        print(repr(k.to_pem().strip()))
+        print(repr(private_key.strip()))
+        assert k.to_pem().strip() == private_key.strip()
+        public_pem = k.public_key().to_pem()
+        public_key = CryptographyECKey(public_pem, ALGORITHMS.ES256)
 
     def test_string_secret(self):
         key = 'secret'
