Merge pull request #22 from jschlyter/keyconv2

Improve key conversion tool

Author: rohe

src/cryptojwt/tools/keyconv.py

@@ -25,7 +25,7 @@ def jwk_from_file(filename: str, private: bool = True) -> JWK:
     return key_from_jwk_dict(jwk_dict, private=private)
 
 
-def pem2rsa(filename: str, kid: str = None, private: bool = False, passphrase: str = None) -> JWK:
+def pem2rsa(filename: str, kid: Optional[str] = None, private: bool = False, passphrase: Optional[str] = None) -> JWK:
     """Convert RSA key from PEM to JWK"""
     if private:
         key = import_private_rsa_key_from_file(filename, passphrase)
@@ -36,7 +36,7 @@ def pem2rsa(filename: str, kid: str = None, private: bool = False, passphrase: s
     return jwk
 
 
-def pem2ec(filename: str, kid: str = None, private: bool = False, passphrase: str = None) -> JWK:
+def pem2ec(filename: str, kid: Optional[str] = None, private: bool = False, passphrase: Optional[str] = None) -> JWK:
     """Convert EC key from PEM to JWK"""
     if private:
         key = import_private_key_from_file(filename, passphrase)
@@ -54,20 +54,35 @@ def bin2jwk(filename: str, kid: str) -> bytes:
     return SYMKey(kid=kid, key=content)
 
 
-def pem2jwk(filename: str, kid: str, private: bool = False) -> JWK:
+def pem2jwk(filename: str, kid: Optional[str] = None, kty: Optional[str] = None, private: bool = False, passphrase: Optional[str] = None) -> JWK:
     """Read PEM from filename and return JWK"""
     with open(filename, 'rt') as file:
         content = file.readlines()
     header = content[0]
 
     if private:
-        passphrase = getpass('Private key passphrase: ')
+        if passphrase is None:
+            passphrase = getpass('Private key passphrase: ')
         if len(passphrase) == 0:
             passphrase = None
     else:
         passphrase = None
 
-    if 'BEGIN EC PRIVATE KEY' in header:
+    if 'BEGIN PUBLIC KEY' in header:
+        if kty is not None and kty == 'EC':
+            jwk = pem2ec(filename, kid, private=False)
+        elif kty is not None and kty == 'RSA':
+            jwk = pem2rsa(filename, kid, private=False)
+        else:
+            raise ValueError("Unknown key type")
+    elif 'BEGIN PRIVATE KEY' in header:
+        if kty is not None and kty == 'EC':
+            jwk = pem2ec(filename, kid, private=True, passphrase=passphrase)
+        elif kty is not None and kty == 'RSA':
+            jwk = pem2rsa(filename, kid, private=True, passphrase=passphrase)
+        else:
+            raise ValueError("Unknown key type")
+    elif 'BEGIN EC PRIVATE KEY' in header:
         jwk = pem2ec(filename, kid, private=True, passphrase=passphrase)
     elif 'BEGIN EC PUBLIC KEY' in header:
         jwk = pem2ec(filename, kid, private=False)
@@ -81,18 +96,22 @@ def pem2jwk(filename: str, kid: str, private: bool = False) -> JWK:
     return jwk
 
 
-def export_jwk(jwk: JWK, private: bool = False) -> bytes:
+def export_jwk(jwk: JWK, private: bool = False, encrypt: bool = False, passphrase: Optional[str] = None) -> bytes:
     """Export JWK as PEM/bin"""
 
     if jwk.kty == 'oct':
         return jwk.key
 
     if private:
-        passphrase = getpass('Private key passphrase: ')
+        if encrypt:
+            if passphrase is None:
+                passphrase = getpass('Private key passphrase: ')
+        else:
+            passphrase = None
         if passphrase:
             enc = serialization.BestAvailableEncryption(passphrase.encode())
         else:
-            enc = serialization.NoEncryption
+            enc = serialization.NoEncryption()
         serialized = jwk.priv_key.private_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PrivateFormat.PKCS8,
@@ -134,10 +153,18 @@ def main():
                         dest='kid',
                         metavar='key_id',
                         help='Key ID')
+    parser.add_argument('--kty',
+                        dest='kty',
+                        metavar='type',
+                        help='Key type')
     parser.add_argument('--private',
                         dest='private',
                         action='store_true',
                         help="Output private key")
+    parser.add_argument('--encrypt',
+                        dest='encrypt',
+                        action='store_true',
+                        help="Encrypt private key")
     parser.add_argument('--output',
                         dest='output',
                         metavar='filename',
@@ -149,13 +176,13 @@ def main():
 
     if f.endswith('.json'):
         jwk = jwk_from_file(f, args.private)
-        serialized = export_jwk(jwk, args.private)
+        serialized = export_jwk(jwk, private=args.private, encrypt=args.encrypt)
         output_bytes(data=serialized, binary=(jwk.kty == 'oct'), filename=args.output)
     elif f.endswith('.bin'):
-        jwk = bin2jwk(f, args.kid)
+        jwk = bin2jwk(filename=f, kid=args.kid)
         output_jwk(jwk=jwk, private=True, filename=args.output)
     elif f.endswith('.pem'):
-        jwk = pem2jwk(f, args.kid, args.private)
+        jwk = pem2jwk(filename=f, kid=args.kid, private=args.private, kty=args.kty)
         output_jwk(jwk=jwk, private=args.private, filename=args.output)
     else:
         exit(-1)

tests/test_30_tools.py

@@ -0,0 +1,58 @@
+import uuid
+import os
+import pytest
+import json
+
+from cryptojwt.jwk import JWK
+from cryptojwt.jwk.rsa import import_private_rsa_key_from_file, import_public_rsa_key_from_file
+from cryptojwt.jwk.ec import import_private_key_from_file, import_public_key_from_file
+import cryptojwt.tools.keyconv as keyconv
+from cryptojwt.jwx import key_from_jwk_dict
+
+
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+
+import test_vector
+
+
+
+def jwk_from_file(filename: str, private: bool = True) -> JWK:
+    """Read JWK from file"""
+    with open(filename, mode='rt') as input_file:
+        jwk_dict = json.loads(input_file.read())
+    return key_from_jwk_dict(jwk_dict, private=private)
+
+
+def convert_rsa_pem2jwt(filename_jwk: str, filename_pem: str, private: bool):
+    k1 = jwk_from_file(filename=filename_jwk, private=private)
+    k2 = keyconv.pem2jwk(filename=filename_pem, kid=k1.kid, kty='RSA', private=private, passphrase='')
+    if k1 != k2:
+        raise Exception("Keys differ")
+
+def convert_ec_pem2jwt(filename_jwk: str, filename_pem: str, private: bool):
+    k1 = jwk_from_file(filename=filename_jwk, private=private)
+    k2 = keyconv.pem2jwk(filename=filename_pem, kid=k1.kid, kty='EC', private=private, passphrase='')
+    if k1 != k2:
+        raise Exception("Keys differ")
+
+def test_pem2rsa_public():
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-1024.json', BASEDIR+'/test_keys/rsa-1024-public.pem', private=False)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-1280.json', BASEDIR+'/test_keys/rsa-1280-public.pem', private=False)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-2048.json', BASEDIR+'/test_keys/rsa-2048-public.pem', private=False)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-3072.json', BASEDIR+'/test_keys/rsa-3072-public.pem', private=False)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-4096.json', BASEDIR+'/test_keys/rsa-4096-public.pem', private=False)
+
+def test_pem2rsa_private():
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-1024.json', BASEDIR+'/test_keys/rsa-1024-private.pem', private=True)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-1280.json', BASEDIR+'/test_keys/rsa-1280-private.pem', private=True)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-2048.json', BASEDIR+'/test_keys/rsa-2048-private.pem', private=True)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-3072.json', BASEDIR+'/test_keys/rsa-3072-private.pem', private=True)
+    convert_rsa_pem2jwt(BASEDIR+'/test_keys/rsa-4096.json', BASEDIR+'/test_keys/rsa-4096-private.pem', private=True)
+
+def test_pem2ec_public():
+    convert_ec_pem2jwt(BASEDIR+'/test_keys/ec-p256.json', BASEDIR+'/test_keys/ec-p256-public.pem', private=False)
+    convert_ec_pem2jwt(BASEDIR+'/test_keys/ec-p384.json', BASEDIR+'/test_keys/ec-p384-public.pem', private=False)
+
+def test_pem2ec_private():
+    convert_ec_pem2jwt(BASEDIR+'/test_keys/ec-p256.json', BASEDIR+'/test_keys/ec-p256-private.pem', private=True)
+    convert_ec_pem2jwt(BASEDIR+'/test_keys/ec-p384.json', BASEDIR+'/test_keys/ec-p384-private.pem', private=True)

tests/test_keys/ec-p256-private.pem

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrp4E4eaFhHonpP/U
+8QRaFDTvCGy8mQrSfQod+QxmViehRANCAAQE1WQ7bdvJIkUESD9hc3GUv1+QGt+A
+cKvuzxfjPRqqzLtvlU5nUKOM2rgLCMVP0hiu4wtgREKUYLybH1UPwEuv
+-----END PRIVATE KEY-----
+

tests/test_keys/ec-p256-public.pem

@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBNVkO23bySJFBEg/YXNxlL9fkBrf
+gHCr7s8X4z0aqsy7b5VOZ1CjjNq4CwjFT9IYruMLYERClGC8mx9VD8BLrw==
+-----END PUBLIC KEY-----
+

tests/test_keys/ec-p256.json

@@ -0,0 +1,8 @@
+{
+    "crv": "P-256",
+    "d": "rp4E4eaFhHonpP_U8QRaFDTvCGy8mQrSfQod-QxmVic",
+    "kid": "dHNuMWxLYnlrSjgxMk8wdVEwWVd3Z1o1UUNsbnNTVkZxcDdDUzFUaXhWTQ",
+    "kty": "EC",
+    "x": "BNVkO23bySJFBEg_YXNxlL9fkBrfgHCr7s8X4z0aqsw",
+    "y": "u2-VTmdQo4zauAsIxU_SGK7jC2BEQpRgvJsfVQ_AS68"
+}

tests/test_keys/ec-p384-private.pem

@@ -0,0 +1,7 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCUwKlpiMoGAPaoSfl5
+iVTFrhF1hVzR57YiMld16H7HcMzv6HNF/nHkiaITetKxCaKhZANiAATpTb3pcZ+C
+E9WYGiBho6391NUd5wx15qhGTWT0/2hl2DEvfxHEN/rXJUbG+mzCpvDSvz5IfDDF
+ryLtXb3fgSYxGA8VLPC24wT0PImF5L7u3Z4vjSmO38qkrIwBMkUKyTU=
+-----END PRIVATE KEY-----
+

tests/test_keys/ec-p384-public.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE6U296XGfghPVmBogYaOt/dTVHecMdeao
+Rk1k9P9oZdgxL38RxDf61yVGxvpswqbw0r8+SHwwxa8i7V2934EmMRgPFSzwtuME
+9DyJheS+7t2eL40pjt/KpKyMATJFCsk1
+-----END PUBLIC KEY-----
+

tests/test_keys/ec-p384.json

@@ -0,0 +1,8 @@
+{
+    "crv": "P-384",
+    "d": "lMCpaYjKBgD2qEn5eYlUxa4RdYVc0ee2IjJXdeh-x3DM7-hzRf5x5ImiE3rSsQmi",
+    "kid": "UDdTWUdvVFZhR0RNVXFUV1pDWEJqT1pwN1BGSnpQSC1LNUMtNE5CUjBhaw",
+    "kty": "EC",
+    "x": "6U296XGfghPVmBogYaOt_dTVHecMdeaoRk1k9P9oZdgxL38RxDf61yVGxvpswqbw",
+    "y": "0r8-SHwwxa8i7V2934EmMRgPFSzwtuME9DyJheS-7t2eL40pjt_KpKyMATJFCsk1"
+}

tests/test_keys/rsa-1024-private.pem

@@ -0,0 +1,17 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAN8MXPfNgdWPVofE
+OvRbhumygi+ttUEZ/Y+Ts/CIoB6neeSjQJZ2zgxQhGWKgKKKATopKPZ4TFK00AUN
+/eNyM59ikRWRpSzIabByUpfEA81EyvoYAl4qVsmpOzl5h3m2kGN15bauOQP9bpHv
+vOn4S25TiNj/NHZhZ6oHoZ1Od24rAgMBAAECgYEA0wOOPH12lETL9xuFLsIcS6Eu
+ms66yIE/KgLxW+DVosqMfeqYYwC4hFv0NWAnvB3VdWGVOD+s7R3UIsQO6ouTGzTT
+Jgye2gg9YbZbB2+STV9cbeUwTCI4ILzsTp8LVHpZTmAXWvp+ui4S+mL78rT3O+pV
+T1BQBwPMqvGOyoBuOTECQQD7xr1Lieex4a0Wi3WeW3ck1GCtIEU0MgIeZLTwc1Y+
+rhem0IQsx4axnV7His+iGikQm20i2EX9AOg2dFRRbJpjAkEA4spAGHgvd+cqUxus
+wQX7SfwNdrMSRko5qJIJXOL0zuUBgJ33APSLTWw2MSRND7cj7yh1b/o8eWkvnRZD
+AkADmQJBAMz29ZNRKPV+qtH3pkDMZSnuWuWVp8DeFSt5AHPe8Q8F2utKRM/Pfq+J
+VWdMccudUGDcpvP+7LsSyffKq/m9V9ECQE6xBtR2v2HHYDQ+Ig9H2A2v26wYLnsd
+Pixzn7QPPAqeA4txREeckslmhtc+VU7iqSFO1JDqLxmhmdfT5aReOeECQGKfe9gJ
+oiTy02VzeMQ/2FSdkHG7ZjZYl1+rwA1Y+2eKstg88xpk456ePp4PBJ5MQLEQKvyq
+wXuCdEjuK8ipOaQ=
+-----END PRIVATE KEY-----
+

tests/test_keys/rsa-1024-public.pem

@@ -0,0 +1,7 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfDFz3zYHVj1aHxDr0W4bpsoIv
+rbVBGf2Pk7PwiKAep3nko0CWds4MUIRlioCiigE6KSj2eExStNAFDf3jcjOfYpEV
+kaUsyGmwclKXxAPNRMr6GAJeKlbJqTs5eYd5tpBjdeW2rjkD/W6R77zp+EtuU4jY
+/zR2YWeqB6GdTnduKwIDAQAB
+-----END PUBLIC KEY-----
+