From 924550f97d371c7cfd9b8dc4de588e65bd5ea5db Mon Sep 17 00:00:00 2001
From: Jakob Schlyter
Date: Tue, 17 Dec 2024 16:09:37 +0100
Subject: [PATCH 1/2] serialize once
---
 nodeman/client.py | 4 ++--
 nodeman/nodes.py | 6 ++++--
 tests/test_api.py | 10 +++++-----
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/nodeman/client.py b/nodeman/client.py
index 9fe31bd..c69c4ca 100644
--- a/nodeman/client.py
+++ b/nodeman/client.py
@@ -38,7 +38,7 @@ def enroll(name: str, server: str, hmac_key: JWK, data_key: JWK, x509_key: Priva
 jws = JWS(payload=jws_payload)
 jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
 jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
- enrollment_request = jws.serialize()
+ enrollment_request = json.loads(jws.serialize())
 url = urljoin(server, f"/api/v1/node/{name}/enroll")
@@ -71,7 +71,7 @@ def renew(name: str, server: str, data_key: JWK, x509_key: PrivateKey) -> NodeCe
 jws = JWS(payload=jws_payload)
 jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
- renewal_request = jws.serialize()
+ renewal_request = json.loads(jws.serialize())
 url = urljoin(server, f"/api/v1/node/{name}/renew")
 try:
diff --git a/nodeman/nodes.py b/nodeman/nodes.py
index 91c2253..cf413ab 100644
--- a/nodeman/nodes.py
+++ b/nodeman/nodes.py
@@ -223,7 +223,7 @@ async def enroll_node(
 with tracer.start_as_current_span("verify_jws"):
 jws = JWS()
- jws.deserialize(json.loads(body.decode()))
+ jws.deserialize(body.decode())
 # Verify signature by HMAC key
 try:
@@ -297,8 +297,10 @@ async def renew_node(
 with tracer.start_as_current_span("verify_jws"):
 jws = JWS()
- jws.deserialize(json.loads(body.decode()))
+ jws.deserialize(body.decode())
+ public_key = JWK(**node.public_key)
+
 # Verify signature by public data key
 try:
 jws.verify(key=public_key)
diff --git a/tests/test_api.py b/tests/test_api.py
index 5d400c9..2bc4995 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
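Review bot: `enrollment_request = json.loads(jws.serialize())` parses the JSON serialization only so the HTTP layer can encode it again, and nothing says why that round trip is safe; a comment such as `# JWS integrity covers the protected header and payload segments, not the JSON envelope, so re-encoding it is harmless` would save the next reader the check. The same pattern appears in the renew() hunk at -71 and in every tests/test_api.py hunk. If the call that sends the request (outside this hunk) accepts a raw body, posting `data=jws.serialize()` with `Content-Type: application/json` set would avoid the decode/re-encode altogether. Both enroll() and renew() continue outside their hunks.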
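Review bot: `jws.deserialize(body.decode())` now hands the raw request body straight to the JWS parser, and the only `try:` visible in the hunk wraps the later signature verification, so a body that is not valid UTF-8 (`UnicodeDecodeError`) or not a well-formed JWS (`InvalidJWSObject`, assuming JWS is jwcrypto's) would surface as an unhandled exception rather than a client error unless a handler outside the hunk catches it. Wrapping the line as `try: jws.deserialize(body.decode())` / `except (UnicodeDecodeError, InvalidJWSObject):` and returning the 400 response the file uses elsewhere keeps malformed enrollment input from turning into a 500. The same line is changed in the renew_node hunk at -297, where the same guard applies. enroll_node's body starts and ends outside the hunk.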
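Review bot: `public_key = JWK(**node.public_key)` builds the verification key from the stored node record right before `jws.verify(key=public_key)` with no guard on the record: if `node.public_key` can be `None` for a node that has not completed enrollment, the `**` expansion raises `TypeError`, and a malformed stored key raises from JWK construction, both surfacing as server errors rather than a 401. A short guard before the line, `if not node.public_key: <return the 401 response used below>`, would make that path explicit. If `public_key` was already bound earlier in renew_node (outside the hunk), the new line duplicates it and one of the two should go. Verification trusts the `alg` the sender placed in the protected header; if the record keeps the algorithm the node enrolled with, passing it as `alg=` to `verify` pins it. renew_node's body starts and ends outside the hunk.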
@@ -101,7 +101,7 @@ def _test_enroll(data_key: JWK, x509_key: PrivateKey, requested_name: str | None
 jws = JWS(payload=json.dumps(payload))
 jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
 jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
- enrollment_request = jws.serialize()
+ enrollment_request = json.loads(jws.serialize())
 node_enroll_url = f"{node_url}/enroll"
@@ -160,7 +160,7 @@ def _test_enroll(data_key: JWK, x509_key: PrivateKey, requested_name: str | None
 jws = JWS(payload=json.dumps(payload))
 jws.add_signature(key=rekey(data_key), alg=data_alg, protected={"alg": data_alg})
- renew_request = jws.serialize()
+ renew_request = json.loads(jws.serialize())
 response = client.post(f"{node_url}/renew", json=renew_request)
 assert response.status_code == status.HTTP_401_UNAUTHORIZED
@@ -176,7 +176,7 @@ def _test_enroll(data_key: JWK, x509_key: PrivateKey, requested_name: str | None
 jws = JWS(payload=json.dumps(payload))
 jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
- renew_request = jws.serialize()
+ renew_request = json.loads(jws.serialize())
 response = client.post(f"{node_url}/renew", json=renew_request)
 assert response.status_code == status.HTTP_200_OK
@@ -280,7 +280,7 @@ def test_enroll_bad_hmac_signature() -> None:
 jws = JWS(payload=json.dumps(payload))
 jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
 jws.add_signature(key=data_key, alg=data_alg, protected={"alg": data_alg})
- enrollment_request = jws.serialize()
+ enrollment_request = json.loads(jws.serialize())
 url = urljoin(server, f"/api/v1/node/{name}/enroll")
 response = client.post(url, json=enrollment_request)
@@ -328,7 +328,7 @@ def test_enroll_bad_data_signature() -> None:
 jws = JWS(payload=json.dumps(payload))
 jws.add_signature(key=hmac_key, alg=hmac_alg, protected={"alg": hmac_alg})
 jws.add_signature(key=bad_data_key, alg=data_alg, protected={"alg": data_alg})
- enrollment_request = jws.serialize()
+ enrollment_request = json.loads(jws.serialize())
 url = urljoin(server, f"/api/v1/node/{name}/enroll")
 response = client.post(url, json=enrollment_request)
From 0255f847d4d58d466fd4b1c692d0d3f32bc61df7 Mon Sep 17 00:00:00 2001
From: Jakob Schlyter
Date: Tue, 17 Dec 2024 16:09:41 +0100
Subject: [PATCH 2/2] debug
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 5093fe7..936a8c0 100644
--- a/Makefile
+++ b/Makefile
@@ -38,14 +38,14 @@ test-client: test-client-enroll test-client-renew
 test-client-enroll:
 rm -f tls.crt tls-ca.crt tls.key data.json
- NODEMAN_USERNAME=username NODEMAN_PASSWORD=password poetry run nodeman_client enroll --create
+ NODEMAN_USERNAME=username NODEMAN_PASSWORD=password poetry run nodeman_client --debug enroll --create
 step crypto jwk public < data.json
 step certificate inspect tls.crt
 step certificate inspect tls-ca.crt
 test-client-renew:
 rm -f tls.crt tls-ca.crt tls.key
- poetry run nodeman_client renew
+ poetry run nodeman_client --debug renew
 step crypto jwk public < data.json
 step certificate inspect tls.crt
 step certificate inspect tls-ca.crt
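Review bot: Both recipes now run the client with `--debug` unconditionally, under a commit titled only "debug", which reads like a diagnostic left in rather than an intended change to the test targets. If `--debug` makes the client log request bodies or key material (not visible here), every run of `test-client-enroll` and `test-client-renew` would write it to the build log next to the `NODEMAN_PASSWORD=password` already on the command line. Making it opt-in keeps the default quiet: `NODEMAN_CLIENT_FLAGS ?=` near the top of the Makefile, then `poetry run nodeman_client $(NODEMAN_CLIENT_FLAGS) enroll --create` and `poetry run nodeman_client $(NODEMAN_CLIENT_FLAGS) renew` in the two recipes.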