feat: extending crypto support: sub pr3 #142;

JanssenProject · Jan 13, 2022 · feb5407 · feb5407
1 parent 8885810
commit feb5407
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 73 deletions.
diff --git a/jans-ce-setup/openbanking/templates/jans-auth/jans-auth-config.json b/jans-ce-setup/openbanking/templates/jans-auth/jans-auth-config.json
@@ -68,6 +68,26 @@
     ],
     "defaultSubjectType": "pairwise",
     "keySignWithSameKeyButDiffAlg": true,
+    "jwksAlgorithmsSupported":[
+        "RS256",
+        "RS384",
+        "RS512",
+        "ES256",
+        "ES256K",
+        "ES384",
+        "ES512",
+        "PS256",
+        "PS384",
+        "PS512",
+        "RSA1_5",
+        "RSA-OAEP",
+        "Ed25519",
+        "Ed448",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW"
+    ],
     "authorizationSigningAlgValuesSupported":[
         "HS256",
         "HS384",
@@ -114,19 +134,6 @@
         "RS256",
         "PS256"
     ],
-    "jwksAlgorithmsSupported":[
-        "RS256",
-        "RS384",
-        "RS512",
-        "ES256",
-        "ES384",
-        "ES512",
-        "PS256",
-        "PS384",
-        "PS512",
-        "RSA1_5",
-        "RSA-OAEP"
-    ],
     "requestObjectEncryptionAlgValuesSupported":[
     ],
     "requestObjectEncryptionEncValuesSupported":[

diff --git a/jans-ce-setup/setup_app/config.py b/jans-ce-setup/setup_app/config.py
@@ -294,7 +294,7 @@ def progress(self, service_name, msg, incr=False):
         # OpenID key generation default setting
         self.default_openid_jks_dn_name = 'CN=Jans Auth CA Certificates'
         self.default_sig_key_algs = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
-        self.default_enc_key_algs = 'RSA1_5 RSA-OAEP ECDH-ES'
+        self.default_enc_key_algs = 'RSA1_5 RSA-OAEP ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
         self.default_key_expiration = 365
 
         self.post_messages = []

diff --git a/jans-ce-setup/setup_app/installers/jans_auth.py b/jans-ce-setup/setup_app/installers/jans_auth.py
@@ -66,7 +66,7 @@ def generate_configuration(self):
 
         self.logIt("Generating OAuth openid keys", pbar=self.service_name)
         sig_keys = 'RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448'
-        enc_keys = 'RSA1_5 RSA-OAEP ECDH-ES'
+        enc_keys = 'RSA1_5 RSA-OAEP ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW'
         jwks = self.gen_openid_jwks_jks_keys(self.oxauth_openid_jks_fn, Config.oxauth_openid_jks_pass, key_expiration=2, key_algs=sig_keys, enc_keys=enc_keys)
         self.write_openid_keys(self.oxauth_openid_jwks_fn, jwks)
 

diff --git a/jans-ce-setup/setup_app/utils/crypto64.py b/jans-ce-setup/setup_app/utils/crypto64.py
@@ -12,6 +12,8 @@
 from setup_app import static
 from setup_app.config import Config
 
+pass_fmt = 'pass:%s'
+
 class Crypto64:
 
     def get_ssl_subject(self, ssl_fn):
@@ -49,58 +51,70 @@ def gen_cert(self, suffix, password, user='root', cn=None, truststore_fn=None):
             truststore_fn = Config.defaultTrustStoreFN
 
         self.run([paths.cmd_openssl,
-                  'genrsa',
-                  '-des3',
-                  '-out',
-                  key_with_password,
-                  '-passout',
-                  'pass:%s' % password,
-                  '2048'
-                  ])
+                'genpkey',
+                '-out',
+                key_with_password,
+                '-algorithm',
+                'EC',
+                '-pkeyopt',
+                'ec_paramgen_curve:P-384',
+                '-aes256',
+                '-pass',
+                pass_fmt % password
+                ])
+
         self.run([paths.cmd_openssl,
-                  'rsa',
-                  '-in',
-                  key_with_password,
-                  '-passin',
-                  'pass:%s' % password,
-                  '-out',
-                  key
-                  ])
+                'ec',
+                '-in',
+                key_with_password,
+                '-inform',
+                'PEM',
+                '-out',
+                key,
+                '-outform',
+                'PEM',
+                '-passin',
+                pass_fmt % password
+                ])
 
         certCn = cn
         if certCn == None:
             certCn = Config.hostname
 
         self.run([paths.cmd_openssl,
-                  'req',
-                  '-new',
-                  '-key',
-                  key,
-                  '-out',
-                  csr,
-                  '-subj',
-                  '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' % (Config.countryCode, Config.state, Config.city, Config.orgName, certCn, Config.admin_email)
-                  ])
+                'req',
+                '-new',
+                '-key',
+                key,
+                '-out',
+                csr,
+                '-subj',
+                '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' % (Config.countryCode, Config.state, Config.city, Config.orgName, certCn, Config.admin_email),
+                '-sha384'
+                ])
+
         self.run([paths.cmd_openssl,
-                  'x509',
-                  '-req',
-                  '-days',
-                  '365',
-                  '-in',
-                  csr,
-                  '-signkey',
-                  key,
-                  '-out',
-                  public_certificate
-                  ])
+                'x509',
+                '-req',
+                '-days',
+                '365',
+                '-sha384',
+                '-in',
+                csr,
+                '-signkey',
+                key,
+                '-out',
+                public_certificate
+                ])
+
         self.run([paths.cmd_chown, '%s:%s' % (user, user), key_with_password])
         self.run([paths.cmd_chmod, '700', key_with_password])
         self.run([paths.cmd_chown, '%s:%s' % (user, user), key])
         self.run([paths.cmd_chmod, '700', key])
 
