mv JWK-canonicalization util.security.fingerprint

This commit is contained in:
Jimmy Zelinskie 2016-04-12 13:36:17 -04:00 committed by Jimmy Zelinskie
parent 4020ab9f55
commit 6577ac3e62
3 changed files with 37 additions and 18 deletions

View file

@ -1,8 +1,5 @@
import json
from calendar import timegm from calendar import timegm
from datetime import datetime, timedelta from datetime import datetime, timedelta
from hashlib import sha256
from peewee import JOIN_LEFT_OUTER from peewee import JOIN_LEFT_OUTER
from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA
@ -11,7 +8,7 @@ from jwkest.jwk import RSAKey
from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval
from data.model import ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, db_transaction, config from data.model import ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, db_transaction, config
from data.model.notification import create_notification, delete_all_notifications_by_path_prefix from data.model.notification import create_notification, delete_all_notifications_by_path_prefix
from util import canonicalize from util.security.fingerprint import canonical_kid
def _expired_keys_clause(service): def _expired_keys_clause(service):
@ -64,7 +61,7 @@ def generate_service_key(service, expiration_date, kid=None, name='', metadata=N
private_key = RSA.generate(2048) private_key = RSA.generate(2048)
jwk = RSAKey(key=private_key.publickey()).serialize() jwk = RSAKey(key=private_key.publickey()).serialize()
if kid is None: if kid is None:
kid = sha256(json.dumps(canonicalize(jwk), separators=(',', ':'))).hexdigest() kid = canonical_kid(jwk)
key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date) key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date)
return (private_key, key) return (private_key, key)

View file

@ -1,6 +1,3 @@
import collections
def get_app_url(config): def get_app_url(config):
""" Returns the application's URL, based on the given config. """ """ Returns the application's URL, based on the given config. """
return '%s://%s' % (config['PREFERRED_URL_SCHEME'], config['SERVER_HOSTNAME']) return '%s://%s' % (config['PREFERRED_URL_SCHEME'], config['SERVER_HOSTNAME'])
@ -19,13 +16,3 @@ def slash_join(*args):
args = [rmslash(path) for path in args] args = [rmslash(path) for path in args]
return '/'.join(args) return '/'.join(args)
def canonicalize(json_obj):
""" Returns a JSON object sorted by key. """
if isinstance(json_obj, collections.MutableMapping):
sorted_obj = sorted({key: canonicalize(val) for key, val in json_obj.items()}.items())
return collections.OrderedDict(sorted_obj)
elif isinstance(json_obj, (list, tuple)):
return [canonicalize(val) for val in json_obj]
return json_obj

View file

@ -0,0 +1,35 @@
import collections
import json
from hashlib import sha256
def canonicalize(json_obj):
"""This function canonicalizes a Python object that will be serialized as JSON.
Args:
json_obj (object): the Python object that will later be serialized as JSON.
Returns:
object: json_obj now sorted to its canonical form.
"""
if isinstance(json_obj, collections.MutableMapping):
sorted_obj = sorted({key: canonicalize(val) for key, val in json_obj.items()}.items())
return collections.OrderedDict(sorted_obj)
elif isinstance(json_obj, (list, tuple)):
return [canonicalize(val) for val in json_obj]
return json_obj
def canonical_kid(jwk):
"""This function returns the SHA256 hash of a canonical JWK.
Args:
jwk (object): the JWK for which a kid will be generated.
Returns:
string: the unique kid for the given JWK.
"""
return sha256(json.dumps(canonicalize(jwk), separators=(',', ':'))).hexdigest()