GNUnet 0.22.0
oidc_helper.c
Go to the documentation of this file.
1/*
2 This file is part of GNUnet
3 Copyright (C) 2010-2015 GNUnet e.V.
4
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
9
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
14
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17
18 SPDX-License-Identifier: AGPL3.0-or-later
19 */
20
27#include <inttypes.h>
28#include <jansson.h>
29#include <jose/jose.h>
30#include "gnunet_gns_service.h"
32#include "gnunet_util_lib.h"
33#include "gnunet_reclaim_lib.h"
35#include "gnunet_signatures.h"
36#include "oidc_helper.h"
37// #include "benchmark.h"
38#include <gcrypt.h>
39
41
46{
51
56
61
66
71};
72
74
78static char OIDC_profile_claims[14][32] = {
79 "name", "family_name", "given_name", "middle_name", "nickname",
80 "preferred_username", "profile", "picture", "website", "gender", "birthdate",
81 "zoneinfo", "locale", "updated_at"
82};
83
87static char OIDC_email_claims[2][16] = {
88 "email", "email_verified"
89};
90
94static char OIDC_phone_claims[2][32] = {
95 "phone_number", "phone_number_verified"
96};
97
101static char OIDC_address_claims[5][32] = {
102 "street_address", "locality", "region", "postal_code", "country"
103};
104
107{
108 int i;
109 for (i = 0; i < 5; i++)
110 {
111 if (0 == strcmp (claim, OIDC_address_claims[i]))
112 {
113 return GNUNET_YES;
114 }
115 }
116 return GNUNET_NO;
117}
118
119
120static char *
122{
123 json_t *root;
124 char *json_str;
125
126 root = json_object ();
127 json_object_set_new (root, JWT_ALG, json_string (JWT_ALG_VALUE_HMAC));
128 json_object_set_new (root, JWT_TYP, json_string (JWT_TYP_VALUE));
129
130 json_str = json_dumps (root, JSON_INDENT (0) | JSON_COMPACT);
131 json_decref (root);
132 return json_str;
133}
134
135
136static void
137replace_char (char *str, char find, char replace)
138{
139 char *current_pos = strchr (str, find);
140
141 while (current_pos)
142 {
143 *current_pos = replace;
144 current_pos = strchr (current_pos, find);
145 }
146}
147
148
149// RFC4648
150static void
151fix_base64 (char *str)
152{
153 // Replace + with -
154 replace_char (str, '+', '-');
155
156 // Replace / with _
157 replace_char (str, '/', '_');
158}
159
160
161static json_t*
163 const struct GNUNET_RECLAIM_AttributeList *attrs,
164 const struct
165 GNUNET_RECLAIM_PresentationList *presentations)
166{
169 char *subject;
170 char *source_name;
171 char *attr_val_str;
172 char *pres_val_str;
173 json_t *body;
174 json_t *aggr_names;
175 json_t *aggr_sources;
176 json_t *aggr_sources_jwt;
177 json_t *addr_claim = NULL;
178 int num_presentations = 0;
179 for (le = attrs->list_head; NULL != le; le = le->next)
180 {
182 num_presentations++;
183 }
184
185 subject =
187 sizeof(struct
189 body = json_object ();
190 aggr_names = json_object ();
191 aggr_sources = json_object ();
192
193 // iss REQUIRED case sensitive server uri with https
194 // The issuer is the local reclaim instance (e.g.
195 // https://reclaim.id/api/openid)
196 json_object_set_new (body, "iss", json_string (SERVER_ADDRESS));
197 // sub REQUIRED public key identity, not exceed 255 ASCII length
198 json_object_set_new (body, "sub", json_string (subject));
200 pres_val_str = NULL;
201 source_name = NULL;
202 int i = 0;
203 for (ple = presentations->list_head; NULL != ple; ple = ple->next)
204 {
205 // New presentation
206 GNUNET_asprintf (&source_name,
207 "src%d",
208 i);
210 "Adding new presentation source #%d\n", i);
211 aggr_sources_jwt = json_object ();
212 pres_val_str =
214 ple->presentation->data,
216 ;
218 "Presentation is: %s\n", pres_val_str);
219 json_object_set_new (aggr_sources_jwt,
221 ple->presentation->type),
222 json_string (pres_val_str) );
223 json_object_set_new (aggr_sources, source_name, aggr_sources_jwt);
224 GNUNET_free (pres_val_str);
225 GNUNET_free (source_name);
226 source_name = NULL;
227 i++;
228 }
229
230 int addr_is_aggregated = GNUNET_NO;
231 int addr_is_normal = GNUNET_NO;
232 for (le = attrs->list_head; NULL != le; le = le->next)
233 {
235 "Processing %s for userinfo body\n",
236 le->attribute->name);
238 {
239 attr_val_str =
241 le->attribute->data,
242 le->attribute->data_size);
248 {
249 if (GNUNET_YES == addr_is_aggregated)
250 {
252 "Address is set as aggregated claim. Skipping self-issued value...\n");
253 GNUNET_free (attr_val_str);
254 continue;
255 }
256 addr_is_normal = GNUNET_YES;
257
258 if (NULL == addr_claim)
259 {
260 addr_claim = json_object ();
261 json_object_set_new (body, "address", addr_claim);
262 }
263 json_object_set_new (addr_claim, le->attribute->name,
264 json_string (attr_val_str));
265
266 }
267 else
268 {
269 json_object_set_new (body, le->attribute->name,
270 json_string (attr_val_str));
271 }
272 GNUNET_free (attr_val_str);
273 }
274 else
275 {
276 // Check if presentation is there
277 int j = 0;
278 for (ple = presentations->list_head; NULL != ple; ple = ple->next)
279 {
280 if (GNUNET_YES ==
282 &le->attribute->credential))
283 break;
284 j++;
285 }
286 if (NULL == ple)
287 {
289 "Presentation for `%s' missing...\n",
290 le->attribute->name);
291 continue;
292 }
298 {
299 if (GNUNET_YES == addr_is_normal)
300 {
302 "Address is already set as normal claim. Skipping attested value...\n");
303 continue;
304 }
305 addr_is_aggregated = GNUNET_YES;
307 if (NULL != addr_claim)
308 continue;
309 addr_claim = json_object ();
310 GNUNET_asprintf (&source_name,
311 "src%d",
312 j);
313 json_object_set_new (aggr_names, "address",
314 json_string (source_name));
315 GNUNET_free (source_name);
316 }
317 else
318 {
319 // Presentation exists, hence take the respective source str
320 GNUNET_asprintf (&source_name,
321 "src%d",
322 j);
323 json_object_set_new (aggr_names, le->attribute->name,
324 json_string (source_name));
325 GNUNET_free (source_name);
326 }
327 }
328 }
329 if (0 != i)
330 {
331 json_object_set_new (body, "_claim_names", aggr_names);
332 json_object_set_new (body, "_claim_sources", aggr_sources);
333 }
334
335 return body;
336}
337
338
347char *
349 const struct GNUNET_RECLAIM_AttributeList *attrs,
350 const struct
351 GNUNET_RECLAIM_PresentationList *presentations)
352{
353 char *body_str;
354 json_t*body = generate_userinfo_json (sub_key,
355 attrs,
356 presentations);
357 body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
358 json_decref (body);
359 return body_str;
360}
361
362
363static char *
364generate_id_token_body (const char *rp_uri,
365 const struct GNUNET_CRYPTO_PublicKey *sub_key,
366 const struct GNUNET_RECLAIM_AttributeList *attrs,
367 const struct
368 GNUNET_RECLAIM_PresentationList *presentations,
369 const struct GNUNET_TIME_Relative *expiration_time,
370 const char *nonce)
371{
372 struct GNUNET_TIME_Absolute exp_time;
373 struct GNUNET_TIME_Absolute time_now;
374 json_t *body;
375 char *subject;
376 char *body_str;
377
378 body = generate_userinfo_json (sub_key,
379 attrs,
380 presentations);
381 // iat REQUIRED time now
382 time_now = GNUNET_TIME_absolute_get ();
383 // exp REQUIRED time expired from config
384 exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time);
385 // auth_time only if max_age
386 // nonce only if nonce
387 // OPTIONAL acr,amr,azp
388 subject =
390 sizeof(struct
392
393 // aud REQUIRED public key client_id must be there
394 json_object_set_new (body, "aud", json_string (rp_uri));
395 // iat
396 json_object_set_new (body,
397 "iat",
398 json_integer (time_now.abs_value_us / (1000 * 1000)));
399 // exp
400 json_object_set_new (body,
401 "exp",
402 json_integer (exp_time.abs_value_us / (1000 * 1000)));
403 // nbf
404 json_object_set_new (body,
405 "nbf",
406 json_integer (time_now.abs_value_us / (1000 * 1000)));
407 // nonce
408 if (NULL != nonce)
409 json_object_set_new (body, "nonce", json_string (nonce));
410
411 // Error checking
412 body_str = json_dumps (body, JSON_INDENT (2) | JSON_COMPACT);
413 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,"ID-Token: %s\n", body_str);
414
415 json_decref (body);
417
418 return body_str;
419}
420
421
422char *
423OIDC_generate_id_token_rsa (const char *rp_uri,
424 const struct GNUNET_CRYPTO_PublicKey *sub_key,
425 const struct GNUNET_RECLAIM_AttributeList *attrs,
426 const struct
427 GNUNET_RECLAIM_PresentationList *presentations,
428 const struct GNUNET_TIME_Relative *expiration_time,
429 const char *nonce,
430 const json_t *secret_rsa_key)
431{
432 json_t *jws;
433 char *body_str;
434 char *result;
435
436 // Generate the body of the JSON Web Signature
437 body_str = generate_id_token_body (rp_uri,
438 sub_key,
439 attrs,
440 presentations,
441 expiration_time,
442 nonce);
443
444 if (NULL == body_str)
445 {
447 "Body for the JWS could not be generated\n");
448 return NULL;
449 }
450
451 // Creating the JSON Web Signature.
