From 82ca50ebb247280fd7f5640da185cd45631ec0ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 7 Sep 2016 15:03:28 +0200 Subject: [PATCH] tidy and small improvments * rename long-term-key to auth-key * add warning for auth key and token lifetime expiry or missmatch * tidy sample script --- README.turnutils | 17 ++++++------ examples/scripts/oauth.sh | 12 +++++---- man/man1/turnutils.1 | 25 ++++++++--------- src/apps/oauth/oauth.c | 57 ++++++++++++++++++++++++--------------- 4 files changed, 65 insertions(+), 46 deletions(-) diff --git a/README.turnutils b/README.turnutils index 7642070..9af7dbe 100644 --- a/README.turnutils +++ b/README.turnutils @@ -44,7 +44,8 @@ creation and validationi of an access_token. It outputs a JSON with all OAuth PoP parameters that need to pass to the client. Output is generated accoriding RFC7635 Appendix B, Figure 8. -For more details, and for the access_token structure, read rfc7635. +For more details, and for the access_token structure, read rfc7635, and see +script in examples/scripts/oauth.sh. ===================================== @@ -303,8 +304,8 @@ parameters that need to pass to the client. Output is generated accoriding RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server service, but be awere that this utility does not generate "session key" / "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key". - -For more details, and for the access_token structure, read rfc7635. +For more details, and for the access_token structure, read rfc7635, and see +the example in examples/scripts/oauth.sh. Use either -e and/or -d flag to encrypt or decrypt access_token. 
@@ -322,15 +323,15 @@ Options with required values: -i, --server-name server name (max. 255 char) --j, --long-term-key-id long term key id (max. 32 char) +-j, --auth-key-id Auth key id (max. 32 char) --k, --long-term-key base64 encoded long term key +-k, --auth-key base64 encoded Auth key --l --long-term-key-timestamp long term key timestamp (sec since epoch) +-l --auth-key-timestamp Auth key timestamp (sec since epoch) --m, --long-term-key-lifetime long term key lifetime in sec +-m, --auth-key-lifetime Auth key lifetime in sec --n, --long-term-key-as-rs-alg Authorization Server Resource Server encryption algorithm +-n, --auth-key-as-rs-alg Authorization Server(AS) - Resource Server(RS) encryption algorithm -o, --token-nonce base64 encoded nonce base64(12 octet) = 16 char diff --git a/examples/scripts/oauth.sh b/examples/scripts/oauth.sh index ac902b3..e869f17 100755 --- a/examples/scripts/oauth.sh +++ b/examples/scripts/oauth.sh 
@@ -1,15 +1,17 @@ #!/bin/bash -OAUTH_UTILITY=../../bin/turnutils_oauth + +OAUTH_UTILITY=bin/turnutils_oauth + echo "--------------create an access_token---------------" -$OAUTH_UTILITY -e --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16332934350000 +$OAUTH_UTILITY -e --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16333642137600 --token-lifetime=3600 echo "---------------create and validate and print out the decoded access_token---------------" -$OAUTH_UTILITY -v -d -e --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16332934350000 +$OAUTH_UTILITY -v -d -e --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token-mac-key WmtzanB3ZW9peFhtdm42NzUzNG0= --token-timestamp 16333642137600 --token-lifetime=3600 echo -e "\n---------------just validate only the access_token---------------" -$OAUTH_UTILITY -d --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token AAyi1nAiKbhykYXGUzGF9uM/nUu67J4z1ySG3weLavUN6JLQm+HCPvCNkVWWVrOppCSTmYapLx+jDhgZcx0vMA== +$OAUTH_UTILITY -d --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token 
AAy1JBYVLo16iq9gFdHyyknmx5T/Lq9YlbxgUdLcStOFS0H8xhHceHOL2f49qxp4uBpGuuLeLqk+RcAa5uP2EQ== --token-lifetime=3600 echo -e "\n---------------validate and print out the decoded access_token---------------" -$OAUTH_UTILITY -v -d --server-name example.com --long-term-key-id 1234 --long-term-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --long-term-key-timestamp 249213600 --long-term-key-lifetime 86400 --token AAyi1nAiKbhykYXGUzGF9uM/nUu67J4z1ySG3weLavUN6JLQm+HCPvCNkVWWVrOppCSTmYapLx+jDhgZcx0vMA== +$OAUTH_UTILITY -v -d --server-name example.com --auth-key-id 1234 --auth-key SEdrajMyS0pHaXV5MDk4c2RmYXFiTmpPaWF6NzE5MjM= --auth-key-timestamp 249213600 --auth-key-lifetime 21600 --token AAy1JBYVLo16iq9gFdHyyknmx5T/Lq9YlbxgUdLcStOFS0H8xhHceHOL2f49qxp4uBpGuuLeLqk+RcAa5uP2EQ== --token-lifetime=3600 diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index c32bbf1..07319df 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -58,7 +58,8 @@ creation and validationi of an access_token. It outputs a JSON with all OAuth PoP parameters that need to pass to the client. Output is generated accoriding RFC7635 Appendix B, Figure 8. .PP -For more details, and for the access_token structure, read rfc7635. +For more details, and for the access_token structure, read rfc7635, and see +script in examples/scripts/oauth.sh. .RE .PP @@ -455,8 +456,8 @@ parameters that need to pass to the client. Output is generated accoriding RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server service, but be awere that this utility does not generate "session key" / "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key". -.PP -For more details, and for the access_token structure, read rfc7635. +For more details, and for the access_token structure, read rfc7635, and see +the example in examples/scripts/oauth.sh. .PP Use either \fB\-e\fP and/or \fB\-d\fP flag to encrypt or decrypt access_token. .PP 
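Review bot: `OAUTH_UTILITY=bin/turnutils_oauth` on the new second line resolves against the caller's working directory, so the sample only runs from the repository root after a build, whereas the old `../../bin/turnutils_oauth` worked from the script's own directory; neither assumption is stated in the script. Suggest `OAUTH_UTILITY=${OAUTH_UTILITY:-"$(dirname "$0")/../../bin/turnutils_oauth"}` so the default keeps working from wherever the script is invoked and an installed binary can be substituted through the environment. The new values are internally consistent — auth key 249213600 + 21600 and token 16333642137600 >> 16 = 249231600 + 3600 both end at 249235200 — which is worth a one-line comment above the first call so a reader knows the expiry warnings added in oauth.c are expected to stay silent for this example.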
@@ -485,24 +486,24 @@ Options with required values:
 server name (max. 255 char)
 .TP
 .B
-\fB\-j\fP, \fB\-\-long\-term\-key\-id\fP
-long term key id (max. 32 char)
+\fB\-j\fP, \fB\-\-auth\-key\-id\fP
+Auth key id (max. 32 char)
 .TP
 .B
-\fB\-k\fP, \fB\-\-long\-term\-key\fP
-base64 encoded long term key
+\fB\-k\fP, \fB\-\-auth\-key\fP
+base64 encoded Auth key
 .TP
 .B
 \fB\-l\fP
-\fB\-\-long\-term\-key\-timestamp\fP long term key timestamp (sec since epoch)
+\fB\-\-auth\-key\-timestamp\fP Auth key timestamp (sec since epoch)
 .TP
 .B
-\fB\-m\fP, \fB\-\-long\-term\-key\-lifetime\fP
-long term key lifetime in sec
+\fB\-m\fP, \fB\-\-auth\-key\-lifetime\fP
+Auth key lifetime in sec
 .TP
 .B
-\fB\-n\fP, \fB\-\-long\-term\-key\-as\-rs\-alg\fP
-Authorization Server Resource Server encryption algorithm
+\fB\-n\fP, \fB\-\-auth\-key\-as\-rs\-alg\fP
+Authorization \fBServer\fP(AS) \- Resource \fBServer\fP(RS) encryption algorithm
 .TP
 .B
 \fB\-o\fP, \fB\-\-token\-nonce\fP
diff --git a/src/apps/oauth/oauth.c b/src/apps/oauth/oauth.c
index 457f572..c849804 100644
--- a/src/apps/oauth/oauth.c
+++ b/src/apps/oauth/oauth.c
@@ -168,7 +168,7 @@ static void print_token_body(oauth_token* dot) {
 time_t time=dot->enc_block.timestamp>>16;
 unsigned msec=(dot->enc_block.timestamp & 0xFFFF)*64;
 printf(" timestamp:\n");
- printf(" unixtime: %s", ctime(&time));
+ printf(" unixtime: %u (localtime: %s )", (unsigned int)time, ctime(&time));
 printf(" msec:%u\n", msec);
 printf(" lifetime: %lu\n", (unsigned long) dot->enc_block.lifetime);
 printf("}\n");
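Review bot: The new `printf` in print_token_body passes `ctime(&time)` to `%s`, and ctime's result ends in a newline, so the closing ` )` is printed at the start of the next output line; `%u` with `(unsigned int)time` also truncates a 64-bit `time_t` to 32 bits. Suggest `printf(" unixtime: %llu (localtime: %.24s )\n", (unsigned long long)time, ctime(&time));` — the `%.24s` precision drops ctime's trailing newline and the cast no longer loses bits. On some libcs ctime returns NULL when the value cannot be represented, and since this line runs on a timestamp decoded from the token it is worth guarding that case and printing only the numeric value. print_token_body starts before the hunk.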
@@ -185,11 +185,11 @@ const char Usage[] =
 " -e, --encrypt encrypt token\n"
 " -d, --decrypt decrypt validate token\n\n"
 " -i, --server-name server name (max. 255 char)\n"
- " -j, --long-term-key-id long term key id (max. 32 char)\n"
- " -k, --long-term-key base64 encoded long term key\n"
- " -l --long-term-key-timestamp long term key timestamp (sec since epoch)\n"
- " -m, --long-term-key-lifetime long term key lifetime in sec\n"
- " -n, --long-term-key-as-rs-alg Authorization Server Resource Server encryption algorithm\n"
+ " -j, --auth-key-id Auth key id (max. 32 char)\n"
+ " -k, --auth-key base64 encoded Auth key\n"
+ " -l --auth-key-timestamp Auth key timestamp (sec since epoch)\n"
+ " -m, --auth-key-lifetime Auth key lifetime in sec\n"
+ " -n, --auth-key-as-rs-alg Authorization Server(AS) - Resource Server (RS) encryption algorithm\n"
 " -o, --token-nonce base64 encoded nonce base64(12 octet) = 16 char\n"
 " -p, --token-mac-key base64 encoded MAC key base64(32 octet) = 44 char\n"
 " -q, --token-timestamp timestamp in format 64 bit unsigned (Native format - Unix),\n"
@@ -242,11 +242,11 @@ int main(int argc, char **argv)
 {"decrypt", no_argument, &decrypt_flag, 1},
 {"help", no_argument, 0, 'h'},
 {"server-name", required_argument, 0, 'i'},
- {"long-term-key-id", required_argument, 0, 'j'},
- {"long-term-key", required_argument, 0, 'k'},
- {"long-term-key-timestamp", required_argument, 0, 'l'},
- {"long-term-key-lifetime", required_argument, 0, 'm'},
- {"long-term-key-as-rs-alg", required_argument, 0, 'n'},
+ {"auth-key-id", required_argument, 0, 'j'},
+ {"auth-key", required_argument, 0, 'k'},
+ {"auth-key-timestamp", required_argument, 0, 'l'},
+ {"auth-key-lifetime", required_argument, 0, 'm'},
+ {"auth-key-as-rs-alg", required_argument, 0, 'n'},
 {"token-nonce", required_argument, 0, 'o'},
 {"token-mac-key", required_argument, 0, 'p'},
 {"token-timestamp", required_argument, 0, 'q'},
@@ -297,7 +297,7 @@ int main(int argc, char **argv)
 }
 break;
 case 'j':
- //long-term-key-id
+ //auth-key-id
 if ( strlen(optarg) <= OAUTH_LTK_ID_SIZE ) {
 STRCPY(kid,optarg);
 } else {
@@ -306,7 +306,7 @@ int main(int argc, char **argv)
 }
 break;
 case 'k':
- //long-term-key
+ //auth-key
 if ( strlen(optarg) <= OAUTH_LTK_BASE64ENCODED_SIZE ) {
 STRCPY(base64encoded_ltk,optarg);
 } else {
@@ -315,15 +315,15 @@ int main(int argc, char **argv)
 }
 break;
 case 'l':
- //long-term-key-timestamp
+ //auth-key-timestamp
 key_timestamp = atoi(optarg);
 break;
 case 'm':
- //long-term-key-lifetime
+ //auth-key-lifetime
 key_lifetime=atoi(optarg);
 break;
 case 'n':
- //long-term-key-as-rs-alg
+ //auth-key-as-rs-alg
 if ( strlen(optarg) <= OAUTH_AS_RS_ALG_SIZE ) {
 STRCPY(as_rs_alg,optarg);
 } else {
@@ -403,19 +403,19 @@ int main(int argc, char **argv)
 }
 if (strlen(kid) == 0){
- fprintf(stderr, "For encode/decode --long-term-key-id/-j is mandatory \n");
+ fprintf(stderr, "For encode/decode --auth-key-id/-j is mandatory \n");
 exit(-1);
 }
 if (strlen(base64encoded_ltk) == 0){
- fprintf(stderr, "For encode/decode --long-term-key/-k is mandatory \n");
+ fprintf(stderr, "For encode/decode --auth-key/-k is mandatory \n");
 exit(-1);
 }
 if (key_timestamp == 0){
- fprintf(stderr, "For encode/decode --long-term-key-timestamp/-l is mandatory \n");
+ fprintf(stderr, "For encode/decode --auth-key-timestamp/-l is mandatory \n");
 exit(-1);
 }
 if (key_lifetime == 0){
- fprintf(stderr, "For encode/decode --long-term-key-lifetime/-m is mandatory \n");
+ fprintf(stderr, "For encode/decode --auth-key-lifetime/-m is mandatory \n");
 exit(-1);
 }
@@ -428,7 +428,22 @@ int main(int argc, char **argv)
 fprintf(stderr, "For decode --token/-t is mandatory \n");
 exit(-1);
 }
-
+
+ // Expiry warnings
+ if ( (unsigned long long)key_timestamp<<16 > token_timestamp +((unsigned long long)token_lifetime << 16) ) {
+ fprintf(stderr,"\nWARNING: Token expiry is earlear then Auth key life time start timestamp!!\n\n");
+ } else {
+ if( (unsigned long long)key_timestamp<<16 > token_timestamp) {
+ fprintf(stderr,"\nWARNING: Token life time start timestamp is earlier then Auth key start timestamp!!\n\n");
+ }
+ }
+ if( (unsigned long long)( key_timestamp + key_lifetime )<<16 < token_timestamp ) {
+ fprintf(stderr,"\nWARNING: Auth key will expire before token lifetime start timestamp!!\n\n");
+ } else {
+ if( (unsigned long long)( key_timestamp + key_lifetime)<<16 < token_timestamp + ((unsigned long long)token_lifetime << 16) ) {
+ fprintf(stderr,"\nWARNING: Auth key will expire before token expiry!!\n\n");
+ }
+ }
 if ( setup_ikm_key(kid, base64encoded_ltk, key_timestamp, key_lifetime, as_rs_alg, &key) == 0 ) {
 if(encrypt_flag) {