From 50aa57c3483ea6e489870e44498fb322a01cc979 Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Sat, 3 Jul 2021 11:06:44 +0200 Subject: Do not accept the password in clear, use an encrypted password --- src/scm/webid-oidc/authorization-endpoint.scm | 10 +++++--- src/scm/webid-oidc/identity-provider.scm | 4 ++-- src/scm/webid-oidc/program.scm | 34 +++++++++++++-------------- 3 files changed, 26 insertions(+), 22 deletions(-) (limited to 'src/scm') diff --git a/src/scm/webid-oidc/authorization-endpoint.scm b/src/scm/webid-oidc/authorization-endpoint.scm index 3c4a730..9ff994c 100644 --- a/src/scm/webid-oidc/authorization-endpoint.scm +++ b/src/scm/webid-oidc/authorization-endpoint.scm @@ -29,7 +29,11 @@ #:use-module (ice-9 receive) #:use-module (ice-9 optargs)) -(define*-public (make-authorization-endpoint subject the-password alg jwk validity +(define (verify-password encrypted-password password) + (let ((c (crypt password encrypted-password))) + (string=? c encrypted-password))) + +(define*-public (make-authorization-endpoint subject encrypted-password alg jwk validity #:key (http-get http-get) (current-time current-time)) @@ -81,7 +85,7 @@ (error-no-redirect-uri locale)) ((and (eq? method 'POST) (string? password) - (string=? password the-password)) + (verify-password encrypted-password password)) (with-exception-handler (lambda (error) (error-application locale error)) @@ -123,7 +127,7 @@ (else (authorization-page locale (not (and password - (string=? password the-password))) + (verify-password encrypted-password password))) client-id uri))))))) diff --git a/src/scm/webid-oidc/identity-provider.scm b/src/scm/webid-oidc/identity-provider.scm index 37a01be..8bd3e5b 100644 --- a/src/scm/webid-oidc/identity-provider.scm +++ b/src/scm/webid-oidc/identity-provider.scm @@ -53,7 +53,7 @@ issuer key-file subject - password + encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri 
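Review bot: `verify-password` compares the `crypt` output with `string=?`, which stops at the first differing character, so the time taken by a failed login depends on how long a prefix of the stored hash the submitted value reproduces; a comparison that always walks the full length (fold the per-character differences into one flag and test it at the end) would remove that dependence. The helper also hands `password` to `crypt` without checking its type: hunk `@@ -81,7 +85,7 @@` tests `(string? password)` before calling it, but hunk `@@ -123,7 +127,7 @@` only tests `(and password ...)`, so a non-string form value there reaches `crypt` and raises instead of counting as a failed login; moving the check into the helper, `(and (string? password) (string=? (crypt password encrypted-password) encrypted-password))`, keeps both call sites consistent. A comment above the definition should state that `encrypted-password` must be a crypt(3)-style setting string whose prefix selects the hash algorithm, since a value with no usable prefix either selects the weakest traditional scheme or makes `crypt` fail, and which of the two Guile's binding does here is worth confirming. make-authorization-endpoint's body continues outside the hunk.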
@@ -79,7 +79,7 @@ 'RS256 'ES256))) (let ((authorization-endpoint - (make-authorization-endpoint subject password alg key 120 + (make-authorization-endpoint subject encrypted-password alg key 120 #:current-time current-time #:http-get http-get)) (token-endpoint diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm index 7e47c2b..f083700 100644 --- a/src/scm/webid-oidc/program.scm +++ b/src/scm/webid-oidc/program.scm @@ -153,8 +153,8 @@ (string->symbol (G_ "command-line|server|issuer|key-file"))) (subject-sym (string->symbol (G_ "command-line|server|issuer|subject"))) - (password-sym - (string->symbol (G_ "command-line|server|issuer|password"))) + (encrypted-password-sym + (string->symbol (G_ "command-line|server|issuer|encrypted-password"))) (jwks-uri-sym (string->symbol (G_ "command-line|server|issuer|jwks-uri"))) (authorization-endpoint-uri-sym @@ -182,7 +182,7 @@ (,error-file-sym (single-char #\e) (value #t)) (,key-file-sym (single-char #\k) (value #t)) (,subject-sym (single-char #\s) (value #t)) - (,password-sym (single-char #\w) (value #t)) + (,encrypted-password-sym (single-char #\w) (value #t)) (,jwks-uri-sym (single-char #\j) (value #t)) (,authorization-endpoint-uri-sym (single-char #\a) (value #t)) (,token-endpoint-uri-sym (single-char #\t) (value #t)) @@ -252,8 +252,8 @@ Options for the identity provider: key is generated. -s WEBID, --~a=WEBID: set the identity of the subject. - -w PASSWORD, --~a=PASSWORD: - set the password to recognize the user. + -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD: + set the encrypted password to recognize the user. -j URI, --~a=URI: set the URI to query the key of the server. -a URI, --~a=URI: 
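Review bot: The new help text for `-w` in hunk `@@ -252,8 +252,8 @@` says only "set the encrypted password", which does not tell the operator what format the server accepts; since the value is checked with `crypt`, the line should name it, e.g. `set the crypt(3)-style hashed password (including its salt prefix) used to recognize the user.`. It is also worth a sentence in the same text that a value given on the command line is readable by other local users through the process list and may be recorded in shell history even when expanded from a variable, as the usage example later in the patch does; reading it from a file would avoid that, but that is a wider change than this commit and a note in the help is enough for now.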
@@ -324,7 +324,7 @@ invoked with the following options: --~a 'https://webid-oidc-demo.planete-kraus.eu' \\ --~a '/var/lib/webid-oidc/issuer/key.jwk' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\ - --~a \"$PASSWORD\" \\ + --~a \"$ENCRYPTED_PASSWORD\" \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\ @@ -375,7 +375,7 @@ If you find a bug, then please send a report to ~a. ;; Options for the identity provider key-file-sym subject-sym - password-sym + encrypted-password-sym jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym @@ -414,7 +414,7 @@ If you find a bug, then please send a report to ~a. (car (command-line)) (G_ "command-line|command|identity-provider") complete-corresponding-source-sym - server-name-sym key-file-sym subject-sym password-sym + server-name-sym key-file-sym subject-sym encrypted-password-sym jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym port-sym ;; Running the public pages for an application @@ -478,7 +478,7 @@ If you find a bug, then please send a report to ~a. (subject (let ((str (option-ref options subject-sym #f))) (and str (string->uri str)))) - (password (option-ref options password-sym #f)) + (encrypted-password (option-ref options encrypted-password-sym #f)) (jwks-uri (let ((str (option-ref options jwks-uri-sym #f))) (and str (string->uri str)))) 
@@ -544,9 +544,9 @@ If you find a bug, then please send a report to ~a. (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n") subject-sym) (exit 1)) - (unless password - (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n") - password-sym) + (unless encrypted-password + (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n") + encrypted-password-sym) (exit 1)) (unless jwks-uri (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") @@ -562,7 +562,7 @@ If you find a bug, then please send a report to ~a. (exit 1)) (let ((handler (make-identity-provider - server-name key-file subject password jwks-uri + server-name key-file subject encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri (make-jti-list) #:current-time current-time @@ -616,9 +616,9 @@ If you find a bug, then please send a report to ~a. (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n") subject-sym) (exit 1)) - (unless password - (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n") - password-sym) + (unless encrypted-password + (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n") + encrypted-password-sym) (exit 1)) (unless jwks-uri (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") @@ -654,7 +654,7 @@ If you find a bug, then please send a report to ~a. #:http-get cache-http-get)) (identity-provider-handler (make-identity-provider - server-name key-file subject password jwks-uri + server-name key-file subject encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri jti-list #:current-time current-time -- cgit v1.2.3
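Review bot: The `(unless encrypted-password ...)` check and its error message are duplicated verbatim in hunks `@@ -544,9 +544,9 @@` and `@@ -616,9 +616,9 @@`, and this commit had to edit the wording in both places at once; a small helper taking the value, the option symbol and the message would keep the two command paths from drifting apart on the next change. The enclosing definitions start outside these hunks.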