Skip to content

Add support for optional encryption of RSA key at rest #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion oidc_provider/lib/utils/token.py
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ def get_client_alg_keys(client):
if client.jwt_alg == 'RS256':
keys = []
for rsakey in RSAKey.objects.all():
keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))
keys.append(jwk_RSAKey(key=importKey(rsakey.pem), kid=rsakey.kid))
if not keys:
raise Exception('You must add at least one RSA Key.')
elif client.jwt_alg == 'HS256':
Expand Down
32 changes: 24 additions & 8 deletions oidc_provider/management/commands/creatersakey.py
Original file line number Diff line number Diff line change
@@ -1,16 +1,32 @@
from Cryptodome.PublicKey import RSA
from django.core.management.base import BaseCommand
from oidc_provider.models import RSAKey
from oidc_provider import settings


encrypt = settings.import_hook('OIDC_RSA_ENCRYPT_HOOK')
decrypt = settings.import_hook('OIDC_RSA_DECRYPT_HOOK')


class Command(BaseCommand):
help = 'Randomly generate a new RSA key for the OpenID server'

def handle(self, *args, **options):
try:
key = RSA.generate(2048)
rsakey = RSAKey(key=key.exportKey('PEM').decode('utf8'))
rsakey.save()
self.stdout.write(u'RSA key successfully created with kid: {0}'.format(rsakey.kid))
except Exception as e:
self.stdout.write('Something goes wrong: {0}'.format(e))
def add_arguments(self, parser):
if encrypt is None:
return

parser.add_argument(
'--encrypted',
'-e',
action='store_true',
help='Encrypt key',
)

def handle(self, *_, **options):
key = RSA.generate(2048)
rsakey = RSAKey(
key=key.exportKey('PEM').decode('utf8'),
encrypted=options.get('encrypted', False),
)
rsakey.save()
self.stdout.write(u'RSA key successfully created with kid: {0}'.format(rsakey.kid))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
self.stdout.write(u'RSA key successfully created with kid: {0}'.format(rsakey.kid))
self.stdout.write(f'RSA key successfully created with kid: {rsakey.kid}')

18 changes: 18 additions & 0 deletions oidc_provider/migrations/0027_add_rsakey_encrypted.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Generated by Django 3.2.18 on 2024-04-05 16:57

from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
('oidc_provider', '0026_client_multiple_response_types'),
]

operations = [
migrations.AddField(
model_name='rsakey',
name='encrypted',
field=models.BooleanField(default=False),
),
]
39 changes: 37 additions & 2 deletions oidc_provider/models.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@
from hashlib import sha256
import json

from django.core.exceptions import ValidationError
from django.db import models
from django.utils import timezone
from django.utils.translation import gettext_lazy as _
from django.conf import settings
from oidc_provider import settings as oidc_settings


CLIENT_TYPE_CHOICES = [
Expand All @@ -30,6 +32,10 @@
]


rsa_encrypt = oidc_settings.import_hook("OIDC_RSA_ENCRYPT_HOOK")
rsa_decrypt = oidc_settings.import_hook("OIDC_RSA_DECRYPT_HOOK")


class ResponseTypeManager(models.Manager):
def get_by_natural_key(self, value):
return self.get(value=value)
Expand Down Expand Up @@ -251,6 +257,7 @@ class RSAKey(models.Model):

key = models.TextField(
verbose_name=_(u'Key'), help_text=_(u'Paste your private RSA Key here.'))
encrypted = models.BooleanField(default=False)

class Meta:
verbose_name = _(u'RSA Key')
Expand All @@ -262,10 +269,38 @@ def __str__(self):
def __unicode__(self):
return self.__str__()

def clean(self):
super().clean()
if self.encrypted and rsa_encrypt is None:
raise ValidationError(
"Could not encrypt key value. settings.OIDC_RSA_ENCRYPT_HOOK is not defined."
)

def save(self, *args, **kwargs):
if self.encrypted:
encrypted = rsa_encrypt(self.key.encode())
self.key = base64.b64encode(encrypted).decode()
super().save(*args, **kwargs)

@property
def pem(self):
if not self.encrypted:
return self.key

if rsa_decrypt is None:
raise AttributeError(
"Could not decrypt key value. settings.OIDC_RSA_DECRYPT_HOOK is not defined."
)

encrypted = base64.b64decode(self.key)
return rsa_decrypt(encrypted).decode()

@property
def kid(self):
return u'{0}'.format(
hashlib.new("md5", self.key.encode('utf-8'), usedforsecurity=False).hexdigest()
return "{0}".format(
hashlib.new(
"md5", self.pem.encode("utf-8"), usedforsecurity=False
).hexdigest()
if self.key
else ''
)
16 changes: 16 additions & 0 deletions oidc_provider/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,20 @@ def OIDC_INTROSPECTION_RESPONSE_SCOPE_ENABLE(self):
"""
return False

@property
def OIDC_RSA_ENCRYPT_HOOK(self):
"""
OPTIONAL. A string with the location of a function used to encrypt RSA keys.
"""
return None

@property
def OIDC_RSA_DECRYPT_HOOK(self):
"""
OPTIONAL. A string with the location of a function used to decrypt RSA keys.
"""
return None


default_settings = DefaultSettings()

Expand All @@ -234,6 +248,8 @@ def import_from_str(value):

def import_hook(hook_name):
hook_path = get(hook_name.upper())
if hook_path is None:
return None
return import_from_str(hook_path)


Expand Down
2 changes: 1 addition & 1 deletion oidc_provider/version.py
Original file line number Diff line number Diff line change
@@ -1 +1 @@
__version__ = '0.8.3+orm'
__version__ = '0.8.4+orm'
2 changes: 1 addition & 1 deletion oidc_provider/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -327,7 +327,7 @@ def get(self, request, *args, **kwargs):
dic = dict(keys=[])

for rsakey in RSAKey.objects.all():
public_key = RSA.importKey(rsakey.key).publickey()
public_key = RSA.importKey(rsakey.pem).publickey()
dic['keys'].append({
'kty': 'RSA',
'alg': 'RS256',
Expand Down