Make key_spec and cert_spec configurable

f12bb4b0 · Martin van Es · b3e4d8c0 · f12bb4b0 · f12bb4b0 · f12bb4b0
Commit f12bb4b0 authored 3 years ago by Martin van Es
--- a/mdsigner.yaml.example
+++ b/mdsigner.yaml.example
 ---
 test:
-  signer: test_signer
+  signer:
+    name: test_signer
+    key_spec: meta.key
+    cert_spec: meta.crt
  metadir: metadata/test
 foobar:
-  signer: foobar_signer
+  signer:
+    name: hsm_signer
+    key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
  metadir: metadata/foobar
--- a/signers.py
+++ b/signers.py
 import xmlsec

-cert = "meta.crt"
-key = "meta.key"

+def _normal_signer(xml, key_spec, cert_spec):
+    print(f"Normal signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)

-def Signers(signer):
-    def _normal_signer(xml):
-        print("Normal signer")
-        return xmlsec.sign(xml, key_spec=key, cert_spec=cert)

-    def _test_signer(xml):
-        print("Test signer")
-        return xmlsec.sign(xml, key_spec=key, cert_spec=cert)
+def _test_signer(xml, key_spec, cert_spec):
+    print(f"Test signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)

-    def _foobar_signer(xml):
-        print("Foobar signer")
-        return xmlsec.sign(xml, key_spec=key, cert_spec=cert)

-    def _hsm_signer(xml):
-        print("HSM signer")
-        return xmlsec.sign(xml, key_spec="pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret")
+def _foobar_signer(xml, key_spec, cert_spec):
+    print(f"Foobar signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)

-    signers = {
-        'normal_signer': _normal_signer,
-        'test_signer': _test_signer,
-        'foobar_signer': _foobar_signer,
-        'hsm_signer': _hsm_signer
-    }

-    return signers[signer]
+def _hsm_signer(xml, key_spec, cert_spec):
+    print(f"HSM signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)
+
+
+_signers = {
+    'normal_signer': _normal_signer,
+    'test_signer': _test_signer,
+    'foobar_signer': _foobar_signer,
+    'hsm_signer': _hsm_signer
+}
+
+
+class Signers():
+    def __init__(self, signer):
+        self.name = signer['name']
+        self.key_spec = signer['key_spec']
+        self.cert_spec = signer.get('cert_spec', None)
+
+    def sign(self, xml):
+        return _signers[self.name](xml, self.key_spec, self.cert_spec)
--- a/utils.py
+++ b/utils.py
@@ -163,7 +163,7 @@ class Realm:
                print(f"sign {sha1}")
                valid_until = self.idps[sha1].valid_until
                if valid_until > datetime.now(tz.tzutc()):
-                    signed_element = self.signer(self.idps[sha1].md)
+                    signed_element = self.signer.sign(self.idps[sha1].md)
                    signed_xml = ET.tostring(signed_element,
                                             pretty_print=True).decode()
                    signed_entity = Entity()
@@ -208,7 +208,7 @@ class Realm:
            root.set('cacheDuration', duration_isoformat(cache_duration))
            last_modified = datetime.now(tz.tzutc())

-            signed_root = self.signer(root)
+            signed_root = self.signer.sign(root)
            data.md = ET.tostring(signed_root, pretty_print=True)
            data.valid_until = valid_until
            data.last_modified = last_modified