GNUnet debian-0.26.1
 
Loading...
Searching...
No Matches
Macros | Enumerations | Functions
oidc_helper.h File Reference
#include "gnunet_util_lib.h"
#include "gnunet_reclaim_service.h"
Include dependency graph for oidc_helper.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define JWT_ALG   "alg"
 
#define JWT_TYP   "typ"
 
#define JWT_TYP_VALUE   "jwt"
 
#define JWT_ALG_VALUE_HMAC   "HS512"
 
#define JWT_ALG_VALUE_RSA   "RS256"
 
#define SERVER_ADDRESS   "http://localhost:7776"
 

Enumerations

enum  OIDC_VerificationOptions { OIDC_VERIFICATION_DEFAULT = 0 , OIDC_VERIFICATION_NO_CODE_VERIFIER = 1 }
 

Functions

char * OIDC_generate_id_token_rsa (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const json_t *secret_rsa_key)
 Create a JWT using RSA256 algorithm from attributes.
 
char * OIDC_generate_id_token_hmac (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const char *secret_key)
 Create a JWT using HMAC (HS256) from attributes.
 
char * OIDC_build_authz_code (const struct GNUNET_CRYPTO_BlindablePrivateKey *issuer, const struct GNUNET_RECLAIM_Ticket *ticket, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const char *nonce, const char *code_challenge)
 Builds an OIDC authorization code including a reclaim ticket and nonce.
 
int OIDC_parse_authz_code (const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *cid, const char *code, const char *code_verifier, struct GNUNET_RECLAIM_Ticket *ticket, struct GNUNET_RECLAIM_AttributeList **attrs, struct GNUNET_RECLAIM_PresentationList **presentations, char **nonce, enum OIDC_VerificationOptions opts, char **emsg)
 Parse reclaim ticket and nonce from authorization code.
 
void OIDC_build_token_response (const char *access_token, const char *id_token, const struct GNUNET_TIME_Relative *expiration_time, char **token_response)
 Build a token response for a token request TODO: Maybe we should add the scope here?
 
char * OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket, const char *rp_uri)
 Generate a new access token.
 
int OIDC_access_token_parse (const char *token, struct GNUNET_RECLAIM_Ticket **ticket, char **rp_uri)
 Parse an access token.
 
enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request (const char *scopes, const char *attr)
 Checks if a claim is implicitly requested through standard scope(s)
 
char * OIDC_generate_userinfo (const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
 Generate userinfo JSON as string.
 

Macro Definition Documentation

◆ JWT_ALG

#define JWT_ALG   "alg"

Definition at line 32 of file oidc_helper.h.

◆ JWT_TYP

#define JWT_TYP   "typ"

Definition at line 33 of file oidc_helper.h.

◆ JWT_TYP_VALUE

#define JWT_TYP_VALUE   "jwt"

Definition at line 34 of file oidc_helper.h.

◆ JWT_ALG_VALUE_HMAC

#define JWT_ALG_VALUE_HMAC   "HS512"

Definition at line 36 of file oidc_helper.h.

◆ JWT_ALG_VALUE_RSA

#define JWT_ALG_VALUE_RSA   "RS256"

Definition at line 37 of file oidc_helper.h.

◆ SERVER_ADDRESS

#define SERVER_ADDRESS   "http://localhost:7776"

Definition at line 39 of file oidc_helper.h.

Enumeration Type Documentation

◆ OIDC_VerificationOptions

enum OIDC_VerificationOptions
Enumerator
OIDC_VERIFICATION_DEFAULT 

Strict verification.

OIDC_VERIFICATION_NO_CODE_VERIFIER 

Do not check code verifier even if expected.

Definition at line 41 of file oidc_helper.h.

42{
46 OIDC_VERIFICATION_DEFAULT = 0,
47
51 OIDC_VERIFICATION_NO_CODE_VERIFIER = 1
52};
OIDC_VERIFICATION_NO_CODE_VERIFIER
@ OIDC_VERIFICATION_NO_CODE_VERIFIER
Do not check code verifier even if expected.
Definition oidc_helper.h:51
OIDC_VERIFICATION_DEFAULT
@ OIDC_VERIFICATION_DEFAULT
Strict verification.
Definition oidc_helper.h:46

Function Documentation

◆ OIDC_generate_id_token_rsa()

char * OIDC_generate_id_token_rsa ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const json_t *  secret_rsa_key 
)

Create a JWT using RSA256 algorithm from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_rsa_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Definition at line 417 of file oidc_helper.c.

426{
427 json_t *jws;
428 char *body_str;
429 char *result;
430
431 // Generate the body of the JSON Web Signature
432 body_str = generate_id_token_body (rp_uri,
433 sub_key,
434 attrs,
435 presentations,
436 expiration_time,
437 nonce);
438
439 if (NULL == body_str)
440 {
441 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
442 "Body for the JWS could not be generated\n");
443 return NULL;
444 }
445
446 // Creating the JSON Web Signature.
447 jws = json_pack ("{s:o}", "payload",
448 jose_b64_enc (body_str, strlen (body_str)));
449 GNUNET_free (body_str);
450
451 if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
452 {
453 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
454 "Signature generation failed\n");
455 return NULL;
456 }
457
458 // Encoding JSON as compact JSON Web Signature
459 GNUNET_asprintf (&result, "%s.%s.%s",
460 json_string_value (json_object_get (jws, "protected")),
461 json_string_value (json_object_get (jws, "payload")),
462 json_string_value (json_object_get (jws, "signature")) );
463
464 json_decref (jws);
465 return result;
466}
result
static int result
Global testing status.
Definition gnunet-regex-profiler.c:240
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:417
GNUNET_asprintf
int int GNUNET_asprintf(char **buf, const char *format,...) __attribute__((format(printf
Like asprintf, just portable.
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition gnunet_common.h:1415
generate_id_token_body
static char * generate_id_token_body(const char *rp_uri, const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
Definition oidc_helper.c:358

References generate_id_token_body(), GNUNET_asprintf(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_id_token_hmac()

char * OIDC_generate_id_token_hmac ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const char *  secret_key 
)

Create a JWT using HMAC (HS256) from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Creating the JWT signature. This might not be standards compliant, check.

Definition at line 470 of file oidc_helper.c.

479{
480 struct GNUNET_HashCode signature;
481 char *header;
482 char *header_base64;
483 char *body_str;
484 char *body_base64;
485 char *signature_target;
486 char *signature_base64;
487 char *result;
488
489 // Generate and encode Header
490 header = create_jwt_hmac_header ();
491 if (NULL == header)
492 {
493 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
494 "Header for the JWS could not be generated\n");
495 return NULL;
496 }
497 GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
498 GNUNET_free (header);
499 fix_base64 (header_base64);
500
501 // Generate and encode the body of the JSON Web Signature
502 body_str = generate_id_token_body (rp_uri,
503 sub_key,
504 attrs,
505 presentations,
506 expiration_time,
507 nonce);
508
509 if (NULL == body_str)
510 {
511 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
512 "Body for the JWS could not be generated\n");
513 GNUNET_free (header_base64);
514 return NULL;
515 }
516
517 GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
518 fix_base64 (body_base64);
519
524 GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
525 GNUNET_CRYPTO_hmac_raw (secret_key,
526 strlen (secret_key),
527 signature_target,
528 strlen (signature_target),
529 &signature);
530 GNUNET_STRINGS_base64url_encode ((const char *) &signature,
531 sizeof(struct GNUNET_HashCode),
532 &signature_base64);
533 fix_base64 (signature_base64);
534
535 GNUNET_asprintf (&result,
536 "%s.%s.%s",
537 header_base64,
538 body_base64,
539 signature_base64);
540
541 GNUNET_free (header_base64);
542 GNUNET_free (body_str);
543 GNUNET_free (body_base64);
544 GNUNET_free (signature_target);
545 GNUNET_free (signature_base64);
546 return result;
547}
GNUNET_CRYPTO_hmac_raw
void GNUNET_CRYPTO_hmac_raw(const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac)
Calculate HMAC of a message (RFC 2104) TODO: Shouldn't this be the standard hmac function and the abo...
Definition crypto_hash.c:297
GNUNET_STRINGS_base64url_encode
size_t GNUNET_STRINGS_base64url_encode(const void *in, size_t len, char **output)
Encode into Base64url.
Definition strings.c:1667
fix_base64
static void fix_base64(char *str)
Definition oidc_helper.c:151
create_jwt_hmac_header
static char * create_jwt_hmac_header(void)
Definition oidc_helper.c:121
GNUNET_HashCode
A 512-bit hashcode.
Definition gnunet_common.h:287

References create_jwt_hmac_header(), fix_base64(), generate_id_token_body(), GNUNET_asprintf(), GNUNET_CRYPTO_hmac_raw(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_STRINGS_base64url_encode(), and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_authz_code()

char * OIDC_build_authz_code ( const struct GNUNET_CRYPTO_BlindablePrivateKey issuer,
const struct GNUNET_RECLAIM_Ticket ticket,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const char *  nonce_str,
const char *  code_challenge 
)

Builds an OIDC authorization code including a reclaim ticket and nonce.

Parameters
issuerthe issuer
ticketthe ticket to include in the code
attrslist of attributes to share
presentationscredential presentation list
noncethe nonce to include in the code
code_challengePKCE code challenge
optsverification options
Returns
a new authorization code (caller must free)
Parameters
issuerthe issuer of the ticket, used to sign the ticket and nonce
ticketthe ticket to include in the code
attrslist of attributes which are shared
presentationscredential presentation list (may be empty)
noncethe nonce to include in the code
code_challengePKCE code challenge
Returns
a new authorization code (caller must free)

PLAINTEXT

END

Definition at line 563 of file oidc_helper.c.

570{
571 struct OIDC_Parameters params;
572 char *code_payload;
573 char *payload;
574 char *tmp;
575 char *code_str;
576 char *buf_ptr = NULL;
577 size_t payload_len;
578 size_t code_payload_len;
579 size_t attr_list_len = 0;
580 size_t pres_list_len = 0;
581 size_t code_challenge_len = 0;
582 uint32_t nonce_len = 0;
583 struct GNUNET_CRYPTO_SignaturePurpose *purpose;
584
586 // Assign ticket
587 memset (&params, 0, sizeof(params));
588 memcpy (params.ticket.gns_name, ticket->gns_name, strlen (ticket->gns_name)
589 + 1);
590 // Assign nonce
591 payload_len = sizeof(struct OIDC_Parameters);
592 if ((NULL != nonce_str) && (strcmp ("", nonce_str) != 0))
593 {
594 nonce_len = strlen (nonce_str);
595 payload_len += nonce_len;
596 }
597 params.nonce_len = htonl (nonce_len);
598 // Assign code challenge
599 if (NULL != code_challenge)
600 code_challenge_len = strlen (code_challenge);
601 payload_len += code_challenge_len;
602 params.code_challenge_len = htonl (code_challenge_len);
603 // Assign attributes
604 if (NULL != attrs)
605 {
606 // Get length
607 attr_list_len = GNUNET_RECLAIM_attribute_list_serialize_get_size (attrs);
608 params.attr_list_len = htonl (attr_list_len);
609 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
610 "Length of serialized attributes: %lu\n",
611 attr_list_len);
612 // Get serialized attributes
613 payload_len += attr_list_len;
614 }
615 if (NULL != presentations)
616 {
617 // Get length
618 // FIXME only add presentations relevant for attribute list!!!
619 // This is important because of the distinction between id_token and
620 // userinfo in OIDC
621 pres_list_len =
622 GNUNET_RECLAIM_presentation_list_serialize_get_size (presentations);
623 params.pres_list_len = htonl (pres_list_len);
624 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
625 "Length of serialized presentations: %lu\n",
626 pres_list_len);
627 // Get serialized attributes
628 payload_len += pres_list_len;
629 }
630
631 // Get plaintext length
632 payload = GNUNET_malloc (payload_len);
633 memcpy (payload, &params, sizeof(params));
634 tmp = payload + sizeof(params);
635 if (0 < code_challenge_len)
636 {
637 memcpy (tmp, code_challenge, code_challenge_len);
638 tmp += code_challenge_len;
639 }
640 if (0 < nonce_len)
641 {
642 memcpy (tmp, nonce_str, nonce_len);
643 tmp += nonce_len;
644 }
645 if (0 < attr_list_len)
646 GNUNET_RECLAIM_attribute_list_serialize (attrs, tmp);
647 tmp += attr_list_len;
648 if (0 < pres_list_len)
649 GNUNET_RECLAIM_presentation_list_serialize (presentations, tmp);
650 tmp += pres_list_len;
651
654 // Get length
655 code_payload_len = sizeof(struct GNUNET_CRYPTO_SignaturePurpose)
656 + payload_len + sizeof(struct
657 GNUNET_CRYPTO_BlindableKeySignature)
658 ;
659 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
660 "Length of data to encode: %lu\n",
661 code_payload_len);
662
663 // Initialize code payload
664 code_payload = GNUNET_malloc (code_payload_len);
665 GNUNET_assert (NULL != code_payload);
666 purpose = (struct GNUNET_CRYPTO_SignaturePurpose *) code_payload;
667 purpose->size = htonl (sizeof(struct GNUNET_CRYPTO_SignaturePurpose)
668 + payload_len);
669 purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN);
670 // Store pubkey
671 buf_ptr = (char *) &purpose[1];
672 memcpy (buf_ptr, payload, payload_len);
673 GNUNET_free (payload);
674 buf_ptr += payload_len;
675 // Sign and store signature
676 if (GNUNET_SYSERR ==
677 GNUNET_CRYPTO_blinded_key_sign_ (issuer,
678 purpose,
679 (struct
680 GNUNET_CRYPTO_BlindableKeySignature *)
681 buf_ptr))
682 {
683 GNUNET_break (0);
684 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
685 GNUNET_free (code_payload);
686 return NULL;
687 }
688 GNUNET_STRINGS_base64url_encode (code_payload, code_payload_len, &code_str);
689 GNUNET_free (code_payload);
690 return code_str;
691}
ticket
static struct GNUNET_RECLAIM_Ticket ticket
Ticket to consume.
Definition gnunet-reclaim.c:164
payload
static unsigned long long payload
How much data are we currently storing in the database?
Definition gnunet-service-datastore.c:183
GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
Signature for a GNUid Ticket (Reclaim)
Definition gnunet_signatures.h:172
GNUNET_CRYPTO_blinded_key_sign_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_blinded_key_sign_(const struct GNUNET_CRYPTO_BlindablePrivateKey *priv, const struct GNUNET_CRYPTO_SignaturePurpose *purpose, struct GNUNET_CRYPTO_BlindableKeySignature *sig)
Sign a given block.
Definition crypto_pkey.c:300
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition gnunet_common.h:960
GNUNET_break
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
Definition gnunet_common.h:1045
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition gnunet_common.h:424
GNUNET_malloc
#define GNUNET_malloc(size)
Wrapper around malloc.
Definition gnunet_common.h:1355
GNUNET_RECLAIM_attribute_list_serialize
size_t GNUNET_RECLAIM_attribute_list_serialize(const struct GNUNET_RECLAIM_AttributeList *attrs, char *result)
Serialize an attribute list.
Definition reclaim_attribute.c:322
GNUNET_RECLAIM_presentation_list_serialize
size_t GNUNET_RECLAIM_presentation_list_serialize(const struct GNUNET_RECLAIM_PresentationList *presentations, char *result)
Serialize a presentation list.
Definition reclaim_credential.c:703
GNUNET_RECLAIM_presentation_list_serialize_get_size
size_t GNUNET_RECLAIM_presentation_list_serialize_get_size(const struct GNUNET_RECLAIM_PresentationList *presentations)
Get required size for serialization buffer.
Definition reclaim_credential.c:687
GNUNET_RECLAIM_attribute_list_serialize_get_size
size_t GNUNET_RECLAIM_attribute_list_serialize_get_size(const struct GNUNET_RECLAIM_AttributeList *attrs)
Get required size for serialization buffer.
Definition reclaim_attribute.c:306
GNUNET_CRYPTO_BlindableKeySignature
An identity signature as per LSD0001.
Definition gnunet_crypto_lib.h:498
GNUNET_CRYPTO_SignaturePurpose
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
Definition gnunet_crypto_lib.h:142
GNUNET_CRYPTO_SignaturePurpose::purpose
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Definition gnunet_crypto_lib.h:156
GNUNET_RECLAIM_Ticket::gns_name
char gns_name[63 *2+2]
The ticket.
Definition gnunet_reclaim_service.h:83
OIDC_Parameters
The signature used to generate the authorization code.
Definition oidc_helper.c:46
OIDC_Parameters::pres_list_len
uint32_t pres_list_len
The length of the presentation list.
Definition oidc_helper.c:70
OIDC_Parameters::nonce_len
uint32_t nonce_len
The nonce length.
Definition oidc_helper.c:55
OIDC_Parameters::attr_list_len
uint32_t attr_list_len
The length of the attributes list.
Definition oidc_helper.c:65
OIDC_Parameters::code_challenge_len
uint32_t code_challenge_len
The length of the PKCE code_challenge.
Definition oidc_helper.c:60

