key loader: did: web: SCITT SCRAPI transparency-configuration

Signed-off-by: John Andersen <[email protected]>

scitt_emulator/create_statement.py

@@ -76,8 +76,6 @@ def create_claim(
     # }
 
     # Create COSE_Sign1 structure
-    # https://python-cwt.readthedocs.io/en/stable/algorithms.html
-    alg = "ES384"
     # Create an ad-hoc key
     # oct: size(int)
     # RSA: public_exponent(int), size(int)
@@ -88,6 +86,8 @@ def create_claim(
         key.import_from_pem(private_key_pem_path.read_bytes())
     else:
         key = key.generate(kty="EC", crv="P-384")
+    # https://python-cwt.readthedocs.io/en/stable/algorithms.html
+    alg = key.key_curve.replace("P-", "ES")
     kid = key.thumbprint()
     key_as_pem_bytes = key.export_to_pem(private_key=True, password=None)
     # cwt_cose_key = cwt.COSEKey.generate_symmetric_key(alg=alg, kid=kid)

scitt_emulator/key_loader_format_url_referencing_oidc_issuer.py

@@ -62,14 +62,3 @@ def key_loader_format_url_referencing_oidc_issuer(
                             )
 
     return keys
-
-
-def transform_key_instance_jwcrypto_jwk_to_cwt_cose(
-    key: jwcrypto.jwk.JWK,
-) -> cwt.COSEKey:
-    if not isinstance(key, jwcrypto.jwk.JWK):
-        raise TypeError(key)
-    return cwt.COSEKey.from_pem(
-        key.export_to_pem(),
-        kid=key.thumbprint(),
-    )

scitt_emulator/key_loader_format_url_referencing_scitt_scrapi.py

@@ -0,0 +1,72 @@
+import json
+import contextlib
+import urllib.parse
+import urllib.request
+from typing import List, Tuple
+
+import cwt
+import cwt.algs.ec2
+import pycose
+import pycose.keys.ec2
+
+# TODO Remove this once we have a example flow for proper key verification
+import jwcrypto.jwk
+
+from scitt_emulator.did_helpers import did_web_to_url
+from scitt_emulator.key_helper_dataclasses import VerificationKey
+from scitt_emulator.key_loader_format_did_jwk import to_object_jwk
+
+
+CONTENT_TYPE = "application/scitt+jwk+set+json"
+
+
+def key_loader_format_url_referencing_scitt_scrapi(
+    unverified_issuer: str,
+) -> List[Tuple[cwt.COSEKey, pycose.keys.ec2.EC2Key]]:
+    keys = []
+
+    if unverified_issuer.startswith("did:web:"):
+        unverified_issuer = did_web_to_url(unverified_issuer)
+
+    if "://" not in unverified_issuer or unverified_issuer.startswith("file://"):
+        return keys
+
+    # TODO Logging for URLErrors
+    # Check if OIDC issuer
+    unverified_issuer_parsed_url = urllib.parse.urlparse(unverified_issuer)
+    openid_configuration_url = unverified_issuer_parsed_url._replace(
+        path="/.well-known/transparency-configuration",
+    ).geturl()
+    with contextlib.suppress(urllib.request.URLError):
+        with urllib.request.urlopen(openid_configuration_url) as response:
+            if response.status == 200:
+                openid_configuration = json.loads(response.read())
+                jwks = openid_configuration["jwks"]
+                for jwk_key_as_dict in jwks["keys"]:
+                    jwk_key_as_string = json.dumps(jwk_key_as_dict)
+                    jwk_key = jwcrypto.jwk.JWK.from_json(jwk_key_as_string)
+                    keys.append(
+                        VerificationKey(
+                            transforms=[jwk_key],
+                            original=jwk_key,
+                            original_content_type=CONTENT_TYPE,
+                            original_bytes=jwk_key_as_string.encode("utf-8"),
+                            original_bytes_encoding="utf-8",
+                            usable=False,
+                            cwt=None,
+                            cose=None,
+                        )
+                    )
+
+    return keys
+
+
+def transform_key_instance_jwcrypto_jwk_to_cwt_cose(
+    key: jwcrypto.jwk.JWK,
+) -> cwt.COSEKey:
+    if not isinstance(key, jwcrypto.jwk.JWK):
+        raise TypeError(key)
+    return cwt.COSEKey.from_pem(
+        key.export_to_pem(),
+        kid=key.thumbprint(),
+    )

setup.py

@@ -13,12 +13,13 @@
         ],
         'scitt_emulator.verify_signature.key_loaders': [
             'did_jwk=scitt_emulator.key_loader_format_did_jwk:key_loader_format_did_jwk',
+            'url_referencing_scitt_scrapi=scitt_emulator.key_loader_format_url_referencing_scitt_scrapi:key_loader_format_url_referencing_scitt_scrapi',
             'url_referencing_oidc_issuer=scitt_emulator.key_loader_format_url_referencing_oidc_issuer:key_loader_format_url_referencing_oidc_issuer',
             'url_referencing_ssh_authorized_keys=scitt_emulator.key_loader_format_url_referencing_ssh_authorized_keys:key_loader_format_url_referencing_ssh_authorized_keys',
         ],
         'scitt_emulator.key_helpers.transforms_key_instances': [
             'transform_key_instance_cwt_cose_ec2_to_pycose_ec2=scitt_emulator.key_transforms:transform_key_instance_cwt_cose_ec2_to_pycose_ec2',
-            'transform_key_instance_jwcrypto_jwk_to_cwt_cose=scitt_emulator.key_loader_format_url_referencing_oidc_issuer:transform_key_instance_jwcrypto_jwk_to_cwt_cose',
+            'transform_key_instance_jwcrypto_jwk_to_cwt_cose=scitt_emulator.key_loader_format_url_referencing_scitt_scrapi:transform_key_instance_jwcrypto_jwk_to_cwt_cose',
             'transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk=scitt_emulator:key_loader_format_url_referencing_ssh_authorized_keys.transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk',
         ],
         'scitt_emulator.key_helpers.verification_key_to_object': [