JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO
https://docs.jans.io
Apache License 2.0

Auth Server: new endpoint for key management #293

Open nynymike opened 3 years ago

nynymike commented 3 years ago

The JWKS for OpenID Connect is published on the jwks_endpoint, which can be found on the OpenID configuration page (i.e. .well-known/openid-configuration). What we need is a way to import an external key, with a certain kid.

yuriyz commented 3 years ago

Import consists of:

  1. import new key to /etc/certs/jans-auth-keys.jks file (alias=kid)
  2. add new key to JWKS stored in jansConfWebKeys of jansAppConf

It will work for a single instance. @moabu, how is the cluster going to propagate the modified keystore file between nodes?

pujavs commented 3 years ago

Implemented and tested import locally. PR#24 raised for the same => https://github.com/JanssenProject/jans-config-api/pull/24

1) logs - refer to line #7300 - `11-Mar-2021 23:30:06 DEBUG [io.ja.co.se.KeyStoreService] (executor-thread-2)` in config-api_3.log
2) karate test result - refer to POST in src.test.resources.feature.config.jwks.jwks.pdf

pujavs commented 3 years ago

@yuriyz , following is the request and response details for this request. Please confirm 1) Spec post: tags:

yuriyz commented 3 years ago

@pujavs I guess a JSON web key can be generated out of the key. Shouldn't we expect an actual key here (not a JWK)? (E.g. in PEM or DER formats.) @nynymike what is your vision on request/response for it?

pujavs commented 3 years ago

@yuriyz , I needed help in getting the requirement right. As per your suggestion and going through the OB doc (https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1150124033/Directory+2.0+Technical+Overview+v1.5), I understand that the input to our endpoint will be the content of the key in PEM format and I have to;

The issue that I am facing is: if I get the public key in PEM format it does not have all the required details to create the JWK. So the question is whether the PEM will be of the cert, which has all the required details + public key. I assume that it cannot be a pair, or the cert cannot have the private key, for obvious reasons. However, using the cert PEM gives the error "17-Mar-2021 16:55:54 ERROR [io.ja.co.se.KeyStoreService] (executor-thread-2) Failed to parse X.509 certificates from bytes: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length". Am I on the right track? I am stuck and will be able to proceed based on your response. cert_n_log.zip

yuriyz commented 3 years ago

My understanding is that the import endpoint must accept:

1) alias (kid) - it has to be provided from outside.
2) PEM should contain both private and public keys. If it doesn't contain a pair it must be rejected with an appropriate error. (Private key is required, otherwise how would we validate tokens.)

JWK has to be generated based on the pair and updated in:
a) keystore file
b) jwks in persistence

pujavs commented 3 years ago

@yuriyz , based on the above the input PEM will be something like below:

```
-----BEGIN PRIVATE KEY-----
(Private Key content)
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
(Public Key content)
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
(Certificate content)
-----END CERTIFICATE-----
```

pujavs commented 3 years ago

@yuriyz , the combined PEM seems error prone and hence I think that a custom data object with the required details is better. Details: Issue23_Details.zip. Let me know if this is ok.

yuriyz commented 3 years ago

What exactly looks error prone to you? We can take as a basis the Bouncy Castle PEM parser: https://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/openssl/PEMParser.html

I didn't dive into it but it seems to cover all cases. re: custom format, I'm not sure I got the goal. Can you ask for a PEM sample, so we have an exact example and can make sure we support it?

pujavs commented 3 years ago

Thanks @yuriyz , I have asked for a PEM sample. I am not stuck technically at this point; the blocker is the lack of clarity on the exact input. And as you have rightly suggested, I have asked for the sample PEM. Also, what I meant by error prone is parsing a PEM with multiple things, like cert, public key and private key. A PEM with single content can be easily identified and parsed. Based on my search and analysis I understand that the PEM can have anything with appropriate headers & footers. A cert PEM has the public key also but not the private key, and if a single PEM has combined data of the cert + public key and the private key then the content will be as below:

1) Example: Cert + Private Key PEM

```
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
```

2) Example: Private Key + Public Key PEM

```
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
```

pujavs commented 3 years ago

Endpoint Spec:

Input:
- format: PEM/DER/CRT...
- alias: to be used as kid
- keyContent: private and public key. Example if PEM format:

```
-----BEGIN PRIVATE KEY-----
(Private Key content)
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
(Public Key content)
-----END PUBLIC KEY-----
```

Logic:
1) All input details mandatory. If null, throw exception
2) Parse and extract public key
3) Parse and extract private key
4) Generate JWK based on keys
5) Import JWK to keystore file
6) Persist JWK to auth server's jansConfWebKeys
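Added worked example of the spec above (not code from this thread or from jans-config-api, which is Java; it uses Go's standard library in place of the Bouncy Castle PEMParser suggested earlier): it walks a combined PEM block by block, rejects a public-key-only or certificate-only input as yuriyz requires, checks that an included PUBLIC KEY block actually belongs to the private key, and derives the RSA JWK for the given kid. It assumes RSA keys in PKCS#8 form; `SamplePEM` is constructed input that generates a throwaway pair at runtime.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
)

type JWK struct{ Kty, Kid, Use, Alg, N, E string } // public half published on the jwks endpoint

// ImportPEM walks every block of a possibly combined PEM: an RSA private key is mandatory,
// a PUBLIC KEY block (if present) must match it, other blocks such as CERTIFICATE are skipped.
func ImportPEM(kid string, data []byte) (*rsa.PrivateKey, *JWK, error) {
	var priv *rsa.PrivateKey
	var pubDER []byte
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		switch b.Type {
		case "PRIVATE KEY": // PKCS#8; a non-RSA key leaves priv nil and is rejected below
			k, err := x509.ParsePKCS8PrivateKey(b.Bytes)
			if err != nil {
				return nil, nil, err
			}
			priv, _ = k.(*rsa.PrivateKey)
		case "PUBLIC KEY": // SubjectPublicKeyInfo DER, compared byte-for-byte below
			pubDER = b.Bytes
		}
	}
	if priv == nil {
		return nil, nil, errors.New("no RSA private key: a public key or certificate alone is rejected")
	}
	if want, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey); pubDER != nil && !bytes.Equal(pubDER, want) {
		return nil, nil, errors.New("PUBLIC KEY block does not match the private key")
	}
	b64 := base64.RawURLEncoding.EncodeToString // JWK parameters are unpadded base64url
	return priv, &JWK{"RSA", kid, "sig", "RS256", b64(priv.N.Bytes()), b64(big.NewInt(int64(priv.E)).Bytes())}, nil
}

// SamplePEM is constructed input: a throwaway key pair in the combined "private + public key" layout.
func SamplePEM() []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	out := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})...)
}
```

The returned private key is what would go into the keystore under the alias, and the JWK is what would be appended to jansConfWebKeys.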

pujavs commented 3 years ago

Code checked in https://github.com/JanssenProject/jans-config-api/tree/jans-config-api_23

anishnath commented 7 months ago

There is a useful online version of the PEM parser https://8gwifi.org/PemParserFunctions.jsp with different configurations, useful.