WIP

Author: cicnavi

config/module_oidc.php.dist

@@ -21,8 +21,6 @@
     ModuleConfig::OPTION_TOKEN_REFRESH_TOKEN_TTL => 'P1M',
     ModuleConfig::OPTION_TOKEN_ACCESS_TOKEN_TTL => 'PT1H',
 
-    ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
-
     ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS => [
         [
             ModuleConfig::KEY_ALGORITHM => \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum::RS256,

docker/ssp/module_oidc.php

@@ -11,28 +11,54 @@ New features:
 Federation signing algorithms and key pairs. This was introduced in order to
 support signature algorithm negotiation with the clients. 
 - Clients can now be configured with new properties:
-  - ID Token Signing Algorithm (id_token_signed_response_alg)
+  - ID Token Signing Algorithm (`id_token_signed_response_alg`)
 - Initial support for OpenID for Verifiable Credential Issuance
 (OpenID4VCI). Note that the implementation is experimental. You should not use
 it in production.
 
 New configuration options:
 
-- ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS - (required) enables defining
+- `ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS` - (required) enables defining
 multiple protocol (Connect) related signing algorithms and key pairs. 
-- ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS - (required if federation
+- `ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS` - (required if federation
 capabilities are enabled) enables defining multiple key pairs for 
 Federation purposes like signing Entity Statements, publishing new key for
 key roll-ower scenarios, etc.
-- ModuleConfig::OPTION_TIMESTAMP_VALIDATION_LEEWAY - optional, used for setting
+- `ModuleConfig::OPTION_TIMESTAMP_VALIDATION_LEEWAY` - optional, used for setting
 allowed time tolerance for timestamp validation in artifacts like JWSs.
 multiple Federation related signing algorithms and key pairs.
 - Several new options regarding experimental support for OpenID4VCI.
 
 Major impact changes:
 
-- The following configuration options are removed:
-  - 
+- The following configuration options related to protocol (Connect) 
+signature algorithm and key pair are removed:
+  - `ModuleConfig::OPTION_PKI_PRIVATE_KEY_PASSPHRASE`
+  - `ModuleConfig::OPTION_PKI_PRIVATE_KEY_FILENAME`
+  - `ModuleConfig::OPTION_PKI_CERTIFICATE_FILENAME`
+  - `ModuleConfig::OPTION_TOKEN_SIGNER`
+  - `ModuleConfig::OPTION_PKI_NEW_PRIVATE_KEY_PASSPHRASE`
+  - `ModuleConfig::OPTION_PKI_NEW_PRIVATE_KEY_FILENAME`
+  - `ModuleConfig::OPTION_PKI_NEW_CERTIFICATE_FILENAME`
+
+  Instead of those options, now you must use option
+  `ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS` in which you can define
+  all supported signature keys for protocol (Connect) purposes.
+- The following configuration options related to Federation signature algorithm
+and key pair are removed:
+  - `ModuleConfig::OPTION_PKI_FEDERATION_PRIVATE_KEY_PASSPHRASE`
+  - `ModuleConfig::OPTION_PKI_FEDERATION_PRIVATE_KEY_FILENAME`
+  - `ModuleConfig::OPTION_PKI_FEDERATION_CERTIFICATE_FILENAME`
+  - `ModuleConfig::OPTION_FEDERATION_TOKEN_SIGNER`
+  - `ModuleConfig::OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_PASSPHRASE`
+  - `ModuleConfig::OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_FILENAME`
+  - `ModuleConfig::OPTION_PKI_FEDERATION_NEW_CERTIFICATE_FILENAME`
+  
+  Instead of those options, now you must use option
+  `ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS` in which you can define
+  all the supported signature keys for Federation purposes.
+- Removed config option `ModuleConfig::OPTION_HOMEPAGE_URI`. Use 
+`ModuleConfig::OPTION_ORGANIZATION_URI` instead.
 - In v6 of the module, when defining custom scopes, there was a possibility to
 use standard claims with the 'are_multiple_claim_values_allowed' option.
 This would allow multiple values (array of values) for standard claims which

docs/6-oidc-upgrade.md

@@ -8,22 +8,17 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
-use SimpleSAML\Module\oidc\Utils\FingerprintGenerator;
 use SimpleSAML\Module\oidc\Utils\Routes;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ContentTypesEnum;
 use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
 use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
-use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Federation;
-use SimpleSAML\OpenID\Jwk;
 use SimpleSAML\OpenID\Jwks;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -38,14 +33,12 @@ class EntityStatementController
      */
     public function __construct(
         protected readonly ModuleConfig $moduleConfig,
-        protected readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
         protected readonly Jwks $jwks,
         protected readonly OpMetadataService $opMetadataService,
         protected readonly ClientRepository $clientRepository,
         protected readonly Helpers $helpers,
         protected readonly Routes $routes,
         protected readonly Federation $federation,
-        protected readonly Jwk $jwk,
         protected readonly LoggerService $loggerService,
         protected readonly ?FederationCache $federationCache,
     ) {
@@ -76,20 +69,14 @@ public function configuration(): Response
 
         $currentTimestamp = $this->helpers->dateTime()->getUtc()->getTimestamp();
 
-        $header = [
-            ClaimsEnum::Kid->value => FingerprintGenerator::forFile(
-                $this->moduleConfig->getFederationCertPath(),
-            ),
-        ];
-
         $jwks = $this->jwks->jwksDecoratorFactory()->fromJwkDecorators(
             ...$this->moduleConfig->getFederationSignatureKeyPairBag()->getAllPublicKeys(),
         )->jsonSerialize();
 
         $payload = [
             ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
             ClaimsEnum::Iat->value => $currentTimestamp,
-            ClaimsEnum::Jti->value => $this->helpers->random()->getIdentifier(),
+            ClaimsEnum::Jti->value => $this->federation->helpers()->random()->string(),
             // This is entity configuration (statement about itself).
             ClaimsEnum::Sub->value => $this->moduleConfig->getIssuer(),
             ClaimsEnum::Exp->value => $this->helpers->dateTime()->getUtc()->add(
@@ -211,16 +198,21 @@ public function configuration(): Response
         // Remaining claims, add if / when ready.
         // * crit
 
+        $signingKeyPair = $this->moduleConfig
+            ->getFederationSignatureKeyPairBag()
+            ->getFirstOrFail();
+
+        $header = [
+            ClaimsEnum::Kid->value => $signingKeyPair->getKeyPair()->getKeyId(),
+        ];
+
         /** @psalm-suppress ArgumentTypeCoercion */
         $entityConfigurationToken = $this->federation->entityStatementFactory()->fromData(
-            $this->jwk->jwkDecoratorFactory()->fromPkcs1Or8KeyFile(
-                $this->moduleConfig->getFederationPrivateKeyPath(),
-            ),
-            SignatureAlgorithmEnum::from($this->moduleConfig->getFederationSigner()->algorithmId()),
+            $signingKeyPair->getKeyPair()->getPrivateKey(),
+            $signingKeyPair->getSignatureAlgorithm(),
             $payload,
             $header,
-        )
-        ->getToken();
+        )->getToken();
 
         $this->federationCache?->set(
             $entityConfigurationToken,
@@ -274,47 +266,60 @@ public function fetch(Request $request): Response
             );
         }
 
-        $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
-            ->withHeader(ClaimsEnum::Typ->value, JwtTypesEnum::EntityStatementJwt->value)
-            ->relatedTo($subject)
-            ->expiresAt(
-                $this->helpers->dateTime()->getUtc()->add($this->moduleConfig->getFederationEntityStatementDuration()),
-            )->withClaim(
-                ClaimsEnum::Jwks->value,
-                $jwks,
-            )
-            ->withClaim(
-                ClaimsEnum::Metadata->value,
-                [
-                    EntityTypesEnum::OpenIdRelyingParty->value => [
-                        ClaimsEnum::ClientName->value => $client->getName(),
-                        ClaimsEnum::ClientId->value => $client->getIdentifier(),
-                        ClaimsEnum::RedirectUris->value => $client->getRedirectUris(),
-                        ClaimsEnum::Scope->value => implode(' ', $client->getScopes()),
-                        ClaimsEnum::ClientRegistrationTypes->value => $client->getClientRegistrationTypes(),
-                        // Optional claims...
-                        ...(array_filter(
-                            [
-                                ClaimsEnum::BackChannelLogoutUri->value => $client->getBackChannelLogoutUri(),
-                                ClaimsEnum::PostLogoutRedirectUris->value => $client->getPostLogoutRedirectUri(),
-                            ],
-                        )),
-                        // TODO v7 mivanci Continue
-                        // https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
-                        // https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata
-                    ],
+        $currentTimestamp = $this->helpers->dateTime()->getUtc()->getTimestamp();
+
+        $payload = [
+            ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::Iat->value => $currentTimestamp,
+            ClaimsEnum::Jti->value => $this->helpers->random()->getIdentifier(),
+
+            ClaimsEnum::Sub->value => $subject,
+            ClaimsEnum::Exp->value => $this->helpers->dateTime()->getUtc()->add(
+                $this->moduleConfig->getFederationEntityStatementDuration(),
+            )->getTimestamp(),
+            ClaimsEnum::Jwks->value => $jwks,
+            ClaimsEnum::Metadata->value => [
+                EntityTypesEnum::OpenIdRelyingParty->value => [
+                    ClaimsEnum::ClientName->value => $client->getName(),
+                    ClaimsEnum::ClientId->value => $client->getIdentifier(),
+                    ClaimsEnum::RedirectUris->value => $client->getRedirectUris(),
+                    ClaimsEnum::Scope->value => implode(' ', $client->getScopes()),
+                    ClaimsEnum::ClientRegistrationTypes->value => $client->getClientRegistrationTypes(),
+                    // Optional claims...
+                    ...(array_filter(
+                        [
+                            ClaimsEnum::BackChannelLogoutUri->value => $client->getBackChannelLogoutUri(),
+                            ClaimsEnum::PostLogoutRedirectUris->value => $client->getPostLogoutRedirectUri(),
+                        ],
+                    )),
+                    // TODO v7 mivanci Continue
+                    // https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
+                    // https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata
                 ],
-            );
+            ],
+        ];
 
         // TODO v7 mivanci Continue
         // Note: claims which can be present in subordinate statements:
         // * metadata_policy
         // * constraints
         // * metadata_policy_crit
 
-        $jws = $this->jsonWebTokenBuilderService->getSignedFederationJwt($builder);
+        $signingKeyPair = $this->moduleConfig
+            ->getFederationSignatureKeyPairBag()
+            ->getFirstOrFail();
+
+
+        $header = [
+            ClaimsEnum::Kid->value => $signingKeyPair->getKeyPair()->getKeyId(),
+        ];
 
-        $subordinateStatementToken = $jws->toString();
+        $subordinateStatementToken = $this->federation->entityStatementFactory()->fromData(
+            $signingKeyPair->getKeyPair()->getPrivateKey(),
+            $signingKeyPair->getSignatureAlgorithm(),
+            $payload,
+            $header,
+        )->getToken();
 
         $this->federationCache?->set(
             $subordinateStatementToken,

src/Controllers/Federation/EntityStatementController.php

@@ -40,7 +40,7 @@ public function configuration(): Response
     {
         // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-issuer-metadata-p
 
-        $signer = $this->moduleConfig->getProtocolSigner();
+        $signatureKeyPair = $this->moduleConfig->getProtocolSignatureKeyPairBag()->getFirstOrFail();
 
         $credentialConfigurationsSupported = $this->moduleConfig->getCredentialConfigurationsSupported();
 
@@ -50,12 +50,12 @@ public function configuration(): Response
             if (is_array($credentialConfiguration)) {
                 // Draft 17
                 $credentialConfiguration[ClaimsEnum::CredentialSigningAlgValuesSupported->value] = [
-                    $signer->algorithmId(),
+                    $signatureKeyPair->getSignatureAlgorithm()->value,
                 ];
                 // Earlier drafts
                 // TODO mivanci Delete CryptographicSuitesSupported once we are on the final draft.
                 $credentialConfiguration[ClaimsEnum::CryptographicSuitesSupported->value] = [
-                    $signer->algorithmId(),
+                    $signatureKeyPair->getSignatureAlgorithm()->value,
                 ];
                 $credentialConfigurationsSupported[$credentialConfigurationId] = $credentialConfiguration;
             }

src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php

@@ -17,7 +17,6 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\Routes;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Codebooks\AtContextsEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
@@ -27,7 +26,6 @@
 use SimpleSAML\OpenID\Did;
 use SimpleSAML\OpenID\Exceptions\OpenId4VciProofException;
 use SimpleSAML\OpenID\Exceptions\OpenIdException;
-use SimpleSAML\OpenID\Jwk;
 use SimpleSAML\OpenID\VerifiableCredentials;
 use SimpleSAML\OpenID\VerifiableCredentials\OpenId4VciProof;
 use Symfony\Component\HttpFoundation\Request;
@@ -50,7 +48,6 @@ public function __construct(
         protected readonly Routes $routes,
         protected readonly PsrHttpBridge $psrHttpBridge,
         protected readonly VerifiableCredentials $verifiableCredentials,
-        protected readonly Jwk $jwk,
         protected readonly LoggerService $loggerService,
         protected readonly RequestParamsResolver $requestParamsResolver,
         protected readonly UserRepository $userRepository,
@@ -592,18 +589,13 @@ public function credential(Request $request): Response
             $sub,
         );
 
