From 2e1056cc132a4974fd88fd18714fd354bc5c89f2 Mon Sep 17 00:00:00 2001
From: Jonathon Duerig <duerig@flux.utah.edu>
Date: Thu, 21 Aug 2014 12:55:09 -0600
Subject: [PATCH] Finish up authorization protocol for geni users.

The protocol now works perfectly.

TODO: Figure out why certificate parsing is failing
---
 www/aptui/geni-login.ajax  |  13 +++--
 www/aptui/js/geni-login.js | 102 ++++++++-----------------------------
 2 files changed, 30 insertions(+), 85 deletions(-)

diff --git a/www/aptui/geni-login.ajax b/www/aptui/geni-login.ajax
index 4921aae1c7..dfee2f232b 100644
--- a/www/aptui/geni-login.ajax
+++ b/www/aptui/geni-login.ajax
@@ -62,6 +62,7 @@ function Do_CreateSecret()
 
     $infname  = tempnam("/tmp", "pkcs7in");
     $outfname = tempnam("/tmp", "pkcs7out");
+    $userCertName = tempnam("/tmp", "pkcs7cert");
 
     #
     # Decrypt the random bytes. To do this we have to put the stuff
@@ -74,7 +75,7 @@ function Do_CreateSecret()
     $exec_retval       = 0;
 
     exec("/usr/bin/openssl smime -decrypt -inform PEM -inkey ".
-	 "${TBDIR}/etc/genicm.pem -in $infname -out $outfname",
+	 "${TBDIR}/etc/genisa.pem -in $infname -out $outfname",
 	 $exec_output_array, $exec_retval);
 
     if ($exec_retval) {
@@ -96,8 +97,12 @@ function Do_CreateSecret()
     fwrite($fp, $r2_decrypted);
     fclose($fp);
 
+    $fp = fopen($userCertName, "w");
+    fwrite($fp, $certificate);
+    fclose($fp);
+
     exec("/usr/bin/openssl smime -encrypt -outform PEM ".
-	 "-in $infname -out $outfname ${TBDIR}/etc/genicm.pem",
+	 "-in $infname -out $outfname -aes256 $userCertName",
 	 $exec_output_array, $exec_retval);
 
     if ($exec_retval) {
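Review bot: The new write of the certificate (`$fp = fopen($userCertName, "w"); fwrite($fp, $certificate); fclose($fp);`) never checks that fopen succeeded, so on failure the recipient file is empty or missing and the following openssl call fails with a message that points at encryption rather than at the real cause; guard it with `if (($fp = fopen($userCertName, "w")) === false) { ... return; }` using the same error reporting the two `$exec_retval` branches use. `$certificate` is whatever the client posted (the JavaScript side sends it as `"certificate"`), and the openssl exit status is the only validation it receives before being used as the recipient certificate, so that `$exec_retval` branch is the one place a malformed or attacker-chosen certificate surfaces and it should report that clearly. Nothing in this hunk removes the third temp file; if `$infname` and `$outfname` are unlinked later in Do_CreateSecret, add `unlink($userCertName);` beside them. Do_CreateSecret continues outside the hunk.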
@@ -110,11 +115,9 @@ function Do_CreateSecret()
 	return;
     }
     $r2_encrypted = file_get_contents($outfname);
-    $secret = bin2hex(pack('H*', $r1_decrypted) ^ pack('H*', $r2_decrypted));
+    $secret = $r1_decrypted . $r2_decrypted;#bin2hex(pack('H*', $r1_decrypted) ^ pack('H*', $r2_decrypted));
 
     $blob = array();
-    $blob["secret"]       = $secret;
-    $blob["r1_decrypted"] = $r1_decrypted;
     $blob["r2_encrypted"] = $r2_encrypted;
 
     # Store in the session.
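Review bot: The new `$secret` line keeps the old XOR expression as a trailing `#bin2hex(pack('H*', ...))` fragment, which reads as dead code rather than as an explanation of why the derivation changed from XOR to concatenation; drop the fragment and put a why-comment above the line instead, e.g. `# secret = r1 . r2 (both as written by the decrypt steps); the client must derive the identical value`. The client-side derivation is not visible in this diff (the JavaScript side now only receives `r2_encrypted`), so that comment is also where the cross-file contract should be pinned down. Removing `secret` and `r1_decrypted` from the response blob means the session store announced by the trailing comment is the secret's only consumer, and that code is outside the hunk.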
diff --git a/www/aptui/js/geni-login.js b/www/aptui/js/geni-login.js
index b47fc4c0c6..cc5bbd5dd7 100644
--- a/www/aptui/js/geni-login.js
+++ b/www/aptui/js/geni-login.js
@@ -6,44 +6,6 @@ function (_, sup, forge, loginString)
 {
     'use strict';
     var ajaxurl;
-    var secret = null;
-
-    var foo = "-----BEGIN PKCS7-----\n" +
-	"MIIByQYJKoZIhvcNAQcDoIIBujCCAbYCAQAxggFcMIIBWAIBADCBwDCBuDELMAkG\n" +
-	"A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5\n" +
-	"MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEeMBwGA1UECxMVQ2VydGlm\n" +
-	"aWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDEw9ib3NzLmVtdWxhYi5uZXQxKDAmBgkq\n" +
-	"hkiG9w0BCQEWGXRlc3RiZWQtb3BzQGZsdXgudXRhaC5lZHUCAwEv7TANBgkqhkiG\n" +
-	"9w0BAQEFAASBgB3SoXZgUFEJrN8gGW06B0O7TzKs9vCSXgHPFGhTHLYWQy7MhV3z\n" +
-	"neFDhJw4I4fUu/JOWSMZ58EustIewj652ASYKEGEzzUpNyYA8vyVceiLatiZblMP\n" +
-	"vwPo3IBacDqPuiBFB1CPPO/vhd7/M1oZCknmm37sa4Has0fR8T5mIhIiMFEGCSqG\n" +
-	"SIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIenog8mG95S6AKN0z8UedzqQ22T4Z\n" +
-	"PHy/Lc5zyIDba6mmud8d1h5WT+gq+sP0aLPgQfA=\n" +
-	"-----END PKCS7-----\n";
-
-    var mycert = "-----BEGIN CERTIFICATE-----\n" +
-	"MIID4DCCA0mgAwIBAgIDAlCGMA0GCSqGSIb3DQEBBAUAMIG4MQswCQYDVQQGEwJV\n" +
-	"UzENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxHTAbBgNV\n" +
-	"BAoTFFV0YWggTmV0d29yayBUZXN0YmVkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB\n" +
-	"dXRob3JpdHkxGDAWBgNVBAMTD2Jvc3MuZW11bGFiLm5ldDEoMCYGCSqGSIb3DQEJ\n" +
-	"ARYZdGVzdGJlZC1vcHNAZmx1eC51dGFoLmVkdTAeFw0xNDAyMDMxNzAxMjJaFw0x\n" +
-	"NTAyMDMxNzAxMjJaMIGqMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEdMBsG\n" +
-	"A1UEChMUVXRhaCBOZXR3b3JrIFRlc3RiZWQxGzAZBgNVBAsTEnV0YWhlbXVsYWIu\n" +
-	"c3RvbGxlcjEtMCsGA1UEAxMkMGIyZWI5N2UtZWQzMC0xMWRiLTk2Y2ItMDAxMTQz\n" +
-	"ZTQ1M2ZlMSEwHwYJKoZIhvcNAQkBFhJzdG9sbGVyQGVtdWxhYi5uZXQwgZ8wDQYJ\n" +
-	"KoZIhvcNAQEBBQADgY0AMIGJAoGBAK5+JRzpLj9aJakzFHXyLri+eqNyfqySjsB8\n" +
-	"2gnzW4h6MAChQFuc4j3m/fIh39buzDRX3nhMF10etZKEHb7sPmA6hzQzq+0y8vGj\n" +
-	"3dSiyjsy8SOjGrZAKrBC2mV5eXIFklyglFHJF263SWbUzv48W/quQRFlG+hV3/oL\n" +
-	"OH0tQUzbAgMBAAGjggECMIH/MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGAYW2vo\n" +
-	"Fecr8tsRcL5H6gSXAUH9MHYGA1UdEQRvMG2GKHVybjpwdWJsaWNpZDpJRE4rZW11\n" +
-	"bGFiLm5ldCt1c2VyK3N0b2xsZXKBEnN0b2xsZXJAZW11bGFiLm5ldIYtdXJuOnV1\n" +
-	"aWQ6MGIyZWI5N2UtZWQzMC0xMWRiLTk2Y2ItMDAxMTQzZTQ1M2ZlMFgGCCsGAQUF\n" +
-	"BwEBBEwwSjBIBhRpg8yTgKiYzKjHvbGngICqrteKG4YwaHR0cHM6Ly93d3cuZW11\n" +
-	"bGFiLm5ldDoxMjM2OS9wcm90b2dlbmkveG1scnBjL3NhMA0GCSqGSIb3DQEBBAUA\n" +
-	"A4GBAAF8aadZH3vXTFt0od9ooZ+dWvAaGWlkiAmlwOcpUsT5D8G+rUcaz7iPWrju\n" +
-	"d3wPd/iFDIO7BqmolxSY6L/YjSwvtkvfMX8Q7gYkECmgCEX/ztMXRdcu9vGdfjYZ\n" +
-	"nIPONT767s7Qrx0S6nA9GOV8WvDdywUluFSwE45g+e7zs2CO\n" +
-	"-----END CERTIFICATE-----\n";
     
     function initialize()
     {
@@ -65,29 +27,7 @@ function (_, sup, forge, loginString)
 	    return false;
 	});
 
-	CreateSecret(foo, mycert);
-    }
-
-    function CreateSecret(r1, cert)
-    {
-	var callback = function(json) {
-	    if (json.code) {
-		alert("Could not generate secret: " + json.value);
-		return;
-	    }
-	    console.info(json.value);
-	    secret = json.value.secret;
-
-	    var md = forge.md.sha256.create();
-	    md.update(mycert + secret);
-	    console.log(md.digest().toHex());
-	    VerifySpeaksfor(mycert, md.digest().toHex());
-	}
-	var $xmlthing = sup.CallServerMethod(ajaxurl,
-					     "geni-login", "CreateSecret",
-					     {"r1_encrypted" : r1,
-					      "certificate"  : cert});
-	$xmlthing.done(callback);
+//	CreateSecret(foo, mycert);
     }
 
     function VerifySpeaksfor(speaksfor, signature)
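Review bot: The replacement line `//	CreateSecret(foo, mycert);` is commented-out code that refers to `foo`, `mycert` and `CreateSecret`, all three of which this same commit deletes, so it can never be reinstated as written; delete the line rather than keeping it. If a reminder is wanted that initialize() no longer starts the secret exchange, a one-line comment naming where that now happens (authenticate(), in the next hunk) is more useful than the stale call. The start of initialize() is above the hunk.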
@@ -117,29 +57,31 @@ function (_, sup, forge, loginString)
 	$xmlthing.done(callback);
     }
 
-    function authenticate(userCertificate, success, failure)
+    function authenticate(cert, r1, success, failure)
     {
-	// Some AJAX call that ends with success or failure based on the result
-	// success should be called with the PKCS#7 string
-	success('-----BEGIN PKCS7-----\n'+
-		'MIIByQYJKoZIhvcNAQcDoIIBujCCAbYCAQAxggFcMIIBWAIBADCBwDCBuDELMAkG\n'+
-		'A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5\n'+
-		'MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEeMBwGA1UECxMVQ2VydGlm\n'+
-		'aWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDEw9ib3NzLmVtdWxhYi5uZXQxKDAmBgkq\n'+
-		'hkiG9w0BCQEWGXRlc3RiZWQtb3BzQGZsdXgudXRhaC5lZHUCAwEv7TANBgkqhkiG\n'+
-		'9w0BAQEFAASBgDaDHASj7fN7Dp3dvp/Gm2pgfeIf6W+bhanzmgb/21PqU4wQDjDD\n'+
-		'IWsdmGigRKsvn4D/a2kbI27s3QrSf8bsZXeKRsDNm0wWvtdhPQuiiFHYwXjYmE7j\n'+
-		'Zi6OEWLxCoVfNL/fdjNppAqGKn2rg6vPVArBGYk+JpAB8QwWJjA2mQIeMFEGCSqG\n'+
-		'SIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQI5C991yqoRxiAKAfhoqHKJjQTAp3A\n'+
-		'W5P/6+wNAa5TLBMbDlEyN3L3FolO4LKqJ5tbnKo=\n'+
-		'-----END PKCS7-----\n');
+	var callback = function(json) {
+	    console.log('callback');
+	    if (json.code) {
+		alert("Could not generate secret: " + json.value);
+		failure();
+	    } else {
+		console.info(json.value);
+		success(json.value.r2_encrypted);
+	    }
+	}
+	var $xmlthing = sup.CallServerMethod(ajaxurl,
+					     "geni-login", "CreateSecret",
+					     {"r1_encrypted" : r1,
+					      "certificate"  : cert});
+	$xmlthing.done(callback);
     }
 
-    function complete(credential, authenticationToken, encryptedCredential)
+    function complete(credential, signature)
     {
-	$('#credential').show();
-	$('#credential').val(credential);
-	console.log(authenticationToken, encryptedCredential);
+	// signature is undefined if something failed before
+	VerifySpeaksfor(credential, signature);
+//	console.log(credential);
+//	console.log(signature);
     }
     $(document).ready(initialize);
 });
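Review bot: In the new authenticate(), only `$xmlthing.done(callback)` is registered, so a request that fails at the transport level (no JSON reply at all) invokes neither success nor failure and the caller's flow stalls; if sup.CallServerMethod returns a jQuery deferred, as the `.done` usage suggests, add `$xmlthing.fail(function() { failure(); });` after it. complete() documents that `signature` is undefined when an earlier step failed but still calls VerifySpeaksfor(credential, signature) unconditionally; guard it with `if (signature === undefined) { return; }` (or report the failure) before the call. The `console.log('callback')` line and `console.info(json.value)`, which writes the server reply to the browser console, look like leftover debugging, and the two commented-out console.log lines in complete() should go with them. The function-expression assignment to `callback` is also missing its terminating semicolon.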
-- 
GitLab