.gitlab-ci.yml bearbeiten

2025-04-16 15:07:28 +02:00
13 changed files with 158 additions and 1221 deletions
--- a/.DEBIAN/env.default
+++ b/.DEBIAN/env.default
@ -21,3 +21,7 @@ DATABASE=sqlite:////etc/fastapi-dls/db.sqlite
 #SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
 #INSTANCE_REF="10000000-0000-0000-0000-000000000001"
 #ALLOTMENT_REF="20000000-0000-0000-0000-000000000001"
 # Site-wide signing keys
 INSTANCE_KEY_RSA=/etc/fastapi-dls/instance.private.pem
 INSTANCE_KEY_PUB=/etc/fastapi-dls/instance.public.pem
--- a/.DEBIAN/postinst
+++ b/.DEBIAN/postinst
@ -3,6 +3,14 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls
 if [ ! -f $CONFIG_DIR/instance.private.pem ]; then
  echo "> Create dls-instance keypair ..."
  openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
  openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
 else
  echo "> Create dls-instance keypair skipped! (exists)"
 fi
 while true; do
  [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
  [ $default_answer == "Y" ] && V="Y/n" || V="y/N"
--- a/.PKGBUILD/PKGBUILD
+++ b/.PKGBUILD/PKGBUILD
@ -17,7 +17,7 @@ source=("git+file://${CI_PROJECT_DIR}"
        "$pkgname.service"
        "$pkgname.tmpfiles")
 sha256sums=('SKIP'
-            'a4776a0ae4671751065bf3e98aa707030b8b5ffe42dde942c51050dab5028c54'
+            'fbd015449a30c0ae82733289a56eb98151dcfab66c91b37fe8e202e39f7a5edb'
            '2719338541104c537453a65261c012dda58e1dbee99154cf4f33b526ee6ca22e'
            '3dc60140c08122a8ec0e7fa7f0937eb8c1288058890ba09478420fc30ce9e30c')
@ -30,6 +30,8 @@ pkgver() {
 check() {
    cd "$srcdir/$pkgname/test"
    mkdir "$srcdir/$pkgname/app/cert"
    openssl genrsa -out "$srcdir/$pkgname/app/cert/instance.private.pem" 2048
    openssl rsa -in "$srcdir/$pkgname/app/cert/instance.private.pem" -outform PEM -pubout -out "$srcdir/$pkgname/app/cert/instance.public.pem"
    python "$srcdir/$pkgname/test/main.py"
    rm -rf "$srcdir/$pkgname/app/cert"
 }
--- a/.PKGBUILD/fastapi-dls.default
+++ b/.PKGBUILD/fastapi-dls.default
@ -19,6 +19,10 @@ DATABASE="sqlite:////var/lib/fastapi-dls/db.sqlite"
 SITE_KEY_XID="<<sitekey>>"
 INSTANCE_REF="<<instanceref>>"
 # Site-wide signing keys
 INSTANCE_KEY_RSA="/var/lib/fastapi-dls/instance.private.pem"
 INSTANCE_KEY_PUB="/var/lib/fastapi-dls/instance.public.pem"
 # TLS certificate
 INSTANCE_SSL_CERT="/var/lib/fastapi-dls/cert/webserver.crt"
 INSTANCE_SSL_KEY="/var/lib/fastapi-dls/cert/webserver.key"
--- a/.PKGBUILD/fastapi-dls.install
+++ b/.PKGBUILD/fastapi-dls.install
@ -7,4 +7,8 @@ post_install() {
    echo
    echo 'A valid HTTPS certificate needs to be installed to /var/lib/fastapi-dls/cert/webserver.{crt,key}'
    echo 'A self-signed certificate can be generated with: openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /var/lib/fastapi-dls/cert/webserver.key -out /var/lib/fastapi-dls/cert/webserver.crt'
    echo
    echo 'The signing keys for your instance need to be generated as well. Generate them with these commands:'
    echo 'openssl genrsa -out /var/lib/fastapi-dls/instance.private.pem 2048'
    echo 'openssl rsa -in /var/lib/fastapi-dls/instance.private.pem -outform PEM -pubout -out /var/lib/fastapi-dls/instance.public.pem'
 }
--- a/.UNRAID/FastAPI-DLS.xml
+++ b/.UNRAID/FastAPI-DLS.xml
@ -18,6 +18,9 @@ Make sure you create these certificates before starting the container for the fi
 WORKING_DIR=/mnt/user/appdata/fastapi-dls/cert&#xD;
 mkdir -p $WORKING_DIR&#xD;
 cd $WORKING_DIR&#xD;
 # create instance private and public key for singing JWT's&#xD;
 openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 &#xD;
 openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem&#xD;
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl&#xD;
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt&#xD;
 ```&#xD;
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -151,6 +151,8 @@ test:python:
    - pip install -r requirements.txt
    - pip install pytest pytest-cov pytest-custom_exit_code httpx
    - mkdir -p app/cert
    - openssl genrsa -out app/cert/instance.private.pem 2048
    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
    - cd test
  script:
    - python -m pytest main.py --junitxml=report.xml
@ -261,6 +263,8 @@ test_coverage:
    - pip install -r requirements.txt
    - pip install pytest pytest-cov pytest-custom_exit_code httpx
    - mkdir -p app/cert
    - openssl genrsa -out app/cert/instance.private.pem 2048
    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
    - cd test
  script:
    - coverage run -m pytest main.py --junitxml=report.xml --suppress-no-test-exit-code
@ -376,7 +380,7 @@ deploy:pacman:
 release:
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  stage: .post
-  needs: [ build:docker, build:apt, build:pacman ]
+  needs: [ deploy:docker, deploy:apt, deploy:pacman ]
  rules:
    - if: $CI_COMMIT_TAG
  script:
--- a/README.md
+++ b/README.md
@ -2,16 +2,13 @@
 Minimal Delegated License Service (DLS).
 > [!warning] Branch support \
 > FastAPI-DLS Version 1.x supports up to **`17.x`** releases. \
 > FastAPI-DLS Version 2.x is backwards compatible to `17.x` and supports **`18.x`** releases in combination
 > with [gridd-unlock-patcher](https://git.collinwebdesigns.de/oscar.krause/gridd-unlock-patcher).
 > Other combinations of FastAPI-DLS and Driver-Branches may work but are not tested.
 > [!note] Compatibility
 > Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility
 > see [compatibility matrix](#vgpu-software-compatibility-matrix).
 > [!warning] 18.x Drivers are not yet supported!
 > Drivers are only supported until **17.x releases**.
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.
@ -69,6 +66,9 @@ The images include database drivers for `postgres`, `mariadb` and `sqlite`.
 WORKING_DIR=/opt/docker/fastapi-dls/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
 # create instance private and public key for singing JWT's
 openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
 openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 ```
@ -153,6 +153,9 @@ chown -R www-data:www-data $WORKING_DIR
 WORKING_DIR=/opt/fastapi-dls/app/cert
 mkdir -p $WORKING_DIR
 cd $WORKING_DIR
 # create instance private and public key for singing JWT's
 openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
 openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
 chown -R www-data:www-data $WORKING_DIR
@ -252,6 +255,9 @@ CERT_DIR=${BASE_DIR}/app/cert
 SERVICE_USER=dls
 mkdir ${CERT_DIR}
 cd ${CERT_DIR}
 # create instance private and public key for singing JWT's
 openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048 
 openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem
 # create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt
 chown -R ${SERVICE_USER} ${CERT_DIR}
@ -429,7 +435,9 @@ After first success you have to replace `--issue` with `--renew`.
 | `CORS_ORIGINS`           | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2                                                              |
 | `SITE_KEY_XID`           | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                                                            |
 | `INSTANCE_REF`           | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                                                        |
-| `ALLOTMENT_REF`          | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                                       | |
+| `ALLOTMENT_REF`          | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                                       |
 | `INSTANCE_KEY_RSA`       | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*3                                                                                      |
 | `INSTANCE_KEY_PUB`       | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*3                                                                                                            |
 \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
 every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
@ -437,6 +445,8 @@ client has 19.2 hours in which to re-establish connectivity before its license e
 \*2 Always use `https`, since guest-drivers only support secure connections!
