From 43e1f39ebe1c58408b05329644007fb1799751fa Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 5 Jun 2015 15:18:23 -0400
Subject: Use reasonable algorithms based on key type

If 'signing_algorithms' is not explicitly set in the configuration
file use a reasonable default based on the server key type.

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 custodia/message/kem.py | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'custodia/message/kem.py')

diff --git a/custodia/message/kem.py b/custodia/message/kem.py
index 3b01a1f..205a5fa 100644
--- a/custodia/message/kem.py
+++ b/custodia/message/kem.py
@@ -84,7 +84,13 @@ class KEMKeysStore(SimplePathAuthz):
         if self._alg is None:
             alg = self.config.get('signing_algorithm', None)
             if alg is None:
-                raise ValueError('Signing algorithm not configured')
+                ktype = self.server_keys[KEY_USAGE_SIG].key_type
+                if ktype == 'RSA':
+                    alg = 'RS256'
+                elif ktype == 'EC':
+                    alg = 'ES256'
+                else:
+                    raise ValueError('Key type unsupported for signing')
             self._alg = alg
         return self._alg
 
@@ -165,21 +171,21 @@ class KEMHandler(MessageHandler):
             raise InvalidMessage('Message Expired')
 
         return {'type': 'kem',
-                'value': {'kid': self.client_keys[0].key_id,
+                'value': {'kid': self.client_keys[KEY_USAGE_ENC].key_id,
                           'claims': claims}}
 
     def reply(self, output):
         if self.client_keys is None:
             raise UnknownPublicKey("Peer key not defined")
 
-        ktype = self.client_keys[1].key_type
+        ktype = self.client_keys[KEY_USAGE_ENC].key_type
         if ktype == 'RSA':
             enc = ('RSA1_5', 'A256CBC-HS512')
         else:
             raise ValueError("'%s' type not supported yet" % ktype)
 
         value = make_enc_kem(self.name, output,
-                             self.kkstore.server_keys[0],
+                             self.kkstore.server_keys[KEY_USAGE_SIG],
                              self.kkstore.alg,
                              self.client_keys[1], enc)
 
@@ -322,10 +328,7 @@ class KEMTests(unittest.TestCase):
 
     @classmethod
     def setUpClass(cls):
-        config = {
-            'server_keys': test_keys[0]['kid'],
-            'signing_algorithm': 'RS256',
-            'encryption_algorithms': 'RSA1_5 A128CBC-HS256'}
+        config = {'server_keys': test_keys[0]['kid']}
         with open('examples/client_enc.key') as f:
             data = f.read()
             cls.client_keys = json_decode(data)
-- 
cgit