italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0

[fetch endpoint] Signature of entity statement #198

Closed damikael closed 2 years ago

damikael commented 2 years ago

Seems that the JWS returned from the fetch endpoint of the trust anchor is not properly signed. In fact, the kid in the header is not present in the JWKS. Following is an example of the JSON returned:

{
  "alg": "RS256",
  "kid": "FifYx03bnosD8m6gYQIfNHNP9cM_Sam9Tc5nLloIIrc",
  "typ": "entity-statement+jwt"
}
.
{
  "exp": 1648816457,
  "iat": 1648643657,
  "iss": "http://127.0.0.1:8000/",
  "sub": "http://127.0.0.1:8000/oidc/op/",
  "jwks": {
    "keys": [
      {
        "kty": "RSA",
        "kid": "w69fCls2d8cOKXuvOQ0hRZOd5u28jCAP3qLqBJfP1SI",
        ...
      }
    ]
  },
  ...
}
peppelinux commented 2 years ago

It must be this way @damikael because the entity statement issued by a federation entity MUST be signed with its federation JWK (the kid in the header) and contains the public jwk of the descendant.

Only the entity configuration of a leaf MUST have a matching kid in the alg of the public jwk contained in the statement.

damikael commented 2 years ago

Ok @peppelinux, so the kid in the header of the JWS returned from the fetch endpoint should match a key in the JWKS in the payload of the federation entity statement (.well-known/openid-federation).

But the kid in the header from the fetch endpoint is:

"kid": "FifYx03bnosD8m6gYQIfNHNP9cM_Sam9Tc5nLloIIrc"

Instead, the JWKS returned from the entity statement of the federation is:

"jwks": {
    "keys": [
      {
        "kty": "RSA",
        "n": "tXiKzIQA2mSCqbOzP2SyVKLKQs0b8z-2yEPJ0Sm3-nQAiGJp7BYfZi5xA3z_KyNQFrUb5QcV1W1cm-hDYHDKoKd3RJaYllQhHOktOL_1ZhrZjjBjOM1WkVYl6A9PuJ2T4YWBZu77DVZ-mOjlsLhG38ThavanGOiNpBkUBzATOMkWKcbLxBE5aXVfuFufn5fWyaNzs6NdSeA3Yy5OWfPPuzZsWoJdPzGP8jPzR294ocU0PcFzFWN0IpTQzvP6itB8WZqT8cH1l72IsjLQssJYbTefMBtcFGdeG4KRz1RoEaxeBcx1_Rlh84UmuJMM9BCWRCCGsyb1qhZUoT68gRSbyw",
        "e": "AQAB",
        "kid": "hR3XOruWxTATBtu0rlyOs_PXLRqKmBJrCckHfNWwvS0"
      }
    ]
  }
peppelinux commented 2 years ago

Ok, using the example project I got [image]

and from http://127.0.0.1:8000/fetch/?sub=http://127.0.0.1:8000/oidc/rp/

I get this

eyJhbGciOiJSUzI1NiIsImtpZCI6IkZpZll4MDNibm9zRDhtNmdZUUlmTkhOUDljTV9TYW05VGM1bkxsb0lJcmMiLCJ0eXAiOiJlbnRpdHktc3RhdGVtZW50K2p3dCJ9....Hq_66jMmFvREycrorQEGiT6I2HzYRaXXB3L6Gu61uUkKdVyTrUL6ncU2NEkCrqG7kiGH956m6_bCYTqQnVx23RhaOhn4Qa0quCue57eSNlCIcOqdAG9U6pWthJv0LP5MU49yhU0_OQ6M59zH3cWEHlDz6TeivpOe9blwCK5kGa9j_5lb62bVcDXuoKbPYUE2Gonx3YFGgwqhKzKx87nXUpXbKCXteE2edLbgclnk6GtOPKDU8ZHWdZwhDL5tJ3_eZjCbl79RxgHAlaLxPJ-kD5ZdXjFtlQFYww-QChXHKNiVNLTJ0i94pTmtGPkvlqM__BmyPvltHYlKPgT-BCPoGw

And I see

[image]

damikael commented 2 years ago

And what is the kid from the federation entity statement, http://127.0.0.1:8000/.well-known/openid-federation ? In this we should have the key, with the same kid, to verify the fetched JWS. Is that right?

peppelinux commented 2 years ago

The fed entity signs a statement related to its descendants using its private JWK. The resulting statement is signed by the fed entity (issuer), is related to the descendant (sub), contains in the header the kid of the fed entity, and in the payload the jwks of the descendant.

In this way the fed entity signs the descendant's jwks.
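The verification order peppelinux describes in the two comments above (the fetch-endpoint statement is signed with the trust anchor's federation key and carries the descendant's jwks; only a leaf's entity configuration is self-signed with a key from its own payload) can be checked end to end with a small resolver. The following is an added example and not code from spid-cie-oidc-django: the RSA key generation, RS256 and JWS routines are toy standard-library implementations written for this illustration, the 1024-bit key size is for speed only, the entity URLs are the thread's local ones, and `build_federation`, `verify_chain` and `fetched_kid_is_in_payload` are hypothetical names. It also reproduces the observation that started the thread: looking the fetch endpoint's header kid up in the payload's own jwks fails, because that jwks belongs to the descendant, not to the signer.

```python
"""Toy OIDC Federation chain check (added example, not project code).
RSA/RS256/JWS are implemented from scratch with the standard library so the
example runs offline; real deployments use a vetted JOSE library."""
import base64
import hashlib
import json
import random
import time

_rng = random.SystemRandom()
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a toy key generator."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _int_b64u(v: int) -> str:
    return _b64u(v.to_bytes((v.bit_length() + 7) // 8, "big"))


def generate_rsa_jwk(bits: int = 1024) -> dict:
    """Private RSA JWK; 'kid' is the RFC 7638 thumbprint, the form seen in the thread."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    pub = {"kty": "RSA", "n": _int_b64u(p * q), "e": _int_b64u(e)}
    thumb = json.dumps({k: pub[k] for k in ("e", "kty", "n")}, separators=(",", ":"), sort_keys=True)
    pub["kid"] = _b64u(hashlib.sha256(thumb.encode()).digest())
    return {**pub, "d": _int_b64u(pow(e, -1, phi))}


def public_jwk(jwk: dict) -> dict:
    return {k: jwk[k] for k in ("kty", "n", "e", "kid")}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_jws(payload: dict, jwk: dict, typ: str = "entity-statement+jwt") -> str:
    """RS256 JWS whose header kid is the SIGNING key's kid (not anything in the payload)."""
    header = {"alg": "RS256", "kid": jwk["kid"], "typ": typ}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(payload).encode())
    n, d = (int.from_bytes(_b64u_dec(jwk[x]), "big") for x in ("n", "d"))
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big"), d, n)
    return signing_input + "." + _b64u(sig.to_bytes(k, "big"))


def jws_payload(jws: str) -> dict:
    """Payload WITHOUT signature verification; only for choosing which jwks to verify with."""
    return json.loads(_b64u_dec(jws.split(".")[1]))


def verify_jws(jws: str, jwks: dict) -> dict:
    """Verify with the key in `jwks` whose kid matches the header; raise ValueError otherwise."""
    h_b64, p_b64, s_b64 = jws.split(".")
    kid = json.loads(_b64u_dec(h_b64)).get("kid")
    keys = [key for key in jwks["keys"] if key.get("kid") == kid]
    if not keys:
        raise ValueError(f"kid {kid!r} not found in the supplied JWKS")
    n, e = (int.from_bytes(_b64u_dec(keys[0][x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(_b64u_dec(s_b64), "big")
    if pow(sig, e, n).to_bytes(k, "big") != _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k):
        raise ValueError("bad signature")
    return json.loads(_b64u_dec(p_b64))


def build_federation() -> tuple:
    """Constructed trust anchor (TA) and leaf with the thread's local URLs."""
    ta_key, leaf_key = generate_rsa_jwk(), generate_rsa_jwk()
    ta, leaf = "http://127.0.0.1:8000/", "http://127.0.0.1:8000/oidc/rp/"
    base = {"iat": int(time.time()), "exp": int(time.time()) + 172800}
    # TA entity configuration (/.well-known/openid-federation): self-signed, own jwks
    ta_ec = sign_jws({**base, "iss": ta, "sub": ta, "jwks": {"keys": [public_jwk(ta_key)]}}, ta_key)
    # leaf entity configuration: self-signed, own jwks (header kid IS in the payload)
    leaf_ec = sign_jws({**base, "iss": leaf, "sub": leaf, "jwks": {"keys": [public_jwk(leaf_key)]}}, leaf_key)
    # TA fetch endpoint output about the leaf: signed by TA, payload carries the LEAF's jwks
    fetched = sign_jws({**base, "iss": ta, "sub": leaf, "jwks": {"keys": [public_jwk(leaf_key)]}}, ta_key)
    return ta_ec, leaf_ec, fetched


def verify_chain(ta_ec: str, leaf_ec: str, fetched: str) -> bool:
    """Resolver order: TA config (self-signed) -> fetched statement (TA key) -> leaf config."""
    ta_jwks = verify_jws(ta_ec, jws_payload(ta_ec)["jwks"])["jwks"]
    fetched_payload = verify_jws(fetched, ta_jwks)  # TA's jwks, not the fetched payload's
    leaf_payload = verify_jws(leaf_ec, fetched_payload["jwks"])  # keys the TA vouched for
    return leaf_payload["sub"] == fetched_payload["sub"] == leaf_payload["iss"]


def fetched_kid_is_in_payload(fetched: str) -> bool:
    """The check from the opening comment; False for a fetch-endpoint statement."""
    try:
        verify_jws(fetched, jws_payload(fetched)["jwks"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    docs = build_federation()
    print("chain verified:", verify_chain(*docs))
    print("fetched header kid found in its own payload jwks:", fetched_kid_is_in_payload(docs[2]))
```

`verify_chain` never looks a kid up in the payload of the document it is verifying, except for the two self-signed entity configurations; everything else is verified with keys obtained one hop above, which is what makes a trust chain a chain.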