Subversion Repositories oidplus

Compare Revisions

Rev 1297 → Rev 1298

/trunk/doc/developer_notes/server_secret.md
35,6 → 35,10
* If a private/public key pair exists: Sign the JWT using that private key.
* Otherwise sign it using PBKDF2+HMAC:
`JWT = HS512(hash_pbkdf2("sha512", OIDplus::authUtils()->makeSecret(["0be35e52-f4ef-11ed-b67e-3c4a92df8582"]), "", 10000, 64/*256bit*/, false))`
- The JWT additionally contains a member `oidplus_ssh = OIDplus::authUtils()->makeSecret(["bb1aebd6-fe6a-11ed-a553-3c4a92df8582"]` (SSH = Server Secret Hash)
with the sole purpose of allowing to invalidate all issued JWT by changing the server secret.
(This would be more secure than the Blacklist feature, since changing the server secret)
also invalidates JWT which might have been maliciously postdated).
- Session Handler (OIDplusSessionHandler.class.php):
Encryption of session contents (regular logins)
* if OpenSSL is installed: sha512-pbkdf2 + AES-256-CBC + sha3-512-hmac
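Review bot: The added `oidplus_ssh` line in server_secret.md has unbalanced brackets: `makeSecret(["bb1aebd6-fe6a-11ed-a553-3c4a92df8582"]` is missing its closing `)`. In the sentence that follows, the parenthesis closes after "changing the server secret" and leaves a stray `)` after "postdated". Suggest closing the call and letting the parenthetical run to the end of the sentence, so the rationale about postdated tokens reads as one statement.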
/trunk/includes/classes/OIDplusAuthContentStoreJWT.class.php
97,6 → 97,15
}
 
/**
* We include a hash of the server-secret here (ssh = server-secret-hash), so that the JWT can be invalidated by changing the server-secret
* @return string
* @throws OIDplusException
*/
private static function getSsh(): string {
return OIDplus::authUtils()->makeSecret(['bb1aebd6-fe6a-11ed-a553-3c4a92df8582']);
}
 
/**
* Do various checks if the token is allowed and not blacklisted
* @param OIDplusAuthContentStore $contentProvider
* @param int|null $validGenerators Bitmask which generators to allow (null = allow all)
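Review bot: `getSsh()` returns the output of `makeSecret()` unchanged, and this commit writes that value into the JWT payload, which every token holder can read. The docblock calls it a hash of the server secret, but nothing in this hunk shows the derivation. Please document in the docblock that `makeSecret()` is one-way and that the value for `bb1aebd6-fe6a-11ed-a553-3c4a92df8582` cannot be used to obtain the signing key derived from `0be35e52-f4ef-11ed-b67e-3c4a92df8582`, or apply an explicit hash to the return value here.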
108,6 → 117,11
if ($contentProvider->getValue('aud','') !== OIDplus::getEditionInfo()['jwtaud']) {
throw new OIDplusException(_L('Token has wrong audience'));
}
 
if ($contentProvider->getValue('oidplus_ssh', '') !== self::getSsh()) {
throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore'));
}
 
$gen = $contentProvider->getValue('oidplus_generator', -1);
 
$has_admin = $contentProvider->isAdminLoggedIn();
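Review bot: The new `oidplus_ssh` check treats a missing claim the same as a changed secret: `getValue('oidplus_ssh', '')` yields `''` for every token issued before this revision, so those tokens are rejected with a message saying the server secret was changed. If rejecting them is intended, note it in the changelog or use a separate message for the missing claim. Since the compared value is derived from the server secret, `hash_equals()` would be the more defensive comparison than `!==`.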
411,7 → 425,7
\Firebase\JWT\JWT::$leeway = 60; // leeway in seconds
if (OIDplus::getPkiStatus()) {
$pubKey = OIDplus::getSystemPublicKey();
$k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation
$k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation
$this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k);
} else {
$key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']);
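Review bot: The literal `'RS256'` and its comment on the `new \Firebase\JWT\Key(...)` line are repeated in the encode path later in this file; a single class constant would keep decode and encode from drifting apart and give the comment one home. The edit in this hunk is a comment typo fix unrelated to the `oidplus_ssh` feature and would be easier to track as its own commit.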
431,10 → 445,11
$payload["aud"] = OIDplus::getEditionInfo()['jwtaud'];
$payload["jti"] = gen_uuid();
$payload["iat"] = time();
$payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash
 
if (OIDplus::getPkiStatus()) {
$privKey = OIDplus::getSystemPrivateKey();
return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation
return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation
} else {
$key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']);
$key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false);
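Review bot: The HMAC branch at the end of this hunk derives the key with `hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false)`, while server_secret.md in the same commit documents `64/*256bit*/`. With the last argument `false` the length counts hex characters, so 32 yields 128 bits of key material and the `256bit` comment does not match the code. Align code and documentation on one value, and check that the decode path uses the same length.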
/trunk/plugins/viathinksoft/language/dede/messages.xml
30,6 → 30,14
</message>
<message>
<source><![CDATA[
"Server Secret" was changed; therefore the JWT is not valid anymore
]]></source>
<target><![CDATA[
Das "Server Secret" wurde geändert; deshalb ist der JWT-Schlüssel nicht mehr gültig
]]></target>
</message>
<message>
<source><![CDATA[
%1 action failed because object "%2" cannot be parsed!
]]></source>
<target><![CDATA[
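Review bot: The German target for the new message renders "the JWT" as "der JWT-Schlüssel" (the JWT key), which points the user at a key rather than at their token. "das JWT" or "das JWT-Token" would match the source string.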