0001-idp_oidc-add-ecdsa-support-26253.patch

Paul Marillonnet, 09 avril 2020 09:51

Voir les différences: en ligne côte à côte

Subject: [PATCH] idp_oidc: add ecdsa support (#26253)

 src/authentic2_idp_oidc/models.py |  4 +-
 src/authentic2_idp_oidc/utils.py  | 28 ++++++++++----
 src/authentic2_idp_oidc/views.py  |  2 +-
 tests/test_idp_oidc.py            | 61 ++++++++++++++++++++++++++-----
 4 files changed, 76 insertions(+), 19 deletions(-)

         ALGO_RSA = 1
         ALGO_HMAC = 2
         ALGO_EC = 3
         ALGO_CHOICES = [
             (ALGO_HMAC, _('HMAC')),
             (ALGO_RSA, _('RSA')),
             (ALGO_EC, _('EC')),
+        ]
         FLOW_AUTHORIZATION_CODE = 1
         FLOW_IMPLICIT = 2
-...
                 utils.get_jwkset()
             except ImproperlyConfigured:
                 return [(algo_id, algo_name) for algo_id, algo_name in OIDCClient.ALGO_CHOICES
                         if algo_id != OIDCClient.ALGO_RSA]
                         if algo_id not in (OIDCClient.ALGO_RSA, OIDCClient.ALGO_EC)]
             return OIDCClient.ALGO_CHOICES
         idtoken_algo = models.PositiveIntegerField(

         return jwkset
     def get_first_rsa_sig_key():
         for key in get_jwkset()['keys']:
             if key._params['kty'] != 'RSA':
                 continue
             use = key._params.get('use')
             if use is None or use == 'sig':
                 return key
     def get_first_sig_key_by_type(kty=None):
         if kty:
             for key in get_jwkset()['keys']:
                 if key._params['kty'] != kty:
                     continue
                 use = key._params.get('use')
                 if use is None or use == 'sig':
                     return key
         return None
     def get_first_rsa_sig_key():
         return get_first_sig_key_by_type('RSA')
     def get_first_ec_sig_key():
         return get_first_sig_key_by_type('EC')
     def make_idtoken(client, claims):
         '''Make a serialized JWT targeted for this client'''
         if client.idtoken_algo == client.ALGO_HMAC:
-...
             header['kid'] = jwk.key_id
             if jwk is None:
                 raise ImproperlyConfigured('no RSA key for signature operation in A2_IDP_OIDC_JWKSET')
         elif client.idtoken_algo == client.ALGO_EC:
             header = {'alg': 'ES256'}
             jwk = get_first_ec_sig_key()
             if jwk is None:
                 raise ImproperlyConfigured('no EC key for signature operation in A2_IDP_OIDC_JWKSET')
         else:
             raise NotImplementedError
         jwt = JWT(header=header, claims=claims)

                 'clien_secret_post', 'client_secret_basic',
             ],
             'id_token_signing_alg_values_supported': [
                 'RS256', 'HS256',
                 'RS256', 'HS256', 'ES256',
             ],
             'userinfo_endpoint': request.build_absolute_uri(reverse('oidc-user-info')),
             'frontchannel_logout_supported': True,

     from authentic2.models import Attribute, AuthorizedRole
     from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode, OIDCAccessToken, OIDCClaim
     from authentic2_idp_oidc.utils import make_sub, get_first_rsa_sig_key, base64url
     from authentic2_idp_oidc.utils import base64url
     from authentic2_idp_oidc.utils import get_first_rsa_sig_key
     from authentic2_idp_oidc.utils import get_first_ec_sig_key
     from authentic2_idp_oidc.utils import make_sub
     from authentic2.a2_rbac.utils import get_default_ou
     from authentic2.utils import make_url
     from authentic2_auth_oidc.utils import parse_timestamp
-...
                 "n": "0lN6CiJGFD8BSPV_azLoEl6Nq-WlHkU743D5rqvzw1sOaxstMGxAhVk2YIhWwfvapV6XjO_yvc4778VBTELOdjRw6BGUdBJepdwkL__TPyjEVhqMQj9MKhEU4GUy9w0Lsilb5D01kfrOKpmdcYw4jhcDvb0H4-LZgh1Vk84vF4WaQCUg_AX4drVDQOjoU8kuWIM8gz9w6zEsbIw-gtMRpFwS8ncA0zDX5VfyC77iMxzFftDIP2gM5GvdevMzvP9IRkRRBhP9vV4JchBFPHSA9OPJcnySjJJNW6aAJn6P6JasN1z68khjufM09J8UzmLAZYOq7gUG95Ox1KsV-g337Q",
                 "e": "AQAB",
                 "p": "-Nyj_Sw3f2HUqSssCZv84y7b3blOtGGAhfYN_JtGfcTQv2bOtxrIUzeonCi-Z_1W4hO10tqxJcOB0ibtDqkDlLhnLaIYOBfriITRFK83EJG5sC-0KTmFzUXFTA2aMc1QgP-Fu6gUfQpPqLgWxhx8EFhkBlBZshKU5-C-385Sco0"
             },
+            {
                 "kty": "EC",
                 "d": "wwULaR9UYWZW6U2oEbkz3sO1lhPSj6DyA6e7PiUfhog",
                 "use": "sig",
                 "crv": "P-256",
                 "x": "HZMHZkX-63heqA5pvWn-UR7bgcXZNEcQa5wfvG_BzTw",
                 "y": "SUCuwjjiyKvGq5Odr0sjDqjha_CBqks0JQFrR7Ei5OQ",
                 "alg": "ES256"
+            }
+        ]
+    }
-...
+        {
             'idtoken_algo': OIDCClient.ALGO_HMAC,
         },
+        {
             'idtoken_algo': OIDCClient.ALGO_EC,
         },
+        {
             'authorization_mode': OIDCClient.AUTHORIZATION_MODE_NONE,
         },
-...
     @pytest.fixture(params=OIDC_CLIENT_PARAMS)
     def oidc_client(request, superuser, app, simple_user, media):
     def oidc_client(request, superuser, app, simple_user, media, oidc_settings):
         Attribute.objects.create(
             name='cityscape_image',
             label='cityscape',
-...
             access_token = query['access_token'][0]
             id_token = query['id_token'][0]
         if oidc_client.idtoken_algo == oidc_client.ALGO_RSA:
             key = JWKSet.from_json(app.get(reverse('oidc-certs')).content)
         if oidc_client.idtoken_algo in (oidc_client.ALGO_RSA, oidc_client.ALGO_EC):
             keyset = JWKSet.from_json(app.get(reverse('oidc-certs')).content)
             for k in keyset.get('keys'):
                 if {
                     'RSA': oidc_client.ALGO_RSA,
                     'EC': oidc_client.ALGO_EC
                 }.get(k.key_type) == oidc_client.idtoken_algo:
                     algs=[{
                         oidc_client.ALGO_RSA: 'RS256',
                         oidc_client.ALGO_EC: 'ES256'
                     }.get(oidc_client.idtoken_algo)]
                     key = k
                     break
         elif oidc_client.idtoken_algo == oidc_client.ALGO_HMAC:
             k = base64.b64encode(oidc_client.client_secret.encode('utf-8'))
             key = JWK(kty='oct', k=force_text(k))
             algs = ['HS256']
         else:
             raise NotImplementedError
         jwt = JWT(jwt=id_token, key=key)
         jwt = JWT(jwt=id_token, key=key, algs=algs)
         claims = json.loads(jwt.claims)
         assert set(claims) >= set(['iss', 'sub', 'aud', 'exp', 'iat', 'nonce', 'auth_time', 'acr'])
         assert claims['nonce'] == 'yyy'
-...
             query = urlparse.parse_qs(location.fragment)
             id_token = query['id_token'][0]
         if oidc_client.idtoken_algo == oidc_client.ALGO_RSA:
             key = JWKSet.from_json(app.get(reverse('oidc-certs')).content)
         if oidc_client.idtoken_algo in (oidc_client.ALGO_RSA, oidc_client.ALGO_EC):
             keyset = JWKSet.from_json(app.get(reverse('oidc-certs')).content)
             for k in keyset.get('keys'):
                 if {
                     'RSA': oidc_client.ALGO_RSA,
                     'EC': oidc_client.ALGO_EC
                 }.get(k.key_type) == oidc_client.idtoken_algo:
                     algs=[{
                         oidc_client.ALGO_RSA: 'RS256',
                         oidc_client.ALGO_EC: 'ES256'
                     }.get(oidc_client.idtoken_algo)]
                     key = k
                     break
         elif oidc_client.idtoken_algo == oidc_client.ALGO_HMAC:
             k = base64.b64encode(oidc_client.client_secret.encode('utf-8'))
             key = JWK(kty='oct', k=force_text(k))
             algs = ['HS256']
         else:
             raise NotImplementedError
         jwt = JWT(jwt=id_token, key=key)
         jwt = JWT(jwt=id_token, key=key, algs=algs)
         claims = json.loads(jwt.claims)
         if login_first:
             assert claims['acr'] == '0'
-...
             jwk = JWK(kty='oct', k=force_text(k))
         elif oidc_client.idtoken_algo == OIDCClient.ALGO_RSA:
             jwk = get_first_rsa_sig_key()
         elif oidc_client.idtoken_algo == OIDCClient.ALGO_EC:
             jwk = get_first_ec_sig_key()
         # 1. test in-request client credentials
         params = {
-...
         token = response.json['id_token']
         header, payload, signature = token.split('.')
         jwt = JWT()
         # jwt deserialization implicitly checks the token signature:
         jwt.deserialize(token, key=jwk)
         claims = json.loads(jwt.claims)
         # xxx already verified by jwcrypto deserialization?
         assert set(claims) == set(['acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'])
         assert all(claims.values())
-...
         token = response.json['id_token']
         header, payload, signature = token.split('.')
         jwt = JWT()
         # jwt deserialization implicitly checks the token signature:
         jwt.deserialize(token, key=jwk)
         claims = json.loads(jwt.claims)
         # xxx already verified by jwcrypto deserialization?
         assert set(claims) == set(['acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'])
         assert all(claims.values())
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-idp_oidc-add-ecdsa-support-26253.patch