added new ConfigToken test and doc
This commit is contained in:
parent
cb80e709d6
commit
2dbb8f1a80
237
doc/ConfigToken.md
Normal file
237
doc/ConfigToken.md
Normal file
@ -0,0 +1,237 @@
|
||||
# Client-Token Test (`my_`)
|
||||
|
||||
> This document belongs to the test-case [test_config_token.py](/src/test/test_config_token.py)
|
||||
|
||||
Our *Client-Token* itself is consistent and all validations are successful. But the `nvidia-gridd` service fails to
|
||||
verify.
|
||||
This probably is, because we are using certificates which are not singed by nvidia. This maybe is done by the initial
|
||||
instance-token exchange.
|
||||
|
||||
Maybe the only way to get successful, is to fake the whole instance-token exchange.
|
||||
|
||||
## JWT
|
||||
|
||||
```
|
||||
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJkZWU5MjRiZi1iNjg4LTQ2NzQtYmM2NC03YjYwM2UxNDUyYmYiLCJpc3MiOiJOTFMgU2VydmljZSBJbnN0YW5jZSIsImF1ZCI6Ik5MUyBMaWNlbnNlZCBDbGllbnQiLCJpYXQiOjE3NDI1NTYyMTcsIm5iZiI6MTc0MjU1NjIxNywiZXhwIjoyMTIxMjQ3NDE3LCJ1cGRhdGVfbW9kZSI6IkFCU09MVVRFIiwic2NvcGVfcmVmX2xpc3QiOlsiMjAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAxIl0sImZ1bGZpbGxtZW50X2NsYXNzX3JlZl9saXN0IjpbXSwic2VydmljZV9pbnN0YW5jZV9jb25maWd1cmF0aW9uIjp7Im5sc19zZXJ2aWNlX2luc3RhbmNlX3JlZiI6IjRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOSIsInN2Y19wb3J0X3NldF9saXN0IjpbeyJpZHgiOjAsImRfbmFtZSI6IkRMUyIsInN2Y19wb3J0X21hcCI6W3sic2VydmljZSI6ImF1dGgiLCJwb3J0Ijo0NDN9LHsic2VydmljZSI6ImxlYXNlIiwicG9ydCI6NDQzfSx7InNlcnZpY2UiOiJxdWlja19yZWxlYXNlIiwicG9ydCI6NDQzfV19XSwibm9kZV91cmxfbGlzdCI6W3siaWR4IjowLCJ1cmwiOiIxOTIuMTY4LjE3OC4xMTAiLCJ1cmxfcXIiOiIxOTIuMTY4LjE3OC4xMTAiLCJzdmNfcG9ydF9zZXRfaWR4IjowfV19LCJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfY29uZmlndXJhdGlvbiI6eyJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfbWUiOnsibW9kIjoiZWRiMGIzNjgwZGIzMDNmNWIzNTM5ZTgzZGFlMTkzM2E3MDk3Yzg3MTJjNDc2NzM5YTlkNTJhYWJlMWJiOWMwNWMyZjE0NzRiODJiOWE2ODhmOGUyODlkYTI0MDM1ODQzOTYzZGI0OTE0ZDhmM2RlYWZmNTgyOTIzMWI3YWM2NzIxMWZlMTFhNTg5ZjNhZGYyNTI1ZDkyY2JmZTQxOTgwMDFmY2M5MTJkNDg5ZTdmYWY4MzYyNWQ2Yzg3Y2NhODYzNTVmNmVhOTlmN2IwYjZmYTBiMGM4Mzg1MDFiYjIyNjM2YzEwYTQ5ZTk5ODllYjMwZDI1Y2JlYzkwODZmZGFkOTJkYWY1ZmJlZTk5YjBkZmNmNDk4OGZkY2MzY2I4ZmFjMDY0NzUwNzNhYjRhNjg4MmQ3YzcwYzY4OThkNTM4N2UwMTQyYjRhMjgxN2Q5OTE1N2I1YzE3YjRkZTVlNmEwYmFkNjZjYzg0YjE4M2M3ZmUxZjQ4ZmNhMjZkNmNlY2ViYjRmNjY0ZDhhZTIxMDkyMDA0ZTA5ZWQ5NDY4OTE2ZTA4Y2EzODhhNTAzYjFkYjVkYjQzMmM2NThlZDA3YTVjZWJhOTA3NTg0NWI5OTZhOGE2Yzg2NWZjNWQ2OWI5YTg5MmQwMGM2ZTBiZDUxZDE0MjJiNDEwYmY5Yzg4NjgyZDkiLCJleHAiOjY1NTM3fSwic2VydmljZV9pbnN0YW5jZV9wdWJsaWNfa2V5X3BlbSI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTdiQ3phQTJ6QS9XelU1NkQydUdUXG5PbkNYeUhFc1IyYzVxZFVxcStHN25BWEM4VWRMZ3JtbWlQamlpZG9rQTFoRGxqMjBrVTJQUGVyL1dDa2pHM3JHXG5jaEgrRWFXSjg2M3lVbDJTeS81Qm1BQWZ6SkV0U0o1L3I0TmlYV3lIektoalZmYnFtZmV3dHZvTERJT0ZBYnNpXG5ZMndRcEo2Wmllc3cwbHkreVFodjJ0a3RyMSsrNlpzTi9QU1lqOXpEeTQrc0JrZFFjNnRLYUlMWHh3eG9tTlU0XG5mZ0ZDdEtLQmZaa1ZlMXdYdE41ZWFndXRac3lFc1lQSC9oOUkvS0p0Yk96cnRQWmsySzRoQ1NBRTRKN1pSb2tXXG40SXlqaUtVRHNkdGR0RExHV08wSHBjNjZrSFdFVzVscWlteUdYOFhXbTVxSkxRREc0TDFSMFVJclFRdjV5SWFDXG4yUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIiwia2V5X3JldGVudGlvbl9tb2RlIjoiTEFURVNUX09OTFkifX0.Hl2EfHaP1ja18VFNYpNaIKJcddGRdtpGve7JkFcrt5rRVnbTxXNYkhYCmc4Q5EyctCchSjUkU1UKcedL0RHJQeZ25kRiUjMSEE7jaXDwU29uANY9HxiJx3I-SKUahDcFuS3KtiScKxxihcAgWTi-rNZGkXMbCT4MM08Gzn_F7R1XcH0ZXoX1ZKon9lps6w6xzhKtyzu9zsrC3Cn0W4C4P918nD3e1jLHkVXYSLR8I27KSgeCPCPKR3fMTFU0BnnYRmkHheAS1Lp3Y5KI3t518vwb-NkSgF5ucpTloot7boTv6fBHlkmcc83LpWC4GQmInu_i1gm6cDQhB7RC1zBnoA
|
||||
```
|
||||
|
||||
### JWT decoded
|
||||
|
||||
```
|
||||
{
|
||||
"jti": "dee924bf-b688-4674-bc64-7b603e1452bf",
|
||||
"iss": "NLS Service Instance",
|
||||
"aud": "NLS Licensed Client",
|
||||
"iat": 1742556217,
|
||||
"nbf": 1742556217,
|
||||
"exp": 2121247417,
|
||||
"update_mode": "ABSOLUTE",
|
||||
"scope_ref_list": [ "20000000-0000-0000-0000-000000000001" ],
|
||||
"fulfillment_class_ref_list": [],
|
||||
"service_instance_configuration": {
|
||||
"nls_service_instance_ref": "4e53a171-103b-4946-9ed8-5f4c0ee750d9",
|
||||
"svc_port_set_list": [
|
||||
{
|
||||
"idx": 0,
|
||||
"d_name": "DLS",
|
||||
"svc_port_map": [
|
||||
{ "service": "auth", "port": 443 },
|
||||
{ "service": "lease", "port": 443 },
|
||||
{ "service": "quick_release", "port": 443 }
|
||||
]
|
||||
}
|
||||
],
|
||||
"node_url_list": [{ "idx": 0, "url": "192.168.178.110", "url_qr": "192.168.178.110", "svc_port_set_idx": 0 }]
|
||||
},
|
||||
"service_instance_public_key_configuration": {
|
||||
"service_instance_public_key_me": {
|
||||
"mod": "edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9",
|
||||
"exp": 65537
|
||||
},
|
||||
"service_instance_public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bCzaA2zA/WzU56D2uGT\nOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hDlj20kU2PPer/WCkjG3rG\nchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhjVfbqmfewtvoLDIOFAbsi\nY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+sBkdQc6tKaILXxwxomNU4\nfgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzrtPZk2K4hCSAE4J7ZRokW\n4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJLQDG4L1R0UIrQQv5yIaC\n2QIDAQAB\n-----END PUBLIC KEY-----",
|
||||
"key_retention_mode": "LATEST_ONLY"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### JWT Signature
|
||||
|
||||
Signature can be verified with included `$.service_instance_public_key_configuration.service_instance_public_key_pem`
|
||||
|
||||
```
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bCzaA2zA/WzU56D2uGT
|
||||
OnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hDlj20kU2PPer/WCkjG3rG
|
||||
chH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhjVfbqmfewtvoLDIOFAbsi
|
||||
Y2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+sBkdQc6tKaILXxwxomNU4
|
||||
fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzrtPZk2K4hCSAE4J7ZRokW
|
||||
4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJLQDG4L1R0UIrQQv5yIaC
|
||||
2QIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
```
|
||||
|
||||
**Details**
|
||||
|
||||
```
|
||||
Algo RSA
|
||||
Format X.509
|
||||
ASN1 Dump
|
||||
RSA Public Key [0a:f7:53:cc:fe:4d:e3:4a:da:39:7b:65:8f:87:67:e7:86:22:3a:60]
|
||||
modulus: edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9
|
||||
public exponent: 10001
|
||||
```
|
||||
|
||||
## Config-Token
|
||||
|
||||
```json
|
||||
{
|
||||
"certificateConfiguration": {
|
||||
"caChain": [
|
||||
"-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUD2CdXDMPoAsGOH87+lhMsIwczTswDQYJKoZIhvcNAQEL\r\nBQAwcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExJzAlBgNVBAsM\r\nHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAoTkxTKTEPMA0GA1UECgwGTnZpZGlh\r\nMRQwEgYDVQQDDAtOTFMgUm9vdCBDQTAeFw0yNTAzMjAxMTE3NTFaFw0zNTAzMTkx\r\nMTE3NTFaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYD\r\nVQQKDAZOdmlkaWExJzAlBgNVBAsMHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAo\r\nTkxTKTEcMBoGA1UEAwwTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN\r\nAQEBBQADggIPADCCAgoCggIBAKY8YjANHn+yYnXMZREn+NqYE+cCJd+vaEB4d2qw\r\n2VADWM7d1bo2n3iCTX30uf/j14XgC85va3ZwPNhTHXm0EObPnnuDcMzbkZc/FxR1\r\nCB8DuVIeTNrxVj3aAo4I1ET5Y1m7gxAQsD9KUUK00uP0YfJIZMdxFs+waGLuJMDn\r\nF3bJfbrl8J2paZ8BFQiDlQX6zSd2iNasigWMyFQYar87NvQdy8SRKZ4ISRaeuf/1\r\nVJQGs/014OFNFKEOXcfo2xKX0LzFrBYv8BYWx5a3bvSP1lMREhYa4Bb7PvImcHCa\r\nMoA3V5nDjp1v5wh/E0CqtlgQwD99yBbQuMcWl+zmadPWDMWZQnUxoEENLlqXQ7DW\r\nH792QjJm95MIoN9tbSqjvmIjneyy5F+dCuWes7cnZYR5F5X2/zn0pJ8jWbZdQnSl\r\nHXOOyAhqbsmUkGUohVsTVKsUcOGYVXhwS5jdMNRzuSCbbfn/ZGBG6XWUO5ELoXFc\r\nw/iNe2PSO2SixpwXbN3kCtaIjW5YJCFikqOW+Ho9Wy1yI3U261E7SuxTle89DaNQ\r\nsNfHAJKB28yHVK3sNAzWj/Vg6ZYCjMDDlu2nOFEKzJg3OIMiowkZxmkKe+1r5qQQ\r\njgAQf2k2GQNSgGQBeWujOthgx/FdpOGOmZuP6zAPCr/kEndjvFQtpjDxVBKwCIcQ\r\nZdjJAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G\r\nA1UdDgQWBBTy/9FFg3FeMCiVc1SweFWeW4gnCjAfBgNVHSMEGDAWgBQCqIgM/Kld\r\nQ+CdLvVgsfLael0/DDANBgkqhkiG9w0BAQsFAAOCAgEAC/440Dy8dPhuXS2fxSmQ\r\n7J2LwrhCWYtFNkXJW4Dnwb9mipVzr8vvBPGXJXG1LkfsVFYYv8lVqN+ErYctqv1B\r\nqLM5ZT+avnBBogcX/2Se9hqCSy24kOsYnjNqtHFxiOoK3xoMs9kdHy0Nt0su408R\r\nv+NHV1jQasvP7KuLXreRBwijHEQcIpi9Nfyh/O5aaQikN2EtQV3ZqYI87DRnPsGs\r\nBaX/TBKlFfPfVjS6mXq6YB7y8oA8NH0IiJ1xn+7nYVjTmSHGWQnTLYOMowMuGFFT\r\n3gUiWKQnD74NHZzkvEiX82WDM4SiD1dQCV6OWsTxbs0bUsM0du78CRapi/9XwoUQ\r\nzyJaIzYUtsnHBO4YM78tNi9RZbWB52cOVb7YP2Rj6vHf34SjbIU+exRXPzgs/5d5\r\n6D8eTNj6iq2XtCSGQ50NqZL8N3iDvpypVc8xnfibYA+CLIa152s9LXxTnkACVsHh\r\n9qqyJEUW2qCxKvHxpGqzcsQ6tqQlNaNd8vCJAZU28yZQyuVfhL2rqbab0dFrZdbV\r\ntMk1lk1K3a2kuZfGL5CzWTWsht3b3UOBJT383OInNwkr1UvQr/w3Ml+JdhDDIjIB\r\nz5vrl6bd6uZ/2AUED+o6cM/1mTygdt6u6m+9XFJScplyoltuI7KItXqhf50kM5Ca\r\nOHBuH+vCm1w54MOyHsWydR8=\r\n-----END CERTIFICATE-----"
|
||||
],
|
||||
"publicCert": "-----BEGIN CERTIFICATE-----\r\nMIID2zCCAsOgAwIBAgIUG9EvbFb33ajYzlLIYbD+Wb04Xh0wDQYJKoZIhvcNAQEL\r\nBQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAoM\r\nBk52aWRpYTEnMCUGA1UECwweTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMp\r\nMRwwGgYDVQQDDBNOTFMgSW50ZXJtZWRpYXRlIENBMB4XDTI1MDMyMDExMTc1MVoX\r\nDTM1MDMxOTExMTc1MVowLzEtMCsGA1UEAwwkNGU1M2ExNzEtMTAzYi00OTQ2LTll\r\nZDgtNWY0YzBlZTc1MGQ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n7bCzaA2zA/WzU56D2uGTOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hD\r\nlj20kU2PPer/WCkjG3rGchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhj\r\nVfbqmfewtvoLDIOFAbsiY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+s\r\nBkdQc6tKaILXxwxomNU4fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzr\r\ntPZk2K4hCSAE4J7ZRokW4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJ\r\nLQDG4L1R0UIrQQv5yIaC2QIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwIDqDAdBgNV\r\nHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO7YfN6kz6TytpbG\r\nQsiVOBxXknNIMB8GA1UdIwQYMBaAFPL/0UWDcV4wKJVzVLB4VZ5biCcKMC8GA1Ud\r\nEQQoMCaCJDRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOTANBgkq\r\nhkiG9w0BAQsFAAOCAQEAsSw2FKHvL6LtxjP6lvcnRtbtqO9Y1tfanWG8ebTbiF0Z\r\nU5bok/vJ6ut/fqW9zixOSFtzzaTKe91lyeWqt9uHje2wV6SSM+Bw1RglVAvcFejd\r\nfX88/iEDSmqlDf+NAC8yyiWdZ5snboxWBaTpPcf8gziZhDUIxRUFIZCYjqJEkN1u\r\nevfJZqaVsT0zcbmwc+6W7YGD4J8JSFpkwN0odTtciAooBzXpfFzXMz0zrghjFRxA\r\nYnq1C0sQNlBb84yS+B/f4qTfDqL2eCxARZSWSl/S71VRkPn5QRs4iPE0AVeWWZAd\r\n0iHSFm6jxj1x7/+r+Q+wN9hLtT7fEXXKuW7t6ECgDg==\r\n-----END CERTIFICATE-----",
|
||||
"publicKey": {
|
||||
"exp": 65537,
|
||||
"mod": [
|
||||
"edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9"
|
||||
]
|
||||
}
|
||||
},
|
||||
"configToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJOTFMgU2VydmljZSBJbnN0YW5jZSIsImF1ZCI6Ik5MUyBMaWNlbnNlZCBDbGllbnQiLCJpYXQiOjE3NDI1NTU4NzEsIm5iZiI6MTc0MjU1NTg3MSwiZXhwIjoyMTIxMjQ3MDcxLCJwcm90b2NvbF92ZXJzaW9uIjoiMi4wIiwiZF9uYW1lIjoiRExTIiwic2VydmljZV9pbnN0YW5jZV9yZWYiOiI0ZTUzYTE3MS0xMDNiLTQ5NDYtOWVkOC01ZjRjMGVlNzUwZDkiLCJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfY29uZmlndXJhdGlvbiI6eyJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfbWUiOnsibW9kIjoiZWRiMGIzNjgwZGIzMDNmNWIzNTM5ZTgzZGFlMTkzM2E3MDk3Yzg3MTJjNDc2NzM5YTlkNTJhYWJlMWJiOWMwNWMyZjE0NzRiODJiOWE2ODhmOGUyODlkYTI0MDM1ODQzOTYzZGI0OTE0ZDhmM2RlYWZmNTgyOTIzMWI3YWM2NzIxMWZlMTFhNTg5ZjNhZGYyNTI1ZDkyY2JmZTQxOTgwMDFmY2M5MTJkNDg5ZTdmYWY4MzYyNWQ2Yzg3Y2NhODYzNTVmNmVhOTlmN2IwYjZmYTBiMGM4Mzg1MDFiYjIyNjM2YzEwYTQ5ZTk5ODllYjMwZDI1Y2JlYzkwODZmZGFkOTJkYWY1ZmJlZTk5YjBkZmNmNDk4OGZkY2MzY2I4ZmFjMDY0NzUwNzNhYjRhNjg4MmQ3YzcwYzY4OThkNTM4N2UwMTQyYjRhMjgxN2Q5OTE1N2I1YzE3YjRkZTVlNmEwYmFkNjZjYzg0YjE4M2M3ZmUxZjQ4ZmNhMjZkNmNlY2ViYjRmNjY0ZDhhZTIxMDkyMDA0ZTA5ZWQ5NDY4OTE2ZTA4Y2EzODhhNTAzYjFkYjVkYjQzMmM2NThlZDA3YTVjZWJhOTA3NTg0NWI5OTZhOGE2Yzg2NWZjNWQ2OWI5YTg5MmQwMGM2ZTBiZDUxZDE0MjJiNDEwYmY5Yzg4NjgyZDkiLCJleHAiOjY1NTM3fSwic2VydmljZV9pbnN0YW5jZV9wdWJsaWNfa2V5X3BlbSI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTdiQ3phQTJ6QS9XelU1NkQydUdUXG5PbkNYeUhFc1IyYzVxZFVxcStHN25BWEM4VWRMZ3JtbWlQamlpZG9rQTFoRGxqMjBrVTJQUGVyL1dDa2pHM3JHXG5jaEgrRWFXSjg2M3lVbDJTeS81Qm1BQWZ6SkV0U0o1L3I0TmlYV3lIektoalZmYnFtZmV3dHZvTERJT0ZBYnNpXG5ZMndRcEo2Wmllc3cwbHkreVFodjJ0a3RyMSsrNlpzTi9QU1lqOXpEeTQrc0JrZFFjNnRLYUlMWHh3eG9tTlU0XG5mZ0ZDdEtLQmZaa1ZlMXdYdE41ZWFndXRac3lFc1lQSC9oOUkvS0p0Yk96cnRQWmsySzRoQ1NBRTRKN1pSb2tXXG40SXlqaUtVRHNkdGR0RExHV08wSHBjNjZrSFdFVzVscWlteUdYOFhXbTVxSkxRREc0TDFSMFVJclFRdjV5SWFDXG4yUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIiwia2V5X3JldGVudGlvbl9tb2RlIjoiTEFURVNUX09OTFkifX0.D3soBLZ4vLVwBRwrrK3FrpX599jDfV6gJpD7OnucTfkTILg3AwLLyoPuStd9Pc0EcvW8b2BQ0B5sXgJYW3XAyeFWh08PP02T8Y0bGneWcVkY81tn1eg-zwskk9GQlMooBH3IRRAG1dg5GLjuohZqaz48hNdXY2Ok8G0A68EVELY0zrc9PyMVia0tnNIwM8msnIC3ryEymCuAqnjLpCVjPoEkmpggfgvHrJDdLsoZuMs-P-49WxgZO0vCaolHUXQIy5lYkxcI9tzy17NmXeJK-Ut0AihLIYg0_K6YhetDdxQdGQYvNliD12IzDHDE0hDHF5EasnccUjSN_dQNVWP7Sg"
|
||||
}
|
||||
```
|
||||
|
||||
### CA-Chain
|
||||
|
||||
```
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIF3TCCA8WgAwIBAgIUD2CdXDMPoAsGOH87+lhMsIwczTswDQYJKoZIhvcNAQEL
|
||||
BQAwcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExJzAlBgNVBAsM
|
||||
Hk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAoTkxTKTEPMA0GA1UECgwGTnZpZGlh
|
||||
MRQwEgYDVQQDDAtOTFMgUm9vdCBDQTAeFw0yNTAzMjAxMTE3NTFaFw0zNTAzMTkx
|
||||
MTE3NTFaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYD
|
||||
VQQKDAZOdmlkaWExJzAlBgNVBAsMHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAo
|
||||
TkxTKTEcMBoGA1UEAwwTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN
|
||||
AQEBBQADggIPADCCAgoCggIBAKY8YjANHn+yYnXMZREn+NqYE+cCJd+vaEB4d2qw
|
||||
2VADWM7d1bo2n3iCTX30uf/j14XgC85va3ZwPNhTHXm0EObPnnuDcMzbkZc/FxR1
|
||||
CB8DuVIeTNrxVj3aAo4I1ET5Y1m7gxAQsD9KUUK00uP0YfJIZMdxFs+waGLuJMDn
|
||||
F3bJfbrl8J2paZ8BFQiDlQX6zSd2iNasigWMyFQYar87NvQdy8SRKZ4ISRaeuf/1
|
||||
VJQGs/014OFNFKEOXcfo2xKX0LzFrBYv8BYWx5a3bvSP1lMREhYa4Bb7PvImcHCa
|
||||
MoA3V5nDjp1v5wh/E0CqtlgQwD99yBbQuMcWl+zmadPWDMWZQnUxoEENLlqXQ7DW
|
||||
H792QjJm95MIoN9tbSqjvmIjneyy5F+dCuWes7cnZYR5F5X2/zn0pJ8jWbZdQnSl
|
||||
HXOOyAhqbsmUkGUohVsTVKsUcOGYVXhwS5jdMNRzuSCbbfn/ZGBG6XWUO5ELoXFc
|
||||
w/iNe2PSO2SixpwXbN3kCtaIjW5YJCFikqOW+Ho9Wy1yI3U261E7SuxTle89DaNQ
|
||||
sNfHAJKB28yHVK3sNAzWj/Vg6ZYCjMDDlu2nOFEKzJg3OIMiowkZxmkKe+1r5qQQ
|
||||
jgAQf2k2GQNSgGQBeWujOthgx/FdpOGOmZuP6zAPCr/kEndjvFQtpjDxVBKwCIcQ
|
||||
ZdjJAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
|
||||
A1UdDgQWBBTy/9FFg3FeMCiVc1SweFWeW4gnCjAfBgNVHSMEGDAWgBQCqIgM/Kld
|
||||
Q+CdLvVgsfLael0/DDANBgkqhkiG9w0BAQsFAAOCAgEAC/440Dy8dPhuXS2fxSmQ
|
||||
7J2LwrhCWYtFNkXJW4Dnwb9mipVzr8vvBPGXJXG1LkfsVFYYv8lVqN+ErYctqv1B
|
||||
qLM5ZT+avnBBogcX/2Se9hqCSy24kOsYnjNqtHFxiOoK3xoMs9kdHy0Nt0su408R
|
||||
v+NHV1jQasvP7KuLXreRBwijHEQcIpi9Nfyh/O5aaQikN2EtQV3ZqYI87DRnPsGs
|
||||
BaX/TBKlFfPfVjS6mXq6YB7y8oA8NH0IiJ1xn+7nYVjTmSHGWQnTLYOMowMuGFFT
|
||||
3gUiWKQnD74NHZzkvEiX82WDM4SiD1dQCV6OWsTxbs0bUsM0du78CRapi/9XwoUQ
|
||||
zyJaIzYUtsnHBO4YM78tNi9RZbWB52cOVb7YP2Rj6vHf34SjbIU+exRXPzgs/5d5
|
||||
6D8eTNj6iq2XtCSGQ50NqZL8N3iDvpypVc8xnfibYA+CLIa152s9LXxTnkACVsHh
|
||||
9qqyJEUW2qCxKvHxpGqzcsQ6tqQlNaNd8vCJAZU28yZQyuVfhL2rqbab0dFrZdbV
|
||||
tMk1lk1K3a2kuZfGL5CzWTWsht3b3UOBJT383OInNwkr1UvQr/w3Ml+JdhDDIjIB
|
||||
z5vrl6bd6uZ/2AUED+o6cM/1mTygdt6u6m+9XFJScplyoltuI7KItXqhf50kM5Ca
|
||||
OHBuH+vCm1w54MOyHsWydR8=
|
||||
-----END CERTIFICATE-----
|
||||
```
|
||||
|
||||
**Details**
|
||||
|
||||
- Serial Number: `0F:60:9D:5C:33:0F:A0:0B:06:38:7F:3B:FA:58:4C:B0:8C:1C:CD:3B` (
|
||||
`87789441104157334067027060312294361915113393467`)
|
||||
- Subject DN: `CN=NLS Intermediate CA, OU=Nvidia Licensing Service (NLS), O=Nvidia, ST=California, C=US`
|
||||
- Issuer DN: `CN=NLS Root CA, O=Nvidia, OU=Nvidia Licensing Service (NLS), ST=California, C=US`
|
||||
- Critical Extensions
|
||||
```
|
||||
Certificate Signing
|
||||
CRL Signing
|
||||
Subject is a CA
|
||||
Path Length Constraint: None
|
||||
```
|
||||
- Non Critical Extensions
|
||||
```
|
||||
Key Identifier: 0xF2FF D145 8371 5E30 2895 7354 B078 559E 5B88 270A
|
||||
Key Identifier: 0x02A8 880C FCA9 5D43 E09D 2EF5 60B1 F2DA 7A5D 3F0C
|
||||
```
|
||||
|
||||
### Public-Cert
|
||||
|
||||
This is used to verify JWT-Signature.
