diff --git a/doc/ConfigToken.md b/doc/ConfigToken.md new file mode 100644 index 0000000..39a476b --- /dev/null +++ b/doc/ConfigToken.md @@ -0,0 +1,237 @@ +# Client-Token Test (`my_`) + +> This document belongs to the test-case [test_config_token.py](/src/test/test_config_token.py) + +Our *Client-Token* itself is consistent and all validations are successful. But the `nvidia-gridd` service fails to +verify. +This probably is, because we are using certificates which are not singed by nvidia. This maybe is done by the initial +instance-token exchange. + +Maybe the only way to get successful, is to fake the whole instance-token exchange. + +## JWT + +``` +eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJkZWU5MjRiZi1iNjg4LTQ2NzQtYmM2NC03YjYwM2UxNDUyYmYiLCJpc3MiOiJOTFMgU2VydmljZSBJbnN0YW5jZSIsImF1ZCI6Ik5MUyBMaWNlbnNlZCBDbGllbnQiLCJpYXQiOjE3NDI1NTYyMTcsIm5iZiI6MTc0MjU1NjIxNywiZXhwIjoyMTIxMjQ3NDE3LCJ1cGRhdGVfbW9kZSI6IkFCU09MVVRFIiwic2NvcGVfcmVmX2xpc3QiOlsiMjAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAxIl0sImZ1bGZpbGxtZW50X2NsYXNzX3JlZl9saXN0IjpbXSwic2VydmljZV9pbnN0YW5jZV9jb25maWd1cmF0aW9uIjp7Im5sc19zZXJ2aWNlX2luc3RhbmNlX3JlZiI6IjRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOSIsInN2Y19wb3J0X3NldF9saXN0IjpbeyJpZHgiOjAsImRfbmFtZSI6IkRMUyIsInN2Y19wb3J0X21hcCI6W3sic2VydmljZSI6ImF1dGgiLCJwb3J0Ijo0NDN9LHsic2VydmljZSI6ImxlYXNlIiwicG9ydCI6NDQzfSx7InNlcnZpY2UiOiJxdWlja19yZWxlYXNlIiwicG9ydCI6NDQzfV19XSwibm9kZV91cmxfbGlzdCI6W3siaWR4IjowLCJ1cmwiOiIxOTIuMTY4LjE3OC4xMTAiLCJ1cmxfcXIiOiIxOTIuMTY4LjE3OC4xMTAiLCJzdmNfcG9ydF9zZXRfaWR4IjowfV19LCJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfY29uZmlndXJhdGlvbiI6eyJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfbWUiOnsibW9kIjoiZWRiMGIzNjgwZGIzMDNmNWIzNTM5ZTgzZGFlMTkzM2E3MDk3Yzg3MTJjNDc2NzM5YTlkNTJhYWJlMWJiOWMwNWMyZjE0NzRiODJiOWE2ODhmOGUyODlkYTI0MDM1ODQzOTYzZGI0OTE0ZDhmM2RlYWZmNTgyOTIzMWI3YWM2NzIxMWZlMTFhNTg5ZjNhZGYyNTI1ZDkyY2JmZTQxOTgwMDFmY2M5MTJkNDg5ZTdmYWY4MzYyNWQ2Yzg3Y2NhODYzNTVmNmVhOTlmN2IwYjZmYTBiMGM4Mzg1MDFiYjIyNjM2YzEwYTQ5ZTk5ODllYjMwZDI1Y2JlYzkwODZmZGFkOTJkYWY1ZmJlZTk5YjBkZmNmNDk4OGZkY2MzY2I4ZmFjMDY0NzUwNzNhYjRhNjg4MmQ3YzcwYzY4OThkNTM4N2UwMTQyYjRhMjgxN2Q5OTE1N2I1YzE3YjRkZTVlNmEwYmFkNjZjYzg0YjE4M2M3ZmUxZjQ4ZmNhMjZkNmNlY2ViYjRmNjY0ZDhhZTIxMDkyMDA0ZTA5ZWQ5NDY4OTE2ZTA4Y2EzODhhNTAzYjFkYjVkYjQzMmM2NThlZDA3YTVjZWJhOTA3NTg0NWI5OTZhOGE2Yzg2NWZjNWQ2OWI5YTg5MmQwMGM2ZTBiZDUxZDE0MjJiNDEwYmY5Yzg4NjgyZDkiLCJleHAiOjY1NTM3fSwic2VydmljZV9pbnN0YW5jZV9wdWJsaWNfa2V5X3BlbSI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTdiQ3phQTJ6QS9XelU1NkQydUdUXG5PbkNYeUhFc1IyYzVxZFVxcStHN25BWEM4VWRMZ3JtbWlQamlpZG9rQTFoRGxqMjBrVTJQUGVyL1dDa2pHM3JHXG5jaEgrRWFXSjg2M3lVbDJTeS81Qm1BQWZ6SkV0U0o1L3I0TmlYV3lIektoalZmYnFtZmV3dHZvTERJT0ZBYnNpXG5ZMndRcEo2Wmllc3cwbHkreVFodjJ0a3RyMSsrNlpzTi9QU1lqOXpEeTQrc0JrZFFjNnRLYUlMWHh3eG9tTlU0XG5mZ0ZDdEtLQmZaa1ZlMXdYdE41ZWFndXRac3lFc1lQSC9oOUkvS0p0Yk96cnRQWmsySzRoQ1NBRTRKN1pSb2tXXG40SXlqaUtVRHNkdGR0RExHV08wSHBjNjZrSFdFVzVscWlteUdYOFhXbTVxSkxRREc0TDFSMFVJclFRdjV5SWFDXG4yUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIiwia2V5X3JldGVudGlvbl9tb2RlIjoiTEFURVNUX09OTFkifX0.Hl2EfHaP1ja18VFNYpNaIKJcddGRdtpGve7JkFcrt5rRVnbTxXNYkhYCmc4Q5EyctCchSjUkU1UKcedL0RHJQeZ25kRiUjMSEE7jaXDwU29uANY9HxiJx3I-SKUahDcFuS3KtiScKxxihcAgWTi-rNZGkXMbCT4MM08Gzn_F7R1XcH0ZXoX1ZKon9lps6w6xzhKtyzu9zsrC3Cn0W4C4P918nD3e1jLHkVXYSLR8I27KSgeCPCPKR3fMTFU0BnnYRmkHheAS1Lp3Y5KI3t518vwb-NkSgF5ucpTloot7boTv6fBHlkmcc83LpWC4GQmInu_i1gm6cDQhB7RC1zBnoA +``` + +### JWT decoded + +``` +{ + "jti": "dee924bf-b688-4674-bc64-7b603e1452bf", + "iss": "NLS Service Instance", + "aud": "NLS