diff --git a/Makefile b/Makefile
index 2ac7d65..7bb0092 100644
--- a/Makefile
+++ b/Makefile
@@ -38,14 +38,14 @@ test-client: test-client-enroll test-client-renew
 
 test-client-enroll:
 	rm -f tls.crt tls-ca.crt tls.key data.json
-	NODEMAN_USERNAME=username NODEMAN_PASSWORD=password poetry run nodeman_client enroll --create
+	NODEMAN_USERNAME=username NODEMAN_PASSWORD=password poetry run nodeman_client --debug enroll --create
 	step crypto jwk public < data.json
 	step certificate inspect tls.crt
 	step certificate inspect tls-ca.crt
 
 test-client-renew:
 	rm -f tls.crt tls-ca.crt tls.key
-	poetry run nodeman_client renew
+	poetry run nodeman_client --debug renew
 	step crypto jwk public < data.json
 	step certificate inspect tls.crt
 	step certificate inspect tls-ca.crt
diff --git a/nodeman/client.py b/nodeman/client.py
index 8473ac0..b12eef0 100644
--- a/nodeman/client.py
+++ b/nodeman/client.py
@@ -38,7 +38,7 @@ def enroll(name: str, server: str, hmac_key: JWK, data_key: JWK, x509_key: Priva
     jws = JWS(payload=jws_payload)
     jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
     jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
-    enrollment_request = jws.serialize()
+    enrollment_request = json.loads(jws.serialize())
 
     url = urljoin(server, f"/api/v1/node/{name}/enroll")
 
@@ -71,7 +71,7 @@ def renew(name: str, server: str, data_key: JWK, x509_key: PrivateKey) -> NodeCe
 
     jws = JWS(payload=jws_payload)
     jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
-    renewal_request = jws.serialize()
+    renewal_request = json.loads(jws.serialize())
 
     url = urljoin(server, f"/api/v1/node/{name}/renew")
     try:
diff --git a/nodeman/nodes.py b/nodeman/nodes.py
index 91c2253..cf413ab 100644
--- a/nodeman/nodes.py
+++ b/nodeman/nodes.py
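Review bot: Both recipes now run the client with `--debug` while `NODEMAN_USERNAME`/`NODEMAN_PASSWORD` are set inline on the same command line, and the enroll run also holds the HMAC and data key material; if the client's debug logging prints request headers or key contents, that ends up in CI and terminal logs for every test run. The logging configuration is not visible from here, so confirm that secrets are redacted at debug level before `--debug` stays in the default test targets, or keep it behind a variable such as `NODEMAN_CLIENT_FLAGS ?=` that developers set locally.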
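Review bot: `enrollment_request = json.loads(jws.serialize())` turns the JWS into a dict, which is only correct if the HTTP call further down sends it with the client's `json=` argument (as tests/test_api.py does); that call is outside the hunk, so confirm it was switched from a string body, otherwise the server's `jws.deserialize(body.decode())` receives a Python repr and rejects it. The decode/re-encode round-trip is safe for the signature because the signed parts stay base64url strings, but the intent deserves a comment, e.g. `# JWS general serialization (JSON), decoded so it is posted as a JSON body`. The renew hunk below makes the identical change to `renewal_request`. Both enroll and renew continue outside their hunks.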
@@ -223,7 +223,7 @@ async def enroll_node(
 
     with tracer.start_as_current_span("verify_jws"):
         jws = JWS()
-        jws.deserialize(json.loads(body.decode()))
+        jws.deserialize(body.decode())
 
         # Verify signature by HMAC key
         try:
@@ -297,8 +297,10 @@ async def renew_node(
 
     with tracer.start_as_current_span("verify_jws"):
         jws = JWS()
-        jws.deserialize(json.loads(body.decode()))
+        jws.deserialize(body.decode())
 
+        public_key = JWK(**node.public_key)
+
         # Verify signature by public data key
         try:
             jws.verify(key=public_key)
diff --git a/tests/test_api.py b/tests/test_api.py
index e3aecca..2df25e3 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -115,7 +115,7 @@ def _test_enroll(data_key: JWK, x509_key: PrivateKey, requested_name: str | None
     jws = JWS(payload=json.dumps(payload))
     jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
     jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
-    enrollment_request = jws.serialize()
+    enrollment_request = json.loads(jws.serialize())
 
     node_enroll_url = f"{node_url}/enroll"
 
@@ -174,7 +174,7 @@ def _test_enroll(data_key: JWK, x509_key: PrivateKey, requested_name: str | None
 
     jws = JWS(payload=json.dumps(payload))
     jws.add_signature(key=rekey(data_key), alg=data_alg, protected={"alg": data_alg})
-    renew_request = jws.serialize()
+    renew_request = json.loads(jws.serialize())
 
     response = client.post(f"{node_url}/renew", json=renew_request)
     assert response.status_code == status.HTTP_401_UNAUTHORIZED
@@ -190,7 +190,7 @@ def _test_enroll(data_key: JWK, x509_key: PrivateKey, requested_name: str | None
 
     jws = JWS(payload=json.dumps(payload))
     jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
-    renew_request = jws.serialize()
+    renew_request = json.loads(jws.serialize())
 
     response = client.post(f"{node_url}/renew", json=renew_request)
     assert response.status_code == status.HTTP_200_OK
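Review bot: `jws.deserialize(body.decode())` now hands the raw request body to jwcrypto, so a body that is not valid UTF-8 or not a well-formed JWS raises (`UnicodeDecodeError`, jwcrypto's `InvalidJWSObject`) before the `try:` that guards `jws.verify`; unless an outer handler outside the hunk maps those to a client error, malformed input will surface as a 500 instead of a 400, and jwcrypto will now also accept the compact serialization, which the old `json.loads` path rejected. The same applies to the enroll_node hunk above; consider moving the deserialize into the existing try (or its own `except (UnicodeDecodeError, InvalidJWSObject):` returning the framework's 400) in both functions. In renew_node, `public_key = JWK(**node.public_key)` is followed by `jws.verify(key=public_key)` with no `alg=`, so the algorithm is taken from the attacker-controlled header; if the node's enrolled algorithm is stored, pinning it with `alg=` is cheap defence in depth. Both enroll_node and renew_node continue outside their hunks.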
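Review bot: The test hunks in `_test_enroll` only follow the happy path through `client.post(..., json=...)`; since nodes.py now lets jwcrypto parse the raw body, a test posting a non-JSON body and one posting a compact-serialized JWS to `/enroll` and `/renew` would pin the status codes the server is expected to return for those inputs (400 rather than 500, and whether compact form is accepted at all). The same mechanical `json.loads(jws.serialize())` change appears again in the test_enroll_bad_hmac_signature and test_enroll_bad_data_signature hunks below. `_test_enroll` continues outside the hunks.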
@@ -294,7 +294,7 @@ def test_enroll_bad_hmac_signature() -> None:
     jws = JWS(payload=json.dumps(payload))
     jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
     jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
-    enrollment_request = jws.serialize()
+    enrollment_request = json.loads(jws.serialize())
 
     url = urljoin(server, f"/api/v1/node/{name}/enroll")
     response = client.post(url, json=enrollment_request)
@@ -342,7 +342,7 @@ def test_enroll_bad_data_signature() -> None:
     jws = JWS(payload=json.dumps(payload))
     jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
     jws.add_signature(key=bad_data_key, alg=data_alg, protected={"alg": data_alg})
-    enrollment_request = jws.serialize()
+    enrollment_request = json.loads(jws.serialize())
 
     url = urljoin(server, f"/api/v1/node/{name}/enroll")
     response = client.post(url, json=enrollment_request)