nvidia/nls
2
0
Fork 0
Code Issues Pull Requests Projects Activity

added new ConfigToken test and doc

Browse Source
This commit is contained in:
Oscar Krause 2025-03-21 13:37:27 +01:00
parent cb80e709d6
commit 2dbb8f1a80
3 changed files with 372 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

237
doc/ConfigToken.md Normal file
View File

@ -0,0 +1,237 @@
# Client-Token Test (`my_`)
> This document belongs to the test-case [test_config_token.py](/src/test/test_config_token.py)
Our *Client-Token* itself is consistent and all validations are successful. But the `nvidia-gridd` service fails to
verify.
This probably is, because we are using certificates which are not singed by nvidia. This maybe is done by the initial
instance-token exchange.
Maybe the only way to get successful, is to fake the whole instance-token exchange.
## JWT
```
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJkZWU5MjRiZi1iNjg4LTQ2NzQtYmM2NC03YjYwM2UxNDUyYmYiLCJpc3MiOiJOTFMgU2VydmljZSBJbnN0YW5jZSIsImF1ZCI6Ik5MUyBMaWNlbnNlZCBDbGllbnQiLCJpYXQiOjE3NDI1NTYyMTcsIm5iZiI6MTc0MjU1NjIxNywiZXhwIjoyMTIxMjQ3NDE3LCJ1cGRhdGVfbW9kZSI6IkFCU09MVVRFIiwic2NvcGVfcmVmX2xpc3QiOlsiMjAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAxIl0sImZ1bGZpbGxtZW50X2NsYXNzX3JlZl9saXN0IjpbXSwic2VydmljZV9pbnN0YW5jZV9jb25maWd1cmF0aW9uIjp7Im5sc19zZXJ2aWNlX2luc3RhbmNlX3JlZiI6IjRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOSIsInN2Y19wb3J0X3NldF9saXN0IjpbeyJpZHgiOjAsImRfbmFtZSI6IkRMUyIsInN2Y19wb3J0X21hcCI6W3sic2VydmljZSI6ImF1dGgiLCJwb3J0Ijo0NDN9LHsic2VydmljZSI6ImxlYXNlIiwicG9ydCI6NDQzfSx7InNlcnZpY2UiOiJxdWlja19yZWxlYXNlIiwicG9ydCI6NDQzfV19XSwibm9kZV91cmxfbGlzdCI6W3siaWR4IjowLCJ1cmwiOiIxOTIuMTY4LjE3OC4xMTAiLCJ1cmxfcXIiOiIxOTIuMTY4LjE3OC4xMTAiLCJzdmNfcG9ydF9zZXRfaWR4IjowfV19LCJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfY29uZmlndXJhdGlvbiI6eyJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfbWUiOnsibW9kIjoiZWRiMGIzNjgwZGIzMDNmNWIzNTM5ZTgzZGFlMTkzM2E3MDk3Yzg3MTJjNDc2NzM5YTlkNTJhYWJlMWJiOWMwNWMyZjE0NzRiODJiOWE2ODhmOGUyODlkYTI0MDM1ODQzOTYzZGI0OTE0ZDhmM2RlYWZmNTgyOTIzMWI3YWM2NzIxMWZlMTFhNTg5ZjNhZGYyNTI1ZDkyY2JmZTQxOTgwMDFmY2M5MTJkNDg5ZTdmYWY4MzYyNWQ2Yzg3Y2NhODYzNTVmNmVhOTlmN2IwYjZmYTBiMGM4Mzg1MDFiYjIyNjM2YzEwYTQ5ZTk5ODllYjMwZDI1Y2JlYzkwODZmZGFkOTJkYWY1ZmJlZTk5YjBkZmNmNDk4OGZkY2MzY2I4ZmFjMDY0NzUwNzNhYjRhNjg4MmQ3YzcwYzY4OThkNTM4N2UwMTQyYjRhMjgxN2Q5OTE1N2I1YzE3YjRkZTVlNmEwYmFkNjZjYzg0YjE4M2M3ZmUxZjQ4ZmNhMjZkNmNlY2ViYjRmNjY0ZDhhZTIxMDkyMDA0ZTA5ZWQ5NDY4OTE2ZTA4Y2EzODhhNTAzYjFkYjVkYjQzMmM2NThlZDA3YTVjZWJhOTA3NTg0NWI5OTZhOGE2Yzg2NWZjNWQ2OWI5YTg5MmQwMGM2ZTBiZDUxZDE0MjJiNDEwYmY5Yzg4NjgyZDkiLCJleHAiOjY1NTM3fSwic2VydmljZV9pbnN0YW5jZV9wdWJsaWNfa2V5X3BlbSI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTdiQ3phQTJ6QS9XelU1NkQydUdUXG5PbkNYeUhFc1IyYzVxZFVxcStHN25BWEM4VWRMZ3JtbWlQamlpZG9rQTFoRGxqMjBrVTJQUGVyL1dDa2pHM3JHXG5jaEgrRWFXSjg2M3lVbDJTeS81Qm1BQWZ6SkV0U0o1L3I0TmlYV3lIektoalZmYnFtZmV3dHZvTERJT0ZBYnNpXG5ZMndRcEo2Wmllc3cwbHkreVFodjJ0a3RyMSsrNlpzTi9QU1lqOXpEeTQrc0JrZFFjNnRLYUlMWHh3eG9tTlU0XG5mZ0ZDdEtLQmZaa1ZlMXdYdE41ZWFndXRac3lFc1lQSC9oOUkvS0p0Yk96cnRQWmsySzRoQ1NBRTRKN1pSb2tXXG40SXlqaUtVRHNkdGR0RExHV08wSHBjNjZrSFdFVzVscWlteUdYOFhXbTVxSkxRREc0TDFSMFVJclFRdjV5SWFDXG4yUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIiwia2V5X3JldGVudGlvbl9tb2RlIjoiTEFURVNUX09OTFkifX0.Hl2EfHaP1ja18VFNYpNaIKJcddGRdtpGve7JkFcrt5rRVnbTxXNYkhYCmc4Q5EyctCchSjUkU1UKcedL0RHJQeZ25kRiUjMSEE7jaXDwU29uANY9HxiJx3I-SKUahDcFuS3KtiScKxxihcAgWTi-rNZGkXMbCT4MM08Gzn_F7R1XcH0ZXoX1ZKon9lps6w6xzhKtyzu9zsrC3Cn0W4C4P918nD3e1jLHkVXYSLR8I27KSgeCPCPKR3fMTFU0BnnYRmkHheAS1Lp3Y5KI3t518vwb-NkSgF5ucpTloot7boTv6fBHlkmcc83LpWC4GQmInu_i1gm6cDQhB7RC1zBnoA
```
### JWT decoded
```
{
"jti": "dee924bf-b688-4674-bc64-7b603e1452bf",
"iss": "NLS Service Instance",
"aud": "NLS Licensed Client",
"iat": 1742556217,
"nbf": 1742556217,
"exp": 2121247417,
"update_mode": "ABSOLUTE",
"scope_ref_list": [ "20000000-0000-0000-0000-000000000001" ],
"fulfillment_class_ref_list": [],
"service_instance_configuration": {
"nls_service_instance_ref": "4e53a171-103b-4946-9ed8-5f4c0ee750d9",
"svc_port_set_list": [
{
"idx": 0,
"d_name": "DLS",
"svc_port_map": [
{ "service": "auth", "port": 443 },
{ "service": "lease", "port": 443 },
{ "service": "quick_release", "port": 443 }
]
}
],
"node_url_list": [{ "idx": 0, "url": "192.168.178.110", "url_qr": "192.168.178.110", "svc_port_set_idx": 0 }]
},
"service_instance_public_key_configuration": {
"service_instance_public_key_me": {
"mod": "edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9",
"exp": 65537
},
"service_instance_public_key_pem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bCzaA2zA/WzU56D2uGT\nOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hDlj20kU2PPer/WCkjG3rG\nchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhjVfbqmfewtvoLDIOFAbsi\nY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+sBkdQc6tKaILXxwxomNU4\nfgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzrtPZk2K4hCSAE4J7ZRokW\n4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJLQDG4L1R0UIrQQv5yIaC\n2QIDAQAB\n-----END PUBLIC KEY-----",
"key_retention_mode": "LATEST_ONLY"
}
}
```
### JWT Signature
Signature can be verified with included `$.service_instance_public_key_configuration.service_instance_public_key_pem`
```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bCzaA2zA/WzU56D2uGT
OnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hDlj20kU2PPer/WCkjG3rG
chH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhjVfbqmfewtvoLDIOFAbsi
Y2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+sBkdQc6tKaILXxwxomNU4
fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzrtPZk2K4hCSAE4J7ZRokW
4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJLQDG4L1R0UIrQQv5yIaC
2QIDAQAB
-----END PUBLIC KEY-----
```
**Details**
```
Algo RSA
Format X.509
ASN1 Dump
RSA Public Key [0a:f7:53:cc:fe:4d:e3:4a:da:39:7b:65:8f:87:67:e7:86:22:3a:60]
modulus: edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9
public exponent: 10001
```
## Config-Token
```json
{
"certificateConfiguration": {
"caChain": [
"-----BEGIN CERTIFICATE-----\r\nMIIF3TCCA8WgAwIBAgIUD2CdXDMPoAsGOH87+lhMsIwczTswDQYJKoZIhvcNAQEL\r\nBQAwcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExJzAlBgNVBAsM\r\nHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAoTkxTKTEPMA0GA1UECgwGTnZpZGlh\r\nMRQwEgYDVQQDDAtOTFMgUm9vdCBDQTAeFw0yNTAzMjAxMTE3NTFaFw0zNTAzMTkx\r\nMTE3NTFaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYD\r\nVQQKDAZOdmlkaWExJzAlBgNVBAsMHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAo\r\nTkxTKTEcMBoGA1UEAwwTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN\r\nAQEBBQADggIPADCCAgoCggIBAKY8YjANHn+yYnXMZREn+NqYE+cCJd+vaEB4d2qw\r\n2VADWM7d1bo2n3iCTX30uf/j14XgC85va3ZwPNhTHXm0EObPnnuDcMzbkZc/FxR1\r\nCB8DuVIeTNrxVj3aAo4I1ET5Y1m7gxAQsD9KUUK00uP0YfJIZMdxFs+waGLuJMDn\r\nF3bJfbrl8J2paZ8BFQiDlQX6zSd2iNasigWMyFQYar87NvQdy8SRKZ4ISRaeuf/1\r\nVJQGs/014OFNFKEOXcfo2xKX0LzFrBYv8BYWx5a3bvSP1lMREhYa4Bb7PvImcHCa\r\nMoA3V5nDjp1v5wh/E0CqtlgQwD99yBbQuMcWl+zmadPWDMWZQnUxoEENLlqXQ7DW\r\nH792QjJm95MIoN9tbSqjvmIjneyy5F+dCuWes7cnZYR5F5X2/zn0pJ8jWbZdQnSl\r\nHXOOyAhqbsmUkGUohVsTVKsUcOGYVXhwS5jdMNRzuSCbbfn/ZGBG6XWUO5ELoXFc\r\nw/iNe2PSO2SixpwXbN3kCtaIjW5YJCFikqOW+Ho9Wy1yI3U261E7SuxTle89DaNQ\r\nsNfHAJKB28yHVK3sNAzWj/Vg6ZYCjMDDlu2nOFEKzJg3OIMiowkZxmkKe+1r5qQQ\r\njgAQf2k2GQNSgGQBeWujOthgx/FdpOGOmZuP6zAPCr/kEndjvFQtpjDxVBKwCIcQ\r\nZdjJAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G\r\nA1UdDgQWBBTy/9FFg3FeMCiVc1SweFWeW4gnCjAfBgNVHSMEGDAWgBQCqIgM/Kld\r\nQ+CdLvVgsfLael0/DDANBgkqhkiG9w0BAQsFAAOCAgEAC/440Dy8dPhuXS2fxSmQ\r\n7J2LwrhCWYtFNkXJW4Dnwb9mipVzr8vvBPGXJXG1LkfsVFYYv8lVqN+ErYctqv1B\r\nqLM5ZT+avnBBogcX/2Se9hqCSy24kOsYnjNqtHFxiOoK3xoMs9kdHy0Nt0su408R\r\nv+NHV1jQasvP7KuLXreRBwijHEQcIpi9Nfyh/O5aaQikN2EtQV3ZqYI87DRnPsGs\r\nBaX/TBKlFfPfVjS6mXq6YB7y8oA8NH0IiJ1xn+7nYVjTmSHGWQnTLYOMowMuGFFT\r\n3gUiWKQnD74NHZzkvEiX82WDM4SiD1dQCV6OWsTxbs0bUsM0du78CRapi/9XwoUQ\r\nzyJaIzYUtsnHBO4YM78tNi9RZbWB52cOVb7YP2Rj6vHf34SjbIU+exRXPzgs/5d5\r\n6D8eTNj6iq2XtCSGQ50NqZL8N3iDvpypVc8xnfibYA+CLIa152s9LXxTnkACVsHh\r\n9qqyJEUW2qCxKvHxpGqzcsQ6tqQlNaNd8vCJAZU28yZQyuVfhL2rqbab0dFrZdbV\r\ntMk1lk1K3a2kuZfGL5CzWTWsht3b3UOBJT383OInNwkr1UvQr/w3Ml+JdhDDIjIB\r\nz5vrl6bd6uZ/2AUED+o6cM/1mTygdt6u6m+9XFJScplyoltuI7KItXqhf50kM5Ca\r\nOHBuH+vCm1w54MOyHsWydR8=\r\n-----END CERTIFICATE-----"
],
"publicCert": "-----BEGIN CERTIFICATE-----\r\nMIID2zCCAsOgAwIBAgIUG9EvbFb33ajYzlLIYbD+Wb04Xh0wDQYJKoZIhvcNAQEL\r\nBQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAoM\r\nBk52aWRpYTEnMCUGA1UECwweTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMp\r\nMRwwGgYDVQQDDBNOTFMgSW50ZXJtZWRpYXRlIENBMB4XDTI1MDMyMDExMTc1MVoX\r\nDTM1MDMxOTExMTc1MVowLzEtMCsGA1UEAwwkNGU1M2ExNzEtMTAzYi00OTQ2LTll\r\nZDgtNWY0YzBlZTc1MGQ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n7bCzaA2zA/WzU56D2uGTOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hD\r\nlj20kU2PPer/WCkjG3rGchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhj\r\nVfbqmfewtvoLDIOFAbsiY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+s\r\nBkdQc6tKaILXxwxomNU4fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzr\r\ntPZk2K4hCSAE4J7ZRokW4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJ\r\nLQDG4L1R0UIrQQv5yIaC2QIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwIDqDAdBgNV\r\nHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO7YfN6kz6TytpbG\r\nQsiVOBxXknNIMB8GA1UdIwQYMBaAFPL/0UWDcV4wKJVzVLB4VZ5biCcKMC8GA1Ud\r\nEQQoMCaCJDRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOTANBgkq\r\nhkiG9w0BAQsFAAOCAQEAsSw2FKHvL6LtxjP6lvcnRtbtqO9Y1tfanWG8ebTbiF0Z\r\nU5bok/vJ6ut/fqW9zixOSFtzzaTKe91lyeWqt9uHje2wV6SSM+Bw1RglVAvcFejd\r\nfX88/iEDSmqlDf+NAC8yyiWdZ5snboxWBaTpPcf8gziZhDUIxRUFIZCYjqJEkN1u\r\nevfJZqaVsT0zcbmwc+6W7YGD4J8JSFpkwN0odTtciAooBzXpfFzXMz0zrghjFRxA\r\nYnq1C0sQNlBb84yS+B/f4qTfDqL2eCxARZSWSl/S71VRkPn5QRs4iPE0AVeWWZAd\r\n0iHSFm6jxj1x7/+r+Q+wN9hLtT7fEXXKuW7t6ECgDg==\r\n-----END CERTIFICATE-----",
"publicKey": {
"exp": 65537,
"mod": [
"edb0b3680db303f5b3539e83dae1933a7097c8712c476739a9d52aabe1bb9c05c2f1474b82b9a688f8e289da24035843963db4914d8f3deaff5829231b7ac67211fe11a589f3adf2525d92cbfe4198001fcc912d489e7faf83625d6c87cca86355f6ea99f7b0b6fa0b0c838501bb22636c10a49e9989eb30d25cbec9086fdad92daf5fbee99b0dfcf4988fdcc3cb8fac06475073ab4a6882d7c70c6898d5387e0142b4a2817d99157b5c17b4de5e6a0bad66cc84b183c7fe1f48fca26d6cecebb4f664d8ae21092004e09ed9468916e08ca388a503b1db5db432c658ed07a5ceba9075845b996a8a6c865fc5d69b9a892d00c6e0bd51d1422b410bf9c88682d9"
]
}
},
"configToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJOTFMgU2VydmljZSBJbnN0YW5jZSIsImF1ZCI6Ik5MUyBMaWNlbnNlZCBDbGllbnQiLCJpYXQiOjE3NDI1NTU4NzEsIm5iZiI6MTc0MjU1NTg3MSwiZXhwIjoyMTIxMjQ3MDcxLCJwcm90b2NvbF92ZXJzaW9uIjoiMi4wIiwiZF9uYW1lIjoiRExTIiwic2VydmljZV9pbnN0YW5jZV9yZWYiOiI0ZTUzYTE3MS0xMDNiLTQ5NDYtOWVkOC01ZjRjMGVlNzUwZDkiLCJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfY29uZmlndXJhdGlvbiI6eyJzZXJ2aWNlX2luc3RhbmNlX3B1YmxpY19rZXlfbWUiOnsibW9kIjoiZWRiMGIzNjgwZGIzMDNmNWIzNTM5ZTgzZGFlMTkzM2E3MDk3Yzg3MTJjNDc2NzM5YTlkNTJhYWJlMWJiOWMwNWMyZjE0NzRiODJiOWE2ODhmOGUyODlkYTI0MDM1ODQzOTYzZGI0OTE0ZDhmM2RlYWZmNTgyOTIzMWI3YWM2NzIxMWZlMTFhNTg5ZjNhZGYyNTI1ZDkyY2JmZTQxOTgwMDFmY2M5MTJkNDg5ZTdmYWY4MzYyNWQ2Yzg3Y2NhODYzNTVmNmVhOTlmN2IwYjZmYTBiMGM4Mzg1MDFiYjIyNjM2YzEwYTQ5ZTk5ODllYjMwZDI1Y2JlYzkwODZmZGFkOTJkYWY1ZmJlZTk5YjBkZmNmNDk4OGZkY2MzY2I4ZmFjMDY0NzUwNzNhYjRhNjg4MmQ3YzcwYzY4OThkNTM4N2UwMTQyYjRhMjgxN2Q5OTE1N2I1YzE3YjRkZTVlNmEwYmFkNjZjYzg0YjE4M2M3ZmUxZjQ4ZmNhMjZkNmNlY2ViYjRmNjY0ZDhhZTIxMDkyMDA0ZTA5ZWQ5NDY4OTE2ZTA4Y2EzODhhNTAzYjFkYjVkYjQzMmM2NThlZDA3YTVjZWJhOTA3NTg0NWI5OTZhOGE2Yzg2NWZjNWQ2OWI5YTg5MmQwMGM2ZTBiZDUxZDE0MjJiNDEwYmY5Yzg4NjgyZDkiLCJleHAiOjY1NTM3fSwic2VydmljZV9pbnN0YW5jZV9wdWJsaWNfa2V5X3BlbSI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTdiQ3phQTJ6QS9XelU1NkQydUdUXG5PbkNYeUhFc1IyYzVxZFVxcStHN25BWEM4VWRMZ3JtbWlQamlpZG9rQTFoRGxqMjBrVTJQUGVyL1dDa2pHM3JHXG5jaEgrRWFXSjg2M3lVbDJTeS81Qm1BQWZ6SkV0U0o1L3I0TmlYV3lIektoalZmYnFtZmV3dHZvTERJT0ZBYnNpXG5ZMndRcEo2Wmllc3cwbHkreVFodjJ0a3RyMSsrNlpzTi9QU1lqOXpEeTQrc0JrZFFjNnRLYUlMWHh3eG9tTlU0XG5mZ0ZDdEtLQmZaa1ZlMXdYdE41ZWFndXRac3lFc1lQSC9oOUkvS0p0Yk96cnRQWmsySzRoQ1NBRTRKN1pSb2tXXG40SXlqaUtVRHNkdGR0RExHV08wSHBjNjZrSFdFVzVscWlteUdYOFhXbTVxSkxRREc0TDFSMFVJclFRdjV5SWFDXG4yUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIiwia2V5X3JldGVudGlvbl9tb2RlIjoiTEFURVNUX09OTFkifX0.D3soBLZ4vLVwBRwrrK3FrpX599jDfV6gJpD7OnucTfkTILg3AwLLyoPuStd9Pc0EcvW8b2BQ0B5sXgJYW3XAyeFWh08PP02T8Y0bGneWcVkY81tn1eg-zwskk9GQlMooBH3IRRAG1dg5GLjuohZqaz48hNdXY2Ok8G0A68EVELY0zrc9PyMVia0tnNIwM8msnIC3ryEymCuAqnjLpCVjPoEkmpggfgvHrJDdLsoZuMs-P-49WxgZO0vCaolHUXQIy5lYkxcI9tzy17NmXeJK-Ut0AihLIYg0_K6YhetDdxQdGQYvNliD12IzDHDE0hDHF5EasnccUjSN_dQNVWP7Sg"
