def create_signers(jb, ms_path, csms_def, fos):
signers = {}
for sig, use_def in csms_def.items():
ms_spec = {}
for usage, spec in use_def.items():
ms_spec[usage] = os.path.join(ms_path, quote_plus(sig), usage)
signers[sig] = Signer(InternalSigningService(sig, jb[sig]), ms_spec)
for fo in fos:
signers[fo] = Signer(InternalSigningService(fo, jb[fo]))
return signers
def setup(keydefs, tool_iss, liss, csms_def, oa, ms_path):
sig_keys = build_keyjar(keydefs)[1]
key_bundle = make_fs_jwks_bundle(tool_iss, liss, sig_keys, keydefs, './')
sig_keys = build_keyjar(keydefs)[1]
jb = FSJWKSBundle(tool_iss,
sig_keys,
'fo_jwks',
key_conv={
'to': quote_plus,
'from': unquote_plus
})
# Need to save the private parts
jb.bundle.value_conv['to'] = keyjar_to_jwks_private
jb.bundle.sync()
operator = {}
for entity, _keyjar in jb.items():
operator[entity] = Operator(iss=entity, keyjar=_keyjar)
signers = {}
for sig, sms_def in csms_def.items():
ms_dir = os.path.join(ms_path, sig)
metadata_statements = FileSystem(ms_dir)
for name, spec in sms_def.items():
res = make_signed_metadata_statement(spec, operator)
metadata_statements[name] = res['ms']
_iss = oa[sig]
signers[_iss] = Signer(
InternalSigningService(_iss, operator[_iss].keyjar), ms_dir)
return signers, key_bundle
def create_federation_entity(iss, conf, fos, sup, entity=''):
_keybundle = FSJWKSBundle('',
fdir=conf.JWKS_DIR,
key_conv={
'to': quote_plus,
'from': unquote_plus
})
# Organisation information
_kj = _keybundle[sup]
fname = os.path.join(conf.MS_DIR, quote_plus(sup))
signer = Signer(InternalSigningService(sup, _kj), fname)
# And then the FOs
jb = JWKSBundle('')
for fo in fos:
jb[fo] = _keybundle[fo]
# The OPs own signing keys
_keys = build_keyjar(conf.SIG_DEF_KEYS)[1]
return FederationEntity(entity,
iss=iss,
keyjar=_keys,
signer=signer,
fo_bundle=jb)
def setup_ms(csms_def, ms_path, mds_dir, base_url, operators):
"""
:param csms_def: Definition of which signed metadata statements to build
:param ms_path: Where to store the signed metadata statements and uris
:param mds_dir: Directory where singed metadata statements published using
ms_uri are kept
:param base_url: Common base URL to all metadata_statement_uris
:param operators: Dictionary with federation Operators
:return: A tuple of (Signer dictionary and FSJWKSBundle instance)
"""
mds = MetaDataStore(mds_dir)
mds.clear()
for iss, sms_def in csms_def.items():
ms_dir = os.path.join(ms_path, quote_plus(iss))
for context, spec in sms_def.items():
_dir = os.path.join(ms_dir, context)
metadata_statements = FileSystem(_dir,
key_conv={
'to': quote_plus,
'from': unquote_plus
})
metadata_statements.clear()
for fo, _desc in spec.items():
res = make_signed_metadata_statement(_desc, operators, mds,
base_url)
try:
metadata_statements.update(res['ms'])
except KeyError:
pass
try:
metadata_statements.update(res['ms_uri'])
except KeyError:
pass
signers = {}
for iss, sms_def in csms_def.items():
ms_dir = os.path.join(ms_path, quote_plus(iss))
signers[iss] = Signer(
InternalSigningService(iss, operators[iss].keyjar), ms_dir)
return signers
def test_ace():
jb = JWKSBundle('')
for iss in ['https://example.org/', 'https://example.com/']:
jb[iss] = build_keyjar(KEYDEFS)[1]
kj = build_keyjar(KEYDEFS)[1]
sign_serv = InternalSigningService('https://signer.example.com',
signing_keys=kj)
signer = Signer(sign_serv)
signer.metadata_statements['response'] = {
'https://example.org/': 'https://example.org/sms1'
}
ent = FederationEntity(None, keyjar=kj, signer=signer, fo_bundle=jb)
req = MetadataStatement(foo='bar')
ent.ace(req, ['https://example.org/'], 'response')
assert 'metadata_statements' in req
assert 'signing_keys' not in req
def create_federation_entity(iss,
jwks_dir,
sup='',
fo_jwks=None,
ms_dir='',
entity=None,
sig_keys=None,
sig_def_keys=None):
fname = os.path.join(ms_dir, quote_plus(sup))
if fo_jwks:
_keybundle = FSJWKSBundle('',
fdir=fo_jwks,
key_conv={
'to': quote_plus,
'from': unquote_plus
})
# Organisation information
_kj = _keybundle[sup]
signer = Signer(InternalSigningService(sup, _kj), ms_dir=fname)
else:
signer = Signer(ms_dir=fname)
# And then the FOs public keys
_public_keybundle = FSJWKSBundle('',
fdir=jwks_dir,
key_conv={
'to': quote_plus,
'from': unquote_plus
})
# The OPs own signing keys
if sig_keys is None:
sig_keys = build_keyjar(sig_def_keys)[1]
return FederationEntity(entity,
iss=iss,
keyjar=sig_keys,
signer=signer,
fo_bundle=_public_keybundle)
from fedoidc import MetadataStatement
from fedoidc.signing_service import InternalSigningService
from fedoidc.signing_service import Signer
from oic.utils.keyio import build_keyjar
KEYDEFS= [{"type": "RSA", "key": "keys/{}.key", "use": ["sig"]}]
parser = argparse.ArgumentParser()
parser.add_argument('-i', dest='iss')
parser.add_argument('-m', dest='ms_dir', default='ms_dir')
parser.add_argument(dest="statement")
args = parser.parse_args()
_keydefs = []
for spec in KEYDEFS:
spec['key'] = spec['key'].format(quote_plus(args.iss))
_keydefs.append(spec)
sig_keys = build_keyjar(KEYDEFS)[1]
signing_service = InternalSigningService(iss=args.iss, signing_keys=sig_keys)
signer = Signer(signing_service, args.ms_dir)
_args = json.loads(open(args.statement,'r').read())
_mds = MetadataStatement(**_args)
_mds.verify()
print(signer.create_signed_metadata_statement(_mds, single=True))
from oic.utils.keyio import KeyJar
parser = argparse.ArgumentParser()
parser.add_argument('-i', dest='issuer', help="issuer id of the OP")
parser.add_argument('-c', dest='context', help="OIDC operation")
parser.add_argument('-t', dest='target')
parser.add_argument(dest="filename")
args = parser.parse_args()
oa = args.issuer
qpoa = quote_plus(oa)
_kj = KeyJar()
_jwks = json.loads(open(os.path.join('fo_jwks', qpoa)).read())
_kj.import_jwks(_jwks, oa)
sign_serv = InternalSigningService(iss=oa, signing_keys=_kj)
signer = Signer(sign_serv, ms_dir=os.path.join('ms', qpoa))
_req = open(args.filename, 'r').read()
_msg = MetadataStatement()
_msg.from_json(_req)
_res = signer.create_signed_metadata_statement(_msg, context=args.context)
for iss, sms in _res.items():
_qp = quote_plus(iss)
_dn = os.path.join(args.target, qpoa, args.context)
if not os.path.isdir(_dn):
os.makedirs(_dn)
_fn = os.path.join(_dn, _qp)
_fp = open(_fn, 'w')
_fp.write(sms)
sys.path.insert(0, ".")
config = importlib.import_module(args.config)
if args.port:
_signer_id = "{}:{}".format(config.SIGNER_ID, args.port)
else:
_signer_id = config.SIGNER_ID
_keydefs = []
for spec in config.KEYDEFS:
spec['key'] = spec['key'].format(quote_plus(_signer_id))
_keydefs.append(spec)
sig_keys = build_keyjar(_keydefs)[1]
signing_service = InternalSigningService(iss=_signer_id,
signing_keys=sig_keys)
signer = Signer(signing_service, config.MS_DIR)
cherrypy.tree.mount(Operator(signer), '/', operator_config)
# If HTTPS
if args.tls:
cherrypy.server.ssl_certificate = config.SERVER_CERT
cherrypy.server.ssl_private_key = config.SERVER_KEY
if config.CA_BUNDLE:
cherrypy.server.ssl_certificate_chain = config.CA_BUNDLE
cherrypy.engine.start()
cherrypy.engine.block()
pi['signing_keys'] = sign_kj.export_jwks(issuer=_op.baseurl)
print(pi.to_json())
elif args.context == 'response':
req = {'signing_keys': sign_kj.export_jwks(issuer=_op.baseurl)}
print(json.dumps(req))
exit(0)
fed_ent = create_federation_entity(iss=_op.baseurl,
ms_dir=config.MS_DIR,
jwks_dir=config.JWKS_DIR,
sup=config.SUPERIOR,
fo_jwks=config.FO_JWKS,
sig_keys=sign_kj,
sig_def_keys=config.SIG_DEF_KEYS)
fed_ent.signer.signing_service = InternalSigningService(
_op.baseurl, sign_kj)
_op.federation_entity = fed_ent
fed_ent.httpcli = _op
# WebFinger
webfinger_config = {'/': {'base_url': _op.baseurl}}
cherrypy.tree.mount(cpop.WebFinger(webfinger.WebFinger()),
'/.well-known/webfinger', webfinger_config)
cherrypy.tree.mount(cpop.Provider(_op), '/', provider_config)
# If HTTPS
if args.tls:
cherrypy.server.ssl_certificate = config.SERVER_CERT
cherrypy.server.ssl_private_key = config.SERVER_KEY
import argparse
import json
import os
from oic.utils.keyio import KeyJar
from fedoidc import MetadataStatement
from fedoidc.signing_service import InternalSigningService
parser = argparse.ArgumentParser()
parser.add_argument('-r', dest='request')
parser.add_argument('-a', dest='alg', default='RS256')
parser.add_argument(dest="nickname")
args = parser.parse_args()
if not os.path.isdir(args.nickname):
print('No such entity')
exit(-1)
kj = KeyJar()
iss = open(os.path.join(args.nickname, 'iss')).read()
jwks = open(os.path.join(args.nickname, 'jwks')).read()
kj.import_jwks(jwks=json.loads(jwks), issuer=iss)
sigserv = InternalSigningService(iss=iss, signing_keys=kj, alg=args.alg)
msg = MetadataStatement()
msg.from_json(open(args.request).read())
print(sigserv(msg))