RECLAIM/OIDC: encrypt authorizaion code payload

author: Schanzenbach, Martin <mschanzenbach@posteo.de> 2019-04-27 21:01:13 +0200
committer: Schanzenbach, Martin <mschanzenbach@posteo.de> 2019-04-27 21:01:13 +0200
commit: f7e0dfea0966f0ae9a4185206885d3a61895b759 (patch)
tree: eeeba47f96972b3e619cd038f488f0639062977d /src/reclaim/plugin_rest_openid_connect.c
parent: 7f50a089e5308bc7691704683dea805258f6c0b2 (diff)
download: gnunet-f7e0dfea0966f0ae9a4185206885d3a61895b759.tar.gz
gnunet-f7e0dfea0966f0ae9a4185206885d3a61895b759.zip
1 files changed, 22 insertions, 30 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index 0ef621536..753c3fcae 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -1600,9 +1600,9 @@ check_authorization (struct RequestHandle *handle,
  return GNUNET_OK;
 }
-static int
+const struct EgoEntry *
-ego_exists (struct RequestHandle *handle,
+find_ego (struct RequestHandle *handle,
-            struct GNUNET_CRYPTO_EcdsaPublicKey *test_key)
+          struct GNUNET_CRYPTO_EcdsaPublicKey *test_key)
 {
  struct EgoEntry *ego_entry;
  struct GNUNET_CRYPTO_EcdsaPublicKey pub_key;
@@ -1612,11 +1612,9 @@ ego_exists (struct RequestHandle *handle,
  {
    GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key);
    if (0 == GNUNET_memcmp (&pub_key, test_key))
-      break;
+      return ego_entry;
  }
-  if (NULL == ego_entry)
+  return NULL;
-    return GNUNET_NO;
-  return GNUNET_YES;
 }
 static void
@@ -1650,10 +1648,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
                void *cls)
 {
  struct RequestHandle *handle = cls;
+  const struct EgoEntry *ego_entry;
  struct GNUNET_TIME_Relative expiration_time;
  struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl;
  struct GNUNET_RECLAIM_Ticket ticket;
  struct GNUNET_CRYPTO_EcdsaPublicKey cid;
+  const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;
  struct GNUNET_HashCode cache_key;
  struct MHD_Response *resp;
  char *grant_type;
@@ -1713,9 +1713,17 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
    GNUNET_SCHEDULER_add_now (&do_error, handle);
    return;
  }
+  ego_entry = find_ego (handle, &cid);
+  if (NULL == ego_entry)
+  {
+    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
+    handle->edesc = GNUNET_strdup ("Unknown client");
+    handle->response_code = MHD_HTTP_BAD_REQUEST;
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+  }
+  privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
  // decode code
-  if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, &ticket, &cl, &nonce))
+  if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, &ticket, &cl, &nonce))
  {
    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
    handle->edesc = GNUNET_strdup ("invalid code");
@@ -1739,13 +1747,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  // TODO OPTIONAL acr,amr,azp
-  if (GNUNET_NO == ego_exists (handle, &ticket.audience))
-  {
-    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
-    handle->edesc = GNUNET_strdup ("invalid code...");
-    handle->response_code = MHD_HTTP_BAD_REQUEST;
-    GNUNET_SCHEDULER_add_now (&do_error, handle);
-  }
  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
                                                          "reclaim-rest-plugin",
                                                          "jwt_secret",
@@ -1827,9 +1828,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  char *authorization_type;
  char *authorization_access_token;
  struct GNUNET_RECLAIM_Ticket *ticket;
+  const struct EgoEntry *ego_entry;
  const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;
-  struct GNUNET_CRYPTO_EcdsaPublicKey pk;
  GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,
                      strlen (OIDC_AUTHORIZATION_HEADER_KEY),
@@ -1888,15 +1888,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  ticket =
    GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key);
  GNUNET_assert (NULL != ticket);
+  ego_entry = find_ego (handle, &ticket->audience);
-  for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry;
+  if (NULL == ego_entry)
-       handle->ego_entry = handle->ego_entry->next)
-  {
-    GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &pk);
-    if (0 == GNUNET_memcmp (&pk, &ticket->audience))
-      break; // Found
-  }
-  if (NULL == handle->ego_entry)
  {
    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN);
    handle->edesc = GNUNET_strdup ("The access token expired");
@@ -1910,9 +1903,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  handle->oidc->response = json_object ();
  json_object_set_new (handle->oidc->response,
                       "sub",
-                       json_string (handle->ego_entry->keystring));
+                       json_string (ego_entry->keystring));
-  privkey = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego);
+  privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
  handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp,
                                                  privkey,
                                                  ticket,
author	Schanzenbach, Martin <mschanzenbach@posteo.de>	2019-04-27 21:01:13 +0200
committer	Schanzenbach, Martin <mschanzenbach@posteo.de>	2019-04-27 21:01:13 +0200
commit	f7e0dfea0966f0ae9a4185206885d3a61895b759 (patch)
tree	eeeba47f96972b3e619cd038f488f0639062977d /src/reclaim/plugin_rest_openid_connect.c
parent	7f50a089e5308bc7691704683dea805258f6c0b2 (diff)
download	gnunet-f7e0dfea0966f0ae9a4185206885d3a61895b759.tar.gz gnunet-f7e0dfea0966f0ae9a4185206885d3a61895b759.zip

diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 0ef621536..753c3fcae 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -1600,9 +1600,9 @@ check_authorization (struct RequestHandle *handle,
1600	return GNUNET_OK;	1600	return GNUNET_OK;
1601	}	1601	}
1602		1602
1603	static int	1603	const struct EgoEntry *
1604	ego_exists (struct RequestHandle *handle,	1604	find_ego (struct RequestHandle *handle,
1605	struct GNUNET_CRYPTO_EcdsaPublicKey *test_key)	1605	struct GNUNET_CRYPTO_EcdsaPublicKey *test_key)
1606	{	1606	{
1607	struct EgoEntry *ego_entry;	1607	struct EgoEntry *ego_entry;
1608	struct GNUNET_CRYPTO_EcdsaPublicKey pub_key;	1608	struct GNUNET_CRYPTO_EcdsaPublicKey pub_key;
@@ -1612,11 +1612,9 @@ ego_exists (struct RequestHandle *handle,
1612	{	1612	{
1613	GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key);	1613	GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key);
1614	if (0 == GNUNET_memcmp (&pub_key, test_key))	1614	if (0 == GNUNET_memcmp (&pub_key, test_key))
1615	break;	1615	return ego_entry;
1616	}	1616	}
1617	if (NULL == ego_entry)	1617	return NULL;
1618	return GNUNET_NO;
1619	return GNUNET_YES;
1620	}	1618	}
1621		1619
1622	static void	1620	static void
@@ -1650,10 +1648,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1650	void *cls)	1648	void *cls)
1651	{	1649	{
1652	struct RequestHandle *handle = cls;	1650	struct RequestHandle *handle = cls;
		1651	const struct EgoEntry *ego_entry;
1653	struct GNUNET_TIME_Relative expiration_time;	1652	struct GNUNET_TIME_Relative expiration_time;
1654	struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl;	1653	struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl;
1655	struct GNUNET_RECLAIM_Ticket ticket;	1654	struct GNUNET_RECLAIM_Ticket ticket;
1656	struct GNUNET_CRYPTO_EcdsaPublicKey cid;	1655	struct GNUNET_CRYPTO_EcdsaPublicKey cid;
		1656	const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;
1657	struct GNUNET_HashCode cache_key;	1657	struct GNUNET_HashCode cache_key;
1658	struct MHD_Response *resp;	1658	struct MHD_Response *resp;
1659	char *grant_type;	1659	char *grant_type;
@@ -1713,9 +1713,17 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1713	GNUNET_SCHEDULER_add_now (&do_error, handle);	1713	GNUNET_SCHEDULER_add_now (&do_error, handle);
1714	return;	1714	return;
1715	}	1715	}
1716		1716	ego_entry = find_ego (handle, &cid);
		1717	if (NULL == ego_entry)
		1718	{
		1719	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
		1720	handle->edesc = GNUNET_strdup ("Unknown client");
		1721	handle->response_code = MHD_HTTP_BAD_REQUEST;
		1722	GNUNET_SCHEDULER_add_now (&do_error, handle);
		1723	}
		1724	privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
1717	// decode code	1725	// decode code
1718	if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, &ticket, &cl, &nonce))	1726	if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, &ticket, &cl, &nonce))
1719	{	1727	{
1720	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);	1728	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
1721	handle->edesc = GNUNET_strdup ("invalid code");	1729	handle->edesc = GNUNET_strdup ("invalid code");
@@ -1739,13 +1747,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1739		1747
1740		1748
1741	// TODO OPTIONAL acr,amr,azp	1749	// TODO OPTIONAL acr,amr,azp
1742	if (GNUNET_NO == ego_exists (handle, &ticket.audience))
1743	{
1744	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
1745	handle->edesc = GNUNET_strdup ("invalid code...");
1746	handle->response_code = MHD_HTTP_BAD_REQUEST;
1747	GNUNET_SCHEDULER_add_now (&do_error, handle);
1748	}
1749	if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,	1750	if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
1750	"reclaim-rest-plugin",	1751	"reclaim-rest-plugin",
1751	"jwt_secret",	1752	"jwt_secret",
@@ -1827,9 +1828,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1827	char *authorization_type;	1828	char *authorization_type;
1828	char *authorization_access_token;	1829	char *authorization_access_token;
1829	struct GNUNET_RECLAIM_Ticket *ticket;	1830	struct GNUNET_RECLAIM_Ticket *ticket;
		1831	const struct EgoEntry *ego_entry;
1830	const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;	1832	const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;
1831	struct GNUNET_CRYPTO_EcdsaPublicKey pk;
1832
1833		1833
1834	GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,	1834	GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,
1835	strlen (OIDC_AUTHORIZATION_HEADER_KEY),	1835	strlen (OIDC_AUTHORIZATION_HEADER_KEY),
@@ -1888,15 +1888,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1888	ticket =	1888	ticket =
1889	GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key);	1889	GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key);
1890	GNUNET_assert (NULL != ticket);	1890	GNUNET_assert (NULL != ticket);
1891		1891	ego_entry = find_ego (handle, &ticket->audience);
1892	for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry;	1892	if (NULL == ego_entry)
1893	handle->ego_entry = handle->ego_entry->next)
1894	{
1895	GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &pk);
1896	if (0 == GNUNET_memcmp (&pk, &ticket->audience))
1897	break; // Found
1898	}
1899	if (NULL == handle->ego_entry)
1900	{	1893	{
1901	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN);	1894	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN);
1902	handle->edesc = GNUNET_strdup ("The access token expired");	1895	handle->edesc = GNUNET_strdup ("The access token expired");
@@ -1910,9 +1903,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1910	handle->oidc->response = json_object ();	1903	handle->oidc->response = json_object ();
1911	json_object_set_new (handle->oidc->response,	1904	json_object_set_new (handle->oidc->response,
1912	"sub",	1905	"sub",
1913	json_string (handle->ego_entry->keystring));	1906	json_string (ego_entry->keystring));
1914	privkey = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego);	1907	privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
1915
1916	handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp,	1908	handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp,
1917	privkey,	1909	privkey,
1918	ticket,	1910	ticket,