search

latchset / jwcrypto

Implements JWK,JWS,JWE specifications using python-cryptography
GNU Lesser General Public License v3.0
432 stars 119 forks source link

Shouldn't `jwk.import_from_pyca` also provide a `kid` param and set it to `thumbprint()` by default? #332

Open matgnt opened 10 months ago

matgnt commented 10 months ago

When importing from a pem file (import_from_pem), the kid can be set or if not, it uses the thumbprint() by default. Especially when the jwk is added to a jwks afterwards - and potentially multiple keys are in the jwks, a kid would be required to identify the right key.

https://github.com/latchset/jwcrypto/blob/41fb08a00ad2a36a1d85bf77ad973b31144ef9f2/jwcrypto/jwk.py#L1012

Example workaround:

    pub_jwk.import_from_pyca(pub_key)
    pub_jwk['kid'] = pub_jwk.thumbprint()
    jwks = JWKSet()
    jwks.add(pub_jwk)
    jwks_export = jwks.export(private_keys=False, as_dict=True)

Anything I'm doing wrong here? Thanks, Matthias

simo5 commented 10 months ago

I do not understand what the question is. The code will set the thumbprint() as the 'kid' if an explicit kid is not provided to import_from_pem().

But in your example you are calling import_from_pyca() which is a different function ...

When importing from raw keys thre is no automatic setting of the 'kid' parameter.

Is this a feature request to add a kid=None parameter to import_from_pyca(), and automatically set kid to self.thumbprint() when kid is not explicitly provided?

matgnt commented 10 months ago

Is this a feature request to add a kid=None parameter to import_from_pyca(), and automatically set kid to self.thumbprint() when kid is not explicitly provided?

Yes, correct.

Because I used the pem import first, I was confused why I didn't see the kid in my JWKS exports when I changed code to import from pyca.