Rev 1283 | Rev 1300 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1283 | Rev 1298 | ||
|---|---|---|---|
| Line 95... | Line 95... | ||
| 95 | $cfg = self::jwtGetBlacklistConfigKey($gen, $sub); |
95 | $cfg = self::jwtGetBlacklistConfigKey($gen, $sub); |
| 96 | return (int)OIDplus::config()->getValue($cfg,0); |
96 | return (int)OIDplus::config()->getValue($cfg,0); |
| 97 | } |
97 | } |
| 98 | 98 | ||
| 99 | /** |
99 | /** |
| - | 100 | * We include a hash of the server-secret here (ssh = server-secret-hash), so that the JWT can be invalidated by changing the server-secret |
|
| - | 101 | * @return string |
|
| - | 102 | * @throws OIDplusException |
|
| - | 103 | */ |
|
| - | 104 | private static function getSsh(): string { |
|
| - | 105 | return OIDplus::authUtils()->makeSecret(['bb1aebd6-fe6a-11ed-a553-3c4a92df8582']); |
|
| - | 106 | } |
|
| - | 107 | ||
| - | 108 | /** |
|
| 100 | * Do various checks if the token is allowed and not blacklisted |
109 | * Do various checks if the token is allowed and not blacklisted |
| 101 | * @param OIDplusAuthContentStore $contentProvider |
110 | * @param OIDplusAuthContentStore $contentProvider |
| 102 | * @param int|null $validGenerators Bitmask which generators to allow (null = allow all) |
111 | * @param int|null $validGenerators Bitmask which generators to allow (null = allow all) |
| 103 | * @return void |
112 | * @return void |
| 104 | * @throws OIDplusException |
113 | * @throws OIDplusException |
| Line 106... | Line 115... | ||
| 106 | private static function jwtSecurityCheck(OIDplusAuthContentStore $contentProvider, int $validGenerators=null) { |
115 | private static function jwtSecurityCheck(OIDplusAuthContentStore $contentProvider, int $validGenerators=null) { |
| 107 | // Check if the token is intended for us |
116 | // Check if the token is intended for us |
| 108 | if ($contentProvider->getValue('aud','') !== OIDplus::getEditionInfo()['jwtaud']) { |
117 | if ($contentProvider->getValue('aud','') !== OIDplus::getEditionInfo()['jwtaud']) { |
| 109 | throw new OIDplusException(_L('Token has wrong audience')); |
118 | throw new OIDplusException(_L('Token has wrong audience')); |
| 110 | } |
119 | } |
| - | 120 | ||
| - | 121 | if ($contentProvider->getValue('oidplus_ssh', '') !== self::getSsh()) { |
|
| - | 122 | throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore')); |
|
| - | 123 | } |
|
| - | 124 | ||
| 111 | $gen = $contentProvider->getValue('oidplus_generator', -1); |
125 | $gen = $contentProvider->getValue('oidplus_generator', -1); |
| 112 | 126 | ||
| 113 | $has_admin = $contentProvider->isAdminLoggedIn(); |
127 | $has_admin = $contentProvider->isAdminLoggedIn(); |
| 114 | $has_ra = $contentProvider->raNumLoggedIn() > 0; |
128 | $has_ra = $contentProvider->raNumLoggedIn() > 0; |
| 115 | 129 | ||
| Line 409... | Line 423... | ||
| 409 | */ |
423 | */ |
| 410 | public function loadJWT(string $jwt) { |
424 | public function loadJWT(string $jwt) { |
| 411 | \Firebase\JWT\JWT::$leeway = 60; // leeway in seconds |
425 | \Firebase\JWT\JWT::$leeway = 60; // leeway in seconds |
| 412 | if (OIDplus::getPkiStatus()) { |
426 | if (OIDplus::getPkiStatus()) { |
| 413 | $pubKey = OIDplus::getSystemPublicKey(); |
427 | $pubKey = OIDplus::getSystemPublicKey(); |
| 414 | $k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation |
428 | $k = new \Firebase\JWT\Key($pubKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation |
| 415 | $this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k); |
429 | $this->content = (array) \Firebase\JWT\JWT::decode($jwt, $k); |
| 416 | } else { |
430 | } else { |
| 417 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
431 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
| 418 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
432 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
| 419 | $k = new \Firebase\JWT\Key($key, 'HS512'); // HMAC+SHA512 is hardcoded here |
433 | $k = new \Firebase\JWT\Key($key, 'HS512'); // HMAC+SHA512 is hardcoded here |
| Line 429... | Line 443... | ||
| 429 | $payload = $this->content; |
443 | $payload = $this->content; |
| 430 | $payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
444 | $payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
| 431 | $payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
445 | $payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
| 432 | $payload["jti"] = gen_uuid(); |
446 | $payload["jti"] = gen_uuid(); |
| 433 | $payload["iat"] = time(); |
447 | $payload["iat"] = time(); |
| - | 448 | $payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash |
|
| 434 | 449 | ||
| 435 | if (OIDplus::getPkiStatus()) { |
450 | if (OIDplus::getPkiStatus()) { |
| 436 | $privKey = OIDplus::getSystemPrivateKey(); |
451 | $privKey = OIDplus::getSystemPrivateKey(); |
| 437 | return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 ist hardcoded in getPkiStatus() generation |
452 | return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation |
| 438 | } else { |
453 | } else { |
| 439 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
454 | $key = OIDplus::authUtils()->makeSecret(['0be35e52-f4ef-11ed-b67e-3c4a92df8582']); |
| 440 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
455 | $key = hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, false); |
| 441 | return \Firebase\JWT\JWT::encode($payload, $key, 'HS512'); // HMAC+SHA512 is hardcoded here |
456 | return \Firebase\JWT\JWT::encode($payload, $key, 'HS512'); // HMAC+SHA512 is hardcoded here |
| 442 | } |
457 | } |