|
||||
|
||||
> [!alert]
|
||||
> On offical DLS we have no private/prublic key. This certificate is only
|
||||
> present in database "configuration" => "DLS_SI_CERTIFICATE".
|
||||
> There also is an encrypted private-key, which probably is the private-key
|
||||
> belonging to this certificate.
|
||||
|
||||
```
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID2zCCAsOgAwIBAgIUG9EvbFb33ajYzlLIYbD+Wb04Xh0wDQYJKoZIhvcNAQEL
|
||||
BQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAoM
|
||||
Bk52aWRpYTEnMCUGA1UECwweTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMp
|
||||
MRwwGgYDVQQDDBNOTFMgSW50ZXJtZWRpYXRlIENBMB4XDTI1MDMyMDExMTc1MVoX
|
||||
DTM1MDMxOTExMTc1MVowLzEtMCsGA1UEAwwkNGU1M2ExNzEtMTAzYi00OTQ2LTll
|
||||
ZDgtNWY0YzBlZTc1MGQ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
|
||||
7bCzaA2zA/WzU56D2uGTOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hD
|
||||
lj20kU2PPer/WCkjG3rGchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhj
|
||||
VfbqmfewtvoLDIOFAbsiY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+s
|
||||
BkdQc6tKaILXxwxomNU4fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzr
|
||||
tPZk2K4hCSAE4J7ZRokW4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJ
|
||||
LQDG4L1R0UIrQQv5yIaC2QIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwIDqDAdBgNV
|
||||
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO7YfN6kz6TytpbG
|
||||
QsiVOBxXknNIMB8GA1UdIwQYMBaAFPL/0UWDcV4wKJVzVLB4VZ5biCcKMC8GA1Ud
|
||||
EQQoMCaCJDRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOTANBgkq
|
||||
hkiG9w0BAQsFAAOCAQEAsSw2FKHvL6LtxjP6lvcnRtbtqO9Y1tfanWG8ebTbiF0Z
|
||||
U5bok/vJ6ut/fqW9zixOSFtzzaTKe91lyeWqt9uHje2wV6SSM+Bw1RglVAvcFejd
|
||||
fX88/iEDSmqlDf+NAC8yyiWdZ5snboxWBaTpPcf8gziZhDUIxRUFIZCYjqJEkN1u
|
||||
evfJZqaVsT0zcbmwc+6W7YGD4J8JSFpkwN0odTtciAooBzXpfFzXMz0zrghjFRxA
|
||||
Ynq1C0sQNlBb84yS+B/f4qTfDqL2eCxARZSWSl/S71VRkPn5QRs4iPE0AVeWWZAd
|
||||
0iHSFm6jxj1x7/+r+Q+wN9hLtT7fEXXKuW7t6ECgDg==
|
||||
-----END CERTIFICATE-----
|
||||
```
|
||||
|
||||
**Details**
|
||||
|
||||
- Serial Number: `1B:D1:2F:6C:56:F7:DD:A8:D8:CE:52:C8:61:B0:FE:59:BD:38:5E:1D` (
|
||||
`158807737702271588335335063867501016171838725661`)
|
||||
- Subject DN: `CN=4e53a171-103b-4946-9ed8-5f4c0ee750d9`
|
||||
- Issuer DN: `CN=NLS Intermediate CA, OU=Nvidia Licensing Service (NLS), O=Nvidia, ST=California, C=US`
|
||||
- SASNS: `4e53a171-103b-4946-9ed8-5f4c0ee750d9`
|
||||
- Critical Extensions
|
||||
```
|
||||
Digital Signature
|
||||
Key Encipherment
|
||||
Key Agreement
|
||||
````
|
||||
- Non Critical Extensions
|
||||
```
|
||||
Key Identifier: 0xEED8 7CDE A4CF A4F2 B696 C642 C895 381C 5792 7348
|
||||
DNS Name: 4e53a171-103b-4946-9ed8-5f4c0ee750d9
|
||||
Key Identifier: 0xF2FF D145 8371 5E30 2895 7354 B078 559E 5B88 270A
|
||||
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
|
||||
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
|
||||
```
|
||||
|
||||
## Error Message from `nvidia-gridd`
|
||||
|
||||
**Result from current `config-token`**
|
||||
|
||||
```
|
||||
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to verify public certificate (error:0A000126:SSL routines::unexpected eof while reading)
|
||||
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to verify public certificate (error:00000000:lib(0)::reason(0))
|
||||
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to validate public certificates
|
||||
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Server configuration validation failed. Invalid certificate received from server.
|
||||
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to setup cloud License Manager: 3
|
||||
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Shutdown (586)
|
||||
Mär 21 12:22:10 debian-grid-test systemd[1]: nvidia-gridd.service: Main process exited, code=exited, status=1/FAILURE
|
||||
Mär 21 12:22:10 debian-grid-test systemd[1]: nvidia-gridd.service: Failed with result 'exit-code'.
|
||||
```
|
||||
|
||||
# Sources
|
||||
|
||||
- https://8gwifi.org/PemParserFunctions.jsp
|
@ -4,6 +4,16 @@
|
||||
> - [README](README.md) or
|
||||
> - [Installation / Docker Setup](DockerSetup.md)
|
||||
|
||||
[TOC]
|
||||
|
||||
# Config-Token
|
||||
|
||||
See [ConfigToken.md](ConfigToken.md).
|
||||
|
||||
# Certificate and CA-Chain
|
||||
|
||||
Certificate has a `public_key` which is not present in any database.
