GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc);
+/**
+ * Calculate HMAC of a message (RFC 2104)
+ * TODO: Shouldn' this be the standard hmac function and
+ * the above be renamed?
+ *
+ * @param key secret key
+ * @param key_len secret key length
+ * @param plaintext input plaintext
+ * @param plaintext_len length of @a plaintext
+ * @param hmac where to store the hmac
+ */
+void
+GNUNET_CRYPTO_hmac_raw (const void *key, size_t key_len,
+ const void *plaintext, size_t plaintext_len,
+ struct GNUNET_HashCode *hmac);
+
+
/**
* @ingroup hash
* Calculate HMAC of a message (RFC 2104)
char*
jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
- const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
- const struct GNUNET_CRYPTO_AuthKey *priv_key)
+ const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
+ const char *secret_key)
{
struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le;
struct GNUNET_HashCode signature;
//nonce only if nonce
// OPTIONAL acr,amr,azp
subject = GNUNET_STRINGS_data_to_string_alloc (&sub_key,
- sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey));
+ sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey));
audience = GNUNET_STRINGS_data_to_string_alloc (aud_key,
sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey));
header = create_jwt_header ();
body = json_object ();
-
+
//iss REQUIRED case sensitive server uri with https
//The issuer is the local reclaim instance (e.g. https://reclaim.id/api/openid)
json_object_set_new (body,
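Review bot: The `subject` computation that this hunk only re-indents passes `&sub_key`, the address of the pointer parameter, where the `audience` call just below passes `aud_key` itself. As written it encodes `sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)` bytes starting at the local pointer variable, so the `sub` claim would hold a stack address plus whatever lies next to it, not the subject's public key. That is an out-of-bounds read if the struct is larger than a pointer, and it puts process memory into a token handed to a relying party. The call should read `GNUNET_STRINGS_data_to_string_alloc (sub_key, sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey));`. The function body starts and ends outside this hunk.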
for (le = attrs->list_head; NULL != le; le = le->next)
{
attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type,
- le->claim->data,
- le->claim->data_size);
+ le->claim->data,
+ le->claim->data_size);
json_object_set_new (body,
le->claim->name,
json_string (attr_val_str));
* Creating the JWT signature. This might not be
* standards compliant, check.
*/
- GNUNET_asprintf (&signature_target, "%s,%s", header_base64, body_base64);
- GNUNET_CRYPTO_hmac (priv_key, signature_target, strlen (signature_target), &signature);
+ GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
+ GNUNET_CRYPTO_hmac_raw (secret_key, strlen (secret_key), signature_target, strlen (signature_target), &signature);
GNUNET_STRINGS_base64_encode ((const char*)&signature,
sizeof (struct GNUNET_HashCode),
&signature_base64);
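Review bot: `secret_key` is handed to `strlen` and used directly as the HMAC key in the new `GNUNET_CRYPTO_hmac_raw` call, with no check that it is non-NULL and non-empty. A NULL pointer crashes here, and an empty string yields a token signed with a zero-length key that any party can reproduce; the caller that now passes `jwt_secret` straight through shows no such check in its visible lines either. A guard before signing, e.g. `GNUNET_assert ((NULL != secret_key) && ('\0' != secret_key[0]));` or an error return, would close that. Separately, the retained comment still questions standards compliance: the signature is encoded with `GNUNET_STRINGS_base64_encode`, and JWS expects unpadded base64url, so that is worth confirming. The function body starts and ends outside this hunk.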
jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
- const struct GNUNET_CRYPTO_AuthKey *priv_key);
+ const char* secret_key);
#endif
GNUNET_free(ticket);
return;
}
- struct GNUNET_CRYPTO_AuthKey jwt_sign_key;
struct GNUNET_CRYPTO_EcdsaPublicKey pk;
GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pk);
- GNUNET_CRYPTO_hash (jwt_secret, strlen (jwt_secret), (struct GNUNET_HashCode*)jwt_sign_key.key);
char *id_token = jwt_create_from_list(&ticket->audience,
&pk,
cl,
- &jwt_sign_key);
+ jwt_secret);
//Create random access_token
char* access_token_number;
/**
* Calculate HMAC of a message (RFC 2104)
+ * TODO: Shouldn' this be the standard hmac function and
+ * the above be renamed?
*
* @param key secret key
+ * @param key_len secret key length
* @param plaintext input plaintext
* @param plaintext_len length of @a plaintext
* @param hmac where to store the hmac
*/
void
-GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
+GNUNET_CRYPTO_hmac_raw (const void *key, size_t key_len,
const void *plaintext, size_t plaintext_len,
struct GNUNET_HashCode *hmac)
{
{
gcry_md_reset (md);
}
- gcry_md_setkey (md, key->key, sizeof (key->key));
+ gcry_md_setkey (md, key, key_len);
gcry_md_write (md, plaintext, plaintext_len);
mc = gcry_md_read (md, GCRY_MD_SHA512);
GNUNET_assert (NULL != mc);
}
+/**
+ * Calculate HMAC of a message (RFC 2104)
+ *
+ * @param key secret key
+ * @param plaintext input plaintext
+ * @param plaintext_len length of @a plaintext
+ * @param hmac where to store the hmac
+ */
+void
+GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
+ const void *plaintext, size_t plaintext_len,
+ struct GNUNET_HashCode *hmac)
+{
+ GNUNET_CRYPTO_hmac_raw ((void*) key->key, sizeof (key->key),
+ plaintext, plaintext_len,
+ hmac);
+}
+
+
/**
* Context for cummulative hashing.
*/
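Review bot: The return value of `gcry_md_setkey (md, key, key_len)` is discarded, and with this change the key and its length come from arbitrary callers, not from a fixed-size `GNUNET_CRYPTO_AuthKey`. If libgcrypt rejects the key, the following `gcry_md_write`/`gcry_md_read` would presumably still produce a digest, just not one keyed with the caller's secret. Checking it, e.g. `GNUNET_assert (0 == gcry_md_setkey (md, key, key_len));`, makes that failure visible instead of silently emitting a wrong MAC. In the new `GNUNET_CRYPTO_hmac` wrapper the `(void*)` cast on `key->key` drops `const` and is unnecessary, since the parameter is already `const void *`. The body of `GNUNET_CRYPTO_hmac_raw` starts outside this hunk.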