feat: extending crypto support, ed255519, ed448 -> eddsa #142;
smansoft committed Jan 18, 2022
1 parent 01d3266 commit 232c2a1
Showing 5 changed files with 39 additions and 34 deletions.
2 changes: 1 addition & 1 deletion jans-ce-setup/setup_app/config.py
Expand Up @@ -293,7 +293,7 @@ def progress(self, service_name, msg, incr=False):

# OpenID key generation default setting
self.default_openid_jks_dn_name = 'CN=Jans Auth CA Certificates'
self.default_sig_key_algs = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
self.default_sig_key_algs = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA'
self.default_enc_key_algs = 'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
self.default_key_expiration = 365

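Review bot: `EdDSA` is the JWS `alg` name from RFC 8037 and does not identify a curve, whereas the `Ed25519 Ed448` tokens it replaces did; whether the generated JWKS still contains both an Ed25519 and an Ed448 key now depends on how the key generator that consumes `default_sig_key_algs` expands the single token, which is not visible here. Worth confirming and recording on this line, e.g. `# 'EdDSA' is the JOSE alg name (RFC 8037); the curve (Ed25519/Ed448) is chosen by the key generator and exposed via the JWK 'crv' member`. Separately, `default_enc_key_algs` on the next line still lists `RSA1_5`, whose PKCS#1 v1.5 padding is the classic padding-oracle target and which current JOSE guidance discourages; if it must stay for legacy clients, a comment saying so would stop it from being copied into new defaults. The enclosing definition these attribute assignments belong to starts outside the hunk.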
2 changes: 1 addition & 1 deletion jans-ce-setup/setup_app/installers/jans_auth.py
Expand Up @@ -65,7 +65,7 @@ def generate_configuration(self):
Config.encoded_admin_password = self.ldap_encode(Config.admin_password)

self.logIt("Generating OAuth openid keys", pbar=self.service_name)
sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA'
enc_keys = 'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
jwks = self.gen_openid_jwks_jks_keys(self.oxauth_openid_jks_fn, Config.oxauth_openid_jks_pass, key_expiration=2, key_algs=sig_keys, enc_keys=enc_keys)
self.write_openid_keys(self.oxauth_openid_jwks_fn, jwks)
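Review bot: `sig_keys` and `enc_keys` on these lines are verbatim copies of `Config.default_sig_key_algs` / `Config.default_enc_key_algs`, which this very commit had to update in lockstep in config.py; `test_data_loader.py` already reads the `Config` values, so doing the same here, `key_algs=Config.default_sig_key_algs, enc_keys=Config.default_enc_key_algs`, removes one copy that can drift. The call also passes `key_expiration=2` while `Config.default_key_expiration` is 365; if the short lifetime is intentional for the initial key set, a one-line comment stating the unit and the reason would help the next reader. `generate_configuration` starts outside the hunk.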
41 changes: 27 additions & 14 deletions jans-ce-setup/setup_app/test_data_loader.py
Expand Up @@ -33,15 +33,15 @@ def __init__(self):
self.template_base = os.path.join(Config.templateFolder, 'test')

def create_test_client_keystore(self):
self.logIt("Creating client_keystore.p12")
client_keystore_fn = os.path.join(Config.outputFolder, 'test/jans-auth/client/client_keystore.p12')
keys_json_fn = os.path.join(Config.outputFolder, 'test/jans-auth/client/keys_client_keystore.json')
self.logIt("Creating client_keystore.jks")
client_keystore_fn = os.path.join(Config.outputFolder, 'test/jans-auth/client/client_keystore.jks')
keys_json_fn = os.path.join(Config.outputFolder, 'test/jans-auth/client/keys_client_keystore.json')
keys_props_fn = os.path.join(Config.outputFolder, 'test/jans-auth/client/keys_client_keystore.properties')

args = [Config.cmd_keytool, '-genkey', '-alias', 'dummy', '-keystore',
client_keystore_fn, '-storepass', 'secret', '-keypass',
'secret', '-dname',
"'{}'".format(Config.default_openid_jks_dn_name),
'-storetype', 'PKCS12'
"'{}'".format(Config.default_openid_jks_dn_name)
]

self.run(' '.join(args), shell=True)
Expand All @@ -53,14 +53,17 @@ def create_test_client_keystore(self):
'-sig_keys', Config.default_sig_key_algs,
'-enc_keys', Config.default_enc_key_algs,
'-dnname', "'{}'".format(Config.default_openid_jks_dn_name),
'-expiration', '365','>', keys_json_fn]
'-expiration', '365',
'-test_prop_file', keys_props_fn,
'>', keys_json_fn]

cmd = ' '.join(args)

self.run(cmd, shell=True)

self.copyFile(client_keystore_fn, os.path.join(Config.outputFolder, 'test/jans-auth/server'))
self.copyFile(keys_json_fn, os.path.join(Config.outputFolder, 'test/jans-auth/server'))
self.copyFile(keys_props_fn, os.path.join(Config.outputFolder, 'test/jans-auth/server'))

def load_test_data(self):
Config.pbar.progress(self.service_name, "Loading Test Data", False)
Expand Down Expand Up @@ -193,6 +196,7 @@ def load_test_data(self):

# Client keys deployment
base.download('https://raw.githubusercontent.com/JanssenProject/jans-auth-server/master/client/src/test/resources/jans_test_client_keys.zip', '/var/www/html/jans_test_client_keys.zip')
#base.download('https://jans-ce.smansoft.net/jans_test_client_keys.zip', '/var/www/html/jans_test_client_keys.zip')
self.run([paths.cmd_unzip, '-o', '/var/www/html/jans_test_client_keys.zip', '-d', '/var/www/html/'])
self.run([paths.cmd_rm, '-rf', 'jans_test_client_keys.zip'])
self.run([paths.cmd_chown, '-R', 'root:'+apache_user, '/var/www/html/jans-auth-client'])
Expand All @@ -202,7 +206,6 @@ def load_test_data(self):
'dynamicRegistrationCustomObjectClass': 'jansClntCustomAttributes',
'dynamicRegistrationCustomAttributes': [ "jansTrustedClnt", "myCustomAttr1", "myCustomAttr2", "jansInclClaimsInIdTkn" ],
'dynamicRegistrationExpirationTime': 86400,
'grantTypesAndResponseTypesAutofixEnabled': True,
'dynamicGrantTypeDefault': [ "authorization_code", "implicit", "password", "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:uma-ticket", "urn:openid:params:grant-type:ciba", "urn:ietf:params:oauth:grant-type:device_code" ],
'legacyIdTokenClaims': True,
'authenticationFiltersEnabled': True,
Expand All @@ -213,16 +216,26 @@ def load_test_data(self):
'dynamicRegistrationPasswordGrantTypeEnabled' : True,
'cibaEnabled': True,
'backchannelTokenDeliveryModesSupported': ["poll", "ping", "push"],
'backchannelAuthenticationRequestSigningAlgValuesSupported': [ "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" ],
'jwksAlgorithmsSupported':[ "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "EdDSA", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW" ],
'authorizationSigningAlgValuesSupported':[ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512", "EdDSA" ],
'authorizationEncryptionAlgValuesSupported':[ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW", "RSA-OEAP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A192KW", "A128GCMKW", "A192GCMKW", "A256GCMKW", "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW", "dir" ],
'authorizationEncryptionEncValuesSupported':[ "A128CBC+HS256", "A256CBC+HS512", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ],
'backchannelAuthenticationRequestSigningAlgValuesSupported': [ "none", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA" ],
'backchannelClientId': '123-123-123',
'backchannelUserCodeParameterSupported': True,
'tokenEndpointAuthSigningAlgValuesSupported': [ 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' ],
'userInfoSigningAlgValuesSupported': [ 'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' ],
'tokenEndpointAuthSigningAlgValuesSupported':[ "none", "HS256", "HS384", "HS512", "RS256","RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA" ],
'userInfoSigningAlgValuesSupported':[ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA" ],
'userInfoEncryptionAlgValuesSupported':[ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW", "RSA-OEAP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A192KW", "A128GCMKW", "A192GCMKW", "A256GCMKW", "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW", "dir" ],
'userInfoEncryptionEncValuesSupported':[ "A128CBC+HS256", "A256CBC+HS512", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ],
'consentGatheringScriptBackwardCompatibility': False,
'claimsParameterSupported': True,
'grantTypesSupported': [ 'urn:openid:params:grant-type:ciba', 'authorization_code', 'urn:ietf:params:oauth:grant-type:uma-ticket', 'urn:ietf:params:oauth:grant-type:device_code', 'client_credentials', 'implicit', 'refresh_token', 'password' ],
'idTokenSigningAlgValuesSupported': [ 'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' ],
'requestObjectSigningAlgValuesSupported': [ 'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' ],
'idTokenSigningAlgValuesSupported':[ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA" ],
'idTokenEncryptionAlgValuesSupported':[ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW", "RSA-OEAP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A192KW", "A128GCMKW", "A192GCMKW", "A256GCMKW", "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW", "dir" ],
'idTokenEncryptionEncValuesSupported':[ "A128CBC+HS256", "A256CBC+HS512", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ],
'requestObjectSigningAlgValuesSupported':[ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA" ],
'requestObjectEncryptionAlgValuesSupported':[ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW", "RSA-OEAP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A192KW", "A128GCMKW", "A192GCMKW", "A256GCMKW", "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW", "dir" ],
'requestObjectEncryptionEncValuesSupported':[ "A128CBC+HS256", "A256CBC+HS512", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ],
'softwareStatementValidationClaimName': 'jwks_uri',
'softwareStatementValidationType': 'jwks_uri',
'umaGrantAccessIfNoPolicies': True,
Expand All @@ -235,8 +248,8 @@ def load_test_data(self):
'tokenEndpointAuthMethodsSupported': [ 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'tls_client_auth', 'self_signed_tls_client_auth', 'none' ],
'sessionIdRequestParameterEnabled': True,
'skipRefreshTokenDuringRefreshing': False,
'enabledComponents': ['unknown', 'health_check', 'userinfo', 'clientinfo', 'id_generation', 'registration', 'introspection', 'revoke_token', 'revoke_session', 'end_session', 'status_session', 'jans_configuration', 'ciba', 'uma', 'u2f', 'device_authz', 'stat', 'par'],
'cleanServiceInterval':7200
'enabledComponents': ['unknown', 'health_check', 'userinfo', 'clientinfo', 'id_generation', 'registration', 'introspection', 'revoke_token', 'revoke_session', 'end_session', 'status_session', 'jans_configuration', 'ciba', 'uma', 'u2f', 'device_authz', 'stat', 'par' ],
'cleanServiceInterval': 7200
}

if Config.get('config_patch_creds'):
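Review bot: The new `backchannelAuthenticationRequestSigningAlgValuesSupported` and `tokenEndpointAuthSigningAlgValuesSupported` entries now start with `"none"`, which, as the hunk is printed, the lines they replace did not carry; OpenID Connect Discovery and the CIBA Core spec both say `none` MUST NOT appear in those two metadata values, because an unsigned client-authentication JWT or authentication request is exactly what signing is meant to rule out. Drop `"none"` from both lines (and from the other signing lists unless a test deliberately exercises unsigned objects). The same hunk advertises `"RSA-OEAP-256"` in all four new encryption-`alg` lists — a misspelling of `RSA-OAEP-256`, so the real algorithm is absent from the advertised set and the typo identifier will never match a client's request — and `authorizationSigningAlgValuesSupported` lists `"ES512"` twice. These lines sit in the configuration dict inside `load_test_data`, whose start and end are outside the hunk; this is test data, so the exposure is limited to what the test server advertises, but `none` entries are the kind of thing that gets copied into production templates.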
4 changes: 2 additions & 2 deletions jans-ce-setup/static/scripts/key_regeneration.py
Expand Up @@ -31,10 +31,10 @@
oxauth_keys_json_fn = 'jans-keys.json'

algs_for_versions = {
'1.0.0': {'sig_keys': 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448', 'enc_keys': 'RSA1_5 RSA-OAEP ECDH-ES'},
'1.0.0': {'sig_keys': 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA', 'enc_keys': 'RSA1_5 RSA-OAEP ECDH-ES'},
}

sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA'
enc_keys = 'RSA1_5 RSA-OAEP ECDH-ES'


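Review bot: `enc_keys` here and in `algs_for_versions['1.0.0']` stays `'RSA1_5 RSA-OAEP ECDH-ES'`, while the install-time default in `config.py` in this same commit is `'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'`; unless the regeneration script is intentionally narrower, a regenerated key set would lack keys for the RSA-OAEP-256 and ECDH-ES+A*KW algorithms the server keeps advertising. The `sig_keys` literal is repeated twice in this hunk and again in `config.py`, which is why this commit had to touch four copies; deriving the module-level values from the version table, `sig_keys = algs_for_versions['1.0.0']['sig_keys']` and likewise for `enc_keys`, would leave one place to edit. Both lists still generate an `RSA1_5` key; PKCS#1 v1.5 key transport is the standard padding-oracle target and current JOSE guidance discourages it, so a comment recording why it is retained (legacy clients?) would be useful.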
24 changes: 8 additions & 16 deletions jans-ce-setup/templates/jans-auth/jans-auth-config.json
Expand Up @@ -72,8 +72,7 @@
"RSA1_5",
"RSA-OAEP",
"RSA-OAEP-256",
"Ed25519",
"Ed448",
"EdDSA",
"ECDH-ES",
"ECDH-ES+A128KW",
"ECDH-ES+A192KW",
Expand All @@ -95,8 +94,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"authorizationEncryptionAlgValuesSupported":[
"RSA1_5",
Expand Down Expand Up @@ -142,8 +140,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"userInfoEncryptionAlgValuesSupported":[
"RSA1_5",
Expand Down Expand Up @@ -189,8 +186,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"idTokenEncryptionAlgValuesSupported":[
"RSA1_5",
Expand Down Expand Up @@ -236,8 +232,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"requestObjectEncryptionAlgValuesSupported":[
"RSA1_5",
Expand Down Expand Up @@ -291,8 +286,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"dpopSigningAlgValuesSupported":[
"none",
Expand All @@ -309,8 +303,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"dpopTimeframe": 5,
"dpopJtiCacheTime": 3600,
Expand Down Expand Up @@ -507,8 +500,7 @@
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
"EdDSA"
],
"backchannelClientId": "",
"backchannelRedirectUri": "https://%(hostname)s/jans-auth/ciba/home.htm",
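Review bot: `dpopSigningAlgValuesSupported` in the hunk at `@@ -291,8 +286,7 @@` opens with `"none"` (unchanged by this commit); the DPoP specification (RFC 9449, still an IETF draft when this commit was made) requires a proof JWT's `alg` to be an asymmetric algorithm and states it MUST NOT be `none`, so advertising `none` in this metadata is wrong even if the server rejects such proofs at runtime, which cannot be seen here. Removing the `"none",` line from that array is the fix. The `EdDSA` substitution itself is consistent with RFC 8037, where `EdDSA` is the `alg` value and the curve travels in the key's `crv`; note that the hunk at `@@ -72,8 +72,7 @@` places `EdDSA` in a list that mixes signature and key-encryption algorithms (presumably `jwksAlgorithmsSupported`, judging by the matching list in test_data_loader.py), so whatever consumes it must not treat `EdDSA` as a JWE `alg`.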