|
||||
|
||||
# `master_pwd.bin` and `master_pwd_v100.bin`
|
||||
|
||||
There are two files in `/var/lib/docker/overlay2/<nls-container-id>/merged/etc/dls/config`.
|
||||
|
@ -130,6 +130,10 @@ def test_official_cert():
|
||||
nv_response_parsed_ca_cert = x509.load_pem_x509_certificate(nv_response_ca_cert)
|
||||
nv_response_parsed_cert = x509.load_pem_x509_certificate(nv_response_public_cert)
|
||||
|
||||
assert 4096 == nv_response_parsed_ca_cert.public_key().key_size
|
||||
assert 2048 == nv_response_parsed_cert.public_key().key_size
|
||||
#assert nv_response_parsed_cert.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) == nv_si_public_key.public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo)
|
||||
|
||||
nv_response_parsed_cert_exp = nv_response_parsed_cert.public_key().public_numbers().e
|
||||
nv_response_parsed_cert_mod = f'{nv_response_parsed_cert.public_key().public_numbers().n:x}' # hex value without "0x" prefix
|
||||
assert nv_response_parsed_cert_exp == nv_response_public_key.get('exp')
|
||||
@ -255,69 +259,132 @@ def test_our_config_token_with_our_key():
|
||||
:return:
|
||||
"""
|
||||
|
||||
my_private_key = generate_private_key(public_exponent=65537, key_size=2024)
|
||||
my_public_key = my_private_key.public_key()
|
||||
""" Create Root Key and Certificate """
|
||||
|
||||
my_private_key_pem = my_private_key.private_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PrivateFormat.TraditionalOpenSSL,
|
||||
encryption_algorithm=serialization.NoEncryption()
|
||||
)
|
||||
my_public_key_pem = my_public_key.public_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PublicFormat.SubjectPublicKeyInfo
|
||||
)
|
||||
# create root keypair
|
||||
my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096)
|
||||
my_root_public_key = my_root_private_key.public_key()
|
||||
|
||||
my_si_public_key_exp = my_public_key.public_numbers().e
|
||||
my_si_public_key_mod = f'{my_public_key.public_numbers().n:x}' # hex value without "0x" prefix
|
||||
# create root-certificate subject
|
||||
my_root_subject = x509.Name([
|
||||
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
|
||||
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
|
||||
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
|
||||
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
|
||||
x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'),
|
||||
])
|
||||
|
||||
# create self-signed root-certificate
|
||||
my_root_certificate = (
|
||||
x509.CertificateBuilder()
|
||||
.subject_name(my_root_subject)
|
||||
.issuer_name(my_root_subject)
|
||||
.public_key(my_root_public_key)
|
||||
.serial_number(x509.random_serial_number())
|
||||
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
|
||||
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
|
||||
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
|
||||
.add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False)
|
||||
.sign(my_root_private_key, hashes.SHA256()))
|
||||
|
||||
""" Create CA (Intermediate) Key and Certificate """
|
||||
|
||||
# create ca keypair
|
||||
my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096)
|
||||
my_ca_public_key = my_ca_private_key.public_key()
|
||||
|
||||
# create ca-certificate subject
|
||||
my_ca_subject = x509.Name([
|
||||
x509.NameAttribute(NameOID.COUNTRY_NAME, u"DE"),
|
||||
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Hessen"),
|
||||
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wiesbaden"),
|
||||
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Ihr Unternehmen"),
|
||||
x509.NameAttribute(NameOID.COMMON_NAME, u"CA Root"),
|
||||
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
|
||||
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
|
||||
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
|
||||
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
|
||||
x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'),
|
||||
])
|
||||
|
||||
# create self-signed ca-certificate
|
||||
my_ca_certificate = (
|
||||
x509.CertificateBuilder()
|
||||
.subject_name(my_ca_subject)
|
||||
.issuer_name(my_ca_subject)
|
||||
.public_key(my_public_key)
|
||||
.issuer_name(my_root_subject)
|
||||
.public_key(my_ca_public_key)
|
||||
.serial_number(x509.random_serial_number())
|
||||
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
|
||||
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
|
||||
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
|
||||
.sign(my_private_key, hashes.SHA256()))
|
||||
.add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True,
|
||||
key_agreement=False, content_commitment=False, data_encipherment=False,
|
||||
crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
|
||||
.add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False)
|
||||
# .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False)
|
||||
.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
|
||||
my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
|
||||
), critical=False)
|
||||
.sign(my_root_private_key, hashes.SHA256()))
|
||||
|
||||
# create certificate subject
|
||||
my_subject = x509.Name([
|
||||
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
|
||||
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
|
||||
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
|
||||
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
|
||||
x509.NameAttribute(NameOID.COMMON_NAME, u"NLS Intermediate CA"),
|
||||
])
|
||||
with open('caChain_my.pem', 'wb') as f:
|
||||
f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM))
|
||||
|
||||
my_issuer_name = my_ca_subject if my_ca_subject is not None else my_subject
|
||||
""" Create Service-Instance Key and Certificate """
|
||||
|
||||
# create self-signed certificate
|
||||
my_certificate = (
|
||||
x509.CertificateBuilder()
|
||||
.subject_name(my_subject)
|
||||
.issuer_name(my_issuer_name)
|
