You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are two caching modes that can be used to store the cryptographic material of the parties involved in the protocol.
8
+
7
9
- update_first: The cryptographic material is fetched using the handler protocol and then stored in the cache.
8
-
If the retrieval fails, the cache is used.
10
+
If the retrieval fails, the cache is used.
9
11
- cache_first: The cryptographic material is fetched using the cache.
10
-
If the cache is empty, the handler protocol is used to retrieve the cryptographic material and then stored in the cache and returned.
12
+
If the cache is empty, the handler protocol is used to retrieve the cryptographic material and then stored in the cache and returned.
11
13
12
14
update_first is the default caching mode.
13
15
You can set the caching mode by setting the variable trust_caching_mode in the configuration file.
@@ -16,10 +18,9 @@ You can set the caching mode by setting the variable trust_caching_mode in the c
16
18
17
19
The main responsibility of the Trust module is to provide cryptographic material, metadata, trust parameters, and revocation status of parties involved in the [OpenID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) protocol. This project includes some default implementations of trust, whose configurations are described below.
18
20
19
-
> [!NOTE]
21
+
> [!NOTE]
20
22
> A trust parameter is a piece of information that can be used to evaluate the trustworthiness of an entity. For example, the trust parameter of an OpenID Federation entity is the [trust chain](https://openid.net/specs/openid-federation-1_0.html#section-4) of the entity.
21
23
22
-
23
24
### Direct Trust for SD-JWT VC
24
25
25
26
The module `pyeudiw.trust.default.direct_trust_sd_jwt_vc` provides a source of direct trust that can be used to validate VP tokens with the format [SD-JWT VC](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-05.html).
@@ -36,8 +37,8 @@ The module `pyeudiw.trust.default.direct_trust_sd_jwt_vc` provides a source of d
36
37
37
38
HTTPC parameters are optional and described below.
| httpc_params.connection | Dictionary that represents a `aiohttp._RequestOptions` used in GET requests |
42
43
| httpc_params.session | Dictionary that represents the keyword arguments of `aiohttp.ClientSession`|
43
44
@@ -47,21 +48,28 @@ Some HTTPC parameters are commonly used, have a default value, and can alternati
47
48
48
49
The module `pyeudiw.trust.handler.federation` provides a source of trusted entities and metadata based on [OpenID Federation](https://openid.net/specs/openid-federation-1_0.html). It is intended to be applicable to Issuers, Holders, and Verifiers. Specifically, for the Verifier (this application), the module can expose verifier metadata at the `.well-known/openid-federation` endpoint.
| config.federation.metadata_type | The type of metadata to use for the federation | openid_credential_verifier |
54
+
| config.federation.authority_hints | The list of authority hints to use for the federation |[http://127.0.0.1:10000]|
55
+
| config.federation.trust_anchors | The list of trust anchors to use for the federation |[http://127.0.0.1:10000]|
56
+
| config.federation.default_sig_alg | The default signature algorithm to use for the federation | RS256 |
58
57
| config.federation.federation_entity_metadata.organization_name | The organization name | IAM Proxy Italia OpenID4VP backend policy_uri, tos_uri, logo_uri |
59
-
| config.federation.federation_entity_metadata.homepage_uri | The URI of the homepage |https://developers.italia.it|
60
-
| config.federation.federation_entity_metadata.policy_uri | The URI of the policy |https://developers.italia.it/policy.html|
61
-
| config.federation.federation_entity_metadata.tos_uri | The URI of the TOS |https://developers.italia.it/tos.html|
62
-
| config.federation.federation_entity_metadata.logo_uri | The URI of the logo |https://developers.italia.it/assets/icons/logo-it.svg|
63
-
| config.federation.federation_jwks | The list of (private) JSON Web Keys for the federation |||
58
+
| config.federation.federation_entity_metadata.homepage_uri | The URI of the homepage |https://developers.italia.it|
59
+
| config.federation.federation_entity_metadata.policy_uri | The URI of the policy |https://developers.italia.it/policy.html|
60
+
| config.federation.federation_entity_metadata.tos_uri | The URI of the TOS |https://developers.italia.it/tos.html|
61
+
| config.federation.federation_entity_metadata.logo_uri | The URI of the logo |https://developers.italia.it/assets/icons/logo-it.svg|
62
+
| config.federation.federation_jwks | The list of (private) JSON Web Keys for the federation ||
64
63
64
+
### X509
65
+
66
+
The module `pyeudiw.trust.handler.x509` provides a source of trusted entities based on X509 chain.
| config.x509.client_id_scheme | The scheme in the client id used in the request | x509_san_dns |
71
+
| config.x509.certificate_authorities | It's a list of trusted certificate authorities composed of dict where the key is the DNS, the URI or the CN of<br />the certificate and the value a x509 certificate in PEM or DER Format. ||
72
+
| config.x509.relying_party_certificate_chains_by_ca | It's an object containing the chain's relative to the certificate authorities listed in certificate_authorities parameter and<br /> must be relative to the RP. In particular leaf certificate's DNS, the URI or the CN must match the client id and <br />must be related to metadata_jwks[0].<br />The certificates can be in PEM or DER Format. ||
65
73
66
74
## Write a Custom Trust Handler Module
67
75
@@ -74,35 +82,35 @@ Every method of the `TrustHandlerInterface` takes a `TrustSource` object as inpu
74
82
To work correctly the TrustHandler must implements the following methods:
75
83
76
84
- extract_and_update_trust_materials:
77
-
This method is called internally from the CombinedTrustEvaluator to extract the trust materials from the entity and update the TrustSource object when the trust information of the entity is not stored in the database or outdated. This method must:
78
-
1. Retrieve the trust materials following the protocol of trustability.
79
-
2. Update the TrustSource object with the trust information of the entity using the provided methods like `add_key` to store a public key or `add_trust_param` to store a trust parameter.
80
-
3. Return the updated TrustSource object.
85
+
This method is called internally from the CombinedTrustEvaluator to extract the trust materials from the entity and update the TrustSource object when the trust information of the entity is not stored in the database or outdated. This method must:
81
86
82
-
- build_metadata_endpoints:
83
-
Expose one or more metadata endpoints required to publish metadata information about the entity, such as public keys, configurations, and policies. These endpoints are attached to a backend named according to the first function argument.
87
+
1. Retrieve the trust materials following the protocol of trustability.
88
+
2. Update the TrustSource object with the trust information of the entity using the provided methods like `add_key` to store a public key or `add_trust_param` to store a trust parameter.
89
+
3. Return the updated TrustSource object.
90
+
- build_metadata_endpoints:
91
+
Expose one or more metadata endpoints required to publish metadata information about the entity, such as public keys, configurations, and policies. These endpoints are attached to a backend named according to the first function argument.
84
92
85
-
The method returns a list of tuples, each containing:
86
-
1. A regex for routing to the endpoint, where the first path must match the backend.
87
-
2. An HTTP handler that provides a response based on the context.
93
+
The method returns a list of tuples, each containing:
88
94
89
-
The `entity_uri` is the full path component of the exposed module, which can also serve as the issuer value when signing tokens. The module is exposed to the web in the pattern `<scheme>://<host>/<base_path>`.
95
+
1. A regex for routing to the endpoint, where the first path must match the backend.
96
+
2. An HTTP handler that provides a response based on the context.
90
97
91
-
The TrustHandler may not have any associated metadata endpoints, in which case an empty list is returned.
98
+
The `entity_uri` is the full path component of the exposed module, which can also serve as the issuer value when signing tokens. The module is exposed to the web in the pattern `<scheme>://<host>/<base_path>`.
92
99
100
+
The TrustHandler may not have any associated metadata endpoints, in which case an empty list is returned.
93
101
- get_metadata:
94
-
This method is called internally from the CombinedTrustEvaluator to retrieve the metadata of the entity. This method must:
95
-
1. Retrieve the metadata of the entity following the protocol of trustability.
96
-
2. Update the TrustSource object with the metadata information of the entity using the provided method `add_metadata` to store the metadata.
97
-
3. Return the updated TrustSource object.
102
+
This method is called internally from the CombinedTrustEvaluator to retrieve the metadata of the entity. This method must:
98
103
104
+
1. Retrieve the metadata of the entity following the protocol of trustability.
105
+
2. Update the TrustSource object with the metadata information of the entity using the provided method `add_metadata` to store the metadata.
106
+
3. Return the updated TrustSource object.
99
107
100
108
Finally, to properly load the custom TrustHandler, the user must define the module in a block under the trust section of the configuration file. The module must contain the following fields:
101
109
102
110
- module: The module path of the TrustHandler.
103
111
- class: The path to the class name of the TrustHandler.
104
112
- config: The configuration parameters of the TrustHandler.
105
-
This field is dynamic and must contain all the parameters required by the TrustHandler to work correctly.
113
+
This field is dynamic and must contain all the parameters required by the TrustHandler to work correctly.
106
114
107
115
The following is an example of the [TrustHandlerInterface](/pyeudiw/trust/handler/interface.py) configuration:
108
116
@@ -121,5 +129,6 @@ The following is an example of the [TrustHandlerInterface](/pyeudiw/trust/handle
121
129
```
122
130
123
131
### Client ID and Default Client ID
124
-
The configuration can also define a client id that is used by default when a method of CombinedTrustEvaluator is called without a client_id parameter.
125
-
If the client_id is not defined in the configuration of the handler, in the phase of initialization of the CombinedTrustEvaluator, the client_id is set to default_client_id.
132
+
133
+
The configuration can also define a client id that is used by default when a method of CombinedTrustEvaluator is called without a client_id parameter.
134
+
If the client_id is not defined in the configuration of the handler, in the phase of initialization of the CombinedTrustEvaluator, the client_id is set to default_client_id.
0 commit comments