
working on new third-party auth draft

mom040267 10 years ago
parent
commit
6dbee00b74

+ 0 - 10
INSTALL

@@ -744,8 +744,6 @@ CREATE TABLE oauth_key (
 	timestamp bigint default 0,
 	lifetime integer default 0,
 	as_rs_alg varchar(64) default '',
-	as_rs_key varchar(256) default '',
-	auth_key varchar(256) default '',
 	primary key (kid)
 ); 
 
@@ -754,8 +752,6 @@ The oauth_key table fields meanings are:
 	kid: the kid of the key;
 
 	ikm_key - (optional) base64-encoded key ("input keying material");
-		The ikm_key is not needed if the as_rs_key and auth_key are defined
-		explicitly in the database;
 		
 	timestamp - (optional) the timestamp (in seconds) when the key 
 		lifetime starts;
@@ -767,12 +763,6 @@ The oauth_key table fields meanings are:
 		"A256GCMKW", "A128GCMKW" (see 
 		http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1).
 		The default value is "A256GCMKW";
-		
-	as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then 
-		calculated with ikm_key.
-		
-	auth_key - (optional) base64-encoded AUTH key. If not defined, then 
-		calculated with ikm_key. Not used for AEAD algorithms.
 
 # Https access admin users.
 # Leave this table empty if you do not want 

BIN
examples/var/db/turndb


+ 0 - 21
src/apps/common/apputils.c

@@ -1136,27 +1136,6 @@ void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *o
 				turn_free(ikm_key,ikm_key_size);
 			}
 		}
-
-		if(raw->as_rs_key[0]) {
-			size_t as_rs_key_size = 0;
-			char *as_rs_key = (char*)base64_decode(raw->as_rs_key,strlen(raw->as_rs_key),&as_rs_key_size);
-			if(as_rs_key) {
-				ns_bcopy(as_rs_key,oakd->as_rs_key,as_rs_key_size);
-				oakd->as_rs_key_size = as_rs_key_size;
-				turn_free(as_rs_key,as_rs_key_size);
-			}
-		}
-
-		if(raw->auth_key[0]) {
-			size_t auth_key_size = 0;
-			char *auth_key = (char*)base64_decode(raw->auth_key,strlen(raw->auth_key),&auth_key_size);
-			if(auth_key) {
-				ns_bcopy(auth_key,oakd->auth_key,auth_key_size);
-				oakd->auth_key_size = auth_key_size;
-				turn_free(auth_key,auth_key_size);
-			}
-		}
-
 	}
 }
 

+ 0 - 2
src/apps/common/apputils.h

@@ -142,8 +142,6 @@ struct _oauth_key_data_raw {
 	u64bits timestamp;
 	u32bits lifetime;
 	char as_rs_alg[OAUTH_ALG_SIZE+1];
-	char as_rs_key[OAUTH_KEY_SIZE+1];
-	char auth_key[OAUTH_KEY_SIZE+1];
 };
 
 typedef struct _oauth_key_data_raw oauth_key_data_raw;

+ 2 - 20
src/apps/relay/dbdrivers/dbd_mongo.c

@@ -255,8 +255,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	BSON_APPEND_INT32(&fields, "lifetime", 1);
 	BSON_APPEND_INT32(&fields, "timestamp", 1);
 	BSON_APPEND_INT32(&fields, "as_rs_alg", 1);
-	BSON_APPEND_INT32(&fields, "as_rs_key", 1);
-	BSON_APPEND_INT32(&fields, "auth_key", 1);
 	BSON_APPEND_INT32(&fields, "ikm_key", 1);
 
 	mongoc_cursor_t * cursor;
@@ -279,12 +277,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
 				STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length));
 			}
-			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
-				STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length));
-			}
-			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
-				STRCPY(key->auth_key,bson_iter_utf8(&iter, &length));
-			}
 			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
 				STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
 			}
@@ -349,8 +341,6 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) {
   bson_init(&doc);
   BSON_APPEND_UTF8(&doc, "kid", (const char *)key->kid);
   BSON_APPEND_UTF8(&doc, "as_rs_alg", (const char *)key->as_rs_alg);
-  BSON_APPEND_UTF8(&doc, "as_rs_key", (const char *)key->as_rs_key);
-  BSON_APPEND_UTF8(&doc, "auth_key", (const char *)key->auth_key);
   BSON_APPEND_UTF8(&doc, "ikm_key", (const char *)key->ikm_key);
   BSON_APPEND_INT64(&doc, "timestamp", (int64_t)key->timestamp);
   BSON_APPEND_INT32(&doc, "lifetime", (int32_t)key->lifetime);
@@ -511,8 +501,6 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
   BSON_APPEND_INT32(&fields, "lifetime", 1);
   BSON_APPEND_INT32(&fields, "timestamp", 1);
   BSON_APPEND_INT32(&fields, "as_rs_alg", 1);
-  BSON_APPEND_INT32(&fields, "as_rs_key", 1);
-  BSON_APPEND_INT32(&fields, "auth_key", 1);
   BSON_APPEND_INT32(&fields, "ikm_key", 1);
 
   mongoc_cursor_t * cursor;
@@ -537,12 +525,6 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
     	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
     	    STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length));
     	}
-    	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
-    		STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length));
-    	}
-    	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
-    		STRCPY(key->auth_key,bson_iter_utf8(&iter, &length));
-    	}
     	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
     		STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
     	}
@@ -566,9 +548,9 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 				add_to_secrets_list(lts,lt);
 			}
     	} else {
-    		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
+    		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
     						key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-    						key->as_rs_alg, key->as_rs_key, key->auth_key);
+    						key->as_rs_alg);
     	}
     }
     mongoc_cursor_destroy(cursor);

+ 11 - 23
src/apps/relay/dbdrivers/dbd_mysql.c

@@ -343,7 +343,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid);
+	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
 
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
@@ -354,7 +354,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 			MYSQL_RES *mres = mysql_store_result(myc);
 			if(!mres) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
-			} else if(mysql_field_count(myc)!=6) {
+			} else if(mysql_field_count(myc)!=4) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement);
 			} else {
 				MYSQL_ROW row = mysql_fetch_row(mres);
@@ -378,12 +378,6 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 						ns_bcopy(row[3],key->as_rs_alg,lengths[3]);
 						key->as_rs_alg[lengths[3]]=0;
 
-						ns_bcopy(row[4],key->as_rs_key,lengths[4]);
-						key->as_rs_key[lengths[4]]=0;
-
-						ns_bcopy(row[5],key->auth_key,lengths[5]);
-						key->auth_key[lengths[5]]=0;
-
 						ret = 0;
 					}
 				}
@@ -402,7 +396,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 	oauth_key_data_raw *key=&key_;
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid");
+	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid");
 
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
@@ -413,7 +407,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 			MYSQL_RES *mres = mysql_store_result(myc);
 			if(!mres) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
-			} else if(mysql_field_count(myc)!=7) {
+			} else if(mysql_field_count(myc)!=5) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement);
 			} else {
 				MYSQL_ROW row = mysql_fetch_row(mres);
@@ -437,14 +431,8 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 						ns_bcopy(row[3],key->as_rs_alg,lengths[3]);
 						key->as_rs_alg[lengths[3]]=0;
 
-						ns_bcopy(row[4],key->as_rs_key,lengths[4]);
-						key->as_rs_key[lengths[4]]=0;
-
-						ns_bcopy(row[5],key->auth_key,lengths[5]);
-						key->auth_key[lengths[5]]=0;
-
 						ns_bcopy(row[6],key->kid,lengths[6]);
-						key->kid[lengths[6]]=0;
+						key->kid[lengths[4]]=0;
 
 						if(kids) {
 							add_to_secrets_list(kids,key->kid);
@@ -460,9 +448,9 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 								add_to_secrets_list(lts,lt);
 							}
 						} else {
-							printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
+							printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
 								key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-								key->as_rs_alg, key->as_rs_key, key->auth_key);
+								key->as_rs_alg);
 						}
 					}
 					row = mysql_fetch_row(mres);
@@ -506,13 +494,13 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key)
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
-		snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')",
+		snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')",
 					  key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime,
-					  key->as_rs_alg,key->as_rs_key,key->auth_key);
+					  key->as_rs_alg);
 		int res = mysql_query(myc, statement);
 		if(res) {
-			snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s',as_rs_key='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
-							  key->as_rs_alg,key->as_rs_key,key->auth_key,key->kid);
+			snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
+							  key->as_rs_alg,key->kid);
 			res = mysql_query(myc, statement);
 			if(res) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth key information: %s\n",mysql_error(myc));
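Review bot: In the `@@ -437,14 +431,8 @@` hunk of mysql_list_oauth_keys the kid copy is now inconsistent: `ns_bcopy(row[6],key->kid,lengths[6]);` is kept while the terminator became `key->kid[lengths[4]]=0;`, but the new select returns only five columns (indices 0-4), so row[6] and lengths[6] read past the result arrays. Both lines must use the new column: `ns_bcopy(row[4],key->kid,lengths[4]);` followed by `key->kid[lengths[4]]=0;`. The pgsql and sqlite drivers in this commit already use index 4 for kid, so this is the only driver left out of step; the enclosing function continues outside the hunk.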

+ 9 - 13
src/apps/relay/dbdrivers/dbd_pgsql.c

@@ -158,7 +158,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	int ret = -1;
 
 	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid);
+	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
 
 	PGconn * pqc = get_pqdb_connection();
 	if(pqc) {
@@ -171,8 +171,6 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 			key->timestamp = (u64bits)strtoll(PQgetvalue(res,0,1),NULL,10);
 			key->lifetime = (u32bits)strtol(PQgetvalue(res,0,2),NULL,10);
 			STRCPY(key->as_rs_alg,PQgetvalue(res,0,3));
-			STRCPY(key->as_rs_key,PQgetvalue(res,0,4));
-			STRCPY(key->auth_key,PQgetvalue(res,0,5));
 			STRCPY(key->kid,kid);
 			ret = 0;
 		}
@@ -193,7 +191,7 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 	int ret = -1;
 
 	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid");
+	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid");
 
 	PGconn * pqc = get_pqdb_connection();
 	if(pqc) {
@@ -209,9 +207,7 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 				key->timestamp = (u64bits)strtoll(PQgetvalue(res,i,1),NULL,10);
 				key->lifetime = (u32bits)strtol(PQgetvalue(res,i,2),NULL,10);
 				STRCPY(key->as_rs_alg,PQgetvalue(res,i,3));
-				STRCPY(key->as_rs_key,PQgetvalue(res,i,4));
-				STRCPY(key->auth_key,PQgetvalue(res,i,5));
-				STRCPY(key->kid,PQgetvalue(res,i,6));
+				STRCPY(key->kid,PQgetvalue(res,i,4));
 
 				if(kids) {
 					add_to_secrets_list(kids,key->kid);
@@ -227,9 +223,9 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 						add_to_secrets_list(lts,lt);
 					}
 				} else {
-					printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
+					printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
 						key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-						key->as_rs_alg, key->as_rs_key, key->auth_key);
+						key->as_rs_alg);
 				}
 
 				ret = 0;
@@ -277,17 +273,17 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) {
   char statement[TURN_LONG_STRING_SIZE];
   PGconn *pqc = get_pqdb_connection();
   if(pqc) {
-	  snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')",
+	  snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')",
 			  key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime,
-			  key->as_rs_alg,key->as_rs_key,key->auth_key);
+			  key->as_rs_alg);
 
 	  PGresult *res = PQexec(pqc, statement);
 	  if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
 		  if(res) {
 			PQclear(res);
 		  }
-		  snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s',as_rs_key='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
-				  key->as_rs_alg,key->as_rs_key,key->auth_key,key->kid);
+		  snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
+				  key->as_rs_alg,key->kid);
 		  res = PQexec(pqc, statement);
 		  if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
 			  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth_key information: %s\n",PQerrorMessage(pqc));

+ 4 - 8
src/apps/relay/dbdrivers/dbd_redis.c

@@ -477,10 +477,6 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 				if(kw) {
 					if(!strcmp(kw,"as_rs_alg")) {
 						STRCPY(key->as_rs_alg,val);
-					} else if(!strcmp(kw,"as_rs_key")) {
-						STRCPY(key->as_rs_key,val);
-					} else if(!strcmp(kw,"auth_key")) {
-						STRCPY(key->auth_key,val);
 					} else if(!strcmp(kw,"ikm_key")) {
 						STRCPY(key->ikm_key,val);
 					} else if(!strcmp(kw,"timestamp")) {
@@ -516,8 +512,8 @@ static int redis_set_oauth_key(oauth_key_data_raw *key) {
   redisContext *rc = get_redis_connection();
   if(rc) {
 	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s as_rs_key %s auth_key %s timestamp %llu lifetime %lu",
-			key->kid,key->ikm_key,key->as_rs_alg,key->as_rs_key,key->auth_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime);
+	snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s timestamp %llu lifetime %lu",
+			key->kid,key->ikm_key,key->as_rs_alg,(unsigned long long)key->timestamp,(unsigned long)key->lifetime);
 	turnFreeRedisReply(redisCommand(rc, statement));
 	turnFreeRedisReply(redisCommand(rc, "save"));
     ret = 0;
@@ -683,9 +679,9 @@ static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 				add_to_secrets_list(lts,lt);
 			}
 		} else {
-			printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
+			printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
 							key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-							key->as_rs_alg, key->as_rs_key, key->auth_key);
+							key->as_rs_alg);
 		}
 	}
   }

+ 8 - 13
src/apps/relay/dbdrivers/dbd_sqlite.c

@@ -154,7 +154,7 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) {
 		"CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
 		"CREATE TABLE turn_origin_to_realm (origin varchar(127),realm varchar(127),primary key (origin))",
 		"CREATE TABLE turn_realm_option (realm varchar(127) default '',	opt varchar(32),	value varchar(128),	primary key (realm,opt))",
-		"CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_key varchar(256) default '',primary key (kid))",
+		"CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,as_rs_alg varchar(64) default '',primary key (kid))",
 		"CREATE TABLE admin_user (name varchar(32), realm varchar(127), password varchar(127), primary key (name))",
 		NULL
 	};
@@ -293,7 +293,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	char statement[TURN_LONG_STRING_SIZE];
 	sqlite3_stmt *st = NULL;
 	int rc = 0;
-	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid);
+	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
 
 	sqlite3 *sqliteconnection = get_sqlite_connection();
 	if(sqliteconnection) {
@@ -309,8 +309,6 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 				key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10);
 				key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10);
 				STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3));
-				STRCPY(key->as_rs_key,sqlite3_column_text(st, 4));
-				STRCPY(key->auth_key,sqlite3_column_text(st, 5));
 				STRCPY(key->kid,kid);
 				ret = 0;
 			}
@@ -339,7 +337,7 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secr
 	char statement[TURN_LONG_STRING_SIZE];
 	sqlite3_stmt *st = NULL;
 	int rc = 0;
-	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid");
+	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid");
 
 	sqlite3 *sqliteconnection = get_sqlite_connection();
 	if(sqliteconnection) {
@@ -357,9 +355,7 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secr
 					key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10);
 					key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10);
 					STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3));
-					STRCPY(key->as_rs_key,sqlite3_column_text(st, 4));
-					STRCPY(key->auth_key,sqlite3_column_text(st, 5));
-					STRCPY(key->kid,sqlite3_column_text(st, 6));
+					STRCPY(key->kid,sqlite3_column_text(st, 4));
 
 					if(kids) {
 						add_to_secrets_list(kids,key->kid);
@@ -375,9 +371,9 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secr
 							add_to_secrets_list(lts,lt);
 						}
 					} else {
-						printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
+						printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
 										key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-										key->as_rs_alg, key->as_rs_key, key->auth_key);
+										key->as_rs_alg);
 					}
 
 				} else if (res == SQLITE_DONE) {
@@ -447,9 +443,8 @@ static int sqlite_set_oauth_key(oauth_key_data_raw *key)
 		snprintf(
 						statement,
 						sizeof(statement),
-						"insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')",
-						key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->as_rs_alg, key->as_rs_key,
-						key->auth_key);
+						"insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')",
+						key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->as_rs_alg);
 
 		sqlite_lock(1);
 

+ 4 - 70
src/apps/relay/turn_admin_server.c

@@ -1372,8 +1372,6 @@ typedef enum _AS_FORM AS_FORM;
 #define HR_ADD_OAUTH_TS "oauth_ts"
 #define HR_ADD_OAUTH_LT "oauth_lt"
 #define HR_ADD_OAUTH_IKM "oauth_ikm"
-#define HR_ADD_OAUTH_RS_KEY "oauth_rs_key"
-#define HR_ADD_OAUTH_AUTH_KEY "oauth_auth_key"
 #define HR_ADD_OAUTH_TEA "oauth_tea"
 #define HR_DELETE_OAUTH_KID "oauth_kid_del"
 #define HR_OAUTH_KID "kid"
@@ -2878,28 +2876,6 @@ static void write_https_oauth_show_keys(ioa_socket_handle s, const char* kid)
 								str_buffer_append(sb,"</td></tr>\r\n");
 							}
 
-							if(okey.as_rs_key_size) {
-								size_t as_rs_key_size = 0;
-								char *as_rs_key = (char*)base64_encode((unsigned char*)okey.as_rs_key,okey.as_rs_key_size,&as_rs_key_size);
-								if(as_rs_key) {
-									str_buffer_append(sb,"<tr><td>AS-RS key:</td><td>");
-									str_buffer_append(sb,as_rs_key);
-									str_buffer_append(sb,"</td></tr>\r\n");
-									turn_free(as_rs_key,as_rs_key_size);
-								}
-							}
-
-							if(okey.auth_key_size) {
-								size_t auth_key_size = 0;
-								char *auth_key = (char*)base64_encode((unsigned char*)okey.auth_key,okey.auth_key_size,&auth_key_size);
-								if(auth_key) {
-									str_buffer_append(sb,"<tr><td>AUTH key:</td><td>");
-									str_buffer_append(sb,auth_key);
-									str_buffer_append(sb,"</td></tr>\r\n");
-									turn_free(auth_key,auth_key_size);
-								}
-							}
-
 							str_buffer_append(sb,"</table>\r\n");
 						}
 					}
@@ -2914,7 +2890,6 @@ static void write_https_oauth_show_keys(ioa_socket_handle s, const char* kid)
 static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, const char* add_ikm,
 				const char* add_tea,
 				const char *add_ts, const char* add_lt,
-				const char *add_rs_key, const char *add_auth_key,
 				const char* msg)
 {
 	if(s && !ioa_socket_tobeclosed(s)) {
@@ -3017,35 +2992,7 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con
 					str_buffer_append(sb,">A256GCMKW\r\n<br>\r\n");
 				}
 
-				str_buffer_append(sb,"</td><td colspan=\"2\">");
-
-				{
-					if(!add_rs_key) add_rs_key = "";
-
-					str_buffer_append(sb,"  <br>Base64-encoded AS-RS key (optional):<br><textarea wrap=\"soft\" cols=70 rows=4 name=\"");
-					str_buffer_append(sb,HR_ADD_OAUTH_RS_KEY);
-					str_buffer_append(sb,"\" maxLength=256 >");
-					str_buffer_append(sb,(const char*)add_rs_key);
-					str_buffer_append(sb,"</textarea>");
-					str_buffer_append(sb,"<br>\r\n");
-				}
-
-				str_buffer_append(sb,"</td></tr>\r\n");
-
-				str_buffer_append(sb,"<tr><td colspan=\"2\">");
-
-				{
-					if(!add_auth_key) add_auth_key = "";
-
-					str_buffer_append(sb,"  <br>Base64-encoded AUTH key (optional):<br><textarea wrap=\"soft\" cols=70 rows=4 name=\"");
-					str_buffer_append(sb,HR_ADD_OAUTH_AUTH_KEY);
-					str_buffer_append(sb,"\" maxLength=256 >");
-					str_buffer_append(sb,(const char*)add_auth_key);
-					str_buffer_append(sb,"</textarea>");
-					str_buffer_append(sb,"<br>\r\n");
-				}
-
-				str_buffer_append(sb,"</td></tr></table>\r\n");
+				str_buffer_append(sb,"</td></tr>\r\n</table>\r\n");
 
 				str_buffer_append(sb,"<br><input type=\"submit\" value=\"Add key\">");
 
@@ -3545,28 +3492,19 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 					const char* add_ts = "0";
 					const char* add_lt = "0";
 					const char* add_ikm = "";
-					const char *add_rs_key = "";
-					const char *add_auth_key = "";
 					const char* add_tea = "";
 					const char* msg = "";
 
 					add_kid = get_http_header_value(hr,HR_ADD_OAUTH_KID,"");
 					if(add_kid[0]) {
 						add_ikm = get_http_header_value(hr,HR_ADD_OAUTH_IKM,"");
-						add_rs_key = get_http_header_value(hr,HR_ADD_OAUTH_RS_KEY,"");
-						add_auth_key = get_http_header_value(hr,HR_ADD_OAUTH_AUTH_KEY,"");
 						add_ts = get_http_header_value(hr,HR_ADD_OAUTH_TS,"");
 						add_lt = get_http_header_value(hr,HR_ADD_OAUTH_LT,"");
 						add_tea = get_http_header_value(hr,HR_ADD_OAUTH_TEA,"");
 
-						int keys_ok = 0;
-						if(add_rs_key[0] && add_auth_key[0]) {
-							keys_ok = 1;
-						} else if(strstr(add_tea,"GCM") && add_rs_key[0]) {
-							keys_ok = 1;
-						}
+						int keys_ok = (add_ikm[0] != 0);
 						if(!keys_ok) {
-							msg = "Provided information is insufficient for the oAuth key generation.";
+							msg = "You must enter the key value.";
 						} else {
 							oauth_key_data_raw key;
 							ns_bzero(&key,sizeof(key));
@@ -3588,8 +3526,6 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 
 							STRCPY(key.ikm_key,add_ikm);
 							STRCPY(key.as_rs_alg,add_tea);
-							STRCPY(key.as_rs_key,add_rs_key);
-							STRCPY(key.auth_key,add_auth_key);
 
 							const turn_dbdriver_t * dbd = get_dbdriver();
 							if (dbd && dbd->set_oauth_key) {
@@ -3601,14 +3537,12 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 									add_lt = "0";
 									add_ikm = "";
 									add_tea = "";
-									add_rs_key = "";
-									add_auth_key = "";
 								}
 							}
 						}
 					}
 
-					write_https_oauth_page(s,add_kid,add_ikm,add_tea,add_ts,add_lt,add_rs_key,add_auth_key,msg);
+					write_https_oauth_page(s,add_kid,add_ikm,add_tea,add_ts,add_lt,msg);
 				}
 				break;
 			}

+ 6 - 11
src/apps/relay/userdb.c

@@ -1018,15 +1018,12 @@ void run_db_test(void)
 		oauth_key_data_raw key_;
 		oauth_key_data_raw *key=&key_;
 		dbd->get_oauth_key((const u08bits*)"north",key);
-		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
-		    		key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-		    		key->as_rs_alg, key->as_rs_key, key->auth_key);
+		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
+		    		key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->as_rs_alg);
 
 		printf("DB TEST 3:\n");
 
 		STRCPY(key->as_rs_alg,"as_rs_alg");
-		STRCPY(key->as_rs_key,"as_rs_key");
-		STRCPY(key->auth_key,"auth_key");
 		STRCPY(key->ikm_key,"ikm_key");
 		STRCPY(key->kid,"kid");
 		key->timestamp = 123;
@@ -1037,9 +1034,8 @@ void run_db_test(void)
 
 		printf("DB TEST 4:\n");
 		dbd->get_oauth_key((const u08bits*)"kid",key);
-		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n",
-		    		key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
-		    		key->as_rs_alg, key->as_rs_key, key->auth_key);
+		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
+		    		key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->as_rs_alg);
 
 		printf("DB TEST 5:\n");
 		dbd->del_oauth_key((const u08bits*)"kid");
@@ -1051,9 +1047,8 @@ void run_db_test(void)
 
 		oauth_key_data oakd;
 		convert_oauth_key_data_raw(key, &oakd);
-		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key_size=%d, auth_key_size=%d\n",
-				    		oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime,
-				    		oakd.as_rs_alg, (int)oakd.as_rs_key_size, (int)oakd.auth_key_size);
+		printf("  kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
+				    		oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, oakd.as_rs_alg);
 
 		oauth_key oak;
 		char err_msg[1025];

+ 3 - 3
src/apps/uclient/mainuclient.c

@@ -102,9 +102,9 @@ int oauth = 0;
 oauth_key okey_array[3];
 
 static oauth_key_data_raw okdr_array[3] = {
-		{"north","Y2FybGVvbg==",0,0,"A256GCMKW","",""},
-		{"union","aGVyb2Q=",0,0,"A128GCMKW","",""},
-		{"oldempire","YXVsY3Vz",0,0,"A256GCMKW","",""}
+		{"north","Y2FybGVvbg==",0,0,"A256GCMKW"},
+		{"union","aGVyb2Q=",0,0,"A128GCMKW"},
+		{"oldempire","YXVsY3Vz",0,0,"A256GCMKW"}
 };
 
 //////////////// local definitions /////////////////

+ 9 - 24
src/client/ns_turn_msg.c

@@ -2045,15 +2045,8 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 		oauth_key_data *oakd = &oakd_obj;
 
 		if(!(oakd->ikm_key_size)) {
-			if(!(oakd->as_rs_key_size)) {
-				if(err_msg) {
-					snprintf(err_msg,err_msg_size,"AS-RS key is not defined");
-				}
-				OAUTH_ERROR("AS-RS key is not defined\n");
-				return -1;
-			}
-			if(!(oakd->auth_key_size)) {
-				//AEAD ?
+			if(err_msg) {
+				snprintf(err_msg,err_msg_size,"key is not defined");
 			}
 		}
 
@@ -2075,10 +2068,6 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 
 		STRCPY(key->kid,oakd->kid);
 
-		ns_bcopy(oakd->as_rs_key,key->as_rs_key,sizeof(key->as_rs_key));
-		key->as_rs_key_size = oakd->as_rs_key_size;
-		ns_bcopy(oakd->auth_key,key->auth_key,sizeof(key->auth_key));
-		key->auth_key_size = oakd->auth_key_size;
 		ns_bcopy(oakd->ikm_key,key->ikm_key,sizeof(key->ikm_key));
 		key->ikm_key_size = oakd->ikm_key_size;
 
@@ -2108,20 +2097,16 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 			return -1;
 		}
 
-		if(!(key->auth_key_size)) {
-			key->auth_key_size = calculate_auth_key_length(key->as_rs_alg);
-			if(key->auth_key_size) {
-				if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size)<0) {
-					return -1;
-				}
+		key->auth_key_size = calculate_auth_key_length(key->as_rs_alg);
+		if(key->auth_key_size) {
+			if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size)<0) {
+				return -1;
 			}
 		}
 
-		if(!(key->as_rs_key_size)) {
-			key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg);
-			if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size)<0) {
-				return -1;
-			}
+		key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg);
+		if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size)<0) {
+			return -1;
 		}
 	}
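Review bot: In the first hunk of convert_oauth_key_data the empty-ikm_key branch now only fills err_msg and falls through, whereas the code it replaces returned -1; the function then continues to the derivation calls in the last hunk, where `calculate_key` is fed an ikm_key of size 0 and the caller sees success with an error string it may never read. Restore the early failure after the snprintf: `OAUTH_ERROR("key is not defined\n");` and `return -1;` (the OAUTH_ERROR call existed in the removed lines). Because ikm_key is now the only key source, rejecting the empty case here is what keeps the "You must enter the key value." check in turn_admin_server.c from being the sole guard. convert_oauth_key_data's body starts and continues outside the visible hunks.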
 

+ 0 - 4
src/client/ns_turn_msg_defs_new.h

@@ -112,10 +112,6 @@ struct _oauth_key_data {
 	turn_time_t timestamp;
 	turn_time_t lifetime;
 	char as_rs_alg[OAUTH_ALG_SIZE+1];
-	char as_rs_key[OAUTH_KEY_SIZE+1];
-	size_t as_rs_key_size;
-	char auth_key[OAUTH_KEY_SIZE+1];
-	size_t auth_key_size;
 };
 
 typedef struct _oauth_key_data oauth_key_data;

+ 0 - 2
turndb/schema.sql

@@ -43,8 +43,6 @@ CREATE TABLE oauth_key (
 	timestamp bigint default 0,
 	lifetime integer default 0,
 	as_rs_alg varchar(64) default '',
-	as_rs_key varchar(256) default '',
-	auth_key varchar(256) default '',
 	primary key (kid)
 );
 

+ 3 - 12
turndb/schema.userdb.redis

@@ -34,12 +34,10 @@ and they will be almost immediately "seen" by the turnserver process.
 4) For the oAuth authentication, there is a hash structure with the key 
 "turn/oauth/kid/<kid-value>". The kid structure fields are:
  
-	ikm_key - (optional) base64-encoded key ("input keying material");
-		The ikm_key is not needed if the as_rs_key and auth_key are defined
-		explicitly in the database;
+	ikm_key - (optional) base64-encoded key ("input keying material").
 		
 	timestamp - (optional) the timestamp (in seconds) when the key 
-		lifetime started;
+		lifetime started.
 	
 	lifetime - (optional) the key lifetime in seconds; the default value 
 		is 0 - unlimited lifetime.
@@ -47,14 +45,7 @@ and they will be almost immediately "seen" by the turnserver process.
 	as_rs_alg - oAuth token encryption algorithm; the valid values are
 		"A256GCMKW", "A128GCMKW" (see 
 		http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1).
-		The default value is "A256GCMKW";
-		
-	as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then 
-		calculated with ikm_key. The as_rs_key length 
-		is defined by as_rs_alg.
-		
-	auth_key - (optional) base64-encoded AUTH key. If not defined, then 
-		calculated with ikm_key. Not used with AEAD algorithms.
+		The default value is "A256GCMKW".
 		
 5) admin users (over https interface) are maintained as keys of form:
 "turn/admin_user/<username> with hash members "password" and,

+ 3 - 3
turndb/testsqldbsetup.sql

@@ -31,6 +31,6 @@ insert into denied_peer_ip (ip_range) values('123::45');
 insert into denied_peer_ip (realm,ip_range) values('north.gov','172.17.17.133-172.17.19.56');
 insert into denied_peer_ip (realm,ip_range) values('crinna.org','123::77');
 
-insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('north','Y2FybGVvbg==',0,0,'A256GCMKW','','');
-insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('union','aGVyb2Q=',0,0,'A128GCMKW','','');
-insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('oldempire','YXVsY3Vz',0,0,'A256GCMKW','','');
+insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('north','Y2FybGVvbg==',0,0,'A256GCMKW');
+insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('union','aGVyb2Q=',0,0,'A128GCMKW');
+insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('oldempire','YXVsY3Vz',0,0,'A256GCMKW');