||||
.public_key(my_public_key)
|
||||
.serial_number(x509.random_serial_number())
|
||||
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
|
||||
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=3650))
|
||||
.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=False)
|
||||
.sign(my_private_key, hashes.SHA256())
|
||||
# create si keypair
|
||||
my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048)
|
||||
my_si_public_key = my_si_private_key.public_key()
|
||||
|
||||
my_si_private_key_as_pem = my_si_private_key.private_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PrivateFormat.TraditionalOpenSSL,
|
||||
encryption_algorithm=serialization.NoEncryption(),
|
||||
)
|
||||
my_si_public_key_as_pem = my_si_public_key.public_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PublicFormat.SubjectPublicKeyInfo,
|
||||
)
|
||||
|
||||
### build payload
|
||||
with open('instance.private.pem', 'wb') as f:
|
||||
f.write(my_si_private_key_as_pem)
|
||||
|
||||
with open('instance.public.pem', 'wb') as f:
|
||||
f.write(my_si_public_key_as_pem)
|
||||
|
||||
# create si-certificate subject
|
||||
my_si_subject = x509.Name([
|
||||
x509.NameAttribute(NameOID.COMMON_NAME, u'4e53a171-103b-4946-9ed8-5f4c0ee750d9'),
|
||||
])
|
||||
|
||||
# create self-signed si-certificate
|
||||
my_si_certificate = (
|
||||
x509.CertificateBuilder()
|
||||
.subject_name(my_si_subject)
|
||||
.issuer_name(my_ca_subject)
|
||||
.public_key(my_si_public_key)
|
||||
.serial_number(x509.random_serial_number())
|
||||
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
|
||||
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
|
||||
.add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False,
|
||||
key_agreement=True, content_commitment=False, data_encipherment=False,
|
||||
crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
|
||||
.add_extension(x509.ExtendedKeyUsage([
|
||||
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
|
||||
x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]
|
||||
), critical=False)
|
||||
.add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False)
|
||||
# .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False)
|
||||
.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
|
||||
my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
|
||||
), critical=False)
|
||||
.add_extension(x509.SubjectAlternativeName([
|
||||
x509.DNSName('4e53a171-103b-4946-9ed8-5f4c0ee750d9')
|
||||
]), critical=False)
|
||||
.sign(my_si_private_key, hashes.SHA256()))
|
||||
|
||||
my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e
|
||||
my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix
|
||||
|
||||
with open('cert_my.pem', 'wb') as f:
|
||||
f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
|
||||
|
||||
""" build out payload """
|
||||
|
||||
cur_time = datetime.now(UTC)
|
||||
exp_time = cur_time + MY_CLIENT_TOKEN_EXPIRE_DELTA
|
||||
@ -333,36 +400,41 @@ def test_our_config_token_with_our_key():
|
||||
"service_instance_ref": NV_SI_SITE_ID,
|
||||
"service_instance_public_key_configuration": {
|
||||
"service_instance_public_key_me": {
|
||||
"mod": hex(my_public_key.public_numbers().n)[2:],
|
||||
"exp": int(my_public_key.public_numbers().e),
|
||||
"mod": hex(my_si_public_key.public_numbers().n)[2:],
|
||||
"exp": int(my_si_public_key.public_numbers().e),
|
||||
},
|
||||
"service_instance_public_key_pem": my_public_key_pem.decode('utf-8'),
|
||||
"service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(),
|
||||
"key_retention_mode": "LATEST_ONLY"
|
||||
},
|
||||
}
|
||||
|
||||
my_sign_key = jwk.construct(my_private_key_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256)
|
||||
my_sign_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256)
|
||||
my_config_token = jws.sign(payload, key=my_sign_key, headers=None, algorithm=ALGORITHMS.RS256)
|
||||
|
||||
response = {
|
||||
"certificateConfiguration": {
|
||||
"caChain": [my_ca_certificate.public_bytes(encoding=Encoding.PEM)],
|
||||
"publicCert": my_ca_certificate.public_bytes(encoding=Encoding.PEM),
|
||||
"caChain": [my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8').strip().replace('\n','\r\n')],
|
||||
"publicCert": my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8').strip().replace('\n','\r\n'),
|
||||
"publicKey": {
|
||||
"exp": int(my_certificate.public_key().public_numbers().e),
|
||||
"mod": [hex(my_certificate.public_key().public_numbers().n)[2:]],
|
||||
"exp": int(my_si_certificate.public_key().public_numbers().e),
|
||||
"mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]],
|
||||
},
|
||||
},
|
||||
"configToken": my_config_token,
|
||||
}
|
||||
|
||||
###
|
||||
# this would be our response on fastapi-dls
|
||||
print(json.dumps(response))
|
||||
|
||||
my_jws_sign_key = jwk.construct(my_certificate.public_bytes(encoding=Encoding.PEM), algorithm=ALGORITHMS.RS256)
|
||||
#my_si_certificate_as_pem = my_si_certificate.public_bytes(encoding=Encoding.PEM)
|
||||
#my_jws_verify_key = jwk.construct(my_si_certificate_as_pem, algorithm=ALGORITHMS.RS256)
|
||||
my_response_certificate = x509.load_pem_x509_certificate(response['certificateConfiguration']['publicCert'].encode('utf-8'))
|
||||
my_response_certificate_as_pem = my_response_certificate.public_bytes(encoding=Encoding.PEM)
|
||||
my_jws_verify_key = jwk.construct(my_response_certificate_as_pem, algorithm=ALGORITHMS.RS256)
|
||||
|
||||
my_response_config_token = response.get('configToken')
|
||||
|
||||
payload = jws.verify(my_response_config_token, key=my_jws_sign_key, algorithms=ALGORITHMS.RS256)
|
||||
payload = jws.verify(my_response_config_token, key=my_jws_verify_key, algorithms=ALGORITHMS.RS256)
|
||||
payload = json.loads(payload)
|
||||
assert payload.get('iss') == 'NLS Service Instance'
|
||||
assert payload.get('aud') == 'NLS Licensed Client'
|
Loading…
Reference in New Issue
Block a user