def test_dump_private_jwks(): keys = [ { "type": "RSA", "use": ["enc", "sig"] }, { "type": "EC", "crv": "P-256", "use": ["sig"] }, ] jwks, keyjar, kidd = build_keyjar(keys) kbl = keyjar.issuer_keys[''] dump_jwks(kbl, 'foo.jwks', private=True) kb_public = KeyBundle(source='file://./foo.jwks') # All RSA keys for k in kb_public.keys(): if k.kty == 'RSA': assert k.d assert k.p assert k.q else: # MUST be 'EC' assert k.d
def export(self): # has to be there self.trace.info("EXPORT") if self.client.keyjar is None: self.client.keyjar = KeyJar() kbl = [] kid_template = "a%d" kid = 0 for typ, info in self.cconf["keys"].items(): kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) for k in kb.keys(): k.serialize() k.kid = kid_template % kid kid += 1 self.client.kid[k.use][k.kty] = k.kid self.client.keyjar.add_kb("", kb) kbl.append(kb) try: new_name = "static/jwks.json" dump_jwks(kbl, new_name) self.client.jwks_uri = "%s%s" % (self.cconf["_base_url"], new_name) except KeyError: pass if self.args.internal_server: self._pop = start_key_server(self.cconf["_base_url"], self.args.script_path or None) self.environ["keyprovider"] = self._pop self.trace.info("Started key provider") time.sleep(1)
def test_dump_public_jwks(): keys = [ { "type": "RSA", "use": ["enc", "sig"] }, { "type": "EC", "crv": "P-256", "use": ["sig"] }, ] jwks, keyjar, kidd = build_keyjar(keys) kbl = keyjar.issuer_keys[""] dump_jwks(kbl, "foo.jwks") kb_public = KeyBundle(source="file://./foo.jwks") # All RSA keys for k in kb_public.keys(): if k.kty == "RSA": assert not k.d assert not k.p assert not k.q else: # MUST be 'EC' assert not k.d
def export(self, client, cconf, role): # has to be there self.trace.info("EXPORT") if client.keyjar is None: client.keyjar = KeyJar() kbl = [] for typ, info in cconf["keys"].items(): kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) for k in kb.keys(): k.serialize() client.keyjar.add_kb("", kb) kbl.append(kb) try: new_name = "static/%s_jwks.json" % role dump_jwks(kbl, new_name) client.jwks_uri = "%s%s" % (cconf["_base_url"], new_name) except KeyError: pass if not self.args.external_server and not self.keysrv_running: self._pop = start_key_server(cconf["_base_url"]) self.environ["keyprovider"] = self._pop self.trace.info("Started key provider") time.sleep(1) self.keysrv_running = True
def __call__(self, conv, **kwargs): # find the name of the file to which the JWKS should be written try: _uri = conv.client.registration_response["jwks_uri"] except KeyError: raise RequirementsNotMet("No dynamic key handling") r = urlparse(_uri) # find the old key for this key usage and mark that as inactive for kb in conv.client.keyjar.issuer_keys[""]: for key in kb.keys(): if key.use in self.new_key["use"]: key.inactive = True kid = 0 # only one key _nk = self.new_key _typ = _nk["type"].upper() if _typ == "RSA": kb = KeyBundle(source="file://%s" % _nk["key"], fileformat="der", keytype=_typ, keyusage=_nk["use"]) else: kb = {} for k in kb.keys(): k.serialize() k.kid = self.kid_template % kid kid += 1 conv.client.kid[k.use][k.kty] = k.kid conv.client.keyjar.add_kb("", kb) dump_jwks(conv.client.keyjar[""], r.path[1:])
def __call__(self): # find the name of the file to which the JWKS should be written try: _uri = self.conv.entity.registration_response["jwks_uri"] except KeyError: raise RequirementsNotMet("No dynamic key handling") r = urlparse(_uri) # find the old key for this key usage and mark that as inactive for kb in self.conv.entity.keyjar.issuer_keys[""]: for key in list(kb.keys()): if key.use in self.new_key["use"]: key.inactive = True kid = 0 # only one key _nk = self.new_key _typ = _nk["type"].upper() if _typ == "RSA": kb = KeyBundle(source="file://%s" % _nk["key"], fileformat="der", keytype=_typ, keyusage=_nk["use"]) else: kb = {} for k in list(kb.keys()): k.serialize() k.kid = self.kid_template % kid kid += 1 self.conv.entity.kid[k.use][k.kty] = k.kid self.conv.entity.keyjar.add_kb("", kb) dump_jwks(self.conv.entity.keyjar[""], r.path[1:])
def export_keys(keys): kbl = [] keyjar = KeyJar() for typ, info in keys.items(): kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) keyjar.add_kb("", kb) kbl.append(kb) try: new_name = "static/jwks.json" dump_jwks(kbl, new_name) except KeyError: pass return keyjar
def test_dump_private_jwks(): keys = [ {"type": "RSA", "use": ["enc", "sig"]}, {"type": "EC", "crv": "P-256", "use": ["sig"]}, ] jwks, keyjar, kidd = build_keyjar(keys) kbl = keyjar.issuer_keys[''] dump_jwks(kbl, 'foo.jwks', private=True) kb_public = KeyBundle(source='file://./foo.jwks') # All RSA keys for k in kb_public.keys(): if k.kty == 'RSA': assert k.d assert k.p assert k.q else: # MUST be 'EC' assert k.d