}
```
### CA-Chain
```
-----BEGIN CERTIFICATE-----
MIIF3TCCA8WgAwIBAgIUD2CdXDMPoAsGOH87+lhMsIwczTswDQYJKoZIhvcNAQEL
BQAwcjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExJzAlBgNVBAsM
Hk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAoTkxTKTEPMA0GA1UECgwGTnZpZGlh
MRQwEgYDVQQDDAtOTFMgUm9vdCBDQTAeFw0yNTAzMjAxMTE3NTFaFw0zNTAzMTkx
MTE3NTFaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMQ8wDQYD
VQQKDAZOdmlkaWExJzAlBgNVBAsMHk52aWRpYSBMaWNlbnNpbmcgU2VydmljZSAo
TkxTKTEcMBoGA1UEAwwTTkxTIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAKY8YjANHn+yYnXMZREn+NqYE+cCJd+vaEB4d2qw
2VADWM7d1bo2n3iCTX30uf/j14XgC85va3ZwPNhTHXm0EObPnnuDcMzbkZc/FxR1
CB8DuVIeTNrxVj3aAo4I1ET5Y1m7gxAQsD9KUUK00uP0YfJIZMdxFs+waGLuJMDn
F3bJfbrl8J2paZ8BFQiDlQX6zSd2iNasigWMyFQYar87NvQdy8SRKZ4ISRaeuf/1
VJQGs/014OFNFKEOXcfo2xKX0LzFrBYv8BYWx5a3bvSP1lMREhYa4Bb7PvImcHCa
MoA3V5nDjp1v5wh/E0CqtlgQwD99yBbQuMcWl+zmadPWDMWZQnUxoEENLlqXQ7DW
H792QjJm95MIoN9tbSqjvmIjneyy5F+dCuWes7cnZYR5F5X2/zn0pJ8jWbZdQnSl
HXOOyAhqbsmUkGUohVsTVKsUcOGYVXhwS5jdMNRzuSCbbfn/ZGBG6XWUO5ELoXFc
w/iNe2PSO2SixpwXbN3kCtaIjW5YJCFikqOW+Ho9Wy1yI3U261E7SuxTle89DaNQ
sNfHAJKB28yHVK3sNAzWj/Vg6ZYCjMDDlu2nOFEKzJg3OIMiowkZxmkKe+1r5qQQ
jgAQf2k2GQNSgGQBeWujOthgx/FdpOGOmZuP6zAPCr/kEndjvFQtpjDxVBKwCIcQ
ZdjJAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
A1UdDgQWBBTy/9FFg3FeMCiVc1SweFWeW4gnCjAfBgNVHSMEGDAWgBQCqIgM/Kld
Q+CdLvVgsfLael0/DDANBgkqhkiG9w0BAQsFAAOCAgEAC/440Dy8dPhuXS2fxSmQ
7J2LwrhCWYtFNkXJW4Dnwb9mipVzr8vvBPGXJXG1LkfsVFYYv8lVqN+ErYctqv1B
qLM5ZT+avnBBogcX/2Se9hqCSy24kOsYnjNqtHFxiOoK3xoMs9kdHy0Nt0su408R
v+NHV1jQasvP7KuLXreRBwijHEQcIpi9Nfyh/O5aaQikN2EtQV3ZqYI87DRnPsGs
BaX/TBKlFfPfVjS6mXq6YB7y8oA8NH0IiJ1xn+7nYVjTmSHGWQnTLYOMowMuGFFT
3gUiWKQnD74NHZzkvEiX82WDM4SiD1dQCV6OWsTxbs0bUsM0du78CRapi/9XwoUQ
zyJaIzYUtsnHBO4YM78tNi9RZbWB52cOVb7YP2Rj6vHf34SjbIU+exRXPzgs/5d5
6D8eTNj6iq2XtCSGQ50NqZL8N3iDvpypVc8xnfibYA+CLIa152s9LXxTnkACVsHh
9qqyJEUW2qCxKvHxpGqzcsQ6tqQlNaNd8vCJAZU28yZQyuVfhL2rqbab0dFrZdbV
tMk1lk1K3a2kuZfGL5CzWTWsht3b3UOBJT383OInNwkr1UvQr/w3Ml+JdhDDIjIB
z5vrl6bd6uZ/2AUED+o6cM/1mTygdt6u6m+9XFJScplyoltuI7KItXqhf50kM5Ca
OHBuH+vCm1w54MOyHsWydR8=
-----END CERTIFICATE-----
```
**Details**
- Serial Number: `0F:60:9D:5C:33:0F:A0:0B:06:38:7F:3B:FA:58:4C:B0:8C:1C:CD:3B` (
`87789441104157334067027060312294361915113393467`)
- Subject DN: `CN=NLS Intermediate CA, OU=Nvidia Licensing Service (NLS), O=Nvidia, ST=California, C=US`
- Issuer DN: `CN=NLS Root CA, O=Nvidia, OU=Nvidia Licensing Service (NLS), ST=California, C=US`
- Critical Extensions
```
Certificate Signing
CRL Signing
Subject is a CA
Path Length Constraint: None
```
- Non Critical Extensions
```
Key Identifier: 0xF2FF D145 8371 5E30 2895 7354 B078 559E 5B88 270A
Key Identifier: 0x02A8 880C FCA9 5D43 E09D 2EF5 60B1 F2DA 7A5D 3F0C
```
### Public-Cert
This is used to verify JWT-Signature.
> [!alert]
> On offical DLS we have no private/prublic key. This certificate is only
> present in database "configuration" => "DLS_SI_CERTIFICATE".
> There also is an encrypted private-key, which probably is the private-key
> belonging to this certificate.
```
-----BEGIN CERTIFICATE-----
MIID2zCCAsOgAwIBAgIUG9EvbFb33ajYzlLIYbD+Wb04Xh0wDQYJKoZIhvcNAQEL
BQAwejELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAoM
Bk52aWRpYTEnMCUGA1UECwweTnZpZGlhIExpY2Vuc2luZyBTZXJ2aWNlIChOTFMp
MRwwGgYDVQQDDBNOTFMgSW50ZXJtZWRpYXRlIENBMB4XDTI1MDMyMDExMTc1MVoX
DTM1MDMxOTExMTc1MVowLzEtMCsGA1UEAwwkNGU1M2ExNzEtMTAzYi00OTQ2LTll
ZDgtNWY0YzBlZTc1MGQ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
7bCzaA2zA/WzU56D2uGTOnCXyHEsR2c5qdUqq+G7nAXC8UdLgrmmiPjiidokA1hD
lj20kU2PPer/WCkjG3rGchH+EaWJ863yUl2Sy/5BmAAfzJEtSJ5/r4NiXWyHzKhj
VfbqmfewtvoLDIOFAbsiY2wQpJ6Ziesw0ly+yQhv2tktr1++6ZsN/PSYj9zDy4+s
BkdQc6tKaILXxwxomNU4fgFCtKKBfZkVe1wXtN5eagutZsyEsYPH/h9I/KJtbOzr
tPZk2K4hCSAE4J7ZRokW4IyjiKUDsdtdtDLGWO0Hpc66kHWEW5lqimyGX8XWm5qJ
LQDG4L1R0UIrQQv5yIaC2QIDAQABo4GjMIGgMA4GA1UdDwEB/wQEAwIDqDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFO7YfN6kz6TytpbG
QsiVOBxXknNIMB8GA1UdIwQYMBaAFPL/0UWDcV4wKJVzVLB4VZ5biCcKMC8GA1Ud
EQQoMCaCJDRlNTNhMTcxLTEwM2ItNDk0Ni05ZWQ4LTVmNGMwZWU3NTBkOTANBgkq
hkiG9w0BAQsFAAOCAQEAsSw2FKHvL6LtxjP6lvcnRtbtqO9Y1tfanWG8ebTbiF0Z
U5bok/vJ6ut/fqW9zixOSFtzzaTKe91lyeWqt9uHje2wV6SSM+Bw1RglVAvcFejd
fX88/iEDSmqlDf+NAC8yyiWdZ5snboxWBaTpPcf8gziZhDUIxRUFIZCYjqJEkN1u
evfJZqaVsT0zcbmwc+6W7YGD4J8JSFpkwN0odTtciAooBzXpfFzXMz0zrghjFRxA
Ynq1C0sQNlBb84yS+B/f4qTfDqL2eCxARZSWSl/S71VRkPn5QRs4iPE0AVeWWZAd
0iHSFm6jxj1x7/+r+Q+wN9hLtT7fEXXKuW7t6ECgDg==
-----END CERTIFICATE-----
```
**Details**
- Serial Number: `1B:D1:2F:6C:56:F7:DD:A8:D8:CE:52:C8:61:B0:FE:59:BD:38:5E:1D` (
`158807737702271588335335063867501016171838725661`)
- Subject DN: `CN=4e53a171-103b-4946-9ed8-5f4c0ee750d9`
- Issuer DN: `CN=NLS Intermediate CA, OU=Nvidia Licensing Service (NLS), O=Nvidia, ST=California, C=US`
- SASNS: `4e53a171-103b-4946-9ed8-5f4c0ee750d9`
- Critical Extensions
```
Digital Signature
Key Encipherment
Key Agreement
````
- Non Critical Extensions
```
Key Identifier: 0xEED8 7CDE A4CF A4F2 B696 C642 C895 381C 5792 7348
DNS Name: 4e53a171-103b-4946-9ed8-5f4c0ee750d9
Key Identifier: 0xF2FF D145 8371 5E30 2895 7354 B078 559E 5B88 270A
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
```
## Error Message from `nvidia-gridd`
**Result from current `config-token`**
```
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to verify public certificate (error:0A000126:SSL routines::unexpected eof while reading)
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to verify public certificate (error:00000000:lib(0)::reason(0))
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to validate public certificates
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Server configuration validation failed. Invalid certificate received from server.
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Failed to setup cloud License Manager: 3
Mär 21 12:22:10 debian-grid-test nvidia-gridd[586]: Shutdown (586)
Mär 21 12:22:10 debian-grid-test systemd[1]: nvidia-gridd.service: Main process exited, code=exited, status=1/FAILURE
Mär 21 12:22:10 debian-grid-test systemd[1]: nvidia-gridd.service: Failed with result 'exit-code'.
```
# Sources
- https://8gwifi.org/PemParserFunctions.jsp

10
doc/LATEST.md
View File

@ -4,6 +4,16 @@
> - [README](README.md) or > - [README](README.md) or
> - [Installation / Docker Setup](DockerSetup.md) > - [Installation / Docker Setup](DockerSetup.md)
[TOC]
# Config-Token
See [ConfigToken.md](ConfigToken.md).
# Certificate and CA-Chain
Certificate has a `public_key` which is not present in any database.
# `master_pwd.bin` and `master_pwd_v100.bin` # `master_pwd.bin` and `master_pwd_v100.bin`
There are two files in `/var/lib/docker/overlay2/<nls-container-id>/merged/etc/dls/config`. There are two files in `/var/lib/docker/overlay2/<nls-container-id>/merged/etc/dls/config`.

178
src/test/test.py → src/test/test_config_token.py
View File

@ -130,6 +130,10 @@ def test_official_cert():
nv_response_parsed_ca_cert = x509.load_pem_x509_certificate(nv_response_ca_cert) nv_response_parsed_ca_cert = x509.load_pem_x509_certificate(nv_response_ca_cert)
nv_response_parsed_cert = x509.load_pem_x509_certificate(nv_response_public_cert) nv_response_parsed_cert = x509.load_pem_x509_certificate(nv_response_public_cert)
assert 4096 == nv_response_parsed_ca_cert.public_key().key_size
assert 2048 == nv_response_parsed_cert.public_key().key_size
#assert nv_response_parsed_cert.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) == nv_si_public_key.public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo)
nv_response_parsed_cert_exp = nv_response_parsed_cert.public_key().public_numbers().e nv_response_parsed_cert_exp = nv_response_parsed_cert.public_key().public_numbers().e
nv_response_parsed_cert_mod = f'{nv_response_parsed_cert.public_key().public_numbers().n:x}' # hex value without "0x" prefix nv_response_parsed_cert_mod = f'{nv_response_parsed_cert.public_key().public_numbers().n:x}' # hex value without "0x" prefix
assert nv_response_parsed_cert_exp == nv_response_public_key.get('exp') assert nv_response_parsed_cert_exp == nv_response_public_key.get('exp')
@ -255,69 +259,132 @@ def test_our_config_token_with_our_key():
:return: :return:
""" """
my_private_key = generate_private_key(public_exponent=65537, key_size=2024) """ Create Root Key and Certificate """
my_public_key = my_private_key.public_key()
my_private_key_pem = my_private_key.private_bytes( # create root keypair
encoding=serialization.Encoding.PEM, my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096)
format=serialization.PrivateFormat.TraditionalOpenSSL, my_root_public_key = my_root_private_key.public_key()
encryption_algorithm=serialization.NoEncryption()
)
my_public_key_pem = my_public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
my_si_public_key_exp = my_public_key.public_numbers().e # create root-certificate subject
my_si_public_key_mod = f'{my_public_key.public_numbers().n:x}' # hex value without "0x" prefix my_root_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'),
])
# create self-signed root-certificate
my_root_certificate = (
x509.CertificateBuilder()
.subject_name(my_root_subject)
.issuer_name(my_root_subject)
.public_key(my_root_public_key)
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
.add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False)
.sign(my_root_private_key, hashes.SHA256()))
""" Create CA (Intermediate) Key and Certificate """
# create ca keypair
my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096)
my_ca_public_key = my_ca_private_key.public_key()
# create ca-certificate subject # create ca-certificate subject
my_ca_subject = x509.Name([ my_ca_subject = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"DE"), x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Hessen"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"Wiesbaden"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Ihr Unternehmen"), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
x509.NameAttribute(NameOID.COMMON_NAME, u"CA Root"), x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'),
]) ])
# create self-signed ca-certificate # create self-signed ca-certificate
my_ca_certificate = ( my_ca_certificate = (
x509.CertificateBuilder() x509.CertificateBuilder()
.subject_name(my_ca_subject) .subject_name(my_ca_subject)
.issuer_name(my_ca_subject) .issuer_name(my_root_subject)
.public_key(my_public_key) .public_key(my_ca_public_key)
.serial_number(x509.random_serial_number()) .serial_number(x509.random_serial_number())
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10)) .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True) .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
.sign(my_private_key, hashes.SHA256())) .add_extension(x509.KeyUsage(digital_signature=False, key_encipherment=False, key_cert_sign=True,
key_agreement=False, content_commitment=False, data_encipherment=False,
crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
.add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False)
# .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False)
.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
), critical=False)
.sign(my_root_private_key, hashes.SHA256()))
# create certificate subject with open('caChain_my.pem', 'wb') as f:
my_subject = x509.Name([ f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM))
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
x509.NameAttribute(NameOID.COMMON_NAME, u"NLS Intermediate CA"),
])
my_issuer_name = my_ca_subject if my_ca_subject is not None else my_subject """ Create Service-Instance Key and Certificate """
# create self-signed certificate # create si keypair
my_certificate = ( my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048)
x509.CertificateBuilder() my_si_public_key = my_si_private_key.public_key()
.subject_name(my_subject)
.issuer_name(my_issuer_name) my_si_private_key_as_pem = my_si_private_key.private_bytes(
.public_key(my_public_key) encoding=serialization.Encoding.PEM,
.serial_number(x509.random_serial_number()) format=serialization.PrivateFormat.TraditionalOpenSSL,
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1)) encryption_algorithm=serialization.NoEncryption(),
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=3650)) )
.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=False) my_si_public_key_as_pem = my_si_public_key.public_bytes(
.sign(my_private_key, hashes.SHA256()) encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
) )
### build payload with open('instance.private.pem', 'wb') as f:
f.write(my_si_private_key_as_pem)
with open('instance.public.pem', 'wb') as f:
f.write(my_si_public_key_as_pem)
# create si-certificate subject
my_si_subject = x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'4e53a171-103b-4946-9ed8-5f4c0ee750d9'),
])
# create self-signed si-certificate
my_si_certificate = (
x509.CertificateBuilder()
.subject_name(my_si_subject)
.issuer_name(my_ca_subject)
.public_key(my_si_public_key)
.serial_number(x509.random_serial_number())
.not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
.not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
.add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False,
key_agreement=True, content_commitment=False, data_encipherment=False,
crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
.add_extension(x509.ExtendedKeyUsage([
x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]
), critical=False)
.add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False)
# .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False)
.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
), critical=False)
.add_extension(x509.SubjectAlternativeName([
x509.DNSName('4e53a171-103b-4946-9ed8-5f4c0ee750d9')
]), critical=False)
.sign(my_si_private_key, hashes.SHA256()))
my_si_public_key_exp = my_si_certificate.public_key().public_numbers().e
my_si_public_key_mod = f'{my_si_certificate.public_key().public_numbers().n:x}' # hex value without "0x" prefix
with open('cert_my.pem', 'wb') as f:
f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
""" build out payload """
cur_time = datetime.now(UTC) cur_time = datetime.now(UTC)
exp_time = cur_time + MY_CLIENT_TOKEN_EXPIRE_DELTA exp_time = cur_time + MY_CLIENT_TOKEN_EXPIRE_DELTA
@ -333,36 +400,41 @@ def test_our_config_token_with_our_key():
"service_instance_ref": NV_SI_SITE_ID, "service_instance_ref": NV_SI_SITE_ID,
"service_instance_public_key_configuration": { "service_instance_public_key_configuration": {
"service_instance_public_key_me": { "service_instance_public_key_me": {
"mod": hex(my_public_key.public_numbers().n)[2:], "mod": hex(my_si_public_key.public_numbers().n)[2:],
"exp": int(my_public_key.public_numbers().e), "exp": int(my_si_public_key.public_numbers().e),
}, },
"service_instance_public_key_pem": my_public_key_pem.decode('utf-8'), "service_instance_public_key_pem": my_si_public_key_as_pem.decode('utf-8').strip(),
"key_retention_mode": "LATEST_ONLY" "key_retention_mode": "LATEST_ONLY"
}, },
} }
my_sign_key = jwk.construct(my_private_key_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) my_sign_key = jwk.construct(my_si_private_key_as_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256)
my_config_token = jws.sign(payload, key=my_sign_key, headers=None, algorithm=ALGORITHMS.RS256) my_config_token = jws.sign(payload, key=my_sign_key, headers=None, algorithm=ALGORITHMS.RS256)
response = { response = {
"certificateConfiguration": { "certificateConfiguration": {
"caChain": [my_ca_certificate.public_bytes(encoding=Encoding.PEM)], "caChain": [my_ca_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8').strip().replace('\n','\r\n')],
"publicCert": my_ca_certificate.public_bytes(encoding=Encoding.PEM), "publicCert": my_si_certificate.public_bytes(encoding=Encoding.PEM).decode('utf-8').strip().replace('\n','\r\n'),
"publicKey": { "publicKey": {
"exp": int(my_certificate.public_key().public_numbers().e), "exp": int(my_si_certificate.public_key().public_numbers().e),
"mod": [hex(my_certificate.public_key().public_numbers().n)[2:]], "mod": [hex(my_si_certificate.public_key().public_numbers().n)[2:]],
}, },
}, },
"configToken": my_config_token, "configToken": my_config_token,
} }
### # this would be our response on fastapi-dls
print(json.dumps(response))
my_jws_sign_key = jwk.construct(my_certificate.public_bytes(encoding=Encoding.PEM), algorithm=ALGORITHMS.RS256) #my_si_certificate_as_pem = my_si_certificate.public_bytes(encoding=Encoding.PEM)
#my_jws_verify_key = jwk.construct(my_si_certificate_as_pem, algorithm=ALGORITHMS.RS256)
my_response_certificate = x509.load_pem_x509_certificate(response['certificateConfiguration']['publicCert'].encode('utf-8'))
my_response_certificate_as_pem = my_response_certificate.public_bytes(encoding=Encoding.PEM)
my_jws_verify_key = jwk.construct(my_response_certificate_as_pem, algorithm=ALGORITHMS.RS256)
my_response_config_token = response.get('configToken') my_response_config_token = response.get('configToken')
payload = jws.verify(my_response_config_token, key=my_jws_sign_key, algorithms=ALGORITHMS.RS256) payload = jws.verify(my_response_config_token, key=my_jws_verify_key, algorithms=ALGORITHMS.RS256)
payload = json.loads(payload) payload = json.loads(payload)
assert payload.get('iss') == 'NLS Service Instance' assert payload.get('iss') == 'NLS Service Instance'
assert payload.get('aud') == 'NLS Licensed Client' assert payload.get('aud') == 'NLS Licensed Client'