Trust mark issuers keys are published together with the federation_en…

…tity's keys.
SUNET · Dec 16, 2023 · 53bfbd0 · 53bfbd0
1 parent 9c4fa30
commit 53bfbd0
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 9 deletions.
diff --git a/src/fedservice/entity/__init__.py b/src/fedservice/entity/__init__.py
@@ -122,6 +122,10 @@ def get_metadata(self):
         metadata = self.get_context().claims.prefer
         # collect endpoints
         metadata.update(self.get_endpoint_claims())
+        if "federation_trust_mark_status_endpoint" in metadata:
+            endp = self.server.get_endpoint("status")
+            _jwks = endp.trust_mark_issuer.keyjar.export_jwks()
+            metadata["jwks"]["keys"].extend(_jwks["keys"])
         return {"federation_entity": metadata}
 
     def get_preferences(self):

diff --git a/src/fedservice/entity/function/trust_chain_collector.py b/src/fedservice/entity/function/trust_chain_collector.py
@@ -97,10 +97,11 @@ def get_document(self, url: str):
         """
         _keyjar = self.upstream_get('attribute', 'keyjar')
         _httpc_params = _keyjar.httpc_params
+        logger.debug(f"Using HTTPC Params: {_keyjar.httpc_params}")
         try:
             response = self.upstream_get('attribute', 'httpc')("GET", url, **_httpc_params)
-        except ConnectionError:
-            logger.error(f'Could not connect to {url}')
+        except ConnectionError as err:
+            logger.error(f'Could not connect to {url}:{err}')
             raise
 
         if response.status_code == 200:

diff --git a/src/fedservice/entity/function/trust_mark_verifier.py b/src/fedservice/entity/function/trust_mark_verifier.py
@@ -6,6 +6,7 @@
 from cryptojwt.jws.jws import factory
 
 from fedservice import message
+from fedservice.entity import apply_policies
 from fedservice.entity.function import collect_trust_chains
 from fedservice.entity.function import Function
 from fedservice.entity.function import get_payload
@@ -62,13 +63,22 @@ def __call__(self,
             logger.warning(f'No verified trust chain to the trust anchor: {trust_anchor}')
             return None
 
+
+
         # Now try to verify the signature on the trust_mark
         # should have the necessary keys
         _jwt = factory(trust_mark)
         keyjar = _federation_entity.get_attribute('keyjar')
 
+        keys = keyjar.get_jwt_verify_keys(_jwt.jwt)
+        if not keys:
+            _trust_chains = apply_policies(_federation_entity, _trust_chains)
+            keyjar.import_jwks(_trust_chains[0].metadata["federation_entity"]["jwks"],
+                               _trust_chains[0].iss_path[0])
+            keys = keyjar.get_jwt_verify_keys(_jwt.jwt)
+
         try:
-            _mark = _jwt.verify_compact(trust_mark, keys=keyjar.get_jwt_verify_keys(_jwt.jwt))
+            _mark = _jwt.verify_compact(trust_mark, keys=keys)
         except Exception as err:
             return None
         else:

diff --git a/src/fedservice/message.py b/src/fedservice/message.py
@@ -387,7 +387,7 @@ class EntityStatement(JsonWebToken):
         'constraints': SINGLE_OPTIONAL_CONSTRAINS,
         "crit": OPTIONAL_LIST_OF_STRINGS,
         "policy_language_crit": OPTIONAL_LIST_OF_STRINGS,
-        'trust_marks': SINGLE_OPTIONAL_DICT,
+        'trust_marks': OPTIONAL_LIST_OF_STRINGS,
         'trust_anchor_id': SINGLE_OPTIONAL_STRING
     })
 

diff --git a/src/fedservice/op/__init__.py b/src/fedservice/op/__init__.py
@@ -6,13 +6,13 @@
 from cryptojwt import KeyJar
 from cryptojwt.utils import importer
 from idpyoidc.configure import Base
+from idpyoidc.server import allow_refresh_token
 from idpyoidc.server import ASConfiguration
+from idpyoidc.server import authz
+from idpyoidc.server import build_endpoints
 from idpyoidc.server import Endpoint
 from idpyoidc.server import EndpointContext
 from idpyoidc.server import OPConfiguration
-from idpyoidc.server import allow_refresh_token
-from idpyoidc.server import authz
-from idpyoidc.server import build_endpoints
 from idpyoidc.server.client_authn import client_auth_setup
 from idpyoidc.server.endpoint_context import init_service
 from idpyoidc.server.endpoint_context import init_user_info
@@ -45,7 +45,8 @@ def __init__(
             httpc: Optional[Any] = None,
             httpc_params: Optional[dict] = None,
             entity_id: Optional[str] = "",
-            key_conf: Optional[dict] = None
+            key_conf: Optional[dict] = None,
+            server_type: Optional[str] = "oidc"
     ):
         if config is None:
             config = {}
@@ -57,7 +58,10 @@ def __init__(
         if not isinstance(config, Base):
             config['issuer'] = entity_id
             config['base_url'] = entity_id
-            config = OPConfiguration(config)
+            if server_type == "oauth2":
+                config = ASConfiguration(config)
+            else:
+                config = OPConfiguration(config)
 
         self.config = config
 

diff --git a/tests/test_08_trust_mark.py b/tests/test_08_trust_mark.py
@@ -168,3 +168,7 @@ def test_trust_mark_verifier(self):
 
         assert verified_trust_mark
         assert set(verified_trust_mark.keys()) == {'iat', 'iss', 'id', 'sub', 'ref'}
+
+    def test_metadata(self):
+        _metadata = self.entity.get_metadata()
+        assert len(_metadata["federation_entity"]["jwks"]["keys"]) == 4