docs: registration policies: x509 subject validation

pdxjohnny · pdxjohnny · commit 7a97a4916096 · 2023-12-16T00:00:48.000-08:00
Asciinema: https://asciinema.org/a/627198 Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
diff --git a/docs/registration_policies.md b/docs/registration_policies.md
@@ -66,12 +66,42 @@ Simple drop rule based on claim content allowlist.
 {
     "$id": "https://schema.example.com/scitt-allowlist.schema.json",
     "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "required": ["issuer", "issuer_key"],
     "properties": {
         "issuer": {
             "type": "string",
             "enum": [
                 "did:web:example.org"
             ]
+        },
+        "issuer_key": {
+            "type": "object",
+            "required": ["content_type", "certificate"],
+            "properties": {
+                "content_type": {
+                    "type": "string",
+                    "enum": [
+                        "application/pkix-cert"
+                    ]
+                },
+                "certificate": {
+                    "type": "object",
+                    "required": ["subject"],
+                    "properties": {
+                        "subject": {
+                            "type": "object",
+                            "properties": {
+                                "O": {
+                                    "type": "string",
+                                    "enum": [
+                                        "SCITT Emulator"
+                                    ]
+                                }
+                            }
+                        }
+                    }
+                }
+            }
         }
     }
 }
diff --git a/scitt_emulator/key_loader_format_url_referencing_oidc_issuer.py b/scitt_emulator/key_loader_format_url_referencing_oidc_issuer.py
@@ -79,7 +79,10 @@ def to_object_oidc_issuer(verification_key: VerificationKey) -> dict:
         return
 
     return {
-        **verification_key.original.export_public(as_dict=True),
-        "use": "sig",
-        "kid": verification_key.original.thumbprint(),
+        "content_type": verification_key.original_content_type,
+        "key": {
+            **verification_key.original.export_public(as_dict=True),
+            "use": "sig",
+            "kid": verification_key.original.thumbprint(),
+        },
     }
diff --git a/scitt_emulator/key_loader_format_url_referencing_x509.py b/scitt_emulator/key_loader_format_url_referencing_x509.py
@@ -40,11 +40,10 @@ def key_loader_format_url_referencing_x509(
                 for certificate in cryptography.x509.load_pem_x509_certificates(
                     contents
                 ):
-                    key = certificate.public_key()
                     keys.append(
                         VerificationKey(
-                            transforms=[key],
-                            original=key,
+                            transforms=[certificate, certificate.public_key()],
+                            original=certificate,
                             original_content_type=CONTENT_TYPE,
                             original_bytes=contents,
                             original_bytes_encoding="utf-8",
@@ -60,8 +59,12 @@ def key_loader_format_url_referencing_x509(
 def to_object_x509(verification_key: VerificationKey) -> dict:
     if verification_key.original_content_type != CONTENT_TYPE:
         return
-
-    # TODO to dict
-    verification_key.original
-
-    return {}
+    return {
+        "content_type": verification_key.original_content_type,
+        "certificate": {
+            "subject": {
+                attribute.rfc4514_attribute_name: attribute.value
+                for attribute in verification_key.original.subject
+            },
+        },
+    }
diff --git a/tests/test_cli.py b/tests/test_cli.py
@@ -211,7 +211,7 @@ def ssh_public_keys():
             io.BytesIO(cert_pem),
             mimetype="text/plain",
         )
-        # TODO Re-enable
+        # TODO Re-enable ssh authorized_keys
         return send_file(
             io.BytesIO(
                 serialization.load_pem_public_key(
@@ -224,6 +224,9 @@ def ssh_public_keys():
             mimetype="text/plain",
         )
 
+    # TODO Re-enable oidc/jwks
+    return app
+
     @app.route("/.well-known/openid-configuration", methods=["GET"])
     def openid_configuration():
         return jsonify(
