🔥 Remove key passphrase config field

The form field is now a part of django-simple-certmanager,
which in turn uses it to decrypt the private key so that
the file is ready to use and no additional decryption is
needed in django-digid-eherkenning.

digid_eherkenning/admin.py

@@ -23,10 +23,7 @@ class DigidConfigurationAdmin(CustomPrivateMediaMixin, SingletonModelAdmin):
         (
             _("X.509 Certificate"),
             {
-                "fields": (
-                    "certificate",
-                    "key_passphrase",
-                ),
+                "fields": ("certificate",),
             },
         ),
         (
@@ -88,10 +85,7 @@ class EherkenningConfigurationAdmin(CustomPrivateMediaMixin, SingletonModelAdmin
         (
             _("X.509 Certificate"),
             {
-                "fields": (
-                    "certificate",
-                    "key_passphrase",
-                ),
+                "fields": ("certificate",),
             },
         ),
         (

digid_eherkenning/management/commands/generate_eherkenning_dienstcatalogus.py

@@ -30,7 +30,6 @@ def add_arguments(self, parser):
         dests_to_delete = [
             "want_assertions_encrypted",
             "want_assertions_signed",
-            "key_passphrase",
             "technical_contact_person_telephone",
             "technical_contact_person_email",
             "organization_url",

digid_eherkenning/migrations/0010_remove_digidconfiguration_key_passphrase_and_more.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.2.13 on 2024-07-18 14:46
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("digid_eherkenning", "0009_decrypt_private_keys"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="digidconfiguration",
+            name="key_passphrase",
+        ),
+        migrations.RemoveField(
+            model_name="eherkenningconfiguration",
+            name="key_passphrase",
+        ),
+    ]

digid_eherkenning/models/base.py

@@ -82,12 +82,6 @@ class BaseConfiguration(SingletonModel):
             "expect 'text/xml'."
         ),
     )
-    key_passphrase = models.CharField(
-        _("key passphrase"),
-        blank=True,
-        help_text=_("Passphrase for the private key used by the SOAP client."),
-        max_length=100,
-    )
     signature_algorithm = models.CharField(
         _("signature algorithm"),
         blank=True,

digid_eherkenning/models/digid.py

@@ -78,7 +78,6 @@ def as_dict(self) -> dict:
             # optional in runtime code
             "want_assertions_encrypted": self.want_assertions_encrypted,
             "want_assertions_signed": self.want_assertions_signed,
-            "key_passphrase": self.key_passphrase or None,
             "signature_algorithm": self.signature_algorithm,
             "digest_algorithm": self.digest_algorithm or None,
             "technical_contact_person_telephone": self.technical_contact_person_telephone

digid_eherkenning/models/eherkenning.py

@@ -287,7 +287,6 @@ def as_dict(self) -> EHerkenningConfig:
             # optional in runtime code
             "want_assertions_encrypted": self.want_assertions_encrypted,
             "want_assertions_signed": self.want_assertions_signed,
-            "key_passphrase": self.key_passphrase or None,
             "signature_algorithm": self.signature_algorithm,
             "digest_algorithm": self.digest_algorithm or None,
             "technical_contact_person_telephone": self.technical_contact_person_telephone

digid_eherkenning/saml2/base.py

@@ -246,7 +246,6 @@ def create_config_dict(self, conf):
                 "wantAssertionsSigned": conf.get("want_assertions_signed", False),
                 "soapClientKey": conf["key_file"].path,
                 "soapClientCert": conf["cert_file"].path,
-                "soapClientPassphrase": conf.get("key_passphrase", None),
                 # algorithm for requests with HTTP-redirect binding.
                 # AuthnRequest with HTTP-POST uses RSA_SHA256, which is hardcoded in OneLogin_Saml2_Auth.login_post
                 "signatureAlgorithm": conf.get(
@@ -283,7 +282,6 @@ def create_config_dict(self, conf):
                 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                 "x509cert": certificate,
                 "privateKey": privkey,
-                "privateKeyPassphrase": conf.get("key_passphrase", None),
             },
         }
 
@@ -412,7 +410,6 @@ def handle_logout_request(
                 logout_response,
                 self.saml2_settings.get_sp_key(),
                 self.saml2_settings.get_sp_cert(),
-                key_passphrase=self.saml2_settings.get_sp_key_passphrase(),
                 sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256,
                 digest_algorithm=OneLogin_Saml2_Constants.SHA256,
             )

digid_eherkenning/saml2/eherkenning.py

@@ -491,7 +491,6 @@ def create_config_dict(self, conf: EHerkenningConfig) -> EHerkenningSAMLConfig:
                     "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                     "x509cert": certificate,
                     "privateKey": privkey,
-                    "privateKeyPassphrase": conf.get("key_passphrase", None),
                 },
             }
         )

digid_eherkenning/types.py

@@ -32,7 +32,6 @@ class EHerkenningConfig(TypedDict):
     services: list[ServiceConfig]
     want_assertions_encrypted: str
     want_assertions_signed: str
-    key_passphrase: str
     signature_algorithm: str
     digest_algorithm: str
     technical_contact_person_telephone: Optional[str]