Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use ED25519 For Large Blob Data Signature #2

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ For the app to work properly, some environment variables need to be set:

Generate the OIDC config file using the environment variables by running `envsubst < client_secrets.tmpl.json > client_secrets.json`

Generate the signing key by running `openssl ecparam -name prime192v1 -genkey -out sk.pem`
Generate the signing key by running `openssl genpkey -algorithm Ed25519 -out sk.pem`
You can export the verifying key for the locks by running `openssl ec -in sk.pem -pubout -out vk.pem`

### Running in current shell session
Expand Down
14 changes: 11 additions & 3 deletions app.py
Original file line number Diff line number Diff line change
@@ -1,13 +1,12 @@
import hashlib
import json
import os
from base64 import b64encode
import re
import sys

import cbor2
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519
from flask import Flask, render_template, request, redirect, session
from flask_oidc import OpenIDConnect
from keycloak import KeycloakAdmin
Expand Down Expand Up @@ -36,6 +35,12 @@
if "WAU_SIGNING_KEY_PATH" in os.environ:
with open(os.environ["WAU_SIGNING_KEY_PATH"], "rb") as f:
signing_key = serialization.load_pem_private_key(f.read(), None)
verification_key = signing_key.public_key()
verification_key_bytes = verification_key.public_bytes(
encoding=serialization.Encoding.Raw,
format=serialization.PublicFormat.Raw,
)
print('WAU verification key is: ', verification_key_bytes.hex(), file=sys.stderr)

keycloak_admin = KeycloakAdmin(server_url=f"https://{os.environ['WAU_KEYCLOAK_HOST_NAME']}/auth/",
client_id=os.environ['WAU_KEYCLOAK_CLIENT_ID'],
Expand All @@ -56,6 +61,9 @@ def get_credentials_for_user(user_id):


def get_signed_access_rights():
public_key = cbor2.loads(base64url_to_bytes(session["selected_credential_publicKey"]))[-2]
signature = signing_key.sign(public_key) if signing_key is not None else bytes()
return public_key + signature
access_rights = str(oidc.user_getfield("access_rights")).encode('utf-8')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about the part that is currently skipped?

public_key = base64url_to_bytes(session["selected_credential_publicKey"])
signature = signing_key.sign(access_rights + public_key, ec.ECDSA(hashes.SHA256())) if signing_key is not None else bytes()
Expand Down