authorTristan Schwieren <tristan.schwieren@tum.de>2022-04-21 16:34:25 +0200
committerTristan Schwieren <tristan.schwieren@tum.de>2022-04-21 16:34:25 +0200
commit075a848ad51033061a29cf0f89142c7c62678084 (patch)
tree4932421257d4f04bdbd2f4269a93e3cc3dc8558c
parent3f9d7e4c487dfa28b43b6292d4bee28c5233d851 (diff)
- jwa option RSA/HMAC
-rw-r--r--src/reclaim/oidc_helper.h8
-rw-r--r--src/reclaim/plugin_rest_openid_connect.c94
-rw-r--r--src/reclaim/reclaim.conf3
3 files changed, 63 insertions, 42 deletions
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h
index 12c99a7bc..ea106b4f2 100644
--- a/src/reclaim/oidc_helper.h
+++ b/src/reclaim/oidc_helper.h
@@ -28,14 +28,12 @@
#define JWT_H
#define JWT_ALG "alg"
-
-/* Use 512bit HMAC */
-#define JWT_ALG_VALUE_HMAC "HS512"
-
#define JWT_TYP "typ"
-
#define JWT_TYP_VALUE "jwt"
+#define JWT_ALG_VALUE_HMAC "HS512"
+#define JWT_ALG_VALUE_RSA "RS256"
+
#define SERVER_ADDRESS "https://api.reclaim"
enum OIDC_VerificationOptions
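Review bot: The new `JWT_ALG_VALUE_HMAC`/`JWT_ALG_VALUE_RSA` pair at the end of the hunk is left without any comment, and the move drops the only explanation the old `HS512` define had (`/* Use 512bit HMAC */`). Since these strings are both the JOSE `alg` header value and the accepted values of a configuration option, a one-line comment above them would save the next reader a trip into the plugin: `/* JWS "alg" values; selected by the oidc_json_web_algorithm option of [reclaim-rest-plugin] */`. The option name is taken from the accompanying plugin change, so confirm it if that key is renamed again.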
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index f76ced0cc..bb8e1cd1e 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -1,4 +1,4 @@
-
+/*
This file is part of GNUnet.
Copyright (C) 2012-2018 GNUnet e.V.
@@ -2068,7 +2068,7 @@ check_authorization (struct RequestHandle *handle,
// check client password
if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
"reclaim-rest-plugin",
- "OIDC_CLIENT_SECRET",
+ "OIDC_CLIENT_HMAC_SECRET",
&expected_pass))
{
if (0 != strcmp (expected_pass, received_cpw))
@@ -2161,6 +2161,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
char *json_response;
char *id_token;
char *access_token;
+ char *jwa;
char *jwt_secret;
char *nonce = NULL;
char *code_verifier;
@@ -2272,45 +2273,66 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
return;
}
-
- // TODO OPTIONAL acr,amr,azp
+ // Check if HMAC or RSA should be used
if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
"reclaim-rest-plugin",
- "jwt_secret",
- &jwt_secret))
+ "oidc_json_web_algorithm",
+ &jwa))
{
- handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
- handle->edesc = GNUNET_strdup ("No signing secret configured!");
- handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
- GNUNET_free (code);
- GNUNET_RECLAIM_attribute_list_destroy (cl);
- GNUNET_RECLAIM_presentation_list_destroy (pl);
- if (NULL != nonce)
- GNUNET_free (nonce);
- GNUNET_SCHEDULER_add_now (&do_error, handle);
- return;
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "Could not read OIDC JSON Web Algorithm config attribute."
+ "Defaulting to RS256.");
+ jwa = JWT_ALG_VALUE_RSA;
+ }
+
+ if (strcmp(jwa, JWT_ALG_VALUE_RSA))
+ {
+ // Replace for now
+ oidc_jwk_path = get_oidc_jwk_path (cls);
+ oidc_jwk = read_jwk_from_file (oidc_jwk_path);
+ id_token = OIDC_generate_id_token_rsa (&ticket.audience,
+ &ticket.identity,
+ cl,
+ pl,
+ &expiration_time,
+ (NULL != nonce) ? nonce : NULL,
+ oidc_jwk);
+ }
+ else if (strcmp(jwa, JWT_ALG_VALUE_HMAC))
+ {
+ // TODO OPTIONAL acr,amr,azp
+ if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
+ "reclaim-rest-plugin",
+ "jwt_secret",
+ &jwt_secret))
+ {
+ handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
+ handle->edesc = GNUNET_strdup ("No signing secret configured!");
+ handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+ GNUNET_free (code);
+ GNUNET_RECLAIM_attribute_list_destroy (cl);
+ GNUNET_RECLAIM_presentation_list_destroy (pl);
+ if (NULL != nonce)
+ GNUNET_free (nonce);
+ GNUNET_SCHEDULER_add_now (&do_error, handle);
+ return;
+ }
+
+ id_token = OIDC_generate_id_token_hmac (&ticket.audience,
+ &ticket.identity,
+ cl,
+ pl,
+ &expiration_time,
+ (NULL != nonce) ? nonce : NULL,
+ jwt_secret);
+
+ GNUNET_free (jwt_secret);
+ }
+ else
+ {
+ // TODO: OPTION NOT FOUND ERROR
}
- // id_token = OIDC_generate_id_token_hmac (&ticket.audience,
- // &ticket.identity,
- // cl,
- // pl,
- // &expiration_time,
- // (NULL != nonce) ? nonce : NULL,
- // jwt_secret);
- // Replace for now
- // TODO: Add some kind of option for HMAC vs. RSA
- oidc_jwk_path = get_oidc_jwk_path (cls);
- oidc_jwk = read_jwk_from_file (oidc_jwk_path);
- id_token = OIDC_generate_id_token_rsa (&ticket.audience,
- &ticket.identity,
- cl,
- pl,
- &expiration_time,
- (NULL != nonce) ? nonce : NULL,
- oidc_jwk);
-
- GNUNET_free (jwt_secret);
if (NULL != nonce)
GNUNET_free (nonce);
access_token = OIDC_access_token_new (&ticket);
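Review bot: Both algorithm tests, `if (strcmp(jwa, JWT_ALG_VALUE_RSA))` and `else if (strcmp(jwa, JWT_ALG_VALUE_HMAC))`, are inverted because strcmp returns 0 on a match: with the shipped default of RS256 control reaches the empty `else`, where id_token is never assigned, and a configured HS512 is signed with the RSA key instead. That empty `else` (marked `// TODO: OPTION NOT FOUND ERROR`) also continues into the response path with an uninitialised id_token and leaks code, cl, pl and nonce, so it should fail the request the same way the missing-jwt_secret path does. The fallback `jwa = JWT_ALG_VALUE_RSA;` stores a string literal in a pointer that otherwise owns a GNUNET_CONFIGURATION_get_value_string allocation, and jwa is freed on no path in this hunk; duplicating the default with GNUNET_strdup gives jwa a single owner (the warning text also lacks a space between its two literals). I cannot see read_jwk_from_file, so whether oidc_jwk needs a NULL check before OIDC_generate_id_token_rsa is worth confirming; token_endpoint starts and ends outside this hunk.
```c
  // Check if HMAC or RSA should be used
  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
                                                          "reclaim-rest-plugin",
                                                          "oidc_json_web_algorithm",
                                                          &jwa))
  {
    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                "Could not read OIDC JSON Web Algorithm config attribute. "
                "Defaulting to RS256.");
    /* jwa is always heap-owned so it can be freed unconditionally below */
    jwa = GNUNET_strdup (JWT_ALG_VALUE_RSA);
  }

  if (0 == strcmp (jwa, JWT_ALG_VALUE_RSA))
  {
    /* … unchanged: RSA branch … */
  }
  else if (0 == strcmp (jwa, JWT_ALG_VALUE_HMAC))
  {
    /* … unchanged: HMAC branch (add GNUNET_free (jwa) before its early return) … */
  }
  else
  {
    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
    handle->edesc = GNUNET_strdup ("Unsupported JSON Web Algorithm configured!");
    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
    GNUNET_free (jwa);
    GNUNET_free (code);
    GNUNET_RECLAIM_attribute_list_destroy (cl);
    GNUNET_RECLAIM_presentation_list_destroy (pl);
    if (NULL != nonce)
      GNUNET_free (nonce);
    GNUNET_SCHEDULER_add_now (&do_error, handle);
    return;
  }
  GNUNET_free (jwa);
```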
diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf
index 3192c6b9c..c685042db 100644
--- a/src/reclaim/reclaim.conf
+++ b/src/reclaim/reclaim.conf
@@ -14,7 +14,8 @@ TICKET_REFRESH_INTERVAL = 6h
[reclaim-rest-plugin]
#ADDRESS = https://identity.gnu:8000#/login
ADDRESS = https://ui.reclaim/#/login
-OIDC_CLIENT_SECRET = secret
+OIDC_JSON_WEB_ALGORITHM = RS256
+OIDC_CLIENT_HMAC_SECRET = secret
OIDC_DIR = $GNUNET_DATA_HOME/oidc
JWT_SECRET = secret
EXPIRATION_TIME = 1d
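Review bot: The new key name `OIDC_CLIENT_HMAC_SECRET` conflates two different secrets: the value is the password the OIDC client presents to the token endpoint (check_authorization compares it against the received client password), while the HMAC signing key for HS512 id_tokens is the separate `JWT_SECRET` two lines below. Renaming the key also silently invalidates existing deployments that still set OIDC_CLIENT_SECRET; what the plugin does when the key is absent is outside this diff, so that effect should be confirmed. At minimum the two options deserve comments so operators do not confuse them, e.g. `# Password the OIDC client must present at the token endpoint (formerly OIDC_CLIENT_SECRET)` and, above the new algorithm line, `# id_token signature algorithm: RS256 (JWK file) or HS512 (keyed with JWT_SECRET)`. The placeholder value `secret` shipped for the new key should also be called out as a must-change, since with HS512 a guessable JWT_SECRET lets anyone mint valid id_tokens.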