Open jtalir opened 4 years ago
@tpazderka, could you make a design review? Thanks.
Hello @samikarvonen, could you join us for the design review? Thanks.
I do believe that the AwsKmsSigner should be able to prepare the needed structure for the signature without the use of XmlSecSigner. I think that the default implementation of creating the structure could be in the ABC as a _presign method?
Yes, it would be better not to sign the XML twice. I just didn't find any simple way of preparing the XML for signing in my implementation. Also, I think specifying that exact version of boto3 is unnecessary; the latest should work just fine.
I do believe that the AwsKmsSigner should be able to prepare the needed structure for the signature without the use of XmlSecSigner.
It isn't only about creating the structure but about filling the structure with certificate data and <ds:SignedInfo> data. The AWS KMS client only signs the contents of <ds:SignedInfo> to fill <ds:SignatureValue>.
There should be a possibility to use https://aws.amazon.com/kms/ for cryptographic functions. One possible integration is described in the fork https://github.com/CZ-NIC/django-eidas-specific-node/compare/master...vrk-kpa:kms_support
Design

API

- eidas_node.xml.security.XmlSigner - defines the interface sign_node(node: Element, position: int = 0) - sign the XML node
- XmlSecSigner(XmlSigner) - signs with xmlsec
  - __init__(key_file: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
- AwsKmsSigner(XmlSigner) - signs with AWS KMS. Uses XmlSecSigner internally and then overwrites the signature with that from AWS KMS.
  - __init__(key_alias: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
- SAMLRequest.sign_request(key_file: str, cert_file: str, signature_method: str, digest_method: str) changes to SAMLRequest.sign_request(signer: XmlSigner).
- SAMLResponse.sign_assertion, SAMLResponse.sign_response: as above.

Settings

- PROXY_SERVICE_IDENTITY_PROVIDER['REQUEST_SIGNATURE'] becomes a DictSetting. The key 'class' specifies the backend to use (defaults to 'eidas_node.xml.security.XmlSecSigner'). Other parameters are used for initialization.
- CONNECTOR_SERVICE_PROVIDER['RESPONSE_SIGNATURE']: as above.

Requirements

- setup.py: extras_require['aws_kms'] = ['boto3']
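An added sketch of the design above (not code from the issue or from django-eidas-specific-node): the base class builds the ds:Signature structure once in a shared _presign step and canonicalises ds:SignedInfo, so a backend such as AwsKmsSigner only signs those bytes and fills ds:SignatureValue, with no second pass through XmlSecSigner. The KMS call is replaced by a constructed stand-in callable (kms_sign), and ET.canonicalize implements C14N 2.0 rather than the exclusive C14N named in SignedInfo, so this shows the signing flow rather than producing a verifiable SAML signature.

```python
import base64
import hashlib
from abc import ABC, abstractmethod
from xml.etree import ElementTree as ET  # ET.canonicalize needs Python 3.8+

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)


def c14n(el: ET.Element) -> bytes:
    # C14N 2.0 stand-in; a real backend must apply the algorithm named in CanonicalizationMethod.
    return ET.canonicalize(ET.tostring(el), strip_text=True).encode()


class XmlSigner(ABC):
    """sign_node(node, position) from the issue; _presign builds the structure once for every backend."""
    def __init__(self, cert_b64: str, signature_method: str, digest_method: str):
        self.cert_b64, self.signature_method, self.digest_method = cert_b64, signature_method, digest_method

    def _presign(self, node: ET.Element, position: int) -> ET.Element:
        # Digest the node before the Signature element is inserted (enveloped-signature transform).
        digest = base64.b64encode(hashlib.sha256(c14n(node)).digest()).decode()
        sig = ET.Element(f"{{{DS}}}Signature")
        info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
        ET.SubElement(info, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
        ET.SubElement(info, f"{{{DS}}}SignatureMethod", Algorithm=self.signature_method)
        ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + node.get("ID", ""))
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=self.digest_method)
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
        ET.SubElement(sig, f"{{{DS}}}SignatureValue")  # filled in by the backend
        x509 = ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = self.cert_b64
        node.insert(position, sig)
        return sig

    def sign_node(self, node: ET.Element, position: int = 0) -> bytes:
        sig = self._presign(node, position)
        signed_info = c14n(sig.find(f"{{{DS}}}SignedInfo"))  # the only bytes the backend signs
        sig.find(f"{{{DS}}}SignatureValue").text = base64.b64encode(self._sign_bytes(signed_info)).decode()
        return signed_info

    @abstractmethod
    def _sign_bytes(self, data: bytes) -> bytes: ...


class AwsKmsSigner(XmlSigner):
    """Real backend: boto3 kms.sign(KeyId=key_alias, Message=data, MessageType="RAW", SigningAlgorithm=...); kms_sign is a constructed stand-in."""
    def __init__(self, key_alias: str, kms_sign, **kwargs):
        super().__init__(**kwargs)
        self.key_alias, self.kms_sign = key_alias, kms_sign

    def _sign_bytes(self, data: bytes) -> bytes:
        return self.kms_sign(self.key_alias, data)
```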