-        $signingKey = $this->jwk->jwkDecoratorFactory()->fromPkcs1Or8KeyFile(
-            $this->moduleConfig->getProtocolPrivateKeyPath(),
-            null,
-        );
+        $protocolSignatureKeyPair = $this->moduleConfig
+            ->getProtocolSignatureKeyPairBag()
+            ->getFirstOrFail();
 
-        $publicKey = $this->jwk->jwkDecoratorFactory()->fromPkcs1Or8KeyFile(
-            $this->moduleConfig->getProtocolCertPath(),
-            null,
-            [
-                //ClaimsEnum::Use->value => 'sig',
-            ],
-        );
+        $signingKey = $protocolSignatureKeyPair->getKeyPair()->getPrivateKey();
+
+        $publicKey = $protocolSignatureKeyPair->getKeyPair()->getPublicKey();
 
         $base64PublicKey = json_encode($publicKey->jwk()->all(), JSON_UNESCAPED_SLASHES);
         $base64PublicKey = Base64Url::encode($base64PublicKey);
@@ -613,7 +605,7 @@ public function credential(Request $request): Response
         $issuedAt = new \DateTimeImmutable();
 
         $vcId = $this->moduleConfig->getIssuer() . '/vc/' . uniqid();
-        $signatureAlgorithm = SignatureAlgorithmEnum::from($this->moduleConfig->getProtocolSigner()->algorithmId());
+        $signatureAlgorithm = $protocolSignatureKeyPair->getSignatureAlgorithm();
 
         $verifiableCredential = null;
 

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -7,10 +7,7 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmBag;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Jwks;
-use SimpleSAML\OpenID\SupportedAlgorithms;
 
 class JwksFactory
 {
@@ -27,14 +24,8 @@ public function __construct(
      */
     public function build(): Jwks
     {
-        $supportedAlgorithms = new SupportedAlgorithms(
-            new SignatureAlgorithmBag(
-                SignatureAlgorithmEnum::from($this->moduleConfig->getFederationSigner()->algorithmId()),
-            ),
-        );
-
         return new Jwks(
-            supportedAlgorithms: $supportedAlgorithms,
+            supportedAlgorithms: $this->moduleConfig->getSupportedAlgorithms(),
             maxCacheDuration: $this->moduleConfig->getFederationCacheMaxDurationForFetched(),
             cache: $this->federationCache?->cache,
             logger: $this->loggerService,

src/Factories/JwksFactory.php

@@ -6,9 +6,6 @@
 
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\LoggerService;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmBag;
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
-use SimpleSAML\OpenID\SupportedAlgorithms;
 use SimpleSAML\OpenID\VerifiableCredentials;
 
 class VerifiableCredentialsFactory
@@ -25,23 +22,8 @@ public function __construct(
      */
     public function build(): VerifiableCredentials
     {
-        $supportedAlgorithms = new SupportedAlgorithms(
-            new SignatureAlgorithmBag(
-                SignatureAlgorithmEnum::from($this->moduleConfig->getProtocolSigner()->algorithmId()),
-                SignatureAlgorithmEnum::RS256,
-                SignatureAlgorithmEnum::RS384,
-                SignatureAlgorithmEnum::RS512,
-                SignatureAlgorithmEnum::ES256,
-                SignatureAlgorithmEnum::ES384,
-                SignatureAlgorithmEnum::ES512,
-                SignatureAlgorithmEnum::PS256,
-                SignatureAlgorithmEnum::PS384,
-                SignatureAlgorithmEnum::PS512,
-            ),
-        );
-
         return new VerifiableCredentials(
-            supportedAlgorithms: $supportedAlgorithms,
+            supportedAlgorithms: $this->moduleConfig->getSupportedAlgorithms(),
             logger: $this->loggerService,
         );
     }