spiffe 0.1.0__tar.gz

spiffe-0.1.0/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

spiffe-0.1.0/PKG-INFO

@@ -0,0 +1,111 @@
+Metadata-Version: 2.1
+Name: spiffe
+Version: 0.1.0
+Summary: Python library for SPIFFE support
+License: Apache-2.0
+Author: Max Lambrecht
+Author-email: maxlambrecht@gmail.com
+Requires-Python: >=3.9,<4.0
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Dist: cryptography (>=42.0,<43.0)
+Requires-Dist: grpcio (>=1.62,<2.0)
+Requires-Dist: pem (>=23.0,<24.0)
+Requires-Dist: pyasn1 (>=0.6.0,<0.7.0)
+Requires-Dist: pyasn1-modules (>=0.4.0,<0.5.0)
+Requires-Dist: pyjwt[crypto] (>=2.0,<3.0)
+Description-Content-Type: text/markdown
+
+# `spiffe` Module
+
+## Overview
+
+The `spiffe` module, part of the `py-spiffe` library, provides Python developers with essential tools for interacting
+with
+the [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md). It streamlines
+the management and validation of SPIFFE identities, including support for
+both [X509-SVIDs](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md)
+and [JWT-SVIDs](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md), and
+[SPIFFE Bundles](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#3-spiffe-bundles).
+
+## Usage
+
+Below are examples demonstrating the core functionalities of the `spiffe` module.
+
+Prerequisites:
+
+1. Running [SPIRE](https://spiffe.io/spire/) or another SPIFFE Workload API implementation.
+2. `SPIFFE_ENDPOINT_SOCKET` environment variable set to the address of the Workload
+   API (e.g. `unix:/tmp/spire-agent/public/api.sock`). Alternatively the socket address can be
+   provided programmatically.
+
+### WorkloadApiClient
+
+Facilitates fetching X.509 and JWT SVIDs and Bundles, and validating JWT tokens communicating with the SPIFFE Workload
+API.
+
+```python
+from spiffe import WorkloadApiClient
+
+# Interacting with the Workload API to fetch SVIDs
+with WorkloadApiClient() as client:
+    # Fetch a X.509 SVID
+    x509_svid = client.fetch_x509_svid()
+    print(f'SPIFFE ID: {x509_svid.spiffe_id}')
+    print(f'Certificate chain: {x509_svid.cert_chain}')
+
+    # Fetch a JWT SVID
+    jwt_svid = client.fetch_jwt_svid(audience={'test'})
+
+    # Validate JWT SVID
+    validated_svid = client.validate_jwt_svid(jwt_svid.token, audience='test')
+    print(f'Validated JWT SVID for audience `test`: {jwt_svid.spiffe_id}')
+
+    # Fetch bundles of public keys
+    x509_bundles = client.fetch_x509_bundles()
+    jwt_bundles = client.fetch_jwt_bundles
+```
+
+### X509Source
+
+Automatically fetches X.509 SVIDs and Bundles from the SPIFFE Workload API and continuously receives updates. This
+ensures your application always uses valid certificates without manual intervention.
+
+```python
+from spiffe import X509Source
+from spiffe import TrustDomain
+
+with X509Source() as source:
+    # Access the fetched X.509 SVID
+    x509_svid = source.svid
+    print(f'SPIFFE ID: {x509_svid.spiffe_id}')
+    print(f'Certificate chain: {[cert for cert in x509_svid.cert_chain]}')
+
+    # Access the fetched X.509 Bundle for a specific Trust Domain
+    x509_bundle = source.get_bundle_for_trust_domain(TrustDomain('example.org'))
+    print(f'X.509 Bundle for example.org: {x509_bundle}')
+```
+
+### JwtSource
+
+Facilitates the management and validation of JWT SVIDs and Bundles. It automatically fetches JWT SVIDs from the SPIFFE
+Workload API and validates them against the JWT bundles for their trust domains.
+
+```python
+from spiffe import JwtSource
+from spiffe import TrustDomain
+from spiffe import JwtSvid
+
+with JwtSource() as source:
+    jwt_svid = source.fetch_svid(audience={'test'})
+    print(f'SPIFFE ID: {jwt_svid.spiffe_id}')
+
+    jwt_bundle = source.get_bundle_for_trust_domain(TrustDomain('example.org'))
+    validated_svid = JwtSvid.parse_and_validate(jwt_svid.token, jwt_bundle, audience={'test'})
+```
+
+

spiffe-0.1.0/README.md

@@ -0,0 +1,88 @@
+# `spiffe` Module
+
+## Overview
+
+The `spiffe` module, part of the `py-spiffe` library, provides Python developers with essential tools for interacting
+with
+the [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md). It streamlines
+the management and validation of SPIFFE identities, including support for
+both [X509-SVIDs](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md)
+and [JWT-SVIDs](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md), and
+[SPIFFE Bundles](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#3-spiffe-bundles).
+
+## Usage
+
+Below are examples demonstrating the core functionalities of the `spiffe` module.
+
+Prerequisites:
+
+1. Running [SPIRE](https://spiffe.io/spire/) or another SPIFFE Workload API implementation.
+2. `SPIFFE_ENDPOINT_SOCKET` environment variable set to the address of the Workload
+   API (e.g. `unix:/tmp/spire-agent/public/api.sock`). Alternatively the socket address can be
+   provided programmatically.
+
+### WorkloadApiClient
+
+Facilitates fetching X.509 and JWT SVIDs and Bundles, and validating JWT tokens communicating with the SPIFFE Workload
+API.
+
+```python
+from spiffe import WorkloadApiClient
+
+# Interacting with the Workload API to fetch SVIDs
+with WorkloadApiClient() as client:
+    # Fetch a X.509 SVID
+    x509_svid = client.fetch_x509_svid()
+    print(f'SPIFFE ID: {x509_svid.spiffe_id}')
+    print(f'Certificate chain: {x509_svid.cert_chain}')
+
+    # Fetch a JWT SVID
+    jwt_svid = client.fetch_jwt_svid(audience={'test'})
+
+    # Validate JWT SVID
+    validated_svid = client.validate_jwt_svid(jwt_svid.token, audience='test')
+    print(f'Validated JWT SVID for audience `test`: {jwt_svid.spiffe_id}')
+
+    # Fetch bundles of public keys
+    x509_bundles = client.fetch_x509_bundles()
+    jwt_bundles = client.fetch_jwt_bundles
+```
+
+### X509Source
+
+Automatically fetches X.509 SVIDs and Bundles from the SPIFFE Workload API and continuously receives updates. This
+ensures your application always uses valid certificates without manual intervention.
+
+```python
+from spiffe import X509Source
+from spiffe import TrustDomain
+
+with X509Source() as source:
+    # Access the fetched X.509 SVID
+    x509_svid = source.svid
+    print(f'SPIFFE ID: {x509_svid.spiffe_id}')
+    print(f'Certificate chain: {[cert for cert in x509_svid.cert_chain]}')
+
+    # Access the fetched X.509 Bundle for a specific Trust Domain
+    x509_bundle = source.get_bundle_for_trust_domain(TrustDomain('example.org'))
+    print(f'X.509 Bundle for example.org: {x509_bundle}')
+```
+
+### JwtSource
+
+Facilitates the management and validation of JWT SVIDs and Bundles. It automatically fetches JWT SVIDs from the SPIFFE
+Workload API and validates them against the JWT bundles for their trust domains.
+
+```python
+from spiffe import JwtSource
+from spiffe import TrustDomain
+from spiffe import JwtSvid
+
+with JwtSource() as source:
+    jwt_svid = source.fetch_svid(audience={'test'})
+    print(f'SPIFFE ID: {jwt_svid.spiffe_id}')
+
+    jwt_bundle = source.get_bundle_for_trust_domain(TrustDomain('example.org'))
+    validated_svid = JwtSvid.parse_and_validate(jwt_svid.token, jwt_bundle, audience={'test'})
+```
+

spiffe-0.1.0/pyproject.toml

@@ -0,0 +1,53 @@
+[tool.poetry]
+name = "spiffe"
+version = "0.1.0"
+description = "Python library for SPIFFE support"
+authors = ["Max Lambrecht <maxlambrecht@gmail.com>"]
+readme = "README.md"
+license = "Apache-2.0"
+
+[tool.poetry.dependencies]
+python = "^3.9" # >= 3.9, < 4.0
+grpcio = "^1.62"
+cryptography = "^42.0"
+pyjwt = { version = "^2.0", extras = ["crypto"] }
+pyasn1 = "~0.6.0"
+pyasn1-modules = "~0.4.0"
+pem = "^23.0"
+
+[tool.poetry.dev-dependencies]
+black = "^24.3"
+mypy = "^1.9"
+mypy-protobuf = "^3.0"
+pytest = "^8.1"
+pytest-mock = "^3.0"
+pre-commit = "^3.7"
+flake8 = "^7.0"
+testutils = { path = "../testutils" }
+
+[build-system]
+requires = ["poetry-core>=1.9.0"]
+build-backend = "poetry.core.masonry.api"
+
+# Tool configurations
+[tool.black]
+line-length = 95
+skip-string-normalization = true
+target-version = ['py39']
+exclude = '''
+/(
+    src/spiffe/proto
+)/
+'''
+
+[tool.mypy]
+ignore_missing_imports = true
+files = ["src", "tests"]
+
+[tool.pytest.ini_options]
+addopts = [
+    "--doctest-modules",
+]
+testpaths = [
+    "tests",
+]

spiffe-0.1.0/src/spiffe/__init__.py

@@ -0,0 +1,12 @@
+# Re-exports main types for user convenience
+from .workloadapi.x509_source import X509Source  # noqa: F401
+from .workloadapi.jwt_source import JwtSource  # noqa: F401
+from .workloadapi.workload_api_client import WorkloadApiClient  # noqa: F401
+
+from .spiffe_id.spiffe_id import SpiffeId, TrustDomain  # noqa: F401
+from .svid.x509_svid import X509Svid  # noqa: F401
+from .svid.jwt_svid import JwtSvid  # noqa: F401
+from .bundle.x509_bundle.x509_bundle import X509Bundle  # noqa: F401
+from .bundle.x509_bundle.x509_bundle_set import X509BundleSet  # noqa: F401
+from .bundle.jwt_bundle.jwt_bundle import JwtBundle  # noqa: F401
+from .bundle.jwt_bundle.jwt_bundle_set import JwtBundleSet  # noqa: F401

spiffe-0.1.0/src/spiffe/bundle/__init__.py

@@ -0,0 +1,3 @@
+"""
+Bundles Package. Contains information related to X509 and JWT Bundles.
+"""

spiffe-0.1.0/src/spiffe/bundle/jwt_bundle/__init__.py

@@ -0,0 +1,3 @@
+"""
+JWT Bundle Module. Contains information for JWT Bundles.
+"""

spiffe-0.1.0/src/spiffe/bundle/jwt_bundle/errors.py

@@ -0,0 +1,39 @@
+"""
+(C) Copyright 2021 Hewlett Packard Enterprise Development LP
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may
+not use this file except in compliance with the License. You may obtain
+a copy of the License at
+
+https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+License for the specific language governing permissions and limitations
+under the License.
+"""
+
+"""
+This module handles JWT bundle exceptions.
+"""
+
+from spiffe.errors import PySpiffeError
+
+
+class JwtBundleError(PySpiffeError):
+    """Exception raised for JwtBundle module related errors."""
+
+
+class ParseJWTBundleError(JwtBundleError):
+    """Error raised when unable to parse a JWT bundle from bytes."""
+
+    def __init__(self, detail: str) -> None:
+        super().__init__(f'Error parsing JWT bundle: {detail}')
+
+
+class AuthorityNotFoundError(JwtBundleError):
+    """Error raised when an authority is not found for a given key ID."""
+
+    def __init__(self, key_id: str) -> None:
+        super().__init__(f'Authority not found for key ID: {key_id}')

spiffe-0.1.0/src/spiffe/bundle/jwt_bundle/jwt_bundle.py

@@ -0,0 +1,151 @@
+"""
+(C) Copyright 2021 Hewlett Packard Enterprise Development LP
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may
+not use this file except in compliance with the License. You may obtain
+a copy of the License at
+
+https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+License for the specific language governing permissions and limitations
+under the License.
+"""
+
+"""
+JwtBundle module manages JwtBundle objects.
+"""
+
+import threading
+from json import JSONDecodeError
+from jwt.api_jwk import PyJWKSet
+from jwt.exceptions import InvalidKeyError, PyJWKSetError
+from typing import Dict, Union, Optional
+from cryptography.hazmat.primitives.asymmetric import ec, rsa, dsa, ed25519, ed448
+
+from spiffe.spiffe_id.spiffe_id import TrustDomain
+from spiffe.bundle.jwt_bundle.errors import JwtBundleError, ParseJWTBundleError
+from spiffe.errors import ArgumentError
+
+_PUBLIC_KEY_TYPES = Union[
+    dsa.DSAPublicKey,
+    rsa.RSAPublicKey,
+    ec.EllipticCurvePublicKey,
+    ed25519.Ed25519PublicKey,
+    ed448.Ed448PublicKey,
+]
+
+
+class JwtBundle(object):
+    """Represents a JWT Bundle.
+
+    JwtBundle is a collection of trusted JWT public keys for a trust domain.
+    """
+
+    def __init__(
+        self, trust_domain: TrustDomain, jwt_authorities: Dict[str, _PUBLIC_KEY_TYPES]
+    ) -> None:
+        """Creates a JwtBundle instance.
+
+        Args:
+            trust_domain: The TrustDomain to associate with the JwtBundle instance.
+            jwt_authorities: A dictionary with key_id->PublicKey valid for the given TrustDomain.
+
+        Raises:
+            JWTBundleError: In case the trust_domain is empty.
+        """
+        self.lock = threading.Lock()
+
+        if not trust_domain:
+            raise JwtBundleError("Trust domain cannot be empty")
+
+        self._trust_domain = trust_domain
+        self._jwt_authorities = jwt_authorities.copy() if jwt_authorities else {}
+
+    @property
+    def trust_domain(self) -> TrustDomain:
+        """Returns the trust domain of the bundle."""
+        return self._trust_domain
+
+    @property
+    def jwt_authorities(self) -> Dict[str, _PUBLIC_KEY_TYPES]:
+        """Returns a copy of JWT authorities in the bundle."""
+        with self.lock:
+            return self._jwt_authorities.copy()
+
+    def get_jwt_authority(self, key_id: Optional[str]) -> Optional[_PUBLIC_KEY_TYPES]:
+        """Returns the authority for the specified key_id.
+
+        Args:
+            key_id: Key id of the token to return the correspondent authority.
+
+        Returns:
+            The authority associated with the supplied key_id.
+            None if the key_id is not found.
+
+        Raises:
+            ArgumentError: When key_id is not valid (empty or None).
+        """
+        if not key_id:
+            raise ArgumentError('key_id cannot be empty')
+
+        with self.lock:
+            return self._jwt_authorities.get(key_id)
+
+    @classmethod
+    def parse(cls, trust_domain: TrustDomain, bundle_bytes: bytes) -> 'JwtBundle':
+        """Parses a bundle from bytes. The data must be a standard RFC 7517 JWKS document.
+
+        Args:
+            trust_domain: A TrustDomain to associate to the bundle.
+            bundle_bytes: An array of bytes that represents a set of JWKs.
+
+        Returns:
+            An instance of 'JWTBundle' with the JWT authorities associated to the given trust domain.
+
+        Raises:
+            ArgumentError: In case the trust_domain is empty or bundle_bytes is empty.
+            ParseJWTBundleError: In case the set of jwt_authorities cannot be parsed from the bundle_bytes.
+        """
+
+        if not trust_domain:
+            raise ArgumentError("Trust domain cannot be empty")
+
+        if not bundle_bytes:
+            raise ArgumentError('Bundle bytes cannot be empty')
+
+        try:
+            jwks = PyJWKSet.from_json(bundle_bytes.decode('utf-8'))
+        except InvalidKeyError as err:
+            raise ParseJWTBundleError(str(err)) from err
+        except (PyJWKSetError, JSONDecodeError, AttributeError) as err:
+            raise ParseJWTBundleError(
+                '"bundle_bytes" does not represent a valid jwks'
+            ) from err
+
+        jwt_authorities = {}
+        for jwk in jwks.keys:
+            if not jwk.key_id:
+                raise ParseJWTBundleError(
+                    'Error adding authority from JWKS: "keyID" cannot be empty'
+                )
+
+            jwt_authorities[jwk.key_id] = jwk.key
+
+        return JwtBundle(trust_domain, jwt_authorities)
+
+    def __eq__(self, o: object) -> bool:
+        if not isinstance(o, JwtBundle):
+            return False
+        with self.lock:
+            return (
+                self._trust_domain.__eq__(o._trust_domain)
+                and self._jwt_authorities == o._jwt_authorities
+            )
+
+    def __hash__(self):
+        trust_domain_hash = hash(self.trust_domain)
+        authorities_hash = hash(tuple(hash(authority) for authority in self._jwt_authorities))
+        return hash((trust_domain_hash, authorities_hash))