authorTristan Schwieren <tristan.schwieren@tum.de>2022-05-06 14:45:23 +0200
committerTristan Schwieren <tristan.schwieren@tum.de>2022-05-06 14:45:23 +0200
commit924cfc619308fadce4d5a6aee6556759b2ca8eda (patch)
tree85a10214c311b617851d970bc531b88b94f6ae03
parenta37326ef5411ab5465e9a6b287bf2d4ada38a339 (diff)
- fix missing key file bug and add test
-rw-r--r--src/reclaim/oidc_helper.h2
-rw-r--r--src/reclaim/plugin_rest_openid_connect.c45
-rwxr-xr-xsrc/reclaim/test_jwks.sh30
3 files changed, 73 insertions, 4 deletions
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h
index ea106b4f2..b134c71ad 100644
--- a/src/reclaim/oidc_helper.h
+++ b/src/reclaim/oidc_helper.h
@@ -34,7 +34,7 @@
#define JWT_ALG_VALUE_HMAC "HS512"
#define JWT_ALG_VALUE_RSA "RS256"
-#define SERVER_ADDRESS "https://api.reclaim"
+#define SERVER_ADDRESS "http://localhost:7776"
enum OIDC_VerificationOptions
{
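Review bot: `#define SERVER_ADDRESS "http://localhost:7776"` replaces an https URL with a plain-http, host-specific value in a shared header, and nothing in the hunk shows where the macro is consumed; if it ends up as the issuer or base address embedded in issued tokens, a test-setup value is now baked into every build. I cannot see the uses of SERVER_ADDRESS from this hunk, so this may be intentional for local testing, but it would be safer to take the value from configuration or at least to mark it, e.g. `/* NOTE: local REST endpoint for testing (matches test_jwks.sh); not a deployment address */`.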
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index d2cbe047d..fd760b6c8 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -939,15 +939,14 @@ generate_jwk ()
}
/**
- * Return the path to the RSA JWK key file
+ * Return the path to the oidc directory path
*
* @param cls the RequestHandle
*/
char *
-get_oidc_jwk_path (void *cls)
+get_oidc_dir_path (void *cls)
{
char *oidc_directory;
- char *oidc_jwk_path;
struct RequestHandle *handle = cls;
// Read OIDC directory from config
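Review bot: The renamed doc comment `Return the path to the oidc directory path` is tautological and still lacks a @return line, although the function returns NULL when the config entry is missing (visible in the next hunk) and now has a second caller that needs to know who owns the returned string. I would write ` * Return the OIDC data directory read from the configuration` and add ` * @return the directory path, or NULL if it is not configured`, plus a statement of whether the caller must free it, which I cannot tell from the hunk. get_oidc_dir_path's body continues past the hunk.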
@@ -964,6 +963,22 @@ get_oidc_jwk_path (void *cls)
return NULL;
}
+ return oidc_directory;
+}
+
+/**
+ * Return the path to the RSA JWK key file
+ *
+ * @param cls the RequestHandle
+ */
+char *
+get_oidc_jwk_path (void *cls)
+{
+ char *oidc_directory;
+ char *oidc_jwk_path;
+
+ oidc_directory = get_oidc_dir_path(cls);
+
// Create path to file
GNUNET_asprintf (&oidc_jwk_path, "%s/%s", oidc_directory,
OIDC_JWK_RSA_FILENAME);
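Review bot: `oidc_directory = get_oidc_dir_path(cls);` is followed directly by the `GNUNET_asprintf` that uses it as a `%s` argument, but get_oidc_dir_path returns NULL when the directory is not configured (the `return NULL;` at the top of this hunk), so a missing config entry now formats a NULL pointer instead of bailing out as the old single function did. Add `if (NULL == oidc_directory) return NULL;` right after the call. Whether oidc_directory is still freed after the asprintf lies outside the hunk; if it is, that ownership belongs in get_oidc_dir_path's doc comment. get_oidc_jwk_path's body continues past the hunk.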
@@ -2167,6 +2182,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
char *code_verifier;
json_t *oidc_jwk;
char *oidc_jwk_path;
+ char *oidc_directory;
/*
* Check Authorization
@@ -2290,6 +2306,28 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
// Replace for now
oidc_jwk_path = get_oidc_jwk_path (cls);
oidc_jwk = read_jwk_from_file (oidc_jwk_path);
+
+ // Check if secret JWK exists
+ if (! oidc_jwk)
+ {
+ // Generate and save a new key
+ oidc_jwk = generate_jwk ();
+ oidc_directory = get_oidc_dir_path(cls);
+
+ // Create new oidc directory
+ if (GNUNET_OK != GNUNET_DISK_directory_create (oidc_directory))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ ("Failed to create directory `%s' for storing oidc data\n"),
+ oidc_directory);
+ }
+ else
+ {
+ write_jwk_to_file (oidc_jwk_path, oidc_jwk);
+ }
+ }
+
+ // Generate oidc token
id_token = OIDC_generate_id_token_rsa (&ticket.audience,
&ticket.identity,
cl,
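Review bot: `oidc_directory = get_oidc_dir_path(cls);` feeds GNUNET_DISK_directory_create and the error log's `%s` without a NULL check, although get_oidc_dir_path returns NULL when the directory is not configured (visible in the earlier hunk); the same unchecked call is added in jwks_endpoint in the last hunk of this file. When directory creation fails the handler only logs and then goes on to sign the id_token with a freshly generated key that was never written to disk, so that token cannot be verified against whatever jwks_endpoint later serves — the request should fail instead of issuing an unverifiable token, and the same applies if generate_jwk returns NULL, which is not checked either. Since this block is now duplicated verbatim between token_endpoint and jwks_endpoint, it would be cleaner as one static helper that returns the persisted key or NULL. token_endpoint starts and ends outside the hunk and its error-return convention is not visible here, so the bail-out below is left as a comment.
```c
  // Check if secret JWK exists
  if (! oidc_jwk)
  {
    // Generate and save a new key
    oidc_jwk = generate_jwk ();
    oidc_directory = get_oidc_dir_path (cls);
    if ((NULL == oidc_jwk) || (NULL == oidc_directory) ||
        (GNUNET_OK != GNUNET_DISK_directory_create (oidc_directory)))
    {
      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                  ("Failed to create directory `%s' for storing oidc data\n"),
                  (NULL == oidc_directory) ? "(unset)" : oidc_directory);
      /* … fail the request through the handler's error path here; do not fall through to signing … */
    }
    else
    {
      write_jwk_to_file (oidc_jwk_path, oidc_jwk);
    }
  }
  /* … unchanged: OIDC_generate_id_token_rsa call … */
```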
@@ -2652,6 +2690,7 @@ jwks_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
{
// Generate and save a new key
oidc_jwk = generate_jwk ();
+ oidc_directory = get_oidc_dir_path(cls);
// Create new oidc directory
if (GNUNET_OK != GNUNET_DISK_directory_create (oidc_directory))
diff --git a/src/reclaim/test_jwks.sh b/src/reclaim/test_jwks.sh
new file mode 100755
index 000000000..358ee941a
--- /dev/null
+++ b/src/reclaim/test_jwks.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/bash
+
+gnunet-arm -s
+gnunet-arm -k rest
+/usr/local/lib/gnunet/libexec/gnunet-rest-server &
+
+# Test key generation, write, read
+rm ~/.local/share/gnunet/oidc/jwk_rsa.json
+jwk1=$(curl -s localhost:7776/jwks.json)
+jwk2=$(curl -s localhost:7776/jwks.json)
+
+if [ "$jwk1" == "$jwk2" ]; then
+ echo "keys are equal"
+else
+ echo "keys are not equal"
+fi
+
+# check if kty and e field are correct and if the key has at least 2048 bit entropy
+kty=$(echo $jwk1 | jq -r '.kty')
+e=$(echo $jwk1 | jq -r '.e')
+n_len=$(echo $jwk1 | jq -r '.n' | wc -c)
+
+if [ "$kty" == "RSA" ] && [ "$e" == "AQAB" ] && [ $(("$n_len"*6)) -gt "2048" ]; then
+ echo "Valid Key"
+else
+ echo "Not a valid key"
+fi
+
+killall gnunet-rest-server
+gnunet-arm -e \ No newline at end of file
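Review bot: The script cannot fail: each check only echoes "keys are not equal" or "Not a valid key", and the exit status is that of the final `gnunet-arm -e`, so a test runner reports success even on a broken key. Track the outcome and exit with it, e.g. `fail=0` before the checks, `fail=1` in each else-branch, and `exit "$fail"` after `gnunet-arm -e`. The `rm` of the key file should be `rm -f` so a first run without an existing key does not print an error, and since `wc -c` counts the trailing newline, `$(("$n_len"*6))` is a rough base64url-length check rather than the "2048 bit entropy" the comment claims — the comment should say it checks the encoded modulus length.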