WIP

cicnavi · cicnavi · commit 07cec9fe8026 · 2025-05-15T13:08:01.000+02:00
diff --git a/README.md b/README.md
@@ -78,14 +78,15 @@ the following parameters configured:
 > [!NOTE]  
 > The module has been tested with and supports SQLite, PostgreSQL, and MySQL databases.
 
-### Create Protocol / Federation RSA key pairs
+### Create Protocol / Federation pairs
 
 During the authentication flow, the generated ID Token and Access Token will be in the form of signed JSON Web Tokens (JWS).
 For signing these tokens, you need to create a public/private RSA key pair, referred to as "OIDC protocol" keys.
 
 If you plan to use OpenID Federation capabilities, you should create a separate key pair dedicated to OpenID Federation
 operations, such as signing Entity Statement JWS.
 
+#### RSA key pair generation
 Below are sample commands to create key pairs with default file names for both "protocol" and "federation" purposes:
 
 To generate the private keys without a passphrase:
@@ -112,6 +113,37 @@ With passphrase:
 
 If you use different file names or a passphrase, be sure to update these settings in the `module_oidc.php` configuration file.
 
+#### EC key pair generation
+
+If you prefer to use Elliptic Curve Cryptography (ECC) instead of RSA, you can generate the key pair using the
+following commands:
+
+To generate the private keys without a passphrase:
+
+    openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module.key
+    openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module_federation.key
+
+To generate the private keys with a passphrase:
+
+    openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module.key -passout pass:myPassPhrase
+    openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module_federation.key -passout pass:myPassPhrase
+
+Next, extract the public key from each private key:
+
+Without passphrase:
+
+    openssl ec -in cert/oidc_module.key -pubout -out cert/oidc_module.crt
+    openssl ec -in cert/oidc_module_federation.key -pubout -out cert/oidc_module_federation.crt
+
+With passphrase:
+
+    openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+    openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+
+If you use different file names or a passphrase, be sure to update these settings in the `module_oidc.php`
+configuration file.
+
+
 ### Enabling the module
 
 To enable the module, add `'oidc' => true` to the list of enabled modules in the main SimpleSAMLphp 
diff --git a/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php b/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php
@@ -72,7 +72,7 @@ public function credential(Request $request): Response
 
         $verifiableCredential = $this->verifiableCredentials->jwtVcJsonFactory()->fromData(
             $jwk,
-            SignatureAlgorithmEnum::RS256,
+            SignatureAlgorithmEnum::from($this->moduleConfig->getProtocolSigner()->algorithmId()),
             [
                 ClaimsEnum::Vc->value => [
                     ClaimsEnum::AtContext->value => [
diff --git a/src/Server/Validators/BearerTokenValidator.php b/src/Server/Validators/BearerTokenValidator.php
@@ -18,6 +18,7 @@
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface as OAuth2AccessTokenRepositoryInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 
@@ -44,6 +45,7 @@ class BearerTokenValidator extends OAuth2BearerTokenValidator
     public function __construct(
         AccessTokenRepositoryInterface $accessTokenRepository,
         CryptKey $publicKey,
+        protected readonly ModuleConfig $moduleConfig,
         ?DateInterval $jwtValidAtDateLeeway = null,
         protected LoggerService $loggerService = new LoggerService(),
     ) {
@@ -72,15 +74,15 @@ public function setPublicKey(CryptKey $key): void
     protected function initJwtConfiguration(): void
     {
         $this->jwtConfiguration = Configuration::forSymmetricSigner(
-            new Sha256(),
+            $this->moduleConfig->getProtocolSigner(),
             InMemory::plainText('empty', 'empty'),
         );
 
         /** @psalm-suppress DeprecatedMethod, ArgumentTypeCoercion */
         $this->jwtConfiguration->setValidationConstraints(
             new StrictValidAt(new SystemClock(new DateTimeZone(date_default_timezone_get()))),
             new SignedWith(
-                new Sha256(),
+                $this->moduleConfig->getProtocolSigner(),
                 InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? ''),
             ),
         );

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ public function credential(Request $request): Response`
`72`	`72`
`73`	`73`	`$verifiableCredential = $this->verifiableCredentials->jwtVcJsonFactory()->fromData(`
`74`	`74`	`$jwk,`
`75`		`- SignatureAlgorithmEnum::RS256,`
	`75`	`+ SignatureAlgorithmEnum::from($this->moduleConfig->getProtocolSigner()->algorithmId()),`
`76`	`76`	`[`
`77`	`77`	`ClaimsEnum::Vc->value => [`
`78`	`78`	`ClaimsEnum::AtContext->value => [`