Merge branch 'main' into 142-add-extensibility-to-referenced-token-status_list-object

Author: paulbastian

draft-ietf-oauth-status-list.md

@@ -21,7 +21,8 @@ author:
     email: paul.bastian@posteo.de
  -
     fullname: Christian Bormann
-    email: chris.bormann@gmx.de
+    organization: Robert Bosch GmbH
+    email: christiancarl.bormann@bosch.com
 
 normative:
   RFC1950: RFC1950
@@ -38,6 +39,7 @@ normative:
   RFC9052: RFC9052
   RFC9110: RFC9110
   RFC9111: RFC9111
+  RFC9596: RFC9596
   IANA.MediaTypes:
     author:
       org: "IANA"
@@ -58,7 +60,6 @@ normative:
       org: "IANA"
     title: "CBOR Web Token (CWT) Claims"
     target: "https://www.iana.org/assignments/cwt/cwt.xhtml"
-  CWT.typ: I-D.ietf-cose-typ-header-parameter
 
 informative:
   RFC6749: RFC6749
@@ -220,13 +221,13 @@ This section defines the structure for a CBOR-encoded Status List:
   * `bits`: REQUIRED. Unsigned int (Major Type 0) that contains the number of bits per Referenced Token in the Status List. The allowed values for `bits` are 1, 2, 4 and 8.
   * `lst`: REQUIRED. Byte string (Major Type 2) that contains the Status List as specified in [](#status-list-json).
 
-The following example illustrates the CBOR representation of the Status List:
+The following example illustrates the CBOR representation of the Status List in Hex:
 
 ~~~~~~~~~~
 {::include ./examples/status_list_encoding_cbor}
 ~~~~~~~~~~
 
-The following is the CBOR diagnostic output of the example above:
+The following is the CBOR Annotated Hex output of the example above:
 
 ~~~~~~~~~~
 {::include ./examples/status_list_encoding_cbor_diag}
@@ -277,7 +278,7 @@ The Status List Token MUST be encoded as a "CBOR Web Token (CWT)" according to {
 
 The following content applies to the CWT protected header:
 
-* `16` TBD (type): REQUIRED. The type of the CWT MUST be `statuslist+cwt` as defined in {{CWT.typ}}.
+* `16` (type): REQUIRED. The type of the CWT MUST be `statuslist+cwt` as defined in {{RFC9596}}.
 
 The following content applies to the CWT Claims Set:
 
@@ -298,13 +299,13 @@ The following additional rules apply:
 
 4. Application of additional restrictions and policy are at the discretion of the verifying party.
 
-The following is a non-normative example for a Status List Token in CWT format (not including the type header yet):
+The following is a non-normative example for a Status List Token in CWT format in Hex:
 
 ~~~~~~~~~~
 {::include ./examples/status_list_cwt}
 ~~~~~~~~~~
 
-The following is the CBOR diagnostic output of the example above:
+The following is the CBOR Annotated Hex output of the example above:
 
 ~~~~~~~~~~
 {::include ./examples/status_list_cwt_diag}
@@ -364,31 +365,18 @@ The following content applies to the CWT Claims Set:
 
 Application of additional restrictions and policy are at the discretion of the verifying party.
 
-The following is a non-normative example for a decoded payload of a Referenced Token:
+The following is a non-normative example of a Referenced Token in CWT format in Hex:
 
-~~~ ascii-art
+~~~~~~~~~~
+{::include ./examples/referenced_token_cwt}
+~~~~~~~~~~
+
+The following is the CBOR Annotated Hex output of the example above:
+
+~~~~~~~~~~
+{::include ./examples/referenced_token_cwt_diag}
+~~~~~~~~~~
 
-18(
-    [
-      / protected / << {
-        / alg / 1: -7 / ES256 /
-      } >>,
-      / unprotected / {
-        / kid / 4: h'3132' / '13' /
-      },
-      / payload / << {
-        / iss    / 1: "https://example.com",
-        / status / 65535: {
-          "status_list": {
-            "idx": 0,
-            "uri": "https://example.com/statuslists/1"
-          }
-        }
-      } >>,
-      / signature / h'...'
-    ]
-  )
-~~~
 
