Line 95... | Line 95... | ||
95 | $cfg = self::jwtGetBlacklistConfigKey($gen, $sub); |
95 | $cfg = self::jwtGetBlacklistConfigKey($gen, $sub); |
96 | return (int)OIDplus::config()->getValue($cfg,0); |
96 | return (int)OIDplus::config()->getValue($cfg,0); |
97 | } |
97 | } |
98 | 98 | ||
99 | /** |
99 | /** |
- | 100 | * We include a hash of the server-secret here (ssh = server-secret-hash), so that the JWT can be invalidated by changing the server-secret |
|
- | 101 | * @return string |
|
- | 102 | * @throws OIDplusException |
|
- | 103 | */ |
|
- | 104 | private static function getSsh(): string { |
|
- | 105 | return OIDplus::authUtils()->makeSecret(['bb1aebd6-fe6a-11ed-a553-3c4a92df8582']); |
|
- | 106 | } |
|
- | 107 | ||
- | 108 | /** |
|
100 | * Do various checks if the token is allowed and not blacklisted |
109 | * Do various checks if the token is allowed and not blacklisted |
101 | * @param OIDplusAuthContentStore $contentProvider |
110 | * @param OIDplusAuthContentStore $contentProvider |
102 | * @param int|null $validGenerators Bitmask which generators to allow (null = allow all) |
111 | * @param int|null $validGenerators Bitmask which generators to allow (null = allow all) |
103 | * @return void |
112 | * @return void |
104 | * @throws OIDplusException |
113 | * @throws OIDplusException |
Line 106... | Line 115... | ||
106 | private static function jwtSecurityCheck(OIDplusAuthContentStore $contentProvider, int $validGenerators=null) { |
115 | private static function jwtSecurityCheck(OIDplusAuthContentStore $contentProvider, int $validGenerators=null) { |
107 | // Check if the token is intended for us |
116 | // Check if the token is intended for us |
108 | if ($contentProvider->getValue('aud','') !== OIDplus::getEditionInfo()['jwtaud']) { |
117 | if ($contentProvider->getValue('aud','') !== OIDplus::getEditionInfo()['jwtaud']) { |
109 | throw new OIDplusException(_L('Token has wrong audience')); |
118 | throw new OIDplusException(_L('Token has wrong audience')); |
110 | } |
119 | } |
- | 120 | ||
- | 121 | if ($contentProvider->getValue('oidplus_ssh', '') !== self::getSsh()) { |
|
- | 122 | throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore')); |
|
- | 123 | } |
|
- | 124 | ||
111 | $gen = $contentProvider->getValue('oidplus_generator', -1); |
125 | $gen = $contentProvider->getValue('oidplus_generator', -1); |
112 | 126 | ||
113 | $has_admin = $contentProvider->isAdminLoggedIn(); |
127 | $has_admin = $contentProvider->isAdminLoggedIn(); |
114 | $has_ra = $contentProvider->raNumLoggedIn() > 0; |
128 | $has_ra = $contentProvider->raNumLoggedIn() > 0; |
115 | 129 | ||
Line 409... | Line 423... | ||
409 | */ |
423 | */ |
410 | public function loadJWT(string $jwt) { |
424 | public function loadJWT(string $jwt) { |
411 | \Firebase\JWT\JWT::$leeway = 60; // leeway in seconds |
425 | \Firebase\JWT\JWT::$leeway = 60; // leeway in seconds |
412 | if (OIDplus::getPkiStatus()) { |
426 | if (OIDplus::getPkiStatus()) { |
413 | $pubKey = OIDplus::getSystemPublicKey(); |
427 | $pubKey = OIDplus::getSystemPublicKey(); |
414 | $k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation |
428 | $k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation |
415 | $this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k); |
429 | $this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k); |
416 | } else { |
430 | } else { |
417 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
431 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
418 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
432 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
419 | $k = new \Firebase\JWT\Key($key, 'HS512'); // HMAC+SHA512 is hardcoded here |
433 | $k = new \Firebase\JWT\Key($key, 'HS512'); // HMAC+SHA512 is hardcoded here |
Line 429... | Line 443... | ||
429 | $payload = $this->content; |
443 | $payload = $this->content; |
430 | $payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
444 | $payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
431 | $payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
445 | $payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
432 | $payload["jti"] = gen_uuid(); |
446 | $payload["jti"] = gen_uuid(); |
433 | $payload["iat"] = time(); |
447 | $payload["iat"] = time(); |
- | 448 | $payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash |
|
434 | 449 | ||
435 | if (OIDplus::getPkiStatus()) { |
450 | if (OIDplus::getPkiStatus()) { |
436 | $privKey = OIDplus::getSystemPrivateKey(); |
451 | $privKey = OIDplus::getSystemPrivateKey(); |
437 | return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation |
452 | return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation |
438 | } else { |
453 | } else { |
439 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
454 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
440 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
455 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
441 | return \Firebase\JWT\JWT::encode($payload, $key, 'HS512'); // HMAC+SHA512 is hardcoded here |
456 | return \Firebase\JWT\JWT::encode($payload, $key, 'HS512'); // HMAC+SHA512 is hardcoded here |
442 | } |
457 | } |
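Review bot: The `oidplus_ssh` check added at new line 121 compares a server-secret-derived value with `!==`, a non-constant-time comparison; use `if (!hash_equals(self::getSsh(), (string)$contentProvider->getValue('oidplus_ssh', ''))) {` instead, which costs nothing and is the convention for anything derived from key material. The exposure is limited because the claim reaches this check only after signature verification (assuming jwtSecurityCheck is called only on a successfully decoded token, which these hunks do not show), but the same value is emitted into the JWT payload at new line 448, where it is merely base64url-encoded, so whatever getSsh() returns is readable by every token bearer and must be safe to publish — if the server secret were low-entropy, an offline guess against the fixed UUID input is the attack to consider. A comment on getSsh() should state that contract, e.g. `// Exposed in the JWT payload (base64 only): must be a one-way keyed derivation of the server secret, never the secret itself`. jwtSecurityCheck continues past the end of the first hunk, and the method that builds $payload starts before the last hunk.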