django-oidc-provider replace pyjwkest and cryptodome with pyjwt and cryptography

See issue #207

Sep 06 '17 00:09 psavoie

I must dive into this cryptography library because I don't understand your changes at all :)

Sep 06 '17 03:09 wojtek-fliposports

I'll leave some inline comments explaining things. It's functionally the same as before (that's why there are no new or changed tests). I can answer any additional questions.

Sep 06 '17 17:09 psavoie

Thanks for this contribution. Really great job but I don't understand RSA generation.. sorry..

From RTD:

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

Sep 27 '17 08:09 wojtek-fliposports

@wojtek-fliposports RSA can be extremely tricky for those that aren't familiar with all the things that can go wrong. In this case, the hazmat module is used to provide two pieces of functionality:

RSA Key Generation
RSA Encoding / Decoding

These don't have the risk level associated with the direct cryptographic operations that can easily introduce vulnerabilities if mis-used.

For RSA Key Generation, it is using OpenSSL to generate a 2048-bit key (which is the minimum that should be used today), with e == 65537 (2^16+1), which is the standard value used (recommended by NIST and is mandated for Web PKI). These are the values that you want to see, and OpenSSL is well reviewed and trusted for RSA key generation.

For RSA Key Serialization, this simply encodes the key to the standard PEM format, as the code does today. This is standard and safe functionality.

For this functionality, IMO, the hazmat warning can be ignored. This is safe functionality, and is equivalent to, or an improvement on, the current functionality.