diff options
| author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-20 08:39:06 +0200 |
|---|---|---|
| committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-20 08:39:06 +0200 |
| commit | f89b96d1a0ffe8359fbbda6ea3276a030a701e91 (patch) | |
| tree | c26189923ed5697e282a3a26be7fa1356f23a88a | |
| parent | 4fd677cec39e5621d16bc2c63926b803b31582e3 (diff) | |
| download | gnunet-f89b96d1a0ffe8359fbbda6ea3276a030a701e91.tar.gz gnunet-f89b96d1a0ffe8359fbbda6ea3276a030a701e91.zip | |
remove trust check; we don't need (and thus implicity may slighly deviate from rfc)
| -rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 111 |
1 files changed, 3 insertions, 108 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index abb3f59f5..9b7cf0205 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
| @@ -230,12 +230,6 @@ struct OIDC_Variables | |||
| 230 | char *client_id; | 230 | char *client_id; |
| 231 | 231 | ||
| 232 | /** | 232 | /** |
| 233 | * GNUNET_YES if there is a delegation to | ||
| 234 | * this RP or if it is a local identity | ||
| 235 | */ | ||
| 236 | int is_client_trusted; | ||
| 237 | |||
| 238 | /** | ||
| 239 | * The OIDC redirect uri | 233 | * The OIDC redirect uri |
| 240 | */ | 234 | */ |
| 241 | char *redirect_uri; | 235 | char *redirect_uri; |
| @@ -1027,69 +1021,13 @@ login_check (void *cls) | |||
| 1027 | } | 1021 | } |
| 1028 | 1022 | ||
| 1029 | /** | 1023 | /** |
| 1030 | * Searches for client_id in namestore. If found trust status stored in handle | ||
| 1031 | * Else continues to search | ||
| 1032 | * | ||
| 1033 | * @param handle the RequestHandle | ||
| 1034 | */ | ||
| 1035 | static void | ||
| 1036 | namestore_iteration_callback ( | ||
| 1037 | void *cls, const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key, | ||
| 1038 | const char *rname, unsigned int rd_len, | ||
| 1039 | const struct GNUNET_GNSRECORD_Data *rd) | ||
| 1040 | { | ||
| 1041 | struct RequestHandle *handle = cls; | ||
| 1042 | struct GNUNET_CRYPTO_EcdsaPublicKey login_identity_pkey; | ||
| 1043 | struct GNUNET_CRYPTO_EcdsaPublicKey current_zone_pkey; | ||
| 1044 | int i; | ||
| 1045 | |||
| 1046 | for (i = 0; i < rd_len; i++) | ||
| 1047 | { | ||
| 1048 | if ( GNUNET_GNSRECORD_TYPE_PKEY != rd[i].record_type ) | ||
| 1049 | continue; | ||
| 1050 | |||
| 1051 | if ( NULL != handle->oidc->login_identity ) | ||
| 1052 | { | ||
| 1053 | GNUNET_CRYPTO_ecdsa_public_key_from_string ( | ||
| 1054 | handle->oidc->login_identity, | ||
| 1055 | strlen (handle->oidc->login_identity), | ||
| 1056 | &login_identity_pkey); | ||
| 1057 | GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, | ||
| 1058 | ¤t_zone_pkey); | ||
| 1059 | |||
| 1060 | if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, | ||
| 1061 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
| 1062 | { | ||
| 1063 | if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey, | ||
| 1064 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
| 1065 | { | ||
| 1066 | handle->oidc->is_client_trusted = GNUNET_YES; | ||
| 1067 | } | ||
| 1068 | } | ||
| 1069 | } | ||
| 1070 | else | ||
| 1071 | { | ||
| 1072 | if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, | ||
| 1073 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
| 1074 | { | ||
| 1075 | handle->oidc->is_client_trusted = GNUNET_YES; | ||
| 1076 | } | ||
| 1077 | } | ||
| 1078 | } | ||
| 1079 | |||
| 1080 | GNUNET_NAMESTORE_zone_iterator_next (handle->namestore_handle_it, | ||
| 1081 | 1); | ||
| 1082 | } | ||
| 1083 | |||
| 1084 | |||
| 1085 | /** | ||
| 1086 | * Iteration over all results finished, build final | 1024 | * Iteration over all results finished, build final |
| 1087 | * response. | 1025 | * response. |
| 1088 | * | 1026 | * |
| 1089 | * @param cls the `struct RequestHandle` | 1027 | * @param cls the `struct RequestHandle` |
| 1090 | */ | 1028 | */ |
| 1091 | static void | 1029 | static void |
| 1092 | namestore_iteration_finished (void *cls) | 1030 | build_authz_response (void *cls) |
| 1093 | { | 1031 | { |
| 1094 | struct RequestHandle *handle = cls; | 1032 | struct RequestHandle *handle = cls; |
| 1095 | struct GNUNET_HashCode cache_key; | 1033 | struct GNUNET_HashCode cache_key; |
| @@ -1099,25 +1037,6 @@ namestore_iteration_finished (void *cls) | |||
| 1099 | int number_of_ignored_parameter, iterator; | 1037 | int number_of_ignored_parameter, iterator; |
| 1100 | 1038 | ||
| 1101 | 1039 | ||
| 1102 | handle->ego_entry = handle->ego_entry->next; | ||
| 1103 | |||
| 1104 | if(NULL != handle->ego_entry) | ||
| 1105 | { | ||
| 1106 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | ||
| 1107 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (handle->namestore_handle, &handle->priv_key, | ||
| 1108 | &oidc_iteration_error, handle, &namestore_iteration_callback, handle, | ||
| 1109 | &namestore_iteration_finished, handle); | ||
| 1110 | return; | ||
| 1111 | } | ||
| 1112 | if (GNUNET_NO == handle->oidc->is_client_trusted) | ||
| 1113 | { | ||
| 1114 | handle->emsg = GNUNET_strdup("unauthorized_client"); | ||
| 1115 | handle->edesc = GNUNET_strdup("The client is not authorized to request an " | ||
| 1116 | "authorization code using this method."); | ||
| 1117 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
| 1118 | return; | ||
| 1119 | } | ||
| 1120 | |||
| 1121 | // REQUIRED value: redirect_uri | 1040 | // REQUIRED value: redirect_uri |
| 1122 | GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), | 1041 | GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), |
| 1123 | &cache_key); | 1042 | &cache_key); |
| @@ -1246,9 +1165,6 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1246 | { | 1165 | { |
| 1247 | struct RequestHandle *handle = cls; | 1166 | struct RequestHandle *handle = cls; |
| 1248 | struct GNUNET_HashCode cache_key; | 1167 | struct GNUNET_HashCode cache_key; |
| 1249 | struct EgoEntry *tmp_ego; | ||
| 1250 | struct GNUNET_CRYPTO_EcdsaPublicKey pkey; | ||
| 1251 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key; | ||
| 1252 | 1168 | ||
| 1253 | cookie_identity_interpretation(handle); | 1169 | cookie_identity_interpretation(handle); |
| 1254 | 1170 | ||
| @@ -1302,29 +1218,8 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1302 | 1218 | ||
| 1303 | handle->ego_entry = handle->ego_head; | 1219 | handle->ego_entry = handle->ego_head; |
| 1304 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego); | 1220 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego); |
| 1305 | handle->oidc->is_client_trusted = GNUNET_NO; | 1221 | |
| 1306 | 1222 | GNUNET_SCHEDULER_add_now (&build_authz_response, handle); | |
| 1307 | //First check if client_id is one of our egos; TODO: handle other TLD cases: Delegation, from config | ||
| 1308 | for (tmp_ego = handle->ego_head; NULL != tmp_ego; tmp_ego = tmp_ego->next) | ||
| 1309 | { | ||
| 1310 | priv_key = GNUNET_IDENTITY_ego_get_private_key (tmp_ego->ego); | ||
| 1311 | GNUNET_CRYPTO_ecdsa_key_get_public (priv_key, | ||
| 1312 | &pkey); | ||
| 1313 | if ( 0 == memcmp (&pkey, &handle->oidc->client_pkey, | ||
| 1314 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | ||
| 1315 | { | ||
| 1316 | handle->tld = GNUNET_strdup (tmp_ego->identifier); | ||
| 1317 | handle->oidc->is_client_trusted = GNUNET_YES; | ||
| 1318 | handle->ego_entry = handle->ego_tail; | ||
| 1319 | } | ||
| 1320 | } | ||
| 1321 | |||
| 1322 | |||
| 1323 | // Checks if client_id is valid: | ||
| 1324 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start ( | ||
| 1325 | handle->namestore_handle, &handle->priv_key, &oidc_iteration_error, | ||
| 1326 | handle, &namestore_iteration_callback, handle, | ||
| 1327 | &namestore_iteration_finished, handle); | ||
| 1328 | } | 1223 | } |
| 1329 | 1224 | ||
| 1330 | /** | 1225 | /** |