         self.run([Config.cmd_keytool, "-import", "-trustcacerts", "-alias", "%s_%s" % (Config.hostname, suffix), \
-                  "-file", public_certificate, "-keystore", truststore_fn, \
-                  "-storepass", "changeit", "-noprompt"])
+                    "-file", public_certificate, "-keystore", truststore_fn, \
+                    "-storepass", "changeit", "-noprompt"])
 
     def prepare_base64_extension_scripts(self, extensions=[]):
         self.logIt("Preparing scripts")
@@ -153,7 +167,7 @@ def gen_keystore(self, suffix, keystoreFN, keystorePW, inKey, inCert, alias=None
                   '-name',
                   alias or Config.hostname,
                   '-passout',
-                  'pass:%s' % keystorePW
+                  pass_fmt % keystorePW
                   ])
         # Import p12 to keystore
         import_cmd = [Config.cmd_keytool,

diff --git a/jans-ce-setup/static/scripts/renew_certs.py b/jans-ce-setup/static/scripts/renew_certs.py
@@ -45,12 +45,11 @@ def import_key(suffix):
 
     os.system(cmd)
 
-
 def create_new_certs():
     print "Creating certificates"
     cmd_list = [
-        '/usr/bin/openssl genrsa -des3 -out /etc/certs/{0}.key.orig -passout pass:secret 2048',
-        '/usr/bin/openssl rsa -in /etc/certs/{0}.key.orig -passin pass:secret -out /etc/certs/{0}.key',
+        '/usr/bin/openssl ecparam -name "secp384r1" -genkey -noout -out /etc/certs/{0}.key',
+        '/usr/bin/openssl ec -des3 -in /etc/certs/{0}.key -inform PEM -out /etc/certs/{0}.key.orig -outform PEM -passout pass:secret',
         '/usr/bin/openssl req -new -key /etc/certs/{0}.key -out /etc/certs/{0}.csr -subj '
         '"/C={4}/ST={5}/L={1}/O=Gluu/CN={2}/emailAddress={3}"'.format('{0}', prop['city'], prop['hostname'], prop['admin_email'] , prop['countryCode'] , prop['state']),
         '/usr/bin/openssl x509 -req -days 365 -in /etc/certs/{0}.csr -signkey /etc/certs/{0}.key -out /etc/certs/{0}.crt',
@@ -60,7 +59,6 @@ def create_new_certs():
         'chmod 700 /etc/certs/{0}.key',
         ]
 
-
     cert_list = ['httpd', 'asimba', 'idp-encryption', 'idp-signing', 'shibIDP', 'saml.pem']
 
     for crt in cert_list:

diff --git a/jans-ce-setup/templates/apache/https_jans.conf b/jans-ce-setup/templates/apache/https_jans.conf
@@ -13,9 +13,9 @@
     ### If this is using options file from letsencrypt, the below changes should be applied there as well
     ### Example is: Include /etc/letsencrypt/options-ssl-apache.conf
     # SSLProtocol -all +TLSv1.1 +TLSv1.2
-    # SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+    # SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
     SSLProtocol -all +TLSv1.2
-    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
+    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
     SSLHonorCipherOrder On
     SSLCertificateFile %(httpdCertFn)s
     SSLCertificateKeyFile %(httpdKeyFn)s

diff --git a/jans-ce-setup/templates/jans-auth/jans-auth-config.json b/jans-ce-setup/templates/jans-auth/jans-auth-config.json
@@ -58,6 +58,26 @@
         "pairwise"
     ],
     "defaultSubjectType": "pairwise",
+    "jwksAlgorithmsSupported":[
+        "RS256",
+        "RS384",
+        "RS512",
+        "ES256",
+        "ES256K",
+        "ES384",
+        "ES512",
+        "PS256",
+        "PS384",
+        "PS512",
+        "RSA1_5",
+        "RSA-OAEP",
+        "Ed25519",
+        "Ed448",
+        "ECDH-ES",
+        "ECDH-ES+A128KW",
+        "ECDH-ES+A192KW",
+        "ECDH-ES+A256KW"
+    ],
     "authorizationSigningAlgValuesSupported":[
         "HS256",
         "HS384",
@@ -156,19 +176,6 @@
         "PS384",
         "PS512"
     ],
-    "jwksAlgorithmsSupported":[
-        "RS256",
-        "RS384",
-        "RS512",
-        "ES256",
-        "ES384",
-        "ES512",
-        "PS256",
-        "PS384",
-        "PS512",
-        "RSA1_5",
-        "RSA-OAEP"
-    ],
     "requestObjectEncryptionAlgValuesSupported":[
         "RSA1_5",
         "RSA-OAEP",