def __init__(self, msg=None, with_digest=False, **kwargs):
self.msg = msg
self._dict = {}
self.with_digest = with_digest
self.jwt = None
if kwargs:
for key in self.args:
try:
_val = kwargs[key]
except KeyError:
if key == "alg":
self._dict[key] = "none"
continue
if key == "jwk":
if isinstance(_val, dict):
self._dict["jwk"] = keyrep(_val)
elif isinstance(_val, str):
self._dict["jwk"] = keyrep(json.loads(_val))
else:
self._dict["jwk"] = _val
elif key == "x5c" or key == "crit":
self._dict["x5c"] = _val or []
else:
self._dict[key] = _val
def __init__(self, msg=None, with_digest=False, **kwargs):
self.msg = msg
self._dict = {}
self.with_digest = with_digest
self.jwt = None
if kwargs:
for key in self.args:
try:
_val = kwargs[key]
except KeyError:
if key == "alg":
self._dict[key] = "none"
continue
if key == "jwk":
if isinstance(_val, dict):
self._dict["jwk"] = keyrep(_val)
elif isinstance(_val, str):
self._dict["jwk"] = keyrep(json.loads(_val))
else:
self._dict["jwk"] = _val
elif key == "x5c" or key == "crit":
self._dict["x5c"] = _val or []
else:
self._dict[key] = _val
def __init__(self, auth_req_callback_func, internal_attributes, conf):
super().__init__(auth_req_callback_func, internal_attributes, conf)
self.root_key = keyrep(conf["root_key_jwk"])
self.software_statements = conf["software_statements"]
self.federation_keys = []
for k in conf["federations_jwk"]:
self.federation_keys.append(keyrep(k))
def init_oidc_fed_rp(cnf):
name = cnf["SERVER_NAME"]
with open(cnf["RELYING_PARTY_CONFIG"]) as f:
rp_config = yaml.safe_load(f)
root_key = keyrep(rp_config["root_key_jwk"])
federation_keys = [keyrep(jwk) for jwk in rp_config["federations_jwk"]]
return RP(name, root_key, rp_config["software_statements"], federation_keys, name + "/signed_jwks")
def init_fed_op(cnf):
with open(cnf["PROVIDER_CONFIG"]) as f:
provider_config = yaml.safe_load(f)
root_key = keyrep(provider_config["root_key_jwk"])
federation_keys = [keyrep(jwk) for jwk in provider_config["federations_jwk"]]
authn_broker = AuthnBroker()
name = "https://" + cnf["SERVER_NAME"]
user = "******"
authn_broker.add("password", NoAuthn(None, user))
provider = Provider(name, SessionDB(name), {}, authn_broker, None, AuthzHandling(), verify_client, None)
return OP(name, root_key, provider_config["software_statements"], federation_keys, name + "/signed_jwks",
provider, name + "/jwks")
def test_private_key_from_jwk():
keys = []
kspec = json.loads(open(full_path("jwk_private_key.json")).read())
keys.append(keyrep(kspec))
key = keys[0]
assert isinstance(key.n, six.integer_types)
assert isinstance(key.e, six.integer_types)
assert isinstance(key.d, six.integer_types)
assert isinstance(key.p, six.integer_types)
assert isinstance(key.q, six.integer_types)
assert isinstance(key.dp, six.integer_types)
assert isinstance(key.dq, six.integer_types)
assert isinstance(key.qi, six.integer_types)
_d = key.to_dict()
print(_d)
print(_d.keys())
assert _eq(list(_d.keys()), [
'n', 'alg', 'dq', 'e', 'q', 'p', 'dp', 'd', 'ext', 'key_ops', 'kty',
'qi'
])
assert _eq(list(_d.keys()), kspec.keys())
def parse_header(self, encheader):
for attr, val in json.loads(b64d(str(encheader))).items():
if attr == "jwk":
self["jwk"] = keyrep(val)
else:
self[attr] = val
if "kid" in self:
try:
assert isinstance(self["kid"], basestring)
except AssertionError:
raise HeaderError("kid of wrong value type")
def _get_client_public_key(self, access_token):
_jws = jws.factory(access_token)
if _jws:
data = _jws.verify_compact(access_token,
self.keyjar.get_verify_key(owner=""))
try:
return keyrep(data["cnf"]["jwk"])
except KeyError:
raise NonPoPTokenError(
"Could not extract public key as JWK from access token")
raise NonPoPTokenError("Unsigned access token, maybe not PoP?")
def _get_client_public_key(self, access_token):
_jws = jws.factory(access_token)
if _jws:
data = _jws.verify_compact(access_token,
self.keyjar.get_verify_key(owner=""))
try:
return keyrep(data["cnf"]["jwk"])
except KeyError:
raise NonPoPTokenError(
"Could not extract public key as JWK from access token")
raise NonPoPTokenError("Unsigned access token, maybe not PoP?")
def jwk_dict_to_public_key(jwk):
""" Converts the specified JWK into a public key. """
jwkest_key = keyrep(jwk)
if isinstance(jwkest_key, RSAKey):
pycrypto_key = jwkest_key.key
return RSAPublicNumbers(e=pycrypto_key.e,
n=pycrypto_key.n).public_key(default_backend())
elif isinstance(jwkest_key, ECKey):
x, y = jwkest_key.get_key()
return EllipticCurvePublicNumbers(x, y, jwkest_key.curve).public_key(
default_backend())
raise Exception("Unsupported kind of JWK: %s", str(type(jwkest_key)))
def __init__(self, msg=None, **kwargs):
self.msg = msg
self._dict = {"kid": ""}
if kwargs:
for key in self.args:
try:
_val = kwargs[key]
except KeyError:
if key == "alg":
self._dict[key] = "none"
continue
if key == "jwk":
if isinstance(_val, dict):
self._dict["jwk"] = keyrep(_val)
elif isinstance(_val, basestring):
self._dict["jwk"] = keyrep(json.loads(_val))
else:
self._dict["jwk"] = _val
elif key == "x5c" or key == "crit":
self._dict["x5c"] = _val or []
else:
self._dict[key] = _val
def main():
parser = ArgumentParser()
parser.add_argument("entity_data_path", help="path to the data for the software statement")
parser.add_argument("keypath",
help="path to private JWK key to use for signing the software statement")
args = parser.parse_args()
with open(args.keypath) as f:
jwk = f.read()
key = keyrep(json.loads(jwk))
with open(args.entity_data_path) as f:
entity_data = f.read()
print(Federation(key).create_software_statement(json.loads(entity_data)))
def _verify_signature_chain(self, software_statements, signing_key):
# type: (Sequence[str], str) -> Tuple[str, Key]
"""
Verify the signature chain: signature of software statement (containing root key) and
signature of a signing key (in the form of a JWS).
:param software_statements: all software statements from the provider
:param signing_key: the entity's intermediate signing key
:return:
"""
software_statement = self._verify_software_statements(software_statements)
root_key = keyrep(software_statement.msg["root_key"])
signing_key = self._verify_signing_key(signing_key, root_key)
return software_statement, signing_key
def _verify_signing_key(self, signing_key, verification_key):
# type: (str, Key) -> Key
"""
Verify the signature of an intermediate signing key.
:param signing_key: JWS containing the providers intermediate key
:param verification_key: key to verify the signature with
:raise OIDCFederationError: if the signature could not be verified
:return: key contained in the JWS
"""
try:
signing_key = self._verify(signing_key, keys=[verification_key]).msg
except JWKESTException as e:
raise OIDCFederationError("The entity's signing key could not be verified.")
return keyrep(signing_key)
def test_private_key_from_jwk():
keys = []
kspec = json.loads(open(full_path("jwk_private_key.json")).read())
keys.append(keyrep(kspec))
key = keys[0]
assert isinstance(key.n, six.integer_types)
assert isinstance(key.e, six.integer_types)
assert isinstance(key.d, six.integer_types)
assert isinstance(key.p, six.integer_types)
assert isinstance(key.q, six.integer_types)
assert isinstance(key.dp, six.integer_types)
assert isinstance(key.dq, six.integer_types)
assert isinstance(key.qi, six.integer_types)
_d = key.to_dict()
print(_d)
print(_d.keys())
assert _eq(list(_d.keys()), ["n", "alg", "dq", "e", "q", "p", "dp", "d", "ext", "key_ops", "kty", "qi"])
assert _eq(list(_d.keys()), kspec.keys())
def test_private_key_from_jwk():
keys = []
kspec = json.loads(open("jwk_private_key.json").read())
keys.append(keyrep(kspec))
key = keys[0]
assert isinstance(key.n, six.integer_types)
assert isinstance(key.e, six.integer_types)
assert isinstance(key.d, six.integer_types)
assert isinstance(key.p, six.integer_types)
assert isinstance(key.q, six.integer_types)
assert isinstance(key.dp, six.integer_types)
assert isinstance(key.dq, six.integer_types)
assert isinstance(key.qi, six.integer_types)
_d = key.to_dict()
print(_d)
print(_d.keys())
assert _eq(list(_d.keys()),
['n', 'alg', 'dq', 'e', 'q', 'p', 'dp', 'd', 'ext', 'key_ops',
'kty', 'qi'])
assert _eq(list(_d.keys()), kspec.keys())
args = parser.parse_args()
if args.log:
setup_logging(args.log)
_kid = args.kid
keys = []
if args.rsa_file:
keys.append(
RSAKey(key=import_rsa_key_from_file(args.rsa_file), kid=_kid))
if args.hmac_key:
keys.append(SYMKey(key=args.hmac_key))
if args.jwk:
kspec = json.loads(open(args.jwk).read())
keys.append(keyrep(kspec))
if args.jwks:
txt = open(args.jwks).read()
keys.extend(jwks_load(txt))
if not keys:
exit(-1)
if args.msg_file:
message = open(args.msg_file).read().strip("\n")
elif args.message == "-":
message = sys.stdin.read()
else:
message = args.message
def parse_header(self, encheader):
for attr, val in json.loads(b64d(str(encheader))).items():
if attr == "jwk":
self["jwk"] = keyrep(val)
else:
self[attr] = val
def parse_header(self, encheader):
for attr, val in json.loads(b64d(str(encheader))).items():
if attr == "jwk":
self["jwk"] = keyrep(val)
else:
self[attr] = val
parser.add_argument('-j', dest="jwk", help="JSON Web Key")
parser.add_argument('-J', dest="jwks", help="JSON Web Keys")
parser.add_argument("message", nargs="?", help="The message")
args = parser.parse_args()
keys = []
if args.rsa_file:
keys = [RSAKey(key=import_rsa_key_from_file(args.rsa_file))]
elif args.hmac_key:
keys = [SYMKey(key=args.hmac_key)]
if args.jwk:
kspec = json.loads(open(args.jwk).read())
keys.append(keyrep(kspec))
if args.jwks:
keys.extend(load_jwks(open(args.jwk).read()))
if not keys:
exit(-1)
if args.msg_file:
if args.msg_file == "A.2.1":
message = open("A.2.1").read().replace("\n","\r\n")
else:
message = open(args.msg_file).read().strip("\n")
elif args.message == "-":
message = sys.stdin.read()
else:
