def post(self):
access_token = super().request.body
# Verify if valid CWT from AS
try:
decoded = cwt.decode(access_token,
key=super().ace_rs.as_public_key)
except SignatureVerificationFailed as error:
self.set_status(401)
self.set_header('Content-Type', 'application/json')
self.write(json.dumps([{'error': {'error': str(error)}}]))
return
# Check if audience claim in token matches audience id of this RS
if decoded[Keys.AUD] != super().ace_rs.audience:
self.set_status(403)
self.set_header('Content-Type', 'application/json')
self.write(json.dumps([{'error': 'Audience mismatch'}]))
return
# Extract PoP CoseKey
pop_key = CoseKey.from_cose(decoded[Keys.CNF][Key.COSE_KEY])
# Store token and PoP key id
super().ace_rs.token_cache.add_token(token=decoded,
pop_key_id=pop_key.key_id)
# Inform EDHOC Server about new key
super().ace_rs.edhoc_server.add_peer_identity(key_id=pop_key.key_id,
key=pop_key.key)
self.set_status(201)
async def render_post(self, request):
access_token = request.payload
# introspect_payload = self.introspect(access_token)
# Verify if valid CWT from AS
try:
decoded = cwt.decode(access_token,
key=self.resource_server.as_public_key)
except SignatureVerificationFailed as err:
return aiocoap.Message(code=aiocoap.UNAUTHORIZED)
# Check if audience claim in token matches audience identifier of this resource server
if decoded[CK.AUD] != self.resource_server.audience:
return aiocoap.Message(code=aiocoap.FORBIDDEN)
# Extract PoP Key
pop_key = CoseKey.from_cose(decoded[CK.CNF][Cose.COSE_KEY])
# Store token and store by PoP key id
self.resource_server.token_cache.add_token(token=decoded,
pop_key_id=pop_key.key_id)
# Inform EDHOC Server about new key
self.resource_server.edhoc_server.add_peer_identity(
pop_key.key_id, pop_key.key)
return aiocoap.Message(code=aiocoap.CREATED)
async def render_post(self, request):
access_token: bytes = request.payload
# Verify if CWT from AS is valid
try:
decoded = cwt.decode(encoded = access_token,
key = AceHandler.rs.as_public_key)
except SignatureVerificationFailed:
return aiocoap.Message(code = Code.UNAUTHORIZED)
# Check if audience claim in token matches audience id of this RS.
if decoded[Keys.AUD] != AceHandler.rs.audience:
return aiocoap.Message(code = Code.FORBIDDEN)
# Extract PoP CoseKey.
pop_key: CoseKey = CoseKey.from_cose(decoded[Keys.CNF][Key.COSE_KEY])
# Store token and PoP key id.
AceHandler.rs.token_cache.add_token(token = decoded,
pop_key_id = pop_key.key_id)
# Inform EDHOC Server about new key.
AceHandler.rs.edhoc_server.add_peer_identity(key_id = pop_key.key_id,
key = pop_key.key)
logging.info('AuthzInfo returning.')
return aiocoap.Message(code = Code.CREATED)
async def authz_info(self, request):
# Extract access token
access_token = await request.content.read()
# introspect_payload = self.introspect(access_token)
# Verify if valid CWT from AS
try:
decoded = cwt.decode(access_token, key=self.as_public_key)
except SignatureVerificationFailed as err:
return web.Response(status=401, body=dumps({'error': str(err)}))
# Check if audience claim in token matches audience identifier of this resource server
if decoded[CK.AUD] != self.audience:
return web.Response(status=403,
body=dumps({'error': 'Audience mismatch'}))
# Extract PoP Key
pop_key = CoseKey.from_cose(decoded[CK.CNF][Cose.COSE_KEY])
# Store token and store by PoP key id
self.token_cache.add_token(token=decoded, pop_key_id=pop_key.key_id)
# Inform EDHOC Server about new key
self.edhoc_server.add_peer_identity(pop_key.key_id, pop_key.key)
return web.Response(status=201)
def test_parse_token(self):
key = SigningKey.generate(curve=NIST256p)
pk = key.get_verifying_key()
cose_key = ecdsa_key_to_cose(pk, kid=b'you-know-that-one')
claims = {
CK.AUD: 'thatSensor01',
CK.SCOPE: 'r',
CK.IAT: 234234,
CK.CNF: { Key.COSE_KEY: cose_key }
}
token = cwt.encode(claims, key, kid=b'')
print(token.hex())
payload = cwt.decode(token, pk)
print(payload)
async def authz_info(self, request):
access_token = request.payload
# Verify if valid CWT from AS
try:
decoded = cwt.decode(access_token, key=self.as_public_key)
except SignatureVerificationFailed as err:
return aiocoap.Message(code=aiocoap.UNAUTHORIZED)
# Check if audience claim in token matches audience identifier of this resource server
if decoded[CK.AUD] != self.audience:
return web.Response(status=403,
body=dumps({'error': 'Audience mismatch'}))
# Extract PoP Key
pop_key = CoseKey.from_cose(decoded[CK.CNF][Cose.COSE_KEY])
# Store token and store by PoP key id
self.token_cache.add_token(token=decoded, pop_key_id=pop_key.key_id)
# Inform EDHOC Server about new key
self.edhoc_server.add_peer_identity(pop_key.key_id, pop_key.key)
return aiocoap.Message(code=aiocoap.CREATED)