custodia: do not use deprecated jwcrypto wrappers

jwcrypto has turned JWK object into a dict-like structure in 2020 and marked data wrappers as deprecated. The only exception for direct foo['bar'] access is a key ID -- some keys might have no 'kid' property, thus it is best to use jwk.get('kid') instead for those. Fixes: https://pagure.io/freeipa/issue/9597 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2024-05-22 13:59:46 +03:00
parent 84eed2a67f
commit 5368120805
2 changed files with 9 additions and 9 deletions
--- a/install/tools/ipa-custodia-check.in
+++ b/install/tools/ipa-custodia-check.in
@@ -192,10 +192,10 @@ class IPACustodiaTester:
                usage, IPA_CUSTODIA_KEYFILE
            ))

-        if pkey.key_id != self.host_spn:
+        if pkey.get('kid') != self.host_spn:
            raise self.error(  # pylint: disable=raising-bad-type, #4772
                "KID '{}' != host service principal name '{}' "
-                "(usage: {})".format(pkey.key_id, self.host_spn, usage),
+                "(usage: {})".format(pkey.get('kid'), self.host_spn, usage),
                fatal=True
            )
        else:
--- a/ipaserver/custodia/message/kem.py
+++ b/ipaserver/custodia/message/kem.py
@@ -85,7 +85,7 @@ class KEMKeysStore(SimplePathAuthz):
        if self._alg is None:
            alg = self.config.get('signing_algorithm', None)
            if alg is None:
-                ktype = self.server_keys[KEY_USAGE_SIG].key_type
+                ktype = self.server_keys[KEY_USAGE_SIG]['kty']
                if ktype == 'RSA':
                    alg = 'RS256'
                elif ktype == 'EC':
@@ -125,9 +125,9 @@ class KEMHandler(MessageHandler):
        if 'kid' not in header:
            raise InvalidMessage("Missing key identifier")

-        key = self.kkstore.find_key(header['kid'], usage)
+        key = self.kkstore.find_key(header.get('kid'), usage)
        if key is None:
-            raise UnknownPublicKey('Key found [kid:%s]' % header['kid'])
+            raise UnknownPublicKey('Key found [kid:%s]' % header.get('kid'))
        return json_decode(key)

    def parse(self, msg, name):
@@ -179,14 +179,14 @@ class KEMHandler(MessageHandler):
        self.msg_type = 'kem'

        return {'type': self.msg_type,
-                'value': {'kid': self.client_keys[KEY_USAGE_ENC].key_id,
+                'value': {'kid': self.client_keys[KEY_USAGE_ENC].get('kid'),
                          'claims': claims}}

    def reply(self, output):
        if self.client_keys is None:
            raise UnknownPublicKey("Peer key not defined")

-        ktype = self.client_keys[KEY_USAGE_ENC].key_type
+        ktype = self.client_keys[KEY_USAGE_ENC]['kty']
        if ktype == 'RSA':
            enc = ('RSA-OAEP', 'A256CBC-HS512')
        else:
@@ -224,7 +224,7 @@ class KEMClient:


 def make_sig_kem(name, value, key, alg):
-    header = {'kid': key.key_id, 'alg': alg}
+    header = {'kid': key.get('kid'), 'alg': alg}
    claims = {'sub': name, 'exp': int(time.time() + (5 * 60))}
    if value is not None:
        claims['value'] = value
@@ -235,7 +235,7 @@ def make_sig_kem(name, value, key, alg):

 def make_enc_kem(name, value, sig_key, alg, enc_key, enc):
    plaintext = make_sig_kem(name, value, sig_key, alg)
-    eprot = {'kid': enc_key.key_id, 'alg': enc[0], 'enc': enc[1]}
+    eprot = {'kid': enc_key.get('kid'), 'alg': enc[0], 'enc': enc[1]}
    jwe = JWE(plaintext, json_encode(eprot))
    jwe.add_recipient(enc_key)
    return jwe.serialize(compact=True)