feat: extending crypto support #142;
smansoft committed Jan 13, 2022
1 parent fda52ba commit 1f932c0
Showing 5 changed files with 150 additions and 34 deletions.
2 changes: 1 addition & 1 deletion jans-ce-setup/setup_app/config.py
Expand Up @@ -294,7 +294,7 @@ def progress(self, service_name, msg, incr=False):
# OpenID key generation default setting
self.default_openid_jks_dn_name = 'CN=Jans Auth CA Certificates'
self.default_sig_key_algs = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
self.default_enc_key_algs = 'RSA1_5 RSA-OAEP ECDH-ES'
self.default_enc_key_algs = 'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
self.default_key_expiration = 365

self.post_messages = []
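Review bot: The widened `default_enc_key_algs` string still advertises `RSA1_5` as the first default key-encryption algorithm; RFC 7518 lists it only as "Recommended-" and PKCS#1 v1.5 encryption is the classic padding-oracle (Bleichenbacher) target, so keeping it in the defaults deserves at least a comment explaining why it is retained, e.g. `# RSA1_5 kept for legacy clients only; prefer RSA-OAEP-256 / ECDH-ES for new registrations`. The same default is repeated verbatim in jans_auth.py's generate_configuration rather than read from this attribute, so the two copies can drift. The method these assignments belong to starts outside the hunk.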
2 changes: 1 addition & 1 deletion jans-ce-setup/setup_app/installers/jans_auth.py
Expand Up @@ -66,7 +66,7 @@ def generate_configuration(self):

self.logIt("Generating OAuth openid keys", pbar=self.service_name)
sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
enc_keys = 'RSA1_5 RSA-OAEP ECDH-ES'
enc_keys = 'RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
jwks = self.gen_openid_jwks_jks_keys(self.oxauth_openid_jks_fn, Config.oxauth_openid_jks_pass, key_expiration=2, key_algs=sig_keys, enc_keys=enc_keys)
self.write_openid_keys(self.oxauth_openid_jwks_fn, jwks)

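Review bot: `sig_keys` and `enc_keys` are hard-coded to exactly the strings that config.py sets as `default_sig_key_algs` / `default_enc_key_algs` in this same commit, so the next algorithm change has to be made in two places; since `Config` is already used on the following line, the duplicates could read `sig_keys = Config.default_sig_key_algs` and `enc_keys = Config.default_enc_key_algs` (assuming those attributes are populated before generate_configuration runs — worth confirming). Unrelated to this hunk but visible next to it, `key_expiration=2` also differs from `default_key_expiration = 365` in config.py. generate_configuration begins outside the hunk.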
177 changes: 145 additions & 32 deletions jans-ce-setup/templates/jans-auth/jans-auth-config.json
Expand Up @@ -58,58 +58,120 @@
"pairwise"
],
"defaultSubjectType": "pairwise",
"jwksAlgorithmsSupported":[
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512",
"RSA1_5",
"RSA-OAEP",
"RSA-OAEP-256",
"Ed25519",
"Ed448",
"ECDH-ES",
"ECDH-ES+A128KW",
"ECDH-ES+A192KW",
"ECDH-ES+A256KW"
],
"authorizationSigningAlgValuesSupported":[
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"ES512",
"PS256",
"PS384",
"PS512"
],
"PS512",
"Ed25519",
"Ed448"
],
"authorizationEncryptionAlgValuesSupported":[
"RSA1_5",
"RSA-OAEP",
"A128KW",
"A256KW"
"A256KW",
"RSA-OEAP-256",
"ECDH-ES",
"ECDH-ES+A128KW",
"ECDH-ES+A192KW",
"ECDH-ES+A256KW",
"A192KW",
"A128GCMKW",
"A192GCMKW",
"A256GCMKW",
"PBES2-HS256+A128KW",
"PBES2-HS384+A192KW",
"PBES2-HS512+A256KW",
"dir"
],
"authorizationEncryptionEncValuesSupported":[
"A128CBC+HS256",
"A256CBC+HS512",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512",
"A128GCM",
"A192GCM",
"A256GCM"
],
],
"userInfoSigningAlgValuesSupported":[
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"ES512",
"PS256",
"PS384",
"PS512"
"PS512",
"Ed25519",
"Ed448"
],
"userInfoEncryptionAlgValuesSupported":[
"RSA1_5",
"RSA-OAEP",
"A128KW",
"A256KW"
"A256KW",
"RSA-OEAP-256",
"ECDH-ES",
"ECDH-ES+A128KW",
"ECDH-ES+A192KW",
"ECDH-ES+A256KW",
"A192KW",
"A128GCMKW",
"A192GCMKW",
"A256GCMKW",
"PBES2-HS256+A128KW",
"PBES2-HS384+A192KW",
"PBES2-HS512+A256KW",
"dir"
],
"userInfoEncryptionEncValuesSupported":[
"A128CBC+HS256",
"A256CBC+HS512",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512",
"A128GCM",
"A192GCM",
"A256GCM"
],
"idTokenSigningAlgValuesSupported":[
Expand All @@ -121,23 +183,42 @@
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"ES512",
"PS256",
"PS384",
"PS512"
"PS512",
"Ed25519",
"Ed448"
],
"idTokenEncryptionAlgValuesSupported":[
"RSA1_5",
"RSA-OAEP",
"A128KW",
"A256KW"
"A256KW",
"RSA-OEAP-256",
"ECDH-ES",
"ECDH-ES+A128KW",
"ECDH-ES+A192KW",
"ECDH-ES+A256KW",
"A192KW",
"A128GCMKW",
"A192GCMKW",
"A256GCMKW",
"PBES2-HS256+A128KW",
"PBES2-HS384+A192KW",
"PBES2-HS512+A256KW",
"dir"
],
"idTokenEncryptionEncValuesSupported":[
"A128CBC+HS256",
"A256CBC+HS512",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512",
"A128GCM",
"A192GCM",
"A256GCM"
],
"requestObjectSigningAlgValuesSupported":[
Expand All @@ -149,36 +230,42 @@
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"ES512",
"PS256",
"PS384",
"PS512"
],
"jwksAlgorithmsSupported":[
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512",
"RSA1_5",
"RSA-OAEP"
"Ed25519",
"Ed448"
],
"requestObjectEncryptionAlgValuesSupported":[
"RSA1_5",
"RSA-OAEP",
"A128KW",
"A256KW"
"A256KW",
"RSA-OEAP-256",
"ECDH-ES",
"ECDH-ES+A128KW",
"ECDH-ES+A192KW",
"ECDH-ES+A256KW",
"A192KW",
"A128GCMKW",
"A192GCMKW",
"A256GCMKW",
"PBES2-HS256+A128KW",
"PBES2-HS384+A192KW",
"PBES2-HS512+A256KW",
"dir"
],
"requestObjectEncryptionEncValuesSupported":[
"A128CBC+HS256",
"A256CBC+HS512",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512",
"A128GCM",
"A192GCM",
"A256GCM"
],
"tokenEndpointAuthMethodsSupported":[
Expand All @@ -190,31 +277,40 @@
"self_signed_tls_client_auth"
],
"tokenEndpointAuthSigningAlgValuesSupported":[
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"ES512",
"PS256",
"PS384",
"PS512"
],
"PS512",
"Ed25519",
"Ed448"
],
"dpopSigningAlgValuesSupported":[
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"ES512",
"PS256",
"PS384",
"PS512"
"PS512",
"Ed25519",
"Ed448"
],
"dpopTimeframe": 5,
"dpopJtiCacheTime": 3600,
Expand Down Expand Up @@ -282,7 +378,7 @@
"cleanServiceBatchChunkSize": 10000,
"keyRegenerationEnabled":true,
"keyRegenerationInterval":48,
"defaultSignatureAlgorithm":"RS256",
"defaultSignatureAlgorithm":"ES384",
"oxOpenIdConnectVersion":"openidconnect-1.0",
"oxId":"https://%(hostname)s/oxid/service/jans/inum",
"dynamicRegistrationExpirationTime":-1,
Expand Down Expand Up @@ -396,7 +492,24 @@
"ping",
"push"
],
"backchannelAuthenticationRequestSigningAlgValuesSupported": [],
"backchannelAuthenticationRequestSigningAlgValuesSupported": [
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES256K",
"ES384",
"ES512",
"PS256",
"PS384",
"PS512",
"Ed25519",
"Ed448"
],
"backchannelClientId": "",
"backchannelRedirectUri": "https://%(hostname)s/jans-auth/ciba/home.htm",
"backchannelUserCodeParameterSupported": false,
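Review bot: The four newly added encryption "alg" lists (authorizationEncryptionAlgValuesSupported, userInfoEncryptionAlgValuesSupported, idTokenEncryptionAlgValuesSupported, requestObjectEncryptionAlgValuesSupported) spell the entry `"RSA-OEAP-256"`, whereas jwksAlgorithmsSupported in the same file and the setup scripts use the registered JWA name `"RSA-OAEP-256"`; a misspelled algorithm in discovery metadata is either rejected by clients or, worse, silently unsupported at runtime, so each should read `"RSA-OAEP-256",`. The new backchannelAuthenticationRequestSigningAlgValuesSupported list begins with `"none"`, which the CIBA Core 1.0 specification says MUST NOT be used for signed authentication requests; `"none"` is also still advertised for dpopSigningAlgValuesSupported from context lines, which RFC 9449 likewise forbids. Changing defaultSignatureAlgorithm from RS256 to ES384 is a behavioural change for already-registered clients that do not set id_token_signed_response_alg, since RS256 is the OIDC default and the one algorithm every RP must support — presumably intended, but worth a line in the commit description.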
Expand Up @@ -25,3 +25,4 @@ sector.identifier.id.bad=840ef58d-a7d0-4986-af7b-71ed0089ce61
clientKeyStoreFile=profiles/%(hostname)s/client_keystore.p12
clientKeyStoreSecret=secret

clientKeyJwksFile=profiles/%(hostname)s/keys_client_keystore.json
Expand Up @@ -31,3 +31,5 @@ test.keep.clients=%(scim_client_id)s, %(jca_client_id)s, AB77-1A2B, 3E20, FF81-2

clientKeyStoreFile=profiles/%(hostname)s/client_keystore.p12
clientKeyStoreSecret=secret

clientKeyJwksFile=profiles/%(hostname)s/keys_client_keystore.json

0 comments on commit 1f932c0