GNUnet  0.20.0
Macros | Enumerations | Functions
oidc_helper.h File Reference

helper library for OIDC related functions More...

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define JWT_ALG   "alg"
 
#define JWT_TYP   "typ"
 
#define JWT_TYP_VALUE   "jwt"
 
#define JWT_ALG_VALUE_HMAC   "HS512"
 
#define JWT_ALG_VALUE_RSA   "RS256"
 
#define SERVER_ADDRESS   "http://localhost:7776"
 

Enumerations

enum  OIDC_VerificationOptions { OIDC_VERIFICATION_DEFAULT = 0 , OIDC_VERIFICATION_NO_CODE_VERIFIER = 1 }
 

Functions

char * OIDC_generate_id_token_rsa (const struct GNUNET_IDENTITY_PublicKey *aud_key, const struct GNUNET_IDENTITY_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const json_t *secret_rsa_key)
 Create a JWT using RSA256 algorithm from attributes. More...
 
char * OIDC_generate_id_token_hmac (const struct GNUNET_IDENTITY_PublicKey *aud_key, const struct GNUNET_IDENTITY_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const char *secret_key)
 Create a JWT using HMAC (HS256) from attributes. More...
 
char * OIDC_build_authz_code (const struct GNUNET_IDENTITY_PrivateKey *issuer, const struct GNUNET_RECLAIM_Ticket *ticket, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const char *nonce, const char *code_challenge)
 Builds an OIDC authorization code including a reclaim ticket and nonce. More...
 
int OIDC_parse_authz_code (const struct GNUNET_IDENTITY_PublicKey *ecdsa_pub, const char *code, const char *code_verifier, struct GNUNET_RECLAIM_Ticket *ticket, struct GNUNET_RECLAIM_AttributeList **attrs, struct GNUNET_RECLAIM_PresentationList **presentations, char **nonce, enum OIDC_VerificationOptions opts)
 Parse reclaim ticket and nonce from authorization code. More...
 
void OIDC_build_token_response (const char *access_token, const char *id_token, const struct GNUNET_TIME_Relative *expiration_time, char **token_response)
 Build a token response for a token request TODO: Maybe we should add the scope here? More...
 
char * OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket)
 Generate a new access token. More...
 
int OIDC_access_token_parse (const char *token, struct GNUNET_RECLAIM_Ticket **ticket)
 Parse an access token. More...
 
enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request (const char *scopes, const char *attr)
 Checks if a claim is implicitly requested through standard scope(s) More...
 
char * OIDC_generate_userinfo (const struct GNUNET_IDENTITY_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
 Generate userinfo JSON as string. More...
 

Detailed Description

helper library for OIDC related functions

Author
Martin Schanzenbach

Definition in file oidc_helper.h.

Macro Definition Documentation

◆ JWT_ALG

#define JWT_ALG   "alg"

Definition at line 30 of file oidc_helper.h.

◆ JWT_TYP

#define JWT_TYP   "typ"

Definition at line 31 of file oidc_helper.h.

◆ JWT_TYP_VALUE

#define JWT_TYP_VALUE   "jwt"

Definition at line 32 of file oidc_helper.h.

◆ JWT_ALG_VALUE_HMAC

#define JWT_ALG_VALUE_HMAC   "HS512"

Definition at line 34 of file oidc_helper.h.

◆ JWT_ALG_VALUE_RSA

#define JWT_ALG_VALUE_RSA   "RS256"

Definition at line 35 of file oidc_helper.h.

◆ SERVER_ADDRESS

#define SERVER_ADDRESS   "http://localhost:7776"

Definition at line 37 of file oidc_helper.h.

Enumeration Type Documentation

◆ OIDC_VerificationOptions

enum OIDC_VerificationOptions
Enumerator
OIDC_VERIFICATION_DEFAULT 

Strict verification.

OIDC_VERIFICATION_NO_CODE_VERIFIER 

Do not check code verifier even if expected.

Definition at line 39 of file oidc_helper.h.

