@ -19,6 +19,7 @@ import (
"errors"
"fmt"
"io"
"log"
"net"
"net/url"
"os"
@ -36,7 +37,6 @@ import (
"go.step.sm/crypto/keyutil"
"go.step.sm/crypto/pemutil"
"go.step.sm/crypto/x509util"
"golang.org/x/oauth2"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/wire"
@ -355,9 +355,9 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
type WireChallengePayload struct {
// IdToken
IdToken string `json:"id_token"`
IdToken string `json:"id_token,omitempty"`
// AccessToken is the token generated by wire-server
AccessToken string `json:"access_token"`
AccessToken string `json:"access_token,omitempty"`
}
func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
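Review bot: The `// IdToken` comment on the IdToken field repeats the name and says nothing, while the neighbouring AccessToken field gets a sentence; suggest `// IdToken is the OIDC ID token submitted in the wire-oidc-01 challenge payload and verified by wireOIDC01Validate.` With both fields now `omitempty`, a payload carrying only one of them is the expected case, so each validator should presumably reject an empty value for the field it depends on before using it; whether such a check already exists cannot be seen in this hunk. As a point of naming, Go convention would spell the field `IDToken`, but renaming an exported field is outside this commit's scope.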
@ -373,6 +373,8 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
"error unmarshalling Wire challenge payload"))
}
log.Printf("id_token: %s", wireChallengePayload.IdToken)
oidcOptions := prov.GetOptions().GetOIDCOptions()
idToken, err := oidcOptions.
GetProvider(ctx).
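Review bot: The added `log.Printf("id_token: %s", wireChallengePayload.IdToken)` writes the complete ID token to the process log. The token is a bearer credential carrying the subject's identity claims, so anyone with access to the log or the log aggregation pipeline can read and replay it while it is valid; the same pattern is added at `log.Printf("access_token: %s", wireChallengePayload.AccessToken)` in the next hunk and inside the failure log of the last hunk. If a trace is needed, log only non-secret metadata, e.g. `log.Printf("wire-oidc-01: challenge %s received id_token (len=%d)", ch.ID, len(wireChallengePayload.IdToken))`, or drop the line before merging. The line also bypasses whatever logger the surrounding code uses by writing to the global `log` package, which reads like a debugging leftover. wireOIDC01Validate's body starts and ends outside this hunk.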
@ -440,6 +442,8 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
"error unmarshalling Wire challenge payload"))
}
log.Printf("access_token: %s", wireChallengePayload.AccessToken)
file, err := os.CreateTemp(os.TempDir(), "acme-validate-challenge-pubkey-")
if err != nil {
return WrapErrorISE(err, "temporary file could not be created")
@ -500,6 +504,24 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
err = cmd.Wait()
if err != nil {
log.Printf("access_token: %s, clientID: %s, cli: %s %s %s %s %s %s %s %s %s %s %s %s %s %s",
wireChallengePayload.AccessToken,
challengeValues.ClientID,
provisioner.GetOptions().GetDPOPOptions().GetValidationExecPath(),
"verify-access",
"--client-id",
challengeValues.ClientID,
"--challenge",
ch.ID,
"--leeway",
"360",
"--max-expiry",
strconv.FormatInt(time.Now().Add(time.Hour*24*365).Unix(), 10),
"--hash-algorithm",
`"SHA-256"`,
"--key",
file.Name(),
)
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, "error finishing validation: %s", err))
}
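Review bot: The new failure log rebuilds the validator's command line by hand instead of reporting the `cmd` that actually ran: `time.Now()` is evaluated a second time for `--max-expiry` and `GetValidationExecPath()` is re-read, so the logged values are not guaranteed to match the executed ones, and the fourteen `%s` verbs must be kept in step with the argument list manually. If `cmd` is an `*exec.Cmd` (it is built outside this hunk), `cmd.Args` already holds the exact argument vector that was executed. Setting aside the access-token exposure already raised on the wire-oidc-01 hunk, one line with the identifiers and the error is enough here: `log.Printf("wire-dpop-01: validator failed for challenge %s (client %s): %v", ch.ID, challengeValues.ClientID, err)`. The error presumably reflects the validator's exit status, so capturing its stderr would be a more useful diagnostic than echoing the arguments. wireDPOP01Validate starts outside this hunk.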