tidy and small improvments

* rename long-term-key to auth-key
 * add warning for auth key and token lifetime expiry or mismatch
 * tidy sample script
This commit is contained in:
Mészáros Mihály 2016-09-07 15:03:28 +02:00
parent 9bd3f0ee9c
commit 82ca50ebb2
4 changed files with 65 additions and 46 deletions


@ -44,7 +44,8 @@ creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
For more details, and for the access_token structure, read rfc7635.
For more details, and for the access_token structure, read rfc7635, and see
script in examples/scripts/oauth.sh.
=====================================
@ -303,8 +304,8 @@ parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
"mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
For more details, and for the access_token structure, read rfc7635.
For more details, and for the access_token structure, read rfc7635, and see
the example in examples/scripts/oauth.sh.
Use either -e and/or -d flag to encrypt or decrypt access_token.
@ -322,15 +323,15 @@ Options with required values:
-i, --server-name server name (max. 255 char)
-j, --long-term-key-id long term key id (max. 32 char)
-j, --auth-key-id Auth key id (max. 32 char)
-k, --long-term-key base64 encoded long term key
-k, --auth-key base64 encoded Auth key
-l --long-term-key-timestamp long term key timestamp (sec since epoch)
-l --auth-key-timestamp Auth key timestamp (sec since epoch)
-m, --long-term-key-lifetime long term key lifetime in sec
-m, --auth-key-lifetime Auth key lifetime in sec
-n, --long-term-key-as-rs-alg Authorization Server Resource Server encryption algorithm
-n, --auth-key-as-rs-alg Authorization Server(AS) - Resource Server(RS) encryption algorithm
-o, --token-nonce base64 encoded nonce base64(12 octet) = 16 char


@ -1,15 +1,17 @@
#!/bin/bash
OAUTH_UTILITY=../../bin/turnutils_oauth
OAUTH_UTILITY=bin/turnutils_oauth
echo "--------------create an access_token---------------"
$OAUTH_UTILITY -e --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16332934350000
$OAUTH_UTILITY -e --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16333642137600 --token-lifetime=3600
echo "---------------create and validate and print out the decoded access_token---------------"
$OAUTH_UTILITY -v -d -e --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16332934350000
$OAUTH_UTILITY -v -d -e --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16333642137600 --token-lifetime=3600
echo -e "\n---------------just validate only the access_token---------------"
$OAUTH_UTILITY -d --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token AAyi1nAiKbhykYXGUzGF9uM/nUu67J4z1ySG3weLavUN6JLQm+HCPvCNkVWWVrOppCSTmYapLx+jDhgZcx0vMA==
$OAUTH_UTILITY -d --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token AAy1JBYVLo16iq9gFdHyyknmx5T/Lq9YlbxgUdLcStOFS0H8xhHceHOL2f49qxp4uBpGuuLeLqk+RcAa5uP2EQ== --token-lifetime=3600
echo -e "\n---------------validate and print out the decoded access_token---------------"
$OAUTH_UTILITY -v -d --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token AAyi1nAiKbhykYXGUzGF9uM/nUu67J4z1ySG3weLavUN6JLQm+HCPvCNkVWWVrOppCSTmYapLx+jDhgZcx0vMA==
$OAUTH_UTILITY -v -d --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token AAy1JBYVLo16iq9gFdHyyknmx5T/Lq9YlbxgUdLcStOFS0H8xhHceHOL2f49qxp4uBpGuuLeLqk+RcAa5uP2EQ== --token-lifetime=3600
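Review bot: `OAUTH_UTILITY=bin/turnutils_oauth` on the new second line is relative to the repository root, so the script now fails when run from examples/scripts or any other directory; either make the path independent of the working directory, `OAUTH_UTILITY="$(dirname "$0")/../../bin/turnutils_oauth"`, or add a comment `# run from the repository root` above it. The new invocations also mix `--auth-key-lifetime 21600` with `--token-lifetime=3600`; one argument form throughout reads better and avoids a reader wondering whether the `=` form is required for that option.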


@ -58,7 +58,8 @@ creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
.PP
For more details, and for the access_token structure, read rfc7635.
For more details, and for the access_token structure, read rfc7635, and see
script in examples/scripts/oauth.sh.
.RE
.PP
@ -455,8 +456,8 @@ parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
"mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
.PP
For more details, and for the access_token structure, read rfc7635.
For more details, and for the access_token structure, read rfc7635, and see
the example in examples/scripts/oauth.sh.
.PP
Use either \fB\-e\fP and/or \fB\-d\fP flag to encrypt or decrypt access_token.
.PP
@ -485,24 +486,24 @@ Options with required values:
server name (max. 255 char)
.TP
.B
\fB\-j\fP, \fB\-\-long\-term\-key\-id\fP
long term key id (max. 32 char)
\fB\-j\fP, \fB\-\-auth\-key\-id\fP
Auth key id (max. 32 char)
.TP
.B
\fB\-k\fP, \fB\-\-long\-term\-key\fP
base64 encoded long term key
\fB\-k\fP, \fB\-\-auth\-key\fP
base64 encoded Auth key
.TP
.B
\fB\-l\fP
\fB\-\-long\-term\-key\-timestamp\fP long term key timestamp (sec since epoch)
\fB\-\-auth\-key\-timestamp\fP Auth key timestamp (sec since epoch)
.TP
.B
\fB\-m\fP, \fB\-\-long\-term\-key\-lifetime\fP
long term key lifetime in sec
\fB\-m\fP, \fB\-\-auth\-key\-lifetime\fP
Auth key lifetime in sec
.TP
.B
\fB\-n\fP, \fB\-\-long\-term\-key\-as\-rs\-alg\fP
Authorization Server Resource Server encryption algorithm
\fB\-n\fP, \fB\-\-auth\-key\-as\-rs\-alg\fP
Authorization \fBServer\fP(AS) \- Resource \fBServer\fP(RS) encryption algorithm
.TP
.B
\fB\-o\fP, \fB\-\-token\-nonce\fP


@ -168,7 +168,7 @@ static void print_token_body(oauth_token* dot) {
time_t time=dot->enc_block.timestamp>>16;
unsigned msec=(dot->enc_block.timestamp & 0xFFFF)*64;
printf(" timestamp:\n");
printf(" unixtime: %s", ctime(&time));
printf(" unixtime: %u (localtime: %s )", (unsigned int)time, ctime(&time));
printf(" msec:%u\n", msec);
printf(" lifetime: %lu\n", (unsigned long) dot->enc_block.lifetime);
printf("}\n");
@ -185,11 +185,11 @@ const char Usage[] =
" -e, --encrypt encrypt token\n"
" -d, --decrypt decrypt validate token\n\n"
" -i, --server-name server name (max. 255 char)\n"
" -j, --long-term-key-id long term key id (max. 32 char)\n"
" -k, --long-term-key base64 encoded long term key\n"
" -l --long-term-key-timestamp long term key timestamp (sec since epoch)\n"
" -m, --long-term-key-lifetime long term key lifetime in sec\n"
" -n, --long-term-key-as-rs-alg Authorization Server Resource Server encryption algorithm\n"
" -j, --auth-key-id Auth key id (max. 32 char)\n"
" -k, --auth-key base64 encoded Auth key\n"
" -l --auth-key-timestamp Auth key timestamp (sec since epoch)\n"
" -m, --auth-key-lifetime Auth key lifetime in sec\n"
" -n, --auth-key-as-rs-alg Authorization Server(AS) - Resource Server (RS) encryption algorithm\n"
" -o, --token-nonce base64 encoded nonce base64(12 octet) = 16 char\n"
" -p, --token-mac-key base64 encoded MAC key base64(32 octet) = 44 char\n"
" -q, --token-timestamp timestamp in format 64 bit unsigned (Native format - Unix),\n"
@ -242,11 +242,11 @@ int main(int argc, char **argv)
{"decrypt", no_argument, &decrypt_flag, 1},
{"help", no_argument, 0, 'h'},
{"server-name", required_argument, 0, 'i'},
{"long-term-key-id", required_argument, 0, 'j'},
{"long-term-key", required_argument, 0, 'k'},
{"long-term-key-timestamp", required_argument, 0, 'l'},
{"long-term-key-lifetime", required_argument, 0, 'm'},
{"long-term-key-as-rs-alg", required_argument, 0, 'n'},
{"auth-key-id", required_argument, 0, 'j'},
{"auth-key", required_argument, 0, 'k'},
{"auth-key-timestamp", required_argument, 0, 'l'},
{"auth-key-lifetime", required_argument, 0, 'm'},
{"auth-key-as-rs-alg", required_argument, 0, 'n'},
{"token-nonce", required_argument, 0, 'o'},
{"token-mac-key", required_argument, 0, 'p'},
{"token-timestamp", required_argument, 0, 'q'},
@ -297,7 +297,7 @@ int main(int argc, char **argv)
}
break;
case 'j':
//long-term-key-id
//auth-key-id
if ( strlen(optarg) <= OAUTH_LTK_ID_SIZE ) {
STRCPY(kid,optarg);
} else {
@ -306,7 +306,7 @@ int main(int argc, char **argv)
}
break;
case 'k':
//long-term-key
//auth-key
if ( strlen(optarg) <= OAUTH_LTK_BASE64ENCODED_SIZE ) {
STRCPY(base64encoded_ltk,optarg);
} else {
@ -315,15 +315,15 @@ int main(int argc, char **argv)
}
break;
case 'l':
//long-term-key-timestamp
//auth-key-timestamp
key_timestamp = atoi(optarg);
break;
case 'm':
//long-term-key-lifetime
//auth-key-lifetime
key_lifetime=atoi(optarg);
break;
case 'n':
//long-term-key-as-rs-alg
//auth-key-as-rs-alg
if ( strlen(optarg) <= OAUTH_AS_RS_ALG_SIZE ) {
STRCPY(as_rs_alg,optarg);
} else {
@ -403,19 +403,19 @@ int main(int argc, char **argv)
}
if (strlen(kid) == 0){
fprintf(stderr, "For encode/decode --long-term-key-id/-j is mandatory \n");
fprintf(stderr, "For encode/decode --auth-key-id/-j is mandatory \n");
exit(-1);
}
if (strlen(base64encoded_ltk) == 0){
fprintf(stderr, "For encode/decode --long-term-key/-k is mandatory \n");
fprintf(stderr, "For encode/decode --auth-key/-k is mandatory \n");
exit(-1);
}
if (key_timestamp == 0){
fprintf(stderr, "For encode/decode --long-term-key-timestamp/-l is mandatory \n");
fprintf(stderr, "For encode/decode --auth-key-timestamp/-l is mandatory \n");
exit(-1);
}
if (key_lifetime == 0){
fprintf(stderr, "For encode/decode --long-term-key-lifetime/-m is mandatory \n");
fprintf(stderr, "For encode/decode --auth-key-lifetime/-m is mandatory \n");
exit(-1);
}
@ -428,7 +428,22 @@ int main(int argc, char **argv)
fprintf(stderr, "For decode --token/-t is mandatory \n");
exit(-1);
}
// Expiry warnings
if ( (unsigned long long)key_timestamp<<16 > token_timestamp +((unsigned long long)token_lifetime << 16) ) {
fprintf(stderr,"\nWARNING: Token expiry is earlear then Auth key life time start timestamp!!\n\n");
} else {
if( (unsigned long long)key_timestamp<<16 > token_timestamp) {
fprintf(stderr,"\nWARNING: Token life time start timestamp is earlier then Auth key start timestamp!!\n\n");
}
}
if( (unsigned long long)( key_timestamp + key_lifetime )<<16 < token_timestamp ) {
fprintf(stderr,"\nWARNING: Auth key will expire before token lifetime start timestamp!!\n\n");
} else {
if( (unsigned long long)( key_timestamp + key_lifetime)<<16 < token_timestamp + ((unsigned long long)token_lifetime << 16) ) {
fprintf(stderr,"\nWARNING: Auth key will expire before token expiry!!\n\n");
}
}
if ( setup_ikm_key(kid, base64encoded_ltk, key_timestamp, key_lifetime, as_rs_alg, &key) == 0 ) {
if(encrypt_flag) {
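Review bot: The new expiry-warning block (from `// Expiry warnings` to the closing brace before `setup_ikm_key`) compares against the command-line `token_timestamp` and `token_lifetime`, which the decode-only path does not require (the sample script's `-d` invocations pass no `--token-timestamp`), so if those variables keep a zero default there, `(unsigned long long)key_timestamp<<16 > token_timestamp` is always true and the first warning fires spuriously; gating the block on `encrypt_flag` (or on `token_timestamp != 0`) would avoid the false alarm — confirm how they are initialised above the hunk. Both messages also read "earlear then" / "earlier then"; they should be `"\nWARNING: Token expiry is earlier than the Auth key lifetime start timestamp!!\n\n"` and `"\nWARNING: Token lifetime start timestamp is earlier than the Auth key start timestamp!!\n\n"`. The `else { if (...) }` nesting in both pairs is plainer as `else if`, and `(unsigned long long)( key_timestamp + key_lifetime )<<16` performs the addition in the operands' own type before widening, so if those are narrower than unsigned long long, `((unsigned long long)key_timestamp + (unsigned long long)key_lifetime) << 16` keeps the sum from overflowing. In the same file's print_token_body hunk, `ctime()` returns a string that already ends in '\n', so the ` )` after `%s` lands at the start of the following line, and `(unsigned int)time` truncates a 64-bit time_t; printing `%llu` with `(unsigned long long)time` and moving the parenthesis (or stripping ctime's newline) fixes both. main's body starts and ends outside this hunk.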