This repository contains the RDE keyserver. This key server is a simple Django application that provides a public key register for RDE enrollment parameters. It provides a simple web interface that allows users to register their e-passports for RDE. The key server also provides a REST API that allows other applications to retrieve the public keys of users, based on their email address. User authentication is handled via SAML.
Probably you want to use the RDE POC server config repository to install the keyserver. This uses Docker and uwsgi to run the keyserver, which is configured to run with 1 worker and 10 threads.
The following environment variables can be passed to the container:
DJANGO_SECRET_KEY: The secret key used by Django.DJANGO_ALLOWED_HOSTS: The allowed hosts for Django, comma separated, e.g.keyserver.example.comorkeyserver.example.com,keyserver2.example.com.DJANGO_DEBUG: Whether to enable debug mode for Django, e.g.TrueorFalse.DJANGO_BASE_URL: The base url of the RDE keyserver, e.g.https://keyserver.example.com. This is also used as entity id for SAML.DJANGO_SAML_IDP_METADATA_URL: The url of the SAML IdP metadata, e.g.https://metadata.test.surfconext.nl/idp-metadata.xml.
These environment variables are used in settings.py.
The key server is exposed on port 8000.
Static (and media) files are not served by the keyserver, but should be served by a separate keyserver.
These directories are available at /code/static and /code/media respectively and can be mounted as volumes.
Configuration of SAML is done in settings.py.
We refer to the Django SAML2 SP documentation for more information.
SAML requires a private.key and public.cert file to be present in the keyserver/config/saml directory.
A sample command to generate these files is openssl req -x509 -newkey rsa:4096 -keyout private.key -out public.cert -days 365.
The current configuration uses an SQLite database in keyserver/db.sqlite3 for data storage.
The keyserver provides a simple web interface that allows users to view and register their RDE documents. The web interface is protected by SAML authentication. Users can register a new RDE document by clicking the "Enroll new document" button. This will generate a ticket that can be used to enroll the document using the API, and will display a QR code that can be scanned by the RDE client app to enroll the document. The ticket will expire when a new ticket is created. In production, the ticket should be also have a max lifetime.
This process is not production ready. In production, the enrollment process should have more user interaction and feedback.
The keyserver provides a REST API that allows other applications to retrieve the public keys of users, based on their email address.
This API can be queries using /api/search?email=<email>.
The API will return a JSON object with the enrollment parameters for the user with the given email address.
If no user is found, the API will return a 404 error.
The keyserver also provides a REST API that allows users to register their RDE documents.
This API can be queries using /api/enroll/<ticket>/.
Here the <ticket> should be replaced with the ticket that was generated by the key server when the user requests to register a new RDE document (via the frontend web interface).
The API expects a JSON object with the enrollment parameters for the RDE document and will return these parameters if the enrollment was successful.
Right now, the keyserver does not verify the enrollment parameters. This means that any user can enroll with any parameters, even invalid ones (in fact, any JSON object is accepted). This is not a problem for the prototype, but should be fixed in production. For this, a python version of the RDE JS library should be implemented, and the JS library should be integrated in the keyserver as well, so users can verify their own enrollment parameters in the browser, too.
Right now the key server acts as a PGP-like public key register. This means that anyone can retrieve the public key of any user as long as they know the email address of the user. It might be desirable to add some form of authentication to the API, so that only authorized users or applications can access the register, and to add some form of rate limiting. This is not a priority at the moment, but should be considered in the future.
Within the RDE prototype, the purpose of the keyserver is to provide a register for RDE enrollment parameters and to link those to email addresses of users. The keyserver is to be trusted for this binding. Other than that, the keyserver does not have any special security requirements. It does not receive or process any secret data within the RDE prototype infrastructure.
The keyserver depends on the following python packages:
- Django
- Django REST framework
- django-qr-code
- Django SAML2 SP
- uWSGI (for running the application)