References OIDC_Parameters::attr_list_len, OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_assert, GNUNET_break, GNUNET_CRYPTO_blinded_key_sign_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_malloc, GNUNET_RECLAIM_attribute_list_serialize(), GNUNET_RECLAIM_attribute_list_serialize_get_size(), GNUNET_RECLAIM_presentation_list_serialize(), GNUNET_RECLAIM_presentation_list_serialize_get_size(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_STRINGS_base64url_encode(), GNUNET_SYSERR, OIDC_Parameters::nonce_len, payload, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_SignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by oidc_ticket_issue_cb().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_parse_authz_code()

int OIDC_parse_authz_code ( const char *  rp_uri,
const struct GNUNET_CRYPTO_BlindablePublicKey cid,
const char *  code,
const char *  code_verifier,
struct GNUNET_RECLAIM_Ticket ticket,
struct GNUNET_RECLAIM_AttributeList **  attrs,
struct GNUNET_RECLAIM_PresentationList **  presentations,
char **  nonce_str,
enum OIDC_VerificationOptions  opts,
char **  emsg 
)

Parse reclaim ticket and nonce from authorization code.

This also verifies the signature in the code.

Parameters
rp_urithe RP URI
codethe string representation of the code
code_verfierPKCE code verifier
ticketwhere to store the ticket
attrsthe attributes found in the code
presentationscredential presentation list
noncewhere to store the nonce
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

This also verifies the signature in the code.

Parameters
audiencethe expected audience of the code
codethe string representation of the code
code_verfierPKCE code verifier. Optional, must be provided if used in request.
ticketwhere to store the ticket
attrsthe attributes in the code
presentationscredential presentation list
nonce_strwhere to store the nonce (if contained)
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

Definition at line 752 of file oidc_helper.c.

761{
762 char *code_payload;
763 char *ptr;
764 char *plaintext;
765 char *attrs_ser;
766 char *presentations_ser;
767 char *code_challenge;
768 struct GNUNET_CRYPTO_SignaturePurpose *purpose;
769 struct GNUNET_CRYPTO_BlindableKeySignature *signature;
770 struct GNUNET_CRYPTO_BlindablePublicKey iss;
771 uint32_t code_challenge_len;
772 uint32_t attrs_ser_len;
773 uint32_t pres_ser_len;
774 size_t plaintext_len;
775 size_t code_payload_len;
776 uint32_t nonce_len = 0;
777 struct OIDC_Parameters *params;
778
779
780 GNUNET_GNS_parse_ztld (ticket->gns_name, &iss);
781 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code);
782 code_payload = NULL;
783 code_payload_len =
784 GNUNET_STRINGS_base64url_decode (code, strlen (code),
785 (void **) &code_payload);
786 if (code_payload_len < sizeof(struct GNUNET_CRYPTO_SignaturePurpose)
787 + sizeof(struct OIDC_Parameters)
788 + sizeof(struct GNUNET_CRYPTO_BlindableKeySignature))
789 {
790 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
791 GNUNET_free (code_payload);
792 return GNUNET_SYSERR;
793 }
794
795 purpose = (struct GNUNET_CRYPTO_SignaturePurpose *) code_payload;
796 plaintext_len = code_payload_len;
797 plaintext_len -= sizeof(struct GNUNET_CRYPTO_SignaturePurpose);
798 ptr = (char *) &purpose[1];
799 plaintext_len -= sizeof(struct GNUNET_CRYPTO_BlindableKeySignature);
800 plaintext = ptr;
801 ptr += plaintext_len;
802 signature = (struct GNUNET_CRYPTO_BlindableKeySignature *) ptr;
803 params = (struct OIDC_Parameters *) plaintext;
804
805 // cmp code_challenge code_verifier
806 code_challenge_len = ntohl (params->code_challenge_len);
807 code_challenge = ((char *) &params[1]);
808 if (! (opts & OIDC_VERIFICATION_NO_CODE_VERIFIER))
809 {
810 if (GNUNET_OK != check_code_challenge (code_challenge,
811 code_challenge_len,
812 code_verifier))
813 {
814 GNUNET_asprintf (emsg, "Code verifier `%s' invalid for challenge `%s'",
815 code_verifier, code_challenge);
816 GNUNET_free (code_payload);
817 return GNUNET_SYSERR;
818 }
819 }
820 nonce_len = ntohl (params->nonce_len);
821 if (0 != nonce_len)
822 {
823 *nonce_str = GNUNET_strndup (code_challenge + code_challenge_len,
824 nonce_len);
825 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %s\n", *nonce_str);
826 }
827
828 // Ticket
829 memcpy (ticket, &params->ticket, sizeof(params->ticket));
830 // Signature
831 // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
832 if (GNUNET_OK !=
833 GNUNET_CRYPTO_blinded_key_signature_verify_ (
834 GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
835 purpose,
836 signature,
837 &iss))
838 {
839 GNUNET_free (code_payload);
840 if (NULL != *nonce_str)
841 GNUNET_free (*nonce_str);
842 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n");
843 *emsg = GNUNET_strdup ("Signature verification failed");
844 return GNUNET_SYSERR;
845 }
846 // Attributes
847 attrs_ser = ((char *) &params[1]) + code_challenge_len + nonce_len;
848 attrs_ser_len = ntohl (params->attr_list_len);
849 *attrs = GNUNET_RECLAIM_attribute_list_deserialize (attrs_ser, attrs_ser_len);
850 presentations_ser = ((char*) attrs_ser) + attrs_ser_len;
851 pres_ser_len = ntohl (params->pres_list_len);
852 *presentations =
853 GNUNET_RECLAIM_presentation_list_deserialize (presentations_ser,
854 pres_ser_len);
855
856 GNUNET_free (code_payload);
857 return GNUNET_OK;
858}
GNUNET_GNS_parse_ztld
enum GNUNET_GenericReturnValue GNUNET_GNS_parse_ztld(const char *name, struct GNUNET_CRYPTO_BlindablePublicKey *ztld_key)
Try to parse the zTLD into a public key.
Definition gns_tld_api.c:228
GNUNET_CRYPTO_blinded_key_signature_verify_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_blinded_key_signature_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_SignaturePurpose *validate, const struct GNUNET_CRYPTO_BlindableKeySignature *sig, const struct GNUNET_CRYPTO_BlindablePublicKey *pub)
Verify a given signature.
Definition crypto_pkey.c:327
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114
GNUNET_strdup
#define GNUNET_strdup(a)
Wrapper around GNUNET_xstrdup_.
Definition gnunet_common.h:1429
GNUNET_strndup
#define GNUNET_strndup(a, length)
Wrapper around GNUNET_xstrndup_.
Definition gnunet_common.h:1441
GNUNET_RECLAIM_presentation_list_deserialize
struct GNUNET_RECLAIM_PresentationList * GNUNET_RECLAIM_presentation_list_deserialize(const char *data, size_t data_size)
Deserialize a presentation list.
Definition reclaim_credential.c:732
GNUNET_RECLAIM_attribute_list_deserialize
struct GNUNET_RECLAIM_AttributeList * GNUNET_RECLAIM_attribute_list_deserialize(const char *data, size_t data_size)
Deserialize an attribute list.
Definition reclaim_attribute.c:351
GNUNET_STRINGS_base64url_decode
size_t GNUNET_STRINGS_base64url_decode(const char *data, size_t len, void **out)
Decode from Base64url.
Definition strings.c:1778
check_code_challenge
static enum GNUNET_GenericReturnValue check_code_challenge(const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
Definition oidc_helper.c:695
GNUNET_CRYPTO_BlindablePublicKey
An identity key as per LSD0001.
Definition gnunet_crypto_lib.h:427
OIDC_Parameters::ticket
struct GNUNET_RECLAIM_Ticket ticket
The reclaim ticket.
Definition oidc_helper.c:50

References OIDC_Parameters::attr_list_len, check_code_challenge(), OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_asprintf(), GNUNET_CRYPTO_blinded_key_signature_verify_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_GNS_parse_ztld(), GNUNET_log, GNUNET_OK, GNUNET_RECLAIM_attribute_list_deserialize(), GNUNET_RECLAIM_presentation_list_deserialize(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_strdup, GNUNET_STRINGS_base64url_decode(), GNUNET_strndup, GNUNET_SYSERR, OIDC_Parameters::nonce_len, OIDC_VERIFICATION_NO_CODE_VERIFIER, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_SignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by consume_fail(), and token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_token_response()

void OIDC_build_token_response ( const char *  access_token,
const char *  id_token,
const struct GNUNET_TIME_Relative expiration_time,
char **  token_response 
)

Build a token response for a token request TODO: Maybe we should add the scope here?

Parameters
access_tokenthe access token to include
id_tokenthe id_token to include
expiration_timethe expiration time of the token(s)
token_responsewhere to store the response

Definition at line 871 of file oidc_helper.c.

875{
876 json_t *root_json;
877
878 root_json = json_object ();
879
880 GNUNET_assert (NULL != access_token);
881 GNUNET_assert (NULL != id_token);
882 GNUNET_assert (NULL != expiration_time);
883 json_object_set_new (root_json, "access_token", json_string (access_token));
884 json_object_set_new (root_json, "token_type", json_string ("Bearer"));
885 json_object_set_new (root_json,
886 "expires_in",
887 json_integer (expiration_time->rel_value_us
888 / (1000 * 1000)));
889 json_object_set_new (root_json, "id_token", json_string (id_token));
890 *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT);
891 json_decref (root_json);
892}
GNUNET_TIME_Relative::rel_value_us
uint64_t rel_value_us
The actual value.
Definition gnunet_time_lib.h:84

References GNUNET_assert, and GNUNET_TIME_Relative::rel_value_us.

Referenced by token_endpoint().

Here is the caller graph for this function:

◆ OIDC_access_token_new()

char * OIDC_access_token_new ( const struct GNUNET_RECLAIM_Ticket ticket,
const char *  rp_uri 
)

Generate a new access token.

Definition at line 899 of file oidc_helper.c.

901{
902 char *access_token;
903 char *tkt_b64;
904
905 GNUNET_STRINGS_base64_encode (ticket,
906 sizeof(*ticket),
907 &tkt_b64);
908 GNUNET_asprintf (&access_token, "%s-%s", tkt_b64, rp_uri);
909 GNUNET_free (tkt_b64);
910 return access_token;
911}
GNUNET_STRINGS_base64_encode
size_t GNUNET_STRINGS_base64_encode(const void *in, size_t len, char **output)
Encode into Base64.
Definition strings.c:1618

References GNUNET_asprintf(), GNUNET_free, GNUNET_STRINGS_base64_encode(), and ticket.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_access_token_parse()

int OIDC_access_token_parse ( const char *  token,
struct GNUNET_RECLAIM_Ticket **  ticket,
char **  rp_uri 
)

Parse an access token.

Definition at line 918 of file oidc_helper.c.

921{
922 size_t sret;
923 char *decoded;
924 char *tmp;
925 char *tkt_str;
926 char *rp_uri_str;
927 tmp = GNUNET_strdup (token);
928 tkt_str = strtok (tmp, "-");
929 GNUNET_assert (NULL != tkt_str); // FIXME handle
930 rp_uri_str = strtok (NULL, "-");
931 GNUNET_assert (NULL != rp_uri_str); // FIXME handle
932 sret = GNUNET_STRINGS_base64_decode (tkt_str,
933 strlen (tkt_str),
934 (void**) &decoded);
935 if (sizeof (struct GNUNET_RECLAIM_Ticket) != sret)
936 {
937 GNUNET_free (decoded);
938 GNUNET_free (tmp);
939 return GNUNET_SYSERR;
940 }
941 *ticket = (struct GNUNET_RECLAIM_Ticket *) decoded;
942 *rp_uri = GNUNET_strdup (rp_uri_str);
943 GNUNET_free (tmp);
944 return GNUNET_OK;
945}
GNUNET_STRINGS_base64_decode
size_t GNUNET_STRINGS_base64_decode(const char *data, size_t len, void **output)
Decode from Base64.
Definition strings.c:1720
GNUNET_RECLAIM_Ticket
The authorization ticket.
Definition gnunet_reclaim_service.h:76

References GNUNET_assert, GNUNET_free, GNUNET_OK, GNUNET_strdup, GNUNET_STRINGS_base64_decode(), GNUNET_SYSERR, and ticket.

Referenced by userinfo_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_check_scopes_for_claim_request()

enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request ( const char *  scopes,
const char *  attr 
)

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

attribute matches requested scope

Definition at line 957 of file oidc_helper.c.

959{
960 char *scope_variables;
961 char *scope_variable;
962 char delimiter[] = " ";
963 int i;
964
965 scope_variables = GNUNET_strdup (scopes);
966 scope_variable = strtok (scope_variables, delimiter);
967 while (NULL != scope_variable)
968 {
969 if (0 == strcmp ("profile", scope_variable))
970 {
971 for (i = 0; i < 14; i++)
972 {
973 if (0 == strcmp (attr, OIDC_profile_claims[i]))
974 {
975 GNUNET_free (scope_variables);
976 return GNUNET_YES;
977 }
978 }
979 }
980 else if (0 == strcmp ("address", scope_variable))
981 {
982 for (i = 0; i < 5; i++)
983 {
984 if (0 == strcmp (attr, OIDC_address_claims[i]))
985 {
986 GNUNET_free (scope_variables);
987 return GNUNET_YES;
988 }
989 }
990 }
991 else if (0 == strcmp ("email", scope_variable))
992 {
993 for (i = 0; i < 2; i++)
994 {
995 if (0 == strcmp (attr, OIDC_email_claims[i]))
996 {
997 GNUNET_free (scope_variables);
998 return GNUNET_YES;
999 }
1000 }
1001 }
1002 else if (0 == strcmp ("phone", scope_variable))
1003 {
1004 for (i = 0; i < 2; i++)
1005 {
1006 if (0 == strcmp (attr, OIDC_phone_claims[i]))
1007 {
1008 GNUNET_free (scope_variables);
1009 return GNUNET_YES;
1010 }
1011 }
1012
1013 }
1014 else if (0 == strcmp (attr, scope_variable))
1015 {
1017 GNUNET_free (scope_variables);
1018 return GNUNET_YES;
1019 }
1020 scope_variable = strtok (NULL, delimiter);
1021 }
1022 GNUNET_free (scope_variables);
1023 return GNUNET_NO;
1024
1025}
GNUNET_YES
@ GNUNET_YES
Definition gnunet_common.h:116
GNUNET_NO
@ GNUNET_NO
Definition gnunet_common.h:113
OIDC_email_claims
static char OIDC_email_claims[2][16]
Standard claims represented by the "email" scope in OIDC.
Definition oidc_helper.c:87
OIDC_address_claims
static char OIDC_address_claims[5][32]
Standard claims represented by the "address" scope in OIDC.
Definition oidc_helper.c:101
OIDC_phone_claims
static char OIDC_phone_claims[2][32]
Standard claims represented by the "phone" scope in OIDC.
Definition oidc_helper.c:94
OIDC_profile_claims
static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
Standard claims represented by the "profile" scope in OIDC.
Definition oidc_helper.c:78

References GNUNET_free, GNUNET_NO, GNUNET_strdup, GNUNET_YES, OIDC_address_claims, OIDC_email_claims, OIDC_phone_claims, and OIDC_profile_claims.

Referenced by attr_in_claims_request().

Here is the caller graph for this function:

◆ OIDC_generate_userinfo()

char * OIDC_generate_userinfo ( const struct GNUNET_CRYPTO_BlindablePublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations 
)

Generate userinfo JSON as string.

Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list
Returns
Userinfo JSON
Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list (may be empty)
Returns
Userinfo JSON

Definition at line 342 of file oidc_helper.c.

346{
347 char *body_str;
348 json_t*body = generate_userinfo_json (sub_key,
349 attrs,
350 presentations);
351 body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
352 json_decref (body);
353 return body_str;
354}
generate_userinfo_json
static json_t * generate_userinfo_json(const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Definition oidc_helper.c:162

References generate_userinfo_json().

Referenced by consume_fail(), and consume_ticket().

Here is the call graph for this function:
Here is the caller graph for this function: