feat: add RFC 9278 JWK thumbprint URI

Author: lepture

README.md

@@ -53,6 +53,7 @@ It follows RFCs with extensible API. The module has implementations of:
 - RFC7797: [JSON Web Signature (JWS) Unencoded Payload Option](https://jose.authlib.org/en/dev/guide/jws/#rfc7797)
 - RFC8037: ``OKP`` Key and ``EdDSA`` algorithm
 - RFC8812: ``ES256K`` algorithm
+- RFC9278: [JWK Thumbprint URI](https://jose.authlib.org/en/api/jwk/#joserfc.jwk.thumbprint_uri)
 
 And draft RFCs implementation of:
 

README.rst

@@ -16,6 +16,7 @@ This package contains implementation of:
 - RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
 - RFC8037: OKP Key and EdDSA algorithm
 - RFC8812: ES256K algorithm
+- RFC9278: JWK Thumbprint URI
 
 And draft RFCs implementation of:
 

docs/api/jwk.rst

@@ -7,3 +7,4 @@ This part of the documentation covers all the interfaces of ``joserfc.jwk``.
 
 .. automodule:: joserfc.jwk
     :members:
+    :inherited-members:

src/joserfc/_rfc7517/models.py

@@ -3,7 +3,8 @@
 from collections.abc import KeysView
 from abc import ABCMeta, abstractmethod
 from .types import DictKey, AnyKey, KeyParameters
-from .._rfc7638 import thumbprint
+from .._rfc7638 import calculate_thumbprint
+from .._rfc9278 import concat_thumbprint_uri
 from ..registry import (
     KeyParameterRegistryDict,
     JWK_PARAMETER_REGISTRY,
@@ -167,7 +168,14 @@ def thumbprint(self) -> str:
         defined in RFC7638."""
         fields = [k for k in self.value_registry if self.value_registry[k].required]
         fields.append("kty")
-        return thumbprint(self.dict_value, fields, self.thumbprint_digest_method)
+        data = {key: self.dict_value[key] for key in fields}
+        return calculate_thumbprint(data, self.thumbprint_digest_method)
+
+    def thumbprint_uri(self) -> str:
+        """Call this method will generate the thumbprint URI
+        defined in RFC9278."""
+        value = self.thumbprint()
+        return concat_thumbprint_uri(value, self.thumbprint_digest_method)
 
     def as_dict(self, private: t.Optional[bool] = None, **params: t.Any) -> DictKey:
         """Output this key to a JWK format (in dict). By default, it will return

src/joserfc/_rfc7638/__init__.py

@@ -5,17 +5,14 @@
 from ..util import to_bytes, urlsafe_b64encode
 
 
-def thumbprint(
-    dict_value: t.Dict[str, t.Any],
-    fields: t.List[str],
+def calculate_thumbprint(
+    value: t.Dict[str, t.Any],
     digest_method: t.Literal["sha256", "sha384", "sha512"] = "sha256",
 ) -> str:
-    sorted_fields = sorted(fields)
-
+    sorted_fields = sorted(value.keys())
     data = OrderedDict()
     for k in sorted_fields:
-        data[k] = dict_value[k]
-
+        data[k] = value[k]
     json_data = json.dumps(data, ensure_ascii=True, separators=(",", ":"))
     hash_value = hashlib.new(digest_method, to_bytes(json_data))
     digest_data = hash_value.digest()

src/joserfc/_rfc9278/__init__.py

@@ -0,0 +1,18 @@
+import typing as t
+from .._rfc7638 import calculate_thumbprint
+
+JWK_THUMBPRINT_URN = "urn:ietf:params:oauth:jwk-thumbprint"
+
+
+def calculate_thumbprint_uri(
+    value: t.Dict[str, t.Any],
+    digest_method: t.Literal["sha256", "sha384", "sha512"] = "sha256",
+) -> str:
+    """Calculate JWK thumbprint URI, defined by RFC9278."""
+    value = calculate_thumbprint(value, digest_method=digest_method)
+    return concat_thumbprint_uri(value, digest_method=digest_method)
+
+
+def concat_thumbprint_uri(value: str, digest_method: t.Literal["sha256", "sha384", "sha512"]) -> str:
+    method = digest_method.replace("sha", "sha-")
+    return f"{JWK_THUMBPRINT_URN}:{method}:{value}"

src/joserfc/jwk.py

@@ -12,6 +12,7 @@
 from ._rfc7518.ec_key import ECKey as ECKey
 from ._rfc8037.okp_key import OKPKey as OKPKey
 from ._rfc8812 import register_secp256k1
+from ._rfc9278 import calculate_thumbprint_uri as thumbprint_uri
 from .registry import Header
 
 
@@ -36,6 +37,7 @@
     "guess_key",
     "import_key",
     "generate_key",
+    "thumbprint_uri",
 ]
 
 register_secp256k1()

tests/jwk/test_key_methods.py

@@ -2,7 +2,7 @@
 
 # trigger register_key_set
 import joserfc.jws  # noqa: F401
-from joserfc.jwk import guess_key, import_key, generate_key
+from joserfc.jwk import guess_key, import_key, generate_key, thumbprint_uri
 from joserfc.jwk import KeySet, OctKey, RSAKey, ECKey, OKPKey
 from joserfc.errors import (
     UnsupportedKeyAlgorithmError,
@@ -126,3 +126,15 @@ def test_check_ops(self):
 
     def test_import_without_kty(self):
         self.assertRaises(MissingKeyTypeError, import_key, {})
+
+    def test_thumbprint_uri(self):
+        value = thumbprint_uri(
+            {
+                "kty": "EC",
+                "crv": "P-256",
+                "x": "jJ6Flys3zK9jUhnOHf6G49Dyp5hah6CNP84-gY-n9eo",
+                "y": "nhI6iD5eFXgBTLt_1p3aip-5VbZeMhxeFSpjfEAf7Ww",
+            }
+        )
+        expected = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:w9eYdC6_s_tLQ8lH6PUpc0mddazaqtPgeC2IgWDiqY8"
+        self.assertEqual(value, expected)

tests/jwk/test_oct_key.py

@@ -37,6 +37,18 @@ def test_import_key_from_dict(self):
         key = OctKey.import_key(data)
         self.assertEqual(key.as_dict(), data)
 
+    def test_thumbprint_uri(self):
+        data = {
+            "kty": "oct",
+            "alg": "A128KW",
+            "k": "GawgguFyGrWKav7AX4VKUg",
+            "use": "sig",
+            "key_ops": ["sign", "verify"],
+        }
+        key = OctKey.import_key(data)
+        thumbprint = "k1JnWRfC-5zzmL72vXIuBgTLfVROXBakS4OmGcrMCoc"
+        self.assertEqual(key.thumbprint_uri(), f"urn:ietf:params:oauth:jwk-thumbprint:sha-256:{thumbprint}")
+
     def test_import_missing_k(self):
         data = {
             "kty": "oct",