authorSchanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de>2018-07-21 12:02:24 +0200
committerSchanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de>2018-07-21 12:02:24 +0200
commitd81369afa8c051383727fa4c54479decc4071b9e (patch)
tree68d5c88483a45c904f7a0c5d8d0752c862360075 /src/reclaim
parent51ace4c06634efe9fd7edbb39f91f754befccd5e (diff)
downloadgnunet-d81369afa8c051383727fa4c54479decc4071b9e.tar.gz
gnunet-d81369afa8c051383727fa4c54479decc4071b9e.zip
fixes for JWT creation
Diffstat (limited to 'src/reclaim')
-rw-r--r--src/reclaim/jwt.c30
-rw-r--r--src/reclaim/jwt.h17
-rw-r--r--src/reclaim/plugin_rest_openid_connect.c55
-rw-r--r--src/reclaim/reclaim.conf2
4 files changed, 50 insertions, 54 deletions
diff --git a/src/reclaim/jwt.c b/src/reclaim/jwt.c
index 9885bf467..41a3747ed 100644
--- a/src/reclaim/jwt.c
+++ b/src/reclaim/jwt.c
@@ -83,19 +83,25 @@ fix_base64(char* str) {
83/** 83/**
84 * Create a JWT from attributes 84 * Create a JWT from attributes
85 * 85 *
86 * @param aud_key the public of the subject 86 * @param aud_key the public of the audience
87 * @param sub_key the public key of the subject
87 * @param attrs the attribute list 88 * @param attrs the attribute list
88 * @param priv_key the key used to sign the JWT 89 * @param expiration_time the validity of the token
90 * @param secret_key the key used to sign the JWT
89 * @return a new base64-encoded JWT string. 91 * @return a new base64-encoded JWT string.
90 */ 92 */
91char* 93char*
92jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, 94jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
93 const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, 95 const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
94 const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, 96 const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
97 const struct GNUNET_TIME_Relative *expiration_time,
98 const char *nonce,
95 const char *secret_key) 99 const char *secret_key)
96{ 100{
97 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; 101 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le;
98 struct GNUNET_HashCode signature; 102 struct GNUNET_HashCode signature;
103 struct GNUNET_TIME_Absolute exp_time;
104 struct GNUNET_TIME_Absolute time_now;
99 char* audience; 105 char* audience;
100 char* subject; 106 char* subject;
101 char* header; 107 char* header;
@@ -107,9 +113,11 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
107 char* signature_base64; 113 char* signature_base64;
108 char* attr_val_str; 114 char* attr_val_str;
109 json_t* body; 115 json_t* body;
110 116
111 //exp REQUIRED time expired from config
112 //iat REQUIRED time now 117 //iat REQUIRED time now
118 time_now = GNUNET_TIME_absolute_get();
119 //exp REQUIRED time expired from config
120 exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time);
113 //auth_time only if max_age 121 //auth_time only if max_age
114 //nonce only if nonce 122 //nonce only if nonce
115 // OPTIONAL acr,amr,azp 123 // OPTIONAL acr,amr,azp
@@ -130,6 +138,20 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
130 //aud REQUIRED public key client_id must be there 138 //aud REQUIRED public key client_id must be there
131 json_object_set_new (body, 139 json_object_set_new (body,
132 "aud", json_string (audience)); 140 "aud", json_string (audience));
141 //iat
142 json_object_set_new (body,
143 "iat", json_integer (time_now.abs_value_us));
144 //exp
145 json_object_set_new (body,
146 "exp", json_integer (exp_time.abs_value_us));
147 //nbf
148 json_object_set_new (body,
149 "nbf", json_integer (time_now.abs_value_us));
150 //nonce
151 if (NULL != nonce)
152 json_object_set_new (body,
153 "nonce", json_string (nonce));
154
133 for (le = attrs->list_head; NULL != le; le = le->next) 155 for (le = attrs->list_head; NULL != le; le = le->next)
134 { 156 {
135 attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type, 157 attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type,
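Review bot: The `iat`, `exp` and `nbf` claims filled at new lines 143, 146 and 149 store `abs_value_us`, microseconds since the epoch, but RFC 7519 defines NumericDate as seconds since the epoch, so a conforming verifier sees dates tens of millions of years out: `nbf` makes the token not yet valid and `exp` is never enforced, which defeats the expiry this commit adds. Convert when filling each claim, e.g. `"iat", json_integer (time_now.abs_value_us / 1000LL / 1000LL)`, and likewise for `exp` and `nbf`. The doc comment in the hunk at line 83 also omits the `@param nonce the nonce, may be NULL` line that the header carries, and `*expiration_time` is dereferenced at new line 120 without a NULL check. jwt_create_from_list continues past the end of the hunk.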
diff --git a/src/reclaim/jwt.h b/src/reclaim/jwt.h
index 39b4e2f3c..12ff85b01 100644
--- a/src/reclaim/jwt.h
+++ b/src/reclaim/jwt.h
@@ -1,10 +1,23 @@
1#ifndef JWT_H 1#ifndef JWT_H
2#define JWT_H 2#define JWT_H
3 3
4/**
5 * Create a JWT from attributes
6 *
7 * @param aud_key the public of the audience
8 * @param sub_key the public key of the subject
9 * @param attrs the attribute list
10 * @param expiration_time the validity of the token
11 * @param nonce the nonce, may be NULL
12 * @param secret_key the key used to sign the JWT
13 * @return a new base64-encoded JWT string.
14 */
4char* 15char*
5jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, 16jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
6 const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, 17 const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
7 const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, 18 const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
8 const char* secret_key); 19 const struct GNUNET_TIME_Relative *expiration_time,
20 const char *nonce,
21 const char *secret_key);
9 22
10#endif 23#endif
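Review bot: The new prototype at lines 16-21 refers to `struct GNUNET_TIME_Relative` (alongside the pre-existing `struct GNUNET_CRYPTO_EcdsaPublicKey` and `struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList`) while the header, shown here in full, has no include or forward declaration for any of them, so it only compiles when the includer has already pulled in the GNUnet util headers and a compiler otherwise warns that the struct is declared inside the parameter list. Adding `struct GNUNET_TIME_Relative;` (and the same for the other two tags) after the guard, or including the header that defines them, keeps it self-contained. The `@return` line could also say who owns the result, e.g. `@return a new base64-encoded JWT string, to be freed by the caller` — presumably with GNUNET_free, worth confirming against the implementation.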
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index 5a34e5b72..d1c5b31b6 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -168,7 +168,6 @@ static char* OIDC_ignored_parameter_array [] =
168{ 168{
169 "display", 169 "display",
170 "prompt", 170 "prompt",
171 "max_age",
172 "ui_locales", 171 "ui_locales",
173 "response_mode", 172 "response_mode",
174 "id_token_hint", 173 "id_token_hint",
@@ -1320,7 +1319,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1320 int client_exists = GNUNET_NO; 1319 int client_exists = GNUNET_NO;
1321 struct MHD_Response *resp; 1320 struct MHD_Response *resp;
1322 char* code_output; 1321 char* code_output;
1323 json_t *root, *ticket_string, *nonce, *max_age; 1322 json_t *root;
1323 json_t *ticket_string;
1324 json_t *nonce;
1324 json_error_t error; 1325 json_error_t error;
1325 char *json_response; 1326 char *json_response;
1326 char *jwt_secret; 1327 char *jwt_secret;
@@ -1515,7 +1516,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1515 GNUNET_free(code_output); 1516 GNUNET_free(code_output);
1516 ticket_string = json_object_get (root, "ticket"); 1517 ticket_string = json_object_get (root, "ticket");
1517 nonce = json_object_get (root, "nonce"); 1518 nonce = json_object_get (root, "nonce");
1518 max_age = json_object_get (root, "max_age");
1519 1519
1520 if(ticket_string == NULL && !json_is_string(ticket_string)) 1520 if(ticket_string == NULL && !json_is_string(ticket_string))
1521 { 1521 {
@@ -1557,9 +1557,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1557 } 1557 }
1558 1558
1559 //create jwt 1559 //create jwt
1560 unsigned long long int expiration_time; 1560 struct GNUNET_TIME_Relative expiration_time;
1561 if ( GNUNET_OK 1561 if ( GNUNET_OK
1562 != GNUNET_CONFIGURATION_get_value_number(cfg, "reclaim-rest-plugin", 1562 != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin",
1563 "expiration_time", &expiration_time) ) 1563 "expiration_time", &expiration_time) )
1564 { 1564 {
1565 GNUNET_free_non_null(user_psw); 1565 GNUNET_free_non_null(user_psw);
@@ -1572,48 +1572,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1572 } 1572 }
1573 1573
1574 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); 1574 struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList);
1575 //aud REQUIRED public key client_id must be there 1575
1576 GNUNET_RECLAIM_ATTRIBUTE_list_add(cl,
1577 "aud",
1578 GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
1579 client_id,
1580 strlen(client_id));
1581 //exp REQUIRED time expired from config
1582 struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute (
1583 GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (),
1584 expiration_time));
1585 const char* exp_time_string = GNUNET_STRINGS_absolute_time_to_string(exp_time);
1586 GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
1587 "exp",
1588 GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
1589 exp_time_string,
1590 strlen(exp_time_string));
1591 //iat REQUIRED time now
1592 struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get();
1593 const char* time_now_string = GNUNET_STRINGS_absolute_time_to_string(time_now);
1594 GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
1595 "iat",
1596 GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
1597 time_now_string,
1598 strlen(time_now_string));
1599 //nonce only if nonce is provided
1600 if ( NULL != nonce && json_is_string(nonce) )
1601 {
1602 GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
1603 "nonce",
1604 GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
1605 json_string_value(nonce),
1606 strlen(json_string_value(nonce)));
1607 }
1608 //auth_time only if max_age is provided
1609 if ( NULL != max_age && json_is_string(max_age) )
1610 {
1611 GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
1612 "auth_time",
1613 GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
1614 json_string_value(max_age),
1615 strlen(json_string_value(max_age)));
1616 }
1617 //TODO OPTIONAL acr,amr,azp 1576 //TODO OPTIONAL acr,amr,azp
1618 1577
1619 struct EgoEntry *ego_entry; 1578 struct EgoEntry *ego_entry;
@@ -1652,6 +1611,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
1652 char *id_token = jwt_create_from_list(&ticket->audience, 1611 char *id_token = jwt_create_from_list(&ticket->audience,
1653 &pk, 1612 &pk,
1654 cl, 1613 cl,
1614 &expiration_time,
1615 (NULL != nonce && json_is_string(nonce)) ? json_string_value (nonce) : NULL,
1655 jwt_secret); 1616 jwt_secret);
1656 1617
1657 //Create random access_token 1618 //Create random access_token
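Review bot: The ticket check at new line 1520, `if(ticket_string == NULL && !json_is_string(ticket_string))`, sits right next to the removed `max_age` lookup but still uses `&&`, so it only fires when `ticket` is absent; a request whose `ticket` is present but not a string (a number or an object) passes and reaches the code below. It should read `if (NULL == ticket_string || !json_is_string (ticket_string))`, mirroring the `NULL != nonce && json_is_string(nonce)` test used at new line 1615. Separately, the first hunk drops `max_age` from `OIDC_ignored_parameter_array` while the later hunks remove the code shown here that read it, so requests carrying `max_age` presumably now take whatever path unrecognised parameters take — worth confirming that is intended. token_endpoint starts and ends outside the hunks shown.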
diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf
index e93899e05..cf0a0dc5e 100644
--- a/src/reclaim/reclaim.conf
+++ b/src/reclaim/reclaim.conf
@@ -17,7 +17,7 @@ DATABASE = sqlite
17ADDRESS = https://reclaim.ui/#/login 17ADDRESS = https://reclaim.ui/#/login
18PSW = secret 18PSW = secret
19JWT_SECRET = secret 19JWT_SECRET = secret
20EXPIRATION_TIME = 3600 20EXPIRATION_TIME = 1d
21 21
22[reclaim-sqlite] 22[reclaim-sqlite]
23FILENAME = $GNUNET_DATA_HOME/reclaim/sqlite.db 23FILENAME = $GNUNET_DATA_HOME/reclaim/sqlite.db
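Review bot: Changing `EXPIRATION_TIME = 3600` to `1d` at line 20 is not only a units fix for the switch to `GNUNET_CONFIGURATION_get_value_time`: the old value was multiplied by one second in token_endpoint, so the default id_token lifetime grows from one hour to one day, which the commit message ("fixes for JWT creation") does not mention. If the longer lifetime is not intended, keep the previous default with `EXPIRATION_TIME = 1 h` (assuming the fancy-time parser accepts hours as it accepts days here). Either way the change in default deserves a line in the commit message or a comment next to the setting.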