GNUnet 0.25.2-11-g84e94e98c
 
Loading...
Searching...
No Matches
Data Structures | Functions | Variables
oidc_helper.c File Reference
#include <inttypes.h>
#include <jansson.h>
#include <jose/jose.h>
#include "gnunet_gns_service.h"
#include "gnunet_gnsrecord_lib.h"
#include "gnunet_util_lib.h"
#include "gnunet_reclaim_lib.h"
#include "gnunet_reclaim_service.h"
#include "gnunet_signatures.h"
#include "oidc_helper.h"
#include <gcrypt.h>
Include dependency graph for oidc_helper.c:

Go to the source code of this file.

Data Structures

struct  OIDC_Parameters
 The signature used to generate the authorization code. More...
 

Functions

static enum GNUNET_GenericReturnValue is_claim_in_address_scope (const char *claim)
 
static char * create_jwt_hmac_header (void)
 
static void replace_char (char *str, char find, char replace)
 
static void fix_base64 (char *str)
 
static json_t * generate_userinfo_json (const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
 
char * OIDC_generate_userinfo (const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
 Generate userinfo JSON as string.
 
static char * generate_id_token_body (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
 
char * OIDC_generate_id_token_rsa (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const json_t *secret_rsa_key)
 Create a JWT using RSA256 algorithm from attributes.
 
char * OIDC_generate_id_token_hmac (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const char *secret_key)
 Create a JWT using HMAC (HS256) from attributes.
 
char * OIDC_build_authz_code (const struct GNUNET_CRYPTO_BlindablePrivateKey *issuer, const struct GNUNET_RECLAIM_Ticket *ticket, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const char *nonce_str, const char *code_challenge)
 Builds an OIDC authorization code including a reclaim ticket and nonce.
 
static enum GNUNET_GenericReturnValue check_code_challenge (const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
 
int OIDC_parse_authz_code (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *cid, const char *code, const char *code_verifier, struct GNUNET_RECLAIM_Ticket *ticket, struct GNUNET_RECLAIM_AttributeList **attrs, struct GNUNET_RECLAIM_PresentationList **presentations, char **nonce_str, enum OIDC_VerificationOptions opts, char **emsg)
 Parse reclaim ticket and nonce from authorization code.
 
void OIDC_build_token_response (const char *access_token, const char *id_token, const struct GNUNET_TIME_Relative *expiration_time, char **token_response)
 Build a token response for a token request TODO: Maybe we should add the scope here?
 
char * OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket, const char *rp_uri)
 Generate a new access token.
 
int OIDC_access_token_parse (const char *token, struct GNUNET_RECLAIM_Ticket **ticket, char **rp_uri)
 Parse an access token.
 
enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request (const char *scopes, const char *attr)
 Checks if a claim is implicitly requested through standard scope(s) or explicitly through non-standard scope.
 

Variables

static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims [14][32]
 Standard claims represented by the "profile" scope in OIDC.
 
static char OIDC_email_claims [2][16]
 Standard claims represented by the "email" scope in OIDC.
 
static char OIDC_phone_claims [2][32]
 Standard claims represented by the "phone" scope in OIDC.
 
static char OIDC_address_claims [5][32]
 Standard claims represented by the "address" scope in OIDC.
 

Function Documentation

◆ is_claim_in_address_scope()

static enum GNUNET_GenericReturnValue is_claim_in_address_scope ( const char *  claim)
static

Definition at line 106 of file oidc_helper.c.

107{
108 int i;
109 for (i = 0; i < 5; i++)
110 {
111 if (0 == strcmp (claim, OIDC_address_claims[i]))
112 {
113 return GNUNET_YES;
114 }
115 }
116 return GNUNET_NO;
117}
claim
struct GNUNET_RECLAIM_Attribute * claim
Claim to store.
Definition gnunet-reclaim.c:189
GNUNET_YES
@ GNUNET_YES
Definition gnunet_common.h:116
GNUNET_NO
@ GNUNET_NO
Definition gnunet_common.h:113
OIDC_address_claims
static char OIDC_address_claims[5][32]
Standard claims represented by the "address" scope in OIDC.
Definition oidc_helper.c:101

References claim, GNUNET_NO, GNUNET_YES, and OIDC_address_claims.

Referenced by generate_userinfo_json().

Here is the caller graph for this function:

◆ create_jwt_hmac_header()

static char * create_jwt_hmac_header ( void  )
static

Definition at line 121 of file oidc_helper.c.

122{
123 json_t *root;
124 char *json_str;
125
126 root = json_object ();
127 json_object_set_new (root, JWT_ALG, json_string (JWT_ALG_VALUE_HMAC));
128 json_object_set_new (root, JWT_TYP, json_string (JWT_TYP_VALUE));
129
130 json_str = json_dumps (root, JSON_INDENT (0) | JSON_COMPACT);
131 json_decref (root);
132 return json_str;
133}
JWT_TYP_VALUE
#define JWT_TYP_VALUE
Definition oidc_helper.h:34
JWT_ALG
#define JWT_ALG
Definition oidc_helper.h:32
JWT_TYP
#define JWT_TYP
Definition oidc_helper.h:33
JWT_ALG_VALUE_HMAC
#define JWT_ALG_VALUE_HMAC
Definition oidc_helper.h:36

References JWT_ALG, JWT_ALG_VALUE_HMAC, JWT_TYP, and JWT_TYP_VALUE.

Referenced by OIDC_generate_id_token_hmac().

Here is the caller graph for this function:

◆ replace_char()

static void replace_char ( char *  str,
char  find,
char  replace 
)
static

Definition at line 137 of file oidc_helper.c.

138{
139 char *current_pos = strchr (str, find);
140
141 while (current_pos)
142 {
143 *current_pos = replace;
144 current_pos = strchr (current_pos, find);
145 }
146}
replace
static int replace
Replace DID Document Flag.
Definition gnunet-did.c:53
str
const char * str
Definition time.c:1252

References replace, and str.

Referenced by fix_base64().

Here is the caller graph for this function:

◆ fix_base64()

static void fix_base64 ( char *  str)
static

Definition at line 151 of file oidc_helper.c.

152{
153 // Replace + with -
154 replace_char (str, '+', '-');
155
156 // Replace / with _
157 replace_char (str, '/', '_');
158}
replace_char
static void replace_char(char *str, char find, char replace)
Definition oidc_helper.c:137

References replace_char(), and str.

Referenced by OIDC_generate_id_token_hmac().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ generate_userinfo_json()

static json_t * generate_userinfo_json ( const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations 
)
static

There is this weird quirk that the individual address claim(s) must be inside a JSON object of the "address" claim.

There is this weird quirk that the individual address claim(s) must be inside a JSON object of the "address" claim.

This is/can only be set once!

Definition at line 162 of file oidc_helper.c.

166{
167 struct GNUNET_RECLAIM_AttributeListEntry *le;
168 struct GNUNET_RECLAIM_PresentationListEntry *ple;
169 char *subject;
170 char *source_name;
171 char *attr_val_str;
172 char *pres_val_str;
173 json_t *body;
174 json_t *aggr_names;
175 json_t *aggr_sources;
176 json_t *aggr_sources_jwt;
177 json_t *addr_claim = NULL;
178
179 subject =
180 GNUNET_STRINGS_data_to_string_alloc (sub_key,
181 sizeof(struct
182 GNUNET_CRYPTO_BlindablePublicKey));
183 body = json_object ();
184 aggr_names = json_object ();
185 aggr_sources = json_object ();
186
187 // iss REQUIRED case sensitive server uri with https
188 // The issuer is the local reclaim instance (e.g.
189 // https://reclaim.id/api/openid)
190 json_object_set_new (body, "iss", json_string (SERVER_ADDRESS));
191 // sub REQUIRED public key identity, not exceed 255 ASCII length
192 json_object_set_new (body, "sub", json_string (subject));
193 GNUNET_free (subject);
194 pres_val_str = NULL;
195 source_name = NULL;
196 int i = 0;
197 for (ple = presentations->list_head; NULL != ple; ple = ple->next)
198 {
199 // New presentation
200 GNUNET_asprintf (&source_name,
201 "src%d",
202 i);
203 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
204 "Adding new presentation source #%d\n", i);
205 aggr_sources_jwt = json_object ();
206 pres_val_str =
207 GNUNET_RECLAIM_presentation_value_to_string (ple->presentation->type,
208 ple->presentation->data,
209 ple->presentation->data_size)
210 ;
211 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
212 "Presentation is: %s\n", pres_val_str);
213 json_object_set_new (aggr_sources_jwt,
214 GNUNET_RECLAIM_presentation_number_to_typename (
215 ple->presentation->type),
216 json_string (pres_val_str) );
217 json_object_set_new (aggr_sources, source_name, aggr_sources_jwt);
218 GNUNET_free (pres_val_str);
219 GNUNET_free (source_name);
220 source_name = NULL;
221 i++;
222 }
223
224 int addr_is_aggregated = GNUNET_NO;
225 int addr_is_normal = GNUNET_NO;
226 for (le = attrs->list_head; NULL != le; le = le->next)
227 {
228 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
229 "Processing %s for userinfo body\n",
230 le->attribute->name);
231 if (GNUNET_YES == GNUNET_RECLAIM_id_is_zero (&le->attribute->credential))
232 {
233 attr_val_str =
234 GNUNET_RECLAIM_attribute_value_to_string (le->attribute->type,
235 le->attribute->data,
236 le->attribute->data_size);
241 if (GNUNET_YES == is_claim_in_address_scope (le->attribute->name))
242 {
243 if (GNUNET_YES == addr_is_aggregated)
244 {
245 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
246 "Address is set as aggregated claim. Skipping self-issued value...\n");
247 GNUNET_free (attr_val_str);
248 continue;
249 }
250 addr_is_normal = GNUNET_YES;
251
252 if (NULL == addr_claim)
253 {
254 addr_claim = json_object ();
255 json_object_set_new (body, "address", addr_claim);
256 }
257 json_object_set_new (addr_claim, le->attribute->name,
258 json_string (attr_val_str));
259
260 }
261 else
262 {
263 json_object_set_new (body, le->attribute->name,
264 json_string (attr_val_str));
265 }
266 GNUNET_free (attr_val_str);
267 }
268 else
269 {
270 // Check if presentation is there
271 int j = 0;
272 for (ple = presentations->list_head; NULL != ple; ple = ple->next)
273 {
274 if (GNUNET_YES ==
275 GNUNET_RECLAIM_id_is_equal (&ple->presentation->credential_id,
276 &le->attribute->credential))
277 break;
278 j++;
279 }
280 if (NULL == ple)
281 {
282 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
283 "Presentation for `%s' missing...\n",
284 le->attribute->name);
285 continue;
286 }
291 if (GNUNET_YES == is_claim_in_address_scope (le->attribute->name))
292 {
293 if (GNUNET_YES == addr_is_normal)
294 {
295 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
296 "Address is already set as normal claim. Skipping attested value...\n");
297 continue;
298 }
299 addr_is_aggregated = GNUNET_YES;
301 if (NULL != addr_claim)
302 continue;
303 addr_claim = json_object ();
304 GNUNET_asprintf (&source_name,
305 "src%d",
306 j);
307 json_object_set_new (aggr_names, "address",
308 json_string (source_name));
309 GNUNET_free (source_name);
310 }
311 else
312 {
313 // Presentation exists, hence take the respective source str
314 GNUNET_asprintf (&source_name,
315 "src%d",
316 j);
317 json_object_set_new (aggr_names, le->attribute->name,
318 json_string (source_name));
319 GNUNET_free (source_name);
320 }
321 }
322 }
323 if (0 != i)
324 {
325 json_object_set_new (body, "_claim_names", aggr_names);
326 json_object_set_new (body, "_claim_sources", aggr_sources);
327 }
328
329 return body;
330}
subject
static char * subject
Subject pubkey string.
Definition gnunet-abd.c:87
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_ERROR_TYPE_WARNING
@ GNUNET_ERROR_TYPE_WARNING
Definition gnunet_common.h:418
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition gnunet_common.h:424
GNUNET_asprintf
int int GNUNET_asprintf(char **buf, const char *format,...) __attribute__((format(printf
Like asprintf, just portable.
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition gnunet_common.h:1415
GNUNET_RECLAIM_id_is_equal
#define GNUNET_RECLAIM_id_is_equal(a, b)
Definition gnunet_reclaim_lib.h:94
GNUNET_RECLAIM_id_is_zero
#define GNUNET_RECLAIM_id_is_zero(a)
Definition gnunet_reclaim_lib.h:102
GNUNET_RECLAIM_presentation_number_to_typename
const char * GNUNET_RECLAIM_presentation_number_to_typename(uint32_t type)
Convert a presentation type number to the corresponding credential type string.
Definition reclaim_credential.c:578
GNUNET_RECLAIM_attribute_value_to_string
char * GNUNET_RECLAIM_attribute_value_to_string(uint32_t type, const void *data, size_t data_size)
Convert the 'claim' of an attribute to a string.
Definition reclaim_attribute.c:224
GNUNET_RECLAIM_presentation_value_to_string
char * GNUNET_RECLAIM_presentation_value_to_string(uint32_t type, const void *data, size_t data_size)
Convert the 'claim' of a presentation to a string.
Definition reclaim_credential.c:639
GNUNET_STRINGS_data_to_string_alloc
char * GNUNET_STRINGS_data_to_string_alloc(const void *buf, size_t size)
Return the base32crockford encoding of the given buffer.
Definition strings.c:807
is_claim_in_address_scope
static enum GNUNET_GenericReturnValue is_claim_in_address_scope(const char *claim)
Definition oidc_helper.c:106
SERVER_ADDRESS
#define SERVER_ADDRESS
Definition oidc_helper.h:39
GNUNET_CRYPTO_BlindablePublicKey
An identity key as per LSD0001.
Definition gnunet_crypto_lib.h:427
GNUNET_RECLAIM_AttributeListEntry
Definition gnunet_reclaim_lib.h:244
GNUNET_RECLAIM_AttributeListEntry::attribute
struct GNUNET_RECLAIM_Attribute * attribute
The attribute claim.
Definition gnunet_reclaim_lib.h:258
GNUNET_RECLAIM_AttributeListEntry::next
struct GNUNET_RECLAIM_AttributeListEntry * next
DLL.
Definition gnunet_reclaim_lib.h:253
GNUNET_RECLAIM_AttributeList::list_head
struct GNUNET_RECLAIM_AttributeListEntry * list_head
List head.
Definition gnunet_reclaim_lib.h:234
GNUNET_RECLAIM_Attribute::name
const char * name
The name of the attribute.
Definition gnunet_reclaim_lib.h:141
GNUNET_RECLAIM_Attribute::credential
struct GNUNET_RECLAIM_Identifier credential
Referenced ID of credential (may be GNUNET_RECLAIM_ID_ZERO if self-creded)
Definition gnunet_reclaim_lib.h:125
GNUNET_RECLAIM_Attribute::type
uint32_t type
Type of Claim.
Definition gnunet_reclaim_lib.h:130
GNUNET_RECLAIM_Attribute::data
const void * data
Binary value stored as attribute value.
Definition gnunet_reclaim_lib.h:153
GNUNET_RECLAIM_Attribute::data_size
size_t data_size
Number of bytes in data.
Definition gnunet_reclaim_lib.h:146
GNUNET_RECLAIM_PresentationListEntry
Definition gnunet_reclaim_lib.h:317
GNUNET_RECLAIM_PresentationListEntry::presentation
struct GNUNET_RECLAIM_Presentation * presentation
The credential.
Definition gnunet_reclaim_lib.h:331
GNUNET_RECLAIM_PresentationListEntry::next
struct GNUNET_RECLAIM_PresentationListEntry * next
DLL.
Definition gnunet_reclaim_lib.h:326
GNUNET_RECLAIM_PresentationList::list_head
struct GNUNET_RECLAIM_PresentationListEntry * list_head
List head.
Definition gnunet_reclaim_lib.h:307
GNUNET_RECLAIM_Presentation::data
const void * data
Binary value stored as presentation value.
Definition gnunet_reclaim_lib.h:221
GNUNET_RECLAIM_Presentation::type
uint32_t type
Type/Format of Claim.
Definition gnunet_reclaim_lib.h:209
GNUNET_RECLAIM_Presentation::data_size
size_t data_size
Number of bytes in data.
Definition gnunet_reclaim_lib.h:214
GNUNET_RECLAIM_Presentation::credential_id
struct GNUNET_RECLAIM_Identifier credential_id
The credential id of which this is a presentation.
Definition gnunet_reclaim_lib.h:204

References GNUNET_RECLAIM_AttributeListEntry::attribute, GNUNET_RECLAIM_Attribute::credential, GNUNET_RECLAIM_Presentation::credential_id, GNUNET_RECLAIM_Attribute::data, GNUNET_RECLAIM_Presentation::data, GNUNET_RECLAIM_Attribute::data_size, GNUNET_RECLAIM_Presentation::data_size, GNUNET_asprintf(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_WARNING, GNUNET_free, GNUNET_log, GNUNET_NO, GNUNET_RECLAIM_attribute_value_to_string(), GNUNET_RECLAIM_id_is_equal, GNUNET_RECLAIM_id_is_zero, GNUNET_RECLAIM_presentation_number_to_typename(), GNUNET_RECLAIM_presentation_value_to_string(), GNUNET_STRINGS_data_to_string_alloc(), GNUNET_YES, is_claim_in_address_scope(), GNUNET_RECLAIM_AttributeList::list_head, GNUNET_RECLAIM_PresentationList::list_head, GNUNET_RECLAIM_Attribute::name, GNUNET_RECLAIM_AttributeListEntry::next, GNUNET_RECLAIM_PresentationListEntry::next, GNUNET_RECLAIM_PresentationListEntry::presentation, SERVER_ADDRESS, subject, GNUNET_RECLAIM_Attribute::type, and GNUNET_RECLAIM_Presentation::type.

Referenced by generate_id_token_body(), and OIDC_generate_userinfo().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_userinfo()

char * OIDC_generate_userinfo ( const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations 
)

Generate userinfo JSON as string.

Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list (may be empty)
Returns
Userinfo JSON

Definition at line 342 of file oidc_helper.c.

346{
347 char *body_str;
348 json_t*body = generate_userinfo_json (sub_key,
349 attrs,
350 presentations);
351 body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
352 json_decref (body);
353 return body_str;
354}
generate_userinfo_json
static json_t * generate_userinfo_json(const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Definition oidc_helper.c:162

References generate_userinfo_json().

Referenced by consume_fail(), and consume_ticket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ generate_id_token_body()

static char * generate_id_token_body ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce 
)
static

Definition at line 358 of file oidc_helper.c.

365{
366 struct GNUNET_TIME_Absolute exp_time;
367 struct GNUNET_TIME_Absolute time_now;
368 json_t *body;
369 char *subject;
370 char *body_str;
371
372 body = generate_userinfo_json (sub_key,
373 attrs,
374 presentations);
375 // iat REQUIRED time now
376 time_now = GNUNET_TIME_absolute_get ();
377 // exp REQUIRED time expired from config
378 exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time);
379 // auth_time only if max_age
380 // nonce only if nonce
381 // OPTIONAL acr,amr,azp
382 subject =
383 GNUNET_STRINGS_data_to_string_alloc (sub_key,
384 sizeof(struct
385 GNUNET_CRYPTO_BlindablePublicKey));
386
387 // aud REQUIRED public key client_id must be there
388 json_object_set_new (body, "aud", json_string (rp_uri));
389 // iat
390 json_object_set_new (body,
391 "iat",
392 json_integer (time_now.abs_value_us / (1000 * 1000)));
393 // exp
394 json_object_set_new (body,
395 "exp",
396 json_integer (exp_time.abs_value_us / (1000 * 1000)));
397 // nbf
398 json_object_set_new (body,
399 "nbf",
400 json_integer (time_now.abs_value_us / (1000 * 1000)));
401 // nonce
402 if (NULL != nonce)
403 json_object_set_new (body, "nonce", json_string (nonce));
404
405 // Error checking
406 body_str = json_dumps (body, JSON_INDENT (2) | JSON_COMPACT);
407 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,"ID-Token: %s\n", body_str);
408
409 json_decref (body);
410 GNUNET_free (subject);
411
412 return body_str;
413}
GNUNET_TIME_absolute_get
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_get(void)
Get the current time.
Definition time.c:111
GNUNET_TIME_absolute_add
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_add(struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Relative duration)
Add a given relative duration to the given start time.
Definition time.c:452
GNUNET_TIME_Absolute
Time for absolute times used by GNUnet, in microseconds.
Definition gnunet_time_lib.h:54

References GNUNET_TIME_Absolute::abs_value_us, generate_userinfo_json(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_free, GNUNET_log, GNUNET_STRINGS_data_to_string_alloc(), GNUNET_TIME_absolute_add(), GNUNET_TIME_absolute_get(), and subject.

Referenced by OIDC_generate_id_token_hmac(), and OIDC_generate_id_token_rsa().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_id_token_rsa()

char * OIDC_generate_id_token_rsa ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const json_t *  secret_rsa_key 
)

Create a JWT using RSA256 algorithm from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_rsa_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Definition at line 417 of file oidc_helper.c.

426{
427 json_t *jws;
428 char *body_str;
429 char *result;
430
431 // Generate the body of the JSON Web Signature
432 body_str = generate_id_token_body (rp_uri,
433 sub_key,
434 attrs,
435 presentations,
436 expiration_time,
437 nonce);
438
439 if (NULL == body_str)
440 {
441 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
442 "Body for the JWS could not be generated\n");
443 return NULL;
444 }
445
446 // Creating the JSON Web Signature.
447 jws = json_pack ("{s:o}", "payload",
448 jose_b64_enc (body_str, strlen (body_str)));
449 GNUNET_free (body_str);
450
451 if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
452 {
453 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
454 "Signature generation failed\n");
455 return NULL;
456 }
457
458 // Encoding JSON as compact JSON Web Signature
459 GNUNET_asprintf (&result, "%s.%s.%s",
460 json_string_value (json_object_get (jws, "protected")),
461 json_string_value (json_object_get (jws, "payload")),
462 json_string_value (json_object_get (jws, "signature")) );
463
464 json_decref (jws);
465 return result;
466}
result
static int result
Global testing status.
Definition gnunet-regex-profiler.c:240
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:417
generate_id_token_body
static char * generate_id_token_body(const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
Definition oidc_helper.c:358

References generate_id_token_body(), GNUNET_asprintf(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_id_token_hmac()

char * OIDC_generate_id_token_hmac ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const char *  secret_key 
)

Create a JWT using HMAC (HS256) from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Creating the JWT signature. This might not be standards compliant, check.

Definition at line 470 of file oidc_helper.c.

479{
480 struct GNUNET_HashCode signature;
481 char *header;
482 char *header_base64;
483 char *body_str;
484 char *body_base64;
485 char *signature_target;
486 char *signature_base64;
487 char *result;
488
489 // Generate and encode Header
490 header = create_jwt_hmac_header ();
491 if (NULL == header)
492 {
493 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
494 "Header for the JWS could not be generated\n");
495 return NULL;
496 }
497 GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
498 GNUNET_free (header);
499 fix_base64 (header_base64);
500
501 // Generate and encode the body of the JSON Web Signature
502 body_str = generate_id_token_body (rp_uri,
503 sub_key,
504 attrs,
505 presentations,
506 expiration_time,
507 nonce);
508
509 if (NULL == body_str)
510 {
511 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
512 "Body for the JWS could not be generated\n");
513 GNUNET_free (header_base64);
514 return NULL;
515 }
516
517 GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
518 fix_base64 (body_base64);
519
524 GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
525 GNUNET_CRYPTO_hmac_raw (secret_key,
526 strlen (secret_key),
527 signature_target,
528 strlen (signature_target),
529 &signature);
530 GNUNET_STRINGS_base64url_encode ((const char *) &signature,
531 sizeof(struct GNUNET_HashCode),
532 &signature_base64);
533 fix_base64 (signature_base64);
534
535 GNUNET_asprintf (&result,
536 "%s.%s.%s",
537 header_base64,
538 body_base64,
539 signature_base64);
540
541 GNUNET_free (header_base64);
542 GNUNET_free (body_str);
543 GNUNET_free (body_base64);
544 GNUNET_free (signature_target);
545 GNUNET_free (signature_base64);
546 return result;
547}
GNUNET_CRYPTO_hmac_raw
void GNUNET_CRYPTO_hmac_raw(const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac)
Calculate HMAC of a message (RFC 2104) TODO: Shouldn't this be the standard hmac function and the abo...
Definition crypto_hash.c:297
GNUNET_STRINGS_base64url_encode
size_t GNUNET_STRINGS_base64url_encode(const void *in, size_t len, char **output)
Encode into Base64url.
Definition strings.c:1667
fix_base64
static void fix_base64(char *str)
Definition oidc_helper.c:151
create_jwt_hmac_header
static char * create_jwt_hmac_header(void)
Definition oidc_helper.c:121
GNUNET_HashCode
A 512-bit hashcode.
Definition gnunet_common.h:287

References create_jwt_hmac_header(), fix_base64(), generate_id_token_body(), GNUNET_asprintf(), GNUNET_CRYPTO_hmac_raw(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_STRINGS_base64url_encode(), and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_authz_code()

char * OIDC_build_authz_code ( const struct GNUNET_CRYPTO_BlindablePrivateKey issuer,
const struct GNUNET_RECLAIM_Ticket ticket,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const char *  nonce_str,
const char *  code_challenge 
)

Builds an OIDC authorization code including a reclaim ticket and nonce.

Parameters
issuerthe issuer of the ticket, used to sign the ticket and nonce
ticketthe ticket to include in the code
attrslist of attributes which are shared
presentationscredential presentation list (may be empty)
noncethe nonce to include in the code
code_challengePKCE code challenge
Returns
a new authorization code (caller must free)

PLAINTEXT

END

Definition at line 563 of file oidc_helper.c.

570{
571 struct OIDC_Parameters params;
572 char *code_payload;
573 char *payload;
574 char *tmp;
575 char *code_str;
576 char *buf_ptr = NULL;
577 size_t payload_len;
578 size_t code_payload_len;
579 size_t attr_list_len = 0;
580 size_t pres_list_len = 0;
581 size_t code_challenge_len = 0;
582 uint32_t nonce_len = 0;
583 struct GNUNET_CRYPTO_SignaturePurpose *purpose;
584
586 // Assign ticket
587 memset (&params, 0, sizeof(params));
588 memcpy (params.ticket.gns_name, ticket->gns_name, strlen (ticket->gns_name)
589 + 1);
590 // Assign nonce
591 payload_len = sizeof(struct OIDC_Parameters);
592 if ((NULL != nonce_str) && (strcmp ("", nonce_str) != 0))
593 {
594 nonce_len = strlen (nonce_str);
595 payload_len += nonce_len;
596 }
597 params.nonce_len = htonl (nonce_len);
598 // Assign code challenge
599 if (NULL != code_challenge)
600 code_challenge_len = strlen (code_challenge);
601 payload_len += code_challenge_len;
602 params.code_challenge_len = htonl (code_challenge_len);
603 // Assign attributes
604 if (NULL != attrs)
605 {
606 // Get length
607 attr_list_len = GNUNET_RECLAIM_attribute_list_serialize_get_size (attrs);
608 params.attr_list_len = htonl (attr_list_len);
609 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
610 "Length of serialized attributes: %lu\n",
611 attr_list_len);
612 // Get serialized attributes
613 payload_len += attr_list_len;
614 }
615 if (NULL != presentations)
616 {
617 // Get length
618 // FIXME only add presentations relevant for attribute list!!!
619 // This is important because of the distinction between id_token and
620 // userinfo in OIDC
621 pres_list_len =
622 GNUNET_RECLAIM_presentation_list_serialize_get_size (presentations);
623 params.pres_list_len = htonl (pres_list_len);
624 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
625 "Length of serialized presentations: %lu\n",
626 pres_list_len);
627 // Get serialized attributes
628 payload_len += pres_list_len;
629 }
630
631 // Get plaintext length
632 payload = GNUNET_malloc (payload_len);
633 memcpy (payload, &params, sizeof(params));
634 tmp = payload + sizeof(params);
635 if (0 < code_challenge_len)
636 {
637 memcpy (tmp, code_challenge, code_challenge_len);
638 tmp += code_challenge_len;
639 }
640 if (0 < nonce_len)
641 {
642 memcpy (tmp, nonce_str, nonce_len);
643 tmp += nonce_len;
644 }
645 if (0 < attr_list_len)
646 GNUNET_RECLAIM_attribute_list_serialize (attrs, tmp);
647 tmp += attr_list_len;
648 if (0 < pres_list_len)
649 GNUNET_RECLAIM_presentation_list_serialize (presentations, tmp);
650 tmp += pres_list_len;
651
654 // Get length
655 code_payload_len = sizeof(struct GNUNET_CRYPTO_SignaturePurpose)
656 + payload_len + sizeof(struct
657 GNUNET_CRYPTO_BlindableKeySignature)
658 ;
659 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
660 "Length of data to encode: %lu\n",
661 code_payload_len);
662
663 // Initialize code payload
664 code_payload = GNUNET_malloc (code_payload_len);
665 GNUNET_assert (NULL != code_payload);
666 purpose = (struct GNUNET_CRYPTO_SignaturePurpose *) code_payload;
667 purpose->size = htonl (sizeof(struct GNUNET_CRYPTO_SignaturePurpose)
668 + payload_len);
669 purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN);
670 // Store pubkey
671 buf_ptr = (char *) &purpose[1];
672 memcpy (buf_ptr, payload, payload_len);
673 GNUNET_free (payload);
674 buf_ptr += payload_len;
675 // Sign and store signature
676 if (GNUNET_SYSERR ==
677 GNUNET_CRYPTO_blinded_key_sign_ (issuer,
678 purpose,
679 (struct
680 GNUNET_CRYPTO_BlindableKeySignature *)
681 buf_ptr))
682 {
683 GNUNET_break (0);
684 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
685 GNUNET_free (code_payload);
686 return NULL;
687 }
688 GNUNET_STRINGS_base64url_encode (code_payload, code_payload_len, &code_str);
689 GNUNET_free (code_payload);
690 return code_str;
691}
ticket
static struct GNUNET_RECLAIM_Ticket ticket
Ticket to consume.
Definition gnunet-reclaim.c:164
payload
static unsigned long long payload
How much data are we currently storing in the database?
Definition gnunet-service-datastore.c:183
GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
Signature for a GNUid Ticket (Reclaim)
Definition gnunet_signatures.h:172
GNUNET_CRYPTO_blinded_key_sign_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_blinded_key_sign_(const struct GNUNET_CRYPTO_BlindablePrivateKey *priv, const struct GNUNET_CRYPTO_SignaturePurpose *purpose, struct GNUNET_CRYPTO_BlindableKeySignature *sig)
Sign a given block.
Definition crypto_pkey.c:300
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition gnunet_common.h:960
GNUNET_break
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
Definition gnunet_common.h:1045
GNUNET_malloc
#define GNUNET_malloc(size)
Wrapper around malloc.
Definition gnunet_common.h:1355
GNUNET_RECLAIM_attribute_list_serialize
size_t GNUNET_RECLAIM_attribute_list_serialize(const struct GNUNET_RECLAIM_AttributeList *attrs, char *result)
Serialize an attribute list.
Definition reclaim_attribute.c:322
GNUNET_RECLAIM_presentation_list_serialize
size_t GNUNET_RECLAIM_presentation_list_serialize(const struct GNUNET_RECLAIM_PresentationList *presentations, char *result)
Serialize a presentation list.
Definition reclaim_credential.c:703
GNUNET_RECLAIM_presentation_list_serialize_get_size
size_t GNUNET_RECLAIM_presentation_list_serialize_get_size(const struct GNUNET_RECLAIM_PresentationList *presentations)
Get required size for serialization buffer.
Definition reclaim_credential.c:687
GNUNET_RECLAIM_attribute_list_serialize_get_size
size_t GNUNET_RECLAIM_attribute_list_serialize_get_size(const struct GNUNET_RECLAIM_AttributeList *attrs)
Get required size for serialization buffer.
Definition reclaim_attribute.c:306
GNUNET_CRYPTO_BlindableKeySignature
An identity signature as per LSD0001.
Definition gnunet_crypto_lib.h:498
GNUNET_CRYPTO_SignaturePurpose
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
Definition gnunet_crypto_lib.h:142
GNUNET_CRYPTO_SignaturePurpose::purpose
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Definition gnunet_crypto_lib.h:156
GNUNET_RECLAIM_Ticket::gns_name
char gns_name[63 *2+2]
The ticket.
Definition gnunet_reclaim_service.h:83
OIDC_Parameters
The signature used to generate the authorization code.
Definition oidc_helper.c:46
OIDC_Parameters::pres_list_len
uint32_t pres_list_len
The length of the presentation list.
Definition oidc_helper.c:70
OIDC_Parameters::nonce_len
uint32_t nonce_len
The nonce length.
Definition oidc_helper.c:55
OIDC_Parameters::attr_list_len
uint32_t attr_list_len
The length of the attributes list.
Definition oidc_helper.c:65
OIDC_Parameters::code_challenge_len
uint32_t code_challenge_len
The length of the PKCE code_challenge.
Definition oidc_helper.c:60

References OIDC_Parameters::attr_list_len, OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_assert, GNUNET_break, GNUNET_CRYPTO_blinded_key_sign_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_malloc, GNUNET_RECLAIM_attribute_list_serialize(), GNUNET_RECLAIM_attribute_list_serialize_get_size(), GNUNET_RECLAIM_presentation_list_serialize(), GNUNET_RECLAIM_presentation_list_serialize_get_size(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_STRINGS_base64url_encode(), GNUNET_SYSERR, OIDC_Parameters::nonce_len, payload, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_SignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by oidc_ticket_issue_cb().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ check_code_challenge()

static enum GNUNET_GenericReturnValue check_code_challenge ( const char *  code_challenge,
uint32_t  code_challenge_len,
const char *  code_verifier 
)
static

Definition at line 695 of file oidc_helper.c.

698{
699 char *code_verifier_hash;
700 char *expected_code_challenge;
701
702 if (0 == code_challenge_len) /* Only check if this code requires a CV */
703 return GNUNET_OK;
704 if (NULL == code_verifier)
705 {
706 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
707 "Expected code verifier!\n");
708 return GNUNET_SYSERR;
709 }
710 code_verifier_hash = GNUNET_malloc (256 / 8);
711 // hash code verifier
712 gcry_md_hash_buffer (GCRY_MD_SHA256,
713 code_verifier_hash,
714 code_verifier,
715 strlen (code_verifier));
716 // encode code verifier
717 GNUNET_STRINGS_base64url_encode (code_verifier_hash, 256 / 8,
718 &expected_code_challenge);
719 GNUNET_free (code_verifier_hash);
720 if (0 !=
721 strncmp (expected_code_challenge, code_challenge, code_challenge_len))
722 {
723 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
724 "Invalid code verifier! Expected: %s, Got: %.*s\n",
725 expected_code_challenge,
726 code_challenge_len,
727 code_challenge);
728 GNUNET_free (expected_code_challenge);
729 return GNUNET_SYSERR;
730 }
731 GNUNET_free (expected_code_challenge);
732 return GNUNET_OK;
733}
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114

References GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_malloc, GNUNET_OK, GNUNET_STRINGS_base64url_encode(), and GNUNET_SYSERR.

Referenced by OIDC_parse_authz_code().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_parse_authz_code()

int OIDC_parse_authz_code ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey cid,
const char *  code,
const char *  code_verifier,
struct GNUNET_RECLAIM_Ticket ticket,
struct GNUNET_RECLAIM_AttributeList **  attrs,
struct GNUNET_RECLAIM_PresentationList **  presentations,
char **  nonce_str,
enum OIDC_VerificationOptions  opts,
char **  emsg 
)

Parse reclaim ticket and nonce from authorization code.

This also verifies the signature in the code.

Parameters
audiencethe expected audience of the code
codethe string representation of the code
code_verfierPKCE code verifier. Optional, must be provided if used in request.
ticketwhere to store the ticket
attrsthe attributes in the code
presentationscredential presentation list
nonce_strwhere to store the nonce (if contained)
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

Definition at line 752 of file oidc_helper.c.

761{
762 char *code_payload;
763 char *ptr;
764 char *plaintext;
765 char *attrs_ser;
766 char *presentations_ser;
767 char *code_challenge;
768 struct GNUNET_CRYPTO_SignaturePurpose *purpose;
769 struct GNUNET_CRYPTO_BlindableKeySignature *signature;
770 struct GNUNET_CRYPTO_BlindablePublicKey iss;
771 uint32_t code_challenge_len;
772 uint32_t attrs_ser_len;
773 uint32_t pres_ser_len;
774 size_t plaintext_len;
775 size_t code_payload_len;
776 uint32_t nonce_len = 0;
777 struct OIDC_Parameters *params;
778
779
780 GNUNET_GNS_parse_ztld (ticket->gns_name, &iss);
781 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code);
782 code_payload = NULL;
783 code_payload_len =
784 GNUNET_STRINGS_base64url_decode (code, strlen (code),
785 (void **) &code_payload);
786 if (code_payload_len < sizeof(struct GNUNET_CRYPTO_SignaturePurpose)
787 + sizeof(struct OIDC_Parameters)
788 + sizeof(struct GNUNET_CRYPTO_BlindableKeySignature))
789 {
790 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
791 GNUNET_free (code_payload);
792 return GNUNET_SYSERR;
793 }
794
795 purpose = (struct GNUNET_CRYPTO_SignaturePurpose *) code_payload;
796 plaintext_len = code_payload_len;
797 plaintext_len -= sizeof(struct GNUNET_CRYPTO_SignaturePurpose);
798 ptr = (char *) &purpose[1];
799 plaintext_len -= sizeof(struct GNUNET_CRYPTO_BlindableKeySignature);
800 plaintext = ptr;
801 ptr += plaintext_len;
802 signature = (struct GNUNET_CRYPTO_BlindableKeySignature *) ptr;
803 params = (struct OIDC_Parameters *) plaintext;
804
805 // cmp code_challenge code_verifier
806 code_challenge_len = ntohl (params->code_challenge_len);
807 code_challenge = ((char *) &params[1]);
808 if (! (opts & OIDC_VERIFICATION_NO_CODE_VERIFIER))
809 {
810 if (GNUNET_OK != check_code_challenge (code_challenge,
811 code_challenge_len,
812 code_verifier))
813 {
814 GNUNET_asprintf (emsg, "Code verifier `%s' invalid for challenge `%s'",
815 code_verifier, code_challenge);
816 GNUNET_free (code_payload);
817 return GNUNET_SYSERR;
818 }
819 }
820 nonce_len = ntohl (params->nonce_len);
821 if (0 != nonce_len)
822 {
823 *nonce_str = GNUNET_strndup (code_challenge + code_challenge_len,
824 nonce_len);
825 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %s\n", *nonce_str);
826 }
827
828 // Ticket
829 memcpy (ticket, &params->ticket, sizeof(params->ticket));
830 // Signature
831 // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
832 if (GNUNET_OK !=
833 GNUNET_CRYPTO_blinded_key_signature_verify_ (
834 GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
835 purpose,
836 signature,
837 &iss))
838 {
839 GNUNET_free (code_payload);
840 if (NULL != *nonce_str)
841 GNUNET_free (*nonce_str);
842 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n");
843 *emsg = GNUNET_strdup ("Signature verification failed");
844 return GNUNET_SYSERR;
845 }
846 // Attributes
847 attrs_ser = ((char *) &params[1]) + code_challenge_len + nonce_len;
848 attrs_ser_len = ntohl (params->attr_list_len);
849 *attrs = GNUNET_RECLAIM_attribute_list_deserialize (attrs_ser, attrs_ser_len);
850 presentations_ser = ((char*) attrs_ser) + attrs_ser_len;
851 pres_ser_len = ntohl (params->pres_list_len);
852 *presentations =
853 GNUNET_RECLAIM_presentation_list_deserialize (presentations_ser,
854 pres_ser_len);
855
856 GNUNET_free (code_payload);
857 return GNUNET_OK;
858}
GNUNET_GNS_parse_ztld
enum GNUNET_GenericReturnValue GNUNET_GNS_parse_ztld(const char *name, struct GNUNET_CRYPTO_BlindablePublicKey *ztld_key)
Try to parse the zTLD into a public key.
Definition gns_tld_api.c:228
GNUNET_CRYPTO_blinded_key_signature_verify_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_blinded_key_signature_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_SignaturePurpose *validate, const struct GNUNET_CRYPTO_BlindableKeySignature *sig, const struct GNUNET_CRYPTO_BlindablePublicKey *pub)
Verify a given signature.
Definition crypto_pkey.c:327
GNUNET_strdup
#define GNUNET_strdup(a)
Wrapper around GNUNET_xstrdup_.
Definition gnunet_common.h:1429
GNUNET_strndup
#define GNUNET_strndup(a, length)
Wrapper around GNUNET_xstrndup_.
Definition gnunet_common.h:1441
GNUNET_RECLAIM_presentation_list_deserialize
struct GNUNET_RECLAIM_PresentationList * GNUNET_RECLAIM_presentation_list_deserialize(const char *data, size_t data_size)
Deserialize a presentation list.
Definition reclaim_credential.c:732
GNUNET_RECLAIM_attribute_list_deserialize
struct GNUNET_RECLAIM_AttributeList * GNUNET_RECLAIM_attribute_list_deserialize(const char *data, size_t data_size)
Deserialize an attribute list.
Definition reclaim_attribute.c:351
GNUNET_STRINGS_base64url_decode
size_t GNUNET_STRINGS_base64url_decode(const char *data, size_t len, void **out)
Decode from Base64url.
Definition strings.c:1778
check_code_challenge
static enum GNUNET_GenericReturnValue check_code_challenge(const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
Definition oidc_helper.c:695
OIDC_VERIFICATION_NO_CODE_VERIFIER
@ OIDC_VERIFICATION_NO_CODE_VERIFIER
Do not check code verifier even if expected.
Definition oidc_helper.h:51
OIDC_Parameters::ticket
struct GNUNET_RECLAIM_Ticket ticket
The reclaim ticket.
Definition oidc_helper.c:50

References OIDC_Parameters::attr_list_len, check_code_challenge(), OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_asprintf(), GNUNET_CRYPTO_blinded_key_signature_verify_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_GNS_parse_ztld(), GNUNET_log, GNUNET_OK, GNUNET_RECLAIM_attribute_list_deserialize(), GNUNET_RECLAIM_presentation_list_deserialize(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_strdup, GNUNET_STRINGS_base64url_decode(), GNUNET_strndup, GNUNET_SYSERR, OIDC_Parameters::nonce_len, OIDC_VERIFICATION_NO_CODE_VERIFIER, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_SignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by consume_fail(), and token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_token_response()

void OIDC_build_token_response ( const char *  access_token,
const char *  id_token,
const struct GNUNET_TIME_Relative expiration_time,
char **  token_response 
)

Build a token response for a token request TODO: Maybe we should add the scope here?

Parameters
access_tokenthe access token to include
id_tokenthe id_token to include
expiration_timethe expiration time of the token(s)
token_responsewhere to store the response

Definition at line 871 of file oidc_helper.c.

875{
876 json_t *root_json;
877
878 root_json = json_object ();
879
880 GNUNET_assert (NULL != access_token);
881 GNUNET_assert (NULL != id_token);
882 GNUNET_assert (NULL != expiration_time);
883 json_object_set_new (root_json, "access_token", json_string (access_token));
884 json_object_set_new (root_json, "token_type", json_string ("Bearer"));
885 json_object_set_new (root_json,
886 "expires_in",
887 json_integer (expiration_time->rel_value_us
888 / (1000 * 1000)));
889 json_object_set_new (root_json, "id_token", json_string (id_token));
890 *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT);
891 json_decref (root_json);
892}
GNUNET_TIME_Relative::rel_value_us
uint64_t rel_value_us
The actual value.
Definition gnunet_time_lib.h:84

References GNUNET_assert, and GNUNET_TIME_Relative::rel_value_us.

Referenced by token_endpoint().

Here is the caller graph for this function:

◆ OIDC_access_token_new()

char * OIDC_access_token_new ( const struct GNUNET_RECLAIM_Ticket ticket,
const char *  rp_uri 
)

Generate a new access token.

Definition at line 899 of file oidc_helper.c.

901{
902 char *access_token;
903 char *tkt_b64;
904
905 GNUNET_STRINGS_base64_encode (ticket,
906 sizeof(*ticket),
907 &tkt_b64);
908 GNUNET_asprintf (&access_token, "%s-%s", tkt_b64, rp_uri);
909 GNUNET_free (tkt_b64);
910 return access_token;
911}
GNUNET_STRINGS_base64_encode
size_t GNUNET_STRINGS_base64_encode(const void *in, size_t len, char **output)
Encode into Base64.
Definition strings.c:1618

References GNUNET_asprintf(), GNUNET_free, GNUNET_STRINGS_base64_encode(), and ticket.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_access_token_parse()

int OIDC_access_token_parse ( const char *  token,
struct GNUNET_RECLAIM_Ticket **  ticket,
char **  rp_uri 
)

Parse an access token.

Definition at line 918 of file oidc_helper.c.

921{
922 size_t sret;
923 char *decoded;
924 char *tmp;
925 char *tkt_str;
926 char *rp_uri_str;
927 tmp = GNUNET_strdup (token);
928 tkt_str = strtok (tmp, "-");
929 GNUNET_assert (NULL != tkt_str); // FIXME handle
930 rp_uri_str = strtok (NULL, "-");
931 GNUNET_assert (NULL != rp_uri_str); // FIXME handle
932 sret = GNUNET_STRINGS_base64_decode (tkt_str,
933 strlen (tkt_str),
934 (void**) &decoded);
935 if (sizeof (struct GNUNET_RECLAIM_Ticket) != sret)
936 {
937 GNUNET_free (decoded);
938 GNUNET_free (tmp);
939 return GNUNET_SYSERR;
940 }
941 *ticket = (struct GNUNET_RECLAIM_Ticket *) decoded;
942 *rp_uri = GNUNET_strdup (rp_uri_str);
943 GNUNET_free (tmp);
944 return GNUNET_OK;
945}
GNUNET_STRINGS_base64_decode
size_t GNUNET_STRINGS_base64_decode(const char *data, size_t len, void **output)
Decode from Base64.
Definition strings.c:1720
GNUNET_RECLAIM_Ticket
The authorization ticket.
Definition gnunet_reclaim_service.h:76

References GNUNET_assert, GNUNET_free, GNUNET_OK, GNUNET_strdup, GNUNET_STRINGS_base64_decode(), GNUNET_SYSERR, and ticket.

Referenced by userinfo_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_check_scopes_for_claim_request()

enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request ( const char *  scopes,
const char *  attr 
)

Checks if a claim is implicitly requested through standard scope(s) or explicitly through non-standard scope.

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

attribute matches requested scope

Definition at line 957 of file oidc_helper.c.

959{
960 char *scope_variables;
961 char *scope_variable;
962 char delimiter[] = " ";
963 int i;
964
965 scope_variables = GNUNET_strdup (scopes);
966 scope_variable = strtok (scope_variables, delimiter);
967 while (NULL != scope_variable)
968 {
969 if (0 == strcmp ("profile", scope_variable))
970 {
971 for (i = 0; i < 14; i++)
972 {
973 if (0 == strcmp (attr, OIDC_profile_claims[i]))
974 {
975 GNUNET_free (scope_variables);
976 return GNUNET_YES;
977 }
978 }
979 }
980 else if (0 == strcmp ("address", scope_variable))
981 {
982 for (i = 0; i < 5; i++)
983 {
984 if (0 == strcmp (attr, OIDC_address_claims[i]))
985 {
986 GNUNET_free (scope_variables);
987 return GNUNET_YES;
988 }
989 }
990 }
991 else if (0 == strcmp ("email", scope_variable))
992 {
993 for (i = 0; i < 2; i++)
994 {
995 if (0 == strcmp (attr, OIDC_email_claims[i]))
996 {
997 GNUNET_free (scope_variables);
998 return GNUNET_YES;
999 }
1000 }
1001 }
1002 else if (0 == strcmp ("phone", scope_variable))
1003 {
1004 for (i = 0; i < 2; i++)
1005 {
1006 if (0 == strcmp (attr, OIDC_phone_claims[i]))
1007 {
1008 GNUNET_free (scope_variables);
1009 return GNUNET_YES;
1010 }
1011 }
1012
1013 }
1014 else if (0 == strcmp (attr, scope_variable))
1015 {
1017 GNUNET_free (scope_variables);
1018 return GNUNET_YES;
1019 }
1020 scope_variable = strtok (NULL, delimiter);
1021 }
1022 GNUNET_free (scope_variables);
1023 return GNUNET_NO;
1024
1025}
OIDC_email_claims
static char OIDC_email_claims[2][16]
Standard claims represented by the "email" scope in OIDC.
Definition oidc_helper.c:87
OIDC_phone_claims
static char OIDC_phone_claims[2][32]
Standard claims represented by the "phone" scope in OIDC.
Definition oidc_helper.c:94
OIDC_profile_claims
static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
Standard claims represented by the "profile" scope in OIDC.
Definition oidc_helper.c:78

References GNUNET_free, GNUNET_NO, GNUNET_strdup, GNUNET_YES, OIDC_address_claims, OIDC_email_claims, OIDC_phone_claims, and OIDC_profile_claims.

Referenced by attr_in_claims_request().

Here is the caller graph for this function:

Variable Documentation

◆ OIDC_profile_claims

GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
static
Initial value:
= {
"name", "family_name", "given_name", "middle_name", "nickname",
"preferred_username", "profile", "picture", "website", "gender", "birthdate",
"zoneinfo", "locale", "updated_at"
}

Standard claims represented by the "profile" scope in OIDC.

Definition at line 78 of file oidc_helper.c.

78 {
79 "name", "family_name", "given_name", "middle_name", "nickname",
80 "preferred_username", "profile", "picture", "website", "gender", "birthdate",
81 "zoneinfo", "locale", "updated_at"
82};

Referenced by OIDC_check_scopes_for_claim_request().

◆ OIDC_email_claims

char OIDC_email_claims[2][16]
static
Initial value:
= {
"email", "email_verified"
}

Standard claims represented by the "email" scope in OIDC.

Definition at line 87 of file oidc_helper.c.

87 {
88 "email", "email_verified"
89};

Referenced by OIDC_check_scopes_for_claim_request().

◆ OIDC_phone_claims

char OIDC_phone_claims[2][32]
static
Initial value:
= {
"phone_number", "phone_number_verified"
}

Standard claims represented by the "phone" scope in OIDC.

Definition at line 94 of file oidc_helper.c.

94 {
95 "phone_number", "phone_number_verified"
96};

Referenced by OIDC_check_scopes_for_claim_request().

◆ OIDC_address_claims

char OIDC_address_claims[5][32]
static
Initial value:
= {
"street_address", "locality", "region", "postal_code", "country"
}

Standard claims represented by the "address" scope in OIDC.

Definition at line 101 of file oidc_helper.c.

101 {
102 "street_address", "locality", "region", "postal_code", "country"
103};

Referenced by is_claim_in_address_scope(), and OIDC_check_scopes_for_claim_request().