author | Tristan Schwieren <tristan.schwieren@tum.de> | 2022-04-21 16:34:25 +0200 |
---|---|---|
committer | Tristan Schwieren <tristan.schwieren@tum.de> | 2022-04-21 16:34:25 +0200 |
commit | 075a848ad51033061a29cf0f89142c7c62678084 (patch) | |
tree | 4932421257d4f04bdbd2f4269a93e3cc3dc8558c | |
parent | 3f9d7e4c487dfa28b43b6292d4bee28c5233d851 (diff) |
- jwa option RSA/HMAC
-rw-r--r-- | src/reclaim/oidc_helper.h | 8 | ||||
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 94 | ||||
-rw-r--r-- | src/reclaim/reclaim.conf | 3 |
3 files changed, 63 insertions, 42 deletions
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h index 12c99a7bc..ea106b4f2 100644 --- a/src/reclaim/oidc_helper.h +++ b/src/reclaim/oidc_helper.h @@ -28,14 +28,12 @@ #define JWT_H #define JWT_ALG "alg" - -/* Use 512bit HMAC */ -#define JWT_ALG_VALUE_HMAC "HS512" - #define JWT_TYP "typ" - #define JWT_TYP_VALUE "jwt" +#define JWT_ALG_VALUE_HMAC "HS512" +#define JWT_ALG_VALUE_RSA "RS256" + #define SERVER_ADDRESS "https://api.reclaim" enum OIDC_VerificationOptions diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index f76ced0cc..bb8e1cd1e 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c @@ -1,4 +1,4 @@ - +/* This file is part of GNUnet. Copyright (C) 2012-2018 GNUnet e.V. @@ -2068,7 +2068,7 @@ check_authorization (struct RequestHandle *handle, // check client password if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg, "reclaim-rest-plugin", - "OIDC_CLIENT_SECRET", + "OIDC_CLIENT_HMAC_SECRET", &expected_pass)) { if (0 != strcmp (expected_pass, received_cpw)) @@ -2161,6 +2161,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, char *json_response; char *id_token; char *access_token; + char *jwa; char *jwt_secret; char *nonce = NULL; char *code_verifier; 
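Review bot: The key rename from `OIDC_CLIENT_SECRET` to `OIDC_CLIENT_HMAC_SECRET` in check_authorization has no fallback to the old name, so a deployment that still sets `OIDC_CLIENT_SECRET` no longer enters the branch that compares the client password; whether the request is then rejected or the check is silently skipped depends on the code after the `if`, which is outside the hunk, and should be confirmed to fail closed. The new name also reads as if this were the HMAC signing key, while the value is the client's authentication secret and the signing key stays under `JWT_SECRET`; consider keeping `OIDC_CLIENT_SECRET` or adding a comment next to the key in reclaim.conf such as `# client authentication secret, not the JWT signing key (see JWT_SECRET)`. The reclaim.conf hunk carries the same rename.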
@@ -2272,45 +2273,66 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } - - // TODO OPTIONAL acr,amr,azp + // Check if HMAC or RSA should be used if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "reclaim-rest-plugin", - "jwt_secret", - &jwt_secret)) + "oidc_json_web_algorithm", + &jwa)) { - handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); - handle->edesc = GNUNET_strdup ("No signing secret configured!"); - handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; - GNUNET_free (code); - GNUNET_RECLAIM_attribute_list_destroy (cl); - GNUNET_RECLAIM_presentation_list_destroy (pl); - if (NULL != nonce) - GNUNET_free (nonce); - GNUNET_SCHEDULER_add_now (&do_error, handle); - return; + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + "Could not read OIDC JSON Web Algorithm config attribute." + "Defaulting to RS256."); + jwa = JWT_ALG_VALUE_RSA; + } + + if (strcmp(jwa, JWT_ALG_VALUE_RSA)) + { + // Replace for now + oidc_jwk_path = get_oidc_jwk_path (cls); + oidc_jwk = read_jwk_from_file (oidc_jwk_path); + id_token = OIDC_generate_id_token_rsa (&ticket.audience, + &ticket.identity, + cl, + pl, + &expiration_time, + (NULL != nonce) ? nonce : NULL, + oidc_jwk); + } + else if (strcmp(jwa, JWT_ALG_VALUE_HMAC)) + { + // TODO OPTIONAL acr,amr,azp + if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, + "reclaim-rest-plugin", + "jwt_secret", + &jwt_secret)) + { + handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); + handle->edesc = GNUNET_strdup ("No signing secret configured!"); + handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; + GNUNET_free (code); + GNUNET_RECLAIM_attribute_list_destroy (cl); + GNUNET_RECLAIM_presentation_list_destroy (pl); + if (NULL != nonce) + GNUNET_free (nonce); + GNUNET_SCHEDULER_add_now (&do_error, handle); + return; + } + + id_token = OIDC_generate_id_token_hmac (&ticket.audience, + &ticket.identity, + cl, + pl, + &expiration_time, + (NULL != nonce) ? 
nonce : NULL, + jwt_secret); + + GNUNET_free (jwt_secret); + } + else + { + // TODO: OPTION NOT FOUND ERROR } - // id_token = OIDC_generate_id_token_hmac (&ticket.audience, - // &ticket.identity, - // cl, - // pl, - // &expiration_time, - // (NULL != nonce) ? nonce : NULL, - // jwt_secret); - // Replace for now - // TODO: Add some kind of option for HMAC vs. RSA - oidc_jwk_path = get_oidc_jwk_path (cls); - oidc_jwk = read_jwk_from_file (oidc_jwk_path); - id_token = OIDC_generate_id_token_rsa (&ticket.audience, - &ticket.identity, - cl, - pl, - &expiration_time, - (NULL != nonce) ? nonce : NULL, - oidc_jwk); - - GNUNET_free (jwt_secret); if (NULL != nonce) GNUNET_free (nonce); access_token = OIDC_access_token_new (&ticket); diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf index 3192c6b9c..c685042db 100644 --- a/src/reclaim/reclaim.conf +++ b/src/reclaim/reclaim.conf @@ -14,7 +14,8 @@ TICKET_REFRESH_INTERVAL = 6h [reclaim-rest-plugin] #ADDRESS = https://identity.gnu:8000#/login ADDRESS = https://ui.reclaim/#/login -OIDC_CLIENT_SECRET = secret +OIDC_JSON_WEB_ALGORITHM = RS256 +OIDC_CLIENT_HMAC_SECRET = secret OIDC_DIR = $GNUNET_DATA_HOME/oidc JWT_SECRET = secret EXPIRATION_TIME = 1d |
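Review bot: Both `strcmp` tests in token_endpoint are inverted: `strcmp` returns 0 on a match, so `if (strcmp(jwa, JWT_ALG_VALUE_RSA))` takes the RSA branch for every value except RS256, a configured RS256 (and the RS256 fallback after the warning) lands in the HMAC branch, and the final `else` with its "OPTION NOT FOUND" TODO is unreachable. The conditions should read `if (0 == strcmp (jwa, JWT_ALG_VALUE_RSA))` and `else if (0 == strcmp (jwa, JWT_ALG_VALUE_HMAC))`. Once reachable, the `else` must fail the request with the same cleanup as the missing-jwt_secret path, otherwise execution continues into `OIDC_access_token_new` with `id_token` never assigned; an unrecognised signing algorithm in the operator's config should fail closed rather than silently pick one. `jwa` is also never released on any path: if `GNUNET_CONFIGURATION_get_value_string` hands back an allocated copy, as the existing `GNUNET_free (jwt_secret)` suggests, the fallback should become `jwa = GNUNET_strdup (JWT_ALG_VALUE_RSA)` so every exit can `GNUNET_free (jwa)` uniformly. token_endpoint begins and ends outside the hunk.
```c
    jwa = GNUNET_strdup (JWT_ALG_VALUE_RSA);
  }

  if (0 == strcmp (jwa, JWT_ALG_VALUE_RSA))
  {
    // … unchanged: RSA branch (get_oidc_jwk_path / OIDC_generate_id_token_rsa) …
  }
  else if (0 == strcmp (jwa, JWT_ALG_VALUE_HMAC))
  {
    // … unchanged: HMAC branch; add GNUNET_free (jwa) before its error return …
  }
  else
  {
    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
    handle->edesc = GNUNET_strdup ("Unsupported oidc_json_web_algorithm configured!");
    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
    GNUNET_free (jwa);
    GNUNET_free (code);
    GNUNET_RECLAIM_attribute_list_destroy (cl);
    GNUNET_RECLAIM_presentation_list_destroy (pl);
    if (NULL != nonce)
      GNUNET_free (nonce);
    GNUNET_SCHEDULER_add_now (&do_error, handle);
    return;
  }
  GNUNET_free (jwa);
  // … unchanged: nonce release and OIDC_access_token_new …
```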