authorVivien Kraus <vivien@planete-kraus.eu>2021-07-03 11:06:44 +0200
committerVivien Kraus <vivien@planete-kraus.eu>2021-07-03 11:13:22 +0200
commit50aa57c3483ea6e489870e44498fb322a01cc979 (patch)
treec6841ed38f607b49116f95e90bd76ae239228790 /src
parent752baccc78ecfc769c0aa228f1af2e1ec1c30027 (diff)
Do not accept the password in the clear, use an encrypted password
Diffstat (limited to 'src')
-rw-r--r--src/scm/webid-oidc/authorization-endpoint.scm10
-rw-r--r--src/scm/webid-oidc/identity-provider.scm4
-rw-r--r--src/scm/webid-oidc/program.scm34
3 files changed, 26 insertions, 22 deletions
diff --git a/src/scm/webid-oidc/authorization-endpoint.scm b/src/scm/webid-oidc/authorization-endpoint.scm
index 3c4a730..9ff994c 100644
--- a/src/scm/webid-oidc/authorization-endpoint.scm
+++ b/src/scm/webid-oidc/authorization-endpoint.scm
@@ -29,7 +29,11 @@
#:use-module (ice-9 receive)
#:use-module (ice-9 optargs))
-(define*-public (make-authorization-endpoint subject the-password alg jwk validity
+(define (verify-password encrypted-password password)
+ (let ((c (crypt password encrypted-password)))
+ (string=? c encrypted-password)))
+
+(define*-public (make-authorization-endpoint subject encrypted-password alg jwk validity
#:key
(http-get http-get)
(current-time current-time))
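Review bot: `verify-password` at the top of the hunk is new and undocumented, and it compares the two crypt strings with `string=?`, which stops at the first mismatching character; for a hash-to-hash comparison that is only a minor timing channel, but a comparison that always walks the full length would be cleaner. `crypt` here wraps the libc routine, so when `encrypted-password` is not a well-formed settings string the result is not guaranteed to be a comparable string — presumably Guile signals an error in that case rather than returning `#f`, which would surface inside the request handler instead of as a failed login, so it is worth confirming the caller tolerates it. I would give the procedure a docstring such as `"Return #t if PASSWORD, hashed with crypt(3) using the settings prefix of ENCRYPTED-PASSWORD, equals ENCRYPTED-PASSWORD."`. `make-authorization-endpoint`, whose signature the hunk renames, continues outside the hunk.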
@@ -81,7 +85,7 @@
(error-no-redirect-uri locale))
((and (eq? method 'POST)
(string? password)
- (string=? password the-password))
+ (verify-password encrypted-password password))
(with-exception-handler
(lambda (error)
(error-application locale error))
@@ -123,7 +127,7 @@
(else
(authorization-page locale
(not (and password
- (string=? password the-password)))
+ (verify-password encrypted-password password)))
client-id
uri)))))))
diff --git a/src/scm/webid-oidc/identity-provider.scm b/src/scm/webid-oidc/identity-provider.scm
index 37a01be..8bd3e5b 100644
--- a/src/scm/webid-oidc/identity-provider.scm
+++ b/src/scm/webid-oidc/identity-provider.scm
@@ -53,7 +53,7 @@
issuer
key-file
subject
- password
+ encrypted-password
jwks-uri
authorization-endpoint-uri
token-endpoint-uri
@@ -79,7 +79,7 @@
'RS256
'ES256)))
(let ((authorization-endpoint
- (make-authorization-endpoint subject password alg key 120
+ (make-authorization-endpoint subject encrypted-password alg key 120
#:current-time current-time
#:http-get http-get))
(token-endpoint
diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm
index 7e47c2b..f083700 100644
--- a/src/scm/webid-oidc/program.scm
+++ b/src/scm/webid-oidc/program.scm
@@ -153,8 +153,8 @@
(string->symbol (G_ "command-line|server|issuer|key-file")))
(subject-sym
(string->symbol (G_ "command-line|server|issuer|subject")))
- (password-sym
- (string->symbol (G_ "command-line|server|issuer|password")))
+ (encrypted-password-sym
+ (string->symbol (G_ "command-line|server|issuer|encrypted-password")))
(jwks-uri-sym
(string->symbol (G_ "command-line|server|issuer|jwks-uri")))
(authorization-endpoint-uri-sym
@@ -182,7 +182,7 @@
(,error-file-sym (single-char #\e) (value #t))
(,key-file-sym (single-char #\k) (value #t))
(,subject-sym (single-char #\s) (value #t))
- (,password-sym (single-char #\w) (value #t))
+ (,encrypted-password-sym (single-char #\w) (value #t))
(,jwks-uri-sym (single-char #\j) (value #t))
(,authorization-endpoint-uri-sym (single-char #\a) (value #t))
(,token-endpoint-uri-sym (single-char #\t) (value #t))
@@ -252,8 +252,8 @@ Options for the identity provider:
key is generated.
-s WEBID, --~a=WEBID:
set the identity of the subject.
- -w PASSWORD, --~a=PASSWORD:
- set the password to recognize the user.
+ -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:
+ set the encrypted password to recognize the user.
-j URI, --~a=URI:
set the URI to query the key of the server.
-a URI, --~a=URI:
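Review bot: The rewritten help entry for `-w ENCRYPTED_PASSWORD` says only that the value is "encrypted", which does not tell an operator what format is expected or how to produce it; from the authorization-endpoint change in this commit the value is a crypt(3) hash string, i.e. the form stored in the password field of an `/etc/shadow` entry. Since the hash is still supplied as a command-line argument it also remains visible in process listings, which is worth stating next to the option. I would extend the description to `set the encrypted password to recognize the user. The value is a crypt(3) hash string, as stored in /etc/shadow; note that command-line arguments are visible to other local users.`. The usage string this text belongs to starts and ends outside the hunk.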
@@ -324,7 +324,7 @@ invoked with the following options:
--~a 'https://webid-oidc-demo.planete-kraus.eu' \\
--~a '/var/lib/webid-oidc/issuer/key.jwk' \\
--~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\
- --~a \"$PASSWORD\" \\
+ --~a \"$ENCRYPTED_PASSWORD\" \\
--~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\
--~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\
--~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\
@@ -375,7 +375,7 @@ If you find a bug, then please send a report to ~a.
;; Options for the identity provider
key-file-sym
subject-sym
- password-sym
+ encrypted-password-sym
jwks-uri-sym
authorization-endpoint-uri-sym
token-endpoint-uri-sym
@@ -414,7 +414,7 @@ If you find a bug, then please send a report to ~a.
(car (command-line))
(G_ "command-line|command|identity-provider")
complete-corresponding-source-sym
- server-name-sym key-file-sym subject-sym password-sym
+ server-name-sym key-file-sym subject-sym encrypted-password-sym
jwks-uri-sym authorization-endpoint-uri-sym
token-endpoint-uri-sym port-sym
;; Running the public pages for an application
@@ -478,7 +478,7 @@ If you find a bug, then please send a report to ~a.
(subject
(let ((str (option-ref options subject-sym #f)))
(and str (string->uri str))))
- (password (option-ref options password-sym #f))
+ (encrypted-password (option-ref options encrypted-password-sym #f))
(jwks-uri
(let ((str (option-ref options jwks-uri-sym #f)))
(and str (string->uri str))))
@@ -544,9 +544,9 @@ If you find a bug, then please send a report to ~a.
(format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n")
subject-sym)
(exit 1))
- (unless password
- (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n")
- password-sym)
+ (unless encrypted-password
+ (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n")
+ encrypted-password-sym)
(exit 1))
(unless jwks-uri
(format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n")
@@ -562,7 +562,7 @@ If you find a bug, then please send a report to ~a.
(exit 1))
(let ((handler
(make-identity-provider
- server-name key-file subject password jwks-uri
+ server-name key-file subject encrypted-password jwks-uri
authorization-endpoint-uri token-endpoint-uri
(make-jti-list)
#:current-time current-time
@@ -616,9 +616,9 @@ If you find a bug, then please send a report to ~a.
(format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n")
subject-sym)
(exit 1))
- (unless password
- (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n")
- password-sym)
+ (unless encrypted-password
+ (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n")
+ encrypted-password-sym)
(exit 1))
(unless jwks-uri
(format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n")
@@ -654,7 +654,7 @@ If you find a bug, then please send a report to ~a.
#:http-get cache-http-get))
(identity-provider-handler
(make-identity-provider
- server-name key-file subject password jwks-uri
+ server-name key-file subject encrypted-password jwks-uri
authorization-endpoint-uri token-endpoint-uri
jti-list
#:current-time current-time