fix(security): lock down signing-key file permissions

Private JWK files were written under the default umask (observed 0664 — group
and world readable). Create the key directory 0700, chmod private key files
(private_jwks.json, token_jwks.json) to 0600 after they are written, and
refuse to start if a pre-existing private key is group/world accessible.

Tests now use an isolated per-test key directory.

Refs: porchlight-91i

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Johan Lundberg 2026-06-08 15:21:27 +02:00
parent cba63280fb
commit c7550cbf09
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
4 changed files with 67 additions and 6 deletions

View file

@ -1,5 +1,6 @@
"""idpyoidc Server initialization."""
import os
from pathlib import Path
from idpyoidc.server import Server
@ -144,8 +145,32 @@ def _build_server_config(settings: Settings) -> dict:
}
_PRIVATE_KEY_FILES = ("private_jwks.json", "token_jwks.json")
def create_oidc_server(settings: Settings) -> Server:
"""Create and configure an idpyoidc Server instance."""
"""Create and configure an idpyoidc Server instance.
Private signing keys are written to ``signing_key_path``; lock the directory
to 0700 and the private key files to 0600, and refuse to start if a
pre-existing private key is group/world accessible (a key disclosure).
"""
key_path = Path(settings.signing_key_path)
key_path.mkdir(parents=True, exist_ok=True)
os.chmod(key_path, 0o700)
# Fail on pre-existing keys with loose permissions (left by a prior run).
for name in _PRIVATE_KEY_FILES:
f = key_path / name
if f.exists() and (f.stat().st_mode & 0o077):
raise RuntimeError(f"Insecure permission on {f}: private key is group/world accessible")
config = _build_server_config(settings)
server = Server(conf=config)
# Lock down any keys idpyoidc just wrote (umask may have left them 0644).
for name in _PRIVATE_KEY_FILES:
f = key_path / name
if f.exists():
os.chmod(f, 0o600)
return server