
[gnunet] branch master updated: RECLAIM: Fix OIDC implementation for new


From: gnunet
Subject: [gnunet] branch master updated: RECLAIM: Fix OIDC implementation for new API (WIP)
Date: Mon, 29 Apr 2024 15:59:31 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository gnunet.

The following commit(s) were added to refs/heads/master by this push:
     new 7e43187c7 RECLAIM: Fix OIDC implementation for new API (WIP)
7e43187c7 is described below

commit 7e43187c78bdae919861c44b03454db61f46370a
Author: Martin Schanzenbach <schanzen@gnunet.org>
AuthorDate: Mon Apr 29 15:59:23 2024 +0200

    RECLAIM: Fix OIDC implementation for new API (WIP)
---
 contrib/gana                     |  2 +-
 contrib/handbook                 |  2 +-
 src/service/rest/oidc_helper.c   | 13 ++--------
 src/service/rest/oidc_helper.h   |  3 +++
 src/service/rest/openid_plugin.c | 55 ++++++++++++++++++++++++++++++++--------
 5 files changed, 51 insertions(+), 24 deletions(-)

diff --git a/contrib/gana b/contrib/gana
index d505fecdf..53d099289 160000
--- a/contrib/gana
+++ b/contrib/gana
@@ -1 +1 @@
-Subproject commit d505fecdf8f1339f4115f10f1ae236da7cfea0ef
+Subproject commit 53d0992890e1ebb8f8c6bd747533abe157baec66
diff --git a/contrib/handbook b/contrib/handbook
index 7d66dc169..c309e4169 160000
--- a/contrib/handbook
+++ b/contrib/handbook
@@ -1 +1 @@
-Subproject commit 7d66dc1695829f2511f8e8ecc227a64d73d1562e
+Subproject commit c309e416984fc76e4b39adcbd4e8a602d94b1987
diff --git a/src/service/rest/oidc_helper.c b/src/service/rest/oidc_helper.c
index 15133b270..0c5a5a0d6 100644
--- a/src/service/rest/oidc_helper.c
+++ b/src/service/rest/oidc_helper.c
@@ -24,7 +24,6 @@
  * @author Martin Schanzenbach
  * @author Tristan Schwieren
  */
-#include "platform.h"
 #include <inttypes.h>
 #include <jansson.h>
 #include <jose/jose.h>
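Review bot: `#include "platform.h"` is dropped from oidc_helper.c and nothing visible in this commit provides it elsewhere; in GNUnet sources platform.h is conventionally the first include of every .c file, so unless oidc_helper.h now pulls it in through `gnunet_util_lib.h` this may break the build or the feature-test macros on some platforms. If the removal is intentional, a one-line comment above the remaining includes saying where platform.h is now included, e.g. `/* platform.h comes in via oidc_helper.h */`, would stop the next reader from re-adding it.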
@@ -750,6 +749,7 @@ check_code_challenge (const char *code_challenge,
  */
 int
 OIDC_parse_authz_code (const char *rp_uri,
+                       const struct GNUNET_CRYPTO_PublicKey *cid,
                        const char *code,
                        const char *code_verifier,
                        struct GNUNET_RECLAIM_Ticket *ticket,
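Review bot: The documentation block that ends just above the signature (the `*/` at the top of this hunk) is not updated for the new `cid` parameter, so the doxygen comment no longer matches the prototype. Add `@param cid public key the authorization code signature is verified against` to that comment, and the same line to the matching comment in oidc_helper.h (hunk `@@ -129,6 +131,7 @@`). The parameter list of OIDC_parse_authz_code continues outside the hunk.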
@@ -823,21 +823,12 @@ OIDC_parse_authz_code (const char *rp_uri,
   memcpy (ticket, &params->ticket, sizeof(params->ticket));
   // Signature
   // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
-  if (0 != strcmp (rp_uri, ticket->rp_uri))
-  {
-    GNUNET_free (code_payload);
-    if (NULL != *nonce_str)
-      GNUNET_free (*nonce_str);
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                "Audience in ticket does not match client!\n");
-    return GNUNET_SYSERR;
-  }
   if (GNUNET_OK !=
       GNUNET_CRYPTO_signature_verify_ (
         GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
         purpose,
         signature,
-        &(ticket->identity)))
+        cid))
   {
     GNUNET_free (code_payload);
     if (NULL != *nonce_str)
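Review bot: The check that `rp_uri` matches `ticket->rp_uri` is removed with no replacement visible in this hunk, so the parsed code is no longer bound here to the client redeeming it, and `rp_uri` now looks like an unused parameter. Signature verification also switches from the key stored in the ticket to `cid`, which both callers in openid_plugin.c derive from the request's `client_id` parameter; if the code is still signed with the issuer's key, as the `OIDC_build_authz_code (const struct GNUNET_CRYPTO_PrivateKey *issuer, ...` prototype in oidc_helper.h suggests, verification against the client's key cannot succeed, and if the client key is now meant to be the signer, a comment on what the signature then proves is needed. Either restore an audience check against the ticket or add a comment above the verify call documenting where that binding now happens. The body of OIDC_parse_authz_code continues outside the hunk.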
diff --git a/src/service/rest/oidc_helper.h b/src/service/rest/oidc_helper.h
index 08aedc2ed..3e180f673 100644
--- a/src/service/rest/oidc_helper.h
+++ b/src/service/rest/oidc_helper.h
@@ -27,6 +27,8 @@
 #ifndef JWT_H
 #define JWT_H
 
+#include "gnunet_util_lib.h"
+#include "gnunet_reclaim_service.h"
 #define JWT_ALG "alg"
 #define JWT_TYP "typ"
 #define JWT_TYP_VALUE "jwt"
@@ -129,6 +131,7 @@ OIDC_build_authz_code (const struct 
GNUNET_CRYPTO_PrivateKey *issuer,
  */
 int
 OIDC_parse_authz_code (const char *rp_uri,
+                       const struct GNUNET_CRYPTO_PublicKey *cid,
                        const char *code,
                        const char *code_verifier,
                        struct GNUNET_RECLAIM_Ticket *ticket,
diff --git a/src/service/rest/openid_plugin.c b/src/service/rest/openid_plugin.c
index 5fc98465a..cd3f975a4 100644
--- a/src/service/rest/openid_plugin.c
+++ b/src/service/rest/openid_plugin.c
@@ -34,12 +34,10 @@
 #include "gnunet_gns_service.h"
 #include "gnunet_gnsrecord_lib.h"
 #include "gnunet_identity_service.h"
-#include "gnunet_namestore_service.h"
 #include "gnunet_reclaim_lib.h"
 #include "gnunet_reclaim_service.h"
 #include "gnunet_rest_lib.h"
 #include "gnunet_rest_plugin.h"
-#include "gnunet_signatures.h"
 #include "microhttpd.h"
 #include "oidc_helper.h"
 
@@ -2193,6 +2191,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   char *oidc_jwk_path = NULL;
   char *oidc_directory = NULL;
   char *tmp_at = NULL;
+  char *received_cid = NULL;
 
   /*
    * Check Authorization
@@ -2204,6 +2203,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
     GNUNET_SCHEDULER_add_now (&do_error, handle);
     return;
   }
+  received_cid = get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY);
 
   /*
    * Check parameter
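Review bot: `received_cid` is taken from `get_url_parameter_copy` with no NULL check and is then passed as a string to `OIDC_parse_authz_code` and the `OIDC_generate_id_token_*` calls in the later hunks of token_endpoint; if that helper returns NULL for a missing `client_id`, as its name suggests, those calls dereference NULL. Add `if (NULL == received_cid) { handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); GNUNET_SCHEDULER_add_now (&do_error, handle); return; }` right after the assignment, mirroring the error path a few lines above. No hunk in this commit frees the copy, so it also leaks on every exit of token_endpoint and of consume_fail (hunk `@@ -2571,9 +2591,14 @@`), where the same assignment is made. token_endpoint's body extends beyond this hunk.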
@@ -2265,7 +2265,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   }
 
   // decode code
-  if (GNUNET_OK != OIDC_parse_authz_code (ticket.rp_uri, code, code_verifier, 
&ticket,
+  if (GNUNET_OK != OIDC_parse_authz_code (received_cid, &cid, code,
+                                          code_verifier,
+                                          &ticket,
                                           &cl, &pl, &nonce,
                                           OIDC_VERIFICATION_DEFAULT))
   {
@@ -2311,6 +2313,15 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
     jwa = JWT_ALG_VALUE_RSA;
   }
 
+  char *tmp = GNUNET_strdup (ticket.gns_name);
+  GNUNET_assert (NULL != strtok (tmp, "."));
+  char *key = strtok (NULL, ".");
+  struct GNUNET_CRYPTO_PublicKey issuer;
+  GNUNET_assert (NULL != key);
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_CRYPTO_public_key_from_string (key, &issuer));
+  GNUNET_free (tmp);
+
   if (! strcmp (jwa, JWT_ALG_VALUE_RSA))
   {
     // Replace for now
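Review bot: The eight lines that split `ticket.gns_name` on `.` and assert that the second label parses as a public key turn a malformed name into a process abort via `GNUNET_assert`, although the ticket is copied out of the code payload the client presented (see the `memcpy (ticket, &params->ticket, ...)` in OIDC_parse_authz_code), so a bad name should be a request error rather than an abort. The same block is pasted again in consume_ticket (hunk `@@ -2481,7 +2492,15 @@`) and consume_fail (hunk `@@ -2590,7 +2615,15 @@`). Extract it into a helper that returns GNUNET_SYSERR instead of asserting, use `strtok_r` rather than the stateful `strtok`, and let each caller take its own error path; the sketch below shows the helper and the token_endpoint call site, the other two callers would use their respective error handling. token_endpoint's body continues outside the hunk.
```c
/* Derive the issuer key from the second label of a ticket's GNS name.
 * Returns GNUNET_OK on success, GNUNET_SYSERR if the name is malformed
 * or the label is not a valid public key string. */
static int
issuer_from_gns_name (const char *gns_name,
                      struct GNUNET_CRYPTO_PublicKey *issuer)
{
  char *tmp = GNUNET_strdup (gns_name);
  char *saveptr = NULL;
  char *key = NULL;
  int ret = GNUNET_SYSERR;

  if (NULL != strtok_r (tmp, ".", &saveptr))
    key = strtok_r (NULL, ".", &saveptr);
  if ((NULL != key) &&
      (GNUNET_OK == GNUNET_CRYPTO_public_key_from_string (key, issuer)))
    ret = GNUNET_OK;
  GNUNET_free (tmp);
  return ret;
}

/* … unchanged: token_endpoint up to the jwa selection … */
  struct GNUNET_CRYPTO_PublicKey issuer;
  if (GNUNET_OK != issuer_from_gns_name (ticket.gns_name, &issuer))
  {
    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
    GNUNET_SCHEDULER_add_now (&do_error, handle);
    return;
  }
  if (! strcmp (jwa, JWT_ALG_VALUE_RSA))
/* … unchanged: token generation … */
```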
@@ -2338,8 +2349,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
     }
 
     // Generate oidc token
-    id_token = OIDC_generate_id_token_rsa (ticket.rp_uri,
-                                           &ticket.identity,
+    id_token = OIDC_generate_id_token_rsa (received_cid,
+                                           &issuer,
                                            cl,
                                            pl,
                                            &expiration_time,
@@ -2366,8 +2377,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
       return;
     }
 
-    id_token = OIDC_generate_id_token_hmac (ticket.rp_uri,
-                                            &ticket.identity,
+    id_token = OIDC_generate_id_token_hmac (received_cid,
+                                            &issuer,
                                             cl,
                                             pl,
                                             &expiration_time,
@@ -2481,7 +2492,15 @@ consume_ticket (void *cls,
 
   if (NULL == identity)
   {
-    result_str = OIDC_generate_userinfo (&handle->ticket.identity,
+    char *tmp = GNUNET_strdup (handle->ticket.gns_name);
+    GNUNET_assert (NULL != strtok (tmp, "."));
+    char *key = strtok (NULL, ".");
+    struct GNUNET_CRYPTO_PublicKey issuer;
+    GNUNET_assert (NULL != key);
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_public_key_from_string (key, &issuer));
+    GNUNET_free (tmp);
+    result_str = OIDC_generate_userinfo (&issuer,
                                          handle->attr_userinfo_list,
                                          handle->presentations);
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Userinfo: %s\n", result_str);
@@ -2538,11 +2557,12 @@ consume_fail (void *cls)
   struct GNUNET_RECLAIM_AttributeList *cl = NULL;
   struct GNUNET_RECLAIM_PresentationList *pl = NULL;
   struct GNUNET_RECLAIM_Ticket ticket;
+  struct GNUNET_CRYPTO_PublicKey cid;
   struct MHD_Response *resp;
   char *nonce;
   char *cached_code;
   char *result_str;
-
+  char *received_cid;
 
   handle->consume_timeout_op = NULL;
   if (NULL != handle->idp_op)
@@ -2571,9 +2591,14 @@ consume_fail (void *cls)
                  GNUNET_CONTAINER_multihashmap_remove (oidc_code_cache,
                                                        &cache_key,
                                                        cached_code));
+  received_cid = get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY);
+  GNUNET_STRINGS_string_to_data (received_cid,
+                                 strlen (received_cid),
+                                 &cid,
+                                 sizeof(struct GNUNET_CRYPTO_PublicKey));
 
   // decode code
-  if (GNUNET_OK != OIDC_parse_authz_code (handle->ticket.rp_uri,
+  if (GNUNET_OK != OIDC_parse_authz_code (received_cid, &cid,
                                           cached_code, NULL, &ticket,
                                           &cl, &pl, &nonce,
                                           OIDC_VERIFICATION_NO_CODE_VERIFIER))
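Review bot: The return value of `GNUNET_STRINGS_string_to_data` is ignored, so when `client_id` does not decode to exactly `sizeof(struct GNUNET_CRYPTO_PublicKey)` bytes `cid` is left uninitialized and is still handed to `OIDC_parse_authz_code` below as the signature verification key. Wrap the call as `if (GNUNET_OK != GNUNET_STRINGS_string_to_data (received_cid, strlen (received_cid), &cid, sizeof (cid)))` and take consume_fail's error path; `received_cid` also needs a NULL check before the `strlen`, since `get_url_parameter_copy` is presumably NULL for a missing parameter, and the copy is never freed in this function. consume_fail's body continues on both sides of the hunk.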
@@ -2590,7 +2615,15 @@ consume_fail (void *cls)
 
   GNUNET_free (cached_code);
 
-  result_str = OIDC_generate_userinfo (&handle->ticket.identity,
+  char *tmp = GNUNET_strdup (handle->ticket.gns_name);
+  GNUNET_assert (NULL != strtok (tmp, "."));
+  char *key = strtok (NULL, ".");
+  struct GNUNET_CRYPTO_PublicKey issuer;
+  GNUNET_assert (NULL != key);
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_CRYPTO_public_key_from_string (key, &issuer));
+  GNUNET_free (tmp);
+  result_str = OIDC_generate_userinfo (&issuer,
                                        cl,
                                        pl);
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Userinfo: %s\n", result_str);



