GNUnet 0.25.2-1-g44a9a8846
 
Loading...
Searching...
No Matches
Macros | Enumerations | Functions
oidc_helper.h File Reference
#include "gnunet_util_lib.h"
#include "gnunet_reclaim_service.h"
Include dependency graph for oidc_helper.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define JWT_ALG   "alg"
 
#define JWT_TYP   "typ"
 
#define JWT_TYP_VALUE   "jwt"
 
#define JWT_ALG_VALUE_HMAC   "HS512"
 
#define JWT_ALG_VALUE_RSA   "RS256"
 
#define SERVER_ADDRESS   "http://localhost:7776"
 

Enumerations

enum  OIDC_VerificationOptions { OIDC_VERIFICATION_DEFAULT = 0 , OIDC_VERIFICATION_NO_CODE_VERIFIER = 1 }
 

Functions

char * OIDC_generate_id_token_rsa (const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const json_t *secret_rsa_key)
 Create a JWT using RSA256 algorithm from attributes.
 
char * OIDC_generate_id_token_hmac (const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce, const char *secret_key)
 Create a JWT using HMAC (HS256) from attributes.
 
char * OIDC_build_authz_code (const struct GNUNET_CRYPTO_PrivateKey *issuer, const struct GNUNET_RECLAIM_Ticket *ticket, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const char *nonce, const char *code_challenge)
 Builds an OIDC authorization code including a reclaim ticket and nonce.
 
int OIDC_parse_authz_code (const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *cid, const char *code, const char *code_verifier, struct GNUNET_RECLAIM_Ticket *ticket, struct GNUNET_RECLAIM_AttributeList **attrs, struct GNUNET_RECLAIM_PresentationList **presentations, char **nonce, enum OIDC_VerificationOptions opts, char **emsg)
 Parse reclaim ticket and nonce from authorization code.
 
void OIDC_build_token_response (const char *access_token, const char *id_token, const struct GNUNET_TIME_Relative *expiration_time, char **token_response)
 Build a token response for a token request TODO: Maybe we should add the scope here?
 
char * OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket, const char *rp_uri)
 Generate a new access token.
 
int OIDC_access_token_parse (const char *token, struct GNUNET_RECLAIM_Ticket **ticket, char **rp_uri)
 Parse an access token.
 
enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request (const char *scopes, const char *attr)
 Checks if a claim is implicitly requested through standard scope(s)
 
char * OIDC_generate_userinfo (const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
 Generate userinfo JSON as string.
 

Macro Definition Documentation

◆ JWT_ALG

#define JWT_ALG   "alg"

Definition at line 32 of file oidc_helper.h.

◆ JWT_TYP

#define JWT_TYP   "typ"

Definition at line 33 of file oidc_helper.h.

◆ JWT_TYP_VALUE

#define JWT_TYP_VALUE   "jwt"

Definition at line 34 of file oidc_helper.h.

◆ JWT_ALG_VALUE_HMAC

#define JWT_ALG_VALUE_HMAC   "HS512"

Definition at line 36 of file oidc_helper.h.

◆ JWT_ALG_VALUE_RSA

#define JWT_ALG_VALUE_RSA   "RS256"

Definition at line 37 of file oidc_helper.h.

◆ SERVER_ADDRESS

#define SERVER_ADDRESS   "http://localhost:7776"

Definition at line 39 of file oidc_helper.h.

Enumeration Type Documentation

◆ OIDC_VerificationOptions

enum OIDC_VerificationOptions
Enumerator
OIDC_VERIFICATION_DEFAULT 

Strict verification.

OIDC_VERIFICATION_NO_CODE_VERIFIER 

Do not check code verifier even if expected.

Definition at line 41 of file oidc_helper.h.

42{
46 OIDC_VERIFICATION_DEFAULT = 0,
47
51 OIDC_VERIFICATION_NO_CODE_VERIFIER = 1
52};
OIDC_VERIFICATION_NO_CODE_VERIFIER
@ OIDC_VERIFICATION_NO_CODE_VERIFIER
Do not check code verifier even if expected.
Definition oidc_helper.h:51
OIDC_VERIFICATION_DEFAULT
@ OIDC_VERIFICATION_DEFAULT
Strict verification.
Definition oidc_helper.h:46

Function Documentation

◆ OIDC_generate_id_token_rsa()

char * OIDC_generate_id_token_rsa ( const char *  rp_uri,
const struct GNUNET_CRYPTO_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const json_t *  secret_rsa_key 
)

Create a JWT using RSA256 algorithm from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_rsa_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Definition at line 417 of file oidc_helper.c.

425{
426 json_t *jws;
427 char *body_str;
428 char *result;
429
430 // Generate the body of the JSON Web Signature
431 body_str = generate_id_token_body (rp_uri,
432 sub_key,
433 attrs,
434 presentations,
435 expiration_time,
436 nonce);
437
438 if (NULL == body_str)
439 {
440 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
441 "Body for the JWS could not be generated\n");
442 return NULL;
443 }
444
445 // Creating the JSON Web Signature.
446 jws = json_pack ("{s:o}", "payload",
447 jose_b64_enc (body_str, strlen (body_str)));
448 GNUNET_free (body_str);
449
450 if (! jose_jws_sig (NULL, jws, NULL, secret_rsa_key))
451 {
452 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
453 "Signature generation failed\n");
454 return NULL;
455 }
456
457 // Encoding JSON as compact JSON Web Signature
458 GNUNET_asprintf (&result, "%s.%s.%s",
459 json_string_value (json_object_get (jws, "protected")),
460 json_string_value (json_object_get (jws, "payload")),
461 json_string_value (json_object_get (jws, "signature")) );
462
463 json_decref (jws);
464 return result;
465}
result
static int result
Global testing status.
Definition gnunet-regex-profiler.c:240
GNUNET_log
#define GNUNET_log(kind,...)
Definition gnunet_common.h:551
GNUNET_ERROR_TYPE_ERROR
@ GNUNET_ERROR_TYPE_ERROR
Definition gnunet_common.h:417
GNUNET_asprintf
int int GNUNET_asprintf(char **buf, const char *format,...) __attribute__((format(printf
Like asprintf, just portable.
GNUNET_free
#define GNUNET_free(ptr)
Wrapper around free.
Definition gnunet_common.h:1415
generate_id_token_body
static char * generate_id_token_body(const char *rp_uri, const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations, const struct GNUNET_TIME_Relative *expiration_time, const char *nonce)
Definition oidc_helper.c:358

References generate_id_token_body(), GNUNET_asprintf(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_generate_id_token_hmac()

char * OIDC_generate_id_token_hmac ( const char *  rp_uri,
const struct GNUNET_CRYPTO_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const struct GNUNET_TIME_Relative expiration_time,
const char *  nonce,
const char *  secret_key 
)

Create a JWT using HMAC (HS256) from attributes.

Parameters
rp_urithe RP URI
sub_keythe public key of the subject
attrsthe attribute list
presentationscredential presentation list (may be empty)
expiration_timethe validity of the token
secret_keythe key used to sign the JWT
Returns
a new base64-encoded JWT string.

Creating the JWT signature. This might not be standards compliant, check.

Definition at line 469 of file oidc_helper.c.

477{
478 struct GNUNET_HashCode signature;
479 char *header;
480 char *header_base64;
481 char *body_str;
482 char *body_base64;
483 char *signature_target;
484 char *signature_base64;
485 char *result;
486
487 // Generate and encode Header
488 header = create_jwt_hmac_header ();
489 if (NULL == header)
490 {
491 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
492 "Header for the JWS could not be generated\n");
493 return NULL;
494 }
495 GNUNET_STRINGS_base64url_encode (header, strlen (header), &header_base64);
496 GNUNET_free (header);
497 fix_base64 (header_base64);
498
499 // Generate and encode the body of the JSON Web Signature
500 body_str = generate_id_token_body (rp_uri,
501 sub_key,
502 attrs,
503 presentations,
504 expiration_time,
505 nonce);
506
507 if (NULL == body_str)
508 {
509 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
510 "Body for the JWS could not be generated\n");
511 GNUNET_free (header_base64);
512 return NULL;
513 }
514
515 GNUNET_STRINGS_base64url_encode (body_str, strlen (body_str), &body_base64);
516 fix_base64 (body_base64);
517
522 GNUNET_asprintf (&signature_target, "%s.%s", header_base64, body_base64);
523 GNUNET_CRYPTO_hmac_raw (secret_key,
524 strlen (secret_key),
525 signature_target,
526 strlen (signature_target),
527 &signature);
528 GNUNET_STRINGS_base64url_encode ((const char *) &signature,
529 sizeof(struct GNUNET_HashCode),
530 &signature_base64);
531 fix_base64 (signature_base64);
532
533 GNUNET_asprintf (&result,
534 "%s.%s.%s",
535 header_base64,
536 body_base64,
537 signature_base64);
538
539 GNUNET_free (header_base64);
540 GNUNET_free (body_str);
541 GNUNET_free (body_base64);
542 GNUNET_free (signature_target);
543 GNUNET_free (signature_base64);
544 return result;
545}
GNUNET_CRYPTO_hmac_raw
void GNUNET_CRYPTO_hmac_raw(const void *key, size_t key_len, const void *plaintext, size_t plaintext_len, struct GNUNET_HashCode *hmac)
Calculate HMAC of a message (RFC 2104) TODO: Shouldn't this be the standard hmac function and the abo...
Definition crypto_hash.c:297
GNUNET_STRINGS_base64url_encode
size_t GNUNET_STRINGS_base64url_encode(const void *in, size_t len, char **output)
Encode into Base64url.
Definition strings.c:1667
fix_base64
static void fix_base64(char *str)
Definition oidc_helper.c:151
create_jwt_hmac_header
static char * create_jwt_hmac_header(void)
Definition oidc_helper.c:121
GNUNET_HashCode
A 512-bit hashcode.
Definition gnunet_common.h:287

References create_jwt_hmac_header(), fix_base64(), generate_id_token_body(), GNUNET_asprintf(), GNUNET_CRYPTO_hmac_raw(), GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_STRINGS_base64url_encode(), and result.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_authz_code()

char * OIDC_build_authz_code ( const struct GNUNET_CRYPTO_PrivateKey issuer,
const struct GNUNET_RECLAIM_Ticket ticket,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations,
const char *  nonce_str,
const char *  code_challenge 
)

Builds an OIDC authorization code including a reclaim ticket and nonce.

Parameters
issuerthe issuer
ticketthe ticket to include in the code
attrslist of attributes to share
presentationscredential presentation list
noncethe nonce to include in the code
code_challengePKCE code challenge
optsverification options
Returns
a new authorization code (caller must free)
Parameters
issuerthe issuer of the ticket, used to sign the ticket and nonce
ticketthe ticket to include in the code
attrslist of attributes which are shared
presentationscredential presentation list (may be empty)
noncethe nonce to include in the code
code_challengePKCE code challenge
Returns
a new authorization code (caller must free)

PLAINTEXT

END

Definition at line 561 of file oidc_helper.c.

568{
569 struct OIDC_Parameters params;
570 char *code_payload;
571 char *payload;
572 char *tmp;
573 char *code_str;
574 char *buf_ptr = NULL;
575 size_t payload_len;
576 size_t code_payload_len;
577 size_t attr_list_len = 0;
578 size_t pres_list_len = 0;
579 size_t code_challenge_len = 0;
580 uint32_t nonce_len = 0;
581 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
582
584 // Assign ticket
585 memset (&params, 0, sizeof(params));
586 memcpy (params.ticket.gns_name, ticket->gns_name, strlen (ticket->gns_name)
587 + 1);
588 // Assign nonce
589 payload_len = sizeof(struct OIDC_Parameters);
590 if ((NULL != nonce_str) && (strcmp ("", nonce_str) != 0))
591 {
592 nonce_len = strlen (nonce_str);
593 payload_len += nonce_len;
594 }
595 params.nonce_len = htonl (nonce_len);
596 // Assign code challenge
597 if (NULL != code_challenge)
598 code_challenge_len = strlen (code_challenge);
599 payload_len += code_challenge_len;
600 params.code_challenge_len = htonl (code_challenge_len);
601 // Assign attributes
602 if (NULL != attrs)
603 {
604 // Get length
605 attr_list_len = GNUNET_RECLAIM_attribute_list_serialize_get_size (attrs);
606 params.attr_list_len = htonl (attr_list_len);
607 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
608 "Length of serialized attributes: %lu\n",
609 attr_list_len);
610 // Get serialized attributes
611 payload_len += attr_list_len;
612 }
613 if (NULL != presentations)
614 {
615 // Get length
616 // FIXME only add presentations relevant for attribute list!!!
617 // This is important because of the distinction between id_token and
618 // userinfo in OIDC
619 pres_list_len =
620 GNUNET_RECLAIM_presentation_list_serialize_get_size (presentations);
621 params.pres_list_len = htonl (pres_list_len);
622 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
623 "Length of serialized presentations: %lu\n",
624 pres_list_len);
625 // Get serialized attributes
626 payload_len += pres_list_len;
627 }
628
629 // Get plaintext length
630 payload = GNUNET_malloc (payload_len);
631 memcpy (payload, &params, sizeof(params));
632 tmp = payload + sizeof(params);
633 if (0 < code_challenge_len)
634 {
635 memcpy (tmp, code_challenge, code_challenge_len);
636 tmp += code_challenge_len;
637 }
638 if (0 < nonce_len)
639 {
640 memcpy (tmp, nonce_str, nonce_len);
641 tmp += nonce_len;
642 }
643 if (0 < attr_list_len)
644 GNUNET_RECLAIM_attribute_list_serialize (attrs, tmp);
645 tmp += attr_list_len;
646 if (0 < pres_list_len)
647 GNUNET_RECLAIM_presentation_list_serialize (presentations, tmp);
648 tmp += pres_list_len;
649
652 // Get length
653 code_payload_len = sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
654 + payload_len + sizeof(struct
655 GNUNET_CRYPTO_Signature);
656 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
657 "Length of data to encode: %lu\n",
658 code_payload_len);
659
660 // Initialize code payload
661 code_payload = GNUNET_malloc (code_payload_len);
662 GNUNET_assert (NULL != code_payload);
663 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
664 purpose->size = htonl (sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
665 + payload_len);
666 purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN);
667 // Store pubkey
668 buf_ptr = (char *) &purpose[1];
669 memcpy (buf_ptr, payload, payload_len);
670 GNUNET_free (payload);
671 buf_ptr += payload_len;
672 // Sign and store signature
673 if (GNUNET_SYSERR ==
674 GNUNET_CRYPTO_sign_ (issuer,
675 purpose,
676 (struct GNUNET_CRYPTO_Signature *)
677 buf_ptr))
678 {
679 GNUNET_break (0);
680 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n");
681 GNUNET_free (code_payload);
682 return NULL;
683 }
684 GNUNET_STRINGS_base64url_encode (code_payload, code_payload_len, &code_str);
685 GNUNET_free (code_payload);
686 return code_str;
687}
ticket
static struct GNUNET_RECLAIM_Ticket ticket
Ticket to consume.
Definition gnunet-reclaim.c:164
payload
static unsigned long long payload
How much data are we currently storing in the database?
Definition gnunet-service-datastore.c:183
GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
#define GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN
Signature for a GNUid Ticket (Reclaim)
Definition gnunet_signatures.h:172
GNUNET_CRYPTO_sign_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_sign_(const struct GNUNET_CRYPTO_PrivateKey *priv, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_Signature *sig)
Sign a given block.
Definition crypto_pkey.c:293
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition gnunet_common.h:112
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition gnunet_common.h:960
GNUNET_break
#define GNUNET_break(cond)
Use this for internal assertion violations that are not fatal (can be handled) but should not occur.
Definition gnunet_common.h:1045
GNUNET_ERROR_TYPE_DEBUG
@ GNUNET_ERROR_TYPE_DEBUG
Definition gnunet_common.h:424
GNUNET_malloc
#define GNUNET_malloc(size)
Wrapper around malloc.
Definition gnunet_common.h:1355
GNUNET_RECLAIM_attribute_list_serialize
size_t GNUNET_RECLAIM_attribute_list_serialize(const struct GNUNET_RECLAIM_AttributeList *attrs, char *result)
Serialize an attribute list.
Definition reclaim_attribute.c:322
GNUNET_RECLAIM_presentation_list_serialize
size_t GNUNET_RECLAIM_presentation_list_serialize(const struct GNUNET_RECLAIM_PresentationList *presentations, char *result)
Serialize a presentation list.
Definition reclaim_credential.c:703
GNUNET_RECLAIM_presentation_list_serialize_get_size
size_t GNUNET_RECLAIM_presentation_list_serialize_get_size(const struct GNUNET_RECLAIM_PresentationList *presentations)
Get required size for serialization buffer.
Definition reclaim_credential.c:687
GNUNET_RECLAIM_attribute_list_serialize_get_size
size_t GNUNET_RECLAIM_attribute_list_serialize_get_size(const struct GNUNET_RECLAIM_AttributeList *attrs)
Get required size for serialization buffer.
Definition reclaim_attribute.c:306
GNUNET_CRYPTO_EccSignaturePurpose
header of what an ECC signature signs this must be followed by "size - 8" bytes of the actual signed ...
Definition gnunet_crypto_lib.h:141
GNUNET_CRYPTO_EccSignaturePurpose::purpose
uint32_t purpose
What does this signature vouch for? This must contain a GNUNET_SIGNATURE_PURPOSE_XXX constant (from g...
Definition gnunet_crypto_lib.h:155
GNUNET_CRYPTO_Signature
An identity signature as per LSD0001.
Definition gnunet_crypto_lib.h:454
GNUNET_RECLAIM_Ticket::gns_name
char gns_name[63 *2+2]
The ticket.
Definition gnunet_reclaim_service.h:83
OIDC_Parameters
The signature used to generate the authorization code.
Definition oidc_helper.c:46
OIDC_Parameters::pres_list_len
uint32_t pres_list_len
The length of the presentation list.
Definition oidc_helper.c:70
OIDC_Parameters::nonce_len
uint32_t nonce_len
The nonce length.
Definition oidc_helper.c:55
OIDC_Parameters::attr_list_len
uint32_t attr_list_len
The length of the attributes list.
Definition oidc_helper.c:65
OIDC_Parameters::code_challenge_len
uint32_t code_challenge_len
The length of the PKCE code_challenge.
Definition oidc_helper.c:60

References OIDC_Parameters::attr_list_len, OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_assert, GNUNET_break, GNUNET_CRYPTO_sign_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_log, GNUNET_malloc, GNUNET_RECLAIM_attribute_list_serialize(), GNUNET_RECLAIM_attribute_list_serialize_get_size(), GNUNET_RECLAIM_presentation_list_serialize(), GNUNET_RECLAIM_presentation_list_serialize_get_size(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_STRINGS_base64url_encode(), GNUNET_SYSERR, OIDC_Parameters::nonce_len, payload, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_EccSignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by oidc_ticket_issue_cb().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_parse_authz_code()

int OIDC_parse_authz_code ( const char *  rp_uri,
const struct GNUNET_CRYPTO_PublicKey cid,
const char *  code,
const char *  code_verifier,
struct GNUNET_RECLAIM_Ticket ticket,
struct GNUNET_RECLAIM_AttributeList **  attrs,
struct GNUNET_RECLAIM_PresentationList **  presentations,
char **  nonce_str,
enum OIDC_VerificationOptions  opts,
char **  emsg 
)

Parse reclaim ticket and nonce from authorization code.

This also verifies the signature in the code.

Parameters
rp_urithe RP URI
codethe string representation of the code
code_verfierPKCE code verifier
ticketwhere to store the ticket
attrsthe attributes found in the code
presentationscredential presentation list
noncewhere to store the nonce
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

This also verifies the signature in the code.

Parameters
audiencethe expected audience of the code
codethe string representation of the code
code_verfierPKCE code verifier. Optional, must be provided if used in request.
ticketwhere to store the ticket
attrsthe attributes in the code
presentationscredential presentation list
nonce_strwhere to store the nonce (if contained)
Returns
GNUNET_OK if successful, else GNUNET_SYSERR

Definition at line 748 of file oidc_helper.c.

757{
758 char *code_payload;
759 char *ptr;
760 char *plaintext;
761 char *attrs_ser;
762 char *presentations_ser;
763 char *code_challenge;
764 struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
765 struct GNUNET_CRYPTO_Signature *signature;
766 struct GNUNET_CRYPTO_PublicKey iss;
767 uint32_t code_challenge_len;
768 uint32_t attrs_ser_len;
769 uint32_t pres_ser_len;
770 size_t plaintext_len;
771 size_t code_payload_len;
772 uint32_t nonce_len = 0;
773 struct OIDC_Parameters *params;
774
775
776 GNUNET_GNS_parse_ztld (ticket->gns_name, &iss);
777 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code);
778 code_payload = NULL;
779 code_payload_len =
780 GNUNET_STRINGS_base64url_decode (code, strlen (code),
781 (void **) &code_payload);
782 if (code_payload_len < sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose)
783 + sizeof(struct OIDC_Parameters)
784 + sizeof(struct GNUNET_CRYPTO_Signature))
785 {
786 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Authorization code malformed\n");
787 GNUNET_free (code_payload);
788 return GNUNET_SYSERR;
789 }
790
791 purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload;
792 plaintext_len = code_payload_len;
793 plaintext_len -= sizeof(struct GNUNET_CRYPTO_EccSignaturePurpose);
794 ptr = (char *) &purpose[1];
795 plaintext_len -= sizeof(struct GNUNET_CRYPTO_Signature);
796 plaintext = ptr;
797 ptr += plaintext_len;
798 signature = (struct GNUNET_CRYPTO_Signature *) ptr;
799 params = (struct OIDC_Parameters *) plaintext;
800
801 // cmp code_challenge code_verifier
802 code_challenge_len = ntohl (params->code_challenge_len);
803 code_challenge = ((char *) &params[1]);
804 if (! (opts & OIDC_VERIFICATION_NO_CODE_VERIFIER))
805 {
806 if (GNUNET_OK != check_code_challenge (code_challenge,
807 code_challenge_len,
808 code_verifier))
809 {
810 GNUNET_asprintf (emsg, "Code verifier `%s' invalid for challenge `%s'",
811 code_verifier, code_challenge);
812 GNUNET_free (code_payload);
813 return GNUNET_SYSERR;
814 }
815 }
816 nonce_len = ntohl (params->nonce_len);
817 if (0 != nonce_len)
818 {
819 *nonce_str = GNUNET_strndup (code_challenge + code_challenge_len,
820 nonce_len);
821 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %s\n", *nonce_str);
822 }
823
824 // Ticket
825 memcpy (ticket, &params->ticket, sizeof(params->ticket));
826 // Signature
827 // GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub);
828 if (GNUNET_OK !=
829 GNUNET_CRYPTO_signature_verify_ (
830 GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN,
831 purpose,
832 signature,
833 &iss))
834 {
835 GNUNET_free (code_payload);
836 if (NULL != *nonce_str)
837 GNUNET_free (*nonce_str);
838 GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n");
839 *emsg = GNUNET_strdup ("Signature verification failed");
840 return GNUNET_SYSERR;
841 }
842 // Attributes
843 attrs_ser = ((char *) &params[1]) + code_challenge_len + nonce_len;
844 attrs_ser_len = ntohl (params->attr_list_len);
845 *attrs = GNUNET_RECLAIM_attribute_list_deserialize (attrs_ser, attrs_ser_len);
846 presentations_ser = ((char*) attrs_ser) + attrs_ser_len;
847 pres_ser_len = ntohl (params->pres_list_len);
848 *presentations =
849 GNUNET_RECLAIM_presentation_list_deserialize (presentations_ser,
850 pres_ser_len);
851
852 GNUNET_free (code_payload);
853 return GNUNET_OK;
854}
GNUNET_GNS_parse_ztld
enum GNUNET_GenericReturnValue GNUNET_GNS_parse_ztld(const char *name, struct GNUNET_CRYPTO_PublicKey *ztld_key)
Try to parse the zTLD into a public key.
Definition gns_tld_api.c:228
GNUNET_CRYPTO_signature_verify_
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_signature_verify_(uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_Signature *sig, const struct GNUNET_CRYPTO_PublicKey *pub)
Verify a given signature.
Definition crypto_pkey.c:319
GNUNET_OK
@ GNUNET_OK
Definition gnunet_common.h:114
GNUNET_strdup
#define GNUNET_strdup(a)
Wrapper around GNUNET_xstrdup_.
Definition gnunet_common.h:1429
GNUNET_strndup
#define GNUNET_strndup(a, length)
Wrapper around GNUNET_xstrndup_.
Definition gnunet_common.h:1441
GNUNET_RECLAIM_presentation_list_deserialize
struct GNUNET_RECLAIM_PresentationList * GNUNET_RECLAIM_presentation_list_deserialize(const char *data, size_t data_size)
Deserialize a presentation list.
Definition reclaim_credential.c:732
GNUNET_RECLAIM_attribute_list_deserialize
struct GNUNET_RECLAIM_AttributeList * GNUNET_RECLAIM_attribute_list_deserialize(const char *data, size_t data_size)
Deserialize an attribute list.
Definition reclaim_attribute.c:351
GNUNET_STRINGS_base64url_decode
size_t GNUNET_STRINGS_base64url_decode(const char *data, size_t len, void **out)
Decode from Base64url.
Definition strings.c:1778
check_code_challenge
static enum GNUNET_GenericReturnValue check_code_challenge(const char *code_challenge, uint32_t code_challenge_len, const char *code_verifier)
Definition oidc_helper.c:691
GNUNET_CRYPTO_PublicKey
An identity key as per LSD0001.
Definition gnunet_crypto_lib.h:427
OIDC_Parameters::ticket
struct GNUNET_RECLAIM_Ticket ticket
The reclaim ticket.
Definition oidc_helper.c:50

References OIDC_Parameters::attr_list_len, check_code_challenge(), OIDC_Parameters::code_challenge_len, GNUNET_RECLAIM_Ticket::gns_name, GNUNET_asprintf(), GNUNET_CRYPTO_signature_verify_(), GNUNET_ERROR_TYPE_DEBUG, GNUNET_ERROR_TYPE_ERROR, GNUNET_free, GNUNET_GNS_parse_ztld(), GNUNET_log, GNUNET_OK, GNUNET_RECLAIM_attribute_list_deserialize(), GNUNET_RECLAIM_presentation_list_deserialize(), GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN, GNUNET_strdup, GNUNET_STRINGS_base64url_decode(), GNUNET_strndup, GNUNET_SYSERR, OIDC_Parameters::nonce_len, OIDC_VERIFICATION_NO_CODE_VERIFIER, OIDC_Parameters::pres_list_len, GNUNET_CRYPTO_EccSignaturePurpose::purpose, ticket, and OIDC_Parameters::ticket.

Referenced by consume_fail(), and token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_build_token_response()

void OIDC_build_token_response ( const char *  access_token,
const char *  id_token,
const struct GNUNET_TIME_Relative expiration_time,
char **  token_response 
)

Build a token response for a token request TODO: Maybe we should add the scope here?

Parameters
access_tokenthe access token to include
id_tokenthe id_token to include
expiration_timethe expiration time of the token(s)
token_responsewhere to store the response

Definition at line 867 of file oidc_helper.c.

871{
872 json_t *root_json;
873
874 root_json = json_object ();
875
876 GNUNET_assert (NULL != access_token);
877 GNUNET_assert (NULL != id_token);
878 GNUNET_assert (NULL != expiration_time);
879 json_object_set_new (root_json, "access_token", json_string (access_token));
880 json_object_set_new (root_json, "token_type", json_string ("Bearer"));
881 json_object_set_new (root_json,
882 "expires_in",
883 json_integer (expiration_time->rel_value_us
884 / (1000 * 1000)));
885 json_object_set_new (root_json, "id_token", json_string (id_token));
886 *token_response = json_dumps (root_json, JSON_INDENT (0) | JSON_COMPACT);
887 json_decref (root_json);
888}
GNUNET_TIME_Relative::rel_value_us
uint64_t rel_value_us
The actual value.
Definition gnunet_time_lib.h:84

References GNUNET_assert, and GNUNET_TIME_Relative::rel_value_us.

Referenced by token_endpoint().

Here is the caller graph for this function:

◆ OIDC_access_token_new()

char * OIDC_access_token_new ( const struct GNUNET_RECLAIM_Ticket ticket,
const char *  rp_uri 
)

Generate a new access token.

Definition at line 895 of file oidc_helper.c.

897{
898 char *access_token;
899 char *tkt_b64;
900
901 GNUNET_STRINGS_base64_encode (ticket,
902 sizeof(*ticket),
903 &tkt_b64);
904 GNUNET_asprintf (&access_token, "%s-%s", tkt_b64, rp_uri);
905 GNUNET_free (tkt_b64);
906 return access_token;
907}
GNUNET_STRINGS_base64_encode
size_t GNUNET_STRINGS_base64_encode(const void *in, size_t len, char **output)
Encode into Base64.
Definition strings.c:1618

References GNUNET_asprintf(), GNUNET_free, GNUNET_STRINGS_base64_encode(), and ticket.

Referenced by token_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_access_token_parse()

int OIDC_access_token_parse ( const char *  token,
struct GNUNET_RECLAIM_Ticket **  ticket,
char **  rp_uri 
)

Parse an access token.

Definition at line 914 of file oidc_helper.c.

917{
918 size_t sret;
919 char *decoded;
920 char *tmp;
921 char *tkt_str;
922 char *rp_uri_str;
923 tmp = GNUNET_strdup (token);
924 tkt_str = strtok (tmp, "-");
925 GNUNET_assert (NULL != tkt_str); // FIXME handle
926 rp_uri_str = strtok (NULL, "-");
927 GNUNET_assert (NULL != rp_uri_str); // FIXME handle
928 sret = GNUNET_STRINGS_base64_decode (tkt_str,
929 strlen (tkt_str),
930 (void**) &decoded);
931 if (sizeof (struct GNUNET_RECLAIM_Ticket) != sret)
932 {
933 GNUNET_free (decoded);
934 GNUNET_free (tmp);
935 return GNUNET_SYSERR;
936 }
937 *ticket = (struct GNUNET_RECLAIM_Ticket *) decoded;
938 *rp_uri = GNUNET_strdup (rp_uri_str);
939 GNUNET_free (tmp);
940 return GNUNET_OK;
941}
GNUNET_STRINGS_base64_decode
size_t GNUNET_STRINGS_base64_decode(const char *data, size_t len, void **output)
Decode from Base64.
Definition strings.c:1720
GNUNET_RECLAIM_Ticket
The authorization ticket.
Definition gnunet_reclaim_service.h:76

References GNUNET_assert, GNUNET_free, GNUNET_OK, GNUNET_strdup, GNUNET_STRINGS_base64_decode(), GNUNET_SYSERR, and ticket.

