From d81369afa8c051383727fa4c54479decc4071b9e Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Sat, 21 Jul 2018 12:02:24 +0200 Subject: [PATCH] fixes for JWT creation --- src/reclaim/jwt.c | 30 +++++++++++-- src/reclaim/jwt.h | 17 +++++++- src/reclaim/plugin_rest_openid_connect.c | 55 ++++-------------------- src/reclaim/reclaim.conf | 2 +- 4 files changed, 50 insertions(+), 54 deletions(-) diff --git a/src/reclaim/jwt.c b/src/reclaim/jwt.c index 9885bf467..41a3747ed 100644 --- a/src/reclaim/jwt.c +++ b/src/reclaim/jwt.c @@ -83,19 +83,25 @@ fix_base64(char* str) { /** * Create a JWT from attributes * - * @param aud_key the public of the subject + * @param aud_key the public of the audience + * @param sub_key the public key of the subject * @param attrs the attribute list - * @param priv_key the key used to sign the JWT + * @param expiration_time the validity of the token + * @param secret_key the key used to sign the JWT * @return a new base64-encoded JWT string. */ char* jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, + const struct GNUNET_TIME_Relative *expiration_time, + const char *nonce, const char *secret_key) { struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; struct GNUNET_HashCode signature; + struct GNUNET_TIME_Absolute exp_time; + struct GNUNET_TIME_Absolute time_now; char* audience; char* subject; char* header; @@ -107,9 +113,11 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, char* signature_base64; char* attr_val_str; json_t* body; - - //exp REQUIRED time expired from config + //iat REQUIRED time now + time_now = GNUNET_TIME_absolute_get(); + //exp REQUIRED time expired from config + exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time); //auth_time only if max_age //nonce only if nonce // OPTIONAL acr,amr,azp 
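Review bot: The doc comment on jwt_create_from_list in this hunk gains @param lines for sub_key, expiration_time and secret_key but none for the new `nonce` parameter, which the header added in the same patch documents as optional; add `* @param nonce the nonce, may be NULL` between the expiration_time and secret_key entries so the two copies agree. `@param aud_key the public of the audience` is also missing the word "key". Since `expiration_time` is dereferenced unconditionally further down (`*expiration_time` in the next hunk), the comment should state that it must not be NULL and that it is a duration added to the current time, e.g. `* @param expiration_time validity duration added to now to form the exp claim (must not be NULL)`. The function body continues past the end of this hunk.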
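Review bot: `exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time);` dereferences the new pointer parameter without a check, and nothing in the patch marks it as required except the absence of "may be NULL" in the header comment; a `GNUNET_assert (NULL != expiration_time);` before the first use makes the contract explicit in code rather than leaving a NULL from a future caller to crash here. Whether GNUNET_TIME_absolute_add saturates to forever when `time_now` plus the configured duration overflows I cannot confirm from this patch; if it does not, an EXPIRATION_TIME of `forever` would wrap into a past `exp` rather than an open-ended token, so it is worth a look. The function body continues outside the hunk.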
@@ -130,6 +138,20 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, //aud REQUIRED public key client_id must be there json_object_set_new (body, "aud", json_string (audience)); + //iat + json_object_set_new (body, + "iat", json_integer (time_now.abs_value_us)); + //exp + json_object_set_new (body, + "exp", json_integer (exp_time.abs_value_us)); + //nbf + json_object_set_new (body, + "nbf", json_integer (time_now.abs_value_us)); + //nonce + if (NULL != nonce) + json_object_set_new (body, + "nonce", json_string (nonce)); + for (le = attrs->list_head; NULL != le; le = le->next) { attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type, diff --git a/src/reclaim/jwt.h b/src/reclaim/jwt.h index 39b4e2f3c..12ff85b01 100644 --- a/src/reclaim/jwt.h +++ b/src/reclaim/jwt.h @@ -1,10 +1,23 @@ #ifndef JWT_H #define JWT_H +/** + * Create a JWT from attributes + * + * @param aud_key the public of the audience + * @param sub_key the public key of the subject + * @param attrs the attribute list + * @param expiration_time the validity of the token + * @param nonce the nonce, may be NULL + * @param secret_key the key used to sign the JWT + * @return a new base64-encoded JWT string. + */ char* jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, - const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, - const char* secret_key); + const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, + const struct GNUNET_TIME_Relative *expiration_time, + const char *nonce, + const char *secret_key); #endif diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 5a34e5b72..d1c5b31b6 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c @@ -168,7 +168,6 @@ static char* OIDC_ignored_parameter_array [] = { "display", "prompt", - "max_age", "ui_locales", "response_mode", "id_token_hint", 
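Review bot: The `iat`, `exp` and `nbf` claims written here carry `abs_value_us`, i.e. microseconds since the epoch, but RFC 7519 defines NumericDate as seconds since the epoch; a standard validator reading the microsecond value as seconds sees an `exp` tens of thousands of years in the future, so the configured lifetime is never enforced, and an `iat`/`nbf` equally far in the future makes strict validators reject the token as not yet valid. Emit seconds instead: `"iat", json_integer (time_now.abs_value_us / 1000LL / 1000LL)`, `"exp", json_integer (exp_time.abs_value_us / 1000LL / 1000LL)`, `"nbf", json_integer (time_now.abs_value_us / 1000LL / 1000LL)`. The return values of `json_object_set_new` are unchecked throughout; jansson's `json_string` returns NULL on invalid UTF-8, in which case the `nonce` claim is silently dropped and the relying party's nonce check fails later instead of the token request failing here. The rest of the function body lies outside the hunk.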
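Review bot: `@param aud_key the public of the audience` in the new header comment drops the word "key"; write `* @param aud_key the public key of the audience`. The comment should also say what `expiration_time` is relative to, since the implementation in this patch adds it to the current time: `* @param expiration_time validity duration, added to the current time to form the exp claim`. The return value is described as "a new" string, which suggests the caller owns and must free it, but the allocation is not visible in this patch, so confirm that before documenting the ownership.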
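Review bot: Dropping `"max_age"` from `OIDC_ignored_parameter_array` while this same patch deletes the `max_age`/`auth_time` handling in token_endpoint looks inconsistent: the endpoint no longer emits `auth_time` at all, yet `max_age` is no longer classified as an ignored parameter. I cannot see how the array is consumed, but if it drives an error or a log-and-ignore path for unsupported request parameters, a client that sends `max_age` now gets different treatment without receiving the `auth_time` claim that OpenID Connect Core 3.1.2.1 requires whenever `max_age` is used. Either keep `"max_age",` in the array until `auth_time` is actually tracked, or add a comment at the removal site explaining where `max_age` is now handled.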
@@ -1320,7 +1319,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, int client_exists = GNUNET_NO; struct MHD_Response *resp; char* code_output; - json_t *root, *ticket_string, *nonce, *max_age; + json_t *root; + json_t *ticket_string; + json_t *nonce; json_error_t error; char *json_response; char *jwt_secret; @@ -1515,7 +1516,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, GNUNET_free(code_output); ticket_string = json_object_get (root, "ticket"); nonce = json_object_get (root, "nonce"); - max_age = json_object_get (root, "max_age"); if(ticket_string == NULL && !json_is_string(ticket_string)) { @@ -1557,9 +1557,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } //create jwt - unsigned long long int expiration_time; + struct GNUNET_TIME_Relative expiration_time; if ( GNUNET_OK - != GNUNET_CONFIGURATION_get_value_number(cfg, "reclaim-rest-plugin", + != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin", "expiration_time", &expiration_time) ) { GNUNET_free_non_null(user_psw); 
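Review bot: The guard `if(ticket_string == NULL && !json_is_string(ticket_string))` that follows the removed `max_age` lookup only fires when `ticket_string` is NULL; a `ticket` member that is present but not a string (a number or object inside the decrypted code payload, which is attacker-influenced input) passes it, and any later `json_string_value (ticket_string)` — not visible in this hunk — returns NULL for a non-string. The condition should be `if ((NULL == ticket_string) || !json_is_string (ticket_string))`. The `nonce` lookup right above it is at least guarded with `json_is_string` at the call site later in the patch, so only the ticket check needs the fix. token_endpoint's body continues outside the hunk.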
@@ -1572,48 +1572,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); - //aud REQUIRED public key client_id must be there - GNUNET_RECLAIM_ATTRIBUTE_list_add(cl, - "aud", - GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, - client_id, - strlen(client_id)); - //exp REQUIRED time expired from config - struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute ( - GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), - expiration_time)); - const char* exp_time_string = GNUNET_STRINGS_absolute_time_to_string(exp_time); - GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, - "exp", - GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, - exp_time_string, - strlen(exp_time_string)); - //iat REQUIRED time now - struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get(); - const char* time_now_string = GNUNET_STRINGS_absolute_time_to_string(time_now); - GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, - "iat", - GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, - time_now_string, - strlen(time_now_string)); - //nonce only if nonce is provided - if ( NULL != nonce && json_is_string(nonce) ) - { - GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, - "nonce", - GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, - json_string_value(nonce), - strlen(json_string_value(nonce))); - } - //auth_time only if max_age is provided - if ( NULL != max_age && json_is_string(max_age) ) - { - GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, - "auth_time", - GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, - json_string_value(max_age), - strlen(json_string_value(max_age))); - } + //TODO OPTIONAL acr,amr,azp struct EgoEntry *ego_entry; @@ -1652,6 +1611,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, char *id_token = jwt_create_from_list(&ticket->audience, &pk, cl, + &expiration_time, + (NULL != nonce && json_is_string(nonce)) ? json_string_value (nonce) : NULL, jwt_secret); //Create random access_token 
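Review bot: With the `auth_time` block removed, the surviving `//TODO OPTIONAL acr,amr,azp` no longer records that `auth_time` is unimplemented, even though OpenID Connect makes it mandatory whenever the client sent `max_age` (the deleted code was wrong anyway, since it emitted the `max_age` value in place of the authentication time). Extend the comment: `//TODO OPTIONAL acr,amr,azp; auth_time is REQUIRED when max_age was requested but is not tracked yet`. `cl` is allocated here and only consumed by `jwt_create_from_list` further down, with code I cannot see in between; the early-return paths in that gap should free it, which is worth checking while touching this function. token_endpoint continues outside the hunk.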
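Review bot: The ternary `(NULL != nonce && json_is_string(nonce)) ? json_string_value (nonce) : NULL` in the argument list hands jwt_create_from_list a pointer borrowed from `root` (the parsed code payload), so `root` must stay alive until the call returns; the `json_decref (root)` is not visible in this hunk, so confirm it comes after this call. For readability, bind it once above the call: `const char *nonce_str = (NULL != nonce && json_is_string (nonce)) ? json_string_value (nonce) : NULL;` and pass `nonce_str`. The surrounding function starts and ends outside the hunk.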
diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf index e93899e05..cf0a0dc5e 100644 --- a/src/reclaim/reclaim.conf +++ b/src/reclaim/reclaim.conf @@ -17,7 +17,7 @@ DATABASE = sqlite ADDRESS = https://reclaim.ui/#/login PSW = secret JWT_SECRET = secret -EXPIRATION_TIME = 3600 +EXPIRATION_TIME = 1d [reclaim-sqlite] FILENAME = $GNUNET_DATA_HOME/reclaim/sqlite.db -- 2.25.1
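Review bot: `EXPIRATION_TIME = 1d` is not a unit-format conversion of the old `3600`: the code this patch removes multiplied the number by one second, so the previous default ID-token lifetime was one hour and the new one is one day, a 24x increase in how long a leaked token remains valid that a commit titled "fixes for JWT creation" does not mention. If the longer lifetime is intended, say so in the commit message; otherwise `EXPIRATION_TIME = 1h` preserves the old behaviour. The neighbouring `JWT_SECRET = secret` and `PSW = secret` are pre-existing, but a known signing secret in the shipped default config means any deployment that keeps it issues forgeable tokens; a `# change before deployment` comment next to them would be cheap.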