def init_keyjar(instance, keyspec, dump_filename="static/jwks.json"): try: instance.keyjar[""] = [] except (AttributeError, TypeError): instance.keyjar = KeyJar() instance.jwks_uri = [] instance.keyjar[""] = [] kbl = [] for typ, info in list(keyspec.items()): typ = typ.upper() kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) instance.keyjar.add_kb("", kb) kbl.append(kb) try: if dump_filename: dump_jwks(kbl, dump_filename) instance.jwks_uri.append("%s%s" % (instance.baseurl, dump_filename)) except KeyError: pass
def __call__(self): # find the name of the file to which the JWKS should be written try: _uri = self.conv.entity.registration_response["jwks_uri"] except KeyError: raise RequirementsNotMet("No dynamic key handling") r = urlparse(_uri) # find the old key for this key usage and mark that as inactive for kb in self.conv.entity.keyjar.issuer_keys[""]: for key in list(kb.keys()): if key.use in self.new_key["use"]: key.inactive = True kid = 0 # only one key _nk = self.new_key _typ = _nk["type"].upper() if _typ == "RSA": error_to_catch = getattr(builtins, 'FileNotFoundError', getattr(builtins, 'IOError')) try: kb = KeyBundle(source="file://%s" % _nk["key"], fileformat="der", keytype=_typ, keyusage=_nk["use"]) except error_to_catch: kb = _new_rsa_key(_nk) else: kb = {} for k in list(kb.keys()): k.serialize() k.add_kid() self.conv.entity.kid[k.use][k.kty] = k.kid self.conv.entity.keyjar.add_kb("", kb) dump_jwks(self.conv.entity.keyjar[""], r.path[1:])
def export(self): # has to be there self.trace.info("EXPORT") kbl = [] for typ, info in self.cconf["keys"].items(): kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) self.client.keyjar.add_kb("", kb) kbl.append(kb) try: new_name = "static/jwks.json" dump_jwks(kbl, new_name) self.client.jwks_uri = "%s%s" % (self.cconf["_base_url"], new_name) except KeyError: pass if self.args.internal_server: self._pop = start_key_server(self.cconf["_base_url"]) self.environ["keyprovider"] = self._pop self.trace.info("Started key provider") time.sleep(1)
def __init__(self, base_url, client_metadata_func): # Read OP configuration from file with open("conf/op_config.json", "r") as f: op_capabilities = json.load(f) for key, value in op_capabilities.iteritems(): if isinstance(value, basestring): op_capabilities[key] = value.format(base=base_url) # replace placeholder with the actual base name self.OP = Provider(base_url, {}, client_metadata_func, None, None, None, None, None, capabilities=op_capabilities) self.OP.baseurl = op_capabilities["issuer"] # Setup up keys for signing and encrypting self.OP.keyjar = KeyJar() kb = keybundle_from_local_file("inAcademia", "RSA", ["sig", "enc"]) self.OP.keyjar.add_kb("", kb) try: file_name = "static/jwks.json" dump_jwks([kb], file_name) self.OP.jwks_uri.append("{}/{}".format(base_url, file_name)) except Exception as e: logger.exception("Signing and encryption keys could not be written to jwks.json.") raise
# Add own keys for signing/encrypting JWTs try: OAS.keyjar[""] = [] kbl = [] for typ, info in config.keys.items(): typ = typ.upper() LOGGER.info("OC server key init: %s, %s" % (typ, info)) kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) OAS.keyjar.add_kb("", kb) kbl.append(kb) try: new_name = "static/jwks.json" dump_jwks(kbl, new_name) OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name)) except KeyError: pass for b in OAS.keyjar[""]: LOGGER.info("OC3 server keys: %s" % b) except Exception, err: LOGGER.error("Key setup failed: %s" % err) OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"}) # Setup the web server SRV = wsgiserver.CherryPyWSGIServer(('0.0.0.0', args.port), application) SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(config.SERVER_CERT, config.SERVER_KEY,
# Add own keys for signing/encrypting JWTs try: OAS.keyjar[""] = [] kbl = [] for typ, info in config.keys.items(): typ = typ.upper() LOGGER.info("OC server key init: %s, %s" % (typ, info)) kb = KeyBundle(source="file://%s" % info["key"], fileformat="der", keytype=typ) OAS.keyjar.add_kb("", kb) kbl.append(kb) try: new_name = "static/jwks.json" dump_jwks(kbl, new_name) OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name)) except KeyError: pass for b in OAS.keyjar[""]: LOGGER.info("OC3 server keys: %s" % b) except Exception, err: LOGGER.error("Key setup failed: %s" % err) OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"}) # Setup the web server SRV = wsgiserver.CherryPyWSGIServer(('0.0.0.0', args.port), application) if config.SERVICE_URL.startswith("https"): SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(
import json from oic.utils.keyio import build_keyjar from oic.utils.keyio import dump_jwks __author__ = 'roland' key_conf = [{"type": "RSA", "use": ["enc", "sig"]}] pub_jwks, keyjar, kdd = build_keyjar(key_conf, "tre%d", None, None) dump_jwks(keyjar.issuer_keys[''], 'tre.jwks') # # To get the private keys # priv_jwks = keyjar.export_jwks(private=True) # # f = open('tre.jwks', 'w') # f.write(json.dumps(priv_jwks)) # f.close()