anip-crypto 0.11.0__tar.gz

anip_crypto-0.11.0/PKG-INFO

@@ -0,0 +1,19 @@
+Metadata-Version: 2.4
+Name: anip-crypto
+Version: 0.11.0
+Summary: ANIP cryptographic primitives — key management, JWT, JWS, JWKS
+Author-email: ANIP Protocol <team@anip.dev>
+License: Apache-2.0
+Project-URL: Repository, https://github.com/anip-protocol/anip
+Keywords: anip,agent,protocol
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.11
+Requires-Dist: anip-core==0.11.0
+Requires-Dist: cryptography>=42.0
+Requires-Dist: PyJWT[crypto]>=2.8
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"

anip_crypto-0.11.0/README.md

@@ -0,0 +1,15 @@
+# anip-crypto
+
+ANIP cryptographic primitives — key management, JWT, JWS, JWKS
+
+Part of the [ANIP](https://github.com/anip-protocol/anip) protocol ecosystem.
+
+## Install
+
+```bash
+pip install anip-crypto
+```
+
+## Documentation
+
+See the [ANIP repository](https://github.com/anip-protocol/anip) for full documentation.

anip_crypto-0.11.0/pyproject.toml

@@ -0,0 +1,33 @@
+[project]
+name = "anip-crypto"
+version = "0.11.0"
+description = "ANIP cryptographic primitives — key management, JWT, JWS, JWKS"
+requires-python = ">=3.11"
+dependencies = [
+    "anip-core==0.11.0",
+    "cryptography>=42.0",
+    "PyJWT[crypto]>=2.8",
+]
+authors = [{ name = "ANIP Protocol", email = "team@anip.dev" }]
+license = { text = "Apache-2.0" }
+keywords = ["anip", "agent", "protocol"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+
+[project.optional-dependencies]
+dev = ["pytest>=8.0"]
+
+[project.urls]
+Repository = "https://github.com/anip-protocol/anip"
+
+[build-system]
+requires = ["setuptools>=68.0"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools.packages.find]
+where = ["src"]

anip_crypto-0.11.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

anip_crypto-0.11.0/src/anip_crypto/__init__.py

@@ -0,0 +1,27 @@
+"""ANIP Crypto — key management, JWT, JWS, JWKS."""
+
+from .canonicalize import canonicalize
+from .jwks import build_jwks
+from .jws import (
+    sign_jws_detached,
+    sign_jws_detached_audit,
+    verify_jws_detached,
+    verify_jws_detached_audit,
+)
+from .jwt import sign_jwt, verify_jwt
+from .keys import KeyManager
+from .verify import verify_audit_entry_signature, verify_manifest_signature
+
+__all__ = [
+    "KeyManager",
+    "canonicalize",
+    "sign_jwt",
+    "verify_jwt",
+    "sign_jws_detached",
+    "verify_jws_detached",
+    "sign_jws_detached_audit",
+    "verify_jws_detached_audit",
+    "build_jwks",
+    "verify_audit_entry_signature",
+    "verify_manifest_signature",
+]

anip_crypto-0.11.0/src/anip_crypto/canonicalize.py

@@ -0,0 +1,13 @@
+"""Canonical JSON helpers for verifiable ANIP artifacts."""
+
+import json
+from typing import Any
+
+
+def canonicalize(data: dict[str, Any], *, exclude: set[str] | None = None) -> bytes:
+    """Produce canonical JSON bytes for signing/hashing.
+
+    Sorts keys, uses compact separators, optionally excludes fields.
+    """
+    filtered = {k: v for k, v in sorted(data.items()) if k not in (exclude or set())}
+    return json.dumps(filtered, separators=(",", ":"), sort_keys=True).encode()

anip_crypto-0.11.0/src/anip_crypto/jwks.py

@@ -0,0 +1,8 @@
+"""JWKS construction for ANIP services."""
+
+from .keys import KeyManager
+
+
+def build_jwks(key_manager: KeyManager) -> dict:
+    """Build a JWKS response containing both public keys."""
+    return key_manager.get_jwks()

