|
|
|
@ -353,19 +353,33 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type WireChallengePayload struct {
|
|
|
|
|
// IdToken
|
|
|
|
|
IdToken string `json:"id_token"`
|
|
|
|
|
// AccessToken is the token generated by wire-server
|
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
|
|
|
|
|
prov, ok := ProvisionerFromContext(ctx)
|
|
|
|
|
if !ok {
|
|
|
|
|
return NewErrorISE("no provisioner provided")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var wireChallengePayload WireChallengePayload
|
|
|
|
|
err := json.Unmarshal(payload, &wireChallengePayload)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
|
|
|
|
|
"error unmarshalling Wire challenge payload"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
oidcOptions := prov.GetOptions().GetOIDCOptions()
|
|
|
|
|
idToken, err := oidcOptions.
|
|
|
|
|
GetProvider(ctx).
|
|
|
|
|
Verifier(
|
|
|
|
|
oidcOptions.
|
|
|
|
|
GetConfig()).
|
|
|
|
|
Verify(ctx, string(payload))
|
|
|
|
|
Verify(ctx, wireChallengePayload.IdToken)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
|
|
|
|
|
"error verifying ID token signature"))
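Review bot: The `// IdToken` doc comment on the new WireChallengePayload field is an empty stub, and the identifier should follow Go's initialism convention as `IDToken` (the `json:"id_token"` tag keeps the wire format unchanged); a comment such as `// IDToken is the OIDC ID token presented by the client, verified against the provisioner's OIDC provider.` would match the style of the AccessToken field. The new verifier call on the last line is handed `wireChallengePayload.IdToken` without checking that the field was present, so a payload that omits `id_token` reaches the OIDC verifier with an empty string and is reported only as a signature error; a guard after the unmarshal, `if wireChallengePayload.IdToken == "" { return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "missing id_token in Wire challenge payload")) }`, rejects it up front with a clearer message. The unmarshal failure is classified as ErrorRejectedIdentifierType although it is a malformed request body rather than an identifier problem, so if the package's `ErrorMalformedType` is meant for that case it fits better here. The unmarshal block is repeated verbatim in the wireDPOP01Validate hunk below; a small helper returning `(WireChallengePayload, error)` would keep both validators' error classification in step. wireOIDC01Validate's body continues past the hunk.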
|
|
|
|
@ -422,6 +436,13 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
|
|
|
|
|
return NewErrorISE("key is not ED25519")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var wireChallengePayload WireChallengePayload
|
|
|
|
|
err := json.Unmarshal(payload, &wireChallengePayload)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
|
|
|
|
|
"error unmarshalling Wire challenge payload"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
file, err := os.CreateTemp(os.TempDir(), "acme-validate-challenge-pubkey-")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return WrapErrorISE(err, "temporary file could not be created")
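Review bot: `wireChallengePayload.AccessToken` is never checked for emptiness between the unmarshal block and the `os.CreateTemp` call, so a payload without `access_token` still creates the temporary file and starts the external validation process with nothing to verify; add `if wireChallengePayload.AccessToken == "" { return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "missing access_token in Wire challenge payload")) }` directly after the unmarshal error check. The token is client-supplied and, further down the function, is written unchanged to the child process's stdin, so if the ACME request body is not already size-limited upstream an explicit length bound at this point would keep an oversized value from being handed to the process. wireDPOP01Validate's body starts and ends outside the hunk.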
|
|
|
|
@ -470,7 +491,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
|
|
|
|
|
return WrapErrorISE(err, "error starting validation process")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = stdin.Write(payload)
|
|
|
|
|
_, err = stdin.Write([]byte(wireChallengePayload.AccessToken))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return WrapErrorISE(err, "error writing to stdin")
|
|
|
|
|
}
|
|
|
|
|