1 files changed, 233 insertions, 23 deletions

diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index 1c00abcbd..bb8e1cd1e 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -20,6 +20,7 @@
 /**
  * @author Martin Schanzenbach
  * @author Philippe Buschmann
+ * @author Tristan Schwieren
  * @file identity/plugin_rest_openid_connect.c
  * @brief GNUnet Namestore REST plugin
  *
@@ -27,6 +28,7 @@
 #include "platform.h"
 #include <inttypes.h>
 #include <jansson.h>
+#include <jose/jose.h>
 
 #include "gnunet_buffer_lib.h"
 #include "gnunet_strings_lib.h"
@@ -63,6 +65,11 @@
 #define GNUNET_REST_API_NS_TOKEN "/openid/token"
 
 /**
+ * JSON Web Keys endpoint
+ */
+#define GNUNET_REST_API_JWKS "/jwks.json"
+
+/**
  * UserInfo endpoint
  */
 #define GNUNET_REST_API_NS_USERINFO "/openid/userinfo"
@@ -228,6 +235,11 @@
 #define OIDC_ERROR_KEY_ACCESS_DENIED "access_denied"
 
 /**
+ * OIDC key store file name
+ */
+#define OIDC_JWK_RSA_FILENAME "jwk_rsa.json"
+
+/**
  * How long to wait for a consume in userinfo endpoint
  */
 #define CONSUME_TIMEOUT GNUNET_TIME_relative_multiply ( \
@@ -303,6 +315,11 @@ struct Plugin
 };
 
 /**
+ * @brief The RSA key used by the oidc enpoint
+ */
+json_t *oidc_jwk;
+
+/**
  * OIDC needed variables
  */
 struct OIDC_Variables
@@ -859,6 +876,103 @@ cookie_identity_interpretation (struct RequestHandle *handle)
 
 
 /**
+ * @brief Read the the JSON Web Key in the given file and return it.
+ * Return NULL and emit warning if JSON can not be decoded or the key is
+ * invalid
+ *
+ * @param filename the file to read the JWK from
+ * @return json_t* the reed JWK
+ */
+json_t *
+read_jwk_from_file (const char *filename)
+{
+  json_t *jwk;
+  json_error_t error;
+
+  jwk = json_load_file (filename, JSON_DECODE_ANY, &error);
+
+  if (! jwk)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                ("Could not read OIDC RSA key from config file; %s\n"),
+                error.text);
+  }
+
+  return jwk;
+}
+
+/**
+ * @brief Write the JWK to file. If unsuccessful emit warning
+ *
+ * @param filename the name of the file the JWK is writen to
+ * @param jwk the JWK that is going to be written
+ * @return int Return GNUNET_OK if write is sucessfull
+ */
+static int
+write_jwk_to_file (const char *filename,
+                   json_t *jwk)
+{
+  if (json_dump_file (jwk, filename, JSON_INDENT (2)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                ("Could not write OIDC RSA key to file %s\n"),
+                filename);
+    return GNUNET_ERROR_TYPE_WARNING;
+  }
+  else
+    return GNUNET_OK;
+}
+
+/**
+ * @brief Generate a new RSA JSON Web Key
+ *
+ * @return json_t* the generated JWK
+ */
+json_t *
+generate_jwk ()
+{
+  json_t *jwk;
+  jwk = json_pack ("{s:s,s:i}", "kty", "RSA", "bits", 2048);
+  jose_jwk_gen (NULL, jwk);
+  json_incref (jwk);
+  return jwk;
+}
+
+/**
+ * Return the path to the RSA JWK key file
+ *
+ * @param cls the RequestHandle
+ */
+char *
+get_oidc_jwk_path (void *cls)
+{
+  char *oidc_directory;
+  char *oidc_jwk_path;
+  struct RequestHandle *handle = cls;
+
+  // Read OIDC directory from config
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                            "reclaim-rest-plugin",
+                                                            "oidc_dir",
+                                                            &oidc_directory))
+  {
+    // Could not read Config file
+    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_SERVER_ERROR);
+    handle->edesc = GNUNET_strdup ("gnunet configuration failed");
+    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    return NULL;
+  }
+
+  // Create path to file
+  GNUNET_asprintf (&oidc_jwk_path, "%s/%s", oidc_directory,
+                   OIDC_JWK_RSA_FILENAME);
+
+  return oidc_jwk_path;
+}
+
+
+/**
  * Redirects to login page stored in configuration file
  */
 static void
@@ -1954,7 +2068,7 @@ check_authorization (struct RequestHandle *handle,
   // check client password
   if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
                                                           "reclaim-rest-plugin",
-                                                          "OIDC_CLIENT_SECRET",
+                                                          "OIDC_CLIENT_HMAC_SECRET",
                                                           &expected_pass))
   {
     if (0 != strcmp (expected_pass, received_cpw))
@@ -2047,9 +2161,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   char *json_response;
   char *id_token;
   char *access_token;
+  char *jwa;
   char *jwt_secret;
   char *nonce = NULL;
   char *code_verifier;
+  json_t *oidc_jwk;
+  char *oidc_jwk_path;
 
   /*
    * Check Authorization
@@ -2156,32 +2273,66 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
     return;
   }
 
-
-  // TODO OPTIONAL acr,amr,azp
+  // Check if HMAC or RSA should be used
   if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
                                                           "reclaim-rest-plugin",
-                                                          "jwt_secret",
-                                                          &jwt_secret))
+                                                          "oidc_json_web_algorithm",
+                                                          &jwa))
   {
-    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
-    handle->edesc = GNUNET_strdup ("No signing secret configured!");
-    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-    GNUNET_free (code);
-    GNUNET_RECLAIM_attribute_list_destroy (cl);
-    GNUNET_RECLAIM_presentation_list_destroy (pl);
-    if (NULL != nonce)
-      GNUNET_free (nonce);
-    GNUNET_SCHEDULER_add_now (&do_error, handle);
-    return;
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Could not read OIDC JSON Web Algorithm config attribute."
+                "Defaulting to RS256.");
+    jwa = JWT_ALG_VALUE_RSA;
+  }
+
+  if (strcmp(jwa, JWT_ALG_VALUE_RSA))
+  {
+    // Replace for now
+    oidc_jwk_path = get_oidc_jwk_path (cls);
+    oidc_jwk = read_jwk_from_file (oidc_jwk_path);
+    id_token = OIDC_generate_id_token_rsa (&ticket.audience,
+                                           &ticket.identity,
+                                           cl,
+                                           pl,
+                                           &expiration_time,
+                                           (NULL != nonce) ? nonce : NULL,
+                                           oidc_jwk);
+  }
+  else if (strcmp(jwa, JWT_ALG_VALUE_HMAC))
+  {
+    // TODO OPTIONAL acr,amr,azp
+    if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                            "reclaim-rest-plugin",
+                                                            "jwt_secret",
+                                                            &jwt_secret))
+    {
+      handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
+      handle->edesc = GNUNET_strdup ("No signing secret configured!");
+      handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+      GNUNET_free (code);
+      GNUNET_RECLAIM_attribute_list_destroy (cl);
+      GNUNET_RECLAIM_presentation_list_destroy (pl);
+      if (NULL != nonce)
+        GNUNET_free (nonce);
+      GNUNET_SCHEDULER_add_now (&do_error, handle);
+      return;
+    }
+
+    id_token = OIDC_generate_id_token_hmac (&ticket.audience,
+                                            &ticket.identity,
+                                            cl,
+                                            pl,
+                                            &expiration_time,
+                                            (NULL != nonce) ? nonce : NULL,
+                                            jwt_secret);
+
+    GNUNET_free (jwt_secret);
+  }
+  else 
+  {
+    // TODO: OPTION NOT FOUND ERROR
   }
-  id_token = OIDC_generate_id_token (&ticket.audience,
-                                     &ticket.identity,
-                                     cl,
-                                     pl,
-                                     &expiration_time,
-                                     (NULL != nonce) ? nonce : NULL,
-                                     jwt_secret);
-  GNUNET_free (jwt_secret);
+
   if (NULL != nonce)
     GNUNET_free (nonce);
   access_token = OIDC_access_token_new (&ticket);
@@ -2474,6 +2625,59 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   GNUNET_free (authorization);
 }
 
+/**
+ * Responds to /jwks.json
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+jwks_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
+               const char *url,
+               void *cls)
+{
+  char *oidc_directory;
+  char *oidc_jwk_path;
+  char *oidc_jwk_pub_str;
+  json_t *oidc_jwk;
+  struct MHD_Response *resp;
+  struct RequestHandle *handle = cls;
+
+  oidc_jwk_path = get_oidc_jwk_path (cls);
+  oidc_jwk = read_jwk_from_file (oidc_jwk_path);
+
+  // Check if secret JWK exists
+  if (! oidc_jwk)
+  {
+    // Generate and save a new key
+    oidc_jwk = generate_jwk ();
+
+    // Create new oidc directory
+    if (GNUNET_OK != GNUNET_DISK_directory_create (oidc_directory))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  ("Failed to create directory `%s' for storing oidc data\n"),
+                  oidc_directory);
+    }
+    else
+    {
+      write_jwk_to_file (oidc_jwk_path, oidc_jwk);
+    }
+  }
+
+  // Convert secret JWK to public JWK
+  jose_jwk_pub (NULL, oidc_jwk);
+
+  // Encode JWK as string and return to API endpoint
+  oidc_jwk_pub_str = json_dumps (oidc_jwk, JSON_INDENT (1));
+  resp = GNUNET_REST_create_response (oidc_jwk_pub_str);
+  handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+  json_decref (oidc_jwk);
+  GNUNET_free (oidc_jwk_pub_str);
+  free (oidc_jwk_pub_str);
+  cleanup_handle (handle);
+}
 
 /**
  * If listing is enabled, prints information about the egos.
@@ -2621,10 +2825,15 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   sig_algs = json_array ();
   json_array_append_new (sig_algs,
                          json_string ("HS512"));
+  json_array_append_new (sig_algs,
+                         json_string ("RS256"));
   json_object_set_new (oidc_config,
                        "id_token_signing_alg_values_supported",
                        sig_algs);
   json_object_set_new (oidc_config,
+                       "jwks_uri",
+                       json_string ("http://localhost:7776/jwks.json"));
+  json_object_set_new (oidc_config,
                        "userinfo_endpoint",
                        json_string ("http://localhost:7776/openid/userinfo"));
   scopes = json_array ();
@@ -2719,6 +2928,7 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
     { MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_endpoint },
     { MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
     { MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
+    { MHD_HTTP_METHOD_GET, GNUNET_REST_API_JWKS, &jwks_endpoint },
     { MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_OIDC_CONFIG,
       &oidc_config_endpoint },
     { MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC_CONFIG,