diff --git a/example/satosa/integration_test/main.py b/example/satosa/integration_test/main.py
index f99af9dd..49aabe4c 100644
--- a/example/satosa/integration_test/main.py
+++ b/example/satosa/integration_test/main.py
@@ -7,7 +7,7 @@
 from pyeudiw.jwt import DEFAULT_SIG_KTY_MAP
 from pyeudiw.presentation_exchange.schemas.oid4vc_presentation_definition import PresentationDefinition
-from pyeudiw.tests.federation.base_ec import (
+from pyeudiw.tests.federation.base import (
 EXP,
 leaf_cred,
 leaf_cred_jwk,
@@ -37,7 +37,7 @@
 from saml2_sp import saml2_request, IDP_BASEURL
 from sd_jwt.holder import SDJWTHolder
-from settings_ec import (
+from settings import (
 CONFIG_DB,
 RP_EID,
 WALLET_INSTANCE_ATTESTATION,
diff --git a/example/satosa/integration_test/settings.py b/example/satosa/integration_test/settings.py
index ea20cf4c..ae3ffe9c 100644
--- a/example/satosa/integration_test/settings.py
+++ b/example/satosa/integration_test/settings.py
@@ -110,7 +110,7 @@
 ]
 }
 rp_signer = JWS(
- rp_ec, alg="RS256",
+ rp_ec, alg="ES256",
 typ="application/entity-statement+jwt"
 )
@@ -125,11 +125,11 @@
 }
 }
 ta_signer = JWS(
- _es, alg="RS256",
+ _es, alg="ES256",
 typ="application/entity-statement+jwt"
 )
 its_trust_chain = [
- rp_signer.sign_compact([key_from_jwk_dict(rp_jwks[0])]),
+ rp_signer.sign_compact([key_from_jwk_dict(rp_jwks[1])]),
 ta_signer.sign_compact([ta_jwk])
 ]
diff --git a/example/satosa/integration_test/settings_ec.py b/example/satosa/integration_test/settings_ec.py
deleted file mode 100644
index 87b58886..00000000
--- a/example/satosa/integration_test/settings_ec.py
+++ /dev/null
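Review bot: `typ="application/entity-statement+jwt"`, the context line right under the changed `alg`, disagrees with the `typ="entity-statement+jwt"` this same commit gives every signer in pyeudiw/tests/federation/base.py, and OpenID Federation specifies the short form `entity-statement+jwt` for Entity Statements; a validator that checks the header would accept one fixture and reject the other. The same string recurs in the `@@ -125` hunk below, in all three hunks of test_static_trust_chain_validator.py and in the `@@ -485` hunk of test_backend.py. Since each of these `JWS(...)` calls is already being edited for the `alg` change, I would align them in the same commit: `typ="entity-statement+jwt"`.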
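Review bot: `rp_signer.sign_compact([key_from_jwk_dict(rp_jwks[1])])` now depends on the EC entry sitting at index 1 of `rp_jwks`; if the list is reordered, `ES256` is paired with the RSA key and `sign_compact` fails only at runtime. Selecting by key type is robust to that, e.g. `rp_signing_jwk = next(k for k in rp_jwks if k["kty"] == "EC")` followed by `rp_signer.sign_compact([key_from_jwk_dict(rp_signing_jwk)])`. If settings.py mirrors the deleted settings_ec.py shown below, the same list, private members `d`/`p`/`q` included, is what `rp_ec['jwks']` and `ta_es['jwks']` publish inside the signed entity statements; an entity configuration should carry only public keys, which `key_from_jwk_dict(k).serialize()` (without `private=True`) yields, so the fixture does not rehearse exposing signing keys.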
@@ -1,135 +0,0 @@
-
-from cryptojwt.jws.jws import JWS
-from cryptojwt.jwk.jwk import key_from_jwk_dict
-from pyeudiw.tests.federation.base_ec import (
- NOW,
- EXP,
- leaf_wallet_jwk,
- ta_ec,
- ta_jwk
-)
-
-from pyeudiw.tools.utils import iat_now, exp_from_now
-
-
-RP_EID = "https://localhost/OpenID4VP"
-
-CONFIG_DB = {
- "mongo_db": {
- "storage": {
- "module": "pyeudiw.storage.mongo_storage",
- "class": "MongoStorage",
- "init_params": {
- "url": "mongodb://localhost:27017/",
- "conf": {
- "db_name": "eudiw",
- "db_sessions_collection": "sessions",
- "db_trust_attestations_collection": "trust_attestations",
- "db_trust_anchors_collection": "trust_anchors"
- },
- "connection_params": {}
- }
- }
- }
-}
-
-
-WALLET_INSTANCE_ATTESTATION = {
- "iss": "https://wallet-provider.example.org",
- "sub": "vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
- "type": "WalletInstanceAttestation",
- "policy_uri": "https://wallet-provider.example.org/privacy_policy",
- "tos_uri": "https://wallet-provider.example.org/info_policy",
- "logo_uri": "https://wallet-provider.example.org/logo.svg",
- "asc": "https://wallet-provider.example.org/LoA/basic",
- "cnf":
- {
- "jwk": leaf_wallet_jwk.serialize()
- },
- "authorization_endpoint": "eudiw:",
- "response_types_supported": [
- "vp_token"
- ],
- "vp_formats_supported": {
- "jwt_vp_json": {
- "alg_values_supported": ["ES256"]
- },
- "jwt_vc_json": {
- "alg_values_supported": ["ES256"]
- }
- },
- "request_object_signing_alg_values_supported": [
- "ES256"
- ],
- "presentation_definition_uri_supported": False,
- "iat": iat_now(),
- "exp": exp_from_now()
-}
-
-rp_jwks = [
- {
- "kty": "RSA",
- "d": "QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q",
- "e": "AQAB",
- "kid": "9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w",
- "n": "utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw",
- "p": "2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0",
- "q": "2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM"
- },
- {
- 'kty': 'EC',
- 'kid': 'xPFTWxeGHTVTaDlzGad0MKN5JmWOSnRqEjJCtvQpoyg',
- 'crv': 'P-256',
- 'x': 'EkMoe7qPLGMydWO_evC3AXEeXJlLQk9tNRkYcpp7xHo',
- 'y': 'VLoHFl90D1SdTTjMvNf3WssWiCBXcU1lGNPbOmcCqdU',
- 'd': 'oGzjgBbIYNL9opdJ_rDPnCJF89yN8yj8wegdkYfaxw0'
- }
-]
-rp_ec = {
- "exp": EXP,
- "iat": NOW,
- "iss": RP_EID,
- "sub": RP_EID,
- 'jwks': {"keys": rp_jwks},
- "metadata": {
- "wallet_relying_party": {
- 'jwks': {"keys": []}
- },
- "federation_entity": {
- "organization_name": "OpenID Wallet Verifier example",
- "homepage_uri": "https://verifier.example.org/home",
- "policy_uri": "https://verifier.example.org/policy",
- "logo_uri": "https://verifier.example.org/static/logo.svg",
- "contacts": [
- "tech@verifier.example.org"
- ]
- }
- },
- "authority_hints": [
- ta_ec['iss']
- ]
-}
-rp_signer = JWS(
- rp_ec, alg="ES256",
- typ="application/entity-statement+jwt"
-)
-
-
-_es = ta_es = {
- "exp": EXP,
- "iat": NOW,
- "iss": ta_ec['iss'],
- "sub": RP_EID,
- 'jwks': {
- 'keys': rp_jwks
- }
-}
-ta_signer = JWS(
- _es, alg="ES256",
- typ="application/entity-statement+jwt"
-)
-
-its_trust_chain = [
- rp_signer.sign_compact([key_from_jwk_dict(rp_jwks[1])]),
- ta_signer.sign_compact([ta_jwk])
-]
diff --git a/pyeudiw/tests/federation/base.py b/pyeudiw/tests/federation/base.py
index 63b34ef9..625e1d9d 100644
--- a/pyeudiw/tests/federation/base.py
+++ b/pyeudiw/tests/federation/base.py
@@ -1,5 +1,5 @@
+from cryptojwt.jwk.ec import new_ec_key
 from cryptojwt.jws.jws import JWS
-from cryptojwt.jwk.rsa import new_rsa_key
 import json
 import pyeudiw.federation.trust_chain_validator as tcv_test
@@ -13,15 +13,18 @@
 NOW = iat_now()
 EXP = exp_from_now(5000)
+ec_crv = "P-256"
+ec_alg = "ES256"
+
 # Define intermediate ec
-intermediate_jwk = new_rsa_key()
+intermediate_jwk = new_ec_key(ec_crv, alg=ec_alg)
 # Define TA ec
-ta_jwk = new_rsa_key()
+ta_jwk = new_ec_key(ec_crv, alg=ec_alg)
 # Define leaf Credential Issuer
-leaf_cred_jwk = new_rsa_key()
-leaf_cred_jwk_prot = new_rsa_key()
+leaf_cred_jwk = new_ec_key(ec_crv, alg=ec_alg)
+leaf_cred_jwk_prot = new_ec_key(ec_crv, alg=ec_alg)
 leaf_cred = {
 "exp": EXP,
 "iat": NOW,
@@ -62,7 +65,7 @@
 intermediate_es_cred["jwks"]['keys'] = [leaf_cred_jwk.serialize()]
 # Define leaf Wallet Provider
-leaf_wallet_jwk = new_rsa_key()
+leaf_wallet_jwk = new_ec_key(ec_crv, alg=ec_alg)
 leaf_wallet = {
 "exp": EXP,
 "iat": NOW,
@@ -155,17 +158,17 @@
 }
 # Sign step
-leaf_cred_signer = JWS(leaf_cred, alg='RS256',
+leaf_cred_signer = JWS(leaf_cred, alg=ec_alg,
 typ='entity-statement+jwt')
 leaf_cred_signed = leaf_cred_signer.sign_compact([leaf_cred_jwk])
-leaf_wallet_signer = JWS(leaf_wallet, alg='RS256',
+leaf_wallet_signer = JWS(leaf_wallet, alg=ec_alg,
 typ='entity-statement+jwt')
 leaf_wallet_signed = leaf_wallet_signer.sign_compact([leaf_wallet_jwk])
 intermediate_signer_ec = JWS(
- intermediate_ec, alg="RS256",
+ intermediate_ec, alg=ec_alg,
 typ="entity-statement+jwt"
 )
 intermediate_ec_signed = intermediate_signer_ec.sign_compact([
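Review bot: `ec_crv = "P-256"` and `ec_alg = "ES256"` in the `@@ -13` hunk are module-level constants placed right after `NOW` and `EXP`, which follow the module's UPPER_SNAKE convention; I would name them `EC_CRV = "P-256"` and `EC_ALG = "ES256"` and update the `new_ec_key(...)` and `JWS(...)` call sites in the `@@ -62`, `@@ -155` and `@@ -173` hunks accordingly. A short comment above the pair, such as `# Single place that fixes curve and alg for every fixture key; ES256 requires P-256`, would record why they must be changed together, since every signer in the file now relies on that pairing. Note that the key pairs are still generated at import time, so each test session signs with fresh keys.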
@@ -173,19 +176,19 @@
 intermediate_signer_es_cred = JWS(
- intermediate_es_cred, alg='RS256', typ='entity-statement+jwt')
+ intermediate_es_cred, alg=ec_alg, typ='entity-statement+jwt')
 intermediate_es_cred_signed = intermediate_signer_es_cred.sign_compact([
 intermediate_jwk])
 intermediate_signer_es_wallet = JWS(
- intermediate_es_wallet, alg='RS256', typ='entity-statement+jwt')
+ intermediate_es_wallet, alg=ec_alg, typ='entity-statement+jwt')
 intermediate_es_wallet_signed = intermediate_signer_es_wallet.sign_compact([
 intermediate_jwk])
-ta_es_signer = JWS(ta_es, alg="RS256", typ="entity-statement+jwt")
+ta_es_signer = JWS(ta_es, alg=ec_alg, typ="entity-statement+jwt")
 ta_es_signed = ta_es_signer.sign_compact([ta_jwk])
-ta_ec_signer = JWS(ta_ec, alg="RS256", typ="entity-statement+jwt")
+ta_ec_signer = JWS(ta_ec, alg=ec_alg, typ="entity-statement+jwt")
 ta_ec_signed = ta_ec_signer.sign_compact([ta_jwk])
diff --git a/pyeudiw/tests/federation/base_ec.py b/pyeudiw/tests/federation/base_ec.py
deleted file mode 100644
index 625e1d9d..00000000
--- a/pyeudiw/tests/federation/base_ec.py
+++ /dev/null
@@ -1,218 +0,0 @@
-from cryptojwt.jwk.ec import new_ec_key
-from cryptojwt.jws.jws import JWS
-
-import json
-import pyeudiw.federation.trust_chain_validator as tcv_test
-from pyeudiw.tools.utils import iat_now, exp_from_now
-
-httpc_params = {
- "connection": {"ssl": True},
- "session": {"timeout": 6},
-}
-
-NOW = iat_now()
-EXP = exp_from_now(5000)
-
-ec_crv = "P-256"
-ec_alg = "ES256"
-
-# Define intermediate ec
-intermediate_jwk = new_ec_key(ec_crv, alg=ec_alg)
-
-# Define TA ec
-ta_jwk = new_ec_key(ec_crv, alg=ec_alg)
-
-# Define leaf Credential Issuer
-leaf_cred_jwk = new_ec_key(ec_crv, alg=ec_alg)
-leaf_cred_jwk_prot = new_ec_key(ec_crv, alg=ec_alg)
-leaf_cred = {
- "exp": EXP,
- "iat": NOW,
- "iss": "https://credential_issuer.example.org",
- "sub": "https://credential_issuer.example.org",
- 'jwks': {"keys": []},
- "metadata": {
- "openid_credential_issuer": {
- 'jwks': {"keys": []}
- },
- "federation_entity": {
- "organization_name": "OpenID Credential Issuer example",
- "homepage_uri": "https://credential_issuer.example.org/home",
- "policy_uri": "https://credential_issuer.example.org/policy",
- "logo_uri": "https://credential_issuer.example.org/static/logo.svg",
- "contacts": [
- "tech@credential_issuer.example.org"
- ]
- }
- },
- "authority_hints": [
- "https://intermediate.eidas.example.org"
- ]
-}
-leaf_cred['jwks']['keys'] = [leaf_cred_jwk.serialize()]
-leaf_cred['metadata']['openid_credential_issuer']['jwks']['keys'] = [
- leaf_cred_jwk_prot.serialize()]
-
-
-# Define intermediate Entity Statement for credential
-intermediate_es_cred = {
- "exp": EXP,
- "iat": NOW,
- "iss": "https://intermediate.eidas.example.org",
- "sub": "https://credential_issuer.example.org",
- 'jwks': {"keys": []}
-}
-intermediate_es_cred["jwks"]['keys'] = [leaf_cred_jwk.serialize()]
-
-# Define leaf Wallet Provider
-leaf_wallet_jwk = new_ec_key(ec_crv, alg=ec_alg)
-leaf_wallet = {
- "exp": EXP,
- "iat": NOW,
- "iss": "https://wallet-provider.example.org",
- "sub": "https://wallet-provider.example.org",
- 'jwks': {"keys": []},
- "metadata": {
- "wallet_provider": {
- "jwks": {"keys": []}
- },
- "federation_entity": {
- "organization_name": "OpenID Wallet Verifier example",
- "homepage_uri": "https://wallet-provider.example.org/home",
- "policy_uri": "https://wallet-provider.example.org/policy",
- "logo_uri": "https://wallet-provider.example.org/static/logo.svg",
- "contacts": [
- "tech@wallet-provider.example.org"
- ]
- }
- },
- "authority_hints": [
- "https://intermediate.eidas.example.org"
- ]
-}
-leaf_wallet['jwks']['keys'] = [leaf_wallet_jwk.serialize()]
-leaf_wallet['metadata']['wallet_provider'] = [leaf_wallet_jwk.serialize()]
-
-# Define intermediate Entity Statement for wallet provider
-intermediate_es_wallet = {
- "exp": EXP,
- "iat": NOW,
- "iss": "https://intermediate.eidas.example.org",
- "sub": "https://wallet-provider.example.org",
- 'jwks': {"keys": [leaf_wallet_jwk.serialize()]}
-}
-
-# Intermediate EC
-intermediate_ec = {
- "exp": EXP,
- "iat": NOW,
- 'iss': 'https://intermediate.eidas.example.org',
- 'sub': 'https://intermediate.eidas.example.org',
- 'jwks': {"keys": [intermediate_jwk.serialize()]},
- 'metadata': {
- 'federation_entity': {
- 'contacts': ['soggetto@intermediate.eidas.example.it'],
- 'federation_fetch_endpoint': 'https://intermediate.eidas.example.org/fetch',
- 'federation_resolve_endpoint': 'https://intermediate.eidas.example.org/resolve',
- 'federation_list_endpoint': 'https://intermediate.eidas.example.org/list',
- 'homepage_uri': 'https://soggetto.intermediate.eidas.example.it',
- 'name': 'Example Intermediate intermediate.eidas.example'
- }
- },
- "authority_hints": [
- "https://trust-anchor.example.org"
- ]
-}
-
-
-# Define TA
-ta_es = {
- "exp": EXP,
- "iat": NOW,
- "iss": "https://trust-anchor.example.org",
- "sub": "https://intermediate.eidas.example.org",
- 'jwks': {"keys": [intermediate_jwk.serialize()]}
-}
-
-ta_ec = {
- "exp": EXP,
- "iat": NOW,
- "iss": "https://trust-anchor.example.org",
- "sub": "https://trust-anchor.example.org",
- 'jwks': {"keys": [ta_jwk.serialize()]},
- "metadata": {
- "federation_entity": {
- 'federation_fetch_endpoint': 'https://trust-anchor.example.org/fetch',
- 'federation_resolve_endpoint': 'https://trust-anchor.example.org/resolve',
- 'federation_list_endpoint': 'https://trust-anchor.example.org/list',
- "organization_name": "TA example",
- "homepage_uri": "https://trust-anchor.example.org/home",
- "policy_uri": "https://trust-anchor.example.org/policy",
- "logo_uri": "https://trust-anchor.example.org/static/logo.svg",
- "contacts": [
- "tech@trust-anchor.example.org"
- ]
- }
- },
- 'constraints': {'max_path_length': 1}
-}
-
-# Sign step
-leaf_cred_signer = JWS(leaf_cred, alg=ec_alg,
- typ='entity-statement+jwt')
-leaf_cred_signed = leaf_cred_signer.sign_compact([leaf_cred_jwk])
-
-leaf_wallet_signer = JWS(leaf_wallet, alg=ec_alg,
- typ='entity-statement+jwt')
-leaf_wallet_signed = leaf_wallet_signer.sign_compact([leaf_wallet_jwk])
-
-
-intermediate_signer_ec = JWS(
- intermediate_ec, alg=ec_alg,
- typ="entity-statement+jwt"
-)
-intermediate_ec_signed = intermediate_signer_ec.sign_compact([
- intermediate_jwk])
-
-
-intermediate_signer_es_cred = JWS(
- intermediate_es_cred, alg=ec_alg, typ='entity-statement+jwt')
-intermediate_es_cred_signed = intermediate_signer_es_cred.sign_compact([
- intermediate_jwk])
-
-intermediate_signer_es_wallet = JWS(
- intermediate_es_wallet, alg=ec_alg, typ='entity-statement+jwt')
-intermediate_es_wallet_signed = intermediate_signer_es_wallet.sign_compact([
- intermediate_jwk])
-
-ta_es_signer = JWS(ta_es, alg=ec_alg, typ="entity-statement+jwt")
-ta_es_signed = ta_es_signer.sign_compact([ta_jwk])
-
-ta_ec_signer = JWS(ta_ec, alg=ec_alg, typ="entity-statement+jwt")
-ta_ec_signed = ta_ec_signer.sign_compact([ta_jwk])
-
-
-trust_chain_issuer = [
- leaf_cred_signed,
- intermediate_es_cred_signed,
- ta_es_signed,
- ta_ec_signed
-]
-
-trust_chain_wallet = [
- leaf_wallet_signed,
- intermediate_es_wallet_signed,
- ta_es_signed
-]
-
-test_cred = tcv_test.StaticTrustChainValidator(
- trust_chain_issuer, [ta_jwk.serialize()], httpc_params=httpc_params
-)
-assert test_cred.is_valid
-
-test_wallet = tcv_test.StaticTrustChainValidator(
- trust_chain_wallet, [ta_jwk.serialize()], httpc_params=httpc_params
-)
-assert test_wallet.is_valid
-
-print(json.dumps(trust_chain_issuer, indent=2))
diff --git a/pyeudiw/tests/federation/test_static_trust_chain_validator.py b/pyeudiw/tests/federation/test_static_trust_chain_validator.py
index 15b079e3..1f48df13 100644
--- a/pyeudiw/tests/federation/test_static_trust_chain_validator.py
+++ b/pyeudiw/tests/federation/test_static_trust_chain_validator.py
@@ -37,7 +37,7 @@ def test_is_valid():
 invalid_intermediate["jwks"]['keys'] = [invalid_leaf_jwk]
 intermediate_signer = JWS(
- invalid_intermediate, alg="RS256",
+ invalid_intermediate, alg="ES256",
 typ="application/entity-statement+jwt"
 )
 invalid_intermediate_es_wallet_signed = intermediate_signer.sign_compact(
@@ -110,7 +110,7 @@ def test_update_st_es_case_source_endpoint():
 "source_endpoint": "https://trust-anchor.example.org/fetch"
 }
- ta_signer = JWS(ta_es, alg="RS256", typ="application/entity-statement+jwt")
+ ta_signer = JWS(ta_es, alg="ES256", typ="application/entity-statement+jwt")
 ta_es_signed = ta_signer.sign_compact([ta_jwk])
 def mock_method(*args, **kwargs):
@@ -133,7 +133,7 @@ def test_update_st_es_case_no_source_endpoint():
 'jwks': {"keys": []},
 }
- ta_signer = JWS(ta_es, alg="RS256", typ="application/entity-statement+jwt")
+ ta_signer = JWS(ta_es, alg="ES256", typ="application/entity-statement+jwt")
 ta_es_signed = ta_signer.sign_compact([ta_jwk])
 def mock_method_ec(*args, **kwargs):
diff --git a/pyeudiw/tests/satosa/test_backend.py b/pyeudiw/tests/satosa/test_backend.py
index bd8eb714..9f64f962 100644
--- a/pyeudiw/tests/satosa/test_backend.py
+++ b/pyeudiw/tests/satosa/test_backend.py
@@ -22,7 +22,7 @@
 _adapt_keys,
 issue_sd_jwt,
 load_specification_from_yaml_string,
- import_pyca_pri_rsa
+ import_ec
 )
 from pyeudiw.storage.db_engine import DBEngine
 from pyeudiw.tools.utils import exp_from_now, iat_now
@@ -188,7 +188,7 @@ def test_vp_validation_in_redirect_endpoint(self, context):
 {},
 nonce,
 str(uuid.uuid4()),
- import_pyca_pri_rsa(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
+ import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
 "key_binding", False) else None,
 sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
 )
@@ -341,7 +341,7 @@ def test_redirect_endpoint(self, context):
 {},
 nonce,
 str(uuid.uuid4()),
- import_pyca_pri_rsa(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
+ import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid) if sd_specification.get(
 "key_binding", False) else None,
 sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty],
 )
@@ -485,7 +485,7 @@ def test_request_endpoint(self, context):
 "sub": self.backend.client_id,
 'jwks': self.backend.entity_configuration_as_dict['jwks']
 }
- ta_signer = JWS(_es, alg="RS256",
+ ta_signer = JWS(_es, alg="ES256",
 typ="application/entity-statement+jwt")
 its_trust_chain = [
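Review bot: `import_ec(holder_jwk.key.priv_key, kid=holder_jwk.kid)` in the `@@ -188` hunk fixes the holder binding key type to EC, while `sign_alg=DEFAULT_SIG_KTY_MAP[holder_jwk.key.kty]` two lines below still derives the algorithm from whatever `kty` the key actually has; if `holder_jwk`, which is built outside the hunk, were an RSA key again, the import would presumably fail or yield a key that cannot satisfy the derived alg, and the mismatch would surface only inside the signing call. Either pin both sides (`sign_alg="ES256"`) or choose the importer from `holder_jwk.key.kty` so the two cannot drift apart. The `@@ -341` hunk has the identical pattern. The enclosing call starts before the hunk.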