def jwks(self):
    """Fetch the provider's JWK set from its ``jwks_uri`` and return it.

    A fresh ``KEYS`` instance is loaded on every call.

    TODO: cache with respect to ``self.issuer_config``; keys are currently
    reloaded each time (does not matter for Zappa until keys are cached
    to Redis).
    """
    jwk_set = KEYS()
    jwks_uri = self.oidc_config['jwks_uri']
    jwk_set.load_from_url(jwks_uri)
    return jwk_set
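def __missing__(self, kid):
    """
    Loads the public key for this handler from the OIDC service.

    Invoked by ``dict`` on a cache miss for ``kid``; on success the resolved
    key object is stored under ``kid`` and returned.

    Raises PublicKeyLoadException on failure (download error, unknown
    ``kid``, or no RSA representation of the key).
    """
    keys_url = self._login_service._oidc_config()["jwks_uri"]

    # NOTE(review): TLS certificate verification of the JWKS endpoint is
    # switched off whenever the DEBUGGING setting is on, so a deployment that
    # leaves DEBUGGING enabled would accept any certificate, and therefore any
    # signing key, for this URL. Keep DEBUGGING off outside local development.
    verify_tls = not self._login_service.config.get("DEBUGGING", False)

    # Load the keys.
    try:
        keys = KEYS()
        keys.load_from_url(keys_url, verify=verify_tls)
    except Exception as ex:
        logger.exception("Exception loading public key")
        raise PublicKeyLoadException(str(ex))

    # Find the matching key.
    keys_found = keys.by_kid(kid)
    if not keys_found:
        raise PublicKeyLoadException("Public key %s not found" % kid)

    rsa_keys = [key for key in keys_found if key.kty == "RSA"]
    if not rsa_keys:
        # Message wording fixed: the previous text was a double negative
        # ("No RSA form ... not found").
        raise PublicKeyLoadException(
            "No RSA form of public key %s found" % kid)

    matching_key = rsa_keys[0]
    matching_key.deserialize()

    # Reload the key so that we can give a key *instance* to PyJWT to work
    # around its weird parsing issues.
    final_key = load_der_public_key(matching_key.key.exportKey("DER"),
                                    backend=default_backend())
    self[kid] = final_key
    return final_key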
def get_jwks_keys(self):
    """Return the provider's JWK set with the client secret merged in.

    The key set is downloaded from ``self.jwks_uri()``; the client secret is
    then added as a symmetric (``oct``) key so the same set can be used for
    HMAC signatures.
    """
    jwk_set = KEYS()
    jwk_set.load_from_url(self.jwks_uri())
    _client_id, client_secret = self.get_key_and_secret()
    # The client secret doubles as the HMAC key.
    jwk_set.add({'kty': 'oct', 'key': client_secret})
    return jwk_set
def signing_keys(self):
    """Return the keys used to verify token signatures.

    For ``RS256`` the provider's JWK set is fetched from ``self.jwks_uri`` on
    every call and only its RSA entries are returned. For any other
    algorithm a single symmetric key built from the client secret is
    returned.
    """
    if self.signing_alg != self.RS256:
        return [SYMKey(key=str(self.client_secret))]
    # TODO perform caching, OBVIOUS
    jwk_set = KEYS()
    jwk_set.load_from_url(self.jwks_uri)
    # Presumably raises KeyError if the set holds no RSA keys — confirm.
    return jwk_set.as_dict()['RSA']
def _get_jwks_keys(shared_key):
    """
    Returns JWKS keys used to decrypt id_token values.

    The key set is fetched from ``PROVIDER_JWKS_ENDPOINT`` and ``shared_key``
    is appended to it as a symmetric key.
    """
    # The OpenID Connect Provider (OP) uses RSA keys to sign/encrypt ID tokens and
    # generate public keys allowing to decrypt them. These public keys are exposed
    # through the 'jwks_uri' and should be used to decrypt the JWS - JSON Web Signature.
    provider_keys = KEYS()
    provider_keys.load_from_url(oidc_rp_settings.PROVIDER_JWKS_ENDPOINT)
    # The shared key (which can correspond to the client_secret) is added as an
    # oct key so it can be used for HMAC signatures.
    symmetric_entry = {'kty': 'oct', 'key': smart_bytes(shared_key)}
    provider_keys.add(symmetric_entry)
    return provider_keys
def get_jwks_keys(self):
    """
    Returns the keys used by the IdP, with the client secret merged into the
    JWK set fetched from ``self.JWKS_URI``.

    NOTE(review): the previous docstring stated the response is cached for
    24 hours; no caching is visible in this method itself, so it presumably
    happens in the loader or a wrapper — confirm.
    """
    jwk_set = KEYS()
    jwk_set.load_from_url(self.JWKS_URI)
    _client_id, client_secret = self.get_key_and_secret()
    # The client secret is added as an oct key so it can be used for HMAC
    # signatures.
    jwk_set.add({'kty': 'oct', 'key': client_secret})
    return jwk_set
def _get_keys(self):
    """Resolve the verification keys referenced by this object's members.

    Checks, in order, ``jwk`` (embedded key), ``jku`` (remote JWK set URL)
    and ``x5u`` (remote X.509 certificate URL). Returns a one-element list
    for ``jwk``, a dict keyed by key type for ``jku``/``x5u``, and an empty
    dict when none is present or the certificate cannot be loaded.

    NOTE(review): ``jku``/``x5u`` look like JOSE header members, i.e. they
    arrive with the token itself; whatever calls this should restrict which
    URLs it trusts before relying on keys fetched this way — confirm against
    the caller.
    """
    if "jwk" in self:
        return [self["jwk"]]
    if "jku" in self:
        remote_set = KEYS()
        remote_set.load_from_url(self["jku"])
        return remote_set.as_dict()
    if "x5u" in self:
        # Best effort: a certificate that fails to load yields no keys rather
        # than an error. (A chain variant, load_x509_cert_chain, was never
        # wired in.)
        try:
            return {"rsa": [load_x509_cert(self["x5u"], {})]}
        except Exception:
            pass
    return {}
def _get_jwks_keys(shared_key):
    """
    Returns JWKS keys used to decrypt id_token values.

    The key set is fetched from ``AUTH_OPENID_PROVIDER_JWKS_ENDPOINT`` and
    ``shared_key`` is appended to it as a symmetric key. Progress is traced
    at DEBUG level.
    """
    # The OpenID Connect Provider (OP) uses RSA keys to sign/encrypt ID tokens and
    # generate public keys allowing to decrypt them. These public keys are exposed
    # through the 'jwks_uri' and should be used to decrypt the JWS - JSON Web Signature.
    log_prompt = "Get jwks keys: {}"
    debug = logger.debug
    debug(log_prompt.format('Start'))
    provider_keys = KEYS()
    debug(log_prompt.format('Load from provider jwks endpoint'))
    provider_keys.load_from_url(settings.AUTH_OPENID_PROVIDER_JWKS_ENDPOINT)
    # The shared key (which can correspond to the client_secret) is added as an
    # oct key so it can be used for HMAC signatures.
    debug(log_prompt.format('Add key'))
    symmetric_entry = {'kty': 'oct', 'key': smart_bytes(shared_key)}
    provider_keys.add(symmetric_entry)
    debug(log_prompt.format('End'))
    return provider_keys
def _get_keys(self):
    """Resolve the verification keys referenced by this object's members.

    Logs the available member names at DEBUG level, then checks, in order,
    ``jwk`` (embedded key), ``jku`` (remote JWK set URL) and ``x5u`` (remote
    X.509 certificate URL). Returns a one-element list for ``jwk``, a dict
    keyed by key type for ``jku``/``x5u``, and an empty dict when none is
    present or the certificate cannot be loaded.

    NOTE(review): ``jku``/``x5u`` look like JOSE header members, i.e. they
    arrive with the token itself; whatever calls this should restrict which
    URLs it trusts before relying on keys fetched this way — confirm against
    the caller.
    """
    member_names = self._dict.keys()
    logger.debug("_get_keys(): self._dict.keys={0}".format(member_names))
    if "jwk" in self:
        return [self["jwk"]]
    if "jku" in self:
        remote_set = KEYS()
        remote_set.load_from_url(self["jku"])
        return remote_set.as_dict()
    if "x5u" in self:
        # Best effort: a certificate that fails to load yields no keys rather
        # than an error. (A chain variant, load_x509_cert_chain, was never
        # wired in.)
        try:
            return {"rsa": [load_x509_cert(self["x5u"], {})]}
        except Exception:
            pass
    return {}
kid=_kid)) if args.hmac_key: keys.append(SYMKey(key=args.hmac_key)) if args.jwk: kspec = json.loads(open(args.jwk).read()) keys.append(keyrep(kspec)) if args.jwks: _k = KEYS() _k.load_jwks(open(args.jwks).read()) keys.extend(_k._keys) if args.jwks_url: _k = KEYS() _k.load_from_url(args.jwks_url, False) keys.extend(_k._keys) if not keys: exit(-1) if args.msg_file: message = open(args.msg_file).read().strip("\n") elif args.message == "-": message = sys.stdin.read() else: message = args.message if args.sign: _msg = sign(message, keys, args.alg, args.msgtype) if args.encrypt:
def jwks(self):
    """Fetch the provider's JWK set from its ``jwks_uri`` and return it.

    A fresh ``KEYS`` instance is loaded on every call; nothing is cached here.
    """
    jwks_uri = self.oidc_config['jwks_uri']
    jwk_set = KEYS()
    jwk_set.load_from_url(jwks_uri)
    return jwk_set
RSAKey(key=import_rsa_key_from_file(args.rsa_file), kid=_kid)) if args.hmac_key: keys.append(SYMKey(key=args.hmac_key)) if args.jwk: kspec = json.loads(open(args.jwk).read()) keys.append(keyrep(kspec)) if args.jwks: _k = KEYS() _k.load_jwks(open(args.jwks).read()) keys.extend(_k._keys) if args.jwks_url: _k = KEYS() _k.load_from_url(args.jwks_url, False) keys.extend(_k._keys) if not keys: exit(-1) if args.msg_file: message = open(args.msg_file).read().strip("\n") elif args.message == "-": message = sys.stdin.read() else: message = args.message if args.sign: _msg = sign(message, keys, args.alg, args.msgtype) if args.encrypt: