author | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-04-27 21:01:13 +0200 |
---|---|---|
committer | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-04-27 21:01:13 +0200 |
commit | f7e0dfea0966f0ae9a4185206885d3a61895b759 (patch) | |
tree | eeeba47f96972b3e619cd038f488f0639062977d /src/reclaim/plugin_rest_openid_connect.c | |
parent | 7f50a089e5308bc7691704683dea805258f6c0b2 (diff) | |
RECLAIM/OIDC: encrypt authorizaion code payload
Diffstat (limited to 'src/reclaim/plugin_rest_openid_connect.c')
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 52 |
1 files changed, 22 insertions, 30 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 0ef621536..753c3fcae 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -1600,9 +1600,9 @@ check_authorization (struct RequestHandle *handle, | |||
1600 | return GNUNET_OK; | 1600 | return GNUNET_OK; |
1601 | } | 1601 | } |
1602 | 1602 | ||
1603 | static int | 1603 | const struct EgoEntry * |
1604 | ego_exists (struct RequestHandle *handle, | 1604 | find_ego (struct RequestHandle *handle, |
1605 | struct GNUNET_CRYPTO_EcdsaPublicKey *test_key) | 1605 | struct GNUNET_CRYPTO_EcdsaPublicKey *test_key) |
1606 | { | 1606 | { |
1607 | struct EgoEntry *ego_entry; | 1607 | struct EgoEntry *ego_entry; |
1608 | struct GNUNET_CRYPTO_EcdsaPublicKey pub_key; | 1608 | struct GNUNET_CRYPTO_EcdsaPublicKey pub_key; |
@@ -1612,11 +1612,9 @@ ego_exists (struct RequestHandle *handle, | |||
1612 | { | 1612 | { |
1613 | GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key); | 1613 | GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key); |
1614 | if (0 == GNUNET_memcmp (&pub_key, test_key)) | 1614 | if (0 == GNUNET_memcmp (&pub_key, test_key)) |
1615 | break; | 1615 | return ego_entry; |
1616 | } | 1616 | } |
1617 | if (NULL == ego_entry) | 1617 | return NULL; |
1618 | return GNUNET_NO; | ||
1619 | return GNUNET_YES; | ||
1620 | } | 1618 | } |
1621 | 1619 | ||
1622 | static void | 1620 | static void |
@@ -1650,10 +1648,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1650 | void *cls) | 1648 | void *cls) |
1651 | { | 1649 | { |
1652 | struct RequestHandle *handle = cls; | 1650 | struct RequestHandle *handle = cls; |
1651 | const struct EgoEntry *ego_entry; | ||
1653 | struct GNUNET_TIME_Relative expiration_time; | 1652 | struct GNUNET_TIME_Relative expiration_time; |
1654 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl; | 1653 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl; |
1655 | struct GNUNET_RECLAIM_Ticket ticket; | 1654 | struct GNUNET_RECLAIM_Ticket ticket; |
1656 | struct GNUNET_CRYPTO_EcdsaPublicKey cid; | 1655 | struct GNUNET_CRYPTO_EcdsaPublicKey cid; |
1656 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; | ||
1657 | struct GNUNET_HashCode cache_key; | 1657 | struct GNUNET_HashCode cache_key; |
1658 | struct MHD_Response *resp; | 1658 | struct MHD_Response *resp; |
1659 | char *grant_type; | 1659 | char *grant_type; |
@@ -1713,9 +1713,17 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1713 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1713 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1714 | return; | 1714 | return; |
1715 | } | 1715 | } |
1716 | 1716 | ego_entry = find_ego (handle, &cid); | |
1717 | if (NULL == ego_entry) | ||
1718 | { | ||
1719 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | ||
1720 | handle->edesc = GNUNET_strdup ("Unknown client"); | ||
1721 | handle->response_code = MHD_HTTP_BAD_REQUEST; | ||
1722 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1723 | } | ||
1724 | privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); | ||
1717 | // decode code | 1725 | // decode code |
1718 | if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, &ticket, &cl, &nonce)) | 1726 | if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, &ticket, &cl, &nonce)) |
1719 | { | 1727 | { |
1720 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | 1728 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); |
1721 | handle->edesc = GNUNET_strdup ("invalid code"); | 1729 | handle->edesc = GNUNET_strdup ("invalid code"); |
@@ -1739,13 +1747,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1739 | 1747 | ||
1740 | 1748 | ||
1741 | // TODO OPTIONAL acr,amr,azp | 1749 | // TODO OPTIONAL acr,amr,azp |
1742 | if (GNUNET_NO == ego_exists (handle, &ticket.audience)) | ||
1743 | { | ||
1744 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | ||
1745 | handle->edesc = GNUNET_strdup ("invalid code..."); | ||
1746 | handle->response_code = MHD_HTTP_BAD_REQUEST; | ||
1747 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1748 | } | ||
1749 | if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, | 1750 | if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, |
1750 | "reclaim-rest-plugin", | 1751 | "reclaim-rest-plugin", |
1751 | "jwt_secret", | 1752 | "jwt_secret", |
@@ -1827,9 +1828,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1827 | char *authorization_type; | 1828 | char *authorization_type; |
1828 | char *authorization_access_token; | 1829 | char *authorization_access_token; |
1829 | struct GNUNET_RECLAIM_Ticket *ticket; | 1830 | struct GNUNET_RECLAIM_Ticket *ticket; |
1831 | const struct EgoEntry *ego_entry; | ||
1830 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; | 1832 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; |
1831 | struct GNUNET_CRYPTO_EcdsaPublicKey pk; | ||
1832 | |||
1833 | 1833 | ||
1834 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, | 1834 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, |
1835 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), | 1835 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), |
@@ -1888,15 +1888,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1888 | ticket = | 1888 | ticket = |
1889 | GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key); | 1889 | GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key); |
1890 | GNUNET_assert (NULL != ticket); | 1890 | GNUNET_assert (NULL != ticket); |
1891 | 1891 | ego_entry = find_ego (handle, &ticket->audience); | |
1892 | for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry; | 1892 | if (NULL == ego_entry) |
1893 | handle->ego_entry = handle->ego_entry->next) | ||
1894 | { | ||
1895 | GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &pk); | ||
1896 | if (0 == GNUNET_memcmp (&pk, &ticket->audience)) | ||
1897 | break; // Found | ||
1898 | } | ||
1899 | if (NULL == handle->ego_entry) | ||
1900 | { | 1893 | { |
1901 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); | 1894 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); |
1902 | handle->edesc = GNUNET_strdup ("The access token expired"); | 1895 | handle->edesc = GNUNET_strdup ("The access token expired"); |
@@ -1910,9 +1903,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1910 | handle->oidc->response = json_object (); | 1903 | handle->oidc->response = json_object (); |
1911 | json_object_set_new (handle->oidc->response, | 1904 | json_object_set_new (handle->oidc->response, |
1912 | "sub", | 1905 | "sub", |
1913 | json_string (handle->ego_entry->keystring)); | 1906 | json_string (ego_entry->keystring)); |
1914 | privkey = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | 1907 | privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); |
1915 | |||
1916 | handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp, | 1908 | handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp, |
1917 | privkey, | 1909 | privkey, |
1918 | ticket, | 1910 | ticket, |
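Review bot: The `NULL == ego_entry` branch added at new lines 1717–1723 of token_endpoint schedules do_error but does not return, so new line 1724 `privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);` dereferences a NULL pointer whenever find_ego finds no ego matching `cid`, whereas the error path just above it at 1713–1714 does return. Since `cid` is presumably derived from the client's request, an unknown client id would take this path, so add `return;` after `GNUNET_SCHEDULER_add_now (&do_error, handle);` inside that block (the removed block at old 1742–1748 had the same omission, and the new `NULL == ego_entry` block in userinfo_endpoint at new 1892 should be checked for the same return once its tail is visible). Separately, `find_ego` at new line 1603 drops the `static` that `ego_exists` had, giving the helper external linkage; unless it is declared in a header, restoring `static` keeps it file-local and avoids a symbol clash. token_endpoint and userinfo_endpoint both start and end outside their hunks.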