anip_crypto-0.11.0/src/anip_crypto/jws.py

@@ -0,0 +1,23 @@
+"""Detached JWS operations for ANIP signed artifacts."""
+
+from .keys import KeyManager
+
+
+def sign_jws_detached(key_manager: KeyManager, payload: bytes) -> str:
+    """Sign with the delegation key (for manifests)."""
+    return key_manager.sign_jws_detached(payload)
+
+
+def verify_jws_detached(key_manager: KeyManager, jws: str, payload: bytes) -> None:
+    """Verify with the delegation public key."""
+    key_manager.verify_jws_detached(jws, payload)
+
+
+def sign_jws_detached_audit(key_manager: KeyManager, payload: bytes) -> str:
+    """Sign with the audit key (for checkpoints)."""
+    return key_manager.sign_jws_detached_audit(payload)
+
+
+def verify_jws_detached_audit(key_manager: KeyManager, jws: str, payload: bytes) -> None:
+    """Verify with the audit public key."""
+    key_manager.verify_jws_detached_audit(jws, payload)

anip_crypto-0.11.0/src/anip_crypto/jwt.py

@@ -0,0 +1,13 @@
+"""JWT signing and verification for ANIP delegation tokens."""
+
+from .keys import KeyManager
+
+
+def sign_jwt(key_manager: KeyManager, payload: dict) -> str:
+    """Sign a JWT with the delegation key (ES256)."""
+    return key_manager.sign_jwt(payload)
+
+
+def verify_jwt(key_manager: KeyManager, token: str, *, audience: str) -> dict:
+    """Verify a JWT signature and audience."""
+    return key_manager.verify_jwt(token, audience=audience)

