From f12bb4b091db35f7b1886edfb889846a9964a8f4 Mon Sep 17 00:00:00 2001
From: Martin van Es <martin@mrvanes.com>
Date: Wed, 20 Apr 2022 12:37:33 +0200
Subject: [PATCH] Make key_spec and cert_spec configurable

---
 mdsigner.yaml.example |  9 ++++++--
 signers.py            | 52 +++++++++++++++++++++++++------------------
 utils.py              |  4 ++--
 3 files changed, 39 insertions(+), 26 deletions(-)

diff --git a/mdsigner.yaml.example b/mdsigner.yaml.example
index 1d636e9..cbf091c 100644
--- a/mdsigner.yaml.example
+++ b/mdsigner.yaml.example
@@ -1,7 +1,12 @@
 ---
 test:
-  signer: test_signer
+  signer:
+    name: test_signer
+    key_spec: meta.key
+    cert_spec: meta.crt
   metadir: metadata/test
 foobar:
-  signer: foobar_signer
+  signer:
+    name: hsm_signer
+    key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
   metadir: metadata/foobar
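Review bot: The `key_spec` for the `hsm_signer` entry carries the token PIN as a URI query parameter (`?pin=secret`), so with this change the PIN becomes ordinary realm configuration and is echoed wherever `key_spec` is displayed (the signer functions in signers.py print the full spec). An example file should not teach a literal PIN in-line; replace it with a labelled placeholder and say where the real value belongs, e.g. `key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=<HSM_PIN>  # PIN is a credential: restrict this file's permissions` (the `<HSM_PIN>` placeholder is constructed). The same entry omits `cert_spec`, which `Signers.__init__` accepts by defaulting it to `None`; a one-line comment such as `# cert_spec is optional for hsm_signer` would make that visible to someone copying the example.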
diff --git a/signers.py b/signers.py
index e9717f0..16276f1 100644
--- a/signers.py
+++ b/signers.py
@@ -1,31 +1,39 @@
 import xmlsec
 
-cert = "meta.crt"
-key = "meta.key"
 
+def _normal_signer(xml, key_spec, cert_spec):
+    print(f"Normal signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)
 
-def Signers(signer):
-    def _normal_signer(xml):
-        print("Normal signer")
-        return xmlsec.sign(xml, key_spec=key, cert_spec=cert)
 
-    def _test_signer(xml):
-        print("Test signer")
-        return xmlsec.sign(xml, key_spec=key, cert_spec=cert)
+def _test_signer(xml, key_spec, cert_spec):
+    print(f"Test signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)
 
-    def _foobar_signer(xml):
-        print("Foobar signer")
-        return xmlsec.sign(xml, key_spec=key, cert_spec=cert)
 
-    def _hsm_signer(xml):
-        print("HSM signer")
-        return xmlsec.sign(xml, key_spec="pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret")
+def _foobar_signer(xml, key_spec, cert_spec):
+    print(f"Foobar signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)
 
-    signers = {
-        'normal_signer': _normal_signer,
-        'test_signer': _test_signer,
-        'foobar_signer': _foobar_signer,
-        'hsm_signer': _hsm_signer
-    }
 
-    return signers[signer]
+def _hsm_signer(xml, key_spec, cert_spec):
+    print(f"HSM signer {key_spec} {cert_spec}")
+    return xmlsec.sign(xml, key_spec=key_spec, cert_spec=cert_spec)
+
+
+_signers = {
+    'normal_signer': _normal_signer,
+    'test_signer': _test_signer,
+    'foobar_signer': _foobar_signer,
+    'hsm_signer': _hsm_signer
+}
+
+
+class Signers():
+    def __init__(self, signer):
+        self.name = signer['name']
+        self.key_spec = signer['key_spec']
+        self.cert_spec = signer.get('cert_spec', None)
+
+    def sign(self, xml):
+        return _signers[self.name](xml, self.key_spec, self.cert_spec)
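Review bot: `print(f"HSM signer {key_spec} {cert_spec}")` writes the whole key spec to stdout, and for a pkcs11 URI of the form used in mdsigner.yaml.example that includes the `?pin=` credential; the same applies to the three sibling print lines above it. Print only the part before the query string, e.g. `print(f"HSM signer {key_spec.split('?', 1)[0]} {cert_spec}")`, or just the signer name, so the PIN never lands in logs. Separately, `Signers.__init__` stores `signer['name']` without checking it against `_signers`, so a mistyped name in the config only surfaces as a bare `KeyError` from `sign()` on the first signing attempt; adding `if self.name not in _signers: raise ValueError(f"unknown signer: {self.name}")` to `__init__` fails at startup with a clear message. A short class docstring stating that `signer` is the mapping with `name`, `key_spec` and optional `cert_spec` keys would also document the new contract.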
diff --git a/utils.py b/utils.py
index b523990..5a059ac 100755
--- a/utils.py
+++ b/utils.py
@@ -163,7 +163,7 @@ class Realm:
                 print(f"sign {sha1}")
                 valid_until = self.idps[sha1].valid_until
                 if valid_until > datetime.now(tz.tzutc()):
-                    signed_element = self.signer(self.idps[sha1].md)
+                    signed_element = self.signer.sign(self.idps[sha1].md)
                     signed_xml = ET.tostring(signed_element,
                                              pretty_print=True).decode()
                     signed_entity = Entity()
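Review bot: The call site now expects `self.signer` to be a `Signers` instance with a `sign` method, but the patch touches no line where `self.signer` is assigned, so whatever constructs it must already be passing the new `signer` mapping (with `name`, `key_spec`, `cert_spec`) rather than the old bare signer name; that should be confirmed, since a string there would now raise `AttributeError` here rather than fail loudly at load time. The same applies to the second hunk in this file, `signed_root = self.signer.sign(root)`. The enclosing method begins and ends outside both hunks.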
@@ -208,7 +208,7 @@ class Realm:
             root.set('cacheDuration', duration_isoformat(cache_duration))
             last_modified = datetime.now(tz.tzutc())
 
-            signed_root = self.signer(root)
+            signed_root = self.signer.sign(root)
             data.md = ET.tostring(signed_root, pretty_print=True)
             data.valid_until = valid_until
             data.last_modified = last_modified
-- 
GitLab