452 jws = json_pack ("{s:o}", "payload",
453 jose_b64_enc (body_str, strlen (body_str)));
454 GNUNET_free (body_str);
455
456 if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
457 {
459 "Signature generation failed\n");
460 return NULL;
461 }
462
463 // Encoding JSON as compact JSON Web Signature
464 GNUNET_asprintf (&result, "%s.%s.%s",
465 json_string_value (json_object_get (jws, "protected")),
466 json_string_value (json_object_get (jws, "payload")),
467 json_string_value (json_object_get (jws, "signature")) );
468
469 json_decref (jws);
470 return result;
471}
472
473
474char *
475OIDC_generate_id_token_hmac (const char *rp_uri,
476 const struct GNUNET_CRYPTO_PublicKey *sub_key,
477 const struct GNUNET_RECLAIM_AttributeList *attrs,
478 const struct
479 GNUNET_RECLAIM_PresentationList *presentations,
480 const struct GNUNET_TIME_Relative *expiration_time,
481 const char *nonce,
482 const char *secret_key)
483{
484 struct GNUNET_HashCode signature;
485 char *header;
486 char *header_base64;
487 char *body_str;
488 char *body_base64;
489 char *signature_target;
490 char *signature_base64;
491 char *result;
492
493 // Generate and encode Header
494 header = create_jwt_hmac_header ();
495 if (NULL == header)
496 {
498 "Header for the JWS could not be generated\n");
499 return NULL;
500 }
501 GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
502 GNUNET_free (header);
503 fix_base64 (header_base64);
504
505 // Generate and encode the body of the JSON Web Signature
506 body_str = generate_id_token_body (rp_uri,
507 sub_key,
508 attrs,
509 presentations,
510 expiration_time,
511 nonce);
512
513 if (NULL == body_str)
514 {
516 "Body for the JWS could not be generated\n");
517 GNUNET_free (header_base64);
518 return NULL;
519 }
520
521 GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
522 fix_base64 (body_base64);
523
528 GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
529 GNUNET_CRYPTO_hmac_raw (secret_key,
530 strlen (secret_key),
531 signature_target,
532 strlen (signature_target),
533 &signature);
534 GNUNET_STRINGS_base64url_encode ((const char *) &signature,
535 sizeof(struct GNUNET_HashCode),
536 &signature_base64);
537 fix_base64 (signature_base64);
538
540 "%s.%s.%s",
541 header_base64,
542 body_base64,
543 signature_base64);
544
545 GNUNET_free (header_base64);
546 GNUNET_free (body_str);
547 GNUNET_free (body_base64);
548 GNUNET_free (signature_target);
549 GNUNET_free (signature_base64);
550 return result;
551}
552
553
566char *
568 const struct GNUNET_RECLAIM_Ticket *ticket,
569 const struct GNUNET_RECLAIM_AttributeList *attrs,
570 const struct
571 GNUNET_RECLAIM_PresentationList *presentations,
572 const char *nonce_str,
573 const char *code_challenge)
574{
575 struct OIDC_Parameters params;
576 char *code_payload;
577 char *payload;
578 char *tmp;
579 char *code_str;
580 char *buf_ptr = NULL;
581 size_t payload_len;
582 size_t code_payload_len;
583 size_t attr_list_len = 0;
584 size_t pres_list_len = 0;
585 size_t code_challenge_len = 0;
586 uint32_t nonce_len = 0;
588
590 // Assign ticket
591 memset (&params, 0, sizeof(params));
592 memcpy (params.ticket.gns_name, ticket->gns_name, strlen (ticket->gns_name)
593 + 1);
594 // Assign nonce
595 payload_len = sizeof(struct OIDC_Parameters);
596 if ((NULL != nonce_str) && (strcmp ("", nonce_str) != 0))
597 {
598 nonce_len = strlen (nonce_str);
599 payload_len += nonce_len;
600 }
601 params.nonce_len = htonl (nonce_len);
602 // Assign code challenge
603 if (NULL != code_challenge)
604 code_challenge_len = strlen (code_challenge);
605 payload_len += code_challenge_len;
606 params.code_challenge_len = htonl (code_challenge_len);
607 // Assign attributes
608 if (NULL != attrs)
609 {
610 // Get length
612 params.attr_list_len = htonl (attr_list_len);
614 "Length of serialized attributes: %lu\n",
616 // Get serialized attributes
617 payload_len += attr_list_len;
618 }
619 if (NULL != presentations)
620 {
621 // Get length
622 // FIXME only add presentations relevant for attribute list!!!
623 // This is important because of the distinction between id_token and
624 // userinfo in OIDC
627 params.pres_list_len = htonl (pres_list_len);
629 "Length of serialized presentations: %lu\n",
631 // Get serialized attributes
632 payload_len += pres_list_len;
633 }
634
635 // Get plaintext length
636 payload = GNUNET_malloc (payload_len);
637 memcpy (payload, &params, sizeof(params));
638 tmp = payload + sizeof(params);
639 if (0 < code_challenge_len)
640 {
641 memcpy (tmp, code_challenge, code_challenge_len);
642 tmp += code_challenge_len;
643 }
644 if (0 < nonce_len)
645 {
646 memcpy (tmp, nonce_str, nonce_len);
647 tmp += nonce_len;
648 }
649 if (0 < attr_list_len)
651 tmp += attr_list_len;
652 if (0 < pres_list_len)
654 tmp += pres_list_len;
655
658 // Get length
659 code_payload_len = sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
660 + payload_len + sizeof(struct
663 "Length of data to encode: %lu\n",
664 code_payload_len);
665
666 // Initialize code payload
667 code_payload = GNUNET_malloc (code_payload_len);
668 GNUNET_assert (NULL != code_payload);
669 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
670 purpose->size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
671 + payload_len);
673 // Store pubkey
674 buf_ptr = (char *) &purpose[1];
675 memcpy (buf_ptr, payload, payload_len);
677 buf_ptr += payload_len;
678 // Sign and store signature
679 if (GNUNET_SYSERR ==
680 GNUNET_CRYPTO_sign_ (issuer,
681 purpose,
682 (struct GNUNET_CRYPTO_Signature *)
683 buf_ptr))
684 {
685 GNUNET_break (0);
686 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
687 GNUNET_free (code_payload);
688 return NULL;
689 }
690 GNUNET_STRINGS_base64url_encode (code_payload, code_payload_len, &code_str);
691 GNUNET_free (code_payload);
692 return code_str;
693}
694
695
697check_code_challenge (const char *code_challenge,
698 uint32_t code_challenge_len,
699 const char *code_verifier)
700{
701 char *code_verifier_hash;
702 char *expected_code_challenge;
703
704 if (0 == code_challenge_len) /* Only check if this code requires a CV */
705 return GNUNET_OK;
706 if (NULL == code_verifier)
707 {
709 "Expected code verifier!\n");
710 return GNUNET_SYSERR;
711 }
712 code_verifier_hash = GNUNET_malloc (256 / 8);
713 // hash code verifier
714 gcry_md_hash_buffer (GCRY_MD_SHA256,
715 code_verifier_hash,
716 code_verifier,
717 strlen (code_verifier));
718 // encode code verifier
719 GNUNET_STRINGS_base64url_encode (code_verifier_hash, 256 / 8,
720 &expected_code_challenge);
721 GNUNET_free (code_verifier_hash);
722 if (0 !=
723 strncmp (expected_code_challenge, code_challenge, code_challenge_len))
724 {
726 "Invalid code verifier! Expected: %s, Got: %.*s\n",
727 expected_code_challenge,
728 code_challenge_len,
729 code_challenge);
730 GNUNET_free (expected_code_challenge);
731 return GNUNET_SYSERR;
732 }
733 GNUNET_free (expected_code_challenge);
734 return GNUNET_OK;
735}
736
737
753int
754OIDC_parse_authz_code (const char *rp_uri,
755 const struct GNUNET_CRYPTO_PublicKey *cid,
756 const char *code,
757 const char *code_verifier,
759 struct GNUNET_RECLAIM_AttributeList **attrs,
760 struct GNUNET_RECLAIM_PresentationList **presentations,
761 char **nonce_str,
762 enum OIDC_VerificationOptions opts, char **emsg)
763{
764 char *code_payload;
765 char *ptr;
766 char *plaintext;
767 char *attrs_ser;
768 char *presentations_ser;
769 char *code_challenge;
771 struct GNUNET_CRYPTO_Signature *signature;
772 struct GNUNET_CRYPTO_PublicKey iss;
773 uint32_t code_challenge_len;
774 uint32_t attrs_ser_len;
775 uint32_t pres_ser_len;
776 size_t plaintext_len;
777 size_t code_payload_len;
778 uint32_t nonce_len = 0;
779 struct OIDC_Parameters *params;
780
781
783 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code);
784 code_payload = NULL;
785 code_payload_len =
786 GNUNET_STRINGS_base64url_decode (code, strlen (code),
787 (void **) &code_payload);
788 if (code_payload_len < sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
789 + sizeof(struct OIDC_Parameters)
790 + sizeof(struct GNUNET_CRYPTO_Signature))
791 {
792 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
793 GNUNET_free (code_payload);
794 return GNUNET_SYSERR;
795 }
796
797 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
798 plaintext_len = code_payload_len;
799 plaintext_len -= sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose);
800 ptr = (char *) &purpose[1];
801 plaintext_len -= sizeof(struct GNUNET_CRYPTO_Signature);
802 plaintext = ptr;
803 ptr += plaintext_len;
804 signature = (struct GNUNET_CRYPTO_Signature *) ptr;
805 params = (struct OIDC_Parameters *) plaintext;
806
807 // cmp code_challenge code_verifier
808 code_challenge_len = ntohl (params->code_challenge_len);
809 code_challenge = ((char *) &params[1]);
811 {
812 if (GNUNET_OK != check_code_challenge (code_challenge,
814 code_verifier))
815 {
816 GNUNET_asprintf (emsg, "Code verifier `%s' invalid for challenge `%s'",
817 code_verifier, code_challenge);
818 GNUNET_free (code_payload);
819 return GNUNET_SYSERR;
820 }
821 }
822 nonce_len = ntohl (params->nonce_len);
823 if (0 != nonce_len)
824 {
825 *nonce_str = GNUNET_strndup (code_challenge + code_challenge_len,
826 nonce_len);
827 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %s\n", *nonce_str);
828 }
829
830 // Ticket
831 memcpy (ticket, &params->ticket, sizeof(params->ticket));
832 // Signature
833 // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
834 if (GNUNET_OK !=
837 purpose,
838 signature,
839 &iss))
840 {
841 GNUNET_free (code_payload);
842 if (NULL != *nonce_str)
843 GNUNET_free (*nonce_str);
844 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n");
845 *emsg = GNUNET_strdup ("Signature verification failed");
846 return GNUNET_SYSERR;
847 }
848 // Attributes
849 attrs_ser = ((char *) &params[1]) + code_challenge_len + nonce_len;
850 attrs_ser_len = ntohl (params->attr_list_len);
851 *attrs = GNUNET_RECLAIM_attribute_list_deserialize (attrs_ser, attrs_ser_len);
852 presentations_ser = ((char*) attrs_ser) + attrs_ser_len;
853 pres_ser_len = ntohl (params->pres_list_len);
854 *presentations =
856 pres_ser_len);
857
858 GNUNET_free (code_payload);
859 return GNUNET_OK;
860}
861
862
872void
873OIDC_build_token_response (const char *access_token,
874 const char *id_token,
875 const struct GNUNET_TIME_Relative *expiration_time,
876 char **token_response)
877{
878 json_t *root_json;
879
880 root_json = json_object ();
881
882 GNUNET_assert (NULL != access_token);
883 GNUNET_assert (NULL != id_token);
884 GNUNET_assert (NULL != expiration_time);
885 json_object_set_new (root_json, "access_token", json_string (access_token));
886 json_object_set_new (root_json, "token_type", json_string ("Bearer"));
887 json_object_set_new (root_json,
888 "expires_in",
889 json_integer (expiration_time->rel_value_us
890 / (1000 * 1000)));
891 json_object_set_new (root_json, "id_token", json_string (id_token));
892 *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT);
893 json_decref (root_json);
894}
895
896
900char *
902 const char *rp_uri)
903{
904 char *access_token;
905 char *tkt_b64;
906
908 sizeof(*ticket),
909 &tkt_b64);
910 GNUNET_asprintf (&access_token, "%s-%s", tkt_b64, rp_uri);
911 GNUNET_free (tkt_b64);
912 return access_token;
913}
914
915
919int
920OIDC_access_token_parse (const char *token,
922 char **rp_uri)
923{
924 size_t sret;
925 char *decoded;
926 char *tmp;
927 char *tkt_str;
928 char *rp_uri_str;
929 tmp = GNUNET_strdup (token);
930 tkt_str = strtok (tmp, "-");
931 GNUNET_assert (NULL != tkt_str); // FIXME handle
932 rp_uri_str = strtok (NULL, "-");
933 GNUNET_assert (NULL != rp_uri_str); // FIXME handle
934 sret = GNUNET_STRINGS_base64_decode (tkt_str,
935 strlen (tkt_str),
936 (void**) &decoded);
937 if (sizeof (struct GNUNET_RECLAIM_Ticket) != sret)
938 {
939 GNUNET_free (decoded);
940 GNUNET_free (tmp);
941 return GNUNET_SYSERR;
942 }
943 *ticket = (struct GNUNET_RECLAIM_Ticket *) decoded;
944 *rp_uri = GNUNET_strdup (rp_uri_str);
945 GNUNET_free (tmp);
946 return GNUNET_OK;
947}
948
949
960 const char*attr)
961{
962 char *scope_variables;
963 char *scope_variable;
964 char delimiter[] = " ";
965 int i;
966
967 scope_variables = GNUNET_strdup (scopes);
968 scope_variable = strtok (scope_variables, delimiter);
969 while (NULL != scope_variable)
970 {
971 if (0 == strcmp ("profile", scope_variable))
972 {
973 for (i = 0; i < 14; i++)
974 {
975 if (0 == strcmp (attr, OIDC_profile_claims[i]))
976 {
977 GNUNET_free (scope_variables);
978 return GNUNET_YES;
979 }
980 }
981 }
982 else if (0 == strcmp ("address", scope_variable))
983 {
984 for (i = 0; i < 5; i++)
985 {
986 if (0 == strcmp (attr, OIDC_address_claims[i]))
987 {
988 GNUNET_free (scope_variables);
989 return GNUNET_YES;
990 }
991 }
992 }
993 else if (0 == strcmp ("email", scope_variable))
994 {
995 for (i = 0; i < 2; i++)
996 {
997 if (0 == strcmp (attr, OIDC_email_claims[i]))
998 {
999 GNUNET_free (scope_variables);
1000 return GNUNET_YES;
1001 }
1002 }
1003 }
1004 else if (0 == strcmp ("phone", scope_variable))
1005 {
1006 for (i = 0; i < 2; i++)
1007 {
1008 if (0 == strcmp (attr, OIDC_phone_claims[i]))
1009 {
1010 GNUNET_free (scope_variables);
1011 return GNUNET_YES;
1012 }
1013 }
1014
1015 }
1016 else if (0 == strcmp (attr, scope_variable))
1017 {
1019 GNUNET_free (scope_variables);
1020 return GNUNET_YES;
1021 }
1022 scope_variable = strtok (NULL, delimiter);
1023 }
1024 GNUNET_free (scope_variables);
1025 return GNUNET_NO;
1026
1027}
static char * subject
Subject pubkey string.
Definition: gnunet-abd.c:87
static int replace
Replace DID Document Flag.
Definition: gnunet-did.c:52
struct GNUNET_RECLAIM_Attribute * claim
Claim to store.
static struct GNUNET_RECLAIM_Ticket ticket
Ticket to consume.
static int result
Global testing status.
static unsigned long long payload
How much data are we currently storing in the database?
API to the GNS service.
API that can be used to manipulate GNS record data.
Identity attribute definitions.
reclaim service; implements identity and personal data sharing for GNUnet
enum GNUNET_GenericReturnValue GNUNET_GNS_parse_ztld(const char *name, struct GNUNET_CRYPTO_PublicKey *ztld_key)
Try to parse the zTLD into a public key.
Definition: gns_tld_api.c:228
#define GNUNET_NETWORK_STRUCT_BEGIN
Define as empty, GNUNET_PACKED should suffice, but this won't work on W32.
#define GNUNET_log(kind,...)
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_signature_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_Signature *sig, const struct GNUNET_CRYPTO_PublicKey *pub)
Verify a given signature.
Definition: crypto_pkey.c:319
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_sign_(const struct GNUNET_CRYPTO_PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_Signature *sig)
Sign a given block.
Definition: crypto_pkey.c:293
#define GNUNET_NETWORK_STRUCT_END
Define as empty, GNUNET_PACKED should suffice, but this won't work on W32;.
GNUNET_GenericReturnValue
Named constants for return values.
void GNUNET_CRYPTO_hmac_raw(const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac)
Calculate HMAC of a message (RFC 2104) TODO: Shouldn't this be the standard hmac function and the abo...
Definition: crypto_hash.c:300
#define GNUNET_PACKED
gcc-ism to get packed structs.
@ GNUNET_OK
@ GNUNET_YES
@ GNUNET_NO
@ GNUNET_SYSERR
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
@ GNUNET_ERROR_TYPE_WARNING
@ GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_DEBUG
int int GNUNET_asprintf(char **buf, const char *format,...) __attribute__((format(printf
Like asprintf, just portable.
#define GNUNET_strdup(a)
Wrapper around GNUNET_xstrdup_.
#define GNUNET_strndup(a, length)
Wrapper around GNUNET_xstrndup_.
#define GNUNET_malloc(size)
Wrapper around malloc.
#define GNUNET_free(ptr)
Wrapper around free.
#define GNUNET_RECLAIM_id_is_equal(a, b)
struct GNUNET_RECLAIM_PresentationList * GNUNET_RECLAIM_presentation_list_deserialize(const char *data, size_t data_size)
Deserialize a presentation list.
#define GNUNET_RECLAIM_id_is_zero(a)
struct GNUNET_RECLAIM_AttributeList * GNUNET_RECLAIM_attribute_list_deserialize(const char *data, size_t data_size)
Deserialize an attribute list.
size_t GNUNET_RECLAIM_attribute_list_serialize(const struct GNUNET_RECLAIM_AttributeList *attrs, char *result)
Serialize an attribute list.
const char * GNUNET_RECLAIM_presentation_number_to_typename(uint32_t type)
Convert a presentation type number to the corresponding credential type string.
size_t GNUNET_RECLAIM_presentation_list_serialize(const struct GNUNET_RECLAIM_PresentationList *presentations, char *result)
Serialize a presentation list.
char * GNUNET_RECLAIM_attribute_value_to_string(uint32_t type, const void *data, size_t data_size)
Convert the 'claim' of an attribute to a string.
size_t GNUNET_RECLAIM_presentation_list_serialize_get_size(const struct GNUNET_RECLAIM_PresentationList *presentations)
Get required size for serialization buffer.
size_t GNUNET_RECLAIM_attribute_list_serialize_get_size(const struct GNUNET_RECLAIM_AttributeList *attrs)
Get required size for serialization buffer.
char * GNUNET_RECLAIM_presentation_value_to_string(uint32_t type, const void *data, size_t data_size)
Convert the 'claim' of a presentation to a string.
size_t GNUNET_STRINGS_base64url_decode(const char *data, size_t len, void **out)
Decode from Base64url.
Definition: strings.c:1805
char * GNUNET_STRINGS_data_to_string_alloc(const void *buf, size_t size)
Return the base32crockford encoding of the given buffer.
Definition: strings.c:787
size_t GNUNET_STRINGS_base64url_encode(const void *in, size_t len, char **output)
Encode into Base64url.
Definition: strings.c:1694
size_t GNUNET_STRINGS_base64_decode(const char *data, size_t len, void **output)
Decode from Base64.
Definition: strings.c:1747
size_t GNUNET_STRINGS_base64_encode(const void *in, size_t len, char **output)
Encode into Base64.
Definition: strings.c:1645
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_get(void)
Get the current time.
Definition: time.c:111
struct GNUNET_TIME_Absolute GNUNET_TIME_absolute_add(struct GNUNET_TIME_Absolute start, struct GNUNET_TIME_Relative duration)
Add a given relative duration to the given start time.
Definition: time.c:452
static void replace_char(char *str, char find, char replace)
Definition: oidc_helper.c:137
static char OIDC_email_claims[2][16]
Standard claims represented by the "email" scope in OIDC.
Definition: oidc_helper.c:87
char * OIDC_generate_id_token_rsa(const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const json_t *secret_rsa_key)
Create a JWT using RSA256 algorithm from attributes.
Definition: oidc_helper.c:423
static char OIDC_address_claims[5][32]
Standard claims represented by the "address" scope in OIDC.
Definition: oidc_helper.c:101
static void fix_base64(char *str)
Definition: oidc_helper.c:151
char * OIDC_generate_userinfo(const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Generate userinfo JSON as string.
Definition: oidc_helper.c:348
static enum GNUNET_GenericReturnValue check_code_challenge(const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
Definition: oidc_helper.c:697
static enum GNUNET_GenericReturnValue is_claim_in_address_scope(const char *claim)
Definition: oidc_helper.c:106
int OIDC_parse_authz_code(const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *cid, const char *code, const char *code_verifier, struct GNUNET_RECLAIM_Ticket *ticket, struct GNUNET_RECLAIM_AttributeList **attrs, struct GNUNET_RECLAIM_PresentationList **presentations, char **nonce_str, enum OIDC_VerificationOptions opts, char **emsg)
Parse reclaim ticket and nonce from authorization code.
Definition: oidc_helper.c:754
char * OIDC_build_authz_code(const struct GNUNET_CRYPTO_PrivateKey *issuer, const struct GNUNET_RECLAIM_Ticket *ticket, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const char *nonce_str, const char *code_challenge)
Builds an OIDC authorization code including a reclaim ticket and nonce.
Definition: oidc_helper.c:567
char * OIDC_generate_id_token_hmac(const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const char *secret_key)
Create a JWT using HMAC (HS256) from attributes.
Definition: oidc_helper.c:475
char * OIDC_access_token_new(const struct GNUNET_RECLAIM_Ticket *ticket, const char *rp_uri)
Generate a new access token.
Definition: oidc_helper.c:901
static char * generate_id_token_body(const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
Definition: oidc_helper.c:364
static char * create_jwt_hmac_header(void)
Definition: oidc_helper.c:121
int OIDC_access_token_parse(const char *token, struct GNUNET_RECLAIM_Ticket **ticket, char **rp_uri)
Parse an access token.
Definition: oidc_helper.c:920
enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request(const char *scopes, const char *attr)
Checks if a claim is implicitly requested through standard scope(s) or explicitly through non-standar...
Definition: oidc_helper.c:959
static json_t * generate_userinfo_json(const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Definition: oidc_helper.c:162
static char OIDC_phone_claims[2][32]
Standard claims represented by the "phone" scope in OIDC.
Definition: oidc_helper.c:94
void OIDC_build_token_response(const char *access_token, const char *id_token, const struct GNUNET_TIME_Relative *expiration_time, char **token_response)
Build a token response for a token request TODO: Maybe we should add the scope here?
Definition: oidc_helper.c:873
static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
Standard claims represented by the "profile" scope in OIDC.
Definition: oidc_helper.c:78
#define JWT_TYP_VALUE
Definition: oidc_helper.h:34
#define JWT_ALG
Definition: oidc_helper.h:32
#define SERVER_ADDRESS
Definition: oidc_helper.h:39
OIDC_VerificationOptions
Definition: oidc_helper.h:42
@ OIDC_VERIFICATION_NO_CODE_VERIFIER
Do not check code verifier even if expected.
Definition: oidc_helper.h:51
#define JWT_TYP
Definition: oidc_helper.h:33
#define JWT_ALG_VALUE_HMAC
Definition: oidc_helper.h:36
#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
Signature for a GNUid Ticket (Reclaim)
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
A private key for an identity as per LSD0001.
An identity key as per LSD0001.
An identity signature as per LSD0001.
A 512-bit hashcode.
struct GNUNET_RECLAIM_Attribute * attribute
The attribute claim.
struct GNUNET_RECLAIM_AttributeListEntry * next
DLL.
A list of GNUNET_RECLAIM_Attribute structures.
struct GNUNET_RECLAIM_AttributeListEntry * list_head
List head.
const char * name
The name of the attribute.
struct GNUNET_RECLAIM_Identifier credential
Referenced ID of credential (may be GNUNET_RECLAIM_ID_ZERO if self-creded)
uint32_t type
Type of Claim.
const void * data
Binary value stored as attribute value.
size_t data_size
Number of bytes in data.
struct GNUNET_RECLAIM_Presentation * presentation
The credential.
struct GNUNET_RECLAIM_PresentationListEntry * next
DLL.
A list of GNUNET_RECLAIM_Presentation structures.
struct GNUNET_RECLAIM_PresentationListEntry * list_head
List head.
const void * data
Binary value stored as presentation value.
uint32_t type
Type/Format of Claim.
size_t data_size
Number of bytes in data.
struct GNUNET_RECLAIM_Identifier credential_id
The credential id of which this is a presentation.
The authorization ticket.
char gns_name[63 *2+2]
The ticket.
Time for absolute times used by GNUnet, in microseconds.
uint64_t abs_value_us
The actual value.
Time for relative time used by GNUnet, in microseconds.
uint64_t rel_value_us
The actual value.
The signature used to generate the authorization code.
Definition: oidc_helper.c:46
struct GNUNET_RECLAIM_Ticket ticket
The reclaim ticket.
Definition: oidc_helper.c:50
uint32_t pres_list_len
The length of the presentation list.
Definition: oidc_helper.c:70
uint32_t nonce_len
The nonce length.
Definition: oidc_helper.c:55
uint32_t attr_list_len
The length of the attributes list.
Definition: oidc_helper.c:65
uint32_t code_challenge_len
The length of the PKCE code_challenge.
Definition: oidc_helper.c:60