
[GNUnet-SVN] [gnunet] branch master updated: fixes for JWT creation


From: gnunet
Subject: [GNUnet-SVN] [gnunet] branch master updated: fixes for JWT creation
Date: Sat, 21 Jul 2018 12:02:27 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository gnunet.

The following commit(s) were added to refs/heads/master by this push:
     new d81369afa fixes for JWT creation
d81369afa is described below

commit d81369afa8c051383727fa4c54479decc4071b9e
Author: Schanzenbach, Martin <address@hidden>
AuthorDate: Sat Jul 21 12:02:24 2018 +0200

    fixes for JWT creation
---
 src/reclaim/jwt.c                        | 30 ++++++++++++++---
 src/reclaim/jwt.h                        | 17 ++++++++--
 src/reclaim/plugin_rest_openid_connect.c | 55 +++++---------------------------
 src/reclaim/reclaim.conf                 |  2 +-
 4 files changed, 50 insertions(+), 54 deletions(-)

diff --git a/src/reclaim/jwt.c b/src/reclaim/jwt.c
index 9885bf467..41a3747ed 100644
--- a/src/reclaim/jwt.c
+++ b/src/reclaim/jwt.c
@@ -83,19 +83,25 @@ fix_base64(char* str) {
 /**
  * Create a JWT from attributes
  *
- * @param aud_key the public of the subject
+ * @param aud_key the public of the audience
+ * @param sub_key the public key of the subject
  * @param attrs the attribute list
- * @param priv_key the key used to sign the JWT
+ * @param expiration_time the validity of the token
+ * @param secret_key the key used to sign the JWT
  * @return a new base64-encoded JWT string.
  */
 char*
 jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
                       const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
                       const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
+                      const struct GNUNET_TIME_Relative *expiration_time,
+                      const char *nonce,
                       const char *secret_key)
 {
   struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le;
   struct GNUNET_HashCode signature;
+  struct GNUNET_TIME_Absolute exp_time;
+  struct GNUNET_TIME_Absolute time_now;
   char* audience;
   char* subject;
   char* header;
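Review bot: The jwt.c doc block at the top of this hunk gains `@param expiration_time` and renames `@param secret_key`, but it still has no entry for the new `nonce` parameter that the signature adds two lines below, while the copy in jwt.h does document it; add ` * @param nonce the nonce, may be NULL` after the `expiration_time` line so the two descriptions match. The same block reads `the public of the audience`, which is missing a word: ` * @param aud_key the public key of the audience`. jwt_create_from_list's body continues outside the hunk.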
@@ -107,9 +113,11 @@ jwt_create_from_list (const struct 
GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
   char* signature_base64;
   char* attr_val_str;
   json_t* body;
-
-  //exp REQUIRED time expired from config
+  
   //iat REQUIRED time now
+  time_now = GNUNET_TIME_absolute_get();
+  //exp REQUIRED time expired from config
+  exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time);
   //auth_time only if max_age
   //nonce only if nonce
   // OPTIONAL acr,amr,azp
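Review bot: `*expiration_time` is dereferenced unconditionally on the `GNUNET_TIME_absolute_add` line, yet neither doc block states that the pointer must be non-NULL, whereas `nonce` is explicitly documented as optional and checked before use. Either document the contract, ` * @param expiration_time the validity of the token, must not be NULL`, or add `GNUNET_assert (NULL != expiration_time);` ahead of the add. The blank line the hunk replaces is re-added with trailing whitespace (`+  `); it should be an empty line. The enclosing function starts and ends outside this hunk.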
@@ -130,6 +138,20 @@ jwt_create_from_list (const struct 
GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
   //aud REQUIRED public key client_id must be there
   json_object_set_new (body,
                        "aud", json_string (audience));
+  //iat
+  json_object_set_new (body,
+                       "iat", json_integer (time_now.abs_value_us));
+  //exp
+  json_object_set_new (body,
+                       "exp", json_integer (exp_time.abs_value_us));
+  //nbf
+  json_object_set_new (body,
+                       "nbf", json_integer (time_now.abs_value_us));
+  //nonce
+  if (NULL != nonce)
+    json_object_set_new (body,
+                         "nonce", json_string (nonce));
+
   for (le = attrs->list_head; NULL != le; le = le->next)
   {
     attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type,
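Review bot: The new `iat`, `exp` and `nbf` claims are filled from `abs_value_us`, which, going by the field name, holds microseconds since the epoch, whereas RFC 7519 defines these three claims as NumericDate, i.e. seconds since the epoch. A conforming verifier would read such an `exp` as a date millions of years in the future, so the expiration added in this commit would not actually bound the token's validity for any consumer other than this code, and `nbf` read the same way would make the token appear not yet valid. Convert to seconds when building the claims, e.g. `json_object_set_new (body, "exp", json_integer (exp_time.abs_value_us / 1000000LL));` and the same for `iat` and `nbf`. jwt_create_from_list's body continues past this hunk.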
diff --git a/src/reclaim/jwt.h b/src/reclaim/jwt.h
index 39b4e2f3c..12ff85b01 100644
--- a/src/reclaim/jwt.h
+++ b/src/reclaim/jwt.h
@@ -1,10 +1,23 @@
 #ifndef JWT_H
 #define JWT_H
 
+/**
+ * Create a JWT from attributes
+ *
+ * @param aud_key the public of the audience
+ * @param sub_key the public key of the subject
+ * @param attrs the attribute list
+ * @param expiration_time the validity of the token
+ * @param nonce the nonce, may be NULL
+ * @param secret_key the key used to sign the JWT
+ * @return a new base64-encoded JWT string.
+ */
 char*
 jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
                       const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
-                                                const struct 
GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
-                                                const char* secret_key);
+                      const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs,
+                      const struct GNUNET_TIME_Relative *expiration_time,
+                      const char *nonce,
+                      const char *secret_key);
 
 #endif
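Review bot: The prototype now names `struct GNUNET_TIME_Relative` in addition to `struct GNUNET_CRYPTO_EcdsaPublicKey` and `struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList`, yet the header as shown between the guards contains no `#include` and no forward declaration for any of them, so compiling depends on the including file having pulled in the GNUnet headers first (a struct first mentioned inside a parameter list has prototype scope only and compilers warn about it). Include the headers that define these types, or at least forward-declare the three structs above the prototype. The doc line `the public of the audience` is missing a word, as in jwt.c: ` * @param aud_key the public key of the audience`.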
diff --git a/src/reclaim/plugin_rest_openid_connect.c 
b/src/reclaim/plugin_rest_openid_connect.c
index 5a34e5b72..d1c5b31b6 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -168,7 +168,6 @@ static char* OIDC_ignored_parameter_array [] =
 {
   "display",
   "prompt",
-  "max_age",
   "ui_locales", 
   "response_mode",
   "id_token_hint",
@@ -1320,7 +1319,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   int client_exists = GNUNET_NO;
   struct MHD_Response *resp;
   char* code_output;
-  json_t *root, *ticket_string, *nonce, *max_age;
+  json_t *root;
+  json_t *ticket_string;
+  json_t *nonce;
   json_error_t error;
   char *json_response;
   char *jwt_secret;
@@ -1515,7 +1516,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   GNUNET_free(code_output);
   ticket_string = json_object_get (root, "ticket");
   nonce = json_object_get (root, "nonce");
-  max_age = json_object_get (root, "max_age");
 
   if(ticket_string == NULL && !json_is_string(ticket_string))
   {
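Review bot: The ticket check on the `if(ticket_string == NULL && !json_is_string(ticket_string))` context line is only true when `ticket_string` is NULL; a `ticket` member that is present but not a string is not rejected and flows on into the rest of the function. The condition should be `if (NULL == ticket_string || !json_is_string (ticket_string))`. This predates the commit, but the removed `max_age` lookup sits directly above it, so it is worth fixing in the same pass. token_endpoint's body starts and ends outside the hunk.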
@@ -1557,9 +1557,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   }
 
   //create jwt
-  unsigned long long int expiration_time;
+  struct GNUNET_TIME_Relative expiration_time;
   if ( GNUNET_OK
-       != GNUNET_CONFIGURATION_get_value_number(cfg, "reclaim-rest-plugin",
+       != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin",
                                                 "expiration_time", 
&expiration_time) )
   {
     GNUNET_free_non_null(user_psw);
@@ -1572,48 +1572,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   }
 
   struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct 
GNUNET_RECLAIM_ATTRIBUTE_ClaimList);
-  //aud REQUIRED public key client_id must be there
-  GNUNET_RECLAIM_ATTRIBUTE_list_add(cl,
-                                     "aud",
-                                     GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
-                                     client_id,
-                                     strlen(client_id));
-  //exp REQUIRED time expired from config
-  struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute (
-                                                                           
GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (),
-                                                                               
                           expiration_time));
-  const char* exp_time_string = 
GNUNET_STRINGS_absolute_time_to_string(exp_time);
-  GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
-                                      "exp",
-                                      GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
-                                      exp_time_string,
-                                      strlen(exp_time_string));
-  //iat REQUIRED time now
-  struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get();
-  const char* time_now_string = 
GNUNET_STRINGS_absolute_time_to_string(time_now);
-  GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
-                                      "iat",
-                                      GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
-                                      time_now_string,
-                                      strlen(time_now_string));
-  //nonce only if nonce is provided
-  if ( NULL != nonce && json_is_string(nonce) )
-  {
-    GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
-                                        "nonce",
-                                        GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
-                                        json_string_value(nonce),
-                                        strlen(json_string_value(nonce)));
-  }
-  //auth_time only if max_age is provided
-  if ( NULL != max_age && json_is_string(max_age) )
-  {
-    GNUNET_RECLAIM_ATTRIBUTE_list_add (cl,
-                                        "auth_time",
-                                        GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING,
-                                        json_string_value(max_age),
-                                        strlen(json_string_value(max_age)));
-  }
+  
   //TODO OPTIONAL acr,amr,azp
 
   struct EgoEntry *ego_entry;
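Review bot: The only line this hunk adds is whitespace (`+  ` with trailing spaces) where the removed block stood; drop it so the two surrounding blank lines collapse into one. With the `auth_time`/`max_age` handling deleted here and `max_age` also removed from `OIDC_ignored_parameter_array` in the first hunk of this file, a request carrying `max_age` appears to be neither honoured nor explicitly ignored any more; if that is meant as a follow-up, extend the remaining TODO to `//TODO OPTIONAL acr,amr,azp, auth_time (max_age)` so the gap is recorded. token_endpoint's body starts and ends outside the hunk.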
@@ -1652,6 +1611,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
   char *id_token = jwt_create_from_list(&ticket->audience,
                                         &pk,
                                         cl,
+                                        &expiration_time,
+                                        (NULL != nonce && 
json_is_string(nonce)) ? json_string_value (nonce) : NULL,
                                         jwt_secret);
 
   //Create random access_token
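Review bot: The nonce argument to `jwt_create_from_list` is a ternary that spans the wrapped `(NULL != nonce && json_is_string(nonce)) ? json_string_value (nonce) : NULL` line, which is hard to read inside an argument list; hoist it into a local before the call, `const char *nonce_str = (NULL != nonce && json_is_string (nonce)) ? json_string_value (nonce) : NULL;`, and pass `nonce_str`. The pointer returned by `json_string_value` stays valid only while `root` is alive, so `root` must not be released before this call; where that happens is outside the hunk, so it is worth a glance. token_endpoint's body starts and ends outside the hunk.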
diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf
index e93899e05..cf0a0dc5e 100644
--- a/src/reclaim/reclaim.conf
+++ b/src/reclaim/reclaim.conf
@@ -17,7 +17,7 @@ DATABASE = sqlite
 ADDRESS = https://reclaim.ui/#/login
 PSW = secret
 JWT_SECRET = secret
-EXPIRATION_TIME = 3600
+EXPIRATION_TIME = 1d
 
 [reclaim-sqlite]
 FILENAME = $GNUNET_DATA_HOME/reclaim/sqlite.db
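Review bot: `EXPIRATION_TIME` changes from `3600`, which the removed code multiplied by `GNUNET_TIME_relative_get_second_ ()`, to `1d`, so this is a 24-fold increase in the id_token lifetime rather than a plain switch to the duration syntax that `GNUNET_CONFIGURATION_get_value_time` expects; if only the syntax change was intended, the equivalent is `EXPIRATION_TIME = 1h`. Whichever lifetime is intended, a one-line comment above the key stating the accepted unit suffixes and that a longer value keeps issued tokens usable for longer would help operators tune it deliberately.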
