feat: extending crypto support #142;

JanssenProject · Jan 13, 2022 · 1f932c0 · 1f932c0
1 parent fda52ba
commit 1f932c0
Show file tree

Hide file tree

Showing 5 changed files with 150 additions and 34 deletions.
diff --git a/jans-ce-setup/setup_app/config.py b/jans-ce-setup/setup_app/config.py
@@ -294,7 +294,7 @@ def progress(self, service_name, msg, incr=False):
         # OpenID key generation default setting
         self.default_openid_jks_dn_name = 'CN=Jans Auth CA Certificates'
         self.default_sig_key_algs = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
-        self.default_enc_key_algs = 'RSA1_5 RSA-OAEP ECDH-ES'
+        self.default_enc_key_algs = 'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
         self.default_key_expiration = 365
 
         self.post_messages = []

diff --git a/jans-ce-setup/setup_app/installers/jans_auth.py b/jans-ce-setup/setup_app/installers/jans_auth.py
@@ -66,7 +66,7 @@ def generate_configuration(self):
 
         self.logIt("Generating OAuth openid keys", pbar=self.service_name)
         sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
-        enc_keys = 'RSA1_5 RSA-OAEP ECDH-ES'
+        enc_keys = 'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
         jwks = self.gen_openid_jwks_jks_keys(self.oxauth_openid_jks_fn, Config.oxauth_openid_jks_pass, key_expiration=2, key_algs=sig_keys, enc_keys=enc_keys)
         self.write_openid_keys(self.oxauth_openid_jwks_fn, jwks)
 

diff --git a/jans-ce-setup/templates/jans-auth/jans-auth-config.json b/jans-ce-setup/templates/jans-auth/jans-auth-config.json
@@ -58,58 +58,120 @@
         "pairwise"
     ],
     "defaultSubjectType": "pairwise",
+    "jwksAlgorithmsSupported":[
+        "RS256",
+        "RS384",
+        "RS512",
+        "ES256",
+        "ES256K",
+        "ES384",
+        "ES512",
+        "PS256",
+        "PS384",
+        "PS512",
+        "RSA1_5",
+        "RSA-OAEP",
+        "RSA-OAEP-256",
+        "Ed25519",
+        "Ed448",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW"
+    ],
     "authorizationSigningAlgValuesSupported":[
+        "none",
         "HS256",
         "HS384",
         "HS512",
         "RS256",
         "RS384",
         "RS512",
         "ES256",
+        "ES256K",
         "ES384",
         "ES512",
         "ES512",
         "PS256",
         "PS384",
-        "PS512"
-    ],
+        "PS512",
+        "Ed25519",
+        "Ed448"
+    ],    
     "authorizationEncryptionAlgValuesSupported":[
         "RSA1_5",
         "RSA-OAEP",
         "A128KW",
-        "A256KW"
+        "A256KW",
+        "RSA-OEAP-256",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW",
+        "A192KW",
+        "A128GCMKW",
+        "A192GCMKW",
+        "A256GCMKW",
+        "PBES2-HS256+A128KW",
+        "PBES2-HS384+A192KW",
+        "PBES2-HS512+A256KW",
+        "dir"
     ],
     "authorizationEncryptionEncValuesSupported":[
         "A128CBC+HS256",
         "A256CBC+HS512",
+        "A128CBC-HS256",
+        "A192CBC-HS384",
+        "A256CBC-HS512",
         "A128GCM",
+        "A192GCM",
         "A256GCM"
-    ],
+    ],    
     "userInfoSigningAlgValuesSupported":[
+        "none",
         "HS256",
         "HS384",
         "HS512",
         "RS256",
         "RS384",
         "RS512",
         "ES256",
+        "ES256K",
         "ES384",
         "ES512",
-        "ES512",
         "PS256",
         "PS384",
-        "PS512"
+        "PS512",
+        "Ed25519",
+        "Ed448"
     ],
     "userInfoEncryptionAlgValuesSupported":[
         "RSA1_5",
         "RSA-OAEP",
         "A128KW",
-        "A256KW"
+        "A256KW",
+        "RSA-OEAP-256",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW",
+        "A192KW",
+        "A128GCMKW",
+        "A192GCMKW",
+        "A256GCMKW",
+        "PBES2-HS256+A128KW",
+        "PBES2-HS384+A192KW",
+        "PBES2-HS512+A256KW",
+        "dir"
     ],
     "userInfoEncryptionEncValuesSupported":[
         "A128CBC+HS256",
         "A256CBC+HS512",
+        "A128CBC-HS256",
+        "A192CBC-HS384",
+        "A256CBC-HS512",
         "A128GCM",
+        "A192GCM",
         "A256GCM"
     ],
     "idTokenSigningAlgValuesSupported":[
@@ -121,23 +183,42 @@
         "RS384",
         "RS512",
         "ES256",
+        "ES256K",
         "ES384",
         "ES512",
-        "ES512",
         "PS256",
         "PS384",
-        "PS512"
+        "PS512",
+        "Ed25519",
+        "Ed448"
     ],
     "idTokenEncryptionAlgValuesSupported":[
         "RSA1_5",
         "RSA-OAEP",
         "A128KW",
-        "A256KW"
+        "A256KW",
+        "RSA-OEAP-256",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW",
+        "A192KW",
+        "A128GCMKW",
+        "A192GCMKW",
+        "A256GCMKW",
+        "PBES2-HS256+A128KW",
+        "PBES2-HS384+A192KW",
+        "PBES2-HS512+A256KW",
+        "dir"
     ],
     "idTokenEncryptionEncValuesSupported":[
         "A128CBC+HS256",
         "A256CBC+HS512",
+        "A128CBC-HS256",
+        "A192CBC-HS384",
+        "A256CBC-HS512",
         "A128GCM",
+        "A192GCM",
         "A256GCM"
     ],
     "requestObjectSigningAlgValuesSupported":[
@@ -149,36 +230,42 @@
         "RS384",
         "RS512",
         "ES256",
-        "ES384",
-        "ES512",
-        "ES512",
-        "PS256",
-        "PS384",
-        "PS512"
-    ],
-    "jwksAlgorithmsSupported":[
-        "RS256",
-        "RS384",
-        "RS512",
-        "ES256",
+        "ES256K",
         "ES384",
         "ES512",
         "PS256",
         "PS384",
         "PS512",
-        "RSA1_5",
-        "RSA-OAEP"
+        "Ed25519",
+        "Ed448"
     ],
     "requestObjectEncryptionAlgValuesSupported":[
         "RSA1_5",
         "RSA-OAEP",
         "A128KW",
-        "A256KW"
+        "A256KW",
+        "RSA-OEAP-256",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW",
+        "A192KW",
+        "A128GCMKW",
+        "A192GCMKW",
+        "A256GCMKW",
+        "PBES2-HS256+A128KW",
+        "PBES2-HS384+A192KW",
+        "PBES2-HS512+A256KW",
+        "dir"
     ],
     "requestObjectEncryptionEncValuesSupported":[
         "A128CBC+HS256",
         "A256CBC+HS512",
+        "A128CBC-HS256",
+        "A192CBC-HS384",
+        "A256CBC-HS512",
         "A128GCM",
+        "A192GCM",
         "A256GCM"
     ],
     "tokenEndpointAuthMethodsSupported":[
@@ -190,31 +277,40 @@
         "self_signed_tls_client_auth"
     ],
     "tokenEndpointAuthSigningAlgValuesSupported":[
+        "none",
         "HS256",
         "HS384",
         "HS512",
         "RS256",
         "RS384",
         "RS512",
         "ES256",
+        "ES256K",
         "ES384",
         "ES512",
-        "ES512",
         "PS256",
         "PS384",
-        "PS512"
-    ],
+        "PS512",
+        "Ed25519",
+        "Ed448"
+    ],    
     "dpopSigningAlgValuesSupported":[
+        "none",
+        "HS256",
+        "HS384",
+        "HS512",
         "RS256",
         "RS384",
         "RS512",
         "ES256",
+        "ES256K",
         "ES384",
         "ES512",
-        "ES512",
         "PS256",
         "PS384",
-        "PS512"
+        "PS512",
+        "Ed25519",
+        "Ed448"
     ],
     "dpopTimeframe": 5,
     "dpopJtiCacheTime": 3600,
@@ -282,7 +378,7 @@
     "cleanServiceBatchChunkSize": 10000,
     "keyRegenerationEnabled":true,
     "keyRegenerationInterval":48,
-    "defaultSignatureAlgorithm":"RS256",
+    "defaultSignatureAlgorithm":"ES384",    
     "oxOpenIdConnectVersion":"openidconnect-1.0",
     "oxId":"https://%(hostname)s/oxid/service/jans/inum",
     "dynamicRegistrationExpirationTime":-1,
@@ -396,7 +492,24 @@
         "ping",
         "push"
      ],
-    "backchannelAuthenticationRequestSigningAlgValuesSupported": [],
+    "backchannelAuthenticationRequestSigningAlgValuesSupported": [
+        "none",
+        "HS256",
+        "HS384",
+        "HS512",
+        "RS256",
+        "RS384",
+        "RS512",
+        "ES256",
+        "ES256K",
+        "ES384",
+        "ES512",
+        "PS256",
+        "PS384",
+        "PS512",
+        "Ed25519",
+        "Ed448"
+     ],     
     "backchannelClientId": "",
     "backchannelRedirectUri": "https://%(hostname)s/jans-auth/ciba/home.htm",
     "backchannelUserCodeParameterSupported": false,

diff --git a/jans-ce-setup/templates/test/jans-auth/client/config-oxauth-test-data.properties b/jans-ce-setup/templates/test/jans-auth/client/config-oxauth-test-data.properties
@@ -25,3 +25,4 @@ sector.identifier.id.bad=840ef58d-a7d0-4986-af7b-71ed0089ce61
 clientKeyStoreFile=profiles/%(hostname)s/client_keystore.p12
 clientKeyStoreSecret=secret
 
+clientKeyJwksFile=profiles/%(hostname)s/keys_client_keystore.json
diff --git a/jans-ce-setup/templates/test/jans-auth/server/config-oxauth-test-data.properties b/jans-ce-setup/templates/test/jans-auth/server/config-oxauth-test-data.properties
@@ -31,3 +31,5 @@ test.keep.clients=%(scim_client_id)s, %(jca_client_id)s, AB77-1A2B, 3E20, FF81-2
 
 clientKeyStoreFile=profiles/%(hostname)s/client_keystore.p12
 clientKeyStoreSecret=secret
+
+clientKeyJwksFile=profiles/%(hostname)s/keys_client_keystore.json