Esempio n. 1
0
char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
  unsigned char *sig = NULL;
  unsigned char *passphrase = NULL;
  unsigned int len=0;
  EVP_MD_CTX md_ctx;

  EVP_PKEY *pkey;
  BIO *in;
  in = BIO_new_mem_buf((unsigned char*) k, strlen(k));
  pkey = PEM_read_bio_PrivateKey(in, NULL, 0, passphrase); // generate sign
  BIO_free(in);

  if (pkey == NULL) {
  //fprintf(stderr, "liboauth/OpenSSL: can not read private key\n");
    return xstrdup("liboauth/OpenSSL: can not read private key");
  }

  len = EVP_PKEY_size(pkey);
  sig = (unsigned char*)xmalloc((len+1)*sizeof(char));

  EVP_SignInit(&md_ctx, EVP_sha1());
  EVP_SignUpdate(&md_ctx, m, strlen(m));
  if (EVP_SignFinal (&md_ctx, sig, &len, pkey)) {
    char *tmp;
    sig[len] = '\0';
    tmp = oauth_encode_base64(len,sig);
    OPENSSL_free(sig);
    EVP_PKEY_free(pkey);
    return tmp;
  }
  return xstrdup("liboauth/OpenSSL: rsa-sha1 signing failed");
}
Esempio n. 2
0
char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
  PK11SlotInfo      *slot = NULL;
  SECKEYPrivateKey  *pkey = NULL;
  SECItem            signature;
  SECStatus          s;
  SECItem            der;
  char              *rv=NULL;

  char *key = oauth_strip_pkcs(k, NS_PRIV_HEADER, NS_PRIV_TRAILER); 
  if (!key) return NULL;

  oauth_init_nss();

  slot = PK11_GetInternalKeySlot();
  if (!slot) goto looser;
  s = ATOB_ConvertAsciiToItem(&der, key);
  if (s != SECSuccess) goto looser;
  s = PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &der, NULL, NULL, PR_FALSE, PR_TRUE, KU_ALL, &pkey, NULL);
  SECITEM_FreeItem(&der, PR_FALSE);
  if (s != SECSuccess) goto looser;
  if (!pkey) goto looser;
  if (pkey->keyType != rsaKey) goto looser;
  s = SEC_SignData(&signature, (unsigned char*) m, strlen(m), pkey, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE);
  if (s != SECSuccess) goto looser;

  rv=oauth_encode_base64(signature.len, signature.data);
  SECITEM_FreeItem(&signature, PR_FALSE);

looser:
  if (pkey) SECKEY_DestroyPrivateKey(pkey);
  if (slot) PK11_FreeSlot(slot);
  free(key);
  return rv;
}
Esempio n. 3
0
/* API */
char *oauth_sign_hmac_sha1_raw (const char *m, const size_t ml, const char *k, const size_t kl) {
	sha1nfo s;
	sha1_initHmac(&s, (const uint8_t*) k, kl);
	sha1_write(&s, m, ml);
	unsigned char *digest = sha1_resultHmac(&s);
  return oauth_encode_base64(HASH_LENGTH, digest);
}
Esempio n. 4
0
char *oauth_sign_hmac_sha1_raw (const char *m, const size_t ml, const char *k, const size_t kl) {
  unsigned char result[EVP_MAX_MD_SIZE];
  unsigned int resultlen = 0;
  
  HMAC(EVP_sha1(), k, kl, 
      (unsigned char*) m, ml,
      result, &resultlen);

  return(oauth_encode_base64(resultlen, result));
}
Esempio n. 5
0
char *oauth_sign_hmac_sha1_raw (const char *m, const size_t ml, const char *k, const size_t kl) {
  PK11SlotInfo  *slot = NULL;
  PK11SymKey    *pkey = NULL;
  PK11Context   *context = NULL;
  unsigned char  digest[20]; // Is there a way to tell how large the output is?
  unsigned int   len;
  SECStatus      s;
  SECItem        keyItem, noParams;
  char          *rv=NULL;

  keyItem.type = siBuffer;
  keyItem.data = (unsigned char*) k;
  keyItem.len = kl;

  noParams.type = siBuffer;
  noParams.data = NULL;
  noParams.len = 0;

  oauth_init_nss();

  slot = PK11_GetInternalKeySlot();
  if (!slot) goto looser;
  pkey = PK11_ImportSymKey(slot, CKM_SHA_1_HMAC, PK11_OriginUnwrap, CKA_SIGN, &keyItem, NULL);
  if (!pkey)  goto looser;
  context = PK11_CreateContextBySymKey(CKM_SHA_1_HMAC, CKA_SIGN, pkey, &noParams);
  if (!context) goto looser;

  s = PK11_DigestBegin(context);
  if (s != SECSuccess) goto looser;
  s = PK11_DigestOp(context, (unsigned char*) m, ml);
  if (s != SECSuccess) goto looser;
  s = PK11_DigestFinal(context, digest, &len, sizeof digest);
  if (s != SECSuccess) goto looser;

  rv=oauth_encode_base64(len, digest);

looser:
  if (context) PK11_DestroyContext(context, PR_TRUE);
  if (pkey) PK11_FreeSymKey(pkey);
  if (slot) PK11_FreeSlot(slot);
  return rv;
}
Esempio n. 6
0
get_pJWTAssertion(){
	int rc=0;
	char * signature = 0;

	// Before getting here, example: lr_save_string("*****@*****.**","GoogleAPIServiceEmail");

	// Each vuser gets its own tokens.
	
    // Google will return "Invalid Request' if the current time sent is off more than a just a few seconds from Google's server, so:
	// TODO: 14. Wherever machine this runs on needs to be synced to NTP or time.gov for UTC (GMT) timezone.

    // Google returns "invalid_grant" 400 error response if the previous token has not expired yet.
    // So loop is needed to re-use tokens until its expiration:
    lr_param_sprintf("pTimeNow","%d",time(0)); // where time(0) generates 10-digits.
    if( strcmp( lr_eval_string("{pTimeNow}"), lr_eval_string("{pTimeExpire}")) < 0 ){
    	wi_startPrintingTrace();
    	// Re-use assertion saved for use instead of running get_pJWTAssertion() again now.
		lr_output_message(">> JWT assertion token reuse: pTimeNow=%s, pTimeExpire=%s"
		                  ,lr_eval_string("{pTimeNow}")
		                  ,lr_eval_string("{pTimeExpire}") 
		                 );
    	wi_stopPrinting();
	} else {
    	// First iteration or generated one expired:
	    lr_param_sprintf("pTimeExpire","%d",time(0)+1800); // Google allows up to 3600 (one hour).
    }

	    // The spec this should follow is http://tools.ietf.org/id/draft-jones-json-web-token-08.html#rfc.section.3.1
	    lr_param_sprintf("JWTBody",
	                 "{\"iss\":\"%s\","
	                 "\"scope\":\"%s\","
	                 "\"aud\":\"https://accounts.google.com/o/oauth2/token\","
	                 "\"exp\":%s,\"iat\":%s}",
	                 lr_eval_string("{GoogleAPIServiceEmail}"),
	                 lr_eval_string("{pServiceScope}"),
	                 lr_eval_string("{pTimeExpire}"),
	                 lr_eval_string("{pTimeNow}"));
	                 // "aud" (audit) without back-slashes is: https://accounts.google.com/o/oauth2/token
	                 // "prn" (principal) is not set because it's not applicable for Gmail accounts, only Google Apps accounts granted domain-wide delegation access by an administrator.
					
		// Encode Header dot Claim set:
		lr_param_sprintf("pEncoded","%s.%s",
                     oauth_url_escape(oauth_encode_base64(0,"{\"alg\":\"RS256\",\"typ\":\"JWT\"}")),
                     oauth_url_escape(oauth_encode_base64(0,lr_eval_string("{JWTBody}"))));
   						// "alg:RS256" = algorithm RSA P-256 SHA-256 used by Google APIs
   						// "alg:HS256" = used by Google Wallet and OpenID
   						// "alg:ES256" = algorithm ECDSA P-256 SHA-256 used by Salesforce
						// Microsoft Live Connect API
						
	    signature = (char*)oauth_sign_rsa_sha256( lr_eval_string("{pEncoded}") );
	    lr_param_sprintf("pJWTAssertion","%s.%s",
                     lr_eval_string("{pEncoded}"),
                     oauth_url_escape(signature));
				    // Verify assertion output on-line using https://developers.google.com/commerce/wallet/digital/docs/jwtdecoder
					// 										 https://developers.google.com/wallet/digital/docs/jwtdecoder

		wi_startPrintingTrace();
		lr_output_message(">> JWTBody=%s."
		                 ,lr_eval_string("{JWTBody}")
		                 );
		lr_output_message(">> pEncoded=%s."
		                 ,lr_eval_string("{pEncoded}")
		                 );
		lr_output_message(">> pJWTAssertion=%s."
		                 ,lr_eval_string("{pJWTAssertion}")
		                 );
		lr_output_message(">> signature=%s."
	                     ,signature
		                 );
    	wi_stopPrinting();

   	return rc;
} // get_pJWTAssertion()
Esempio n. 7
0
std::string oauth_sign_hmac_sha1_raw(const char *m, const size_t ml, const char *k, const size_t kl)
{
    unsigned char result[20];
    hmac_sha1((unsigned char const *)k, kl, (unsigned char const *)m, ml, result);
    return oauth_encode_base64(result, 20);
}