diff options
| author | Simo Sorce <simo@redhat.com> | 2015-06-05 15:18:23 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-06-05 15:18:23 -0400 |
| commit | 43e1f39ebe1c58408b05329644007fb1799751fa (patch) | |
| tree | ce84262647ba52e591b9a43bf71705719c23d702 | |
| parent | 3cf9508e5b018bc242bc1ceed6c2cb522e90a00f (diff) | |
| download | custodia-43e1f39ebe1c58408b05329644007fb1799751fa.tar.gz custodia-43e1f39ebe1c58408b05329644007fb1799751fa.tar.xz custodia-43e1f39ebe1c58408b05329644007fb1799751fa.zip | |
Use reasonable algorithms based on key type
If 'signing_algorithms' is not explicitly set in the configuration
file use a reasonable default based on the server key type.
Signed-off-by: Simo Sorce <simo@redhat.com>
| -rw-r--r-- | custodia/message/kem.py | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/custodia/message/kem.py b/custodia/message/kem.py index 3b01a1f..205a5fa 100644 --- a/custodia/message/kem.py +++ b/custodia/message/kem.py @@ -84,7 +84,13 @@ class KEMKeysStore(SimplePathAuthz): if self._alg is None: alg = self.config.get('signing_algorithm', None) if alg is None: - raise ValueError('Signing algorithm not configured') + ktype = self.server_keys[KEY_USAGE_SIG].key_type + if ktype == 'RSA': + alg = 'RS256' + elif ktype == 'EC': + alg = 'ES256' + else: + raise ValueError('Key type unsupported for signing') self._alg = alg return self._alg @@ -165,21 +171,21 @@ class KEMHandler(MessageHandler): raise InvalidMessage('Message Expired') return {'type': 'kem', - 'value': {'kid': self.client_keys[0].key_id, + 'value': {'kid': self.client_keys[KEY_USAGE_ENC].key_id, 'claims': claims}} def reply(self, output): if self.client_keys is None: raise UnknownPublicKey("Peer key not defined") - ktype = self.client_keys[1].key_type + ktype = self.client_keys[KEY_USAGE_ENC].key_type if ktype == 'RSA': enc = ('RSA1_5', 'A256CBC-HS512') else: raise ValueError("'%s' type not supported yet" % ktype) value = make_enc_kem(self.name, output, - self.kkstore.server_keys[0], + self.kkstore.server_keys[KEY_USAGE_SIG], self.kkstore.alg, self.client_keys[1], enc) @@ -322,10 +328,7 @@ class KEMTests(unittest.TestCase): @classmethod def setUpClass(cls): - config = { - 'server_keys': test_keys[0]['kid'], - 'signing_algorithm': 'RS256', - 'encryption_algorithms': 'RSA1_5 A128CBC-HS256'} + config = {'server_keys': test_keys[0]['kid']} with open('examples/client_enc.key') as f: data = f.read() cls.client_keys = json_decode(data) |