author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-22 15:50:52 +0200 |
---|---|---|
committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-07-22 15:50:52 +0200 |
commit | 214f2e90aff373771838d4504d77444c43194e49 (patch) | |
tree | 3772ba1e9fa75996e607fce58b3b07ad349b79a6 /src | |
parent | 33d45d039f618ec2892c8db3961f4f76a0e63652 (diff) | |
download | gnunet-214f2e90aff373771838d4504d77444c43194e49.tar.gz gnunet-214f2e90aff373771838d4504d77444c43194e49.zip |
fix code signing
Diffstat (limited to 'src')
-rw-r--r-- | src/include/gnunet_signatures.h | 2 | ||||
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 116 |
2 files changed, 93 insertions, 25 deletions
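--- a/src/include/gnunet_signatures.h
+++ b/src/include/gnunet_signatures.h
@@ -181,7 +181,7 @@ extern "C"
 /**
 * Signature for a GNUid Ticket
 */
-#define GNUNET_SIGNATURE_PURPOSE_GNUID_TICKET 27
+#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN 27
 
 /**
 * Signature for a GNUnet credential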
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index bd11b2de7..0a6dd2b61 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -794,11 +794,75 @@ oidc_iteration_error (void *cls) | |||
794 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 794 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
795 | } | 795 | } |
796 | 796 | ||
797 | static void get_client_name_result (void *cls, | 797 | |
798 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone, | 798 | static char* |
799 | const char *label, | 799 | build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, |
800 | unsigned int rd_count, | 800 | const struct GNUNET_RECLAIM_Ticket *ticket, |
801 | const struct GNUNET_GNSRECORD_Data *rd) | 801 | const char* nonce) |
802 | { | ||
803 | char *ticket_str; | ||
804 | json_t *code_json; | ||
805 | char *signature_payload; | ||
806 | char *signature_str; | ||
807 | char *authz_code; | ||
808 | size_t signature_payload_len; | ||
809 | struct GNUNET_CRYPTO_EcdsaSignature signature; | ||
810 | struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; | ||
811 | |||
812 | signature_payload_len = sizeof (struct GNUNET_RECLAIM_Ticket); | ||
813 | if (NULL != nonce) | ||
814 | signature_payload_len += strlen (nonce); | ||
815 | |||
816 | signature_payload = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len); | ||
817 | purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *)signature_payload; | ||
818 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + signature_payload_len); | ||
819 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); | ||
820 | memcpy (&purpose[1], | ||
821 | ticket, | ||
822 | sizeof (struct GNUNET_RECLAIM_Ticket)); | ||
823 | if (NULL != nonce) | ||
824 | memcpy (&purpose[1] + sizeof (struct GNUNET_RECLAIM_Ticket), | ||
825 | nonce, | ||
826 | strlen (nonce)); | ||
827 | if (GNUNET_SYSERR == GNUNET_CRYPTO_ecdsa_sign (issuer, | ||
828 | purpose, | ||
829 | &signature)) | ||
830 | { | ||
831 | GNUNET_free (signature_payload); | ||
832 | return NULL; | ||
833 | } | ||
834 | signature_str = GNUNET_STRINGS_data_to_string_alloc (&signature, | ||
835 | sizeof (signature)); | ||
836 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket, | ||
837 | sizeof (struct GNUNET_RECLAIM_Ticket)); | ||
838 | |||
839 | code_json = json_object (); | ||
840 | json_object_set_new (code_json, | ||
841 | "ticket", | ||
842 | json_string (ticket_str)); | ||
843 | if (NULL != nonce) | ||
844 | json_object_set_new (code_json, | ||
845 | "nonce", | ||
846 | json_string (nonce)); | ||
847 | json_object_set_new (code_json, | ||
848 | "signature", | ||
849 | json_string (signature_str)); | ||
850 | authz_code = json_dumps (code_json, | ||
851 | JSON_INDENT(0) | JSON_COMPACT); | ||
852 | GNUNET_free (signature_payload); | ||
853 | GNUNET_free (signature_str); | ||
854 | GNUNET_free (ticket_str); | ||
855 | json_decref (code_json); | ||
856 | return authz_code; | ||
857 | } | ||
858 | |||
859 | |||
860 | static void | ||
861 | get_client_name_result (void *cls, | ||
862 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone, | ||
863 | const char *label, | ||
864 | unsigned int rd_count, | ||
865 | const struct GNUNET_GNSRECORD_Data *rd) | ||
802 | { | 866 | { |
803 | struct RequestHandle *handle = cls; | 867 | struct RequestHandle *handle = cls; |
804 | struct MHD_Response *resp; | 868 | struct MHD_Response *resp; |
@@ -812,12 +876,16 @@ static void get_client_name_result (void *cls, | |||
812 | char *prefix; | 876 | char *prefix; |
813 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, | 877 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, |
814 | sizeof (struct GNUNET_RECLAIM_Ticket)); | 878 | sizeof (struct GNUNET_RECLAIM_Ticket)); |
879 | //TODO add signature to code payload over nonce and ticket _and_ use jansson here! | ||
815 | //TODO change if more attributes are needed (see max_age) | 880 | //TODO change if more attributes are needed (see max_age) |
816 | GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}", | 881 | code_json_string = build_authz_code (&handle->priv_key, |
882 | &handle->ticket, | ||
883 | handle->oidc->nonce); | ||
884 | /*GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}", | ||
817 | ticket_str, | 885 | ticket_str, |
818 | (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "", | 886 | (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "", |
819 | (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "", | 887 | (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "", |
820 | (NULL != handle->oidc->nonce) ? "\"" : ""); | 888 | (NULL != handle->oidc->nonce) ? "\"" : "");*/ |
821 | code_base64_final_string = base_64_encode(code_json_string); | 889 | code_base64_final_string = base_64_encode(code_json_string); |
822 | tmp = GNUNET_strdup (handle->oidc->redirect_uri); | 890 | tmp = GNUNET_strdup (handle->oidc->redirect_uri); |
823 | redirect_path = strtok (tmp, "/"); | 891 | redirect_path = strtok (tmp, "/"); |
@@ -896,11 +964,11 @@ oidc_collect_finished_cb (void *cls) | |||
896 | return; | 964 | return; |
897 | } | 965 | } |
898 | handle->idp_op = GNUNET_RECLAIM_ticket_issue (handle->idp, | 966 | handle->idp_op = GNUNET_RECLAIM_ticket_issue (handle->idp, |
899 | &handle->priv_key, | 967 | &handle->priv_key, |
900 | &handle->oidc->client_pkey, | 968 | &handle->oidc->client_pkey, |
901 | handle->attr_list, | 969 | handle->attr_list, |
902 | &oidc_ticket_issue_cb, | 970 | &oidc_ticket_issue_cb, |
903 | handle); | 971 | handle); |
904 | } | 972 | } |
905 | 973 | ||
906 | 974 | ||
@@ -944,7 +1012,7 @@ oidc_attr_collect (void *cls, | |||
944 | 1012 | ||
945 | le = GNUNET_new(struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry); | 1013 | le = GNUNET_new(struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry); |
946 | le->claim = GNUNET_RECLAIM_ATTRIBUTE_claim_new (attr->name, attr->type, | 1014 | le->claim = GNUNET_RECLAIM_ATTRIBUTE_claim_new (attr->name, attr->type, |
947 | attr->data, attr->data_size); | 1015 | attr->data, attr->data_size); |
948 | GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head, | 1016 | GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head, |
949 | handle->attr_list->list_tail, le); | 1017 | handle->attr_list->list_tail, le); |
950 | GNUNET_RECLAIM_get_attributes_next (handle->attr_it); | 1018 | GNUNET_RECLAIM_get_attributes_next (handle->attr_it); |
@@ -1004,8 +1072,8 @@ login_check (void *cls) | |||
1004 | handle->attr_list = GNUNET_new( | 1072 | handle->attr_list = GNUNET_new( |
1005 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); | 1073 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); |
1006 | handle->attr_it = GNUNET_RECLAIM_get_attributes_start ( | 1074 | handle->attr_it = GNUNET_RECLAIM_get_attributes_start ( |
1007 | handle->idp, &handle->priv_key, &oidc_iteration_error, handle, | 1075 | handle->idp, &handle->priv_key, &oidc_iteration_error, handle, |
1008 | &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); | 1076 | &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); |
1009 | return; | 1077 | return; |
1010 | } | 1078 | } |
1011 | } | 1079 | } |
@@ -1560,7 +1628,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1560 | struct GNUNET_TIME_Relative expiration_time; | 1628 | struct GNUNET_TIME_Relative expiration_time; |
1561 | if ( GNUNET_OK | 1629 | if ( GNUNET_OK |
1562 | != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin", | 1630 | != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin", |
1563 | "expiration_time", &expiration_time) ) | 1631 | "expiration_time", &expiration_time) ) |
1564 | { | 1632 | { |
1565 | GNUNET_free_non_null(user_psw); | 1633 | GNUNET_free_non_null(user_psw); |
1566 | handle->emsg = GNUNET_strdup("server_error"); | 1634 | handle->emsg = GNUNET_strdup("server_error"); |
@@ -1572,7 +1640,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1572 | } | 1640 | } |
1573 | 1641 | ||
1574 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); | 1642 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); |
1575 | 1643 | ||
1576 | //TODO OPTIONAL acr,amr,azp | 1644 | //TODO OPTIONAL acr,amr,azp |
1577 | 1645 | ||
1578 | struct EgoEntry *ego_entry; | 1646 | struct EgoEntry *ego_entry; |
@@ -1679,8 +1747,8 @@ consume_ticket (void *cls, | |||
1679 | } | 1747 | } |
1680 | 1748 | ||
1681 | tmp_value = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (attr->type, | 1749 | tmp_value = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (attr->type, |
1682 | attr->data, | 1750 | attr->data, |
1683 | attr->data_size); | 1751 | attr->data_size); |
1684 | 1752 | ||
1685 | value = json_string (tmp_value); | 1753 | value = json_string (tmp_value); |
1686 | 1754 | ||
@@ -1828,11 +1896,11 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1828 | handle->oidc->response = json_object(); | 1896 | handle->oidc->response = json_object(); |
1829 | json_object_set_new( handle->oidc->response, "sub", json_string( handle->ego_entry->keystring)); | 1897 | json_object_set_new( handle->oidc->response, "sub", json_string( handle->ego_entry->keystring)); |
1830 | handle->idp_op = GNUNET_RECLAIM_ticket_consume ( | 1898 | handle->idp_op = GNUNET_RECLAIM_ticket_consume ( |
1831 | handle->idp, | 1899 | handle->idp, |
1832 | GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego), | 1900 | GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego), |
1833 | ticket, | 1901 | ticket, |
1834 | consume_ticket, | 1902 | consume_ticket, |
1835 | handle); | 1903 | handle); |
1836 | GNUNET_free(ticket); | 1904 | GNUNET_free(ticket); |
1837 | GNUNET_free(authorization); | 1905 | GNUNET_free(authorization); |
1838 | GNUNET_free(client_ticket); | 1906 | GNUNET_free(client_ticket); |
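Review bot: The nonce copy in build_authz_code (new line 824) writes out of bounds: `&purpose[1]` has type `struct GNUNET_CRYPTO_EccSignaturePurpose *`, so `+ sizeof (struct GNUNET_RECLAIM_Ticket)` advances by that many purpose structs rather than bytes, and the nonce lands well past the end of the buffer allocated on line 816, with the write length taken from a nonce that appears to come from the client request (handle->oidc->nonce). Cast to a byte pointer before applying the offset: `memcpy ((char *) &purpose[1] + sizeof (struct GNUNET_RECLAIM_Ticket), nonce, strlen (nonce));`. Separately, the signed payload is only ticket||nonce with no issuance time, so unless the token endpoint (not shown in this diff) tracks issued codes itself, a captured authorization code remains valid indefinitely and can be replayed; consider putting an expiration or timestamp under the signature and documenting that the code is expected to be single-use. The commented-out GNUNET_asprintf block and the now-stale TODO on line 879 in get_client_name_result (whose body continues outside the hunk) should be deleted rather than kept, and ticket_str on line 877 is no longer consumed by the new code path, so check that it is still freed.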