Merge pull request #197 from jschlyter/feature/symkey_init

jschlyter · web-flow · commit f9213c1cd587 · 2026-03-24T09:46:14.000+01:00
Improve SYMKey init (allow setting k and/or key)
diff --git a/src/cryptojwt/jwk/hmac.py b/src/cryptojwt/jwk/hmac.py
@@ -59,6 +59,13 @@ def __init__(
             if isinstance(self.k, str):
                 self.k = self.k.encode("utf-8")
             self.key = b64d(bytes(self.k))
+        elif self.key and not self.k:
+            self.k = b64e(self.key)
+
+        if self.k and self.key:
+            _k_bytes = self.k.encode("utf-8") if isinstance(self.k, str) else self.k
+            if _k_bytes != b64e(self.key):
+                raise JWKException("k and key don't match")
 
         if len(self.key) < 16:
             raise UnsupportedAlgorithm("client_secret too short, it should be at least 16 digits")
diff --git a/tests/test_02_jwk.py b/tests/test_02_jwk.py
@@ -9,7 +9,12 @@
 import pytest
 from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
 
-from cryptojwt.exception import DeSerializationNotPossible, UnsupportedAlgorithm, WrongUsage
+from cryptojwt.exception import (
+    DeSerializationNotPossible,
+    JWKException,
+    UnsupportedAlgorithm,
+    WrongUsage,
+)
 from cryptojwt.jwk import JWK, certificate_fingerprint, pem_hash, pems_to_x5c
 from cryptojwt.jwk.ec import ECKey, new_ec_key
 from cryptojwt.jwk.hmac import SYMKey, new_sym_key, sha256_digest
@@ -656,6 +661,29 @@ def test_dump_load():
     assert key.use == "sig"
 
 
+def test_key_init():
+    # init with only key
+    secret1 = os.urandom(16)
+    k1 = SYMKey(key=secret1, alg="HS256")
+    assert k1.k == b64e(secret1)
+
+    # init with only k (base64 encoded key)
+    secret2 = os.urandom(16)
+    k2 = SYMKey(k=b64e(secret2), alg="HS256")
+    assert k2.key == secret2
+
+    # init with different key and k should fail
+    secret3a = os.urandom(16)
+    secret3b = os.urandom(16)
+    with pytest.raises(JWKException):
+        _ = SYMKey(k=b64e(secret3a), key=secret3b, alg="HS256")
+
+    # init with both matching (k as str) - should succeed
+    secret4 = os.urandom(16)
+    k4 = SYMKey(k=b64e(secret4).decode("utf-8"), key=secret4, alg="HS256")
+    assert k4.k == b64e(secret4) or bytes(k4.k, encoding="utf-8") == b64e(secret4)
+
+
 def test_key_ops():
     sk = SYMKey(
         key="df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b",