anip_crypto-0.11.0/src/anip_crypto/keys.py

@@ -0,0 +1,272 @@
+"""Key management and cryptographic operations for ANIP trust layer."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+from pathlib import Path
+
+import jwt
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric.utils import (
+    decode_dss_signature,
+    encode_dss_signature,
+)
+
+
+def _b64url_encode(data: bytes) -> str:
+    """Base64url encode without padding."""
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def _b64url_decode(s: str) -> bytes:
+    """Base64url decode, adding padding as needed."""
+    s += "=" * (4 - len(s) % 4)
+    return base64.urlsafe_b64decode(s)
+
+
+class KeyManager:
+    """Manages EC P-256 key pairs for JWT signing and JWKS publication."""
+
+    def __init__(self, key_path: str | None = None) -> None:
+        if key_path and Path(key_path).exists():
+            self._load_keys(key_path)
+        else:
+            self._generate_keys()
+            if key_path:
+                self._save_keys(key_path)
+
+    # ------------------------------------------------------------------ #
+    # Key lifecycle
+    # ------------------------------------------------------------------ #
+
+    def _generate_keys(self) -> None:
+        self._private_key = ec.generate_private_key(ec.SECP256R1())
+        self._public_key = self._private_key.public_key()
+        self._kid = self._derive_kid(self._public_key)
+        # Audit key pair (separate from delegation signing key)
+        self._audit_private_key = ec.generate_private_key(ec.SECP256R1())
+        self._audit_public_key = self._audit_private_key.public_key()
+        self._audit_kid = self._derive_kid(self._audit_public_key)
+
+    def _derive_kid(self, public_key: ec.EllipticCurvePublicKey) -> str:
+        pub_der = public_key.public_bytes(
+            serialization.Encoding.DER,
+            serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+        return hashlib.sha256(pub_der).hexdigest()[:16]
+
+    def _save_keys(self, path: str) -> None:
+        pem = self._private_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        ).decode("utf-8")
+        audit_pem = self._audit_private_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        ).decode("utf-8")
+        data = {
+            "private_key_pem": pem,
+            "kid": self._kid,
+            "audit_private_key_pem": audit_pem,
+            "audit_kid": self._audit_kid,
+        }
+        Path(path).write_text(json.dumps(data))
+
+    def _load_keys(self, path: str) -> None:
+        data = json.loads(Path(path).read_text())
+        loaded_key = serialization.load_pem_private_key(
+            data["private_key_pem"].encode("utf-8"), password=None
+        )
+        if not isinstance(loaded_key, ec.EllipticCurvePrivateKey):
+            raise TypeError("Expected EC private key, got " + type(loaded_key).__name__)
+        self._private_key = loaded_key
+        self._public_key = self._private_key.public_key()
+        self._kid = data["kid"]
+        # Load audit key pair (generate if missing for backward compatibility)
+        if "audit_private_key_pem" in data:
+            audit_key = serialization.load_pem_private_key(
+                data["audit_private_key_pem"].encode("utf-8"), password=None
+            )
+            if not isinstance(audit_key, ec.EllipticCurvePrivateKey):
+                raise TypeError("Expected EC private key for audit, got " + type(audit_key).__name__)
+            self._audit_private_key = audit_key
+            self._audit_public_key = self._audit_private_key.public_key()
+            self._audit_kid = data["audit_kid"]
+        else:
+            self._audit_private_key = ec.generate_private_key(ec.SECP256R1())
+            self._audit_public_key = self._audit_private_key.public_key()
+            self._audit_kid = self._derive_kid(self._audit_public_key)
+
+    # ------------------------------------------------------------------ #
+    # Properties
+    # ------------------------------------------------------------------ #
+
+    @property
+    def private_key(self) -> ec.EllipticCurvePrivateKey:
+        return self._private_key
+
+    @property
+    def public_key(self) -> ec.EllipticCurvePublicKey:
+        return self._public_key
+
+    @property
+    def kid(self) -> str:
+        """Delegation key ID."""
+        return self._kid
+
+    @property
+    def audit_private_key(self) -> ec.EllipticCurvePrivateKey:
+        """Audit private key."""
+        return self._audit_private_key
+
+    @property
+    def audit_public_key(self) -> ec.EllipticCurvePublicKey:
+        """Audit public key."""
+        return self._audit_public_key
+
+    @property
+    def audit_kid(self) -> str:
+        """Audit key ID."""
+        return self._audit_kid
+
+    # ------------------------------------------------------------------ #
+    # JWKS
+    # ------------------------------------------------------------------ #
+
+    def get_jwks(self) -> dict:
+        """Return a JWKS containing both public keys (no private material)."""
+        # Delegation signing key
+        numbers = self._public_key.public_numbers()
+        x_bytes = numbers.x.to_bytes(32, "big")
+        y_bytes = numbers.y.to_bytes(32, "big")
+        # Audit signing key
+        audit_numbers = self._audit_public_key.public_numbers()
+        audit_x_bytes = audit_numbers.x.to_bytes(32, "big")
+        audit_y_bytes = audit_numbers.y.to_bytes(32, "big")
+        return {
+            "keys": [
+                {
+                    "kty": "EC",
+                    "crv": "P-256",
+                    "alg": "ES256",
+                    "use": "sig",
+                    "kid": self._kid,
+                    "x": _b64url_encode(x_bytes),
+                    "y": _b64url_encode(y_bytes),
+                },
+                {
+                    "kty": "EC",
+                    "crv": "P-256",
+                    "alg": "ES256",
+                    "use": "audit",
+                    "kid": self._audit_kid,
+                    "x": _b64url_encode(audit_x_bytes),
+                    "y": _b64url_encode(audit_y_bytes),
+                },
+            ]
+        }
+
+    # ------------------------------------------------------------------ #
+    # Audit entry signing
+    # ------------------------------------------------------------------ #
+
+    def sign_audit_entry(self, entry_data: dict) -> str:
+        """Sign an audit entry with the dedicated audit key.
+
+        Creates canonical JSON (excluding 'signature' and 'id'), hashes it,
+        and produces a JWT containing the hash, signed with the audit key.
+        """
+        canonical = json.dumps(
+            {k: v for k, v in sorted(entry_data.items()) if k not in ("signature", "id")},
+            separators=(",", ":"),
+            sort_keys=True,
+        ).encode()
+        hash_hex = hashlib.sha256(canonical).hexdigest()
+        return jwt.encode(
+            {"audit_hash": hash_hex},
+            self._audit_private_key,
+            algorithm="ES256",
+            headers={"kid": self._audit_kid},
+        )
+
+    # ------------------------------------------------------------------ #
+    # JWT operations
+    # ------------------------------------------------------------------ #
+
+    def sign_jwt(self, payload: dict) -> str:
+        """Sign a JWT with ES256, including kid in the header."""
+        return jwt.encode(
+            payload,
+            self._private_key,
+            algorithm="ES256",
+            headers={"kid": self._kid},
+        )
+
+    def verify_jwt(self, token: str, *, audience: str) -> dict:
+        """Verify a JWT signature and audience claim."""
+        return jwt.decode(
+            token,
+            self._public_key,
+            algorithms=["ES256"],
+            audience=audience,
+        )
+
+    # ------------------------------------------------------------------ #
+    # Detached JWS
+    # ------------------------------------------------------------------ #
+
+    def _sign_jws_detached_with(self, payload: bytes, private_key: ec.EllipticCurvePrivateKey, kid: str) -> str:
+        """Create a detached JWS using the specified key."""
+        header = json.dumps(
+            {"alg": "ES256", "kid": kid}, separators=(",", ":")
+        )
+        header_b64 = _b64url_encode(header.encode("utf-8"))
+        payload_b64 = _b64url_encode(payload)
+
+        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
+        der_sig = private_key.sign(signing_input, ec.ECDSA(hashes.SHA256()))
+
+        # Convert DER signature to raw r||s (32 bytes each for P-256)
+        r, s = decode_dss_signature(der_sig)
+        raw_sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")
+        sig_b64 = _b64url_encode(raw_sig)
+
+        return f"{header_b64}..{sig_b64}"
+
+    def sign_jws_detached(self, payload: bytes) -> str:
+        """Create a detached JWS with the delegation key (for manifests)."""
+        return self._sign_jws_detached_with(payload, self._private_key, self._kid)
+
+    def sign_jws_detached_audit(self, payload: bytes) -> str:
+        """Create a detached JWS with the audit key (for checkpoints)."""
+        return self._sign_jws_detached_with(payload, self._audit_private_key, self._audit_kid)
+
+    def _verify_jws_detached_with(self, jws: str, payload: bytes, public_key: ec.EllipticCurvePublicKey) -> None:
+        """Verify a detached JWS against the provided payload using the specified key."""
+        parts = jws.split(".")
+        if len(parts) != 3 or parts[1] != "":
+            raise ValueError("Invalid detached JWS format: expected 'header..signature'")
+        header_b64, _, sig_b64 = parts
+
+        payload_b64 = _b64url_encode(payload)
+        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
+
+        raw_sig = _b64url_decode(sig_b64)
+        r = int.from_bytes(raw_sig[:32], "big")
+        s = int.from_bytes(raw_sig[32:], "big")
+        der_sig = encode_dss_signature(r, s)
+
+        public_key.verify(der_sig, signing_input, ec.ECDSA(hashes.SHA256()))
+
+    def verify_jws_detached(self, jws: str, payload: bytes) -> None:
+        """Verify a detached JWS with the delegation public key (for manifests)."""
+        self._verify_jws_detached_with(jws, payload, self._public_key)
+
+    def verify_jws_detached_audit(self, jws: str, payload: bytes) -> None:
+        """Verify a detached JWS with the audit public key (for checkpoints)."""
+        self._verify_jws_detached_with(jws, payload, self._audit_public_key)

anip_crypto-0.11.0/src/anip_crypto/verify.py

@@ -0,0 +1,40 @@
+"""Verification helpers for ANIP signed artifacts."""
+
+import hashlib
+
+import jwt as pyjwt
+
+from .canonicalize import canonicalize
+from .keys import KeyManager
+
+
+def verify_audit_entry_signature(
+    key_manager: KeyManager, entry: dict, signature: str
+) -> dict:
+    """Verify an audit entry's signature using the audit public key.
+
+    Returns the decoded JWT claims on success, raises on failure.
+    """
+    claims = pyjwt.decode(
+        signature,
+        key_manager.audit_public_key,
+        algorithms=["ES256"],
+    )
+    canonical = canonicalize(entry, exclude={"signature", "id"})
+    expected_hash = hashlib.sha256(canonical).hexdigest()
+    if claims.get("audit_hash") != expected_hash:
+        raise ValueError("Audit hash mismatch")
+    return claims
+
+
+def verify_manifest_signature(
+    key_manager: KeyManager, manifest_bytes: bytes, signature: str
+) -> None:
+    """Verify a manifest's detached JWS signature using the delegation public key.
+
+    *manifest_bytes* is the raw JSON body returned by ``GET /anip/manifest``.
+    *signature* is the ``X-ANIP-Signature`` header value (detached JWS).
+
+    Raises on verification failure.
+    """
+    key_manager.verify_jws_detached(signature, manifest_bytes)

anip_crypto-0.11.0/src/anip_crypto.egg-info/PKG-INFO

@@ -0,0 +1,19 @@
+Metadata-Version: 2.4
+Name: anip-crypto
+Version: 0.11.0
+Summary: ANIP cryptographic primitives — key management, JWT, JWS, JWKS
+Author-email: ANIP Protocol <team@anip.dev>
+License: Apache-2.0
+Project-URL: Repository, https://github.com/anip-protocol/anip
+Keywords: anip,agent,protocol
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.11
+Requires-Dist: anip-core==0.11.0
+Requires-Dist: cryptography>=42.0
+Requires-Dist: PyJWT[crypto]>=2.8
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"

anip_crypto-0.11.0/src/anip_crypto.egg-info/SOURCES.txt

@@ -0,0 +1,16 @@
+README.md
+pyproject.toml
+src/anip_crypto/__init__.py
+src/anip_crypto/canonicalize.py
+src/anip_crypto/jwks.py
+src/anip_crypto/jws.py
+src/anip_crypto/jwt.py
+src/anip_crypto/keys.py
+src/anip_crypto/verify.py
+src/anip_crypto.egg-info/PKG-INFO
+src/anip_crypto.egg-info/SOURCES.txt
+src/anip_crypto.egg-info/dependency_links.txt
+src/anip_crypto.egg-info/requires.txt
+src/anip_crypto.egg-info/top_level.txt
+tests/test_jwt_jws.py
+tests/test_keys.py

anip_crypto-0.11.0/src/anip_crypto.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

anip_crypto-0.11.0/src/anip_crypto.egg-info/requires.txt

@@ -0,0 +1,6 @@
+anip-core==0.11.0
+cryptography>=42.0
+PyJWT[crypto]>=2.8
+
+[dev]
+pytest>=8.0

anip_crypto-0.11.0/src/anip_crypto.egg-info/top_level.txt

@@ -0,0 +1 @@
+anip_crypto

anip_crypto-0.11.0/tests/test_jwt_jws.py

@@ -0,0 +1,93 @@
+"""Tests for JWT, JWS, JWKS, and verification."""
+import json
+
+import pytest
+
+from anip_crypto import (
+    KeyManager,
+    build_jwks,
+    canonicalize,
+    sign_jws_detached,
+    sign_jws_detached_audit,
+    sign_jwt,
+    verify_audit_entry_signature,
+    verify_jws_detached,
+    verify_jws_detached_audit,
+    verify_jwt,
+    verify_manifest_signature,
+)
+
+
+def test_jwt_sign_verify():
+    km = KeyManager()
+    token = sign_jwt(km, {"sub": "agent", "aud": "test-svc"})
+    claims = verify_jwt(km, token, audience="test-svc")
+    assert claims["sub"] == "agent"
+
+
+def test_jwt_wrong_audience_fails():
+    km = KeyManager()
+    token = sign_jwt(km, {"sub": "agent", "aud": "svc-a"})
+    with pytest.raises(Exception):
+        verify_jwt(km, token, audience="svc-b")
+
+
+def test_jws_detached_delegation():
+    km = KeyManager()
+    payload = b"manifest-bytes"
+    jws = sign_jws_detached(km, payload)
+    parts = jws.split(".")
+    assert len(parts) == 3
+    assert parts[1] == ""
+    verify_jws_detached(km, jws, payload)
+
+
+def test_jws_detached_audit():
+    km = KeyManager()
+    payload = b"checkpoint-body"
+    jws = sign_jws_detached_audit(km, payload)
+    verify_jws_detached_audit(km, jws, payload)
+
+
+def test_jws_delegation_key_cannot_verify_audit_signature():
+    km = KeyManager()
+    payload = b"data"
+    jws = sign_jws_detached_audit(km, payload)
+    with pytest.raises(Exception):
+        verify_jws_detached(km, jws, payload)
+
+
+def test_build_jwks():
+    km = KeyManager()
+    jwks = build_jwks(km)
+    assert len(jwks["keys"]) == 2
+    assert jwks["keys"][0]["alg"] == "ES256"
+
+
+def test_canonicalize():
+    data = {"b": 2, "a": 1, "signature": "remove-me"}
+    canonical = canonicalize(data, exclude={"signature"})
+    parsed = json.loads(canonical)
+    assert list(parsed.keys()) == ["a", "b"]
+
+
+def test_verify_audit_entry_signature():
+    km = KeyManager()
+    entry = {"capability": "test", "timestamp": "2026-01-01T00:00:00Z", "success": True}
+    sig = km.sign_audit_entry(entry)
+    verify_audit_entry_signature(km, entry, sig)
+
+
+def test_verify_manifest_signature():
+    km = KeyManager()
+    manifest_bytes = b'{"protocol":"anip/0.11","capabilities":{}}'
+    sig = sign_jws_detached(km, manifest_bytes)
+    verify_manifest_signature(km, manifest_bytes, sig)
+
+
+def test_verify_manifest_signature_wrong_bytes_fails():
+    km = KeyManager()
+    manifest_bytes = b'{"protocol":"anip/0.11"}'
+    sig = sign_jws_detached(km, manifest_bytes)
+    with pytest.raises(Exception):
+        verify_manifest_signature(km, b"tampered", sig)

anip_crypto-0.11.0/tests/test_keys.py

@@ -0,0 +1,48 @@
+"""Tests for KeyManager and key operations."""
+
+import tempfile
+from pathlib import Path
+
+from anip_crypto.keys import KeyManager
+
+
+def test_generate_keys():
+    km = KeyManager()
+    jwks = km.get_jwks()
+    assert len(jwks["keys"]) == 2
+    assert jwks["keys"][0]["use"] == "sig"
+    assert jwks["keys"][1]["use"] == "audit"
+
+
+def test_separate_key_ids():
+    km = KeyManager()
+    jwks = km.get_jwks()
+    delegation_kid = jwks["keys"][0]["kid"]
+    audit_kid = jwks["keys"][1]["kid"]
+    assert delegation_kid != audit_kid
+
+
+def test_persist_and_load():
+    with tempfile.NamedTemporaryFile(suffix=".json", delete=False) as f:
+        path = f.name
+    # Remove the empty file so KeyManager generates fresh keys
+    Path(path).unlink()
+    km1 = KeyManager(key_path=path)
+    jwks1 = km1.get_jwks()
+    km2 = KeyManager(key_path=path)
+    jwks2 = km2.get_jwks()
+    assert jwks1["keys"][0]["kid"] == jwks2["keys"][0]["kid"]
+    assert jwks1["keys"][1]["kid"] == jwks2["keys"][1]["kid"]
+    Path(path).unlink()
+
+
+def test_kid_property():
+    km = KeyManager()
+    assert isinstance(km.kid, str)
+    assert len(km.kid) == 16
+
+
+def test_audit_kid_property():
+    km = KeyManager()
+    assert isinstance(km.audit_kid, str)
+    assert km.audit_kid != km.kid