@ -36,10 +36,9 @@ import (
"go.step.sm/crypto/pemutil"
"go.step.sm/crypto/pemutil"
"go.step.sm/crypto/x509util"
"go.step.sm/crypto/x509util"
"golang.org/x/exp/slices"
"golang.org/x/exp/slices"
"gopkg.in/square/go-jose.v2/jwt"
"github.com/smallstep/certificates/acme/wire"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/wire"
)
)
type ChallengeType string
type ChallengeType string
@ -390,8 +389,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
GivenName string ` json:"given_name,omitempty" `
GivenName string ` json:"given_name,omitempty" `
KeyAuth string ` json:"keyauth" ` // TODO(hs): use this property instead of the one in the payload after https://github.com/wireapp/rusty-jwt-tools/tree/fix/keyauth is done
KeyAuth string ` json:"keyauth" ` // TODO(hs): use this property instead of the one in the payload after https://github.com/wireapp/rusty-jwt-tools/tree/fix/keyauth is done
}
}
err = idToken . Claims ( & claims )
if err = idToken . Claims ( & claims ) ; err != nil {
if err != nil {
return storeError ( ctx , db , ch , false , WrapError ( ErrorRejectedIdentifierType , err ,
return storeError ( ctx , db , ch , false , WrapError ( ErrorRejectedIdentifierType , err ,
"error retrieving claims from ID token" ) )
"error retrieving claims from ID token" ) )
}
}
@ -423,28 +421,26 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE ( err , "error updating challenge" )
return WrapErrorISE ( err , "error updating challenge" )
}
}
parsedIDToken , err := j wt . ParseSigned ( wireChallengePayload . IDToken )
parsedIDToken , err := j ose . ParseSigned ( wireChallengePayload . IDToken )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " Invalid OIDC id token")
return WrapErrorISE ( err , " invalid OIDC ID token")
}
}
oidcToken := make ( map [ string ] interface { } )
oidcToken := make ( map [ string ] interface { } )
if err := parsedIDToken . UnsafeClaimsWithoutVerification ( & oidcToken ) ; err != nil {
if err := parsedIDToken . UnsafeClaimsWithoutVerification ( & oidcToken ) ; err != nil {
return WrapErrorISE ( err , " F ailed parsing OIDC id token")
return WrapErrorISE ( err , " f ailed parsing OIDC id token")
}
}
orders , err := db . GetAllOrdersByAccountID ( ctx , ch . AccountID )
orders , err := db . GetAllOrdersByAccountID ( ctx , ch . AccountID )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " C ould not find current order by account id")
return WrapErrorISE ( err , " c ould not find current order by account id")
}
}
if len ( orders ) == 0 {
if len ( orders ) == 0 {
return WrapErrorISE( err , "T here are not enough orders for this account for this custom OIDC challenge")
return NewErrorISE( "t here are not enough orders for this account for this custom OIDC challenge")
}
}
order := orders [ len ( orders ) - 1 ]
order := orders [ len ( orders ) - 1 ]
if err := db . CreateOidcToken ( ctx , order , oidcToken ) ; err != nil {
if err := db . CreateOidcToken ( ctx , order , oidcToken ) ; err != nil {
return WrapErrorISE ( err , " F ailed storing OIDC id token")
return WrapErrorISE ( err , " f ailed storing OIDC id token")
}
}
return nil
return nil
@ -456,19 +452,17 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return NewErrorISE ( "missing provisioner" )
return NewErrorISE ( "missing provisioner" )
}
}
rawKid , thumbprintE rr := jwk . Thumbprint ( crypto . SHA256 )
rawKid , e rr := jwk . Thumbprint ( crypto . SHA256 )
if thumbprintE rr != nil {
if e rr != nil {
return storeError ( ctx , db , ch , false , WrapError ( ErrorServerInternalType , thumbprintE rr, "failed to compute JWK thumbprint" ) )
return storeError ( ctx , db , ch , false , WrapError ( ErrorServerInternalType , e rr, "failed to compute JWK thumbprint" ) )
}
}
kid := base64 . RawURLEncoding . EncodeToString ( rawKid )
kid := base64 . RawURLEncoding . EncodeToString ( rawKid )
dpopOptions := prov . GetOptions ( ) . GetDPOPOptions ( )
dpopOptions := prov . GetOptions ( ) . GetDPOPOptions ( )
key := dpopOptions . GetSigningKey ( )
key := dpopOptions . GetSigningKey ( )
var wireChallengePayload WireChallengePayload
var wireChallengePayload WireChallengePayload
err := json . Unmarshal ( payload , & wireChallengePayload )
if err := json . Unmarshal ( payload , & wireChallengePayload ) ; err != nil {
if err != nil {
return storeError ( ctx , db , ch , false , WrapError ( ErrorRejectedIdentifierType , err ,
return storeError ( ctx , db , ch , false , WrapError ( ErrorRejectedIdentifierType , err ,
"error unmarshalling Wire challenge payload" ) )
"error unmarshalling Wire challenge payload" ) )
}
}
@ -485,7 +479,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
n , err := file . Write ( buf . Bytes ( ) )
n , err := file . Write ( buf . Bytes ( ) )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " F ailed writing signature key to temp file")
return WrapErrorISE ( err , " f ailed writing signature key to temp file")
}
}
if n != buf . Len ( ) {
if n != buf . Len ( ) {
return WrapErrorISE ( err , "expected to write %d characters to the key file, got %d" , buf . Len ( ) , n )
return WrapErrorISE ( err , "expected to write %d characters to the key file, got %d" , buf . Len ( ) , n )
@ -503,7 +497,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
issuer , err := dpopOptions . GetTarget ( clientID . DeviceID )
issuer , err := dpopOptions . GetTarget ( clientID . DeviceID )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " I nvalid Go template registered for 'target'")
return WrapErrorISE ( err , " i nvalid Go template registered for 'target'")
}
}
expiry := strconv . FormatInt ( time . Now ( ) . Add ( time . Hour * 24 * 365 ) . Unix ( ) , 10 )
expiry := strconv . FormatInt ( time . Now ( ) . Add ( time . Hour * 24 * 365 ) . Unix ( ) , 10 )
@ -565,42 +559,42 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE ( err , "error updating challenge" )
return WrapErrorISE ( err , "error updating challenge" )
}
}
parsedAccessToken , err := j wt . ParseSigned ( wireChallengePayload . AccessToken )
parsedAccessToken , err := j ose . ParseSigned ( wireChallengePayload . AccessToken )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " I nvalid access token")
return WrapErrorISE ( err , " i nvalid access token")
}
}
access := make ( map [ string ] interface { } )
access := make ( map [ string ] interface { } )
if err := parsedAccessToken . UnsafeClaimsWithoutVerification ( & access ) ; err != nil {
if err := parsedAccessToken . UnsafeClaimsWithoutVerification ( & access ) ; err != nil {
return WrapErrorISE ( err , " F ailed parsing access token")
return WrapErrorISE ( err , " f ailed parsing access token")
}
}
rawDpop , ok := access [ "proof" ] . ( string )
rawDpop , ok := access [ "proof" ] . ( string )
if ! ok {
if ! ok {
return WrapErrorISE ( err , " I nvalid dpop proof format in access token")
return WrapErrorISE ( err , " i nvalid dpop proof format in access token")
}
}
parsedDpopToken , err := j wt . ParseSigned ( rawDpop )
parsedDpopToken , err := j ose . ParseSigned ( rawDpop )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " I nvalid DPoP token")
return WrapErrorISE ( err , " i nvalid DPoP token")
}
}
dpop := make ( map [ string ] interface { } )
dpop := make ( map [ string ] interface { } )
if err := parsedDpopToken . UnsafeClaimsWithoutVerification ( & dpop ) ; err != nil {
if err := parsedDpopToken . UnsafeClaimsWithoutVerification ( & dpop ) ; err != nil {
return WrapErrorISE ( err , " F ailed parsing dpop token")
return WrapErrorISE ( err , " f ailed parsing dpop token")
}
}
orders , err := db . GetAllOrdersByAccountID ( ctx , ch . AccountID )
orders , err := db . GetAllOrdersByAccountID ( ctx , ch . AccountID )
if err != nil {
if err != nil {
return WrapErrorISE ( err , " C ould not find current order by account id")
return WrapErrorISE ( err , " c ould not find current order by account id")
}
}
if len ( orders ) == 0 {
if len ( orders ) == 0 {
return WrapErrorISE ( err , " T here are not enough orders for this account for this custom OIDC challenge")
return WrapErrorISE ( err , " t here are not enough orders for this account for this custom OIDC challenge")
}
}
order := orders [ len ( orders ) - 1 ]
order := orders [ len ( orders ) - 1 ]
if err := db . CreateDpopToken ( ctx , order , dpop ) ; err != nil {
if err := db . CreateDpopToken ( ctx , order , dpop ) ; err != nil {
return WrapErrorISE ( err , " F ailed storing DPoP token")
return WrapErrorISE ( err , " f ailed storing DPoP token")
}
}
return nil
return nil