fix: added salt in the pairwised subject id - closes #158
peppelinux committed Dec 7, 2023
1 parent e14e728 commit e29792e
Showing 4 changed files with 9 additions and 8 deletions.
2 changes: 1 addition & 1 deletion example/satosa/pyeudiw_backend.yaml
Expand Up @@ -61,7 +61,7 @@ config:
unique_identifiers:
- tax_id_code
- unique_id
subject_id_salt: CHANGEME!
subject_id_random_value: CHANGEME!

network:
httpc_params:
2 changes: 1 addition & 1 deletion pyeudiw/openid4vp/direct_post_response.py
Expand Up @@ -28,7 +28,7 @@ def __init__(self, jwt: str, jwks_by_kids: dict, nonce: str = ""):

@property
def payload(self) -> dict:
# TODO: detect if if it encrypted otherwise ...
# TODO: detect if it is encrypted otherwise ...
# here we support only the encrypted jwt
if not self._payload:
self.decrypt()
9 changes: 3 additions & 6 deletions pyeudiw/satosa/backend.py
Expand Up @@ -307,11 +307,12 @@ def _translate_response(self, response: dict, issuer: str, context: Context):
internal_resp = InternalData(auth_info=auth_info)

sub = ""
pepper = self.config.get("user_attributes", {})['subject_id_random_value']
for i in self.config.get("user_attributes", {}).get("unique_identifiers", []):
if response.get(i):
_sub = response[i]
sub = hashlib.sha256(
f"{_sub}~{self.config['user_attributes']['subject_id_salt']}".encode(
f"{_sub}~{pepper}".encode(
)
).hexdigest()
break
Expand All @@ -325,9 +326,8 @@ def _translate_response(self, response: dict, issuer: str, context: Context):
"setting a random one for interop for internal frontends"
)
)
# TODO - add a salt here
sub = hashlib.sha256(
json.dumps(response).encode()
f"{json.dumps(response).encode()}~{pepper}".encode()
).hexdigest()

response["sub"] = [sub]
Expand Down Expand Up @@ -731,9 +731,6 @@ def handle_error(
level="error"
):

# TODO: evaluate with UX designers if Jinja2 template
# loader and rendering is required, it seems not.

_msg = f"{message}:"
if err:
_msg += f" {err}."
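Review bot: The fallback digest on the new line `f"{json.dumps(response).encode()}~{pepper}".encode()` formats a bytes object into an f-string, so the value hashed is the repr text `b'{...}'~<pepper>` rather than the JSON itself; the inner `.encode()` should go: `f"{json.dumps(response)}~{pepper}".encode()`. Earlier in the same hunk, `pepper = self.config.get("user_attributes", {})['subject_id_random_value']` turns a missing key into a bare KeyError raised from inside response translation; validating the value once at startup, and refusing the `CHANGEME!` placeholder that the example config and tests/settings.py both ship, would surface a misconfiguration before any subject id is derived from a guessable value. Since `pepper` is meant to stay secret, the conventional construction for a pairwise identifier is a keyed hash, `hmac.new(pepper.encode(), _sub.encode(), hashlib.sha256).hexdigest()`, rather than SHA-256 over a `~`-joined string, though switching would change every already-issued `sub` and so needs a migration decision. `_translate_response` begins and ends outside the hunk.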
4 changes: 4 additions & 0 deletions pyeudiw/tests/settings.py
Expand Up @@ -46,6 +46,10 @@
"scopes": ["pid-sd-jwt:unique_id+given_name+family_name"],
"default_acr_value": "https://www.spid.gov.it/SpidL2",
},
'user_attributes': {
"unique_identifiers": ["tax_id_code", "unique_id"],
"subject_id_random_value": "CHANGEME!"
},
'network': {
"httpc_params": httpc_params
},