 \*3 If you recreate your instance keys you need to **recreate client-token for each guest**!
 # Setup (Client)
 **The token file has to be copied! It's not enough to C&P file contents, because there can be special characters.**
@ -535,10 +545,6 @@ Status endpoint, used for *healthcheck*.
 Shows current runtime environment variables and their values.
 **`GET /-/config/root-ca`**
 Returns the Root-CA Certificate which is used. This is required for patching `nvidia-gridd` on 18.x releases.
 **`GET /-/readme`**
 HTML rendered README.md.
@ -611,7 +617,7 @@ Please download a new client-token. The guest have to register within an hour af
 ### `jose.exceptions.JWTError: Signature verification failed.`
- Did you recreate any certificate or keypair?
+- Did you recreate `instance.public.pem` / `instance.private.pem`?
 Then you have to download a **new** client-token on each of your guests.
@ -747,23 +753,33 @@ The error message can safely be ignored (since we have no license limitation :P)
 # vGPU Software Compatibility Matrix
 **18.x Drivers are not supported on FastAPI-DLS Versions < 1.6.0**
 <details>
  <summary>Show Table</summary>
 Successfully tested with this package versions.
-| FastAPI-DLS Version | vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver |  Release Date |      EOL Date |
+| vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver |  Release Date |      EOL Date |
-|---------------------|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:|
+|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:|
-| `2.x`               |    `18.0`     |   **R570**    | `570.124.03`       | `570.124.06` | `572.60`       |    March 2025 |    March 2026 |
+|    `17.5`     |     R550      | `550.144.02`       | `550.144.03` | `553.62`       |  January 2025 |     June 2025 |
-| `1.x` & `2.x`       |    `17.5`     |               | `550.144.02`       | `550.144.03` | `553.62`       |  January 2025 |     June 2025 |
+|    `17.4`     |     R550      | `550.127.06`       | `550.127.05` | `553.24`       |  October 2024 |               |
-|                     |    `17.4`     |               | `550.127.06`       | `550.127.05` | `553.24`       |  October 2024 |               |
+|    `17.3`     |     R550      | `550.90.05`        | `550.90.07`  | `552.74`       |     July 2024 |               |
-|                     |    `17.3`     |               | `550.90.05`        | `550.90.07`  | `552.74`       |     July 2024 |               |
+|    `17.2`     |     R550      | `550.90.05`        | `550.90.07`  | `552.55`       |     June 2024 |               |
-|                     |    `17.2`     |               | `550.90.05`        | `550.90.07`  | `552.55`       |     June 2024 |               |
+|    `17.1`     |     R550      | `550.54.16`        | `550.54.15`  | `551.78`       |    March 2024 |               |
-|                     |    `17.1`     |               | `550.54.16`        | `550.54.15`  | `551.78`       |    March 2024 |               |
+|    `17.0`     |     R550      | `550.54.10`        | `550.54.14`  | `551.61`       | February 2024 |               |
-|                     |    `17.0`     |   **R550**    | `550.54.10`        | `550.54.14`  | `551.61`       | February 2024 |               |
+|    `16.9`     |     R535      | `535.230.02`       | `535.216.01` | `539.19`       |  October 2024 |     July 2026 |
-| `1.x`               |    `16.9`     |   **R535**    | `535.230.02`       | `535.216.01` | `539.19`       |  October 2024 |     July 2026 |
+|    `16.8`     |     R535      | `535.216.01`       | `535.216.01` | `538.95`       |  October 2024 |               |
-| `1.x`               |    `15.4`     |   **R525**    | `525.147.01`       | `525.147.05` | `529.19`       |     June 2023 | December 2023 |
+|    `16.7`     |     R535      | `535.183.04`       | `535.183.06` | `538.78`       |     July 2024 |               |
-| `1.x`               |    `14.4`     |   **R510**    | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 | February 2023 |
+|    `16.6`     |     R535      | `535.183.04`       | `535.183.01` | `538.67`       |     June 2024 |               |
 |    `16.5`     |     R535      | `535.161.05`       | `535.161.08` | `538.46`       | February 2024 |               |
 |    `16.4`     |     R535      | `535.161.05`       | `535.161.07` | `538.33`       | February 2024 |               |
 |    `16.3`     |     R535      | `535.154.02`       | `535.154.05` | `538.15`       |  January 2024 |               |
 |    `16.2`     |     R535      | `535.129.03`       | `535.129.03` | `537.70`       |  October 2023 |               |
 |    `16.1`     |     R535      | `535.104.06`       | `535.104.05` | `537.13`       |   August 2023 |               |
 |    `16.0`     |     R535      | `535.54.06`        | `535.54.03`  | `536.22`       |     July 2023 |               |
 |    `15.4`     |     R525      | `525.147.01`       | `525.147.05` | `529.19`       |     June 2023 | December 2023 |
 |    `14.4`     |     R510      | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 | February 2023 |
 </details>
@ -787,6 +803,5 @@ Special thanks to:
 - `Krutav Shah` who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
 - `Wim van 't Hoog` for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
 - `mrzenc` who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
 - `electricsheep49` who wrote [gridd-unlock-patcher](https://git.collinwebdesigns.de/oscar.krause/gridd-unlock-patcher)
 And thanks to all people who contributed to all these libraries!
--- a/app/main.py
+++ b/app/main.py
@ -4,7 +4,7 @@ from calendar import timegm
 from contextlib import asynccontextmanager
 from datetime import datetime, timedelta, UTC
 from hashlib import sha256
-from json import loads as json_loads, dumps as json_dumps
+from json import loads as json_loads
 from os import getenv as env
 from os.path import join, dirname
 from uuid import uuid4
@ -13,15 +13,15 @@ from dateutil.relativedelta import relativedelta
 from dotenv import load_dotenv
 from fastapi import FastAPI
 from fastapi.requests import Request
 from fastapi.responses import Response, RedirectResponse, StreamingResponse
 from jose import jws, jwk, jwt, JWTError
 from jose.constants import ALGORITHMS
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 from starlette.middleware.cors import CORSMiddleware
 from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from orm import Origin, Lease, init as db_init, migrate
-from util import CASetup, PrivateKey, Cert, ProductMapping, load_file
+from util import PrivateKey, PublicKey, load_file
 # Load variables
 load_dotenv('../version.env')
@ -42,25 +42,17 @@ DLS_PORT = int(env('DLS_PORT', '443'))
 SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
 INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
 ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
 INSTANCE_KEY_RSA = PrivateKey.from_file(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
 INSTANCE_KEY_PUB = PublicKey.from_file(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
 TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0)))
 LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
 LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
 LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
 CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
 DT_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
 PRODUCT_MAPPING = ProductMapping(filename=join(dirname(__file__), 'static/product_mapping.json'))
-# Create certificate chain and signing keys
+jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256)
-ca_setup = CASetup(service_instance_ref=INSTANCE_REF)
+jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256)
 my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename)
 my_ca_certificate = Cert.from_file(ca_setup.ca_certificate_filename)
 my_si_certificate = Cert.from_file(ca_setup.si_certificate_filename)
 my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename)
 my_si_public_key = my_si_private_key.public_key()
 jwt_encode_key = jwk.construct(my_si_private_key.pem(), algorithm=ALGORITHMS.RS256)
 jwt_decode_key = jwk.construct(my_si_private_key.public_key().pem(), algorithm=ALGORITHMS.RS256)
 # Logging
 LOG_LEVEL = logging.DEBUG if DEBUG else logging.INFO
@ -127,12 +119,12 @@ async def _index():
@app.get('/-/health', summary='* Health')
 async def _health():
-    return Response(content=json_dumps({'status': 'up'}), media_type='application/json', status_code=200)
+    return JSONr({'status': 'up'})
@app.get('/-/config', summary='* Config', description='returns environment variables.')
 async def _config():
-    response = {
+    return JSONr({
        'VERSION': str(VERSION),
        'COMMIT': str(COMMIT),
        'DEBUG': str(DEBUG),
@ -146,23 +138,14 @@ async def _config():
        'LEASE_RENEWAL_PERIOD': str(LEASE_RENEWAL_PERIOD),
        'CORS_ORIGINS': str(CORS_ORIGINS),
        'TZ': str(TZ),
-    }
+    })
    return Response(content=json_dumps(response), media_type='application/json', status_code=200)
@app.get('/-/config/root-ca', summary='* Root CA', description='returns Root-CA needed for patching nvidia-gridd')
 async def _config():
    return Response(content=my_root_certificate.pem().decode('utf-8'), media_type='text/plain')
@app.get('/-/readme', summary='* Readme')
 async def _readme():
    from markdown import markdown
    content = load_file(join(dirname(__file__), '../README.md')).decode('utf-8')
-    response = markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc'])
+    return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
    return Response(response, media_type='text/html', status_code=200)
@app.get('/-/manage', summary='* Management UI')
@ -200,7 +183,7 @@ async def _manage(request: Request):
        </body>
    </html>
    '''
-    return Response(response, media_type='text/html', status_code=200)
+    return HTMLr(response)
@app.get('/-/origins', summary='* Origins')
@ -214,7 +197,7 @@ async def _origins(request: Request, leases: bool = False):
            x['leases'] = list(map(lambda _: _.serialize(**serialize), Lease.find_by_origin_ref(db, origin.origin_ref)))
        response.append(x)
    session.close()
-    return Response(content=json_dumps(response), media_type='application/json', status_code=200)
+    return JSONr(response)
@app.delete('/-/origins', summary='* Origins')
@ -236,7 +219,7 @@ async def _leases(request: Request, origin: bool = False):
                x['origin'] = lease_origin.serialize()
        response.append(x)
    session.close()
-    return Response(content=json_dumps(response), media_type='application/json', status_code=200)
+    return JSONr(response)
@app.delete('/-/leases/expired', summary='* Leases')
@ -249,8 +232,7 @@ async def _lease_delete_expired(request: Request):
 async def _lease_delete(request: Request, lease_ref: str):
    if Lease.delete(db, lease_ref) == 1:
        return Response(status_code=201)
-    response = {'status': 404, 'detail': 'lease not found'}
+    return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
    return Response(content=json_dumps(response), media_type='application/json', status_code=404)
 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
@ -266,7 +248,6 @@ async def _client_token():
        "iat": timegm(cur_time.timetuple()),
        "nbf": timegm(cur_time.timetuple()),
        "exp": timegm(exp_time.timetuple()),
        "protocol_version": "2.0",
        "update_mode": "ABSOLUTE",
        "scope_ref_list": [ALLOTMENT_REF],
        "fulfillment_class_ref_list": [],
@ -276,7 +257,6 @@ async def _client_token():
                {
                    "idx": 0,
                    "d_name": "DLS",
                    # todo: {"service": "quick_release", "port": 80} - see "shutdown for windows"
                    "svc_port_map": [{"service": "auth", "port": DLS_PORT}, {"service": "lease", "port": DLS_PORT}]
                }
            ],
@ -284,10 +264,10 @@ async def _client_token():
        },
        "service_instance_public_key_configuration": {
            "service_instance_public_key_me": {
-                "mod": my_si_public_key.mod(),
+                "mod": hex(INSTANCE_KEY_PUB.raw().public_numbers().n)[2:],
-                "exp": my_si_public_key.exp(),
+                "exp": int(INSTANCE_KEY_PUB.raw().public_numbers().e),
            },
-            "service_instance_public_key_pem": my_si_private_key.public_key().pem().decode('utf-8'),
+            "service_instance_public_key_pem": INSTANCE_KEY_PUB.pem().decode('utf-8'),
            "key_retention_mode": "LATEST_ONLY"
        },
    }
@ -318,22 +298,17 @@ async def auth_v1_origin(request: Request):
    Origin.create_or_update(db, data)
    environment = {
        'raw_env': j.get('environment')
    }
    environment.update(j.get('environment'))
    response = {
        "origin_ref": origin_ref,
-        "environment": environment,
+        "environment": j.get('environment'),
        "svc_port_set_list": None,
        "node_url_list": None,
        "node_query_order": None,
        "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT)
+        "sync_timestamp": cur_time.isoformat()
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
@ -356,10 +331,10 @@ async def auth_v1_origin_update(request: Request):
    response = {
        "environment": j.get('environment'),
        "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT)
+        "sync_timestamp": cur_time.isoformat()
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
@ -387,11 +362,11 @@ async def auth_v1_code(request: Request):
    response = {
        "auth_code": auth_code,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
@ -403,8 +378,7 @@ async def auth_v1_token(request: Request):
    try:
        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256)
    except JWTError as e:
-        response = {'status': 400, 'title': 'invalid token', 'detail': str(e)}
+        return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
        return Response(content=json_dumps(response), media_type='application/json', status_code=400)
    origin_ref = payload.get('origin_ref')
    logger.info(f'> [   auth   ]: {origin_ref}: {j}')
@ -412,8 +386,7 @@ async def auth_v1_token(request: Request):
    # validate the code challenge
    challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8')
    if payload.get('challenge') != challenge:
-        response = {'status': 401, 'detail': 'expected challenge did not match verifier'}
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})
        return Response(content=json_dumps(response), media_type='application/json', status_code=401)
    access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
@ -423,72 +396,20 @@ async def auth_v1_token(request: Request):
        'iss': 'https://cls.nvidia.org',
        'aud': 'https://cls.nvidia.org',
        'exp': timegm(access_expires_on.timetuple()),
        'origin_ref': origin_ref,
        'key_ref': SITE_KEY_XID,
        'kid': SITE_KEY_XID,
        'origin_ref': origin_ref,
    }
    auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
    response = {
        "expires": access_expires_on.isoformat(),
        "auth_token": auth_token,
-        "expires": access_expires_on.strftime(DT_FORMAT),
+        "sync_timestamp": cur_time.isoformat(),
        "prompts": None,
        "sync_timestamp": cur_time.strftime(DT_FORMAT),
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 # NLS 3.4.0 - venv/lib/python3.12/site-packages/nls_services_lease/test/test_lease_single_controller.py
@app.post('/leasing/v1/config-token', description='request to get config token for lease operations')
 async def leasing_v1_config_token(request: Request):
    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
    cur_time = datetime.now(UTC)
    exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
    payload = {
        "iss": "NLS Service Instance",
        "aud": "NLS Licensed Client",
        "iat": timegm(cur_time.timetuple()),
        "nbf": timegm(cur_time.timetuple()),
        "exp": timegm(exp_time.timetuple()),
        "protocol_version": "2.0",
        "d_name": "DLS",
        "service_instance_ref": j.get('service_instance_ref'),
        "service_instance_public_key_configuration": {
            "service_instance_public_key_me": {
                "mod": my_si_public_key.mod(),
                "exp": my_si_public_key.exp(),
            },
            # 64 chars per line (pem default)
            "service_instance_public_key_pem": my_si_private_key.public_key().pem().decode('utf-8').strip(),
            "key_retention_mode": "LATEST_ONLY"
        },
    }
    my_jwt_encode_key = jwk.construct(my_si_private_key.pem().decode('utf-8'), algorithm=ALGORITHMS.RS256)
    config_token = jws.sign(payload, key=my_jwt_encode_key, headers=None, algorithm=ALGORITHMS.RS256)
    response_ca_chain = my_ca_certificate.pem().decode('utf-8')
    response_si_certificate = my_si_certificate.pem().decode('utf-8')
    response = {
        "certificateConfiguration": {
            # 76 chars per line
            "caChain": [response_ca_chain],
            # 76 chars per line
            "publicCert": response_si_certificate,
            "publicKey": {
                "exp": int(my_si_certificate.raw().public_key().public_numbers().e),
                "mod": [hex(my_si_certificate.raw().public_key().public_numbers().n)[2:]],
            },
        },
        "configToken": config_token,
    }
    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@ -499,67 +420,43 @@ async def leasing_v1_lessor(request: Request):
    try:
        token = __get_token(request)
    except JWTError:
-        response = {'status': 401, 'detail': 'token is not valid'}
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})
        return Response(content=json_dumps(response), media_type='application/json', status_code=401)
    origin_ref = token.get('origin_ref')
    scope_ref_list = j.get('scope_ref_list')
    lease_proposal_list = j.get('lease_proposal_list')
    logger.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
    lease_result_list = []
    for scope_ref in scope_ref_list:
        # if scope_ref not in [ALLOTMENT_REF]:
-        #     response = {'status': 400, 'detail': f'service instances not found for scopes: ["{scope_ref}"]')}
+        #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
        #     return Response(content=json_dumps(response), media_type='application/json', status_code=400)
        pass
    lease_result_list = []
    for lease_proposal in lease_proposal_list:
        lease_ref = str(uuid4())
        expires = cur_time + LEASE_EXPIRE_DELTA
        product_name = lease_proposal.get('product').get('name')
        feature_name = PRODUCT_MAPPING.get_feature_name(product_name=product_name)
        lease_result_list.append({
-            "error": None,
+            "ordinal": 0,
            # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
            "lease": {
                "created": cur_time.strftime(DT_FORMAT),
                "expires": expires.strftime(DT_FORMAT),  # todo: lease_proposal.get('duration') => "P0Y0M0DT12H0M0S
                "feature_name": feature_name,
                "lease_intent_id": None,
                "license_type": "CONCURRENT_COUNTED_SINGLE",
                "metadata": None,
                "offline_lease": False,  # todo
                "product_name": product_name,
                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
                "ref": lease_ref,
-            },
+                "created": cur_time.isoformat(),
-            "ordinal": None,
+                "expires": expires.isoformat(),
                "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
                "offline_lease": "true",
                "license_type": "CONCURRENT_COUNTED_SINGLE"
            }
        })
        data = Lease(origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
        Lease.create_or_update(db, data)
    response = {
        "client_challenge": j.get('client_challenge'),
        "lease_result_list": lease_result_list,
-        "prompts": None,
+        "result_code": "SUCCESS",
-        "result_code": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
    }
-    content = json_dumps(response, separators=(',', ':'))
+    return JSONr(response)
    content = f'{content}\n'.encode('ascii')
    signature = my_si_private_key.generate_signature(content)
    headers = {
        'Content-Type': 'application/json',
        'access-control-expose-headers': 'X-NLS-Signature',
        'X-NLS-Signature': f'{signature.hex().encode()}'
    }
    return Response(content=content, media_type='application/json', headers=headers)
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@ -575,54 +472,39 @@ async def leasing_v1_lessor_lease(request: Request):
    response = {
        "active_lease_list": active_lease_list,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
@app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
+    token, cur_time = __get_token(request), datetime.now(UTC)
    origin_ref = token.get('origin_ref')
    logger.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
    entity = Lease.find_by_origin_ref_and_lease_ref(db, origin_ref, lease_ref)
    if entity is None:
-        response = {'status': 404, 'detail': 'requested lease not available'}
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
        return Response(content=json_dumps(response), media_type='application/json', status_code=404)
    expires = cur_time + LEASE_EXPIRE_DELTA
    response = {
        "client_challenge": j.get('client_challenge'),
        "expires": expires.strftime('%Y-%m-%dT%H:%M:%S.%f'),  # DT_FORMAT => "trailing 'Z' missing in this response
        "feature_expired": False,
        "lease_ref": lease_ref,
-        "metadata": None,
+        "expires": expires.isoformat(),
        "offline_lease": False,  # todo
        "prompts": None,
        "recommended_lease_renewal": LEASE_RENEWAL_PERIOD,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "offline_lease": True,
        "prompts": None,
        "sync_timestamp": cur_time.isoformat(),
    }
    Lease.renew(db, entity, expires, cur_time)
-    content = json_dumps(response, separators=(',', ':'))
+    return JSONr(response)
    content = f'{content}\n'.encode('ascii')
    signature = my_si_private_key.generate_signature(content)
    headers = {
        'Content-Type': 'application/json',
        'access-control-expose-headers': 'X-NLS-Signature',
        'X-NLS-Signature': f'{signature.hex().encode()}'
    }
    return Response(content=content, media_type='application/json', headers=headers)
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
@ -635,24 +517,20 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
    entity = Lease.find_by_lease_ref(db, lease_ref)
    if entity.origin_ref != origin_ref:
-        response = {'status': 403, 'detail': 'access or operation forbidden'}
+        return JSONr(status_code=403, content={'status': 403, 'detail': 'access or operation forbidden'})
        return Response(content=json_dumps(response), media_type='application/json', status_code=403)
    if entity is None:
-        response = {'status': 404, 'detail': 'requested lease not available'}
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})
        return Response(content=json_dumps(response), media_type='application/json', status_code=404)
    if Lease.delete(db, lease_ref) == 0:
-        response = {'status': 404, 'detail': 'lease not found'}
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})
        return Response(content=json_dumps(response), media_type='application/json', status_code=404)
    response = {
        "client_challenge": None,
        "lease_ref": lease_ref,
        "prompts": None,
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "sync_timestamp": cur_time.isoformat(),
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@ -669,11 +547,11 @@ async def leasing_v1_lessor_lease_remove(request: Request):
    response = {
        "released_lease_list": released_lease_list,
        "release_failure_list": None,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
@app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases')
@ -691,11 +569,11 @@ async def leasing_v1_lessor_shutdown(request: Request):
    response = {
        "released_lease_list": released_lease_list,
        "release_failure_list": None,
-        "prompts": None,
+        "sync_timestamp": cur_time.isoformat(),
-        "sync_timestamp": cur_time.strftime(DT_FORMAT),
+        "prompts": None
    }
-    return Response(content=json_dumps(response, separators=(',', ':')), media_type='application/json', status_code=200)
+    return JSONr(response)
 if __name__ == '__main__':
--- a/app/static/product_mapping.json
+++ b/app/static/product_mapping.json
@ -1,643 +0,0 @@
 {
  "product": [
    {
      "xid": "c0ce7114-d8a5-40d4-b8b0-df204f4ff631",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA-vComputeServer-9.0",
      "name": "NVIDIA-vComputeServer-9.0",
      "description": null
    },
    {
      "xid": "2a99638e-493f-424b-bc3a-629935307490",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "vGaming_Flexera_License-0.1",
      "name": "vGaming_Flexera_License-0.1",
      "description": null
    },
    {
      "xid": "a013d60c-3cd6-4e61-ae51-018b5e342178",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID-Virtual-Apps-3.0",
      "name": "GRID-Virtual-Apps-3.0",
      "description": null
    },
    {
      "xid": "bb99c6a3-81ce-4439-aef5-9648e75dd878",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID-vGaming-NLS-Metered-8.0",
      "name": "GRID-vGaming-NLS-Metered-8.0",
      "description": null
    },
    {
      "xid": "c653e131-695c-4477-b77c-42ade3dcb02c",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID-Virtual-WS-Ext-2.0",
      "name": "GRID-Virtual-WS-Ext-2.0",
      "description": null
    },
    {
      "xid": "6fc224ef-e0b5-467b-9bbb-d31c9eb7c6fc",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID-vGaming-8.0",
      "name": "GRID-vGaming-8.0",
      "description": null
    },
    {
      "xid": "3c88888d-ebf3-4df7-9e86-c97d5b29b997",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID-Virtual-PC-2.0",
      "name": "GRID-Virtual-PC-2.0",
      "description": null
    },
    {
      "xid": "66744b41-1fff-49be-a5a6-4cbd71b1117e",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVAIE_Licensing-1.0",
      "name": "NVAIE_Licensing-1.0",
      "description": null
    },
    {
      "xid": "1d4e9ebc-a78c-41f4-a11a-de38a467b2ba",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA-vComputeServer NLS Metered-9.0",
      "name": "NVIDIA-vComputeServer NLS Metered-9.0",
      "description": null
    },
    {
      "xid": "2152f8aa-d17b-46f5-8f5f-6f8c0760ce9c",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "vGaming_FB_License-0.1",
      "name": "vGaming_FB_License-0.1",
      "description": null
    },
    {
      "xid": "54cbe0e8-7b35-4068-b058-e11f5b367c66",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "Quadro-Virtual-DWS-5.0",
      "name": "Quadro-Virtual-DWS-5.0",
      "description": null
    },
    {
      "xid": "07a1d2b5-c147-48bc-bf44-9390339ca388",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID-Virtual-WS-2.0",
      "name": "GRID-Virtual-WS-2.0",
      "description": null
    },
    {
      "xid": "82d7a5f0-0c26-11ef-b3b6-371045c70906",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "vGaming_Flexera_License-0.1",
      "name": "vGaming_Flexera_License-0.1",
      "description": null
    },
    {
      "xid": "bdfbde00-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA Virtual Applications",
      "name": "NVIDIA Virtual Applications",
      "description": null
    },
    {
      "xid": "bdfbe16d-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA Virtual PC",
      "name": "NVIDIA Virtual PC",
      "description": null
    },
    {
      "xid": "bdfbe308-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA RTX Virtual Workstation",
      "name": "NVIDIA RTX Virtual Workstation",
      "description": null
    },
    {
      "xid": "bdfbe405-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA vGaming",
      "name": "NVIDIA vGaming",
      "description": null
    },
    {
      "xid": "bdfbe509-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID Virtual Applications",
      "name": "GRID Virtual Applications",
      "description": null
    },
    {
      "xid": "bdfbe5c6-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID Virtual PC",
      "name": "GRID Virtual PC",
      "description": null
    },
    {
      "xid": "bdfbe6e8-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "Quadro Virtual Data Center Workstation",
      "name": "Quadro Virtual Data Center Workstation",
      "description": null
    },
    {
      "xid": "bdfbe7c8-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "GRID vGaming",
      "name": "GRID vGaming",
      "description": null
    },
    {
      "xid": "bdfbe884-2cdb-11ec-9838-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA Virtual Compute Server",
      "name": "NVIDIA Virtual Compute Server",
      "description": null
    },
    {
      "xid": "f09b5c33-5c07-11ed-9fa6-061a22468b59",
      "product_family_xid": "bda4d909-2cdb-11ec-9838-061a22468b59",
      "identifier": "NVIDIA OVE Licensing",
      "name": "NVIDIA Omniverse Nucleus",
      "description": null
    }
  ],
  "product_fulfillment": [
    {
      "xid": "cf0a5330-b583-4d9f-84bb-cfc8ce0917bb",
      "product_xid": "07a1d2b5-c147-48bc-bf44-9390339ca388",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "90d0f05f-9431-4a15-86e7-740a4f08d457",
      "product_xid": "1d4e9ebc-a78c-41f4-a11a-de38a467b2ba",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "327385dd-4ba8-4b3c-bc56-30bcf58ae9a3",
      "product_xid": "2152f8aa-d17b-46f5-8f5f-6f8c0760ce9c",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "6733f2cc-0736-47ee-bcc8-20c4c624ce37",
      "product_xid": "2a99638e-493f-424b-bc3a-629935307490",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "f35396a9-24f8-44b6-aa6a-493b335f4d56",
      "product_xid": "3c88888d-ebf3-4df7-9e86-c97d5b29b997",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "6c7981d3-7192-4bfd-b7ec-ea2ad0b466dc",
      "product_xid": "54cbe0e8-7b35-4068-b058-e11f5b367c66",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "9bd09610-6190-4684-9be6-3d9503833e80",
      "product_xid": "66744b41-1fff-49be-a5a6-4cbd71b1117e",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "a4282e5b-ea08-4e0a-b724-7f4059ba99de",
      "product_xid": "6fc224ef-e0b5-467b-9bbb-d31c9eb7c6fc",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "5cf793fc-1fb3-45c0-a711-d3112c775cbe",
      "product_xid": "a013d60c-3cd6-4e61-ae51-018b5e342178",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "eb2d39a4-6370-4464-8a6a-ec3f42c69cb5",
      "product_xid": "bb99c6a3-81ce-4439-aef5-9648e75dd878",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "e9df1c70-7fac-4c84-b54c-66e922b9791a",
      "product_xid": "c0ce7114-d8a5-40d4-b8b0-df204f4ff631",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "6a4d5bcd-7b81-4e22-a289-ce3673e5cabf",
      "product_xid": "c653e131-695c-4477-b77c-42ade3dcb02c",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "9e162d3c-0c26-11ef-b3b6-371045c70906",
      "product_xid": "82d7a5f0-0c26-11ef-b3b6-371045c70906",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be2769b9-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbde00-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe16d-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be276efe-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe308-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe405-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be2770af-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe509-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be277164-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe5c6-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be277214-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe6e8-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe7c8-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "be277379-2cdb-11ec-9838-061a22468b59",
      "product_xid": "bdfbe884-2cdb-11ec-9838-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    },
    {
      "xid": "c4284597-5c09-11ed-9fa6-061a22468b59",
      "product_xid": "f09b5c33-5c07-11ed-9fa6-061a22468b59",
      "qualifier_specification": null,
      "evaluation_order_index": 0
    }
  ],
  "product_fulfillment_feature": [
    {
      "xid": "9ca32d2b-736e-4e4f-8f5a-895a755b4c41",
      "product_fulfillment_xid": "5cf793fc-1fb3-45c0-a711-d3112c775cbe",
      "feature_identifier": "GRID-Virtual-Apps",
      "feature_version": "3.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "d8b25329-f47f-43dc-a278-f2d38f9e939b",
      "product_fulfillment_xid": "f35396a9-24f8-44b6-aa6a-493b335f4d56",
      "feature_identifier": "GRID-Virtual-PC",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "e7102df8-d88a-4bd0-aa79-9a53d8b77888",
      "product_fulfillment_xid": "cf0a5330-b583-4d9f-84bb-cfc8ce0917bb",
      "feature_identifier": "GRID-Virtual-WS",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "30761db3-0afe-454d-b284-efba6d9b13a3",
      "product_fulfillment_xid": "6a4d5bcd-7b81-4e22-a289-ce3673e5cabf",
      "feature_identifier": "GRID-Virtual-WS-Ext",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "10fd7701-83ae-4caf-a27f-75880fab23f6",
      "product_fulfillment_xid": "a4282e5b-ea08-4e0a-b724-7f4059ba99de",
      "feature_identifier": "GRID-vGaming",
      "feature_version": "8.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "cbd61276-fb1e-42e1-b844-43e94465da8f",
      "product_fulfillment_xid": "9bd09610-6190-4684-9be6-3d9503833e80",
      "feature_identifier": "NVAIE_Licensing",
      "feature_version": "1.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "6b1c74b5-1511-46ee-9f12-8bc6d5636fef",
      "product_fulfillment_xid": "90d0f05f-9431-4a15-86e7-740a4f08d457",
      "feature_identifier": "NVIDIA-vComputeServer NLS Metered",
      "feature_version": "9.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "db53af09-7295-48b7-b927-24b23690c959",
      "product_fulfillment_xid": "e9df1c70-7fac-4c84-b54c-66e922b9791a",
      "feature_identifier": "NVIDIA-vComputeServer",
      "feature_version": "9.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "1f62be61-a887-4e54-a34e-61cfa7b2db30",
      "product_fulfillment_xid": "6c7981d3-7192-4bfd-b7ec-ea2ad0b466dc",
      "feature_identifier": "Quadro-Virtual-DWS",
      "feature_version": "5.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "8a4b5e98-f1ca-4c18-b0d4-8f4f9f0462e2",
      "product_fulfillment_xid": "327385dd-4ba8-4b3c-bc56-30bcf58ae9a3",
      "feature_identifier": "vGaming_FB_License",
      "feature_version": "0.1",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be531e98-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be2769b9-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-Apps",
      "feature_version": "3.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be53219e-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-PC",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be5322f0-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "Quadro-Virtual-DWS",
      "feature_version": "5.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "be5323d8-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "be5324a6-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276d7b-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS-Ext",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 3
    },
    {
      "xid": "be532568-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "Quadro-Virtual-DWS",
      "feature_version": "5.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be532630-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "be5326e7-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276efe-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS-Ext",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "be5327a7-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-vGaming",
      "feature_version": "8.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be532923-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be2770af-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-Apps",
      "feature_version": "3.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be5329e0-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-PC",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be532aa0-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "Quadro-Virtual-DWS",
      "feature_version": "5.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "be532b5c-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "be532c19-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277164-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS-Ext",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 3
    },
    {
      "xid": "be532ccb-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "Quadro-Virtual-DWS",
      "feature_version": "5.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be532d92-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "be532e45-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277214-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-Virtual-WS-Ext",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "be532efa-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-vGaming",
      "feature_version": "8.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be53306d-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "NVIDIA-vComputeServer",
      "feature_version": "9.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "be533228-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "NVIDIA-vComputeServer NLS Metered",
      "feature_version": "9.0",
      "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "be5332f6-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "NVAIE_Licensing",
      "feature_version": "1.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 3
    },
    {
      "xid": "15ff4f16-57a8-4593-93ec-58352a256f12",
      "product_fulfillment_xid": "eb2d39a4-6370-4464-8a6a-ec3f42c69cb5",
      "feature_identifier": "GRID-vGaming-NLS-Metered",
      "feature_version": "8.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 3
    },
    {
      "xid": "0c1552ca-3ef8-11ed-9fa6-061a22468b59",
      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "vGaming_Flexera_License",
      "feature_version": "0.1",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "31c3be8c-5c0a-11ed-9fa6-061a22468b59",
      "product_fulfillment_xid": "c4284597-5c09-11ed-9fa6-061a22468b59",
      "feature_identifier": "OVE_Licensing",
      "feature_version": "1.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    },
    {
      "xid": "6caeb4cf-360f-11ee-b67d-02f279bf2bff",
      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "NVAIE_Licensing",
      "feature_version": "2.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 4
    },
    {
      "xid": "7fb1d01d-3f0e-11ed-9fa6-061a22468b59",
      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "vGaming_FB_License",
      "feature_version": "0.1",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "8eabcb08-3f0e-11ed-9fa6-061a22468b59",
      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "vGaming_FB_License",
      "feature_version": "0.1",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 2
    },
    {
      "xid": "a1dfe741-3e49-11ed-9fa6-061a22468b59",
      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "vGaming_Flexera_License",
      "feature_version": "0.1",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "be53286a-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be276ff0-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-vGaming-NLS-Metered",
      "feature_version": "8.0",
      "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE",
      "evaluation_order_index": 3
    },
    {
      "xid": "be532fb2-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be2772c8-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "GRID-vGaming-NLS-Metered",
      "feature_version": "8.0",
      "license_type_identifier": "CONCURRENT_UNCOUNTED_SINGLE",
      "evaluation_order_index": 3
    },
    {
      "xid": "be533144-2cdb-11ec-9838-061a22468b59",
      "product_fulfillment_xid": "be277379-2cdb-11ec-9838-061a22468b59",
      "feature_identifier": "Quadro-Virtual-DWS",
      "feature_version": "0.0",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 1
    },
    {
      "xid": "bf105e18-0c26-11ef-b3b6-371045c70906",
      "product_fulfillment_xid": "9e162d3c-0c26-11ef-b3b6-371045c70906",
      "feature_identifier": "vGaming_Flexera_License",
      "feature_version": "0.1",
      "license_type_identifier": "CONCURRENT_COUNTED_SINGLE",
      "evaluation_order_index": 0
    }
  ]
 }
--- a/app/util.py
+++ b/app/util.py
@ -1,17 +1,9 @@
 import logging
-from datetime import datetime, UTC, timedelta
+from json import load as json_load
 from json import loads as json_loads
 from os.path import join, dirname, isfile
-from cryptography import x509
+from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat._oid import NameOID
 from cryptography.hazmat.primitives import serialization, hashes
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key
 from cryptography.hazmat.primitives.hashes import SHA256
 from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
 from cryptography.x509 import load_pem_x509_certificate, Certificate
 logging.basicConfig()
@ -24,193 +16,6 @@ def load_file(filename: str) -> bytes:
    return content
 class CASetup:
    ###
    #
    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
    #
    ###
    ROOT_PRIVATE_KEY_FILENAME = 'root_private_key.pem'
    ROOT_CERTIFICATE_FILENAME = 'root_certificate.pem'
    CA_PRIVATE_KEY_FILENAME = 'ca_private_key.pem'
    CA_CERTIFICATE_FILENAME = 'ca_certificate.pem'
    SI_PRIVATE_KEY_FILENAME = 'si_private_key.pem'
    SI_CERTIFICATE_FILENAME = 'si_certificate.pem'
    def __init__(self, service_instance_ref: str):
        self.service_instance_ref = service_instance_ref
        self.root_private_key_filename = join(dirname(__file__), 'cert', CASetup.ROOT_PRIVATE_KEY_FILENAME)
        self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME)
        self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME)
        self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME)
        self.si_private_key_filename = join(dirname(__file__), 'cert', CASetup.SI_PRIVATE_KEY_FILENAME)
        self.si_certificate_filename = join(dirname(__file__), 'cert', CASetup.SI_CERTIFICATE_FILENAME)
        if not (isfile(self.root_private_key_filename)
                and isfile(self.root_certificate_filename)
                and isfile(self.ca_private_key_filename)
                and isfile(self.ca_certificate_filename)
                and isfile(self.si_private_key_filename)
                and isfile(self.si_certificate_filename)):
            self.init_config_token_demo()
    def init_config_token_demo(self):
        """ Create Root Key and Certificate """
        # create root keypair
        my_root_private_key = generate_private_key(public_exponent=65537, key_size=4096)
        my_root_public_key = my_root_private_key.public_key()
        # create root-certificate subject
        my_root_subject = x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Root CA'),
        ])
        # create self-signed root-certificate
        my_root_certificate = (
            x509.CertificateBuilder()
            .subject_name(my_root_subject)
            .issuer_name(my_root_subject)
            .public_key(my_root_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_root_public_key), critical=False)
            .sign(my_root_private_key, hashes.SHA256()))
        my_root_private_key_as_pem = my_root_private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
        with open(self.root_private_key_filename, 'wb') as f:
            f.write(my_root_private_key_as_pem)
        with open(self.root_certificate_filename, 'wb') as f:
            f.write(my_root_certificate.public_bytes(encoding=Encoding.PEM))
        """ Create CA (Intermediate) Key and Certificate """
        # create ca keypair
        my_ca_private_key = generate_private_key(public_exponent=65537, key_size=4096)
        my_ca_public_key = my_ca_private_key.public_key()
        # create ca-certificate subject
        my_ca_subject = x509.Name([
            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Nvidia'),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Nvidia Licensing Service (NLS)'),
            x509.NameAttribute(NameOID.COMMON_NAME, u'NLS Intermediate CA'),
        ])
        # create self-signed ca-certificate
        my_ca_certificate = (
            x509.CertificateBuilder()
            .subject_name(my_ca_subject)
            .issuer_name(my_root_subject)
            .public_key(my_ca_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=False,
                key_encipherment=False,
                key_cert_sign=True,
                key_agreement=False,
                content_commitment=False,
                data_encipherment=False,
                crl_sign=True,
                encipher_only=False,
                decipher_only=False),
                critical=True
            )
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_ca_public_key), critical=False)
            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_root_public_key), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
                my_root_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            ), critical=False)
            .sign(my_root_private_key, hashes.SHA256()))
        my_ca_private_key_as_pem = my_ca_private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
        with open(self.ca_private_key_filename, 'wb') as f:
            f.write(my_ca_private_key_as_pem)
        with open(self.ca_certificate_filename, 'wb') as f:
            f.write(my_ca_certificate.public_bytes(encoding=Encoding.PEM))
        """ Create Service-Instance Key and Certificate """
        # create si keypair
        my_si_private_key = generate_private_key(public_exponent=65537, key_size=2048)
        my_si_public_key = my_si_private_key.public_key()
        my_si_private_key_as_pem = my_si_private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
        my_si_public_key_as_pem = my_si_public_key.public_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo,
        )
        with open(self.si_private_key_filename, 'wb') as f:
            f.write(my_si_private_key_as_pem)
        # with open(self.si_public_key_filename, 'wb') as f:
        #    f.write(my_si_public_key_as_pem)
        # create si-certificate subject
        my_si_subject = x509.Name([
            # x509.NameAttribute(NameOID.COMMON_NAME, INSTANCE_REF),
            x509.NameAttribute(NameOID.COMMON_NAME, self.service_instance_ref),
        ])
        # create self-signed si-certificate
        my_si_certificate = (
            x509.CertificateBuilder()
            .subject_name(my_si_subject)
            .issuer_name(my_ca_subject)
            .public_key(my_si_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(datetime.now(tz=UTC) - timedelta(days=1))
            .not_valid_after(datetime.now(tz=UTC) + timedelta(days=365 * 10))
            .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, key_cert_sign=False,
                                         key_agreement=True, content_commitment=False, data_encipherment=False,
                                         crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.ExtendedKeyUsage([
                x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
                x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH]
            ), critical=False)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(my_si_public_key), critical=False)
            # .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(my_ca_public_key), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
                my_ca_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            ), critical=False)
            .add_extension(x509.SubjectAlternativeName([
                # x509.DNSName(INSTANCE_REF)
                x509.DNSName(self.service_instance_ref)
            ]), critical=False)
            .sign(my_ca_private_key, hashes.SHA256()))
        with open(self.si_certificate_filename, 'wb') as f:
            f.write(my_si_certificate.public_bytes(encoding=Encoding.PEM))
 class PrivateKey:
    def __init__(self, data: bytes):
@ -243,9 +48,6 @@ class PrivateKey:
        )
        return PublicKey(data=data)
    def generate_signature(self, data: bytes) -> bytes:
        return self.__key.sign(data=data, padding=PKCS1v15(), algorithm=SHA256())
    @staticmethod
    def generate(public_exponent: int = 65537, key_size: int = 2048) -> "PrivateKey":
        log = logging.getLogger(__name__)
@ -283,47 +85,6 @@ class PublicKey:
            format=serialization.PublicFormat.SubjectPublicKeyInfo
        )
    def mod(self) -> str:
        return hex(self.__key.public_numbers().n)[2:]
    def exp(self):
        return int(self.__key.public_numbers().e)
    def verify_signature(self, signature: bytes, data: bytes) -> None:
        self.__key.verify(signature=signature, data=data, padding=PKCS1v15(), algorithm=SHA256())
 class Cert:
    def __init__(self, data: bytes):
        self.__cert = load_pem_x509_certificate(data)
    @staticmethod
    def from_file(filename: str) -> "Cert":
        log = logging.getLogger(__name__)
        log.debug(f'Importing Certificate from "{filename}"')
        with open(filename, 'rb') as f:
            data = f.read()
        return Cert(data=data.strip())
    def raw(self) -> Certificate:
        return self.__cert
    def pem(self) -> bytes:
        return self.__cert.public_bytes(encoding=serialization.Encoding.PEM)
    def signature(self) -> bytes:
        return self.__cert.signature
 def load_file(filename: str) -> bytes:
    log = logging.getLogger(f'{__name__}')
    log.debug(f'Loading contents of file "{filename}')
    with open(filename, 'rb') as file:
        content = file.read()
    return content
 class DriverMatrix:
    __DRIVER_MATRIX_FILENAME = 'static/driver_matrix.json'
@ -337,8 +98,9 @@ class DriverMatrix:
    def __load(self):
        try:
-            with open(DriverMatrix.__DRIVER_MATRIX_FILENAME, 'r') as f:
+            file = open(DriverMatrix.__DRIVER_MATRIX_FILENAME)
-                DriverMatrix.__DRIVER_MATRIX = json_loads(f.read())
+            DriverMatrix.__DRIVER_MATRIX = json_load(file)
            file.close()
            self.log.debug(f'Successfully loaded "{DriverMatrix.__DRIVER_MATRIX_FILENAME}".')
        except Exception as e:
            DriverMatrix.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
@ -368,34 +130,3 @@ class DriverMatrix:
                        'is_latest': is_latest,
                    }
        return None
 class ProductMapping:
    def __init__(self, filename: str):
        with open(filename, 'r') as file:
            self.data = json_loads(file.read())
    def get_feature_name(self, product_name: str) -> (str, str):
        product = self.__get_product(product_name)
        product_fulfillment = self.__get_product_fulfillment(product.get('xid'))
        feature = self.__get_product_fulfillment_feature(product_fulfillment.get('xid'))
        return feature.get('feature_identifier')
    def __get_product(self, product_name: str):
        product_list = self.data.get('product')
        return next(filter(lambda _: _.get('identifier') == product_name, product_list))
    def __get_product_fulfillment(self, product_xid: str):
        product_fulfillment_list = self.data.get('product_fulfillment')
        return next(filter(lambda _: _.get('product_xid') == product_xid, product_fulfillment_list))
    def __get_product_fulfillment_feature(self, product_fulfillment_xid: str):
        feature_list = self.data.get('product_fulfillment_feature')
        features = list(filter(lambda _: _.get('product_fulfillment_xid') == product_fulfillment_xid, feature_list))
        features.sort(key=lambda _: _.get('evaluation_order_index'))
        return features[0]
--- a/examples/docker-compose-http-and-https.yml
+++ b/examples/docker-compose-http-and-https.yml
@ -15,7 +15,7 @@ services:
      <<: *dls-variables
    volumes:
      - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/app/cert
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
      - db:/app/database
    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
    healthcheck:
--- a/test/main.py
+++ b/test/main.py
@ -1,13 +1,13 @@
 import json
 import sys
 from base64 import b64encode as b64enc
 from calendar import timegm
 from datetime import datetime, UTC
 from hashlib import sha256
 from os.path import dirname, join
 from uuid import uuid4, UUID
 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk, jws
+from jose import jwt, jwk
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
@ -16,24 +16,20 @@ sys.path.append('../')
 sys.path.append('../app')
 from app import main
-from util import CASetup, PrivateKey, PublicKey, Cert
+from util import PrivateKey, PublicKey
 client = TestClient(main.app)
 # Instance
 INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
 ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
-# CA & Signing
+# INSTANCE_KEY_RSA = generate_key()
-ca_setup = CASetup(service_instance_ref=INSTANCE_REF)
+# INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key()
 my_root_certificate = Cert.from_file(ca_setup.root_certificate_filename)
 my_si_private_key = PrivateKey.from_file(ca_setup.si_private_key_filename)
 my_si_private_key_as_pem = my_si_private_key.pem()
 my_si_public_key = my_si_private_key.public_key()
 my_si_public_key_as_pem = my_si_private_key.public_key().pem()
-jwt_encode_key = jwk.construct(my_si_private_key_as_pem, algorithm=ALGORITHMS.RS256)
+INSTANCE_KEY_RSA = PrivateKey.from_file(str(join(dirname(__file__), '../app/cert/instance.private.pem')))
-jwt_decode_key = jwk.construct(my_si_public_key_as_pem, algorithm=ALGORITHMS.RS256)
+INSTANCE_KEY_PUB = PublicKey.from_file(str(join(dirname(__file__), '../app/cert/instance.public.pem')))
 jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256)
 jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256)
 def __bearer_token(origin_ref: str) -> str:
@ -42,23 +38,6 @@ def __bearer_token(origin_ref: str) -> str:
    return token
 def test_signing():
    signature_set_header = my_si_private_key.generate_signature(b'Hello')
    # test plain
    my_si_public_key.verify_signature(signature_set_header, b'Hello')
    # test "X-NLS-Signature: b'....'
    x_nls_signature_header_value = f'{signature_set_header.hex().encode()}'
    assert f'{x_nls_signature_header_value}'.startswith('b\'')
    assert f'{x_nls_signature_header_value}'.endswith('\'')
    # test eval
    signature_get_header = eval(x_nls_signature_header_value)
    signature_get_header = bytes.fromhex(signature_get_header.decode('ascii'))
    my_si_public_key.verify_signature(signature_get_header, b'Hello')
 def test_index():
    response = client.get('/')
    assert response.status_code == 200
@ -75,12 +54,6 @@ def test_config():
    assert response.status_code == 200
 def test_config_root_ca():
    response = client.get('/-/config/root-ca')
    assert response.status_code == 200
    assert response.content.decode('utf-8') == my_root_certificate.pem().decode('utf-8')
 def test_readme():
    response = client.get('/-/readme')
    assert response.status_code == 200
@ -96,31 +69,6 @@ def test_client_token():
    assert response.status_code == 200
 def test_config_token():
    # https://git.collinwebdesigns.de/nvidia/nls/-/blob/main/src/test/test_config_token.py
    response = client.post('/leasing/v1/config-token', json={"service_instance_ref": INSTANCE_REF})
    assert response.status_code == 200
    nv_response_certificate_configuration = response.json().get('certificateConfiguration')
    nv_response_public_cert = nv_response_certificate_configuration.get('publicCert').encode('utf-8')
    nv_jwt_decode_key = jwk.construct(nv_response_public_cert, algorithm=ALGORITHMS.RS256)
    nv_response_config_token = response.json().get('configToken')
    payload = jws.verify(nv_response_config_token, key=nv_jwt_decode_key, algorithms=ALGORITHMS.RS256)
    payload = json.loads(payload)
    assert payload.get('iss') == 'NLS Service Instance'
    assert payload.get('aud') == 'NLS Licensed Client'
    assert payload.get('service_instance_ref') == INSTANCE_REF
    nv_si_public_key_configuration = payload.get('service_instance_public_key_configuration')
    nv_si_public_key_me = nv_si_public_key_configuration.get('service_instance_public_key_me')
    # assert nv_si_public_key_me.get('mod') == 1  #nv_si_public_key_mod
    assert len(nv_si_public_key_me.get('mod')) == 512
    assert nv_si_public_key_me.get('exp') == 65537  # nv_si_public_key_exp
 def test_origins():
    pass
@ -220,13 +168,12 @@ def test_auth_v1_token():
 def test_leasing_v1_lessor():
    payload = {
        'client_challenge': 'my_unique_string',
        'fulfillment_context': {
            'fulfillment_class_ref_list': []
        },
        'lease_proposal_list': [{
            'license_type_qualifiers': {'count': 1},
-            'product': {'name': 'NVIDIA Virtual Applications'}
+            'product': {'name': 'NVIDIA RTX Virtual Workstation'}
        }],
        'proposal_evaluation_mode': 'ALL_OF',
        'scope_ref_list': [ALLOTMENT_REF]
@ -235,21 +182,10 @@ def test_leasing_v1_lessor():
    response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200
    client_challenge = response.json().get('client_challenge')
    assert client_challenge == payload.get('client_challenge')
    signature = eval(response.headers.get('X-NLS-Signature'))
    assert len(signature) == 512
    signature = bytes.fromhex(signature.decode('ascii'))
    assert len(signature) == 256
    my_si_public_key.verify_signature(signature, response.content)
    lease_result_list = response.json().get('lease_result_list')
    assert len(lease_result_list) == 1
    assert len(lease_result_list[0]['lease']['ref']) == 36
    assert str(UUID(lease_result_list[0]['lease']['ref'])) == lease_result_list[0]['lease']['ref']
    assert lease_result_list[0]['lease']['product_name'] == 'NVIDIA Virtual Applications'
    assert lease_result_list[0]['lease']['feature_name'] == 'GRID-Virtual-Apps'
 def test_leasing_v1_lessor_lease():
@ -269,18 +205,9 @@ def test_leasing_v1_lease_renew():
    ###
-    payload = {'client_challenge': 'my_unique_string'}
+    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200
    client_challenge = response.json().get('client_challenge')
    assert client_challenge == payload.get('client_challenge')
    signature = eval(response.headers.get('X-NLS-Signature'))
    assert len(signature) == 512
    signature = bytes.fromhex(signature.decode('ascii'))
    assert len(signature) == 256
    my_si_public_key.verify_signature(signature, response.content)
    lease_ref = response.json().get('lease_ref')
    assert len(lease_ref) == 36
    assert lease_ref == active_lease_ref
@ -309,7 +236,7 @@ def test_leasing_v1_lessor_lease_remove():
        },
        'lease_proposal_list': [{
            'license_type_qualifiers': {'count': 1},
-            'product': {'name': 'NVIDIA Virtual Applications'}
+            'product': {'name': 'NVIDIA RTX Virtual Workstation'}
        }],
        'proposal_evaluation_mode': 'ALL_OF',
        'scope_ref_list': [ALLOTMENT_REF]