Merge pull request #69 from jschlyter/accept_invalid_keys

jschlyter · web-flow · commit 88bfcec67b1f · 2020-10-07T15:57:53.000+02:00
Add option ignore_invalid_keys to KeyBundle
diff --git a/src/cryptojwt/key_bundle.py b/src/cryptojwt/key_bundle.py
@@ -162,6 +162,7 @@ def __init__(
         keytype="RSA",
         keyusage=None,
         kid="",
+        ignore_invalid_keys=True,
         httpc=None,
         httpc_params=None,
     ):
@@ -181,6 +182,7 @@ def __init__(
             presently 'rsa' and 'ec' are supported.
         :param keyusage: What the key loaded from file should be used for.
             Only applicable for DER files
+        :param ignore_invalid_keys: Ignore invalid keys
         :param httpc: A HTTP client function
         :param httpc_params: Additional parameters to pass to the HTTP client
             function
@@ -202,6 +204,7 @@ def __init__(
         self.last_updated = 0
         self.last_remote = None  # HTTP Date of last remote update
         self.last_local = None  # UNIX timestamp of last local update
+        self.ignore_invalid_keys = ignore_invalid_keys
 
         if httpc:
             self.httpc = httpc
@@ -274,6 +277,8 @@ def do_keys(self, keys):
             elif inst["kty"].upper() in K2C:
                 inst["kty"] = inst["kty"].upper()
             else:
+                if not self.ignore_invalid_keys:
+                    raise UnknownKeyType(inst)
                 LOGGER.warning("While loading keys, unknown key type: %s", inst["kty"])
                 continue
 
@@ -290,12 +295,18 @@ def do_keys(self, keys):
                 try:
                     _key = K2C[_typ](use=_use, **inst)
                 except KeyError:
+                    if not self.ignore_invalid_keys:
+                        raise UnknownKeyType(inst)
                     _error = "UnknownKeyType: {}".format(_typ)
                     continue
                 except (UnsupportedECurve, UnsupportedAlgorithm) as err:
+                    if not self.ignore_invalid_keys:
+                        raise err
                     _error = str(err)
                     break
                 except JWKException as err:
+                    if not self.ignore_invalid_keys:
+                        raise err
                     LOGGER.warning("While loading keys: %s", err)
                     _error = str(err)
                 else:
diff --git a/tests/test_03_key_bundle.py b/tests/test_03_key_bundle.py
@@ -10,6 +10,7 @@
 import responses
 from cryptography.hazmat.primitives.asymmetric import rsa
 
+from cryptojwt.exception import UnknownKeyType
 from cryptojwt.jwk.ec import ECKey
 from cryptojwt.jwk.ec import new_ec_key
 from cryptojwt.jwk.hmac import SYMKey
@@ -1067,3 +1068,14 @@ def test_ignore_errors_period():
         kb.source = source_good
         res = kb.do_remote()
         assert res == True
+
+
+def test_ignore_invalid_keys():
+    rsa_key_dict = new_rsa_key().serialize()
+    rsa_key_dict["kty"] = "b0rken"
+
+    kb = KeyBundle(keys={"keys": [rsa_key_dict]}, ignore_invalid_keys=True)
+    assert len(kb) == 0
+
+    with pytest.raises(UnknownKeyType):
+        KeyBundle(keys={"keys": [rsa_key_dict]}, ignore_invalid_keys=False)
