GNUnet 0.22.2
Macros | Enumerations | Functions
oidc_helper.h File Reference
#include "gnunet_util_lib.h"
#include "gnunet_reclaim_service.h"
Include dependency graph for oidc_helper.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define JWT_ALG   "alg"
 
#define JWT_TYP   "typ"
 
#define JWT_TYP_VALUE   "jwt"
 
#define JWT_ALG_VALUE_HMAC   "HS512"
 
#define JWT_ALG_VALUE_RSA   "RS256"
 
#define SERVER_ADDRESS   "http://localhost:7776"
 

Enumerations

enum  OIDC_VerificationOptions { OIDC_VERIFICATION_DEFAULT = 0 , OIDC_VERIFICATION_NO_CODE_VERIFIER = 1 }
 

Functions

char * OIDC_generate_id_token_rsa (const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const json_t *secret_rsa_key)
 Create a JWT using RSA256 algorithm from attributes. More...
 
char * OIDC_generate_id_token_hmac (const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const char *secret_key)
 Create a JWT using HMAC (HS256) from attributes. More...
 
char * OIDC_build_authz_code (const struct GNUNET_CRYPTO_PrivateKey *issuer, const struct GNUNET_RECLAIM_Ticket *ticket, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const char *nonce, const char *code_challenge)
 Builds an OIDC authorization code including a reclaim ticket and nonce. More...
 
int OIDC_parse_authz_code (const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *cid, const char *code, const char *code_verifier, struct GNUNET_RECLAIM_Ticket *ticket, struct GNUNET_RECLAIM_AttributeList **attrs, struct GNUNET_RECLAIM_PresentationList **presentations, char **nonce, enum OIDC_VerificationOptions opts, char **emsg)
 Parse reclaim ticket and nonce from authorization code. More...
 
void OIDC_build_token_response (const char *access_token, const char *id_token, const struct GNUNET_TIME_Relative *expiration_time, char **token_response)
 Build a token response for a token request TODO: Maybe we should add the scope here? More...
 
char * OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket, const char *rp_uri)
 Generate a new access token. More...
 
int OIDC_access_token_parse (const char *token, struct GNUNET_RECLAIM_Ticket **ticket, char **rp_uri)
 Parse an access token. More...
 
enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request (const char *scopes, const char *attr)
 Checks if a claim is implicitly requested through standard scope(s) More...
 
char * OIDC_generate_userinfo (const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
 Generate userinfo JSON as string. More...
 

Macro Definition Documentation

◆ JWT_ALG

#define JWT_ALG   "alg"

Definition at line 32 of file oidc_helper.h.

◆ JWT_TYP

#define JWT_TYP   "typ"

Definition at line 33 of file oidc_helper.h.

◆ JWT_TYP_VALUE

#define JWT_TYP_VALUE   "jwt"

Definition at line 34 of file oidc_helper.h.

◆ JWT_ALG_VALUE_HMAC

#define JWT_ALG_VALUE_HMAC   "HS512"

Definition at line 36 of file oidc_helper.h.

◆ JWT_ALG_VALUE_RSA

#define JWT_ALG_VALUE_RSA   "RS256"

Definition at line 37 of file oidc_helper.h.

◆ SERVER_ADDRESS

#define SERVER_ADDRESS   "http://localhost:7776"

Definition at line 39 of file oidc_helper.h.

Enumeration Type Documentation

◆ OIDC_VerificationOptions

enum OIDC_VerificationOptions
Enumerator
OIDC_VERIFICATION_DEFAULT 

Strict verification.

OIDC_VERIFICATION_NO_CODE_VERIFIER 

Do not check code verifier even if expected.

Definition at line 41 of file oidc_helper.h.

42{
46 OIDC_VERIFICATION_DEFAULT = 0,
47
51 OIDC_VERIFICATION_NO_CODE_VERIFIER = 1
52};
OIDC_VERIFICATION_NO_CODE_VERIFIER
@ OIDC_VERIFICATION_NO_CODE_VERIFIER
Do not check code verifier even if expected.
Definition: oidc_helper.h:51
OIDC_VERIFICATION_DEFAULT
@ OIDC_VERIFICATION_DEFAULT
Strict verification.
Definition: oidc_helper.h:46

Function Documentation

◆ OIDC_generate_id_token_rsa()

char * OIDC_generate_id_token_rsa ( const char *  rp_uri,
const struct GNUNET_CRYPTO_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const json_t *  secret_rsa_key 
)

Create a JWT using RSA256 algorithm from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_rsa_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Definition at line 423 of file oidc_helper.c.

431{
432 json_t *jws;
433 char *body_str;
434 char *result;
435
436 // Generate the body of the JSON Web Signature
437 body_str = generate_id_token_body (rp_uri,
438 sub_key,
439 attrs,
440 presentations,
441 expiration_time,
442 nonce);
443
444 if (NULL == body_str)
445 {
446 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
447 "Body for the JWS could not be generated\n");
448 return NULL;
449 }
450
451 // Creating the JSON Web Signature.
452 jws = json_pack ("{s:o}", "payload",
453 jose_b64_enc (body_str, strlen (body_str)));
454 GNUNET_free (body_str);
455
456 if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
457 {
458 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
459 "Signature generation failed\n");
460 return NULL;
461 }
462
463 // Encoding JSON as compact JSON Web Signature
464 GNUNET_asprintf (&result, "%s.%s.%s",
465 json_string_value (json_object_get (jws, "protected")),
466 json_string_value (json_object_get (jws, "payload")),
467 json_string_value (json_object_get (jws, "signature")) );
468
469 json_decref (jws);
470 return result;
471}
result
static int result
Global testing status.
Definition: gnunet-regex-profiler.c:240
GNUNET_log
#define GNUNET_log(kind,...)
Definition: gnunet_common.h:548
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition: gnunet_common.h:414
GNUNET_asprintf
int int GNUNET_asprintf(char **buf, const char *format,...) __attribute__((format(printf
Like asprintf, just portable.
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition: gnunet_common.h:1411
generate_id_token_body
static char * generate_id_token_body(const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
Definition: oidc_helper.c:364

References generate_id_token_body(), GNUNET_asprintf(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_id_token_hmac()

char * OIDC_generate_id_token_hmac ( const char *  rp_uri,
const struct GNUNET_CRYPTO_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const char *  secret_key 
)

Create a JWT using HMAC (HS256) from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Creating the JWT signature. This might not be standards compliant, check.

Definition at line 475 of file oidc_helper.c.

483{
484 struct GNUNET_HashCode signature;
485 char *header;
486 char *header_base64;
487 char *body_str;
488 char *body_base64;
489 char *signature_target;
490 char *signature_base64;
491 char *result;
492
493 // Generate and encode Header
494 header = create_jwt_hmac_header ();
495 if (NULL == header)
496 {
497 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
498 "Header for the JWS could not be generated\n");
499 return NULL;
500 }
501 GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
502 GNUNET_free (header);
503 fix_base64 (header_base64);
504
505 // Generate and encode the body of the JSON Web Signature
506 body_str = generate_id_token_body (rp_uri,
507 sub_key,
508 attrs,
509 presentations,
510 expiration_time,
511 nonce);
512
513 if (NULL == body_str)
514 {
515 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
516 "Body for the JWS could not be generated\n");
517 GNUNET_free (header_base64);
518 return NULL;
519 }
520
521 GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
522 fix_base64 (body_base64);
523
528 GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
529 GNUNET_CRYPTO_hmac_raw (secret_key,
530 strlen (secret_key),
531 signature_target,
532 strlen (signature_target),
533 &signature);
534 GNUNET_STRINGS_base64url_encode ((const char *) &signature,
535 sizeof(struct GNUNET_HashCode),
536 &signature_base64);
537 fix_base64 (signature_base64);
538
539 GNUNET_asprintf (&result,
540 "%s.%s.%s",
541 header_base64,
542 body_base64,
543 signature_base64);
544
545 GNUNET_free (header_base64);
546 GNUNET_free (body_str);
547 GNUNET_free (body_base64);
548 GNUNET_free (signature_target);
549 GNUNET_free (signature_base64);
550 return result;
551}
GNUNET_CRYPTO_hmac_raw
void GNUNET_CRYPTO_hmac_raw(const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac)
Calculate HMAC of a message (RFC 2104) TODO: Shouldn't this be the standard hmac function and the abo...
Definition: crypto_hash.c:297
GNUNET_STRINGS_base64url_encode
size_t GNUNET_STRINGS_base64url_encode(const void *in, size_t len, char **output)
Encode into Base64url.
Definition: strings.c:1648
fix_base64
static void fix_base64(char *str)
Definition: oidc_helper.c:151
create_jwt_hmac_header
static char * create_jwt_hmac_header(void)
Definition: oidc_helper.c:121
GNUNET_HashCode
A 512-bit hashcode.
Definition: gnunet_common.h:284

References create_jwt_hmac_header(), fix_base64(), generate_id_token_body(), GNUNET_asprintf(), GNUNET_CRYPTO_hmac_raw(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_STRINGS_base64url_encode(), and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_authz_code()

char * OIDC_build_authz_code ( const struct GNUNET_CRYPTO_PrivateKey issuer,
const struct GNUNET_RECLAIM_Ticket ticket,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const char *  nonce_str,
const char *  code_challenge 
)

Builds an OIDC authorization code including a reclaim ticket and nonce.

Parameters
issuerthe issuer
ticketthe ticket to include in the code
attrslist of attributes to share
presentationscredential presentation list
noncethe nonce to include in the code
code_challengePKCE code challenge
optsverification options
Returns
a new authorization code (caller must free)
Parameters
issuerthe issuer of the ticket, used to sign the ticket and nonce
ticketthe ticket to include in the code
attrslist of attributes which are shared
presentationscredential presentation list (may be empty)
noncethe nonce to include in the code
code_challengePKCE code challenge
Returns
a new authorization code (caller must free)

PLAINTEXT

END

Definition at line 567 of file oidc_helper.c.

574{
575 struct OIDC_Parameters params;
576 char *code_payload;
577 char *payload;
578 char *tmp;
579 char *code_str;
580 char *buf_ptr = NULL;
581 size_t payload_len;
582 size_t code_payload_len;
583 size_t attr_list_len = 0;
584 size_t pres_list_len = 0;
585 size_t code_challenge_len = 0;
586 uint32_t nonce_len = 0;
587 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
588
590 // Assign ticket
591 memset (&params, 0, sizeof(params));
592 memcpy (params.ticket.gns_name, ticket->gns_name, strlen (ticket->gns_name)
593 + 1);
594 // Assign nonce
595 payload_len = sizeof(struct OIDC_Parameters);
596 if ((NULL != nonce_str) && (strcmp ("", nonce_str) != 0))
597 {
598 nonce_len = strlen (nonce_str);
599 payload_len += nonce_len;
600 }
601 params.nonce_len = htonl (nonce_len);
602 // Assign code challenge
603 if (NULL != code_challenge)
604 code_challenge_len = strlen (code_challenge);
605 payload_len += code_challenge_len;
606 params.code_challenge_len = htonl (code_challenge_len);
607 // Assign attributes
608 if (NULL != attrs)
609 {
610 // Get length
611 attr_list_len = GNUNET_RECLAIM_attribute_list_serialize_get_size (attrs);
612 params.attr_list_len = htonl (attr_list_len);
613 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
614 "Length of serialized attributes: %lu\n",
615 attr_list_len);
616 // Get serialized attributes
617 payload_len += attr_list_len;
618 }
619 if (NULL != presentations)
620 {
621 // Get length
622 // FIXME only add presentations relevant for attribute list!!!
623 // This is important because of the distinction between id_token and
624 // userinfo in OIDC
625 pres_list_len =
626 GNUNET_RECLAIM_presentation_list_serialize_get_size (presentations);
627 params.pres_list_len = htonl (pres_list_len);
628 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
629 "Length of serialized presentations: %lu\n",
630 pres_list_len);
631 // Get serialized attributes
632 payload_len += pres_list_len;
633 }
634
635 // Get plaintext length
636 payload = GNUNET_malloc (payload_len);
637 memcpy (payload, &params, sizeof(params));
638 tmp = payload + sizeof(params);
639 if (0 < code_challenge_len)
640 {
641 memcpy (tmp, code_challenge, code_challenge_len);
642 tmp += code_challenge_len;
643 }
644 if (0 < nonce_len)
645 {
646 memcpy (tmp, nonce_str, nonce_len);
647 tmp += nonce_len;
648 }
649 if (0 < attr_list_len)
650 GNUNET_RECLAIM_attribute_list_serialize (attrs, tmp);
651 tmp += attr_list_len;
652 if (0 < pres_list_len)
653 GNUNET_RECLAIM_presentation_list_serialize (presentations, tmp);
654 tmp += pres_list_len;
655
658 // Get length
659 code_payload_len = sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
660 + payload_len + sizeof(struct
661 GNUNET_CRYPTO_Signature);
662 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
663 "Length of data to encode: %lu\n",
664 code_payload_len);
665
666 // Initialize code payload
667 code_payload = GNUNET_malloc (code_payload_len);
668 GNUNET_assert (NULL != code_payload);
669 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
670 purpose->size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
671 + payload_len);
672 purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN);
673 // Store pubkey
674 buf_ptr = (char *) &purpose[1];
675 memcpy (buf_ptr, payload, payload_len);
676 GNUNET_free (payload);
677 buf_ptr += payload_len;
678 // Sign and store signature
679 if (GNUNET_SYSERR ==
680 GNUNET_CRYPTO_sign_ (issuer,
681 purpose,
682 (struct GNUNET_CRYPTO_Signature *)
683 buf_ptr))
684 {
685 GNUNET_break (0);
686 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
687 GNUNET_free (code_payload);
688 return NULL;
689 }
690 GNUNET_STRINGS_base64url_encode (code_payload, code_payload_len, &code_str);
691 GNUNET_free (code_payload);
692 return code_str;
693}
ticket
static struct GNUNET_RECLAIM_Ticket ticket
Ticket to consume.
Definition: gnunet-reclaim.c:164
payload
static unsigned long long payload
How much data are we currently storing in the database?
Definition: gnunet-service-datastore.c:183
GNUNET_CRYPTO_sign_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_sign_(const struct GNUNET_CRYPTO_PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_Signature *sig)
Sign a given block.
Definition: crypto_pkey.c:293
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition: gnunet_common.h:109
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:956
GNUNET_break
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
Definition: gnunet_common.h:1041
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition: gnunet_common.h:421
GNUNET_malloc
#define GNUNET_malloc(size)
Wrapper around malloc.
Definition: gnunet_common.h:1351
GNUNET_RECLAIM_attribute_list_serialize
size_t GNUNET_RECLAIM_attribute_list_serialize(const struct GNUNET_RECLAIM_AttributeList *attrs, char *result)
Serialize an attribute list.
Definition: reclaim_attribute.c:322
GNUNET_RECLAIM_presentation_list_serialize
size_t GNUNET_RECLAIM_presentation_list_serialize(const struct GNUNET_RECLAIM_PresentationList *presentations, char *result)
Serialize a presentation list.
Definition: reclaim_credential.c:703
GNUNET_RECLAIM_presentation_list_serialize_get_size
size_t GNUNET_RECLAIM_presentation_list_serialize_get_size(const struct GNUNET_RECLAIM_PresentationList *presentations)
Get required size for serialization buffer.
Definition: reclaim_credential.c:687
GNUNET_RECLAIM_attribute_list_serialize_get_size
size_t GNUNET_RECLAIM_attribute_list_serialize_get_size(const struct GNUNET_RECLAIM_AttributeList *attrs)
Get required size for serialization buffer.
Definition: reclaim_attribute.c:306
GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
Signature for a GNUid Ticket (Reclaim)
Definition: gnunet_signatures.h:172
GNUNET_CRYPTO_EccSignaturePurpose
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
Definition: gnunet_crypto_lib.h:141
GNUNET_CRYPTO_EccSignaturePurpose::purpose
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Definition: gnunet_crypto_lib.h:155
GNUNET_CRYPTO_Signature
An identity signature as per LSD0001.
Definition: gnunet_crypto_lib.h:454
GNUNET_RECLAIM_Ticket::gns_name
char gns_name[63 *2+2]
The ticket.
Definition: gnunet_reclaim_service.h:83
OIDC_Parameters
The signature used to generate the authorization code.
Definition: oidc_helper.c:46
OIDC_Parameters::pres_list_len
uint32_t pres_list_len
The length of the presentation list.
Definition: oidc_helper.c:70
OIDC_Parameters::nonce_len
uint32_t nonce_len
The nonce length.
Definition: oidc_helper.c:55
OIDC_Parameters::attr_list_len
uint32_t attr_list_len
The length of the attributes list.
Definition: oidc_helper.c:65
OIDC_Parameters::code_challenge_len
uint32_t code_challenge_len
The length of the PKCE code_challenge.
Definition: oidc_helper.c:60

References OIDC_Parameters::attr_list_len, OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_assert, GNUNET_break, GNUNET_CRYPTO_sign_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_malloc, GNUNET_RECLAIM_attribute_list_serialize(), GNUNET_RECLAIM_attribute_list_serialize_get_size(), GNUNET_RECLAIM_presentation_list_serialize(), GNUNET_RECLAIM_presentation_list_serialize_get_size(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_STRINGS_base64url_encode(), GNUNET_SYSERR, OIDC_Parameters::nonce_len, payload, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_EccSignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by oidc_ticket_issue_cb().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_parse_authz_code()

int OIDC_parse_authz_code ( const char *  rp_uri,
const struct GNUNET_CRYPTO_PublicKey cid,
const char *  code,
const char *  code_verifier,
struct GNUNET_RECLAIM_Ticket ticket,
struct GNUNET_RECLAIM_AttributeList **  attrs,
struct GNUNET_RECLAIM_PresentationList **  presentations,
char **  nonce_str,
enum OIDC_VerificationOptions  opts,
char **  emsg 
)

Parse reclaim ticket and nonce from authorization code.

This also verifies the signature in the code.

Parameters
rp_urithe RP URI
codethe string representation of the code
code_verfierPKCE code verifier
ticketwhere to store the ticket
attrsthe attributes found in the code
presentationscredential presentation list
noncewhere to store the nonce
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

This also verifies the signature in the code.

Parameters
audiencethe expected audience of the code
codethe string representation of the code
code_verfierPKCE code verifier. Optional, must be provided if used in request.
ticketwhere to store the ticket
attrsthe attributes in the code
presentationscredential presentation list
nonce_strwhere to store the nonce (if contained)
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

Definition at line 754 of file oidc_helper.c.

763{
764 char *code_payload;
765 char *ptr;
766 char *plaintext;
767 char *attrs_ser;
768 char *presentations_ser;
769 char *code_challenge;
770 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
771 struct GNUNET_CRYPTO_Signature *signature;
772 struct GNUNET_CRYPTO_PublicKey iss;
773 uint32_t code_challenge_len;
774 uint32_t attrs_ser_len;
775 uint32_t pres_ser_len;
776 size_t plaintext_len;
777 size_t code_payload_len;
778 uint32_t nonce_len = 0;
779 struct OIDC_Parameters *params;
780
781
782 GNUNET_GNS_parse_ztld (ticket->gns_name, &iss);
783 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code);
784 code_payload = NULL;
785 code_payload_len =
786 GNUNET_STRINGS_base64url_decode (code, strlen (code),
787 (void **) &code_payload);
788 if (code_payload_len < sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
789 + sizeof(struct OIDC_Parameters)
790 + sizeof(struct GNUNET_CRYPTO_Signature))
791 {
792 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
793 GNUNET_free (code_payload);
794 return GNUNET_SYSERR;
795 }
796
797 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
798 plaintext_len = code_payload_len;
799 plaintext_len -= sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose);
800 ptr = (char *) &purpose[1];
801 plaintext_len -= sizeof(struct GNUNET_CRYPTO_Signature);
802 plaintext = ptr;
803 ptr += plaintext_len;
804 signature = (struct GNUNET_CRYPTO_Signature *) ptr;
805 params = (struct OIDC_Parameters *) plaintext;
806
807 // cmp code_challenge code_verifier
808 code_challenge_len = ntohl (params->code_challenge_len);
809 code_challenge = ((char *) &params[1]);
810 if (! (opts & OIDC_VERIFICATION_NO_CODE_VERIFIER))
811 {
812 if (GNUNET_OK != check_code_challenge (code_challenge,
813 code_challenge_len,
814 code_verifier))
815 {
816 GNUNET_asprintf (emsg, "Code verifier `%s' invalid for challenge `%s'",
817 code_verifier, code_challenge);
818 GNUNET_free (code_payload);
819 return GNUNET_SYSERR;
820 }
821 }
822 nonce_len = ntohl (params->nonce_len);
823 if (0 != nonce_len)
824 {
825 *nonce_str = GNUNET_strndup (code_challenge + code_challenge_len,
826 nonce_len);
827 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %s\n", *nonce_str);
828 }
829
830 // Ticket
831 memcpy (ticket, &params->ticket, sizeof(params->ticket));
832 // Signature
833 // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
834 if (GNUNET_OK !=
835 GNUNET_CRYPTO_signature_verify_ (
836 GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
837 purpose,
838 signature,
839 &iss))
840 {
841 GNUNET_free (code_payload);
842 if (NULL != *nonce_str)
843 GNUNET_free (*nonce_str);
844 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n");
845 *emsg = GNUNET_strdup ("Signature verification failed");
846 return GNUNET_SYSERR;
847 }
848 // Attributes
849 attrs_ser = ((char *) &params[1]) + code_challenge_len + nonce_len;
850 attrs_ser_len = ntohl (params->attr_list_len);
851 *attrs = GNUNET_RECLAIM_attribute_list_deserialize (attrs_ser, attrs_ser_len);
852 presentations_ser = ((char*) attrs_ser) + attrs_ser_len;
853 pres_ser_len = ntohl (params->pres_list_len);
854 *presentations =
855 GNUNET_RECLAIM_presentation_list_deserialize (presentations_ser,
856 pres_ser_len);
857
858 GNUNET_free (code_payload);
859 return GNUNET_OK;
860}
GNUNET_GNS_parse_ztld
enum GNUNET_GenericReturnValue GNUNET_GNS_parse_ztld(const char *name, struct GNUNET_CRYPTO_PublicKey *ztld_key)
Try to parse the zTLD into a public key.
Definition: gns_tld_api.c:228
GNUNET_CRYPTO_signature_verify_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_signature_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_Signature *sig, const struct GNUNET_CRYPTO_PublicKey *pub)
Verify a given signature.
Definition: crypto_pkey.c:319
GNUNET_OK
@ GNUNET_OK
Definition: gnunet_common.h:111
GNUNET_strdup
#define GNUNET_strdup(a)
Wrapper around GNUNET_xstrdup_.
Definition: gnunet_common.h:1425
GNUNET_strndup
#define GNUNET_strndup(a, length)
Wrapper around GNUNET_xstrndup_.
Definition: gnunet_common.h:1437
GNUNET_RECLAIM_presentation_list_deserialize
struct GNUNET_RECLAIM_PresentationList * GNUNET_RECLAIM_presentation_list_deserialize(const char *data, size_t data_size)
Deserialize a presentation list.
Definition: reclaim_credential.c:732
GNUNET_RECLAIM_attribute_list_deserialize
struct GNUNET_RECLAIM_AttributeList * GNUNET_RECLAIM_attribute_list_deserialize(const char *data, size_t data_size)
Deserialize an attribute list.
Definition: reclaim_attribute.c:351
GNUNET_STRINGS_base64url_decode
size_t GNUNET_STRINGS_base64url_decode(const char *data, size_t len, void **out)
Decode from Base64url.
Definition: strings.c:1759
check_code_challenge
static enum GNUNET_GenericReturnValue check_code_challenge(const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
Definition: oidc_helper.c:697
GNUNET_CRYPTO_PublicKey
An identity key as per LSD0001.
Definition: gnunet_crypto_lib.h:427
OIDC_Parameters::ticket
struct GNUNET_RECLAIM_Ticket ticket
The reclaim ticket.
Definition: oidc_helper.c:50

References OIDC_Parameters::attr_list_len, check_code_challenge(), OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_asprintf(), GNUNET_CRYPTO_signature_verify_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_GNS_parse_ztld(), GNUNET_log, GNUNET_OK, GNUNET_RECLAIM_attribute_list_deserialize(), GNUNET_RECLAIM_presentation_list_deserialize(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_strdup, GNUNET_STRINGS_base64url_decode(), GNUNET_strndup, GNUNET_SYSERR, OIDC_Parameters::nonce_len, OIDC_VERIFICATION_NO_CODE_VERIFIER, gnunet-chk::opts, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_EccSignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by consume_fail(), and token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_token_response()

void OIDC_build_token_response ( const char *  access_token,
const char *  id_token,
const struct GNUNET_TIME_Relative expiration_time,
char **  token_response 
)

Build a token response for a token request TODO: Maybe we should add the scope here?

Parameters
access_tokenthe access token to include
id_tokenthe id_token to include
expiration_timethe expiration time of the token(s)
token_responsewhere to store the response

Definition at line 873 of file oidc_helper.c.

877{
878 json_t *root_json;
879
880 root_json = json_object ();
881
882 GNUNET_assert (NULL != access_token);
883 GNUNET_assert (NULL != id_token);
884 GNUNET_assert (NULL != expiration_time);
885 json_object_set_new (root_json, "access_token", json_string (access_token));
886 json_object_set_new (root_json, "token_type", json_string ("Bearer"));
887 json_object_set_new (root_json,
888 "expires_in",
889 json_integer (expiration_time->rel_value_us
890 / (1000 * 1000)));
891 json_object_set_new (root_json, "id_token", json_string (id_token));
892 *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT);
893 json_decref (root_json);
894}
GNUNET_TIME_Relative::rel_value_us
uint64_t rel_value_us
The actual value.
Definition: gnunet_time_lib.h:84

References GNUNET_assert, and GNUNET_TIME_Relative::rel_value_us.

Referenced by token_endpoint().

Here is the caller graph for this function:

◆ OIDC_access_token_new()

char * OIDC_access_token_new ( const struct GNUNET_RECLAIM_Ticket ticket,
const char *  rp_uri 
)

Generate a new access token.

Definition at line 901 of file oidc_helper.c.

903{
904 char *access_token;
905 char *tkt_b64;
906
907 GNUNET_STRINGS_base64_encode (ticket,
908 sizeof(*ticket),
909 &tkt_b64);
910 GNUNET_asprintf (&access_token, "%s-%s", tkt_b64, rp_uri);
911 GNUNET_free (tkt_b64);
912 return access_token;
913}
GNUNET_STRINGS_base64_encode
size_t GNUNET_STRINGS_base64_encode(const void *in, size_t len, char **output)
Encode into Base64.
Definition: strings.c:1599

References GNUNET_asprintf(), GNUNET_free, GNUNET_STRINGS_base64_encode(), and ticket.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_access_token_parse()

int OIDC_access_token_parse ( const char *  token,
struct GNUNET_RECLAIM_Ticket **  ticket,
char **  rp_uri 
)

Parse an access token.

Definition at line 920 of file oidc_helper.c.

923{
924 size_t sret;
925 char *decoded;
926 char *tmp;
927 char *tkt_str;
928 char *rp_uri_str;
929 tmp = GNUNET_strdup (token);
930 tkt_str = strtok (tmp, "-");
931 GNUNET_assert (NULL != tkt_str); // FIXME handle
932 rp_uri_str = strtok (NULL, "-");
933 GNUNET_assert (NULL != rp_uri_str); // FIXME handle
934 sret = GNUNET_STRINGS_base64_decode (tkt_str,
935 strlen (tkt_str),
936 (void**) &decoded);
937 if (sizeof (struct GNUNET_RECLAIM_Ticket) != sret)
938 {
939 GNUNET_free (decoded);
940 GNUNET_free (tmp);
941 return GNUNET_SYSERR;
942 }
943 *ticket = (struct GNUNET_RECLAIM_Ticket *) decoded;
944 *rp_uri = GNUNET_strdup (rp_uri_str);
945 GNUNET_free (tmp);
946 return GNUNET_OK;
947}
GNUNET_STRINGS_base64_decode
size_t GNUNET_STRINGS_base64_decode(const char *data, size_t len, void **output)
Decode from Base64.
Definition: strings.c:1701
GNUNET_RECLAIM_Ticket
The authorization ticket.
Definition: gnunet_reclaim_service.h:76

References GNUNET_assert, GNUNET_free, GNUNET_OK, GNUNET_strdup, GNUNET_STRINGS_base64_decode(), GNUNET_SYSERR, and ticket.

Referenced by userinfo_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_check_scopes_for_claim_request()

enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request ( const char *  scopes,
const char *  attr 
)

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

attribute matches requested scope

Definition at line 959 of file oidc_helper.c.

961{
962 char *scope_variables;
963 char *scope_variable;
964 char delimiter[] = " ";
965 int i;
966
967 scope_variables = GNUNET_strdup (scopes);
968 scope_variable = strtok (scope_variables, delimiter);
969 while (NULL != scope_variable)
970 {
971 if (0 == strcmp ("profile", scope_variable))
972 {
973 for (i = 0; i < 14; i++)
974 {
975 if (0 == strcmp (attr, OIDC_profile_claims[i]))
976 {
977 GNUNET_free (scope_variables);
978 return GNUNET_YES;
979 }
980 }
981 }
982 else if (0 == strcmp ("address", scope_variable))
983 {
984 for (i = 0; i < 5; i++)
985 {
986 if (0 == strcmp (attr, OIDC_address_claims[i]))
987 {
988 GNUNET_free (scope_variables);
989 return GNUNET_YES;
990 }
991 }
992 }
993 else if (0 == strcmp ("email", scope_variable))
994 {
995 for (i = 0; i < 2; i++)
996 {
997 if (0 == strcmp (attr, OIDC_email_claims[i]))
998 {
999 GNUNET_free (scope_variables);
1000 return GNUNET_YES;
1001 }
1002 }
1003 }
1004 else if (0 == strcmp ("phone", scope_variable))
1005 {
1006 for (i = 0; i < 2; i++)
1007 {
1008 if (0 == strcmp (attr, OIDC_phone_claims[i]))
1009 {
1010 GNUNET_free (scope_variables);
1011 return GNUNET_YES;
1012 }
1013 }
1014
1015 }
1016 else if (0 == strcmp (attr, scope_variable))
1017 {
1019 GNUNET_free (scope_variables);
1020 return GNUNET_YES;
1021 }
1022 scope_variable = strtok (NULL, delimiter);
1023 }
1024 GNUNET_free (scope_variables);
1025 return GNUNET_NO;
1026
1027}
GNUNET_YES
@ GNUNET_YES
Definition: gnunet_common.h:113
GNUNET_NO
@ GNUNET_NO
Definition: gnunet_common.h:110
OIDC_email_claims
static char OIDC_email_claims[2][16]
Standard claims represented by the "email" scope in OIDC.
Definition: oidc_helper.c:87
OIDC_address_claims
static char OIDC_address_claims[5][32]
Standard claims represented by the "address" scope in OIDC.
Definition: oidc_helper.c:101
OIDC_phone_claims
static char OIDC_phone_claims[2][32]
Standard claims represented by the "phone" scope in OIDC.
Definition: oidc_helper.c:94
OIDC_profile_claims
static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
Standard claims represented by the "profile" scope in OIDC.
Definition: oidc_helper.c:78

References GNUNET_free, GNUNET_NO, GNUNET_strdup, GNUNET_YES, OIDC_address_claims, OIDC_email_claims, OIDC_phone_claims, and OIDC_profile_claims.

Referenced by attr_in_claims_request().

Here is the caller graph for this function:

◆ OIDC_generate_userinfo()

char * OIDC_generate_userinfo ( const struct GNUNET_CRYPTO_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations 
)

Generate userinfo JSON as string.

Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list
Returns
Userinfo JSON
Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list (may be empty)
Returns
Userinfo JSON

Definition at line 348 of file oidc_helper.c.

352{
353 char *body_str;
354 json_t*body = generate_userinfo_json (sub_key,
355 attrs,
356 presentations);
357 body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
358 json_decref (body);
359 return body_str;
360}
generate_userinfo_json
static json_t * generate_userinfo_json(const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Definition: oidc_helper.c:162

References generate_userinfo_json().

Referenced by consume_fail(), and consume_ticket().

Here is the call graph for this function:
Here is the caller graph for this function: