keyserver: add generate key function

The superuser API, initdb, and tests will all need this functionality.

data/model/service_keys.py

@@ -1,10 +1,18 @@
+import json
+
 from calendar import timegm
 from datetime import datetime, timedelta
+from hashlib import sha256
 from peewee import JOIN_LEFT_OUTER
 
+from Crypto.PublicKey import RSA
+from jwkest.jwk import RSAKey
+
 from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval
 from data.model import ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, db_transaction, config
 from data.model.notification import create_notification, delete_all_notifications_by_path_prefix
+from util import canonicalize
+
 
 def _expired_keys_clause(service):
   return ((ServiceKey.service == service) &
@@ -49,6 +57,18 @@ def create_service_key(name, kid, service, jwk, metadata, expiration_date):
   _notify_superusers(key)
   _gc_expired(service)
 
+  return key
+
+
+def generate_service_key(service, expiration_date, kid=None, name='', metadata=None):
+  private_key = RSA.generate(2048)
+  jwk = RSAKey(key=private_key.publickey()).serialize()
+  if kid is None:
+    kid = sha256(json.dumps(canonicalize(jwk), separators=(',', ':'))).hexdigest()
+
+  key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date)
+  return (private_key, key)
+
 
 def replace_service_key(old_kid, kid, jwk, metadata, expiration_date):
   try: