def test_dump_private_jwks():
keys = [
{
"type": "RSA",
"use": ["enc", "sig"]
},
{
"type": "EC",
"crv": "P-256",
"use": ["sig"]
},
]
jwks, keyjar, kidd = build_keyjar(keys)
kbl = keyjar.issuer_keys['']
dump_jwks(kbl, 'foo.jwks', private=True)
kb_public = KeyBundle(source='file://./foo.jwks')
# All RSA keys
for k in kb_public.keys():
if k.kty == 'RSA':
assert k.d
assert k.p
assert k.q
else: # MUST be 'EC'
assert k.d
def export(self):
# has to be there
self.trace.info("EXPORT")
if self.client.keyjar is None:
self.client.keyjar = KeyJar()
kbl = []
kid_template = "a%d"
kid = 0
for typ, info in self.cconf["keys"].items():
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ)
for k in kb.keys():
k.serialize()
k.kid = kid_template % kid
kid += 1
self.client.kid[k.use][k.kty] = k.kid
self.client.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
self.client.jwks_uri = "%s%s" % (self.cconf["_base_url"], new_name)
except KeyError:
pass
if self.args.internal_server:
self._pop = start_key_server(self.cconf["_base_url"], self.args.script_path or None)
self.environ["keyprovider"] = self._pop
self.trace.info("Started key provider")
time.sleep(1)
def test_dump_public_jwks():
keys = [
{
"type": "RSA",
"use": ["enc", "sig"]
},
{
"type": "EC",
"crv": "P-256",
"use": ["sig"]
},
]
jwks, keyjar, kidd = build_keyjar(keys)
kbl = keyjar.issuer_keys[""]
dump_jwks(kbl, "foo.jwks")
kb_public = KeyBundle(source="file://./foo.jwks")
# All RSA keys
for k in kb_public.keys():
if k.kty == "RSA":
assert not k.d
assert not k.p
assert not k.q
else: # MUST be 'EC'
assert not k.d
def export(self, client, cconf, role):
# has to be there
self.trace.info("EXPORT")
if client.keyjar is None:
client.keyjar = KeyJar()
kbl = []
for typ, info in cconf["keys"].items():
kb = KeyBundle(source="file://%s" % info["key"],
fileformat="der", keytype=typ)
for k in kb.keys():
k.serialize()
client.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/%s_jwks.json" % role
dump_jwks(kbl, new_name)
client.jwks_uri = "%s%s" % (cconf["_base_url"], new_name)
except KeyError:
pass
if not self.args.external_server and not self.keysrv_running:
self._pop = start_key_server(cconf["_base_url"])
self.environ["keyprovider"] = self._pop
self.trace.info("Started key provider")
time.sleep(1)
self.keysrv_running = True
def __call__(self, conv, **kwargs):
# find the name of the file to which the JWKS should be written
try:
_uri = conv.client.registration_response["jwks_uri"]
except KeyError:
raise RequirementsNotMet("No dynamic key handling")
r = urlparse(_uri)
# find the old key for this key usage and mark that as inactive
for kb in conv.client.keyjar.issuer_keys[""]:
for key in kb.keys():
if key.use in self.new_key["use"]:
key.inactive = True
kid = 0
# only one key
_nk = self.new_key
_typ = _nk["type"].upper()
if _typ == "RSA":
kb = KeyBundle(source="file://%s" % _nk["key"],
fileformat="der",
keytype=_typ,
keyusage=_nk["use"])
else:
kb = {}
for k in kb.keys():
k.serialize()
k.kid = self.kid_template % kid
kid += 1
conv.client.kid[k.use][k.kty] = k.kid
conv.client.keyjar.add_kb("", kb)
dump_jwks(conv.client.keyjar[""], r.path[1:])
def export(self, client, cconf, role):
# has to be there
self.trace.info("EXPORT")
if client.keyjar is None:
client.keyjar = KeyJar()
kbl = []
for typ, info in cconf["keys"].items():
kb = KeyBundle(source="file://%s" % info["key"],
fileformat="der",
keytype=typ)
for k in kb.keys():
k.serialize()
client.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/%s_jwks.json" % role
dump_jwks(kbl, new_name)
client.jwks_uri = "%s%s" % (cconf["_base_url"], new_name)
except KeyError:
pass
if not self.args.external_server and not self.keysrv_running:
self._pop = start_key_server(cconf["_base_url"])
self.environ["keyprovider"] = self._pop
self.trace.info("Started key provider")
time.sleep(1)
self.keysrv_running = True
def __call__(self):
# find the name of the file to which the JWKS should be written
try:
_uri = self.conv.entity.registration_response["jwks_uri"]
except KeyError:
raise RequirementsNotMet("No dynamic key handling")
r = urlparse(_uri)
# find the old key for this key usage and mark that as inactive
for kb in self.conv.entity.keyjar.issuer_keys[""]:
for key in list(kb.keys()):
if key.use in self.new_key["use"]:
key.inactive = True
kid = 0
# only one key
_nk = self.new_key
_typ = _nk["type"].upper()
if _typ == "RSA":
kb = KeyBundle(source="file://%s" % _nk["key"],
fileformat="der", keytype=_typ,
keyusage=_nk["use"])
else:
kb = {}
for k in list(kb.keys()):
k.serialize()
k.kid = self.kid_template % kid
kid += 1
self.conv.entity.kid[k.use][k.kty] = k.kid
self.conv.entity.keyjar.add_kb("", kb)
dump_jwks(self.conv.entity.keyjar[""], r.path[1:])
def export_keys(keys):
kbl = []
keyjar = KeyJar()
for typ, info in keys.items():
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der",
keytype=typ)
keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
except KeyError:
pass
return keyjar
def export_keys(keys):
kbl = []
keyjar = KeyJar()
for typ, info in keys.items():
kb = KeyBundle(source="file://%s" % info["key"],
fileformat="der",
keytype=typ)
keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
except KeyError:
pass
return keyjar
def test_dump_private_jwks():
keys = [
{"type": "RSA", "use": ["enc", "sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]},
]
jwks, keyjar, kidd = build_keyjar(keys)
kbl = keyjar.issuer_keys['']
dump_jwks(kbl, 'foo.jwks', private=True)
kb_public = KeyBundle(source='file://./foo.jwks')
# All RSA keys
for k in kb_public.keys():
if k.kty == 'RSA':
assert k.d
assert k.p
assert k.q
else: # MUST be 'EC'
assert k.d
def init_keyjar(instance, keyspec, dump_filename="static/jwks.json"):
try:
instance.keyjar[""] = []
except (AttributeError, TypeError):
instance.keyjar = KeyJar()
instance.jwks_uri = []
instance.keyjar[""] = []
kbl = []
for typ, info in list(keyspec.items()):
typ = typ.upper()
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der",
keytype=typ)
instance.keyjar.add_kb("", kb)
kbl.append(kb)
try:
if dump_filename:
dump_jwks(kbl, dump_filename)
instance.jwks_uri.append("%s%s" % (instance.baseurl, dump_filename))
except KeyError:
pass
def __call__(self):
# find the name of the file to which the JWKS should be written
try:
_uri = self.conv.entity.registration_response["jwks_uri"]
except KeyError:
raise RequirementsNotMet("No dynamic key handling")
r = urlparse(_uri)
# find the old key for this key usage and mark that as inactive
for kb in self.conv.entity.keyjar.issuer_keys[""]:
for key in list(kb.keys()):
if key.use in self.new_key["use"]:
key.inactive = True
kid = 0
# only one key
_nk = self.new_key
_typ = _nk["type"].upper()
if _typ == "RSA":
error_to_catch = getattr(builtins, 'FileNotFoundError',
getattr(builtins, 'IOError'))
try:
kb = KeyBundle(source="file://%s" % _nk["key"],
fileformat="der",
keytype=_typ,
keyusage=_nk["use"])
except error_to_catch:
kb = _new_rsa_key(_nk)
else:
kb = {}
for k in list(kb.keys()):
k.serialize()
k.add_kid()
self.conv.entity.kid[k.use][k.kty] = k.kid
self.conv.entity.keyjar.add_kb("", kb)
dump_jwks(self.conv.entity.keyjar[""], r.path[1:])
def export(self):
# has to be there
self.trace.info("EXPORT")
kbl = []
for typ, info in self.cconf["keys"].items():
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der",
keytype=typ)
self.client.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
self.client.jwks_uri = "%s%s" % (self.cconf["_base_url"], new_name)
except KeyError:
pass
if self.args.internal_server:
self._pop = start_key_server(self.cconf["_base_url"])
self.environ["keyprovider"] = self._pop
self.trace.info("Started key provider")
time.sleep(1)
def export(self):
# has to be there
self.trace.info("EXPORT")
if self.client.keyjar is None:
self.client.keyjar = KeyJar()
kbl = []
kid_template = "a%d"
kid = 0
for typ, info in self.cconf["keys"].items():
kb = KeyBundle(source="file://%s" % info["key"],
fileformat="der",
keytype=typ)
for k in kb.keys():
k.serialize()
k.kid = kid_template % kid
kid += 1
self.client.kid[k.use][k.kty] = k.kid
self.client.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
self.client.jwks_uri = "%s%s" % (self.cconf["_base_url"], new_name)
except KeyError:
pass
if self.args.internal_server:
self._pop = start_key_server(self.cconf["_base_url"],
self.args.script_path or None)
self.environ["keyprovider"] = self._pop
self.trace.info("Started key provider")
time.sleep(1)
def init_keyjar(instance, keyspec, dump_filename="static/jwks.json"):
try:
instance.keyjar[""] = []
except (AttributeError, TypeError):
instance.keyjar = KeyJar()
instance.jwks_uri = []
instance.keyjar[""] = []
kbl = []
for typ, info in list(keyspec.items()):
typ = typ.upper()
kb = KeyBundle(source="file://%s" % info["key"],
fileformat="der",
keytype=typ)
instance.keyjar.add_kb("", kb)
kbl.append(kb)
try:
if dump_filename:
dump_jwks(kbl, dump_filename)
instance.jwks_uri.append("%s%s" %
(instance.baseurl, dump_filename))
except KeyError:
pass
def __init__(self, base_url, client_metadata_func):
# Read OP configuration from file
with open("conf/op_config.json", "r") as f:
op_capabilities = json.load(f)
for key, value in op_capabilities.iteritems():
if isinstance(value, basestring):
op_capabilities[key] = value.format(base=base_url) # replace placeholder with the actual base name
self.OP = Provider(base_url, {}, client_metadata_func, None, None, None, None, None,
capabilities=op_capabilities)
self.OP.baseurl = op_capabilities["issuer"]
# Setup up keys for signing and encrypting
self.OP.keyjar = KeyJar()
kb = keybundle_from_local_file("inAcademia", "RSA", ["sig", "enc"])
self.OP.keyjar.add_kb("", kb)
try:
file_name = "static/jwks.json"
dump_jwks([kb], file_name)
self.OP.jwks_uri.append("{}/{}".format(base_url, file_name))
except Exception as e:
logger.exception("Signing and encryption keys could not be written to jwks.json.")
raise
# Add own keys for signing/encrypting JWTs
try:
OAS.keyjar[""] = []
kbl = []
for typ, info in config.keys.items():
typ = typ.upper()
LOGGER.info("OC server key init: %s, %s" % (typ, info))
kb = KeyBundle(source="file://%s" % info["key"],
fileformat="der",
keytype=typ)
OAS.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
except KeyError:
pass
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
except Exception, err:
LOGGER.error("Key setup failed: %s" % err)
OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
# Setup the web server
SRV = wsgiserver.CherryPyWSGIServer(('0.0.0.0', args.port), application)
SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(config.SERVER_CERT,
config.SERVER_KEY,
# Add own keys for signing/encrypting JWTs
try:
OAS.keyjar[""] = []
kbl = []
for typ, info in config.keys.items():
typ = typ.upper()
LOGGER.info("OC server key init: %s, %s" % (typ, info))
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der",
keytype=typ)
OAS.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
except KeyError:
pass
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
except Exception, err:
LOGGER.error("Key setup failed: %s" % err)
OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
# Setup the web server
SRV = wsgiserver.CherryPyWSGIServer(('0.0.0.0', args.port), application)
if config.SERVICE_URL.startswith("https"):
SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(
import json
from oic.utils.keyio import build_keyjar
from oic.utils.keyio import dump_jwks
__author__ = 'roland'
key_conf = [{"type": "RSA", "use": ["enc", "sig"]}]
pub_jwks, keyjar, kdd = build_keyjar(key_conf, "tre%d", None, None)
dump_jwks(keyjar.issuer_keys[''], 'tre.jwks')
# # To get the private keys
# priv_jwks = keyjar.export_jwks(private=True)
#
# f = open('tre.jwks', 'w')
# f.write(json.dumps(priv_jwks))
# f.close()
