@leafac
Created September 22, 2023 15:06
  • Diagnostics tools

  • One key

    • https://www.stackallocated.com/blog/2020/saml-idp-no-shared-keys/
    • All Identity Providers
    • All purposes: signing & encrypting
    • All services: SAML & LTI (OAuth)
    • But metadata is different, because the metadata URL carries the Identity Provider's samlIdentifier, which we need in order to look up the idpIssuer before we even decode the SAML Response.
    • Pros of separate keys:
      • Probably a bit more secure, given that an issue with a key doesn’t contaminate everything.
      • It’s what we already had before the migration to the new key management system.
    • Pros of same key:
      • Easier to manage (think of initial configuration, rotation, and so forth).
      • It’s what other services seem to do (Moodle, Canvas, Piazza, NOT GRADESCOPE).
      • Set up only once with the Identity Provider (think of LTI and its multiple courses at the same institution).
      • Holds up well when we extend the LTI support to sync with the LMS at the installation level (as opposed to the course level, as we're doing now) and create courses in Courselore automatically.
  • Create keys with OpenSSL

    # Private key + self-signed certificate in one step; the certificate is what goes into the SAML/LTI metadata.
    $ openssl req -x509 -newkey rsa:2048 -nodes -days 365000 -subj "/CN=courselore.org/C=US/ST=Maryland/L=Baltimore/O=Courselore" -keyout private-key.pem -out certificate.pem
    # Extract the bare public key from the certificate.
    $ openssl x509 -pubkey -noout -in certificate.pem > public-key.pem
    
    # Human-readable dumps of all three, for inspection.
    $ openssl rsa -in private-key.pem -text -noout > private-key.txt
    $ openssl rsa -inform PEM -pubin -in public-key.pem -text -noout > public-key.txt
    $ openssl x509 -in certificate.pem -text -noout > certificate.txt
  • Libraries
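For the "Create keys with OpenSSL" step above, this added script (not part of the gist, not Courselore code) runs the same generation commands and then checks that private-key.pem, certificate.pem and public-key.pem share one RSA modulus, so the certificate handed to an Identity Provider is guaranteed to match the key used for signing. It assumes openssl is in PATH and takes the output directory as an argument.

```shell
#!/bin/sh
# Added example: generate the single signing/encryption key pair as in the notes,
# then verify that the three files belong together before publishing metadata.
# Assumed: openssl in PATH; all files are written into the directory given as $1.
set -eu

# Same commands and subject as the notes; key-generation chatter on stderr is dropped.
gen_keypair() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365000 \
    -subj "/CN=courselore.org/C=US/ST=Maryland/L=Baltimore/O=Courselore" \
    -keyout "$dir/private-key.pem" -out "$dir/certificate.pem" 2>/dev/null
  openssl x509 -pubkey -noout -in "$dir/certificate.pem" > "$dir/public-key.pem"
}

# Print a SHA-256 fingerprint of the RSA modulus found in a private key,
# a certificate, or a public key ($1 selects the kind, $2 is the file).
modulus_fingerprint() {
  case "$1" in
    private) mod=$(openssl rsa -in "$2" -noout -modulus) ;;
    cert)    mod=$(openssl x509 -in "$2" -noout -modulus) ;;
    public)  mod=$(openssl rsa -pubin -in "$2" -noout -modulus) ;;
    *)       return 1 ;;
  esac
  printf '%s' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 only if the private key, certificate and public key share one modulus,
# i.e. the certificate you publish really corresponds to the key you sign with.
verify_keypair() {
  dir="$1"
  priv=$(modulus_fingerprint private "$dir/private-key.pem")
  cert=$(modulus_fingerprint cert "$dir/certificate.pem")
  pub=$(modulus_fingerprint public "$dir/public-key.pem")
  echo "modulus fingerprint: $priv"
  [ "$priv" = "$cert" ] && [ "$priv" = "$pub" ]
}
```

Run it as `gen_keypair keys && verify_keypair keys` after sourcing the script; a mismatch (for example a certificate left over from an earlier rotation) makes verify_keypair fail.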
