feat: X.509 self signed certificate now uses ENV vars and settings file

docs/NOTES_ON_KEYS.md

@@ -0,0 +1,17 @@
+# here some trials to have a publick raw key usable in phdr or uhdr
+# but, again, it seems that only x509 works for COSE Sign1
+
+```
+ckey = COSEKey.from_bytes(self.private_key.encode())
+pubkey = ckey.key.public_key()
+self.public_key = CoseKey(
+crv=COSEKEY_HAZMAT_CRV_MAP[pubkey.curve.name],
+x=pubkey.public_numbers().x.to_bytes(32, 'big')
+)
+
+self.public_key = COSEKey(
+crv=self.private_key.crv,
+x=self.private_key.x,
+y=self.private_key.y
+)
+```

pymdoccbor/__init__.py

@@ -1 +1 @@
-__version__ = "0.5.3"
+__version__ = "0.5.4"

pymdoccbor/mso/issuer.py

@@ -120,7 +120,9 @@ def sign(
                 'validUntil': cbor2.dumps(cbor2.CBORTag(0, self.format_datetime_repr(exp)))
             }
         }
-
+
+        _cert = settings.X509_DER_CERT or self.selfsigned_x509cert()
+
         mso = Sign1Message(
             phdr={
                 Algorithm: self.private_key.alg,
@@ -130,7 +132,7 @@ def sign(
             # TODO: x509 (cbor2.CBORTag(33)) and federation trust_chain support (cbor2.CBORTag(27?)) here
             # 33 means x509chain standing to rfc9360
             # in both protected and unprotected for interop purpose .. for now.
-            uhdr={33: self.selfsigned_x509cert()},
+            uhdr={33: _cert},
             payload=cbor2.dumps(payload)
         )
         mso.key = self.private_key

pymdoccbor/settings.py

@@ -1,3 +1,4 @@
+import datetime
 import os
 
 COSEKEY_HAZMAT_CRV_MAP = {
@@ -18,3 +19,30 @@
 }
 
 DIGEST_SALT_LENGTH = 32
+
+
+X509_DER_CERT = os.getenv('X509_DER_CERT', None)
+
+# OR
+
+X509_COUNTRY_NAME           = os.getenv('X509_COUNTRY_NAME', u"US")
+X509_STATE_OR_PROVINCE_NAME = os.getenv('X509_STATE_OR_PROVINCE_NAME', u"California")
+X509_LOCALITY_NAME          = os.getenv('X509_LOCALITY_NAME', u"San Francisco")
+X509_ORGANIZATION_NAME      = os.getenv('X509_ORGANIZATION_NAME', u"My Company")
+X509_COMMON_NAME            = os.getenv('X509_COMMON_NAME', u"mysite.com")
+
+X509_NOT_VALID_BEFORE       = os.getenv('X509_NOT_VALID_BEFORE', datetime.datetime.utcnow())
+X509_NOT_VALID_AFTER_DAYS   = os.getenv('X509_NOT_VALID_AFTER_DAYS', 10)
+X509_NOT_VALID_AFTER        = os.getenv(
+    'X509_NOT_VALID_AFTER', 
+    datetime.datetime.utcnow() + datetime.timedelta(
+        days=X509_NOT_VALID_AFTER_DAYS
+    )
+)
+
+X509_SAN_URL = os.getenv(
+    'X509_SAN_URL', u"https://credential-issuer.oidc-federation.online"
+)
+
+
+

pymdoccbor/x509.py

@@ -1,25 +1,29 @@
 import datetime
+import os
 
 from cwt import COSEKey
 
 from cryptography import x509
 from cryptography.x509.oid import NameOID
 from cryptography.hazmat.primitives import hashes, serialization
 
+from . import settings
+
 
 class MsoX509Fabric:
 
     def selfsigned_x509cert(self, encoding: str = "DER"):
-
-        # TODO: make this dynamic
+        """
+            returns an X.509 certificate derived from the private key of the MSO Issuer
+        """
         ckey = COSEKey.from_bytes(self.private_key.encode())
 
         subject = issuer = x509.Name([
-            x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
-            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
-            x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
-            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
-            x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
+            x509.NameAttribute(NameOID.COUNTRY_NAME, settings.X509_COUNTRY_NAME),
+            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, settings.X509_STATE_OR_PROVINCE_NAME),
+            x509.NameAttribute(NameOID.LOCALITY_NAME, settings.X509_LOCALITY_NAME),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, settings.X509_ORGANIZATION_NAME),
+            x509.NameAttribute(NameOID.COMMON_NAME, settings.X509_COMMON_NAME),
         ])
         cert = x509.CertificateBuilder().subject_name(
             subject
@@ -30,16 +34,14 @@ def selfsigned_x509cert(self, encoding: str = "DER"):
         ).serial_number(
             x509.random_serial_number()
         ).not_valid_before(
-            datetime.datetime.utcnow()
+            settings.X509_NOT_VALID_BEFORE
         ).not_valid_after(
-            # Our certificate will be valid for .. TODO:
-            # see settings.PYMDOC_EXP_DELTA_HOURS
-            datetime.datetime.utcnow() + datetime.timedelta(days=10)
+            settings.X509_NOT_VALID_AFTER
         ).add_extension(
             x509.SubjectAlternativeName(
                 [
                     x509.UniformResourceIdentifier(
-                        u"https://credential-issuer.oidc-federation.online"
+                        settings.X509_SAN_URL
                     )
                 ]
             ),
@@ -53,21 +55,3 @@ def selfsigned_x509cert(self, encoding: str = "DER"):
             return cert.public_bytes(
                 getattr(serialization.Encoding, encoding)
             )
-
-    def trials(self):
-        # here some desperated trials to have a publick raw key usable in phdr or uhdr
-        # but, again, it seems that only x509 works for COSE Sign1
-
-        #  ckey = COSEKey.from_bytes(self.private_key.encode())
-        #  pubkey = ckey.key.public_key()
-        #  self.public_key = CoseKey(
-        #  crv=COSEKEY_HAZMAT_CRV_MAP[pubkey.curve.name],
-        #  x=pubkey.public_numbers().x.to_bytes(32, 'big')
-        #  )
-        #
-        #  self.public_key = COSEKey(
-        #  crv=self.private_key.crv,
-        #  x=self.private_key.x,
-        #  y=self.private_key.y
-        #  )
-        pass