From 7e1b7ff7ae0d6f8b187b1ff19e5a94c04cb72bfd Mon Sep 17 00:00:00 2001
From: Jakub Warmuz <jakub@warmuz.org>
Date: Tue, 6 Oct 2015 20:56:03 +0000
Subject: [PATCH 1/3] Add naive JWK Thumbprint implementation

---
 acme/acme/jose/jwk.py      | 31 +++++++++++++++++++++++++++++++
 acme/acme/jose/jwk_test.py | 23 +++++++++++++++++++++--
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/acme/acme/jose/jwk.py b/acme/acme/jose/jwk.py
index 7a976f189..2b8fa0a34 100644
--- a/acme/acme/jose/jwk.py
+++ b/acme/acme/jose/jwk.py
@@ -1,10 +1,12 @@
 """JSON Web Key."""
 import abc
 import binascii
+import json
 import logging
 
 import cryptography.exceptions
 from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric import rsa
@@ -27,6 +29,32 @@ class JWK(json_util.TypedJSONObjectWithFields):
     cryptography_key_types = ()
     """Subclasses should override."""
 
+    required = NotImplemented
+    """Required members of public key's representation as defined by JWK/JWA."""
+
+    _thumbprint_json_dumps_params = {
+        # "no whitespace or line breaks before or after any syntactic
+        # elements"
+        'indent': 0,
+        'separators': (',', ':'),
+        # "members ordered lexicographically by the Unicode [UNICODE]
+        # code points of the member names"
+        'sort_keys': True,
+    }
+
+    def thumbprint(self, hash_function=hashes.SHA256):
+        """Compute JWK Thumbprint.
+
+        https://tools.ietf.org/html/rfc7638
+
+        """
+        digest = hashes.Hash(hash_function(), backend=default_backend())
+        digest.update(json.dumps(
+            dict((k, v) for k, v in six.iteritems(self.to_json())
+                 if k in self.required),
+            **self._thumbprint_json_dumps_params).encode())
+        return digest.finalize()
+
     @abc.abstractmethod
     def public_key(self):  # pragma: no cover
         """Generate JWK with public key.
@@ -105,6 +133,7 @@ class JWKES(JWK):  # pragma: no cover
     typ = 'ES'
     cryptography_key_types = (
         ec.EllipticCurvePublicKey, ec.EllipticCurvePrivateKey)
+    required = ('crv', JWK.type_field_name, 'x', 'y')
 
     def fields_to_partial_json(self):
         raise NotImplementedError()
@@ -122,6 +151,7 @@ class JWKOct(JWK):
     """Symmetric JWK."""
     typ = 'oct'
     __slots__ = ('key',)
+    required = ('k', JWK.type_field_name)
 
     def fields_to_partial_json(self):
         # TODO: An "alg" member SHOULD also be present to identify the
@@ -150,6 +180,7 @@ class JWKRSA(JWK):
     typ = 'RSA'
     cryptography_key_types = (rsa.RSAPublicKey, rsa.RSAPrivateKey)
     __slots__ = ('key',)
+    required = ('e', JWK.type_field_name, 'n')
 
     def __init__(self, *args, **kwargs):
         if 'key' in kwargs and not isinstance(
diff --git a/acme/acme/jose/jwk_test.py b/acme/acme/jose/jwk_test.py
index 5462af6b0..d8a7410e8 100644
--- a/acme/acme/jose/jwk_test.py
+++ b/acme/acme/jose/jwk_test.py
@@ -25,9 +25,24 @@ class JWKTest(unittest.TestCase):
         self.assertRaises(errors.Error, JWKRSA.load, DSA_PEM)
 
 
-class JWKOctTest(unittest.TestCase):
+class JWKTestBaseMixin(object):
+    """Mixin test for JWK subclass tests."""
+
+    thumbprint = NotImplemented
+
+    def test_thumbprint_private(self):
+        self.assertEqual(self.thumbprint, self.jwk.thumbprint())
+
+    def test_thumbprint_public(self):
+        self.assertEqual(self.thumbprint, self.jwk.public_key().thumbprint())
+
+
+class JWKOctTest(unittest.TestCase, JWKTestBaseMixin):
     """Tests for acme.jose.jwk.JWKOct."""
 
+    thumbprint = (b"=,\xdd;I\x1a+i\x02x\x8a\x12?06IM\xc2\x80"
+                  b"\xe4\xc3\x1a\xfc\x89\xf3)'\xce\xccm\xfd5")
+
     def setUp(self):
         from acme.jose.jwk import JWKOct
         self.jwk = JWKOct(key=b'foo')
@@ -52,10 +67,13 @@ class JWKOctTest(unittest.TestCase):
         self.assertTrue(self.jwk.public_key() is self.jwk)
 
 
-class JWKRSATest(unittest.TestCase):
+class JWKRSATest(unittest.TestCase, JWKTestBaseMixin):
     """Tests for acme.jose.jwk.JWKRSA."""
     # pylint: disable=too-many-instance-attributes
 
+    thumbprint = (b'\x08\xfa1\x87\x1d\x9b6H/*\x1eW\xc2\xe3\xf6P'
+                  b'\xefs\x0cKB\x87\xcf\x85yO\x045\x0e\x91\x80\x0b')
+
     def setUp(self):
         from acme.jose.jwk import JWKRSA
         self.jwk256 = JWKRSA(key=RSA256_KEY.public_key())
@@ -87,6 +105,7 @@ class JWKRSATest(unittest.TestCase):
             'dq': 'bHh2u7etM8LKKCF2pY2UdQ',
             'qi': 'oi45cEkbVoJjAbnQpFY87Q',
         })
+        self.jwk = self.private
 
     def test_init_auto_comparable(self):
         self.assertTrue(isinstance(

From 3dac62f20e8dbfacea32df6b1748d5f560b559e3 Mon Sep 17 00:00:00 2001
From: Jakub Warmuz <jakub@warmuz.org>
Date: Tue, 6 Oct 2015 20:56:31 +0000
Subject: [PATCH 2/3] json_dumps_pretty: prettier separators.

---
 acme/acme/jose/interfaces.py      | 2 +-
 acme/acme/jose/interfaces_test.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/acme/acme/jose/interfaces.py b/acme/acme/jose/interfaces.py
index f841848b3..f85777a30 100644
--- a/acme/acme/jose/interfaces.py
+++ b/acme/acme/jose/interfaces.py
@@ -194,7 +194,7 @@ class JSONDeSerializable(object):
         :rtype: str
 
         """
-        return self.json_dumps(sort_keys=True, indent=4, separators=(',', ': '))
+        return self.json_dumps(sort_keys=True, indent=4)
 
     @classmethod
     def json_dump_default(cls, python_object):
diff --git a/acme/acme/jose/interfaces_test.py b/acme/acme/jose/interfaces_test.py
index 380c3a2a5..91e6f4416 100644
--- a/acme/acme/jose/interfaces_test.py
+++ b/acme/acme/jose/interfaces_test.py
@@ -91,7 +91,7 @@ class JSONDeSerializableTest(unittest.TestCase):
 
     def test_json_dumps_pretty(self):
         self.assertEqual(
-            self.seq.json_dumps_pretty(), '[\n    "foo1",\n    "foo2"\n]')
+            self.seq.json_dumps_pretty(), '[\n    "foo1", \n    "foo2"\n]')
 
     def test_json_dump_default(self):
         from acme.jose.interfaces import JSONDeSerializable

From c6ebfae15e91a232648e41c4a50ea93d01a15d19 Mon Sep 17 00:00:00 2001
From: Jakub Warmuz <jakub@warmuz.org>
Date: Tue, 6 Oct 2015 20:57:33 +0000
Subject: [PATCH 3/3] Unify quotes

---
 acme/acme/jose/jwk.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/acme/acme/jose/jwk.py b/acme/acme/jose/jwk.py
index 2b8fa0a34..74fa72319 100644
--- a/acme/acme/jose/jwk.py
+++ b/acme/acme/jose/jwk.py
@@ -88,7 +88,7 @@ class JWK(json_util.TypedJSONObjectWithFields):
                 exceptions[loader] = error
 
         # no luck
-        raise errors.Error("Unable to deserialize key: {0}".format(exceptions))
+        raise errors.Error('Unable to deserialize key: {0}'.format(exceptions))
 
     @classmethod
     def load(cls, data, password=None, backend=None):
@@ -109,17 +109,17 @@ class JWK(json_util.TypedJSONObjectWithFields):
         try:
             key = cls._load_cryptography_key(data, password, backend)
         except errors.Error as error:
-            logger.debug("Loading symmetric key, assymentric failed: %s", error)
+            logger.debug('Loading symmetric key, assymentric failed: %s', error)
             return JWKOct(key=data)
 
         if cls.typ is not NotImplemented and not isinstance(
                 key, cls.cryptography_key_types):
-            raise errors.Error("Unable to deserialize {0} into {1}".format(
+            raise errors.Error('Unable to deserialize {0} into {1}'.format(
                 key.__class__, cls.__class__))
         for jwk_cls in six.itervalues(cls.TYPES):
             if isinstance(key, jwk_cls.cryptography_key_types):
                 return jwk_cls(key=key)
-        raise errors.Error("Unsupported algorithm: {0}".format(key.__class__))
+        raise errors.Error('Unsupported algorithm: {0}'.format(key.__class__))
 
 
 @JWK.register
@@ -235,7 +235,7 @@ class JWKRSA(JWK):
                     jobj.get(x) for x in ('p', 'q', 'dp', 'dq', 'qi'))
                 if tuple(param for param in all_params if param is None):
                     raise errors.Error(
-                        "Some private parameters are missing: {0}".format(
+                        'Some private parameters are missing: {0}'.format(
                             all_params))
                 p, q, dp, dq, qi = tuple(
                     cls._decode_param(x) for x in all_params)