 ## Referenced Token in other COSE/CBOR Format {#referenced-token-cose}
 
@@ -814,6 +802,7 @@ for their valuable contributions, discussions and feedback to this specification
 -03
 
 * relax requirements for status_list claims to contain other parameters
+* change cwt referenced token example to hex and annotated hex
 * require TLS only for fetching Status List, not for Status List Token
 * remove the undefined phrase Status List endpoint
 * remove http caching in favor of the new ttl claim

src/main.py

@@ -1,11 +1,12 @@
 from status_list import StatusList
 from status_token import StatusListToken
-from datetime import datetime, timedelta
+from referenced_token import CWT
+from datetime import datetime, timedelta, timezone
 import os
 import util
 
 key = util.EXAMPLE_KEY
-iat = datetime.utcfromtimestamp(1686920170)
+iat = datetime.fromtimestamp(1686920170, timezone.utc)
 exp = iat + timedelta(days=7000)
 ttl = timedelta(hours=12)
 folder = "./examples/"
@@ -53,25 +54,23 @@ def statusListEncoding1Bit():
     status_list = exampleStatusList1Bit()
     encoded = status_list.encodeAsJSON()
     text = "byte_array = [{}, {}] \nencoded:\n{}".format(
-        hex(status_list.list[0]),
-        hex(status_list.list[1]),
-        util.printObject(encoded)
+        hex(status_list.list[0]), hex(status_list.list[1]), util.printObject(encoded)
     )
     util.outputFile(folder + "status_list_encoding_json", text)
 
+
 def statusListEncoding1BitCBOR():
     status_list = exampleStatusList1Bit()
     encoded = status_list.encodeAsCBOR()
     hex_encoded = encoded.hex()
     text = "byte_array = [{}, {}] \nencoded:\n{}".format(
-        hex(status_list.list[0]),
-        hex(status_list.list[1]),
-        util.printText(hex_encoded)
+        hex(status_list.list[0]), hex(status_list.list[1]), util.printText(hex_encoded)
     )
     util.outputFile(folder + "status_list_encoding_cbor", text)
     diag = util.printCBORDiagnostics(encoded)
     util.outputFile(folder + "status_list_encoding_cbor_diag", diag)
 
+
 def statusListEncoding2Bit():
     status_list = exampleStatusList2Bit()
     encoded = status_list.encodeAsJSON()
@@ -83,6 +82,7 @@ def statusListEncoding2Bit():
     )
     util.outputFile(folder + "status_list_encoding2_json", text)
 
+
 def statusListEncoding2BitCBOR():
     status_list = exampleStatusList2Bit()
     encoded = status_list.encodeAsCBOR()
@@ -97,6 +97,7 @@ def statusListEncoding2BitCBOR():
     diag = util.printCBORDiagnostics(encoded)
     util.outputFile(folder + "status_list_encoding2_cbor_diag", diag)
 
+
 def statusListJWT():
     status_list = exampleStatusList1Bit()
     jwt = StatusListToken(
@@ -109,6 +110,7 @@ def statusListJWT():
     text = util.formatToken(status_jwt, key)
     util.outputFile(folder + "status_list_jwt", text)
 
+
 def statusListCWT():
     status_list = exampleStatusList1Bit()
     cwt = StatusListToken(
@@ -121,7 +123,27 @@ def statusListCWT():
     status_cwt = cwt.buildCWT(iat=iat, exp=exp, ttl=ttl)
     hex_encoded = status_cwt.hex()
     util.outputFile(folder + "status_list_cwt", util.printText(hex_encoded))
-    util.outputFile(folder + "status_list_cwt_diag", util.printCBORDiagnostics(status_cwt))
+    util.outputFile(
+        folder + "status_list_cwt_diag", util.printCBORDiagnostics(status_cwt)
+    )
+
+
+def referencedTokenCWT():
+    encoded = CWT(
+        iat=iat,
+        exp=exp,
+        sub="12345",
+        iss="https://example.com",
+        jwk=key,
+        status_url="https://example.com/statuslists/1",
+        status_idx=0,
+    )
+    hex_encoded = encoded.hex()
+    util.outputFile(folder + "referenced_token_cwt", util.printText(hex_encoded))
+    util.outputFile(
+        folder + "referenced_token_cwt_diag", util.printCBORDiagnostics(encoded)
+    )
+
 
