use json struct for challenge request payload otherwise it's a hell to craft from client side

pull/1671/head
beltram 1 year ago committed by Herman Slatman
parent 5ca744567c
commit 227e932624
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F

@ -353,19 +353,33 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
return nil
}
type WireChallengePayload struct {
// IdToken
IdToken string `json:"id_token"`
// AccessToken is the token generated by wire-server
AccessToken string `json:"access_token"`
}
func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
prov, ok := ProvisionerFromContext(ctx)
if !ok {
return NewErrorISE("no provisioner provided")
}
var wireChallengePayload WireChallengePayload
err := json.Unmarshal(payload, &wireChallengePayload)
if err != nil {
return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
"error unmarshalling Wire challenge payload"))
}
oidcOptions := prov.GetOptions().GetOIDCOptions()
idToken, err := oidcOptions.
GetProvider(ctx).
Verifier(
oidcOptions.
GetConfig()).
Verify(ctx, string(payload))
Verify(ctx, wireChallengePayload.IdToken)
if err != nil {
return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
"error verifying ID token signature"))
@ -422,6 +436,13 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return NewErrorISE("key is not ED25519")
}
var wireChallengePayload WireChallengePayload
err := json.Unmarshal(payload, &wireChallengePayload)
if err != nil {
return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
"error unmarshalling Wire challenge payload"))
}
file, err := os.CreateTemp(os.TempDir(), "acme-validate-challenge-pubkey-")
if err != nil {
return WrapErrorISE(err, "temporary file could not be created")
@ -470,7 +491,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE(err, "error starting validation process")
}
_, err = stdin.Write(payload)
_, err = stdin.Write([]byte(wireChallengePayload.AccessToken))
if err != nil {
return WrapErrorISE(err, "error writing to stdin")
}
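Review bot: Neither hunk checks that the field it relies on was actually present: wireOIDC01Validate verifies `wireChallengePayload.IdToken` and wireDPOP01Validate writes `wireChallengePayload.AccessToken` to the validator's stdin, but a client-supplied body such as `{}` unmarshals cleanly and leaves both fields empty, so the failure only surfaces later from the OIDC verifier or from the external process, with a less specific error. Right after each `json.Unmarshal` block, reject the empty case explicitly, e.g. `if wireChallengePayload.IdToken == "" { return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "missing id_token in Wire challenge payload")) }` (and the same for `AccessToken` in the DPoP hunk). A body that fails to parse is also arguably a malformed request rather than a rejected identifier, so if the package's malformed-request error type is available it would describe the JSON failure more accurately than `ErrorRejectedIdentifierType`. Minor: the new struct's `IdToken` field would be `IDToken` under Go's initialism convention, and its `// IdToken` comment says nothing — something like `// IDToken is the OIDC ID token presented by the client.` would help. wireOIDC01Validate continues past the first hunk, and wireDPOP01Validate both starts before and ends after the later two.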
