From: Schanzenbach, Martin Date: Sat, 21 Jul 2018 06:00:49 +0000 (+0200) Subject: add more general HMAC function for JWTs X-Git-Tag: v0.11.0~322^2~61 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ee4adf9768a740c3d79b854453eb8bc0f5c14d30;p=oweals%2Fgnunet.git add more general HMAC function for JWTs --- diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index 7b69c157f..8a591fa09 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h @@ -725,6 +725,23 @@ void GNUNET_CRYPTO_hash_context_abort (struct GNUNET_HashContext *hc); +/** + * Calculate HMAC of a message (RFC 2104) + * TODO: Shouldn' this be the standard hmac function and + * the above be renamed? + * + * @param key secret key + * @param key_len secret key length + * @param plaintext input plaintext + * @param plaintext_len length of @a plaintext + * @param hmac where to store the hmac + */ +void +GNUNET_CRYPTO_hmac_raw (const void *key, size_t key_len, + const void *plaintext, size_t plaintext_len, + struct GNUNET_HashCode *hmac); + + /** * @ingroup hash * Calculate HMAC of a message (RFC 2104) diff --git a/src/reclaim/jwt.c b/src/reclaim/jwt.c index 45b5d73f6..ec1e6d098 100644 --- a/src/reclaim/jwt.c +++ b/src/reclaim/jwt.c @@ -65,8 +65,8 @@ create_jwt_header(void) char* jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, - const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, - const struct GNUNET_CRYPTO_AuthKey *priv_key) + const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, + const char *secret_key) { struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; struct GNUNET_HashCode signature; 
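Review bot: The doc comment added for `GNUNET_CRYPTO_hmac_raw` in gnunet_crypto_lib.h does not name the hash or state any expectation on the key, and it lacks the `@ingroup hash` tag that the comment following it carries. The crypto_hash.c hunks show the implementation reading `GCRY_MD_SHA512` and passing `key`/`key_len` straight to `gcry_md_setkey`, so I would add `@ingroup hash` and a sentence such as `HMAC-SHA512; @a key is used as given, without derivation or a minimum length, so the caller must supply a high-entropy secret`. The TODO has a typo (`Shouldn'`), and "the above" looks wrong, because the existing HMAC declaration appears to follow this one rather than precede it. The same comment is copied into the crypto_hash.c hunk at -365, where `GNUNET_CRYPTO_hmac` is likewise defined below, so the wording should be fixed in both places.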
@@ -89,12 +89,12 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, //nonce only if nonce // OPTIONAL acr,amr,azp subject = GNUNET_STRINGS_data_to_string_alloc (&sub_key, - sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); audience = GNUNET_STRINGS_data_to_string_alloc (aud_key, sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); header = create_jwt_header (); body = json_object (); - + //iss REQUIRED case sensitive server uri with https //The issuer is the local reclaim instance (e.g. https://reclaim.id/api/openid) json_object_set_new (body, @@ -108,8 +108,8 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, for (le = attrs->list_head; NULL != le; le = le->next) { attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type, - le->claim->data, - le->claim->data_size); + le->claim->data, + le->claim->data_size); json_object_set_new (body, le->claim->name, json_string (attr_val_str)); @@ -142,8 +142,8 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, * Creating the JWT signature. This might not be * standards compliant, check. */ - GNUNET_asprintf (&signature_target, "%s,%s", header_base64, body_base64); - GNUNET_CRYPTO_hmac (priv_key, signature_target, strlen (signature_target), &signature); + GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64); + GNUNET_CRYPTO_hmac_raw (secret_key, strlen (secret_key), signature_target, strlen (signature_target), &signature); GNUNET_STRINGS_base64_encode ((const char*)&signature, sizeof (struct GNUNET_HashCode), &signature_base64); diff --git a/src/reclaim/jwt.h b/src/reclaim/jwt.h index 4b0b01be3..39b4e2f3c 100644 --- a/src/reclaim/jwt.h +++ b/src/reclaim/jwt.h 
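Review bot: The `subject` assignment in this hunk passes `&sub_key` to `GNUNET_STRINGS_data_to_string_alloc`, but `sub_key` is already a pointer (`const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key` in the signature shown in the first jwt.c hunk). The call therefore encodes `sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)` bytes starting at the pointer variable itself, which reads past the parameter's storage and, assuming `subject` ends up in the `sub` claim, places a pointer value and adjacent stack bytes in the token instead of the subject key. The commit only re-indents the continuation line; the `audience` line right below passes `aud_key` directly, and the subject line should do the same: `subject = GNUNET_STRINGS_data_to_string_alloc (sub_key,`. The body of jwt_create_from_list starts and ends outside this hunk.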
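Review bot: `strlen (secret_key)` in the new `GNUNET_CRYPTO_hmac_raw` call dereferences the secret without a NULL check, and an empty string would be accepted as a zero-length HMAC key. None of the visible jwt.c hunks validates `secret_key`, so I would reject both cases at the top of jwt_create_from_list, before anything is allocated, e.g. `if ((NULL == secret_key) || ('\0' == secret_key[0])) return NULL;`, provided the caller handles a NULL token. The retained comment "This might not be standards compliant, check" is still open after the separator fix. The signature is the full HMAC-SHA512 output passed through `GNUNET_STRINGS_base64_encode`, so it is worth confirming that `create_jwt_header` names the matching algorithm and that the encoding is base64url without padding, neither of which is visible here. The function body starts and ends outside this hunk.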
@@ -5,6 +5,6 @@ char* jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, - const struct GNUNET_CRYPTO_AuthKey *priv_key); + const char* secret_key); #endif diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 6aa2cd907..5a34e5b72 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c @@ -1647,14 +1647,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, GNUNET_free(ticket); return; } - struct GNUNET_CRYPTO_AuthKey jwt_sign_key; struct GNUNET_CRYPTO_EcdsaPublicKey pk; GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pk); - GNUNET_CRYPTO_hash (jwt_secret, strlen (jwt_secret), (struct GNUNET_HashCode*)jwt_sign_key.key); char *id_token = jwt_create_from_list(&ticket->audience, &pk, cl, - &jwt_sign_key); + jwt_secret); //Create random access_token char* access_token_number; diff --git a/src/util/crypto_hash.c b/src/util/crypto_hash.c index 8410b7835..fe1f58df7 100644 --- a/src/util/crypto_hash.c +++ b/src/util/crypto_hash.c @@ -365,14 +365,17 @@ GNUNET_CRYPTO_hmac_derive_key_v (struct GNUNET_CRYPTO_AuthKey *key, /** * Calculate HMAC of a message (RFC 2104) + * TODO: Shouldn' this be the standard hmac function and + * the above be renamed? * * @param key secret key + * @param key_len secret key length * @param plaintext input plaintext * @param plaintext_len length of @a plaintext * @param hmac where to store the hmac */ void -GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key, +GNUNET_CRYPTO_hmac_raw (const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac) { 
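Review bot: In the token_endpoint hunk, `jwt_secret` is now handed to `jwt_create_from_list` as the HMAC key exactly as configured, and nothing in the hunk checks that it is set or long enough. RFC 7518 section 3.2 requires an HMAC key at least as large as the hash output, which is 64 bytes for the SHA-512 HMAC used in crypto_hash.c; a short or guessable secret leaves id_token signatures open to offline guessing. I would refuse to issue tokens when `NULL == jwt_secret || strlen (jwt_secret) < sizeof (struct GNUNET_HashCode)`. Where `jwt_secret` is loaded is outside the hunk, so the check may belong there, together with a log message telling the operator to configure a longer secret. token_endpoint starts and ends outside this hunk.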
@@ -390,7 +393,7 @@ GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key, { gcry_md_reset (md); } - gcry_md_setkey (md, key->key, sizeof (key->key)); + gcry_md_setkey (md, key, key_len); gcry_md_write (md, plaintext, plaintext_len); mc = gcry_md_read (md, GCRY_MD_SHA512); GNUNET_assert (NULL != mc); @@ -398,6 +401,25 @@ GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key, } +/** + * Calculate HMAC of a message (RFC 2104) + * + * @param key secret key + * @param plaintext input plaintext + * @param plaintext_len length of @a plaintext + * @param hmac where to store the hmac + */ +void +GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key, + const void *plaintext, size_t plaintext_len, + struct GNUNET_HashCode *hmac) +{ + GNUNET_CRYPTO_hmac_raw ((void*) key->key, sizeof (key->key), + plaintext, plaintext_len, + hmac); +} + + /** * Context for cummulative hashing. */
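Review bot: The return value of `gcry_md_setkey (md, key, key_len)` is ignored. The key and its length now come straight from the caller instead of a fixed-size `struct GNUNET_CRYPTO_AuthKey`, so if libgcrypt rejects the key the failure goes unnoticed and the MAC is produced from whatever key state the handle holds. The function already asserts on the `gcry_md_read` result, so the same pattern fits here: `GNUNET_assert (0 == gcry_md_setkey (md, key, key_len));`. The body of GNUNET_CRYPTO_hmac_raw starts outside this hunk.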
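Review bot: The cast in `GNUNET_CRYPTO_hmac_raw ((void*) key->key, sizeof (key->key),` strips `const` for no benefit, since the parameter is `const void *` and `key->key` converts implicitly. Writing `GNUNET_CRYPTO_hmac_raw (key->key, sizeof (key->key),` keeps the compiler's const checking intact. The wrapper's doc comment could also state that it is HMAC-SHA512 keyed with the fixed-size `key->key`, so readers can tell it apart from the raw variant defined above it.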