authorSchanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de>2018-07-22 15:50:52 +0200
committerSchanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de>2018-07-22 15:50:52 +0200
commit214f2e90aff373771838d4504d77444c43194e49 (patch)
tree3772ba1e9fa75996e607fce58b3b07ad349b79a6 /src/reclaim/plugin_rest_openid_connect.c
parent33d45d039f618ec2892c8db3961f4f76a0e63652 (diff)
fix code signing
Diffstat (limited to 'src/reclaim/plugin_rest_openid_connect.c')
-rw-r--r--src/reclaim/plugin_rest_openid_connect.c116
1 files changed, 92 insertions, 24 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index bd11b2de7..0a6dd2b61 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -794,11 +794,75 @@ oidc_iteration_error (void *cls)
794 GNUNET_SCHEDULER_add_now (&do_error, handle); 794 GNUNET_SCHEDULER_add_now (&do_error, handle);
795} 795}
796 796
797static void get_client_name_result (void *cls, 797
798 const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone, 798static char*
799 const char *label, 799build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
800 unsigned int rd_count, 800 const struct GNUNET_RECLAIM_Ticket *ticket,
801 const struct GNUNET_GNSRECORD_Data *rd) 801 const char* nonce)
802{
803 char *ticket_str;
804 json_t *code_json;
805 char *signature_payload;
806 char *signature_str;
807 char *authz_code;
808 size_t signature_payload_len;
809 struct GNUNET_CRYPTO_EcdsaSignature signature;
810 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
811
812 signature_payload_len = sizeof (struct GNUNET_RECLAIM_Ticket);
813 if (NULL != nonce)
814 signature_payload_len += strlen (nonce);
815
816 signature_payload = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len);
817 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *)signature_payload;
818 purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len);
819 purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN);
820 memcpy (&purpose[1],
821 ticket,
822 sizeof (struct GNUNET_RECLAIM_Ticket));
823 if (NULL != nonce)
824 memcpy (&purpose[1] + sizeof (struct GNUNET_RECLAIM_Ticket),
825 nonce,
826 strlen (nonce));
827 if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_sign (issuer,
828 purpose,
829 &signature))
830 {
831 GNUNET_free (signature_payload);
832 return NULL;
833 }
834 signature_str = GNUNET_STRINGS_data_to_string_alloc (&signature,
835 sizeof (signature));
836 ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket,
837 sizeof (struct GNUNET_RECLAIM_Ticket));
838
839 code_json = json_object ();
840 json_object_set_new (code_json,
841 "ticket",
842 json_string (ticket_str));
843 if (NULL != nonce)
844 json_object_set_new (code_json,
845 "nonce",
846 json_string (nonce));
847 json_object_set_new (code_json,
848 "signature",
849 json_string (signature_str));
850 authz_code = json_dumps (code_json,
851 JSON_INDENT(0) | JSON_COMPACT);
852 GNUNET_free (signature_payload);
853 GNUNET_free (signature_str);
854 GNUNET_free (ticket_str);
855 json_decref (code_json);
856 return authz_code;
857}
858
859
860static void
861get_client_name_result (void *cls,
862 const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone,
863 const char *label,
864 unsigned int rd_count,
865 const struct GNUNET_GNSRECORD_Data *rd)
802{ 866{
803 struct RequestHandle *handle = cls; 867 struct RequestHandle *handle = cls;
804 struct MHD_Response *resp; 868 struct MHD_Response *resp;
@@ -812,12 +876,16 @@ static void get_client_name_result (void *cls,
812 char *prefix; 876 char *prefix;
813 ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, 877 ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket,
814 sizeof (struct GNUNET_RECLAIM_Ticket)); 878 sizeof (struct GNUNET_RECLAIM_Ticket));
879 //TODO add signature to code payload over nonce and ticket _and_ use jansson here!
815 //TODO change if more attributes are needed (see max_age) 880 //TODO change if more attributes are needed (see max_age)
816 GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}", 881 code_json_string = build_authz_code (&handle->priv_key,
882 &handle->ticket,
883 handle->oidc->nonce);
884 /*GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}",
817 ticket_str, 885 ticket_str,
818 (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "", 886 (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "",
819 (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "", 887 (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "",
820 (NULL != handle->oidc->nonce) ? "\"" : ""); 888 (NULL != handle->oidc->nonce) ? "\"" : "");*/
821 code_base64_final_string = base_64_encode(code_json_string); 889 code_base64_final_string = base_64_encode(code_json_string);
822 tmp = GNUNET_strdup (handle->oidc->redirect_uri); 890 tmp = GNUNET_strdup (handle->oidc->redirect_uri);
823 redirect_path = strtok (tmp, "/"); 891 redirect_path = strtok (tmp, "/");
@@ -896,11 +964,11 @@ oidc_collect_finished_cb (void *cls)
896 return; 964 return;
897 } 965 }
898 handle->idp_op = GNUNET_RECLAIM_ticket_issue (handle->idp, 966 handle->idp_op = GNUNET_RECLAIM_ticket_issue (handle->idp,
899 &handle->priv_key, 967 &handle->priv_key,
900 &handle->oidc->client_pkey, 968 &handle->oidc->client_pkey,
901 handle->attr_list, 969 handle->attr_list,
902 &oidc_ticket_issue_cb, 970 &oidc_ticket_issue_cb,
903 handle); 971 handle);
904} 972}
905 973
906 974
@@ -944,7 +1012,7 @@ oidc_attr_collect (void *cls,
944 1012
945 le = GNUNET_new(struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry); 1013 le = GNUNET_new(struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry);
946 le->claim = GNUNET_RECLAIM_ATTRIBUTE_claim_new (attr->name, attr->type, 1014 le->claim = GNUNET_RECLAIM_ATTRIBUTE_claim_new (attr->name, attr->type,
947 attr->data, attr->data_size); 1015 attr->data, attr->data_size);
948 GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head, 1016 GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head,
949 handle->attr_list->list_tail, le); 1017 handle->attr_list->list_tail, le);
950 GNUNET_RECLAIM_get_attributes_next (handle->attr_it); 1018 GNUNET_RECLAIM_get_attributes_next (handle->attr_it);
@@ -1004,8 +1072,8 @@ login_check (void *cls)
1004 handle->attr_list = GNUNET_new( 1072 handle->attr_list = GNUNET_new(
1005 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); 1073 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList);
1006 handle->attr_it = GNUNET_RECLAIM_get_attributes_start ( 1074 handle->attr_it = GNUNET_RECLAIM_get_attributes_start (
1007 handle->idp, &handle->priv_key, &oidc_iteration_error, handle, 1075 handle->idp, &handle->priv_key, &oidc_iteration_error, handle,
1008 &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); 1076 &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle);
1009 return; 1077 return;
1010 } 1078 }
1011 } 1079 }
@@ -1560,7 +1628,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1560 struct GNUNET_TIME_Relative expiration_time; 1628 struct GNUNET_TIME_Relative expiration_time;
1561 if ( GNUNET_OK 1629 if ( GNUNET_OK
1562 != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin", 1630 != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin",
1563 "expiration_time", &expiration_time) ) 1631 "expiration_time", &expiration_time) )
1564 { 1632 {
1565 GNUNET_free_non_null(user_psw); 1633 GNUNET_free_non_null(user_psw);
1566 handle->emsg = GNUNET_strdup("server_error"); 1634 handle->emsg = GNUNET_strdup("server_error");
@@ -1572,7 +1640,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1572 } 1640 }
1573 1641
1574 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); 1642 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList);
1575 1643
1576 //TODO OPTIONAL acr,amr,azp 1644 //TODO OPTIONAL acr,amr,azp
1577 1645
1578 struct EgoEntry *ego_entry; 1646 struct EgoEntry *ego_entry;
@@ -1679,8 +1747,8 @@ consume_ticket (void *cls,
1679 } 1747 }
1680 1748
1681 tmp_value = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (attr->type, 1749 tmp_value = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (attr->type,
1682 attr->data, 1750 attr->data,
1683 attr->data_size); 1751 attr->data_size);
1684 1752
1685 value = json_string (tmp_value); 1753 value = json_string (tmp_value);
1686 1754
@@ -1828,11 +1896,11 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1828 handle->oidc->response = json_object(); 1896 handle->oidc->response = json_object();
1829 json_object_set_new( handle->oidc->response, "sub", json_string( handle->ego_entry->keystring)); 1897 json_object_set_new( handle->oidc->response, "sub", json_string( handle->ego_entry->keystring));
1830 handle->idp_op = GNUNET_RECLAIM_ticket_consume ( 1898 handle->idp_op = GNUNET_RECLAIM_ticket_consume (
1831 handle->idp, 1899 handle->idp,
1832 GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego), 1900 GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego),
1833 ticket, 1901 ticket,
1834 consume_ticket, 1902 consume_ticket,
1835 handle); 1903 handle);
1836 GNUNET_free(ticket); 1904 GNUNET_free(ticket);
1837 GNUNET_free(authorization); 1905 GNUNET_free(authorization);
1838 GNUNET_free(client_ticket); 1906 GNUNET_free(client_ticket);
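Review bot: The nonce copy in build_authz_code (first hunk) writes to the wrong offset: `&purpose[1] + sizeof (struct GNUNET_RECLAIM_Ticket)` is pointer arithmetic on a `struct GNUNET_CRYPTO_EccSignaturePurpose *`, so the ticket size is scaled by sizeof(*purpose) and the memcpy lands well past the end of the `signature_payload` allocation (a heap overflow of strlen(nonce) bytes), while the bytes the signature actually covers after the ticket stay zero and therefore never bind the nonce. Cast to a byte pointer before adding the offset: `memcpy (((char *) &purpose[1]) + sizeof (struct GNUNET_RECLAIM_Ticket), nonce, strlen (nonce));`. In the get_client_name_result hunk the new `code_json_string = build_authz_code (...)` can return NULL (the ecdsa_sign failure path at line 832), yet the value goes straight into `base_64_encode`; guard it with `if (NULL == code_json_string)` and take the same `handle->emsg`/`GNUNET_SCHEDULER_add_now (&do_error, handle)` route the file already uses, releasing ticket_str as the existing error paths presumably do. The `//TODO add signature to code payload ...` comment and the commented-out GNUNET_asprintf block describe exactly what this commit implements and should be deleted rather than kept as dead text, which also leaves ticket_str referenced only inside that comment. The remaining hunks show no visible content change and appear to be whitespace-only.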