Add verification of maximum expiry time for Wire tokens

2024-11-11 07:11:00 +00:00 · 2024-01-11 14:24:34 +01:00 · 2024-01-11 14:24:34 +01:00 · b6fc0005d5
commit b6fc0005d5
parent b964c97750
2 changed files with 6 additions and 6 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -584,6 +584,9 @@ func parseAndVerifyWireAccessToken(v verifyParams) (*wireAccessToken, *wireDpopT
 	if accessToken.ClientID != v.wireID.ClientID {
 		return nil, nil, fmt.Errorf("invalid Wire client ID %q", accessToken.ClientID)
 	}
+	if accessToken.Expiry.Time().After(v.t.Add(time.Hour * 24 * 365)) {
+		return nil, nil, fmt.Errorf("'exp' %s is too far into the future", accessToken.Expiry.Time().String())
+	}

 	dpopJWT, err := jose.ParseSigned(accessToken.Proof)
 	if err != nil {
@ -594,6 +597,8 @@ func parseAndVerifyWireAccessToken(v verifyParams) (*wireAccessToken, *wireDpopT
 		return nil, nil, fmt.Errorf("failed parsing Wire DPoP token: %w", err)
 	}

+	// TODO(hs): DPoP verification
+
 	challenge, ok := dpopToken["chal"].(string)
 	if !ok {
 		return nil, nil, fmt.Errorf("invalid challenge in Wire DPoP token")
@ -610,11 +615,6 @@ func parseAndVerifyWireAccessToken(v verifyParams) (*wireAccessToken, *wireDpopT
 		return nil, nil, fmt.Errorf("invalid Wire client handle %q", handle)
 	}

-	// TODO(hs): what to do with max expiry?
-	// maxExpiry:= strconv.FormatInt(time.Now().Add(time.Hour*24*365).Unix(), 10),
-	// 	"--max-expiry",
-	// 	expiry,
-
 	return &accessToken, &dpopToken, nil
 }

--- a/authority/provisioner/wire/wire_options.go
+++ b/authority/provisioner/wire/wire_options.go
@ -14,7 +14,7 @@ func (o *Options) GetOIDCOptions() *OIDCOptions {
 	return o.OIDC
 }

-// GetDPOPOptions returns the OIDC options.
+// GetDPOPOptions returns the DPoP options.
 func (o *Options) GetDPOPOptions() *DPOPOptions {
 	if o == nil {
 		return nil