diff options
Diffstat (limited to 'src/identity-provider/jwt.c')
| -rw-r--r-- | src/identity-provider/jwt.c | 49 |
1 files changed, 10 insertions, 39 deletions
diff --git a/src/identity-provider/jwt.c b/src/identity-provider/jwt.c index 1a984f7b5..7ac4f0025 100644 --- a/src/identity-provider/jwt.c +++ b/src/identity-provider/jwt.c | |||
| @@ -30,15 +30,14 @@ | |||
| 30 | 30 | ||
| 31 | #define JWT_ALG "alg" | 31 | #define JWT_ALG "alg" |
| 32 | 32 | ||
| 33 | /*TODO is this the correct way to define new algs? */ | 33 | /* Use 512bit HMAC */ |
| 34 | #define JWT_ALG_VALUE "urn:org:gnunet:jwt:alg:ecdsa:ed25519" | 34 | #define JWT_ALG_VALUE "HS512" |
| 35 | 35 | ||
| 36 | #define JWT_TYP "typ" | 36 | #define JWT_TYP "typ" |
| 37 | 37 | ||
| 38 | #define JWT_TYP_VALUE "jwt" | 38 | #define JWT_TYP_VALUE "jwt" |
| 39 | 39 | ||
| 40 | //TODO change server address | 40 | #define SERVER_ADDRESS "https://reclaim.id/api/openid/userinfo" |
| 41 | #define SERVER_ADDRESS "https://localhost" | ||
| 42 | 41 | ||
| 43 | static char* | 42 | static char* |
| 44 | create_jwt_header(void) | 43 | create_jwt_header(void) |
| @@ -65,13 +64,12 @@ create_jwt_header(void) | |||
| 65 | */ | 64 | */ |
| 66 | char* | 65 | char* |
| 67 | jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | 66 | jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, |
| 67 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, | ||
| 68 | const struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs, | 68 | const struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs, |
| 69 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key) | 69 | const struct GNUNET_CRYPTO_AuthKey *priv_key) |
| 70 | { | 70 | { |
| 71 | struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le; | 71 | struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le; |
| 72 | struct GNUNET_CRYPTO_EcdsaPublicKey sub_key; | 72 | struct GNUNET_HashCode signature; |
| 73 | struct GNUNET_CRYPTO_EcdsaSignature signature; | ||
| 74 | struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; | ||
| 75 | char* audience; | 73 | char* audience; |
| 76 | char* subject; | 74 | char* subject; |
| 77 | char* header; | 75 | char* header; |
| @@ -90,32 +88,25 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
| 90 | //auth_time only if max_age | 88 | //auth_time only if max_age |
| 91 | //nonce only if nonce | 89 | //nonce only if nonce |
| 92 | // OPTIONAL acr,amr,azp | 90 | // OPTIONAL acr,amr,azp |
| 93 | GNUNET_CRYPTO_ecdsa_key_get_public (priv_key, &sub_key); | ||
| 94 | /* TODO maybe we should use a local identity here */ | ||
| 95 | subject = GNUNET_STRINGS_data_to_string_alloc (&sub_key, | 91 | subject = GNUNET_STRINGS_data_to_string_alloc (&sub_key, |
| 96 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); | 92 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); |
| 97 | audience = GNUNET_STRINGS_data_to_string_alloc (aud_key, | 93 | audience = GNUNET_STRINGS_data_to_string_alloc (aud_key, |
| 98 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); | 94 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); |
| 99 | header = create_jwt_header (); | 95 | header = create_jwt_header (); |
| 100 | body = json_object (); | 96 | body = json_object (); |
| 101 | /* TODO who is the issuer? local IdP or subject ? See self-issued tokens? */ | 97 | |
| 102 | //iss REQUIRED case sensitive server uri with https | 98 | //iss REQUIRED case sensitive server uri with https |
| 99 | //The issuer is the local reclaim instance (e.g. https://reclaim.id/api/openid) | ||
| 103 | json_object_set_new (body, | 100 | json_object_set_new (body, |
| 104 | "iss", json_string (SERVER_ADDRESS)); | 101 | "iss", json_string (SERVER_ADDRESS)); |
| 105 | //sub REQUIRED public key identity, not exceed 255 ASCII length | 102 | //sub REQUIRED public key identity, not exceed 255 ASCII length |
| 106 | json_object_set_new (body, | 103 | json_object_set_new (body, |
| 107 | "sub", json_string (subject)); | 104 | "sub", json_string (subject)); |
| 108 | /* TODO what should be in here exactly? */ | ||
| 109 | //aud REQUIRED public key client_id must be there | 105 | //aud REQUIRED public key client_id must be there |
| 110 | json_object_set_new (body, | 106 | json_object_set_new (body, |
| 111 | "aud", json_string (audience)); | 107 | "aud", json_string (audience)); |
| 112 | for (le = attrs->list_head; NULL != le; le = le->next) | 108 | for (le = attrs->list_head; NULL != le; le = le->next) |
| 113 | { | 109 | { |
| 114 | /** | ||
| 115 | * TODO here we should have a function that | ||
| 116 | * calls the Attribute plugins to create a | ||
| 117 | * json representation for its value | ||
| 118 | */ | ||
| 119 | attr_val_str = GNUNET_IDENTITY_ATTRIBUTE_value_to_string (le->claim->type, | 110 | attr_val_str = GNUNET_IDENTITY_ATTRIBUTE_value_to_string (le->claim->type, |
| 120 | le->claim->data, | 111 | le->claim->data, |
| 121 | le->claim->data_size); | 112 | le->claim->data_size); |
| @@ -148,32 +139,13 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
| 148 | GNUNET_free (audience); | 139 | GNUNET_free (audience); |
| 149 | 140 | ||
| 150 | /** | 141 | /** |
| 151 | * TODO | ||
| 152 | * Creating the JWT signature. This might not be | 142 | * Creating the JWT signature. This might not be |
| 153 | * standards compliant, check. | 143 | * standards compliant, check. |
| 154 | */ | 144 | */ |
| 155 | GNUNET_asprintf (&signature_target, "%s,%s", header_base64, body_base64); | 145 | GNUNET_asprintf (&signature_target, "%s,%s", header_base64, body_base64); |
| 156 | 146 | GNUNET_CRYPTO_hmac (priv_key, signature_target, strlen (signature_target), &signature); | |
| 157 | purpose = | ||
| 158 | GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | ||
| 159 | strlen (signature_target)); | ||
| 160 | purpose->size = | ||
| 161 | htonl (strlen (signature_target) + sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose)); | ||
| 162 | purpose->purpose = htonl(GNUNET_SIGNATURE_PURPOSE_GNUID_TOKEN); | ||
| 163 | GNUNET_memcpy (&purpose[1], signature_target, strlen (signature_target)); | ||
| 164 | if (GNUNET_OK != GNUNET_CRYPTO_ecdsa_sign (priv_key, | ||
| 165 | purpose, | ||
| 166 | (struct GNUNET_CRYPTO_EcdsaSignature *)&signature)) | ||
| 167 | { | ||
| 168 | GNUNET_free (signature_target); | ||
| 169 | GNUNET_free (body_str); | ||
| 170 | GNUNET_free (body_base64); | ||
| 171 | GNUNET_free (header_base64); | ||
| 172 | GNUNET_free (purpose); | ||
| 173 | return NULL; | ||
| 174 | } | ||
| 175 | GNUNET_STRINGS_base64_encode ((const char*)&signature, | 147 | GNUNET_STRINGS_base64_encode ((const char*)&signature, |
| 176 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature), | 148 | sizeof (struct GNUNET_HashCode), |
| 177 | &signature_base64); | 149 | &signature_base64); |
| 178 | GNUNET_asprintf (&result, "%s.%s.%s", | 150 | GNUNET_asprintf (&result, "%s.%s.%s", |
| 179 | header_base64, body_base64, signature_base64); | 151 | header_base64, body_base64, signature_base64); |
| @@ -184,6 +156,5 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
| 184 | GNUNET_free (signature_base64); | 156 | GNUNET_free (signature_base64); |
| 185 | GNUNET_free (body_base64); | 157 | GNUNET_free (body_base64); |
| 186 | GNUNET_free (header_base64); | 158 | GNUNET_free (header_base64); |
| 187 | GNUNET_free (purpose); | ||
| 188 | return result; | 159 | return result; |
| 189 | } | 160 | } |