Licensed Client", + "iat": 1742556217, + "nbf": 1742556217, + "exp": 2121247417, + "update_mode": "ABSOLUTE", + "scope_ref_list": [ "20000000-0000-0000-0000-000000000001" ], + "fulfillment_class_ref_list": [], + "service_instance_configuration": { + "nls_service_instance_ref": "4e53a171-103b-4946-9ed8-5f4c0ee750d9", + "svc_port_set_list": [ + { + "idx": 0, + "d_name": "DLS", + "svc_port_map": [ + { "service": "auth", "port": 443 }, + { "service": "lease", "port": 443 }, + { "service": "quick_release", "port": 443 } + ] + } + ], + "node_url_list": [{ "idx": 0, "url": "192.168.178.110", "url_qr": "192.168.178.110", "svc_port_set_idx": 0 }] + }, + "service_instance_public_key_configuration": { + "service_instance_public_key_me": { + "mod": "edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9", + "exp": 65537 + }, + "service_instance_public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bCzaA2zA/WzU56D2uGT\nOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hDlj20kU2PPer/WCkjG3rG\nchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhjVfbqmfewtvoLDIOFAbsi\nY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+sBkdQc6tKaILXxwxomNU4\nfgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzrtPZk2K4hCSAE4J7ZRokW\n4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJLQDG4L1R0UIrQQv5yIaC\n2QIDAQAB\n-----END PUBLIC KEY-----", + "key_retention_mode": "LATEST_ONLY" + } +} +``` + +### JWT Signature + +Signature can be verified with included `$.service_instance_public_key_configuration.service_instance_public_key_pem` + +``` +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bCzaA2zA/WzU56D2uGT +OnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hDlj20kU2PPer/WCkjG3rG +chH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhjVfbqmfewtvoLDIOFAbsi +Y2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+sBkdQc6tKaILXxwxomNU4 +fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzrtPZk2K4hCSAE4J7ZRokW +4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJLQDG4L1R0UIrQQv5yIaC +2QIDAQAB +-----END PUBLIC KEY----- +``` + +**Details** + +``` +Algo RSA +Format X.509 + ASN1 Dump +RSA Public Key [0a:f7:53:cc:fe:4d:e3:4a:da:39:7b:65:8f:87:67:e7:86:22:3a:60] + modulus: edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9 + public exponent: 10001 +``` + +## Config-Token + +```json +{ + "certificateConfiguration": { + "caChain": [ + "-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUD2CdXDMPoAsGOH87+lhMsIwczTswDQYJKoZIhvcNAQEL\r\nBQAwcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExJzAlBgNVBAsM\r\nHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAoTkxTKTEPMA0GA1UECgwGTnZpZGlh\r\nMRQwEgYDVQQDDAtOTFMgUm9vdCBDQTAeFw0yNTAzMjAxMTE3NTFaFw0zNTAzMTkx\r\nMTE3NTFaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYD\r\nVQQKDAZOdmlkaWExJzAlBgNVBAsMHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAo\r\nTkxTKTEcMBoGA1UEAwwTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN\r\nAQEBBQADggIPADCCAgoCggIBAKY8YjANHn+yYnXMZREn+NqYE+cCJd+vaEB4d2qw\r\n2VADWM7d1bo2n3iCTX30uf/j14XgC85va3ZwPNhTHXm0EObPnnuDcMzbkZc/FxR1\r\nCB8DuVIeTNrxVj3aAo4I1ET5Y1m7gxAQsD9KUUK00uP0YfJIZMdxFs+waGLuJMDn\r\nF3bJfbrl8J2paZ8BFQiDlQX6zSd2iNasigWMyFQYar87NvQdy8SRKZ4ISRaeuf/1\r\nVJQGs/014OFNFKEOXcfo2xKX0LzFrBYv8BYWx5a3bvSP1lMREhYa4Bb7PvImcHCa\r\nMoA3V5nDjp1v5wh/E0CqtlgQwD99yBbQuMcWl+zmadPWDMWZQnUxoEENLlqXQ7DW\r\nH792QjJm95MIoN9tbSqjvmIjneyy5F+dCuWes7cnZYR5F5X2/zn0pJ8jWbZdQnSl\r\nHXOOyAhqbsmUkGUohVsTVKsUcOGYVXhwS5jdMNRzuSCbbfn/ZGBG6XWUO5ELoXFc\r\nw/iNe2PSO2SixpwXbN3kCtaIjW5YJCFikqOW+Ho9Wy1yI3U261E7SuxTle89DaNQ\r\nsNfHAJKB28yHVK3sNAzWj/Vg6ZYCjMDDlu2nOFEKzJg3OIMiowkZxmkKe+1r5qQQ\r\njgAQf2k2GQNSgGQBeWujOthgx/FdpOGOmZuP6zAPCr/kEndjvFQtpjDxVBKwCIcQ\r\nZdjJAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G\r\nA1UdDgQWBBTy/9FFg3FeMCiVc1SweFWeW4gnCjAfBgNVHSMEGDAWgBQCqIgM/Kld\r\nQ+CdLvVgsfLael0/DDANBgkqhkiG9w0BAQsFAAOCAgEAC/440Dy8dPhuXS2fxSmQ\r\n7J2LwrhCWYtFNkXJW4Dnwb9mipVzr8vvBPGXJXG1LkfsVFYYv8lVqN+ErYctqv1B\r\nqLM5ZT+avnBBogcX/2Se9hqCSy24kOsYnjNqtHFxiOoK3xoMs9kdHy0Nt0su408R\r\nv+NHV1jQasvP7KuLXreRBwijHEQcIpi9Nfyh/O5aaQikN2EtQV3ZqYI87DRnPsGs\r\nBaX/TBKlFfPfVjS6mXq6YB7y8oA8NH0IiJ1xn+7nYVjTmSHGWQnTLYOMowMuGFFT\r\n3gUiWKQnD74NHZzkvEiX82WDM4SiD1dQCV6OWsTxbs0bUsM0du78CRapi/9XwoUQ\r\nzyJaIzYUtsnHBO4YM78tNi9RZbWB52cOVb7YP2Rj6vHf34SjbIU+exRXPzgs/5d5\r\n6D8eTNj6iq2XtCSGQ50NqZL8N3iDvpypVc8xnfibYA+CLIa152s9LXxTnkACVsHh\r\n9qqyJEUW2qCxKvHxpGqzcsQ6tqQlNaNd8vCJAZU28yZQyuVfhL2rqbab0dFrZdbV\r\ntMk1lk1K3a2kuZfGL5CzWTWsht3b3UOBJT383OInNwkr1UvQr/w3Ml+JdhDDIjIB\r\nz5vrl6bd6uZ/2AUED+o6cM/1mTygdt6u6m+9XFJScplyoltuI7KItXqhf50kM5Ca\r\nOHBuH+vCm1w54MOyHsWydR8=\r\n-----END CERTIFICATE-----" + ], + "publicCert": "-----BEGIN CERTIFICATE-----\r\nMIID2zCCAsOgAwIBAgIUG9EvbFb33ajYzlLIYbD+Wb04Xh0wDQYJKoZIhvcNAQEL\r\nBQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAoM\r\nBk52aWRpYTEnMCUGA1UECwweTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMp\r\nMRwwGgYDVQQDDBNOTFMgSW50ZXJtZWRpYXRlIENBMB4XDTI1MDMyMDExMTc1MVoX\r\nDTM1MDMxOTExMTc1MVowLzEtMCsGA1UEAwwkNGU1M2ExNzEtMTAzYi00OTQ2LTll\r\nZDgtNWY0YzBlZTc1MGQ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n7bCzaA2zA/WzU56D2uGTOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hD\r\nlj20kU2PPer/WCkjG3rGchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhj\r\nVfbqmfewtvoLDIOFAbsiY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+s\r\nBkdQc6tKaILXxwxomNU4fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzr\r\ntPZk2K4hCSAE4J7ZRokW4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJ\r\nLQDG4L1R0UIrQQv5yIaC2QIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwIDqDAdBgNV\r\nHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO7YfN6kz6TytpbG\r\nQsiVOBxXknNIMB8GA1UdIwQYMBaAFPL/0UWDcV4wKJVzVLB4VZ5biCcKMC8GA1Ud\r\nEQQoMCaCJDRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOTANBgkq\r\nhkiG9w0BAQsFAAOCAQEAsSw2FKHvL6LtxjP6lvcnRtbtqO9Y1tfanWG8ebTbiF0Z\r\nU5bok/vJ6ut/fqW9zixOSFtzzaTKe91lyeWqt9uHje2wV6SSM+Bw1RglVAvcFejd\r\nfX88/iEDSmqlDf+NAC8yyiWdZ5snboxWBaTpPcf8gziZhDUIxRUFIZCYjqJEkN1u\r\nevfJZqaVsT0zcbmwc+6W7YGD4J8JSFpkwN0odTtciAooBzXpfFzXMz0zrghjFRxA\r\nYnq1C0sQNlBb84yS+B/f4qTfDqL2eCxARZSWSl/S71VRkPn5QRs4iPE0AVeWWZAd\r\n0iHSFm6jxj1x7/+r+Q+wN9hLtT7fEXXKuW7t6ECgDg==\r\n-----END CERTIFICATE-----", + "publicKey": { + "exp": 65537, + "mod": [ + "edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9" + ] + } + }, + "configToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJOTFMgU2VydmljZSBJbnN0YW5jZSIsImF1ZCI6Ik5MUyBMaWNlbnNlZCBDbGllbnQiLCJpYXQiOjE3NDI1NTU4NzEsIm5iZiI6MTc0MjU1NTg3MSwiZXhwIjoyMTIxMjQ3MDcxLCJwcm90b2NvbF92ZXJzaW9uIjoiMi4wIiwiZF9uYW1lIjoiRExTIiwic2VydmljZV9pbnN0YW5jZV9yZWYiOiI0ZTUzYTE3MS0xMDNiLTQ5NDYtOWVkOC01ZjRjMGVlNzUwZDkiLCJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfY29uZmlndXJhdGlvbiI6eyJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfbWUiOnsibW9kIjoiZWRiMGIzNjgwZGIzMDNmNWIzNTM5ZTgzZGFlMTkzM2E3MDk3Yzg3MTJjNDc2NzM5YTlkNTJhYWJlMWJiOWMwNWMyZjE0NzRiODJiOWE2ODhmOGUyODlkYTI0MDM1ODQzOTYzZGI0OTE0ZDhmM2RlYWZmNTgyOTIzMWI3YWM2NzIxMWZlMTFhNTg5ZjNhZGYyNTI1ZDkyY2JmZTQxOTgwMDFmY2M5MTJkNDg5ZTdmYWY4MzYyNWQ2Yzg3Y2NhODYzNTVmNmVhOTlmN2IwYjZmYTBiMGM4Mzg1MDFiYjIyNjM2YzEwYTQ5ZTk5ODllYjMwZDI1Y2JlYzkwODZmZGFkOTJkYWY1ZmJlZTk5YjBkZmNmNDk4OGZkY2MzY2I4ZmFjMDY0NzUwNzNhYjRhNjg4MmQ3YzcwYzY4OThkNTM4N2UwMTQyYjRhMjgxN2Q5OTE1N2I1YzE3YjRkZTVlNmEwYmFkNjZjYzg0YjE4M2M3ZmUxZjQ4ZmNhMjZkNmNlY2ViYjRmNjY0ZDhhZTIxMDkyMDA0ZTA5ZWQ5NDY4OTE2ZTA4Y2EzODhhNTAzYjFkYjVkYjQzMmM2NThlZDA3YTVjZWJhOTA3NTg0NWI5OTZhOGE2Yzg2NWZjNWQ2OWI5YTg5MmQwMGM2ZTBiZDUxZDE0MjJiNDEwYmY5Yzg4NjgyZDkiLCJleHAiOjY1NTM3fSwic2VydmljZV9pbnN0YW5jZV9wdWJsaWNfa2V5X3BlbSI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTdiQ3phQTJ6QS9XelU1NkQydUdUXG5PbkNYeUhFc1IyYzVxZFVxcStHN25BWEM4VWRMZ3JtbWlQamlpZG9rQTFoRGxqMjBrVTJQUGVyL1dDa2pHM3JHXG5jaEgrRWFXSjg2M3lVbDJTeS81Qm1BQWZ6SkV0U0o1L3I0TmlYV3lIektoalZmYnFtZmV3dHZvTERJT0ZBYnNpXG5ZMndRcEo2Wmllc3cwbHkreVFodjJ0a3RyMSsrNlpzTi9QU1lqOXpEeTQrc0JrZFFjNnRLYUlMWHh3eG9tTlU0XG5mZ0ZDdEtLQmZaa1ZlMXdYdE41ZWFndXRac3lFc1lQSC9oOUkvS0p0Yk96cnRQWmsySzRoQ1NBRTRKN1pSb2tXXG40SXlqaUtVRHNkdGR0RExHV08wSHBjNjZrSFdFVzVscWlteUdYOFhXbTVxSkxRREc0TDFSMFVJclFRdjV5SWFDXG4yUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIiwia2V5X3JldGVudGlvbl9tb2RlIjoiTEFURVNUX09OTFkifX0.D3soBLZ4vLVwBRwrrK3FrpX599jDfV6gJpD7OnucTfkTILg3AwLLyoPuStd9Pc0EcvW8b2BQ0B5sXgJYW3XAyeFWh08PP02T8Y0bGneWcVkY81tn1eg-zwskk9GQlMooBH3IRRAG1dg5GLjuohZqaz48hNdXY2Ok8G0A68EVELY0zrc9PyMVia0tnNIwM8msnIC3ryEymCuAqnjLpCVjPoEkmpggfgvHrJDdLsoZuMs-P-49WxgZO0vCaolHUXQIy5lYkxcI9tzy17NmXeJK-Ut0AihLIYg0_K6YhetDdxQdGQYvNliD12IzDHDE0hDHF5EasnccUjSN_dQNVWP7Sg" +} +``` + +### CA-Chain + +``` +-----BEGIN CERTIFICATE----- +MIIF3TCCA8WgAwIBAgIUD2CdXDMPoAsGOH87+lhMsIwczTswDQYJKoZIhvcNAQEL +BQAwcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExJzAlBgNVBAsM +Hk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAoTkxTKTEPMA0GA1UECgwGTnZpZGlh +MRQwEgYDVQQDDAtOTFMgUm9vdCBDQTAeFw0yNTAzMjAxMTE3NTFaFw0zNTAzMTkx +MTE3NTFaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYD +VQQKDAZOdmlkaWExJzAlBgNVBAsMHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAo +TkxTKTEcMBoGA1UEAwwTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAKY8YjANHn+yYnXMZREn+NqYE+cCJd+vaEB4d2qw +2VADWM7d1bo2n3iCTX30uf/j14XgC85va3ZwPNhTHXm0EObPnnuDcMzbkZc/FxR1 +CB8DuVIeTNrxVj3aAo4I1ET5Y1m7gxAQsD9KUUK00uP0YfJIZMdxFs+waGLuJMDn +F3bJfbrl8J2paZ8BFQiDlQX6zSd2iNasigWMyFQYar87NvQdy8SRKZ4ISRaeuf/1 +VJQGs/014OFNFKEOXcfo2xKX0LzFrBYv8BYWx5a3bvSP1lMREhYa4Bb7PvImcHCa +MoA3V5nDjp1v5wh/E0CqtlgQwD99yBbQuMcWl+zmadPWDMWZQnUxoEENLlqXQ7DW +H792QjJm95MIoN9tbSqjvmIjneyy5F+dCuWes7cnZYR5F5X2/zn0pJ8jWbZdQnSl +HXOOyAhqbsmUkGUohVsTVKsUcOGYVXhwS5jdMNRzuSCbbfn/ZGBG6XWUO5ELoXFc +w/iNe2PSO2SixpwXbN3kCtaIjW5YJCFikqOW+Ho9Wy1yI3U261E7SuxTle89DaNQ +sNfHAJKB28yHVK3sNAzWj/Vg6ZYCjMDDlu2nOFEKzJg3OIMiowkZxmkKe+1r5qQQ +jgAQf2k2GQNSgGQBeWujOthgx/FdpOGOmZuP6zAPCr/kEndjvFQtpjDxVBKwCIcQ +ZdjJAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G +A1UdDgQWBBTy/9FFg3FeMCiVc1SweFWeW4gnCjAfBgNVHSMEGDAWgBQCqIgM/Kld +Q+CdLvVgsfLael0/DDANBgkqhkiG9w0BAQsFAAOCAgEAC/440Dy8dPhuXS2fxSmQ +7J2LwrhCWYtFNkXJW4Dnwb9mipVzr8vvBPGXJXG1LkfsVFYYv8lVqN+ErYctqv1B +qLM5ZT+avnBBogcX/2Se9hqCSy24kOsYnjNqtHFxiOoK3xoMs9kdHy0Nt0su408R +v+NHV1jQasvP7KuLXreRBwijHEQcIpi9Nfyh/O5aaQikN2EtQV3ZqYI87DRnPsGs +BaX/TBKlFfPfVjS6mXq6YB7y8oA8NH0IiJ1xn+7nYVjTmSHGWQnTLYOMowMuGFFT +3gUiWKQnD74NHZzkvEiX82WDM4SiD1dQCV6OWsTxbs0bUsM0du78CRapi/9XwoUQ +zyJaIzYUtsnHBO4YM78tNi9RZbWB52cOVb7YP2Rj6vHf34SjbIU+exRXPzgs/5d5 +6D8eTNj6iq2XtCSGQ50NqZL8N3iDvpypVc8xnfibYA+CLIa152s9LXxTnkACVsHh +9qqyJEUW2qCxKvHxpGqzcsQ6tqQlNaNd8vCJAZU28yZQyuVfhL2rqbab0dFrZdbV +tMk1lk1K3a2kuZfGL5CzWTWsht3b3UOBJT383OInNwkr1UvQr/w3Ml+JdhDDIjIB +z5vrl6bd6uZ/2AUED+o6cM/1mTygdt6u6m+9XFJScplyoltuI7KItXqhf50kM5Ca +OHBuH+vCm1w54MOyHsWydR8= +-----END CERTIFICATE----- +``` + +**Details** + +- Serial Number: `0F:60:9D:5C:33:0F:A0:0B:06:38:7F:3B:FA:58:4C:B0:8C:1C:CD:3B` ( + `87789441104157334067027060312294361915113393467`) +- Subject DN: `CN=NLS Intermediate CA, OU=Nvidia Licensing Service (NLS), O=Nvidia, ST=California, C=US` +- Issuer DN: `CN=NLS Root CA, O=Nvidia, OU=Nvidia Licensing Service (NLS), ST=California, C=US` +- Critical Extensions + ``` + Certificate Signing + CRL Signing + Subject is a CA + Path Length Constraint: None + ``` +- Non Critical Extensions + ``` + Key Identifier: 0xF2FF D145 8371 5E30 2895 7354 B078 559E 5B88 270A + Key Identifier: 0x02A8 880C FCA9 5D43 E09D 2EF5 60B1 F2DA 7A5D 3F0C + ``` + +### Public-Cert + +This is used to verify JWT-Signature. + +> [!alert] +> On offical DLS we have no private/prublic key. This certificate is only +> present in database "configuration" => "DLS_SI_CERTIFICATE". +> There also is an encrypted private-key, which probably is the private-key +> belonging to this certificate. + +``` +-----BEGIN CERTIFICATE----- +MIID2zCCAsOgAwIBAgIUG9EvbFb33ajYzlLIYbD+Wb04Xh0wDQYJKoZIhvcNAQEL +BQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAoM +Bk52aWRpYTEnMCUGA1UECwweTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMp +MRwwGgYDVQQDDBNOTFMgSW50ZXJtZWRpYXRlIENBMB4XDTI1MDMyMDExMTc1MVoX +DTM1MDMxOTExMTc1MVowLzEtMCsGA1UEAwwkNGU1M2ExNzEtMTAzYi00OTQ2LTll +ZDgtNWY0YzBlZTc1MGQ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +7bCzaA2zA/WzU56D2uGTOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hD +lj20kU2PPer/WCkjG3rGchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhj +VfbqmfewtvoLDIOFAbsiY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+s +BkdQc6tKaILXxwxomNU4fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzr +tPZk2K4hCSAE4J7ZRokW4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJ +LQDG4L1R0UIrQQv5yIaC2QIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwIDqDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO7YfN6kz6TytpbG +QsiVOBxXknNIMB8GA1UdIwQYMBaAFPL/0UWDcV4wKJVzVLB4VZ5biCcKMC8GA1Ud +EQQoMCaCJDRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOTANBgkq +hkiG9w0BAQsFAAOCAQEAsSw2FKHvL6LtxjP6lvcnRtbtqO9Y1tfanWG8ebTbiF0Z +U5bok/vJ6ut/fqW9zixOSFtzzaTKe91lyeWqt9uHje2wV6SSM+Bw1RglVAvcFejd +fX88/iEDSmqlDf+NAC8yyiWdZ5snboxWBaTpPcf8gziZhDUIxRUFIZCYjqJEkN1u +evfJZqaVsT0zcbmwc+6W7YGD4J8JSFpkwN0odTtciAooBzXpfFzXMz0zrghjFRxA +Ynq1C0sQNlBb84yS+B/f4qTfDqL2eCxARZSWSl/S71VRkPn5QRs4iPE0AVeWWZAd +0iHSFm6jxj1x7/+r+Q+wN9hLtT7fEXXKuW7t6ECgDg== +-----END CERTIFICATE----- +``` + +**Details** + +- Serial Number: `1B:D1:2F:6C:56:F7:DD:A8:D8:CE:52:C8:61:B0:FE:59:BD:38:5E:1D` ( + `158807737702271588335335063867501016171838725661`) +- Subject DN: `CN=4e53a171-103b-4946-9ed8-5f4c0ee750d9` +- Issuer DN: `CN=NLS Intermediate CA, OU=Nvidia Licensing Service (NLS), O=Nvidia, ST=California, C=US` +- SASNS: `4e53a171-103b-4946-9ed8-5f4c0ee750d9` +- Critical Extensions + ``` + Digital Signature + Key Encipherment + Key Agreement + ```` +- Non Critical Extensions + ``` + Key Identifier: 0xEED8 7CDE A4CF A4F2 B696 C642 C895 381C 5792 7348 + DNS Name: 4e53a171-103b-4946-9ed8-5f4c0ee750d9 + Key Identifier: 0xF2FF D145 8371 5E30 2895 7354 B078 559E 5B88 270A + TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) + TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) + ``` + +## Error Message from `nvidia-gridd` + +**Result from current `config-token`** + +``` +Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to verify public certificate (error:0A000126:SSL routines::unexpected eof while reading) +Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to verify public certificate (error:00000000:lib(0)::reason(0)) +Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to validate public certificates +Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Server configuration validation failed. Invalid certificate received from server. +Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to setup cloud License Manager: 3 +Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Shutdown (586) +Mär 21 12:22:10 debian-grid-test systemd[1]: nvidia-gridd.service: Main process exited, code=exited, status=1/FAILURE +Mär 21 12:22:10 debian-grid-test systemd[1]: nvidia-gridd.service: Failed with result 'exit-code'. +``` + +# Sources + +- https://8gwifi.org/PemParserFunctions.jsp \ No newline at end of file diff --git a/doc/LATEST.md b/doc/LATEST.md index bf74d30..509e5ef 100644 --- a/doc/LATEST.md +++ b/doc/LATEST.md @@ -4,6 +4,16 @@ > - [README](README.md) or > - [Installation / Docker Setup](DockerSetup.md) +[TOC] + +# Config-Token + +See [ConfigToken.md](ConfigToken.md). + +# Certificate and CA-Chain + +Certificate has a `public_key` which is not present in any database. + # `master_pwd.bin` and `master_pwd_v100.bin` There are two files in `/var/lib/docker/overlay2//merged/etc/dls/config`. diff --git a/src/test/test.py b/src/test/test_config_token.py similarity index 75% rename from src/test/test.py rename to src/test/test_config_token.py index c0e75e0..26bed89 100644 --- a/src/test/test.py +++ b/src/test/test_config_token.py @@ -130,6 +130,10 @@ def test_official_cert(): nv_response_parsed_ca_cert = x509.load_pem_x509_certificate(nv_response_ca_cert) nv_response_parsed_cert = x509.load_pem_x509_certificate(nv_response_public_cert) + assert 4096 == nv_response_parsed_ca_cert.public_key().key_size + assert 2048 == nv_response_parsed_cert.public_key().key_size + #assert nv_response_parsed_cert.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) == nv_si_public_key.public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) + nv_response_parsed_cert_exp = nv_response_parsed_cert.public_key().public_numbers().e nv_response_parsed_cert_mod = f'{nv_response_parsed_cert.public_key().public_numbers().n:x}' # hex value without "0x" prefix assert nv_response_parsed_cert_exp == nv_response_public_key.get('exp') @@ -255,69 +259,132 @@ def test_our_config_token_with_our_key(): :return: """ - my_private_key = generate_private_key(public_exponent=65537, key_size=2024) - my_public_key = my_private_key.public_key() + """ Create Root Key and Certificate """ - my_private_key_pem = my_private_key.private_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PrivateFormat.TraditionalOpenSSL, - encryption_algorithm=serialization.NoEncryption() - ) - my_public_key_pem = my_public_key.public_bytes( - encoding=serialization.Encoding.PEM, - format=serialization.PublicFormat.SubjectPublicKeyInfo - ) + # create root keypair + my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_root_public_key = my_root_private_key.public_key() - my_si_public_key_exp = my_public_key.public_numbers().e - my_si_public_key_mod = f'{my_public_key.public_numbers().n:x}' # hex value without "0x" prefix + # create root-certificate subject + my_root_subject = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'), + ]) + # create self-signed root-certificate + my_root_certificate = ( + x509.CertificateBuilder() + .subject_name(my_root_subject) + .issuer_name(my_root_subject) + .public_key(my_root_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False) + .sign(my_root_private_key, hashes.SHA256())) + + """ Create CA (Intermediate) Key and Certificate """ + + # create ca keypair + my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096) + my_ca_public_key = my_ca_private_key.public_key() # create ca-certificate subject my_ca_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u"DE"), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Hessen"), - x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wiesbaden"), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Ihr Unternehmen"), - x509.NameAttribute(NameOID.COMMON_NAME, u"CA Root"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), + x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'), ]) # create self-signed ca-certificate my_ca_certificate = ( x509.CertificateBuilder() .subject_name(my_ca_subject) - .issuer_name(my_ca_subject) - .public_key(my_public_key) + .issuer_name(my_root_subject) + .public_key(my_ca_public_key) .serial_number(x509.random_serial_number()) .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) - .sign(my_private_key, hashes.SHA256())) + .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True, + key_agreement=False, content_commitment=False, data_encipherment=False, + crl_sign=True, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .sign(my_root_private_key, hashes.SHA256())) - # create certificate subject - my_subject = x509.Name([ - x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), - x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'), - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'), - x509.NameAttribute(NameOID.COMMON_NAME, u"NLS Intermediate CA"), - ]) + with open('caChain_my.pem', 'wb') as f: + f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM)) - my_issuer_name = my_ca_subject if my_ca_subject is not None else my_subject + """ Create Service-Instance Key and Certificate """ - # create self-signed certificate - my_certificate = ( - x509.CertificateBuilder() - .subject_name(my_subject) - .issuer_name(my_issuer_name) - .public_key(my_public_key) - .serial_number(x509.random_serial_number()) - .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) - .not_valid_after(datetime.now(tz=UTC) + timedelta(days=3650)) - .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=False) - .sign(my_private_key, hashes.SHA256()) + # create si keypair + my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048) + my_si_public_key = my_si_private_key.public_key() + + my_si_private_key_as_pem = my_si_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption(), + ) + my_si_public_key_as_pem = my_si_public_key.public_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PublicFormat.SubjectPublicKeyInfo, ) - ### build payload + with open('instance.private.pem', 'wb') as f: + f.write(my_si_private_key_as_pem) + + with open('instance.public.pem', 'wb') as f: + f.write(my_si_public_key_as_pem) + + # create si-certificate subject + my_si_subject = x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u'4e53a171-103b-4946-9ed8-5f4c0ee750d9'), + ]) + + # create self-signed si-certificate + my_si_certificate = ( + x509.CertificateBuilder() + .subject_name(my_si_subject) + .issuer_name(my_ca_subject) + .public_key(my_si_public_key) + .serial_number(x509.random_serial_number()) + .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) + .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) + .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False, + key_agreement=True, content_commitment=False, data_encipherment=False, + crl_sign=False, encipher_only=False, decipher_only=False), critical=True) + .add_extension(x509.ExtendedKeyUsage([ + x509.oid.ExtendedKeyUsageOID.SERVER_AUTH, + x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH] + ), critical=False) + .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False) + # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False) + .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ), critical=False) + .add_extension(x509.SubjectAlternativeName([ + x509.DNSName('4e53a171-103b-4946-9ed8-5f4c0ee750d9') + ]), critical=False) + .sign(my_si_private_key, hashes.SHA256())) + + my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e + my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix + + with open('cert_my.pem', 'wb') as f: + f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM)) + + """ build out payload """ cur_time = datetime.now(UTC) exp_time = cur_time + MY_CLIENT_TOKEN_EXPIRE_DELTA @@ -333,36 +400,41 @@ def test_our_config_token_with_our_key(): "service_instance_ref": NV_SI_SITE_ID, "service_instance_public_key_configuration": { "service_instance_public_key_me": { - "mod": hex(my_public_key.public_numbers().n)[2:], - "exp": int(my_public_key.public_numbers().e), + "mod": hex(my_si_public_key.public_numbers().n)[2:], + "exp": int(my_si_public_key.public_numbers().e), }, - "service_instance_public_key_pem": my_public_key_pem.decode('utf-8'), + "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(), "key_retention_mode": "LATEST_ONLY" }, } - my_sign_key = jwk.construct(my_private_key_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) + my_sign_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) my_config_token = jws.sign(payload, key=my_sign_key, headers=None, algorithm=ALGORITHMS.RS256) response = { "certificateConfiguration": { - "caChain": [my_ca_certificate.public_bytes(encoding=Encoding.PEM)], - "publicCert": my_ca_certificate.public_bytes(encoding=Encoding.PEM), + "caChain": [my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8').strip().replace('\n','\r\n')], + "publicCert": my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8').strip().replace('\n','\r\n'), "publicKey": { - "exp": int(my_certificate.public_key().public_numbers().e), - "mod": [hex(my_certificate.public_key().public_numbers().n)[2:]], + "exp": int(my_si_certificate.public_key().public_numbers().e), + "mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]], }, }, "configToken": my_config_token, } - ### + # this would be our response on fastapi-dls + print(json.dumps(response)) - my_jws_sign_key = jwk.construct(my_certificate.public_bytes(encoding=Encoding.PEM), algorithm=ALGORITHMS.RS256) + #my_si_certificate_as_pem = my_si_certificate.public_bytes(encoding=Encoding.PEM) + #my_jws_verify_key = jwk.construct(my_si_certificate_as_pem, algorithm=ALGORITHMS.RS256) + my_response_certificate = x509.load_pem_x509_certificate(response['certificateConfiguration']['publicCert'].encode('utf-8')) + my_response_certificate_as_pem = my_response_certificate.public_bytes(encoding=Encoding.PEM) + my_jws_verify_key = jwk.construct(my_response_certificate_as_pem, algorithm=ALGORITHMS.RS256) my_response_config_token = response.get('configToken') - payload = jws.verify(my_response_config_token, key=my_jws_sign_key, algorithms=ALGORITHMS.RS256) + payload = jws.verify(my_response_config_token, key=my_jws_verify_key, algorithms=ALGORITHMS.RS256) payload = json.loads(payload) assert payload.get('iss') == 'NLS Service Instance' assert payload.get('aud') == 'NLS Licensed Client'