40 {
44  OIDC_VERIFICATION_DEFAULT = 0,
45 
49  OIDC_VERIFICATION_NO_CODE_VERIFIER = 1
50 };
OIDC_VERIFICATION_NO_CODE_VERIFIER
@ OIDC_VERIFICATION_NO_CODE_VERIFIER
Do not check code verifier even if expected.
Definition: oidc_helper.h:49
OIDC_VERIFICATION_DEFAULT
@ OIDC_VERIFICATION_DEFAULT
Strict verification.
Definition: oidc_helper.h:44

Function Documentation

◆ OIDC_generate_id_token_rsa()

char* OIDC_generate_id_token_rsa ( const struct GNUNET_IDENTITY_PublicKey aud_key,
const struct GNUNET_IDENTITY_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const json_t *  secret_rsa_key 
)

Create a JWT using RSA256 algorithm from attributes.

Parameters
aud_keythe public of the audience
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_rsa_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Definition at line 427 of file oidc_helper.c.

435 {
436  json_t *jws;
437  char *body_str;
438  char *result;
439 
440  // Generate the body of the JSON Web Signature
441  body_str = generate_id_token_body (aud_key,
442  sub_key,
443  attrs,
444  presentations,
445  expiration_time,
446  nonce);
447 
448  if (NULL == body_str)
449  {
450  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
451  "Body for the JWS could not be generated\n");
452  return NULL;
453  }
454 
455  // Creating the JSON Web Signature.
456  jws = json_pack ("{s:o}", "payload",
457  jose_b64_enc (body_str, strlen (body_str)));
458  GNUNET_free (body_str);
459 
460  if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
461  {
462  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
463  "Signature generation failed\n");
464  return NULL;
465  }
466 
467  // Encoding JSON as compact JSON Web Signature
468  GNUNET_asprintf (&result, "%s.%s.%s",
469  json_string_value (json_object_get (jws, "protected")),
470  json_string_value (json_object_get (jws, "payload")),
471  json_string_value (json_object_get (jws, "signature")) );
472 
473  json_decref (jws);
474  return result;
475 }
result
static int result
Global testing status.
Definition: gnunet-regex-profiler.c:240
GNUNET_log
#define GNUNET_log(kind,...)
Definition: gnunet_common.h:568
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition: gnunet_common.h:437
GNUNET_asprintf
int int GNUNET_asprintf(char **buf, const char *format,...) __attribute__((format(printf
Like asprintf, just portable.
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition: gnunet_common.h:1412
generate_id_token_body
char * generate_id_token_body(const struct GNUNET_IDENTITY_PublicKey *aud_key, const struct GNUNET_IDENTITY_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
Definition: oidc_helper.c:362

References generate_id_token_body(), GNUNET_asprintf(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_id_token_hmac()

char* OIDC_generate_id_token_hmac ( const struct GNUNET_IDENTITY_PublicKey aud_key,
const struct GNUNET_IDENTITY_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const char *  secret_key 
)

Create a JWT using HMAC (HS256) from attributes.

Parameters
aud_keythe public of the audience
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Creating the JWT signature. This might not be standards compliant, check.

Definition at line 489 of file oidc_helper.c.

497 {
498  struct GNUNET_HashCode signature;
499  char *header;
500  char *header_base64;
501  char *body_str;
502  char *body_base64;
503  char *signature_target;
504  char *signature_base64;
505  char *result;
506 
507  // Generate and encode Header
508  header = create_jwt_hmac_header ();
509  if (NULL == header)
510  {
511  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
512  "Header for the JWS could not be generated\n");
513  return NULL;
514  }
515  GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
516  GNUNET_free (header);
517  fix_base64 (header_base64);
518 
519  // Generate and encode the body of the JSON Web Signature
520  body_str = generate_id_token_body (aud_key,
521  sub_key,
522  attrs,
523  presentations,
524  expiration_time,
525  nonce);
526 
527  if (NULL == body_str)
528  {
529  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
530  "Body for the JWS could not be generated\n");
531  GNUNET_free (header_base64);
532  return NULL;
533  }
534 
535  GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
536  fix_base64 (body_base64);
537 
542  GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
543  GNUNET_CRYPTO_hmac_raw (secret_key,
544  strlen (secret_key),
545  signature_target,
546  strlen (signature_target),
547  &signature);
548  GNUNET_STRINGS_base64url_encode ((const char *) &signature,
549  sizeof(struct GNUNET_HashCode),
550  &signature_base64);
551  fix_base64 (signature_base64);
552 
553  GNUNET_asprintf (&result,
554  "%s.%s.%s",
555  header_base64,
556  body_base64,
557  signature_base64);
558 
559  GNUNET_free (header_base64);
560  GNUNET_free (body_str);
561  GNUNET_free (body_base64);
562  GNUNET_free (signature_target);
563  GNUNET_free (signature_base64);
564  return result;
565 }
GNUNET_CRYPTO_hmac_raw
void GNUNET_CRYPTO_hmac_raw(const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac)
Calculate HMAC of a message (RFC 2104) TODO: Shouldn't this be the standard hmac function and the abo...
Definition: crypto_hash.c:300
GNUNET_STRINGS_base64url_encode
size_t GNUNET_STRINGS_base64url_encode(const void *in, size_t len, char **output)
Encode into Base64url.
Definition: strings.c:1656
create_jwt_hmac_header
static char * create_jwt_hmac_header(void)
Definition: oidc_helper.c:120
fix_base64
static void fix_base64(char *str)
Definition: oidc_helper.c:150
GNUNET_HashCode
A 512-bit hashcode.
Definition: gnunet_common.h:284

References create_jwt_hmac_header(), fix_base64(), generate_id_token_body(), GNUNET_asprintf(), GNUNET_CRYPTO_hmac_raw(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_STRINGS_base64url_encode(), and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_authz_code()

char* OIDC_build_authz_code ( const struct GNUNET_IDENTITY_PrivateKey issuer,
const struct GNUNET_RECLAIM_Ticket ticket,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const char *  nonce_str,
const char *  code_challenge 
)

Builds an OIDC authorization code including a reclaim ticket and nonce.

Parameters
issuerthe issuer of the ticket, used to sign the ticket and nonce
ticketthe ticket to include in the code
attrslist of attributes to share
presentationscredential presentation list
noncethe nonce to include in the code
code_challengePKCE code challenge
optsverification options
Returns
a new authorization code (caller must free)
Parameters
issuerthe issuer of the ticket, used to sign the ticket and nonce
ticketthe ticket to include in the code
attrslist of attributes which are shared
presentationscredential presentation list (may be empty)
noncethe nonce to include in the code
code_challengePKCE code challenge
Returns
a new authorization code (caller must free)

PLAINTEXT

END

Definition at line 581 of file oidc_helper.c.

588 {
589  struct OIDC_Parameters params;
590  char *code_payload;
591  char *payload;
592  char *tmp;
593  char *code_str;
594  char *buf_ptr = NULL;
595  size_t payload_len;
596  size_t code_payload_len;
597  size_t attr_list_len = 0;
598  size_t pres_list_len = 0;
599  size_t code_challenge_len = 0;
600  uint32_t nonce_len = 0;
601  struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
602 
604  // Assign ticket
605  memset (&params, 0, sizeof(params));
606  params.ticket = *ticket;
607  // Assign nonce
608  payload_len = sizeof(struct OIDC_Parameters);
609  if ((NULL != nonce_str) && (strcmp ("", nonce_str) != 0))
610  {
611  nonce_len = strlen (nonce_str);
612  payload_len += nonce_len;
613  }
614  params.nonce_len = htonl (nonce_len);
615  // Assign code challenge
616  if (NULL != code_challenge)
617  code_challenge_len = strlen (code_challenge);
618  payload_len += code_challenge_len;
619  params.code_challenge_len = htonl (code_challenge_len);
620  // Assign attributes
621  if (NULL != attrs)
622  {
623  // Get length
624  attr_list_len = GNUNET_RECLAIM_attribute_list_serialize_get_size (attrs);
625  params.attr_list_len = htonl (attr_list_len);
626  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
627  "Length of serialized attributes: %lu\n",
628  attr_list_len);
629  // Get serialized attributes
630  payload_len += attr_list_len;
631  }
632  if (NULL != presentations)
633  {
634  // Get length
635  // FIXME only add presentations relevant for attribute list!!!
636  // This is important because of the distinction between id_token and
637  // userinfo in OIDC
638  pres_list_len =
639  GNUNET_RECLAIM_presentation_list_serialize_get_size (presentations);
640  params.pres_list_len = htonl (pres_list_len);
641  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
642  "Length of serialized presentations: %lu\n",
643  pres_list_len);
644  // Get serialized attributes
645  payload_len += pres_list_len;
646  }
647 
648  // Get plaintext length
649  payload = GNUNET_malloc (payload_len);
650  memcpy (payload, &params, sizeof(params));
651  tmp = payload + sizeof(params);
652  if (0 < code_challenge_len)
653  {
654  memcpy (tmp, code_challenge, code_challenge_len);
655  tmp += code_challenge_len;
656  }
657  if (0 < nonce_len)
658  {
659  memcpy (tmp, nonce_str, nonce_len);
660  tmp += nonce_len;
661  }
662  if (0 < attr_list_len)
663  GNUNET_RECLAIM_attribute_list_serialize (attrs, tmp);
664  tmp += attr_list_len;
665  if (0 < pres_list_len)
666  GNUNET_RECLAIM_presentation_list_serialize (presentations, tmp);
667  tmp += pres_list_len;
668 
671  // Get length
672  code_payload_len = sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
673  + payload_len + sizeof(struct
674  GNUNET_IDENTITY_Signature);
675  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
676  "Length of data to encode: %lu\n",
677  code_payload_len);
678 
679  // Initialize code payload
680  code_payload = GNUNET_malloc (code_payload_len);
681  GNUNET_assert (NULL != code_payload);
682  purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
683  purpose->size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
684  + payload_len);
685  purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN);
686  // Store pubkey
687  buf_ptr = (char *) &purpose[1];
688  memcpy (buf_ptr, payload, payload_len);
689  GNUNET_free (payload);
690  buf_ptr += payload_len;
691  // Sign and store signature
692  if (GNUNET_SYSERR ==
693  GNUNET_IDENTITY_sign_ (issuer,
694  purpose,
695  (struct GNUNET_IDENTITY_Signature *)
696  buf_ptr))
697  {
698  GNUNET_break (0);
699  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
700  GNUNET_free (code_payload);
701  return NULL;
702  }
703  GNUNET_STRINGS_base64url_encode (code_payload, code_payload_len, &code_str);
704  GNUNET_free (code_payload);
705  return code_str;
706 }
GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
Signature for a GNUid Ticket (Reclaim)
Definition: gnunet_signatures.h:172
ticket
static struct GNUNET_RECLAIM_Ticket ticket
Ticket to consume.
Definition: gnunet-reclaim.c:165
payload
static unsigned long long payload
How much data are we currently storing in the database?
Definition: gnunet-service-datastore.c:183
GNUNET_IDENTITY_sign_
enum GNUNET_GenericReturnValue GNUNET_IDENTITY_sign_(const struct GNUNET_IDENTITY_PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_IDENTITY_Signature *sig)
Sign a given block.
Definition: identity_api.c:1053
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition: gnunet_common.h:107
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:943
GNUNET_break
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
Definition: gnunet_common.h:1024
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition: gnunet_common.h:444
GNUNET_malloc
#define GNUNET_malloc(size)
Wrapper around malloc.
Definition: gnunet_common.h:1352
GNUNET_RECLAIM_attribute_list_serialize
size_t GNUNET_RECLAIM_attribute_list_serialize(const struct GNUNET_RECLAIM_AttributeList *attrs, char *result)
Serialize an attribute list.
Definition: reclaim_attribute.c:329
GNUNET_RECLAIM_presentation_list_serialize
size_t GNUNET_RECLAIM_presentation_list_serialize(const struct GNUNET_RECLAIM_PresentationList *presentations, char *result)
Serialize a presentation list.
Definition: reclaim_credential.c:721
GNUNET_RECLAIM_presentation_list_serialize_get_size
size_t GNUNET_RECLAIM_presentation_list_serialize_get_size(const struct GNUNET_RECLAIM_PresentationList *presentations)
Get required size for serialization buffer.
Definition: reclaim_credential.c:705
GNUNET_RECLAIM_attribute_list_serialize_get_size
size_t GNUNET_RECLAIM_attribute_list_serialize_get_size(const struct GNUNET_RECLAIM_AttributeList *attrs)
Get required size for serialization buffer.
Definition: reclaim_attribute.c:313
GNUNET_CRYPTO_EccSignaturePurpose
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
Definition: gnunet_crypto_lib.h:141
GNUNET_CRYPTO_EccSignaturePurpose::purpose
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Definition: gnunet_crypto_lib.h:155
GNUNET_IDENTITY_Signature
An identity signature as per LSD0001.
Definition: gnunet_identity_service.h:150
OIDC_Parameters
The signature used to generate the authorization code.
Definition: oidc_helper.c:45
OIDC_Parameters::pres_list_len
uint32_t pres_list_len
The length of the presentation list.
Definition: oidc_helper.c:69
OIDC_Parameters::nonce_len
uint32_t nonce_len
The nonce length.
Definition: oidc_helper.c:54
OIDC_Parameters::attr_list_len
uint32_t attr_list_len
The length of the attributes list.
Definition: oidc_helper.c:64
OIDC_Parameters::code_challenge_len
uint32_t code_challenge_len
The length of the PKCE code_challenge.
Definition: oidc_helper.c:59

Referenced by oidc_ticket_issue_cb().

Here is the caller graph for this function:

◆ OIDC_parse_authz_code()

int OIDC_parse_authz_code ( const struct GNUNET_IDENTITY_PublicKey audience,
const char *  code,
const char *  code_verifier,
struct GNUNET_RECLAIM_Ticket ticket,
struct GNUNET_RECLAIM_AttributeList **  attrs,
struct GNUNET_RECLAIM_PresentationList **  presentations,
char **  nonce_str,
enum OIDC_VerificationOptions  opts 
)

Parse reclaim ticket and nonce from authorization code.

This also verifies the signature in the code.

Parameters
ecdsa_privthe audience of the ticket
codethe string representation of the code
code_verfierPKCE code verifier
ticketwhere to store the ticket
attrsthe attributes found in the code
presentationscredential presentation list
noncewhere to store the nonce
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

This also verifies the signature in the code.

Parameters
audiencethe expected audience of the code
codethe string representation of the code
code_verfierPKCE code verifier. Optional, must be provided if used in request.
ticketwhere to store the ticket
attrsthe attributes in the code
presentationscredential presentation list
nonce_strwhere to store the nonce (if contained)
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

Definition at line 767 of file oidc_helper.c.

775 {
776  char *code_payload;
777  char *ptr;
778  char *plaintext;
779  char *attrs_ser;
780  char *presentations_ser;
781  char *code_challenge;
782  struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
783  struct GNUNET_IDENTITY_Signature *signature;
784  uint32_t code_challenge_len;
785  uint32_t attrs_ser_len;
786  uint32_t pres_ser_len;
787  size_t plaintext_len;
788  size_t code_payload_len;
789  uint32_t nonce_len = 0;
790  struct OIDC_Parameters *params;
791 
792  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code);
793  code_payload = NULL;
794  code_payload_len =
795  GNUNET_STRINGS_base64url_decode (code, strlen (code),
796  (void **) &code_payload);
797  if (code_payload_len < sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
798  + sizeof(struct OIDC_Parameters)
799  + sizeof(struct GNUNET_IDENTITY_Signature))
800  {
801  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
802  GNUNET_free (code_payload);
803  return GNUNET_SYSERR;
804  }
805 
806  purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
807  plaintext_len = code_payload_len;
808  plaintext_len -= sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose);
809  ptr = (char *) &purpose[1];
810  plaintext_len -= sizeof(struct GNUNET_IDENTITY_Signature);
811  plaintext = ptr;
812  ptr += plaintext_len;
813  signature = (struct GNUNET_IDENTITY_Signature *) ptr;
814  params = (struct OIDC_Parameters *) plaintext;
815 
816  // cmp code_challenge code_verifier
817  code_challenge_len = ntohl (params->code_challenge_len);
818  code_challenge = ((char *) &params[1]);
819  if (! (opts & OIDC_VERIFICATION_NO_CODE_VERIFIER))
820  {
821  if (GNUNET_OK != check_code_challenge (code_challenge,
822  code_challenge_len,
823  code_verifier))
824  {
825  GNUNET_free (code_payload);
826  return GNUNET_SYSERR;
827  }
828  }
829  nonce_len = ntohl (params->nonce_len);
830  if (0 != nonce_len)
831  {
832  *nonce_str = GNUNET_strndup (code_challenge + code_challenge_len,
833  nonce_len);
834  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %s\n", *nonce_str);
835  }
836 
837  // Ticket
838  memcpy (ticket, &params->ticket, sizeof(params->ticket));
839  // Signature
840  // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
841  if (0 != GNUNET_memcmp (audience, &ticket->audience))
842  {
843  GNUNET_free (code_payload);
844  if (NULL != *nonce_str)
845  GNUNET_free (*nonce_str);
846  GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
847  "Audience in ticket does not match client!\n");
848  return GNUNET_SYSERR;
849  }
850  if (GNUNET_OK !=
851  GNUNET_IDENTITY_signature_verify_ (
852  GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
853  purpose,
854  signature,
855  &(ticket->identity)))
856  {
857  GNUNET_free (code_payload);
858  if (NULL != *nonce_str)
859  GNUNET_free (*nonce_str);
860  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n");
861  return GNUNET_SYSERR;
862  }
863  // Attributes
864  attrs_ser = ((char *) &params[1]) + code_challenge_len + nonce_len;
865  attrs_ser_len = ntohl (params->attr_list_len);
866  *attrs = GNUNET_RECLAIM_attribute_list_deserialize (attrs_ser, attrs_ser_len);
867  presentations_ser = ((char*) attrs_ser) + attrs_ser_len;
868  pres_ser_len = ntohl (params->pres_list_len);
869  *presentations =
870  GNUNET_RECLAIM_presentation_list_deserialize (presentations_ser,
871  pres_ser_len);
872 
873  GNUNET_free (code_payload);
874  return GNUNET_OK;
875 }
GNUNET_IDENTITY_signature_verify_
enum GNUNET_GenericReturnValue GNUNET_IDENTITY_signature_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_IDENTITY_Signature *sig, const struct GNUNET_IDENTITY_PublicKey *pub)
Verify a given signature.
Definition: identity_api.c:1079
GNUNET_memcmp
#define GNUNET_memcmp(a, b)
Compare memory in a and b, where both must be of the same pointer type.
Definition: gnunet_common.h:1224
GNUNET_OK
@ GNUNET_OK
Definition: gnunet_common.h:109
GNUNET_strndup
#define GNUNET_strndup(a, length)
Wrapper around GNUNET_xstrndup_.
Definition: gnunet_common.h:1437
GNUNET_RECLAIM_attribute_list_deserialize
struct GNUNET_RECLAIM_AttributeList * GNUNET_RECLAIM_attribute_list_deserialize(const char *data, size_t data_size)
Deserialize an attribute list.
Definition: reclaim_attribute.c:358
GNUNET_RECLAIM_presentation_list_deserialize
struct GNUNET_RECLAIM_PresentationList * GNUNET_RECLAIM_presentation_list_deserialize(const char *data, size_t data_size)
Deserialize a presentation list.
Definition: reclaim_credential.c:750
GNUNET_STRINGS_base64url_decode
size_t GNUNET_STRINGS_base64url_decode(const char *data, size_t len, void **out)
Decode from Base64url.
Definition: strings.c:1760
check_code_challenge
enum GNUNET_GenericReturnValue check_code_challenge(const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
Definition: oidc_helper.c:710
GNUNET_RECLAIM_Ticket::audience
struct GNUNET_IDENTITY_PublicKey audience
The ticket audience (= relying party)
Definition: gnunet_reclaim_service.h:82
GNUNET_RECLAIM_Ticket::identity
struct GNUNET_IDENTITY_PublicKey identity
The ticket issuer (= the user)
Definition: gnunet_reclaim_service.h:77
OIDC_Parameters::ticket
struct GNUNET_RECLAIM_Ticket ticket
The reclaim ticket.
Definition: oidc_helper.c:49

References OIDC_Parameters::attr_list_len, GNUNET_RECLAIM_Ticket::audience, check_code_challenge(), OIDC_Parameters::code_challenge_len, GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_IDENTITY_signature_verify_(), GNUNET_log, GNUNET_memcmp, GNUNET_OK, GNUNET_RECLAIM_attribute_list_deserialize(), GNUNET_RECLAIM_presentation_list_deserialize(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_STRINGS_base64url_decode(), GNUNET_strndup, GNUNET_SYSERR, GNUNET_RECLAIM_Ticket::identity, OIDC_Parameters::nonce_len, OIDC_VERIFICATION_NO_CODE_VERIFIER, gnunet-chk::opts, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_EccSignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by consume_fail(), and token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_token_response()

void OIDC_build_token_response ( const char *  access_token,
const char *  id_token,
const struct GNUNET_TIME_Relative expiration_time,
char **  token_response 
)

Build a token response for a token request TODO: Maybe we should add the scope here?

Parameters
access_tokenthe access token to include
id_tokenthe id_token to include
expiration_timethe expiration time of the token(s)
token_responsewhere to store the response

Definition at line 888 of file oidc_helper.c.

892 {
893  json_t *root_json;
894 
895  root_json = json_object ();
896 
897  GNUNET_assert (NULL != access_token);
898  GNUNET_assert (NULL != id_token);
899  GNUNET_assert (NULL != expiration_time);
900  json_object_set_new (root_json, "access_token", json_string (access_token));
901  json_object_set_new (root_json, "token_type", json_string ("Bearer"));
902  json_object_set_new (root_json,
903  "expires_in",
904  json_integer (expiration_time->rel_value_us
905  / (1000 * 1000)));
906  json_object_set_new (root_json, "id_token", json_string (id_token));
907  *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT);
908  json_decref (root_json);
909 }
GNUNET_TIME_Relative::rel_value_us
uint64_t rel_value_us
The actual value.
Definition: gnunet_time_lib.h:81

References GNUNET_assert, and GNUNET_TIME_Relative::rel_value_us.

Referenced by token_endpoint().

Here is the caller graph for this function:

◆ OIDC_access_token_new()

char* OIDC_access_token_new ( const struct GNUNET_RECLAIM_Ticket ticket)

Generate a new access token.

Definition at line 916 of file oidc_helper.c.

917 {
918  char *access_token;
919 
920  GNUNET_STRINGS_base64_encode (ticket,
921  sizeof(*ticket),
922  &access_token);
923  return access_token;
924 }
GNUNET_STRINGS_base64_encode
size_t GNUNET_STRINGS_base64_encode(const void *in, size_t len, char **output)
Encode into Base64.
Definition: strings.c:1607

References GNUNET_STRINGS_base64_encode(), and ticket.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_access_token_parse()

int OIDC_access_token_parse ( const char *  token,
struct GNUNET_RECLAIM_Ticket **  ticket 
)

Parse an access token.

Definition at line 931 of file oidc_helper.c.

933 {
934  size_t sret;
935  char *decoded;
936  sret = GNUNET_STRINGS_base64_decode (token,
937  strlen (token),
938  (void**) &decoded);
939  if (sizeof (struct GNUNET_RECLAIM_Ticket) != sret)
940  {
941  GNUNET_free (decoded);
942  return GNUNET_SYSERR;
943  }
944  *ticket = (struct GNUNET_RECLAIM_Ticket *) decoded;
945  return GNUNET_OK;
946 }
GNUNET_STRINGS_base64_decode
size_t GNUNET_STRINGS_base64_decode(const char *data, size_t len, void **output)
Decode from Base64.
Definition: strings.c:1695
GNUNET_RECLAIM_Ticket
The authorization ticket.
Definition: gnunet_reclaim_service.h:73

Referenced by userinfo_endpoint().

Here is the caller graph for this function:

◆ OIDC_check_scopes_for_claim_request()

enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request ( const char *  scopes,
const char *  attr 
)

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implcitly requested

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implcitly requested

attribute matches requested scope

Definition at line 931 of file oidc_helper.c.

960 {
961  char *scope_variables;
962  char *scope_variable;
963  char delimiter[] = " ";
964  int i;
965 
966  scope_variables = GNUNET_strdup (scopes);
967  scope_variable = strtok (scope_variables, delimiter);
968  while (NULL != scope_variable)
969  {
970  if (0 == strcmp ("profile", scope_variable))
971  {
972  for (i = 0; i < 14; i++)
973  {
974  if (0 == strcmp (attr, OIDC_profile_claims[i]))
975  {
976  GNUNET_free (scope_variables);
977  return GNUNET_YES;
978  }
979  }
980  }
981  else if (0 == strcmp ("address", scope_variable))
982  {
983  for (i = 0; i < 5; i++)
984  {
985  if (0 == strcmp (attr, OIDC_address_claims[i]))
986  {
987  GNUNET_free (scope_variables);
988  return GNUNET_YES;
989  }
990  }
991  }
992  else if (0 == strcmp ("email", scope_variable))
993  {
994  for (i = 0; i < 2; i++)
995  {
996  if (0 == strcmp (attr, OIDC_email_claims[i]))
997  {
998  GNUNET_free (scope_variables);
999  return GNUNET_YES;
1000  }
1001  }
1002  }
1003  else if (0 == strcmp ("phone", scope_variable))
1004  {
1005  for (i = 0; i < 2; i++)
1006  {
1007  if (0 == strcmp (attr, OIDC_phone_claims[i]))
1008  {
1009  GNUNET_free (scope_variables);
1010  return GNUNET_YES;
1011  }
1012  }
1013 
1014  }
1015  else if (0 == strcmp (attr, scope_variable))
1016  {
1018  GNUNET_free (scope_variables);
1019  return GNUNET_YES;
1020  }
1021  scope_variable = strtok (NULL, delimiter);
1022  }
1023  GNUNET_free (scope_variables);
1024  return GNUNET_NO;
1025 
1026 }
GNUNET_YES
@ GNUNET_YES
Definition: gnunet_common.h:111
GNUNET_NO
@ GNUNET_NO
Definition: gnunet_common.h:108
GNUNET_strdup
#define GNUNET_strdup(a)
Wrapper around GNUNET_xstrdup_.
Definition: gnunet_common.h:1426
OIDC_email_claims
static char OIDC_email_claims[2][16]
Standard claims represented by the "email" scope in OIDC.
Definition: oidc_helper.c:86
OIDC_address_claims
static char OIDC_address_claims[5][32]
Standard claims represented by the "address" scope in OIDC.
Definition: oidc_helper.c:100
OIDC_phone_claims
static char OIDC_phone_claims[2][32]
Standard claims represented by the "phone" scope in OIDC.
Definition: oidc_helper.c:93
OIDC_profile_claims
static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
Standard claims represented by the "profile" scope in OIDC.
Definition: oidc_helper.c:77

Referenced by attr_in_claims_request().

Here is the caller graph for this function:

◆ OIDC_generate_userinfo()

char* OIDC_generate_userinfo ( const struct GNUNET_IDENTITY_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations 
)

Generate userinfo JSON as string.

Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list
Returns
Userinfo JSON
Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list (may be empty)
Returns
Userinfo JSON

Definition at line 346 of file oidc_helper.c.

350 {
351  char *body_str;
352  json_t*body = generate_userinfo_json (sub_key,
353  attrs,
354  presentations);
355  body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
356  json_decref (body);
357  return body_str;
358 }
generate_userinfo_json
static json_t * generate_userinfo_json(const struct GNUNET_IDENTITY_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Definition: oidc_helper.c:161

References generate_userinfo_json().

Referenced by consume_fail(), and consume_ticket().

Here is the call graph for this function:
Here is the caller graph for this function: