Startsida Utforska Hjälp
Logga in
kestrel
/
uidc
1
0
Fork 0
Filer Ärenden 5 Pull-förfrågningar 0 Wiki
Bläddra i källkod

Add infrastructure for HMAC signatures and verification.

Kestrel 11 månader sedan
förälder
bc4f8eb1e0
incheckning
ba869364b3
6 ändrade filer med 156 tillägg och 39 borttagningar
Delad Vy Visa Diff Statistik
  1. 4 1
      src/client_management.rs
  2. 9 9
      src/jwt.rs
  3. 74 5
      src/key.rs
  4. 9 2
      src/schema.rs
  5. 13 5
      src/server/oidc.rs
  6. 47 17
      src/token.rs

+ 4 - 1
src/client_management.rs
Visa fil 

@@ -8,12 +8,15 @@ pub fn create(
 
 ) -> Result<(), UIDCError> {
 
     let rng = ring::rand::SystemRandom::new();
 
     let client_secret: [u8; 32] = ring::rand::generate(&rng).unwrap().expose();
 
+    let refresh_token_secret: [u8; 32] = ring::rand::generate(&rng).unwrap().expose();
 
 
     realm.clients.insert(schema::Client {
 
         realm: realm.id(),
 
         shortname: name.into(),
 
         secret: base64::encode(&client_secret),
 
-        key_type: key_type.into(),
 
+        access_key_type: key_type.into(),
 
+        refresh_key_type: key_type.into(),
 
+        refresh_token_secret: refresh_token_secret.into(),
 
         redirects: Default::default(),
 
         scopes: Default::default(),
 
     })?;

+ 9 - 9
src/jwt.rs
Visa fil 

@@ -1,15 +1,15 @@
 
-use crate::key::ParsedKey;
 
+use crate::key::{HMacType, ParsedKey};
 
 
 fn jwt_algorithm(pk: &ParsedKey) -> &'static str {
 
     match pk {
 
-        ParsedKey::Ed25519 {
 
-            key_id: _,
 
-            keypair: _,
 
-        } => "EdDSA",
 
-        ParsedKey::RSA {
 
-            key_id: _,
 
-            keypair: _,
 
-        } => "RS256",
 
+        ParsedKey::HMAC { hmty, .. } => {
 
+            match hmty {
 
+                HMacType::Sha256 => "HS256",
 
+                HMacType::Sha512 => "HS512",
 
+            }
 
+        },
 
+        ParsedKey::Ed25519 { ..  } => "EdDSA",
 
+        ParsedKey::RSA { ..  } => "RS256",
 
     }
 
 }

+ 74 - 5
src/key.rs
Visa fil 

@@ -1,8 +1,12 @@
 
 use std::{cell::RefCell, sync::Arc};
 
 
 use crate::{schema, UIDCError};
 
+use hmac::{Hmac, Mac};
 
 use microrm::prelude::*;
 
-use ring::signature::{Ed25519KeyPair, KeyPair};
 
+use ring::{
 
+    rand::SecureRandom,
 
+    signature::{Ed25519KeyPair, KeyPair},
 
+};
 
 use sha2::Digest;
 
 
 use itertools::Itertools;
 
@@ -12,9 +16,26 @@ pub enum KeyError {
 
     Plain(&'static str),
 
 }
 
 
+#[non_exhaustive]
 
+#[derive(Clone, Copy, Debug, PartialEq, serde::Serialize, serde::Deserialize)]
 
+pub enum HMacType {
 
+    Sha256,
 
+    Sha512,
 
+}
 
+
 
+impl HMacType {
 
+    pub fn digest_width(&self) -> usize {
 
+        match self {
 
+            Self::Sha256 => 32,
 
+            Self::Sha512 => 64,
 
+        }
 
+    }
 
+}
 
+
 
 #[non_exhaustive]
 
 #[derive(Clone, Copy, Debug, PartialEq, serde::Serialize, serde::Deserialize)]
 
 pub enum KeyType {
 
+    HMac(HMacType),
 
     RSA2048,
 
     RSA4096,
 
     Ed25519,
 
@@ -27,6 +48,8 @@ impl std::fmt::Display for KeyType {
 
 }
 
 
 pub const KEY_TYPE_NAMES: &'static [(&'static str, KeyType)] = &[
 
+    ("hmac_sha256", KeyType::HMac(HMacType::Sha256)),
 
+    ("hmac_sha512", KeyType::HMac(HMacType::Sha512)),
 
     ("rsa2048", KeyType::RSA2048),
 
     ("rsa4096", KeyType::RSA4096),
 
     ("ed25519", KeyType::Ed25519),
 
@@ -48,6 +71,11 @@ impl std::str::FromStr for KeyType {
 
 }
 
 
 pub enum ParsedKey {
 
+    HMAC {
 
+        key_id: String,
 
+        keydata: Vec<u8>,
 
+        hmty: HMacType,
 
+    },
 
     Ed25519 {
 
         key_id: String,
 
         keypair: ring::signature::Ed25519KeyPair,
 
@@ -61,15 +89,30 @@ pub enum ParsedKey {
 
 impl ParsedKey {
 
     pub fn key_id(&self) -> &str {
 
         match self {
 
-            Self::Ed25519 { key_id, keypair } => key_id.as_str(),
 
-            Self::RSA { key_id, keypair } => key_id.as_str(),
 
+            Self::HMAC { key_id, .. } => key_id.as_str(),
 
+            Self::Ed25519 { key_id, .. } => key_id.as_str(),
 
+            Self::RSA { key_id, .. } => key_id.as_str(),
 
         }
 
     }
 
 
     pub fn generate_signature(&self, data: &[u8]) -> Result<Vec<u8>, UIDCError> {
 
         match self {
 
-            Self::Ed25519 { key_id, keypair } => Ok(keypair.sign(data).as_ref().into()),
 
-            Self::RSA { key_id, keypair } => {
 
+            Self::HMAC { keydata, hmty, .. } => match hmty {
 
+                HMacType::Sha256 => Ok(Hmac::<sha2::Sha256>::new_from_slice(keydata.as_slice())
 
+                    .unwrap()
 
+                    .chain_update(data)
 
+                    .finalize()
 
+                    .into_bytes()
 
+                    .to_vec()),
 
+                HMacType::Sha512 => Ok(Hmac::<sha2::Sha512>::new_from_slice(keydata.as_slice())
 
+                    .unwrap()
 
+                    .chain_update(data)
 
+                    .finalize()
 
+                    .into_bytes()
 
+                    .to_vec()),
 
+            },
 
+            Self::Ed25519 { keypair, .. } => Ok(keypair.sign(data).as_ref().into()),
 
+            Self::RSA { keypair, .. } => {
 
                 let rng = ring::rand::SystemRandom::new();
 
                 let mut signature = vec![];
 
                 signature.resize(keypair.public_modulus_len(), 0);
 
@@ -89,6 +132,11 @@ impl ParsedKey {
 
     pub fn verify_signature(&self, data: &[u8], signature: &[u8]) -> Result<bool, UIDCError> {
 
         use ring::signature::VerificationAlgorithm;
 
         match self {
 
+            Self::HMAC { .. } => Ok(ring::constant_time::verify_slices_are_equal(
 
+                self.generate_signature(data)?.as_slice(),
 
+                signature,
 
+            )
 
+            .is_ok()),
 
             Self::Ed25519 { keypair, .. } => Ok(ring::signature::ED25519
 
                 .verify(
 
                     keypair.public_key().as_ref().into(),
 
@@ -108,6 +156,11 @@ impl ParsedKey {
 
 
     pub fn parse_from(key: &schema::Key) -> Result<Self, UIDCError> {
 
         match key.key_type.as_ref() {
 
+            KeyType::HMac(hmty) => Ok(ParsedKey::HMAC {
 
+                key_id: key.key_id.clone(),
 
+                keydata: key.secret_data.clone(),
 
+                hmty: *hmty,
 
+            }),
 
             KeyType::RSA2048 | KeyType::RSA4096 => Ok(ParsedKey::RSA {
 
                 key_id: key.key_id.clone(),
 
                 keypair: ring::signature::RsaKeyPair::from_pkcs8(&key.secret_data)
 
@@ -234,6 +287,22 @@ fn generate_rsa(realm: &schema::Realm, kty: KeyType, bits: usize) -> Result<Pars
 
 pub fn generate_in(realm: &schema::Realm, kty: KeyType) -> Result<ParsedKey, UIDCError> {
 
     let mut rng = ring::rand::SystemRandom::new();
 
     match kty {
 
+        KeyType::HMac(hmty) => {
 
+            let rng = ring::rand::SystemRandom::new();
 
+            let mut key_id = [0u8; 16];
 
+            rng.fill(&mut key_id)
 
+                .map_err(|_| UIDCError::Abort("couldn't generate random values"));
 
+
 
+            let mut keydata = vec![];
 
+            keydata.resize(hmty.digest_width(), 0u8);
 
+            rng.fill(keydata.as_mut_slice())
 
+                .map_err(|_| UIDCError::Abort("couldn't generate random values"));
 
+            Ok(ParsedKey::HMAC {
 
+                key_id: base64::encode(key_id),
 
+                keydata,
 
+                hmty,
 
+            })
 
+        }
 
         KeyType::RSA2048 => generate_rsa(realm, KeyType::RSA2048, 2048),
 
         KeyType::RSA4096 => generate_rsa(realm, KeyType::RSA4096, 4096),
 
         KeyType::Ed25519 => {

+ 9 - 2
src/schema.rs
Visa fil 

@@ -138,15 +138,22 @@ pub struct Client {
 
     pub realm: RealmID,
 
     #[key]
 
     pub shortname: String,
 
+
 
     pub secret: String,
 
-    pub key_type: microrm::Serialized<KeyType>,
 
+
 
+    #[elide]
 
+    pub refresh_token_secret: Vec<u8>,
 
+
 
+    pub access_key_type: microrm::Serialized<KeyType>,
 
+    pub refresh_key_type: microrm::Serialized<KeyType>,
 
+
 
     pub redirects: microrm::RelationMap<ClientRedirect>,
 
     pub scopes: microrm::RelationMap<Scope>,
 
 }
 
 
 #[derive(Entity)]
 
 pub struct ClientRedirect {
 
-    pub redirect: String,
 
+    pub redirect_pattern: String,
 
 }
 
 
 #[derive(Entity)]

+ 13 - 5
src/server/oidc.rs
Visa fil 

@@ -128,7 +128,7 @@ fn do_token_authorize<'l, 's>(
 
     realm: &schema::Realm,
 
     client: &schema::Client,
 
     user: &schema::User,
 
-    scopes: impl Iterator<Item = &'l str>,
 
+    scopes: impl Iterator<Item = &'l str> + Clone,
 
     state: Option<&'s str>,
 
 ) -> Result<tide::Response, OIDCError<'s>> {
 
     let token = token::generate_access_token(config, &realm, client, user, scopes.into_iter());
 
@@ -374,19 +374,27 @@ async fn jwks(request: Request) -> tide::Result<tide::Response> {
 
             .get()?
 
             .into_iter()
 
             .map(|key| match key::ParsedKey::parse_from(&key)? {
 
-                key::ParsedKey::Ed25519 { key_id: _, keypair } => Ok(serde_json::json!({
 
+                key::ParsedKey::HMAC { key_id, hmty, .. } => Ok(serde_json::json!({
 
+                    "kid": key_id,
 
+                    "alg": match hmty {
 
+                        key::HMacType::Sha256 => "HS256",
 
+                        key::HMacType::Sha512 => "HS512",
 
+                    },
 
+                    "hmac": true,
 
+                })),
 
+                key::ParsedKey::Ed25519 { key_id, keypair } => Ok(serde_json::json!({
 
                     "crv": "Ed25519",
 
-                    "kid": key.key_id,
 
+                    "kid": key_id,
 
                     "kty": "OKP",
 
                     "use": "sig",
 
 
                     "x": base64::encode(keypair.public_key().as_ref()),
 
                 })),
 
-                key::ParsedKey::RSA { key_id: _, keypair } => {
 
+                key::ParsedKey::RSA { key_id, keypair } => {
 
                     let pubkey = keypair.public_key();
 
                     Ok(serde_json::json!({
 
                         "alg": "RS256",
 
-                        "kid": key.key_id,
 
+                        "kid": key_id,
 
                         "kty": "RSA",
 
                         "use": "sig",

+ 47 - 17
src/token.rs
Visa fil 

@@ -20,18 +20,11 @@ impl From<ring::error::KeyRejected> for TokenError {
 
     }
 
 }
 
 
-pub fn generate_access_token<'a>(
 
-    config: &config::Config,
 
+fn determine_roles<'a>(
 
     realm: &schema::Realm,
 
-    client: &schema::Client,
 
     user: &schema::User,
 
     scopes: impl Iterator<Item = &'a str>,
 
-) -> Result<String, UIDCError> {
 
-    let issuer = format!("{}/{}", config.base_url, realm.shortname,);
 
-
 
-    let iat = std::time::SystemTime::now();
 
-    let exp = iat + std::time::Duration::from_secs(config.auth_token_expiry);
 
-
 
+) -> Result<Vec<String>, UIDCError> {
 
     // find all roles the user can possibly have access to
 
     let mut user_roles = user.groups.join(schema::Group::Roles).get()?;
 
 
@@ -54,11 +47,26 @@ pub fn generate_access_token<'a>(
 
     requested_roles.dedup();
 
 
     // find the intersection between requested roles and the ones the user actually has
 
-
 
-    let resulting_roles = requested_roles
 
+    Ok(requested_roles
 
         .into_iter()
 
         .filter(|req| user_roles.contains(req))
 
-        .map(|role| Ok(serde_json::Value::String(role.wrapped().shortname)));
 
+        .map(|role| role.wrapped().shortname)
 
+        .collect())
 
+}
 
+
 
+pub fn generate_access_token<'a>(
 
+    config: &config::Config,
 
+    realm: &schema::Realm,
 
+    client: &schema::Client,
 
+    user: &schema::User,
 
+    scopes: impl Iterator<Item = &'a str> + Clone,
 
+) -> Result<String, UIDCError> {
 
+    let issuer = format!("{}/{}", config.base_url, realm.shortname,);
 
+
 
+    let iat = std::time::SystemTime::now();
 
+    let exp = iat + std::time::Duration::from_secs(config.auth_token_expiry);
 
+
 
+    let resulting_roles = determine_roles(realm, user, scopes.clone())?;
 
 
     let token = jwt::JWTData {
 
         sub: user.username.as_str(),
 
@@ -66,17 +74,32 @@ pub fn generate_access_token<'a>(
 
         aud: client.shortname.as_str(),
 
         iat: iat.duration_since(std::time::UNIX_EPOCH).unwrap().as_secs(),
 
         exp: exp.duration_since(std::time::UNIX_EPOCH).unwrap().as_secs(),
 
-        extras: [(
 
-            "roles",
 
-            serde_json::Value::Array(resulting_roles.collect::<Result<Vec<_>, UIDCError>>()?),
 
-        )]
 
+        extras: [
 
+            (
 
+                "scopes",
 
+                serde_json::Value::Array(
 
+                    scopes
 
+                        .map(|v| serde_json::Value::String(v.into()))
 
+                        .collect::<Vec<_>>(),
 
+                ),
 
+            ),
 
+            (
 
+                "roles",
 
+                serde_json::Value::Array(
 
+                    resulting_roles
 
+                        .into_iter()
 
+                        .map(serde_json::Value::String)
 
+                        .collect::<Vec<_>>(),
 
+                ),
 
+            ),
 
+        ]
 
         .into(),
 
     };
 
 
     let mut realmkeys = key::RealmKeys::new(realm.clone());
 
 
     let key = realmkeys
 
-        .by_type(*client.key_type.as_ref())?
 
+        .by_type(*client.access_key_type.as_ref())?
 
         .ok_or(UIDCError::Abort("no matching signing key for realm"))?;
 
 
     Ok(jwt::JWT::sign(&key, token).into_string())
 
@@ -91,3 +114,10 @@ pub fn generate_refresh_token<'a>(
 
 ) -> Result<String, UIDCError> {
 
     todo!()
 
 }
 
+
 
+pub fn trade_refresh_token<'a>(
 
+    config: &config::Config,
 
+    token: &'a str,
 
+) -> Result<(String, String), UIDCError> {
 
+    todo!()
 
+}