Support cryptographic functions from AWS KMS

jtalir commented 4 years ago

There should be a possibility to use https://aws.amazon.com/kms/ for cryptographic functions. One possible integration is described in the fork https://github.com/CZ-NIC/django-eidas-specific-node/compare/master...vrk-kpa:kms_support

Design

API

abstract class eidas_node.xml.security.XmlSigner - defines the interface
- abstract sign_node(node: Element, position: int = 0) - sign the XML node
class XmlSecSigner(XmlSigner) - signs with xmlsec
- __init__(key_file: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
class AwsKmsSigner(XmlSigner) - signs with AWS KMS.
- The first implementation may use XmlSecSigner internally and then overwrite the signature with that from AWS KMS.
- __init__(key_alias: str, cert_file: str, signature_method: str, digest_method: str) - initialized with values from settings.
Port SAMLRequest.sign_request(key_file: str, cert_file: str, signature_method: str, digest_method: str) to SAMLRequest.sign_request(signer: XmlSigner).
SAMLResponse.sign_assertion, SAMLResponse.sign_response: As above.

Settings

PROXY_SERVICE_IDENTITY_PROVIDER['REQUEST_SIGNATURE'] becomes DictSetting. Key class specifies the backend to use (defaults to 'eidas_node.xml.security.XmlSecSigner'). Other parameters are used for initialization.
CONNECTOR_SERVICE_PROVIDER['RESPONSE_SIGNATURE']: As above.

Requirements

setup.py: extras_require['aws_kms'] = ['boto3']

jiri-janousek commented 4 years ago

@tpazderka, could you make a design review? Thanks.

jiri-janousek commented 4 years ago

Hello @samikarvonen, could you join us for the design review? Thanks.

tpazderka commented 4 years ago

I do believe that the AwsKmsSigner should be able to prepare the needed structure for the signature withou the use of XmlSecSigner.

I think that the default implementation of creating the structure could be in the ABC as a _presign method?

samikarvonen commented 4 years ago

Yes, it would be better not to sign the xml twice. I just didn't find any simple way of preparing the xml for signing in my implementation. Also, I think specifying that exact version of boto3 is unnecessary latest should work just fine.

jiri-janousek commented 4 years ago

I do believe that the AwsKmsSigner should be able to prepare the needed structure for the signature withou the use of XmlSecSigner.

It isn't only about creating the structure but about filling the structure with certificate data and <ds:SignedInfo> data. AWS KMS client only signs the contents of <ds:SignedInfo> to fill <ds:SignatureValue>.

CZ-NIC / django-eidas-specific-node