
tidy and small improvments

 * rename long-term-key to auth-key
 * add warning for auth key and token lifetime expiry or mismatch
 * tidy sample script
Mészáros Mihály 9 lat temu
rodzic
commit
82ca50ebb2
4 zmienionych plików z 65 dodań i 46 usunięć
  1. 9 8
      README.turnutils
  2. 7 5
      examples/scripts/oauth.sh
  3. 13 12
      man/man1/turnutils.1
  4. 36 21
      src/apps/oauth/oauth.c

+ 9 - 8
README.turnutils

@@ -44,7 +44,8 @@ creation and validationi of an access_token. It outputs a JSON with all OAuth
 PoP parameters that need to pass to the client. Output is generated accoriding 
 RFC7635 Appendix B, Figure 8. 
 
-For more details, and for the access_token structure, read rfc7635.
+For more details, and for the access_token structure, read rfc7635, and see
+script in examples/scripts/oauth.sh.
 
 
 =====================================
@@ -303,8 +304,8 @@ parameters that need to pass to the client. Output is generated accoriding
 RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server 
 service, but be awere that this utility does not generate "session key" / 
 "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
-
-For more details, and for the access_token structure, read rfc7635. 
+For more details, and for the access_token structure, read rfc7635, and see
+the example in examples/scripts/oauth.sh.
 
 Use either -e and/or -d flag to encrypt or decrypt access_token.
 
@@ -322,15 +323,15 @@ Options with required values:
 
 -i, --server-name              server name (max. 255 char)
 
--j, --long-term-key-id         long term key id (max. 32 char)
+-j, --auth-key-id              Auth key id (max. 32 char)
 
--k, --long-term-key            base64 encoded long term key
+-k, --auth-key                 base64 encoded Auth key
 
--l  --long-term-key-timestamp  long term key timestamp (sec since epoch)
+-l  --auth-key-timestamp       Auth key timestamp (sec since epoch)
 
--m, --long-term-key-lifetime   long term key lifetime in sec
+-m, --auth-key-lifetime        Auth key lifetime in sec
 
--n, --long-term-key-as-rs-alg  Authorization Server Resource Server encryption algorithm
+-n, --auth-key-as-rs-alg       Authorization Server(AS) - Resource Server(RS) encryption algorithm
 
 -o, --token-nonce              base64 encoded nonce base64(12 octet) = 16 char
 

+ 7 - 5
examples/scripts/oauth.sh

@@ -1,15 +1,17 @@
 #!/bin/bash
-OAUTH_UTILITY=../../bin/turnutils_oauth
+
+OAUTH_UTILITY=bin/turnutils_oauth
+
 echo "--------------create an access_token---------------"
-$OAUTH_UTILITY -e --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0=  --token-timestamp 16332934350000
+$OAUTH_UTILITY -e --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0=  --token-timestamp 16333642137600 --token-lifetime=3600
 
 echo "---------------create and validate and print out the decoded access_token---------------"
-$OAUTH_UTILITY -v -d -e --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0=  --token-timestamp 16332934350000
+$OAUTH_UTILITY -v -d -e --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0=  --token-timestamp 16333642137600 --token-lifetime=3600
 
 echo -e "\n---------------just validate only the access_token---------------"
-$OAUTH_UTILITY -d --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token AAyi1nAiKbhykYXGUzGF9uM/nUu67J4z1ySG3weLavUN6JLQm+HCPvCNkVWWVrOppCSTmYapLx+jDhgZcx0vMA==
+$OAUTH_UTILITY -d --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token AAy1JBYVLo16iq9gFdHyyknmx5T/Lq9YlbxgUdLcStOFS0H8xhHceHOL2f49qxp4uBpGuuLeLqk+RcAa5uP2EQ== --token-lifetime=3600
 
 echo -e "\n---------------validate and print out the decoded access_token---------------"
-$OAUTH_UTILITY -v -d --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token AAyi1nAiKbhykYXGUzGF9uM/nUu67J4z1ySG3weLavUN6JLQm+HCPvCNkVWWVrOppCSTmYapLx+jDhgZcx0vMA==
+$OAUTH_UTILITY -v -d --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token AAy1JBYVLo16iq9gFdHyyknmx5T/Lq9YlbxgUdLcStOFS0H8xhHceHOL2f49qxp4uBpGuuLeLqk+RcAa5uP2EQ== --token-lifetime=3600
 
 
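Review bot: `OAUTH_UTILITY=bin/turnutils_oauth` makes the sample depend on the caller's working directory (it now only resolves from the build root), whereas the previous `../../bin/` form was relative to the script's own location and equally fragile; anchoring on the script path, `OAUTH_UTILITY="$(dirname "$0")/../../bin/turnutils_oauth"`, or a leading comment stating the expected working directory would remove the guesswork. The two decode-only invocations pass `--token-lifetime=3600` but no `--token-timestamp`, which is worth a comment since the utility's new expiry warnings compare both values against the Auth key window.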

+ 13 - 12
man/man1/turnutils.1

@@ -58,7 +58,8 @@ creation and validationi of an access_token. It outputs a JSON with all OAuth
 PoP parameters that need to pass to the client. Output is generated accoriding 
 RFC7635 Appendix B, Figure 8. 
 .PP
-For more details, and for the access_token structure, read rfc7635.
+For more details, and for the access_token structure, read rfc7635, and see
+script in examples/scripts/oauth.sh.
 .RE
 .PP
 
@@ -455,8 +456,8 @@ parameters that need to pass to the client. Output is generated accoriding
 RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server 
 service, but be awere that this utility does not generate "session key" / 
 "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
-.PP
-For more details, and for the access_token structure, read rfc7635. 
+For more details, and for the access_token structure, read rfc7635, and see
+the example in examples/scripts/oauth.sh.
 .PP
 Use either \fB\-e\fP and/or \fB\-d\fP flag to encrypt or decrypt access_token.
 .PP
@@ -485,24 +486,24 @@ Options with required values:
 server name (max. 255 char)
 .TP
 .B
-\fB\-j\fP, \fB\-\-long\-term\-key\-id\fP
-long term key id (max. 32 char)
+\fB\-j\fP, \fB\-\-auth\-key\-id\fP
+Auth key id (max. 32 char)
 .TP
 .B
-\fB\-k\fP, \fB\-\-long\-term\-key\fP
-base64 encoded long term key
+\fB\-k\fP, \fB\-\-auth\-key\fP
+base64 encoded Auth key
 .TP
 .B
 \fB\-l\fP
-\fB\-\-long\-term\-key\-timestamp\fP  long term key timestamp (sec since epoch)
+\fB\-\-auth\-key\-timestamp\fP       Auth key timestamp (sec since epoch)
 .TP
 .B
-\fB\-m\fP, \fB\-\-long\-term\-key\-lifetime\fP
-long term key lifetime in sec
+\fB\-m\fP, \fB\-\-auth\-key\-lifetime\fP
+Auth key lifetime in sec
 .TP
 .B
-\fB\-n\fP, \fB\-\-long\-term\-key\-as\-rs\-alg\fP
-Authorization Server Resource Server encryption algorithm
+\fB\-n\fP, \fB\-\-auth\-key\-as\-rs\-alg\fP
+Authorization \fBServer\fP(AS) \- Resource \fBServer\fP(RS) encryption algorithm
 .TP
 .B
 \fB\-o\fP, \fB\-\-token\-nonce\fP

+ 36 - 21
src/apps/oauth/oauth.c

@@ -168,7 +168,7 @@ static void print_token_body(oauth_token* dot) {
         time_t time=dot->enc_block.timestamp>>16;
         unsigned msec=(dot->enc_block.timestamp & 0xFFFF)*64;
         printf("    timestamp:\n");
-        printf("        unixtime: %s", ctime(&time));
+        printf("        unixtime: %u (localtime: %s )", (unsigned int)time, ctime(&time));
         printf("        msec:%u\n", msec);
         printf("    lifetime: %lu\n", (unsigned long) dot->enc_block.lifetime);
         printf("}\n");
@@ -185,11 +185,11 @@ const char Usage[] =
   "        -e, --encrypt                    encrypt token\n"
   "        -d, --decrypt                    decrypt validate token\n\n"
   "        -i, --server-name                server name (max. 255 char)\n"
-  "        -j, --long-term-key-id           long term key id (max. 32 char)\n"
-  "        -k, --long-term-key              base64 encoded long term key\n"
-  "        -l  --long-term-key-timestamp    long term key timestamp (sec since epoch)\n"
-  "        -m, --long-term-key-lifetime     long term key lifetime in sec\n"
-  "        -n, --long-term-key-as-rs-alg    Authorization Server Resource Server encryption algorithm\n"
+  "        -j, --auth-key-id                Auth key id (max. 32 char)\n"
+  "        -k, --auth-key                   base64 encoded Auth key\n"
+  "        -l  --auth-key-timestamp         Auth key timestamp (sec since epoch)\n"
+  "        -m, --auth-key-lifetime          Auth key lifetime in sec\n"
+  "        -n, --auth-key-as-rs-alg         Authorization Server(AS) - Resource Server (RS) encryption algorithm\n"
   "        -o, --token-nonce                base64 encoded nonce base64(12 octet) = 16 char\n"
   "        -p, --token-mac-key              base64 encoded MAC key base64(32 octet) = 44 char\n"
   "        -q, --token-timestamp            timestamp in format 64 bit unsigned (Native format - Unix),\n" 
@@ -242,11 +242,11 @@ int main(int argc, char **argv)
      {"decrypt",                  no_argument,       &decrypt_flag, 1},
      {"help",                     no_argument,       0, 'h'},
      {"server-name",              required_argument, 0, 'i'},
-     {"long-term-key-id",         required_argument, 0, 'j'},
-     {"long-term-key",            required_argument, 0, 'k'},
-     {"long-term-key-timestamp",  required_argument, 0, 'l'},
-     {"long-term-key-lifetime",   required_argument, 0, 'm'},
-     {"long-term-key-as-rs-alg",  required_argument, 0, 'n'},
+     {"auth-key-id",         required_argument, 0, 'j'},
+     {"auth-key",            required_argument, 0, 'k'},
+     {"auth-key-timestamp",  required_argument, 0, 'l'},
+     {"auth-key-lifetime",   required_argument, 0, 'm'},
+     {"auth-key-as-rs-alg",  required_argument, 0, 'n'},
      {"token-nonce",              required_argument, 0, 'o'},
      {"token-mac-key",            required_argument, 0, 'p'},
      {"token-timestamp",          required_argument, 0, 'q'},
@@ -297,7 +297,7 @@ int main(int argc, char **argv)
       }
       break;
    case 'j':
-      //long-term-key-id
+      //auth-key-id
       if ( strlen(optarg) <= OAUTH_LTK_ID_SIZE ) {
         STRCPY(kid,optarg);
       } else {
@@ -306,7 +306,7 @@ int main(int argc, char **argv)
       }
       break;
     case 'k':
-      //long-term-key
+      //auth-key
       if ( strlen(optarg) <= OAUTH_LTK_BASE64ENCODED_SIZE ) {
         STRCPY(base64encoded_ltk,optarg);
       } else {
@@ -315,15 +315,15 @@ int main(int argc, char **argv)
       }
       break;
     case 'l':
-      //long-term-key-timestamp
+      //auth-key-timestamp
       key_timestamp = atoi(optarg);
       break;
     case 'm':
-      //long-term-key-lifetime
+      //auth-key-lifetime
       key_lifetime=atoi(optarg);
       break;
     case 'n':
-      //long-term-key-as-rs-alg
+      //auth-key-as-rs-alg
       if ( strlen(optarg) <= OAUTH_AS_RS_ALG_SIZE ) {
         STRCPY(as_rs_alg,optarg);
       } else {
@@ -403,19 +403,19 @@ int main(int argc, char **argv)
     }
     
     if (strlen(kid) == 0){
-        fprintf(stderr, "For encode/decode  --long-term-key-id/-j is mandatory \n");
+        fprintf(stderr, "For encode/decode  --auth-key-id/-j is mandatory \n");
         exit(-1);
     }
      if (strlen(base64encoded_ltk) == 0){
-        fprintf(stderr, "For encode/decode  --long-term-key/-k is mandatory \n");
+        fprintf(stderr, "For encode/decode  --auth-key/-k is mandatory \n");
         exit(-1);
     }
     if (key_timestamp == 0){
-        fprintf(stderr, "For encode/decode  --long-term-key-timestamp/-l is mandatory \n");
+        fprintf(stderr, "For encode/decode  --auth-key-timestamp/-l is mandatory \n");
         exit(-1);
     }
     if (key_lifetime == 0){
-        fprintf(stderr, "For encode/decode  --long-term-key-lifetime/-m is mandatory \n");
+        fprintf(stderr, "For encode/decode  --auth-key-lifetime/-m is mandatory \n");
         exit(-1);
     }
 
@@ -428,7 +428,22 @@ int main(int argc, char **argv)
         fprintf(stderr, "For decode --token/-t is mandatory \n");
         exit(-1);
     }
-
+    
+    // Expiry warnings
+    if ( (unsigned long long)key_timestamp<<16 > token_timestamp  +((unsigned long long)token_lifetime << 16)  ) {
+        fprintf(stderr,"\nWARNING: Token expiry is earlear then Auth key life time start timestamp!!\n\n");
+    } else {
+        if( (unsigned long long)key_timestamp<<16 > token_timestamp) {
+            fprintf(stderr,"\nWARNING: Token life time start timestamp is earlier then Auth key start timestamp!!\n\n");
+        }
+    }
+    if( (unsigned long long)( key_timestamp + key_lifetime )<<16 < token_timestamp ) {
+        fprintf(stderr,"\nWARNING: Auth key will expire before token lifetime start timestamp!!\n\n");
+    } else {
+        if( (unsigned long long)( key_timestamp + key_lifetime)<<16 < token_timestamp + ((unsigned long long)token_lifetime << 16) ) {
+            fprintf(stderr,"\nWARNING: Auth key will expire before token expiry!!\n\n");
+        }  
+    }
 
     if ( setup_ikm_key(kid, base64encoded_ltk, key_timestamp, key_lifetime, as_rs_alg, &key) == 0 ) {
           if(encrypt_flag) {