diff options
author | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-04-15 09:55:48 +0200 |
---|---|---|
committer | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-04-15 09:55:48 +0200 |
commit | ae5e3e047c357de816f54ba53722b7444a7cae82 (patch) | |
tree | e1133bcc3064e1d002db9f2f71aea5c66bc33ba0 /src/reclaim/oidc_helper.c | |
parent | 77494b746ad3baa510ddf751c046b0fa802bfd5f (diff) | |
download | gnunet-ae5e3e047c357de816f54ba53722b7444a7cae82.tar.gz gnunet-ae5e3e047c357de816f54ba53722b7444a7cae82.zip |
RECLAIM/REST: update style
Diffstat (limited to 'src/reclaim/oidc_helper.c')
-rw-r--r-- | src/reclaim/oidc_helper.c | 317 |
1 files changed, 136 insertions, 181 deletions
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c index 646e58551..750b276a4 100644 --- a/src/reclaim/oidc_helper.c +++ b/src/reclaim/oidc_helper.c | |||
@@ -11,7 +11,7 @@ | |||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | 11 | WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
13 | Affero General Public License for more details. | 13 | Affero General Public License for more details. |
14 | 14 | ||
15 | You should have received a copy of the GNU Affero General Public License | 15 | You should have received a copy of the GNU Affero General Public License |
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | 16 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
17 | 17 | ||
@@ -24,16 +24,17 @@ | |||
24 | * @author Martin Schanzenbach | 24 | * @author Martin Schanzenbach |
25 | */ | 25 | */ |
26 | #include "platform.h" | 26 | #include "platform.h" |
27 | #include <inttypes.h> | ||
28 | #include <jansson.h> | ||
29 | |||
27 | #include "gnunet_util_lib.h" | 30 | #include "gnunet_util_lib.h" |
28 | #include "gnunet_signatures.h" | 31 | |
29 | #include "gnunet_reclaim_service.h" | ||
30 | #include "gnunet_reclaim_attribute_lib.h" | 32 | #include "gnunet_reclaim_attribute_lib.h" |
31 | #include <jansson.h> | 33 | #include "gnunet_reclaim_service.h" |
32 | #include <inttypes.h> | 34 | #include "gnunet_signatures.h" |
33 | #include "oidc_helper.h" | 35 | #include "oidc_helper.h" |
34 | 36 | static char * | |
35 | static char* | 37 | create_jwt_header (void) |
36 | create_jwt_header(void) | ||
37 | { | 38 | { |
38 | json_t *root; | 39 | json_t *root; |
39 | char *json_str; | 40 | char *json_str; |
@@ -42,29 +43,30 @@ create_jwt_header(void) | |||
42 | json_object_set_new (root, JWT_ALG, json_string (JWT_ALG_VALUE)); | 43 | json_object_set_new (root, JWT_ALG, json_string (JWT_ALG_VALUE)); |
43 | json_object_set_new (root, JWT_TYP, json_string (JWT_TYP_VALUE)); | 44 | json_object_set_new (root, JWT_TYP, json_string (JWT_TYP_VALUE)); |
44 | 45 | ||
45 | json_str = json_dumps (root, JSON_INDENT(0) | JSON_COMPACT); | 46 | json_str = json_dumps (root, JSON_INDENT (0) | JSON_COMPACT); |
46 | json_decref (root); | 47 | json_decref (root); |
47 | return json_str; | 48 | return json_str; |
48 | } | 49 | } |
49 | 50 | ||
50 | static void | 51 | static void |
51 | replace_char(char* str, char find, char replace){ | 52 | replace_char (char *str, char find, char replace) |
52 | char *current_pos = strchr(str,find); | 53 | { |
53 | while (current_pos){ | 54 | char *current_pos = strchr (str, find); |
55 | while (current_pos) { | ||
54 | *current_pos = replace; | 56 | *current_pos = replace; |
55 | current_pos = strchr(current_pos,find); | 57 | current_pos = strchr (current_pos, find); |
56 | } | 58 | } |
57 | } | 59 | } |
58 | 60 | ||
59 | //RFC4648 | 61 | // RFC4648 |
60 | static void | 62 | static void |
61 | fix_base64(char* str) { | 63 | fix_base64 (char *str) |
62 | //Replace + with - | 64 | { |
65 | // Replace + with - | ||
63 | replace_char (str, '+', '-'); | 66 | replace_char (str, '+', '-'); |
64 | 67 | ||
65 | //Replace / with _ | 68 | // Replace / with _ |
66 | replace_char (str, '/', '_'); | 69 | replace_char (str, '/', '_'); |
67 | |||
68 | } | 70 | } |
69 | 71 | ||
70 | /** | 72 | /** |
@@ -77,90 +79,78 @@ fix_base64(char* str) { | |||
77 | * @param secret_key the key used to sign the JWT | 79 | * @param secret_key the key used to sign the JWT |
78 | * @return a new base64-encoded JWT string. | 80 | * @return a new base64-encoded JWT string. |
79 | */ | 81 | */ |
80 | char* | 82 | char * |
81 | OIDC_id_token_new (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | 83 | OIDC_id_token_new (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, |
82 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, | 84 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, |
83 | const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, | 85 | const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, |
84 | const struct GNUNET_TIME_Relative *expiration_time, | 86 | const struct GNUNET_TIME_Relative *expiration_time, |
85 | const char *nonce, | 87 | const char *nonce, const char *secret_key) |
86 | const char *secret_key) | ||
87 | { | 88 | { |
88 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; | 89 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; |
89 | struct GNUNET_HashCode signature; | 90 | struct GNUNET_HashCode signature; |
90 | struct GNUNET_TIME_Absolute exp_time; | 91 | struct GNUNET_TIME_Absolute exp_time; |
91 | struct GNUNET_TIME_Absolute time_now; | 92 | struct GNUNET_TIME_Absolute time_now; |
92 | char* audience; | 93 | char *audience; |
93 | char* subject; | 94 | char *subject; |
94 | char* header; | 95 | char *header; |
95 | char* body_str; | 96 | char *body_str; |
96 | char* result; | 97 | char *result; |
97 | char* header_base64; | 98 | char *header_base64; |
98 | char* body_base64; | 99 | char *body_base64; |
99 | char* signature_target; | 100 | char *signature_target; |
100 | char* signature_base64; | 101 | char *signature_base64; |
101 | char* attr_val_str; | 102 | char *attr_val_str; |
102 | json_t* body; | 103 | json_t *body; |
103 | 104 | ||
104 | //iat REQUIRED time now | 105 | // iat REQUIRED time now |
105 | time_now = GNUNET_TIME_absolute_get(); | 106 | time_now = GNUNET_TIME_absolute_get (); |
106 | //exp REQUIRED time expired from config | 107 | // exp REQUIRED time expired from config |
107 | exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time); | 108 | exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time); |
108 | //auth_time only if max_age | 109 | // auth_time only if max_age |
109 | //nonce only if nonce | 110 | // nonce only if nonce |
110 | // OPTIONAL acr,amr,azp | 111 | // OPTIONAL acr,amr,azp |
111 | subject = GNUNET_STRINGS_data_to_string_alloc (sub_key, | 112 | subject = GNUNET_STRINGS_data_to_string_alloc ( |
112 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); | 113 | sub_key, sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); |
113 | audience = GNUNET_STRINGS_data_to_string_alloc (aud_key, | 114 | audience = GNUNET_STRINGS_data_to_string_alloc ( |
114 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); | 115 | aud_key, sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); |
115 | header = create_jwt_header (); | 116 | header = create_jwt_header (); |
116 | body = json_object (); | 117 | body = json_object (); |
117 | 118 | ||
118 | //iss REQUIRED case sensitive server uri with https | 119 | // iss REQUIRED case sensitive server uri with https |
119 | //The issuer is the local reclaim instance (e.g. https://reclaim.id/api/openid) | 120 | // The issuer is the local reclaim instance (e.g. |
120 | json_object_set_new (body, | 121 | // https://reclaim.id/api/openid) |
121 | "iss", json_string (SERVER_ADDRESS)); | 122 | json_object_set_new (body, "iss", json_string (SERVER_ADDRESS)); |
122 | //sub REQUIRED public key identity, not exceed 255 ASCII length | 123 | // sub REQUIRED public key identity, not exceed 255 ASCII length |
123 | json_object_set_new (body, | 124 | json_object_set_new (body, "sub", json_string (subject)); |
124 | "sub", json_string (subject)); | 125 | // aud REQUIRED public key client_id must be there |
125 | //aud REQUIRED public key client_id must be there | 126 | json_object_set_new (body, "aud", json_string (audience)); |
126 | json_object_set_new (body, | 127 | // iat |
127 | "aud", json_string (audience)); | 128 | json_object_set_new (body, "iat", |
128 | //iat | 129 | json_integer (time_now.abs_value_us / (1000 * 1000))); |
129 | json_object_set_new (body, | 130 | // exp |
130 | "iat", json_integer (time_now.abs_value_us / (1000*1000))); | 131 | json_object_set_new (body, "exp", |
131 | //exp | 132 | json_integer (exp_time.abs_value_us / (1000 * 1000))); |
132 | json_object_set_new (body, | 133 | // nbf |
133 | "exp", json_integer (exp_time.abs_value_us / (1000*1000))); | 134 | json_object_set_new (body, "nbf", |
134 | //nbf | 135 | json_integer (time_now.abs_value_us / (1000 * 1000))); |
135 | json_object_set_new (body, | 136 | // nonce |
136 | "nbf", json_integer (time_now.abs_value_us / (1000*1000))); | ||
137 | //nonce | ||
138 | if (NULL != nonce) | 137 | if (NULL != nonce) |
139 | json_object_set_new (body, | 138 | json_object_set_new (body, "nonce", json_string (nonce)); |
140 | "nonce", json_string (nonce)); | 139 | |
141 | 140 | for (le = attrs->list_head; NULL != le; le = le->next) { | |
142 | for (le = attrs->list_head; NULL != le; le = le->next) | 141 | attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string ( |
143 | { | 142 | le->claim->type, le->claim->data, le->claim->data_size); |
144 | attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type, | 143 | json_object_set_new (body, le->claim->name, json_string (attr_val_str)); |
145 | le->claim->data, | ||
146 | le->claim->data_size); | ||
147 | json_object_set_new (body, | ||
148 | le->claim->name, | ||
149 | json_string (attr_val_str)); | ||
150 | GNUNET_free (attr_val_str); | 144 | GNUNET_free (attr_val_str); |
151 | } | 145 | } |
152 | body_str = json_dumps (body, JSON_INDENT(0) | JSON_COMPACT); | 146 | body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT); |
153 | json_decref (body); | 147 | json_decref (body); |
154 | 148 | ||
155 | GNUNET_STRINGS_base64_encode (header, | 149 | GNUNET_STRINGS_base64_encode (header, strlen (header), &header_base64); |
156 | strlen (header), | 150 | fix_base64 (header_base64); |
157 | &header_base64); | ||
158 | fix_base64(header_base64); | ||
159 | 151 | ||
160 | GNUNET_STRINGS_base64_encode (body_str, | 152 | GNUNET_STRINGS_base64_encode (body_str, strlen (body_str), &body_base64); |
161 | strlen (body_str), | 153 | fix_base64 (body_base64); |
162 | &body_base64); | ||
163 | fix_base64(body_base64); | ||
164 | 154 | ||
165 | GNUNET_free (subject); | 155 | GNUNET_free (subject); |
166 | GNUNET_free (audience); | 156 | GNUNET_free (audience); |
@@ -170,14 +160,15 @@ OIDC_id_token_new (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
170 | * standards compliant, check. | 160 | * standards compliant, check. |
171 | */ | 161 | */ |
172 | GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64); | 162 | GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64); |
173 | GNUNET_CRYPTO_hmac_raw (secret_key, strlen (secret_key), signature_target, strlen (signature_target), &signature); | 163 | GNUNET_CRYPTO_hmac_raw (secret_key, strlen (secret_key), signature_target, |
174 | GNUNET_STRINGS_base64_encode ((const char*)&signature, | 164 | strlen (signature_target), &signature); |
165 | GNUNET_STRINGS_base64_encode ((const char *)&signature, | ||
175 | sizeof (struct GNUNET_HashCode), | 166 | sizeof (struct GNUNET_HashCode), |
176 | &signature_base64); | 167 | &signature_base64); |
177 | fix_base64(signature_base64); | 168 | fix_base64 (signature_base64); |
178 | 169 | ||
179 | GNUNET_asprintf (&result, "%s.%s.%s", | 170 | GNUNET_asprintf (&result, "%s.%s.%s", header_base64, body_base64, |
180 | header_base64, body_base64, signature_base64); | 171 | signature_base64); |
181 | 172 | ||
182 | GNUNET_free (signature_target); | 173 | GNUNET_free (signature_target); |
183 | GNUNET_free (header); | 174 | GNUNET_free (header); |
@@ -196,10 +187,10 @@ OIDC_id_token_new (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
196 | * @param nonce the nonce to include in the code | 187 | * @param nonce the nonce to include in the code |
197 | * @return a new authorization code (caller must free) | 188 | * @return a new authorization code (caller must free) |
198 | */ | 189 | */ |
199 | char* | 190 | char * |
200 | OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | 191 | OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, |
201 | const struct GNUNET_RECLAIM_Ticket *ticket, | 192 | const struct GNUNET_RECLAIM_Ticket *ticket, |
202 | const char* nonce) | 193 | const char *nonce) |
203 | { | 194 | { |
204 | char *ticket_str; | 195 | char *ticket_str; |
205 | json_t *code_json; | 196 | json_t *code_json; |
@@ -214,42 +205,32 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
214 | if (NULL != nonce) | 205 | if (NULL != nonce) |
215 | signature_payload_len += strlen (nonce); | 206 | signature_payload_len += strlen (nonce); |
216 | 207 | ||
217 | signature_payload = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len); | 208 | signature_payload = |
209 | GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | ||
210 | signature_payload_len); | ||
218 | purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *)signature_payload; | 211 | purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *)signature_payload; |
219 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len); | 212 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + |
213 | signature_payload_len); | ||
220 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); | 214 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); |
221 | memcpy (&purpose[1], | 215 | memcpy (&purpose[1], ticket, sizeof (struct GNUNET_RECLAIM_Ticket)); |
222 | ticket, | ||
223 | sizeof (struct GNUNET_RECLAIM_Ticket)); | ||
224 | if (NULL != nonce) | 216 | if (NULL != nonce) |
225 | memcpy (((char*)&purpose[1]) + sizeof (struct GNUNET_RECLAIM_Ticket), | 217 | memcpy (((char *)&purpose[1]) + sizeof (struct GNUNET_RECLAIM_Ticket), |
226 | nonce, | 218 | nonce, strlen (nonce)); |
227 | strlen (nonce)); | 219 | if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_sign (issuer, purpose, &signature)) { |
228 | if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_sign (issuer, | ||
229 | purpose, | ||
230 | &signature)) | ||
231 | { | ||
232 | GNUNET_free (signature_payload); | 220 | GNUNET_free (signature_payload); |
233 | return NULL; | 221 | return NULL; |
234 | } | 222 | } |
235 | signature_str = GNUNET_STRINGS_data_to_string_alloc (&signature, | 223 | signature_str = |
236 | sizeof (signature)); | 224 | GNUNET_STRINGS_data_to_string_alloc (&signature, sizeof (signature)); |
237 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket, | 225 | ticket_str = GNUNET_STRINGS_data_to_string_alloc ( |
238 | sizeof (struct GNUNET_RECLAIM_Ticket)); | 226 | ticket, sizeof (struct GNUNET_RECLAIM_Ticket)); |
239 | 227 | ||
240 | code_json = json_object (); | 228 | code_json = json_object (); |
241 | json_object_set_new (code_json, | 229 | json_object_set_new (code_json, "ticket", json_string (ticket_str)); |
242 | "ticket", | ||
243 | json_string (ticket_str)); | ||
244 | if (NULL != nonce) | 230 | if (NULL != nonce) |
245 | json_object_set_new (code_json, | 231 | json_object_set_new (code_json, "nonce", json_string (nonce)); |
246 | "nonce", | 232 | json_object_set_new (code_json, "signature", json_string (signature_str)); |
247 | json_string (nonce)); | 233 | authz_code = json_dumps (code_json, JSON_INDENT (0) | JSON_COMPACT); |
248 | json_object_set_new (code_json, | ||
249 | "signature", | ||
250 | json_string (signature_str)); | ||
251 | authz_code = json_dumps (code_json, | ||
252 | JSON_INDENT(0) | JSON_COMPACT); | ||
253 | GNUNET_free (signature_payload); | 234 | GNUNET_free (signature_payload); |
254 | GNUNET_free (signature_str); | 235 | GNUNET_free (signature_str); |
255 | GNUNET_free (ticket_str); | 236 | GNUNET_free (ticket_str); |
@@ -258,8 +239,6 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
258 | } | 239 | } |
259 | 240 | ||
260 | 241 | ||
261 | |||
262 | |||
263 | /** | 242 | /** |
264 | * Parse reclaim ticket and nonce from | 243 | * Parse reclaim ticket and nonce from |
265 | * authorization code. | 244 | * authorization code. |
@@ -273,8 +252,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
273 | */ | 252 | */ |
274 | int | 253 | int |
275 | OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | 254 | OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, |
276 | const char* code, | 255 | const char *code, struct GNUNET_RECLAIM_Ticket **ticket, |
277 | struct GNUNET_RECLAIM_Ticket **ticket, | ||
278 | char **nonce) | 256 | char **nonce) |
279 | { | 257 | { |
280 | json_error_t error; | 258 | json_error_t error; |
@@ -290,11 +268,9 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
290 | struct GNUNET_CRYPTO_EcdsaSignature signature; | 268 | struct GNUNET_CRYPTO_EcdsaSignature signature; |
291 | size_t signature_payload_len; | 269 | size_t signature_payload_len; |
292 | 270 | ||
293 | code_output = NULL; | 271 | code_output = NULL; |
294 | GNUNET_STRINGS_base64_decode (code, | 272 | GNUNET_STRINGS_base64_decode (code, strlen (code), (void **)&code_output); |
295 | strlen(code), | 273 | code_json = json_loads (code_output, 0, &error); |
296 | (void**)&code_output); | ||
297 | code_json = json_loads (code_output, 0 , &error); | ||
298 | GNUNET_free (code_output); | 274 | GNUNET_free (code_output); |
299 | ticket_json = json_object_get (code_json, "ticket"); | 275 | ticket_json = json_object_get (code_json, "ticket"); |
300 | nonce_json = json_object_get (code_json, "nonce"); | 276 | nonce_json = json_object_get (code_json, "nonce"); |
@@ -303,8 +279,7 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
303 | *nonce = NULL; | 279 | *nonce = NULL; |
304 | 280 | ||
305 | if ((NULL == ticket_json || !json_is_string (ticket_json)) || | 281 | if ((NULL == ticket_json || !json_is_string (ticket_json)) || |
306 | (NULL == signature_json || !json_is_string (signature_json))) | 282 | (NULL == signature_json || !json_is_string (signature_json))) { |
307 | { | ||
308 | json_decref (code_json); | 283 | json_decref (code_json); |
309 | return GNUNET_SYSERR; | 284 | return GNUNET_SYSERR; |
310 | } | 285 | } |
@@ -318,38 +293,29 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
318 | signature_payload_len += strlen (nonce_str); | 293 | signature_payload_len += strlen (nonce_str); |
319 | purpose = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | 294 | purpose = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + |
320 | signature_payload_len); | 295 | signature_payload_len); |
321 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len); | 296 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + |
297 | signature_payload_len); | ||
322 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); | 298 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); |
323 | if (GNUNET_OK != GNUNET_STRINGS_string_to_data (ticket_str, | 299 | if (GNUNET_OK != GNUNET_STRINGS_string_to_data ( |
324 | strlen (ticket_str), | 300 | ticket_str, strlen (ticket_str), &purpose[1], |
325 | &purpose[1], | 301 | sizeof (struct GNUNET_RECLAIM_Ticket))) { |
326 | sizeof (struct GNUNET_RECLAIM_Ticket))) | ||
327 | { | ||
328 | GNUNET_free (purpose); | 302 | GNUNET_free (purpose); |
329 | json_decref (code_json); | 303 | json_decref (code_json); |
330 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | 304 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Cannot parse ticket!\n"); |
331 | "Cannot parse ticket!\n"); | ||
332 | return GNUNET_SYSERR; | 305 | return GNUNET_SYSERR; |
333 | } | 306 | } |
334 | if (GNUNET_OK != GNUNET_STRINGS_string_to_data (signature_str, | 307 | if (GNUNET_OK != GNUNET_STRINGS_string_to_data ( |
335 | strlen (signature_str), | 308 | signature_str, strlen (signature_str), &signature, |
336 | &signature, | 309 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature))) { |
337 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature))) | ||
338 | { | ||
339 | GNUNET_free (purpose); | 310 | GNUNET_free (purpose); |
340 | json_decref (code_json); | 311 | json_decref (code_json); |
341 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | 312 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Cannot parse signature!\n"); |
342 | "Cannot parse signature!\n"); | ||
343 | return GNUNET_SYSERR; | 313 | return GNUNET_SYSERR; |
344 | } | 314 | } |
345 | *ticket = GNUNET_new (struct GNUNET_RECLAIM_Ticket); | 315 | *ticket = GNUNET_new (struct GNUNET_RECLAIM_Ticket); |
346 | memcpy (*ticket, | 316 | memcpy (*ticket, &purpose[1], sizeof (struct GNUNET_RECLAIM_Ticket)); |
347 | &purpose[1], | 317 | if (0 != memcmp (audience, &(*ticket)->audience, |
348 | sizeof (struct GNUNET_RECLAIM_Ticket)); | 318 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey))) { |
349 | if (0 != memcmp (audience, | ||
350 | &(*ticket)->audience, | ||
351 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey))) | ||
352 | { | ||
353 | GNUNET_free (purpose); | 319 | GNUNET_free (purpose); |
354 | GNUNET_free (*ticket); | 320 | GNUNET_free (*ticket); |
355 | json_decref (code_json); | 321 | json_decref (code_json); |
@@ -357,23 +323,18 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
357 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | 323 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, |
358 | "Audience in ticket does not match client!\n"); | 324 | "Audience in ticket does not match client!\n"); |
359 | return GNUNET_SYSERR; | 325 | return GNUNET_SYSERR; |
360 | |||
361 | } | 326 | } |
362 | if (NULL != nonce_str) | 327 | if (NULL != nonce_str) |
363 | memcpy (((char*)&purpose[1]) + sizeof (struct GNUNET_RECLAIM_Ticket), | 328 | memcpy (((char *)&purpose[1]) + sizeof (struct GNUNET_RECLAIM_Ticket), |
364 | nonce_str, | 329 | nonce_str, strlen (nonce_str)); |
365 | strlen (nonce_str)); | 330 | if (GNUNET_OK != |
366 | if (GNUNET_OK != GNUNET_CRYPTO_ecdsa_verify (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, | 331 | GNUNET_CRYPTO_ecdsa_verify (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, |
367 | purpose, | 332 | purpose, &signature, &(*ticket)->identity)) { |
368 | &signature, | ||
369 | &(*ticket)->identity)) | ||
370 | { | ||
371 | GNUNET_free (purpose); | 333 | GNUNET_free (purpose); |
372 | GNUNET_free (*ticket); | 334 | GNUNET_free (*ticket); |
373 | json_decref (code_json); | 335 | json_decref (code_json); |
374 | *ticket = NULL; | 336 | *ticket = NULL; |
375 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | 337 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of authZ code invalid!\n"); |
376 | "Signature of authZ code invalid!\n"); | ||
377 | return GNUNET_SYSERR; | 338 | return GNUNET_SYSERR; |
378 | } | 339 | } |
379 | *nonce = GNUNET_strdup (nonce_str); | 340 | *nonce = GNUNET_strdup (nonce_str); |
@@ -390,8 +351,7 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
390 | * @param token_response where to store the response | 351 | * @param token_response where to store the response |
391 | */ | 352 | */ |
392 | void | 353 | void |
393 | OIDC_build_token_response (const char *access_token, | 354 | OIDC_build_token_response (const char *access_token, const char *id_token, |
394 | const char *id_token, | ||
395 | const struct GNUNET_TIME_Relative *expiration_time, | 355 | const struct GNUNET_TIME_Relative *expiration_time, |
396 | char **token_response) | 356 | char **token_response) |
397 | { | 357 | { |
@@ -402,35 +362,30 @@ OIDC_build_token_response (const char *access_token, | |||
402 | GNUNET_assert (NULL != access_token); | 362 | GNUNET_assert (NULL != access_token); |
403 | GNUNET_assert (NULL != id_token); | 363 | GNUNET_assert (NULL != id_token); |
404 | GNUNET_assert (NULL != expiration_time); | 364 | GNUNET_assert (NULL != expiration_time); |
405 | json_object_set_new (root_json, | 365 | json_object_set_new (root_json, "access_token", json_string (access_token)); |
406 | "access_token", | 366 | json_object_set_new (root_json, "token_type", json_string ("Bearer")); |
407 | json_string (access_token)); | 367 | json_object_set_new ( |
408 | json_object_set_new (root_json, | 368 | root_json, "expires_in", |
409 | "token_type", | 369 | json_integer (expiration_time->rel_value_us / (1000 * 1000))); |
410 | json_string ("Bearer")); | 370 | json_object_set_new (root_json, "id_token", json_string (id_token)); |
411 | json_object_set_new (root_json, | 371 | *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT); |
412 | "expires_in", | ||
413 | json_integer (expiration_time->rel_value_us / (1000 * 1000))); | ||
414 | json_object_set_new (root_json, | ||
415 | "id_token", | ||
416 | json_string (id_token)); | ||
417 | *token_response = json_dumps (root_json, | ||
418 | JSON_INDENT(0) | JSON_COMPACT); | ||
419 | json_decref (root_json); | 372 | json_decref (root_json); |
420 | } | 373 | } |
421 | 374 | ||
422 | /** | 375 | /** |
423 | * Generate a new access token | 376 | * Generate a new access token |
424 | */ | 377 | */ |
425 | char* | 378 | char * |
426 | OIDC_access_token_new () | 379 | OIDC_access_token_new () |
427 | { | 380 | { |
428 | char* access_token_number; | 381 | char *access_token_number; |
429 | char* access_token; | 382 | char *access_token; |
430 | uint64_t random_number; | 383 | uint64_t random_number; |
431 | 384 | ||
432 | random_number = GNUNET_CRYPTO_random_u64(GNUNET_CRYPTO_QUALITY_NONCE, UINT64_MAX); | 385 | random_number = |
386 | GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_NONCE, UINT64_MAX); | ||
433 | GNUNET_asprintf (&access_token_number, "%" PRIu64, random_number); | 387 | GNUNET_asprintf (&access_token_number, "%" PRIu64, random_number); |
434 | GNUNET_STRINGS_base64_encode(access_token_number,strlen(access_token_number),&access_token); | 388 | GNUNET_STRINGS_base64_encode (access_token_number, |
389 | strlen (access_token_number), &access_token); | ||
435 | return access_token; | 390 | return access_token; |
436 | } | 391 | } |