 if __name__ == "__main__":
     if not os.path.exists(folder):
@@ -132,3 +154,4 @@ def statusListCWT():
     statusListEncoding1BitCBOR()
     statusListEncoding2BitCBOR()
     statusListCWT()
+    referencedTokenCWT()

src/referenced_token.py

@@ -0,0 +1,44 @@
+from cbor2 import dumps
+from cwt import COSE, COSEHeaders, COSEKey, CWTClaims, COSEAlgs
+from datetime import datetime
+from jwcrypto import jwk
+
+
+def CWT(
+    jwk: jwk.JWK,
+    iat: datetime,
+    sub: str,
+    iss: str,
+    status_url: str,
+    status_idx: int,
+    exp: datetime = None,
+):
+    claims = {}
+    claims[CWTClaims.SUB] = sub
+    claims[CWTClaims.ISS] = iss
+    claims[CWTClaims.IAT] = int(iat.timestamp())
+    if exp is not None:
+        claims[CWTClaims.EXP] = int(exp.timestamp())
+
+    claims[65535] = {
+        "status_list": {
+            "idx": status_idx,
+            "uri": status_url,
+        }
+    }
+
+    protected_header = {}
+    unprotected_header = {}
+
+    if jwk.key_id:
+        unprotected_header[COSEHeaders.KID] = jwk.key_id.encode("utf-8")
+    protected_header[COSEHeaders.ALG] = COSEAlgs.ES256
+
+    key = COSEKey.from_jwk(jwk)
+
+    sender = COSE.new()
+    encoded = sender.encode(
+        dumps(claims), key, protected=protected_header, unprotected=unprotected_header
+    )
+
+    return encoded

src/status_list.py

@@ -62,9 +62,7 @@ def get(self, pos: int) -> int:
         rest = pos % self.divisor
         floored = pos // self.divisor
         shift = rest * self.bits
-        return (
-            self.list[floored] & (((1 << self.bits) - 1) << shift)
-        ) >> shift
+        return (self.list[floored] & (((1 << self.bits) - 1) << shift)) >> shift
 
     def __str__(self):
         val = ""

src/status_token.py

@@ -82,7 +82,7 @@ def buildJWT(
         ttl: timedelta = None,
         optional_claims: Dict = None,
         optional_header: Dict = None,
-        compact=True
+        compact=True,
     ) -> str:
         # build claims
         if optional_claims is not None:
@@ -111,15 +111,15 @@ def buildJWT(
         token = jwt.JWT(header=header, claims=claims)
         token.make_signed_token(self._key)
         return token.serialize(compact=compact)
-    
+
     def buildCWT(
         self,
         iat: datetime = datetime.utcnow(),
         exp: datetime = None,
         ttl: timedelta = None,
         optional_claims: Dict = None,
         optional_protected_header: Dict = None,
-        optional_unprotected_header: Dict = None
+        optional_unprotected_header: Dict = None,
     ) -> bytes:
         # build claims
         if optional_claims is not None:
@@ -147,7 +147,7 @@ def buildCWT(
             unprotected_header = {}
 
         if self._key.key_id:
-            unprotected_header[COSEHeaders.KID] = self._key.key_id.encode('utf-8')
+            unprotected_header[COSEHeaders.KID] = self._key.key_id.encode("utf-8")
         protected_header[COSEHeaders.ALG] = self._alg
         protected_header[16] = STATUS_LIST_TYP_CWT
 
@@ -159,7 +159,7 @@ def buildCWT(
             dumps(claims),
             key,
             protected=protected_header,
-            unprotected=unprotected_header
+            unprotected=unprotected_header,
         )
 
         return encoded