Referenced by userinfo_endpoint().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OIDC_check_scopes_for_claim_request()

enum GNUNET_GenericReturnValue OIDC_check_scopes_for_claim_request ( const char *  scopes,
const char *  attr 
)

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

Checks if a claim is implicitly requested through standard scope(s)

Parameters
scopesthe scopes which have been requested
attrthe attribute name to check
Returns
GNUNET_YES if attribute is implicitly requested

attribute matches requested scope

Definition at line 953 of file oidc_helper.c.

955{
956 char *scope_variables;
957 char *scope_variable;
958 char delimiter[] = " ";
959 int i;
960
961 scope_variables = GNUNET_strdup (scopes);
962 scope_variable = strtok (scope_variables, delimiter);
963 while (NULL != scope_variable)
964 {
965 if (0 == strcmp ("profile", scope_variable))
966 {
967 for (i = 0; i < 14; i++)
968 {
969 if (0 == strcmp (attr, OIDC_profile_claims[i]))
970 {
971 GNUNET_free (scope_variables);
972 return GNUNET_YES;
973 }
974 }
975 }
976 else if (0 == strcmp ("address", scope_variable))
977 {
978 for (i = 0; i < 5; i++)
979 {
980 if (0 == strcmp (attr, OIDC_address_claims[i]))
981 {
982 GNUNET_free (scope_variables);
983 return GNUNET_YES;
984 }
985 }
986 }
987 else if (0 == strcmp ("email", scope_variable))
988 {
989 for (i = 0; i < 2; i++)
990 {
991 if (0 == strcmp (attr, OIDC_email_claims[i]))
992 {
993 GNUNET_free (scope_variables);
994 return GNUNET_YES;
995 }
996 }
997 }
998 else if (0 == strcmp ("phone", scope_variable))
999 {
1000 for (i = 0; i < 2; i++)
1001 {
1002 if (0 == strcmp (attr, OIDC_phone_claims[i]))
1003 {
1004 GNUNET_free (scope_variables);
1005 return GNUNET_YES;
1006 }
1007 }
1008
1009 }
1010 else if (0 == strcmp (attr, scope_variable))
1011 {
1013 GNUNET_free (scope_variables);
1014 return GNUNET_YES;
1015 }
1016 scope_variable = strtok (NULL, delimiter);
1017 }
1018 GNUNET_free (scope_variables);
1019 return GNUNET_NO;
1020
1021}
GNUNET_YES
@ GNUNET_YES
Definition gnunet_common.h:116
GNUNET_NO
@ GNUNET_NO
Definition gnunet_common.h:113
OIDC_email_claims
static char OIDC_email_claims[2][16]
Standard claims represented by the "email" scope in OIDC.
Definition oidc_helper.c:87
OIDC_address_claims
static char OIDC_address_claims[5][32]
Standard claims represented by the "address" scope in OIDC.
Definition oidc_helper.c:101
OIDC_phone_claims
static char OIDC_phone_claims[2][32]
Standard claims represented by the "phone" scope in OIDC.
Definition oidc_helper.c:94
OIDC_profile_claims
static GNUNET_NETWORK_STRUCT_END char OIDC_profile_claims[14][32]
Standard claims represented by the "profile" scope in OIDC.
Definition oidc_helper.c:78

References GNUNET_free, GNUNET_NO, GNUNET_strdup, GNUNET_YES, OIDC_address_claims, OIDC_email_claims, OIDC_phone_claims, and OIDC_profile_claims.

Referenced by attr_in_claims_request().

Here is the caller graph for this function:

◆ OIDC_generate_userinfo()

char * OIDC_generate_userinfo ( const struct GNUNET_CRYPTO_PublicKey sub_key,
const struct GNUNET_RECLAIM_AttributeList attrs,
const struct GNUNET_RECLAIM_PresentationList presentations 
)

Generate userinfo JSON as string.

Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list
Returns
Userinfo JSON
Parameters
sub_keythe subject (user)
attrsuser attribute list
presentationscredential presentation list (may be empty)
Returns
Userinfo JSON

Definition at line 342 of file oidc_helper.c.

346{
347 char *body_str;
348 json_t*body = generate_userinfo_json (sub_key,
349 attrs,
350 presentations);
351 body_str = json_dumps (body, JSON_INDENT (0) | JSON_COMPACT);
352 json_decref (body);
353 return body_str;
354}
generate_userinfo_json
static json_t * generate_userinfo_json(const struct GNUNET_CRYPTO_PublicKey *sub_key, const struct GNUNET_RECLAIM_AttributeList *attrs, const struct GNUNET_RECLAIM_PresentationList *presentations)
Definition oidc_helper.c:162

References generate_userinfo_json().

Referenced by consume_fail(), and consume_ticket().

Here is the call graph for this function:
Here is the caller graph for this function: