def create_signers(jb, ms_path, csms_def, fos): signers = {} for sig, use_def in csms_def.items(): ms_spec = {} for usage, spec in use_def.items(): ms_spec[usage] = os.path.join(ms_path, quote_plus(sig), usage) signers[sig] = Signer(InternalSigningService(sig, jb[sig]), ms_spec) for fo in fos: signers[fo] = Signer(InternalSigningService(fo, jb[fo])) return signers
def setup(keydefs, tool_iss, liss, csms_def, oa, ms_path): sig_keys = build_keyjar(keydefs)[1] key_bundle = make_fs_jwks_bundle(tool_iss, liss, sig_keys, keydefs, './') sig_keys = build_keyjar(keydefs)[1] jb = FSJWKSBundle(tool_iss, sig_keys, 'fo_jwks', key_conv={ 'to': quote_plus, 'from': unquote_plus }) # Need to save the private parts jb.bundle.value_conv['to'] = keyjar_to_jwks_private jb.bundle.sync() operator = {} for entity, _keyjar in jb.items(): operator[entity] = Operator(iss=entity, keyjar=_keyjar) signers = {} for sig, sms_def in csms_def.items(): ms_dir = os.path.join(ms_path, sig) metadata_statements = FileSystem(ms_dir) for name, spec in sms_def.items(): res = make_signed_metadata_statement(spec, operator) metadata_statements[name] = res['ms'] _iss = oa[sig] signers[_iss] = Signer( InternalSigningService(_iss, operator[_iss].keyjar), ms_dir) return signers, key_bundle
def create_federation_entity(iss, conf, fos, sup, entity=''): _keybundle = FSJWKSBundle('', fdir=conf.JWKS_DIR, key_conv={ 'to': quote_plus, 'from': unquote_plus }) # Organisation information _kj = _keybundle[sup] fname = os.path.join(conf.MS_DIR, quote_plus(sup)) signer = Signer(InternalSigningService(sup, _kj), fname) # And then the FOs jb = JWKSBundle('') for fo in fos: jb[fo] = _keybundle[fo] # The OPs own signing keys _keys = build_keyjar(conf.SIG_DEF_KEYS)[1] return FederationEntity(entity, iss=iss, keyjar=_keys, signer=signer, fo_bundle=jb)
def setup_ms(csms_def, ms_path, mds_dir, base_url, operators): """ :param csms_def: Definition of which signed metadata statements to build :param ms_path: Where to store the signed metadata statements and uris :param mds_dir: Directory where singed metadata statements published using ms_uri are kept :param base_url: Common base URL to all metadata_statement_uris :param operators: Dictionary with federation Operators :return: A tuple of (Signer dictionary and FSJWKSBundle instance) """ mds = MetaDataStore(mds_dir) mds.clear() for iss, sms_def in csms_def.items(): ms_dir = os.path.join(ms_path, quote_plus(iss)) for context, spec in sms_def.items(): _dir = os.path.join(ms_dir, context) metadata_statements = FileSystem(_dir, key_conv={ 'to': quote_plus, 'from': unquote_plus }) metadata_statements.clear() for fo, _desc in spec.items(): res = make_signed_metadata_statement(_desc, operators, mds, base_url) try: metadata_statements.update(res['ms']) except KeyError: pass try: metadata_statements.update(res['ms_uri']) except KeyError: pass signers = {} for iss, sms_def in csms_def.items(): ms_dir = os.path.join(ms_path, quote_plus(iss)) signers[iss] = Signer( InternalSigningService(iss, operators[iss].keyjar), ms_dir) return signers
def test_ace(): jb = JWKSBundle('') for iss in ['https://example.org/', 'https://example.com/']: jb[iss] = build_keyjar(KEYDEFS)[1] kj = build_keyjar(KEYDEFS)[1] sign_serv = InternalSigningService('https://signer.example.com', signing_keys=kj) signer = Signer(sign_serv) signer.metadata_statements['response'] = { 'https://example.org/': 'https://example.org/sms1' } ent = FederationEntity(None, keyjar=kj, signer=signer, fo_bundle=jb) req = MetadataStatement(foo='bar') ent.ace(req, ['https://example.org/'], 'response') assert 'metadata_statements' in req assert 'signing_keys' not in req
def create_federation_entity(iss, jwks_dir, sup='', fo_jwks=None, ms_dir='', entity=None, sig_keys=None, sig_def_keys=None): fname = os.path.join(ms_dir, quote_plus(sup)) if fo_jwks: _keybundle = FSJWKSBundle('', fdir=fo_jwks, key_conv={ 'to': quote_plus, 'from': unquote_plus }) # Organisation information _kj = _keybundle[sup] signer = Signer(InternalSigningService(sup, _kj), ms_dir=fname) else: signer = Signer(ms_dir=fname) # And then the FOs public keys _public_keybundle = FSJWKSBundle('', fdir=jwks_dir, key_conv={ 'to': quote_plus, 'from': unquote_plus }) # The OPs own signing keys if sig_keys is None: sig_keys = build_keyjar(sig_def_keys)[1] return FederationEntity(entity, iss=iss, keyjar=sig_keys, signer=signer, fo_bundle=_public_keybundle)
from fedoidc import MetadataStatement from fedoidc.signing_service import InternalSigningService from fedoidc.signing_service import Signer from oic.utils.keyio import build_keyjar KEYDEFS= [{"type": "RSA", "key": "keys/{}.key", "use": ["sig"]}] parser = argparse.ArgumentParser() parser.add_argument('-i', dest='iss') parser.add_argument('-m', dest='ms_dir', default='ms_dir') parser.add_argument(dest="statement") args = parser.parse_args() _keydefs = [] for spec in KEYDEFS: spec['key'] = spec['key'].format(quote_plus(args.iss)) _keydefs.append(spec) sig_keys = build_keyjar(KEYDEFS)[1] signing_service = InternalSigningService(iss=args.iss, signing_keys=sig_keys) signer = Signer(signing_service, args.ms_dir) _args = json.loads(open(args.statement,'r').read()) _mds = MetadataStatement(**_args) _mds.verify() print(signer.create_signed_metadata_statement(_mds, single=True))
from oic.utils.keyio import KeyJar parser = argparse.ArgumentParser() parser.add_argument('-i', dest='issuer', help="issuer id of the OP") parser.add_argument('-c', dest='context', help="OIDC operation") parser.add_argument('-t', dest='target') parser.add_argument(dest="filename") args = parser.parse_args() oa = args.issuer qpoa = quote_plus(oa) _kj = KeyJar() _jwks = json.loads(open(os.path.join('fo_jwks', qpoa)).read()) _kj.import_jwks(_jwks, oa) sign_serv = InternalSigningService(iss=oa, signing_keys=_kj) signer = Signer(sign_serv, ms_dir=os.path.join('ms', qpoa)) _req = open(args.filename, 'r').read() _msg = MetadataStatement() _msg.from_json(_req) _res = signer.create_signed_metadata_statement(_msg, context=args.context) for iss, sms in _res.items(): _qp = quote_plus(iss) _dn = os.path.join(args.target, qpoa, args.context) if not os.path.isdir(_dn): os.makedirs(_dn) _fn = os.path.join(_dn, _qp) _fp = open(_fn, 'w') _fp.write(sms)
sys.path.insert(0, ".") config = importlib.import_module(args.config) if args.port: _signer_id = "{}:{}".format(config.SIGNER_ID, args.port) else: _signer_id = config.SIGNER_ID _keydefs = [] for spec in config.KEYDEFS: spec['key'] = spec['key'].format(quote_plus(_signer_id)) _keydefs.append(spec) sig_keys = build_keyjar(_keydefs)[1] signing_service = InternalSigningService(iss=_signer_id, signing_keys=sig_keys) signer = Signer(signing_service, config.MS_DIR) cherrypy.tree.mount(Operator(signer), '/', operator_config) # If HTTPS if args.tls: cherrypy.server.ssl_certificate = config.SERVER_CERT cherrypy.server.ssl_private_key = config.SERVER_KEY if config.CA_BUNDLE: cherrypy.server.ssl_certificate_chain = config.CA_BUNDLE cherrypy.engine.start() cherrypy.engine.block()
pi['signing_keys'] = sign_kj.export_jwks(issuer=_op.baseurl) print(pi.to_json()) elif args.context == 'response': req = {'signing_keys': sign_kj.export_jwks(issuer=_op.baseurl)} print(json.dumps(req)) exit(0) fed_ent = create_federation_entity(iss=_op.baseurl, ms_dir=config.MS_DIR, jwks_dir=config.JWKS_DIR, sup=config.SUPERIOR, fo_jwks=config.FO_JWKS, sig_keys=sign_kj, sig_def_keys=config.SIG_DEF_KEYS) fed_ent.signer.signing_service = InternalSigningService( _op.baseurl, sign_kj) _op.federation_entity = fed_ent fed_ent.httpcli = _op # WebFinger webfinger_config = {'/': {'base_url': _op.baseurl}} cherrypy.tree.mount(cpop.WebFinger(webfinger.WebFinger()), '/.well-known/webfinger', webfinger_config) cherrypy.tree.mount(cpop.Provider(_op), '/', provider_config) # If HTTPS if args.tls: cherrypy.server.ssl_certificate = config.SERVER_CERT cherrypy.server.ssl_private_key = config.SERVER_KEY
import argparse import json import os from oic.utils.keyio import KeyJar from fedoidc import MetadataStatement from fedoidc.signing_service import InternalSigningService parser = argparse.ArgumentParser() parser.add_argument('-r', dest='request') parser.add_argument('-a', dest='alg', default='RS256') parser.add_argument(dest="nickname") args = parser.parse_args() if not os.path.isdir(args.nickname): print('No such entity') exit(-1) kj = KeyJar() iss = open(os.path.join(args.nickname, 'iss')).read() jwks = open(os.path.join(args.nickname, 'jwks')).read() kj.import_jwks(jwks=json.loads(jwks), issuer=iss) sigserv = InternalSigningService(iss=iss, signing_keys=kj, alg=args.alg) msg = MetadataStatement() msg.from_json(open(args.request).read()) print(sigserv(msg))