key loader: x509: Remove

Signed-off-by: John Andersen <[email protected]>

Author: pdxjohnny

docs/registration_policies.md

@@ -66,42 +66,12 @@ Simple drop rule based on claim content allowlist.
 {
     "$id": "https://schema.example.com/scitt-allowlist.schema.json",
     "$schema": "https://json-schema.org/draft/2020-12/schema",
-    "required": ["issuer", "issuer_key"],
     "properties": {
         "issuer": {
             "type": "string",
             "enum": [
                 "did:web:example.org"
             ]
-        },
-        "issuer_key": {
-            "type": "object",
-            "required": ["content_type", "certificate"],
-            "properties": {
-                "content_type": {
-                    "type": "string",
-                    "enum": [
-                        "application/pkix-cert"
-                    ]
-                },
-                "certificate": {
-                    "type": "object",
-                    "required": ["subject"],
-                    "properties": {
-                        "subject": {
-                            "type": "object",
-                            "properties": {
-                                "O": {
-                                    "type": "string",
-                                    "enum": [
-                                        "SCITT Emulator"
-                                    ]
-                                }
-                            }
-                        }
-                    }
-                }
-            }
         }
     }
 }

scitt_emulator/key_loader_format_url_referencing_ssh_authorized_keys.py

@@ -14,6 +14,9 @@
 import jwcrypto.jwk
 
 from scitt_emulator.did_helpers import did_web_to_url
+from scitt_emulator.key_helper_dataclasses import VerificationKey
+
+CONTENT_TYPE = "application/key+ssh"
 
 
 def key_loader_format_url_referencing_ssh_authorized_keys(
@@ -40,7 +43,7 @@ def key_loader_format_url_referencing_ssh_authorized_keys(
                             transforms=[key],
                             original=key,
                             original_content_type=CONTENT_TYPE,
-                            original_bytes=line.encode("utf-8"),
+                            original_bytes=line,
                             original_bytes_encoding="utf-8",
                             usable=False,
                             cwt=None,

scitt_emulator/key_loader_format_url_referencing_x509.py

@@ -15,17 +15,13 @@
             'did_key=scitt_emulator.key_loader_format_did_key:key_loader_format_did_key',
             'url_referencing_oidc_issuer=scitt_emulator.key_loader_format_url_referencing_oidc_issuer:key_loader_format_url_referencing_oidc_issuer',
             'url_referencing_ssh_authorized_keys=scitt_emulator.key_loader_format_url_referencing_ssh_authorized_keys:key_loader_format_url_referencing_ssh_authorized_keys',
-            'url_referencing_x509=scitt_emulator.key_loader_format_url_referencing_x509:key_loader_format_url_referencing_x509',
         ],
         'scitt_emulator.key_helpers.transforms_key_instances': [
             'transform_key_instance_cwt_cose_ec2_to_pycose_ec2=scitt_emulator.key_transforms:transform_key_instance_cwt_cose_ec2_to_pycose_ec2',
             'transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk=scitt_emulator:key_loader_format_did_key.transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk',
             'transform_key_instance_jwcrypto_jwk_to_cwt_cose=scitt_emulator.key_loader_format_url_referencing_oidc_issuer:transform_key_instance_jwcrypto_jwk_to_cwt_cose',
         ],
         'scitt_emulator.key_helpers.verification_key_to_object': [
-            # TODO 'to_object_did_key=scitt_emulator.key_loader_format_did_key:to_object_did_key',
-            'to_object_x509=scitt_emulator.key_loader_format_url_referencing_x509:to_object_x509',
-            # TODO 'to_object_ssh_authorized_keys=scitt_emulator.key_loader_format_url_referencing_ssh_authorized_keys:to_object_ssh_authorized_keys',
             'to_object_oidc_issuer=scitt_emulator.key_loader_format_url_referencing_oidc_issuer:to_object_oidc_issuer',
         ],
     },

setup.py

@@ -9,14 +9,6 @@
 import jwcrypto
 from flask import Flask, jsonify, send_file
 from werkzeug.serving import make_server
-from cryptography import x509
-from cryptography.x509.oid import NameOID
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
-from jwcrypto import jwk, jws
-import datetime
 from scitt_emulator import cli, server
 from scitt_emulator.oidc import OIDCAuthMiddleware
 
@@ -174,44 +166,6 @@ def create_flask_app_oidc_server(config):
     @app.route("/", methods=["GET"])
     def ssh_public_keys():
         from cryptography.hazmat.primitives import serialization
-        key = app.config["key"]
-        rsa_public_key = jwk.JWK.from_json(key.export_public())
-
-        # Convert the JWK to a public key
-        public_key = rsa_public_key.get_op_key('verify')
-
-        # Create a builder for the X.509 certificate
-        subject = issuer = x509.Name([
-            x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
-            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Oregon"),
-            x509.NameAttribute(NameOID.LOCALITY_NAME, "Portland"),
-            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "SCITT Emulator"),
-            x509.NameAttribute(NameOID.COMMON_NAME, "example.com"),
-        ])
-
-        cert_builder = x509.CertificateBuilder(
-            subject_name=subject,
-            issuer_name=issuer,
-            public_key=public_key,
-            serial_number=x509.random_serial_number(),
-            not_valid_before=datetime.datetime.utcnow(),
-            not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=365),  # Certificate valid for 1 year
-            extensions=[]
-        )
-
-        # Self-sign the certificate with the private key
-        private_key_op = key.get_op_key('sign')
-        cert = cert_builder.sign(private_key=private_key_op, algorithm=hashes.SHA256(), backend=default_backend())
-
-        # Serialize the certificate
-        cert_pem = cert.public_bytes(encoding=Encoding.PEM)
-
-        # Display or save the PEM encoded certificate
-        return send_file(
-            io.BytesIO(cert_pem),
-            mimetype="text/plain",
-        )
-        # TODO Re-enable ssh authorized_keys
         return send_file(
             io.BytesIO(
                 serialization.load_pem_public_key(
@@ -224,9 +178,6 @@ def ssh_public_keys():
             mimetype="text/plain",
         )
 
-    # TODO Re-enable oidc/jwks
-    return app
-
     @app.route("/.well-known/openid-configuration", methods=["GET"])
     def openid_configuration():
         return jsonify(