Support cryptographic functions from AWS KMS #86

Open
jtalir opened this issue Jan 31, 2020 · 5 comments
Labels
enhancement New feature or request

Comments

@jtalir
Collaborator

jtalir commented Jan 31, 2020

There should be a possibility to use https://aws.amazon.com/kms/ for cryptographic functions. One possible integration is described in the fork master...vrk-kpa:kms_support

Design

API

  • abstract class eidas_node.xml.security.XmlSigner - defines the interface
    • abstract sign_node(node: Element, position: int = 0) - sign the XML node
  • class XmlSecSigner(XmlSigner) - signs with xmlsec
    • __init__(key_file: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
  • class AwsKmsSigner(XmlSigner) - signs with AWS KMS.
    • The first implementation may use XmlSecSigner internally and then overwrite the signature with that from AWS KMS.
    • __init__(key_alias: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
  • Port SAMLRequest.sign_request(key_file: str, cert_file: str, signature_method: str, digest_method: str) to SAMLRequest.sign_request(signer: XmlSigner).
  • SAMLResponse.sign_assertion, SAMLResponse.sign_response: As above.

Settings

  • PROXY_SERVICE_IDENTITY_PROVIDER['REQUEST_SIGNATURE'] becomes DictSetting. Key class specifies the backend to use (defaults to 'eidas_node.xml.security.XmlSecSigner'). Other parameters are used for initialization.
  • CONNECTOR_SERVICE_PROVIDER['RESPONSE_SIGNATURE']: As above.

Requirements

setup.py: extras_require['aws_kms'] = ['boto3']

@jiri-janousek jiri-janousek added the enhancement New feature or request label Feb 3, 2020
@jiri-janousek jiri-janousek self-assigned this Feb 3, 2020
@jiri-janousek
Contributor

@tpazderka, could you make a design review? Thanks.

@jiri-janousek
Contributor

Hello @samikarvonen, could you join us for the design review? Thanks.

@tpazderka
Contributor

I do believe that the AwsKmsSigner should be able to prepare the needed structure for the signature without the use of XmlSecSigner.

I think that the default implementation of creating the structure could be in the ABC as a _presign method?

@samikarvonen

Yes, it would be better not to sign the XML twice. I just didn't find any simple way of preparing the XML for signing in my implementation. Also, I think specifying that exact version of boto3 is unnecessary; the latest should work just fine.

@jiri-janousek
Contributor

I do believe that the AwsKmsSigner should be able to prepare the needed structure for the signature without the use of XmlSecSigner.

It isn't only about creating the structure but about filling the structure with certificate data and <ds:SignedInfo> data. AWS KMS client only signs the contents of <ds:SignedInfo> to fill <ds:SignatureValue>.
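
The sketch below is an added example, not code from the eidas-node project or from the fork linked above. It combines the API proposed in the issue (an XmlSigner base class with sign_node(node, position)) with the two points raised in the review: a default _presign() in the ABC that builds the ds:Signature skeleton, fills <ds:Reference>/<ds:DigestValue> and <ds:KeyInfo>, and leaves <ds:SignatureValue> empty, and a KMS backend that sends only the digest of the canonicalized <ds:SignedInfo> to KMS. Assumptions: the KMS client is injected (anything with boto3's KMS sign() shape, e.g. boto3.client("kms")) so the file runs offline against a constructed FakeKmsClient whose output is not a real signature; the certificate is passed as a base64 string rather than read from cert_file; the stdlib's C14N 2.0 stands in for the canonicalization a production signer would use.

```python
"""Added example (not the eidas-node project's code): an XmlSigner ABC whose
_presign() builds the ds:Signature skeleton, and a KMS-backed subclass that
hands only the canonicalized <ds:SignedInfo> digest to the signing service."""
import base64
import copy
import hashlib
from abc import ABC, abstractmethod
from typing import Tuple
from xml.etree import ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Algorithm URIs advertised in SignedInfo. C14N 2.0 is what the stdlib offers;
# SAML deployments usually use exclusive C14N, which needs lxml/xmlsec.
C14N_2_0 = "http://www.w3.org/2010/xml-c14n2"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
ET.register_namespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")


def _ds(tag: str) -> str:
    return "{%s}%s" % (DS_NS, tag)


def canonicalize(node: ET.Element) -> bytes:
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()


class XmlSigner(ABC):
    """Interface from the issue: sign_node() inserts a ds:Signature into node."""

    def __init__(self, cert_b64: str, signature_method: str, digest_method: str):
        self.cert_b64 = cert_b64  # base64 DER certificate for ds:X509Certificate
        self.signature_method = signature_method
        self.digest_method = digest_method

    def _presign(self, node: ET.Element, position: int) -> Tuple[ET.Element, ET.Element]:
        """Default structure builder shared by every backend: computes the
        Reference digest, fills KeyInfo, leaves SignatureValue empty."""
        ref_id = node.get("ID")
        if not ref_id:
            raise ValueError("node to sign must carry an ID attribute")
        # Digest the node before the signature is inserted; this is exactly what
        # the enveloped-signature transform gives a verifier.
        digest = hashlib.sha256(canonicalize(node)).digest()
        sig = ET.Element(_ds("Signature"))
        si = ET.SubElement(sig, _ds("SignedInfo"))
        ET.SubElement(si, _ds("CanonicalizationMethod"), Algorithm=C14N_2_0)
        ET.SubElement(si, _ds("SignatureMethod"), Algorithm=self.signature_method)
        ref = ET.SubElement(si, _ds("Reference"), URI="#" + ref_id)
        ET.SubElement(ET.SubElement(ref, _ds("Transforms")), _ds("Transform"), Algorithm=ENVELOPED)
        ET.SubElement(ref, _ds("DigestMethod"), Algorithm=self.digest_method)
        ET.SubElement(ref, _ds("DigestValue")).text = base64.b64encode(digest).decode()
        ET.SubElement(sig, _ds("SignatureValue"))  # filled by the backend
        x509 = ET.SubElement(ET.SubElement(sig, _ds("KeyInfo")), _ds("X509Data"))
        ET.SubElement(x509, _ds("X509Certificate")).text = self.cert_b64
        node.insert(position, sig)
        return sig, si

    @abstractmethod
    def _sign_bytes(self, data: bytes) -> bytes:
        """Backend primitive: raw signature over the canonicalized SignedInfo."""

    def sign_node(self, node: ET.Element, position: int = 0) -> ET.Element:
        sig, si = self._presign(node, position)
        raw = self._sign_bytes(canonicalize(si))
        sig.find(_ds("SignatureValue")).text = base64.b64encode(raw).decode()
        return sig


class AwsKmsSigner(XmlSigner):
    """Only the SignedInfo digest leaves the process; the private key never does.
    kms_client is anything exposing boto3's KMS sign(), e.g. boto3.client("kms");
    it is injected here so this file runs offline."""

    def __init__(self, key_alias, cert_b64, signature_method, digest_method, kms_client):
        super().__init__(cert_b64, signature_method, digest_method)
        self.key_alias, self.kms = key_alias, kms_client

    def _sign_bytes(self, data: bytes) -> bytes:
        resp = self.kms.sign(KeyId=self.key_alias, Message=hashlib.sha256(data).digest(),
                             MessageType="DIGEST", SigningAlgorithm="RSASSA_PKCS1_V1_5_SHA_256")
        return resp["Signature"]


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client: records the request and returns
    deterministic bytes. Not a real signature; only the call shape is realistic."""

    def __init__(self):
        self.calls = []

    def sign(self, **kwargs):
        self.calls.append(kwargs)
        return {"Signature": hashlib.sha256(b"fake-kms|" + kwargs["Message"]).digest()}


def reference_digest_matches(root: ET.Element) -> bool:
    """Verifier-side check: apply the enveloped-signature transform to a copy,
    canonicalize, and compare with the DigestValue the signer wrote."""
    doc = copy.deepcopy(root)
    sig = doc.find(_ds("Signature"))
    doc.remove(sig)
    expected = base64.b64encode(hashlib.sha256(canonicalize(doc)).digest()).decode()
    return sig.find(".//" + _ds("DigestValue")).text == expected


def sign_sample() -> dict:
    """Sign a constructed AuthnRequest (SAML places ds:Signature after Issuer, position 1)."""
    root = ET.fromstring(
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">'
        '<saml:Issuer>https://example.test/connector</saml:Issuer></samlp:AuthnRequest>')
    kms = FakeKmsClient()
    signer = AwsKmsSigner("alias/eidas-signing", "CERT-PLACEHOLDER", RSA_SHA256, SHA256, kms)
    sig = signer.sign_node(root, position=1)
    return {"signature_index": list(root).index(sig), "kms_calls": len(kms.calls),
            "message_type": kms.calls[0]["MessageType"],
            "digest_ok": reference_digest_matches(root),
            "xml": ET.tostring(root, encoding="unicode")}


if __name__ == "__main__":
    print(sign_sample()["xml"])
```

Because _presign() lives in the base class, XmlSecSigner and AwsKmsSigner differ only in _sign_bytes(), so the document is signed once and the KMS key never sees anything but the SignedInfo digest. reference_digest_matches() is the check a relying party performs first; running it locally after signing catches a structure built against the wrong node or position before the message leaves the proxy.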

@jiri-janousek jiri-janousek removed their assignment May 3, 2022