Commit 2e1056cc authored by Jonathon Duerig's avatar Jonathon Duerig

Finish up authorization protocol for geni users.

The protocol now works perfectly.

TODO: Figure out why certificate parsing is failing
parent b4a2cfc6
...@@ -62,6 +62,7 @@ function Do_CreateSecret() ...@@ -62,6 +62,7 @@ function Do_CreateSecret()
$infname = tempnam("/tmp", "pkcs7in"); $infname = tempnam("/tmp", "pkcs7in");
$outfname = tempnam("/tmp", "pkcs7out"); $outfname = tempnam("/tmp", "pkcs7out");
$userCertName = tempnam("/tmp", "pkcs7cert");
# #
# Decrypt the random bytes. To do this we have to put the stuff # Decrypt the random bytes. To do this we have to put the stuff
...@@ -74,7 +75,7 @@ function Do_CreateSecret() ...@@ -74,7 +75,7 @@ function Do_CreateSecret()
$exec_retval = 0; $exec_retval = 0;
exec("/usr/bin/openssl smime -decrypt -inform PEM -inkey ". exec("/usr/bin/openssl smime -decrypt -inform PEM -inkey ".
"${TBDIR}/etc/genicm.pem -in $infname -out $outfname", "${TBDIR}/etc/genisa.pem -in $infname -out $outfname",
$exec_output_array, $exec_retval); $exec_output_array, $exec_retval);
if ($exec_retval) { if ($exec_retval) {
...@@ -96,8 +97,12 @@ function Do_CreateSecret() ...@@ -96,8 +97,12 @@ function Do_CreateSecret()
fwrite($fp, $r2_decrypted); fwrite($fp, $r2_decrypted);
fclose($fp); fclose($fp);
$fp = fopen($userCertName, "w");
fwrite($fp, $certificate);
fclose($fp);
exec("/usr/bin/openssl smime -encrypt -outform PEM ". exec("/usr/bin/openssl smime -encrypt -outform PEM ".
"-in $infname -out $outfname ${TBDIR}/etc/genicm.pem", "-in $infname -out $outfname -aes256 $userCertName",
$exec_output_array, $exec_retval); $exec_output_array, $exec_retval);
if ($exec_retval) { if ($exec_retval) {
...@@ -110,11 +115,9 @@ function Do_CreateSecret() ...@@ -110,11 +115,9 @@ function Do_CreateSecret()
return; return;
} }
$r2_encrypted = file_get_contents($outfname); $r2_encrypted = file_get_contents($outfname);
$secret = bin2hex(pack('H*', $r1_decrypted) ^ pack('H*', $r2_decrypted)); $secret = $r1_decrypted . $r2_decrypted;#bin2hex(pack('H*', $r1_decrypted) ^ pack('H*', $r2_decrypted));
$blob = array(); $blob = array();
$blob["secret"] = $secret;
$blob["r1_decrypted"] = $r1_decrypted;
$blob["r2_encrypted"] = $r2_encrypted; $blob["r2_encrypted"] = $r2_encrypted;
# Store in the session. # Store in the session.
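Review bot: In the `-110,11 +115,9` hunk the new `$blob["secret"]` and `$blob["r1_decrypted"]` entries put the plaintext half of the shared secret and the combined secret into the same array as `r2_encrypted`; if that array is what the CreateSecret response hands back to the browser (the pre-change JS read `json.value.secret`), the user-certificate encryption of r2 protects nothing, because r1 and the full secret travel back in the clear on the same channel, so keep those two keys server-side (session only) or document why the client needs them. On the same hunk the superseded XOR derivation is left as a trailing comment after `$secret = $r1_decrypted . $r2_decrypted;`; either drop it or replace it with a `#` line stating why concatenation replaced XOR, e.g. `# r1 and r2 are hex strings; the secret is their concatenation, not their XOR.`. The new `$userCertName = tempnam("/tmp", "pkcs7cert");` temp file receives the client-supplied certificate but no matching `unlink($userCertName)` is visible in these hunks; confirm it is removed on every exit path alongside `$infname` and `$outfname`. `Do_CreateSecret` begins and ends outside the shown hunks.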
...@@ -6,44 +6,6 @@ function (_, sup, forge, loginString) ...@@ -6,44 +6,6 @@ function (_, sup, forge, loginString)
{ {
'use strict'; 'use strict';
var ajaxurl; var ajaxurl;
var secret = null;
var foo = "-----BEGIN PKCS7-----\n" +
"MIIByQYJKoZIhvcNAQcDoIIBujCCAbYCAQAxggFcMIIBWAIBADCBwDCBuDELMAkG\n" +
"A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5\n" +
"MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEeMBwGA1UECxMVQ2VydGlm\n" +
"aWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDEw9ib3NzLmVtdWxhYi5uZXQxKDAmBgkq\n" +
"hkiG9w0BCQEWGXRlc3RiZWQtb3BzQGZsdXgudXRhaC5lZHUCAwEv7TANBgkqhkiG\n" +
"9w0BAQEFAASBgB3SoXZgUFEJrN8gGW06B0O7TzKs9vCSXgHPFGhTHLYWQy7MhV3z\n" +
"neFDhJw4I4fUu/JOWSMZ58EustIewj652ASYKEGEzzUpNyYA8vyVceiLatiZblMP\n" +
"vwPo3IBacDqPuiBFB1CPPO/vhd7/M1oZCknmm37sa4Has0fR8T5mIhIiMFEGCSqG\n" +
"SIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIenog8mG95S6AKN0z8UedzqQ22T4Z\n" +
"PHy/Lc5zyIDba6mmud8d1h5WT+gq+sP0aLPgQfA=\n" +
"-----END PKCS7-----\n";
var mycert = "-----BEGIN CERTIFICATE-----\n" +
"MIID4DCCA0mgAwIBAgIDAlCGMA0GCSqGSIb3DQEBBAUAMIG4MQswCQYDVQQGEwJV\n" +
"UzENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxHTAbBgNV\n" +
"BAoTFFV0YWggTmV0d29yayBUZXN0YmVkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB\n" +
"dXRob3JpdHkxGDAWBgNVBAMTD2Jvc3MuZW11bGFiLm5ldDEoMCYGCSqGSIb3DQEJ\n" +
"ARYZdGVzdGJlZC1vcHNAZmx1eC51dGFoLmVkdTAeFw0xNDAyMDMxNzAxMjJaFw0x\n" +
"NTAyMDMxNzAxMjJaMIGqMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEdMBsG\n" +
"A1UEChMUVXRhaCBOZXR3b3JrIFRlc3RiZWQxGzAZBgNVBAsTEnV0YWhlbXVsYWIu\n" +
"c3RvbGxlcjEtMCsGA1UEAxMkMGIyZWI5N2UtZWQzMC0xMWRiLTk2Y2ItMDAxMTQz\n" +
"ZTQ1M2ZlMSEwHwYJKoZIhvcNAQkBFhJzdG9sbGVyQGVtdWxhYi5uZXQwgZ8wDQYJ\n" +
"KoZIhvcNAQEBBQADgY0AMIGJAoGBAK5+JRzpLj9aJakzFHXyLri+eqNyfqySjsB8\n" +
"2gnzW4h6MAChQFuc4j3m/fIh39buzDRX3nhMF10etZKEHb7sPmA6hzQzq+0y8vGj\n" +
"3dSiyjsy8SOjGrZAKrBC2mV5eXIFklyglFHJF263SWbUzv48W/quQRFlG+hV3/oL\n" +
"OH0tQUzbAgMBAAGjggECMIH/MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGAYW2vo\n" +
"Fecr8tsRcL5H6gSXAUH9MHYGA1UdEQRvMG2GKHVybjpwdWJsaWNpZDpJRE4rZW11\n" +
"bGFiLm5ldCt1c2VyK3N0b2xsZXKBEnN0b2xsZXJAZW11bGFiLm5ldIYtdXJuOnV1\n" +
"aWQ6MGIyZWI5N2UtZWQzMC0xMWRiLTk2Y2ItMDAxMTQzZTQ1M2ZlMFgGCCsGAQUF\n" +
"BwEBBEwwSjBIBhRpg8yTgKiYzKjHvbGngICqrteKG4YwaHR0cHM6Ly93d3cuZW11\n" +
"bGFiLm5ldDoxMjM2OS9wcm90b2dlbmkveG1scnBjL3NhMA0GCSqGSIb3DQEBBAUA\n" +
"A4GBAAF8aadZH3vXTFt0od9ooZ+dWvAaGWlkiAmlwOcpUsT5D8G+rUcaz7iPWrju\n" +
"d3wPd/iFDIO7BqmolxSY6L/YjSwvtkvfMX8Q7gYkECmgCEX/ztMXRdcu9vGdfjYZ\n" +
"nIPONT767s7Qrx0S6nA9GOV8WvDdywUluFSwE45g+e7zs2CO\n" +
"-----END CERTIFICATE-----\n";
function initialize() function initialize()
{ {
...@@ -65,29 +27,7 @@ function (_, sup, forge, loginString) ...@@ -65,29 +27,7 @@ function (_, sup, forge, loginString)
return false; return false;
}); });
CreateSecret(foo, mycert); // CreateSecret(foo, mycert);
}
function CreateSecret(r1, cert)
{
var callback = function(json) {
if (json.code) {
alert("Could not generate secret: " + json.value);
return;
}
console.info(json.value);
secret = json.value.secret;
var md = forge.md.sha256.create();
md.update(mycert + secret);
console.log(md.digest().toHex());
VerifySpeaksfor(mycert, md.digest().toHex());
}
var $xmlthing = sup.CallServerMethod(ajaxurl,
"geni-login", "CreateSecret",
{"r1_encrypted" : r1,
"certificate" : cert});
$xmlthing.done(callback);
} }
function VerifySpeaksfor(speaksfor, signature) function VerifySpeaksfor(speaksfor, signature)
...@@ -117,29 +57,31 @@ function (_, sup, forge, loginString) ...@@ -117,29 +57,31 @@ function (_, sup, forge, loginString)
$xmlthing.done(callback); $xmlthing.done(callback);
} }
function authenticate(userCertificate, success, failure) function authenticate(cert, r1, success, failure)
{ {
// Some AJAX call that ends with success or failure based on the result var callback = function(json) {
// success should be called with the PKCS#7 string console.log('callback');
success('-----BEGIN PKCS7-----\n'+ if (json.code) {
'MIIByQYJKoZIhvcNAQcDoIIBujCCAbYCAQAxggFcMIIBWAIBADCBwDCBuDELMAkG\n'+ alert("Could not generate secret: " + json.value);
'A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5\n'+ failure();
'MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEeMBwGA1UECxMVQ2VydGlm\n'+ } else {
'aWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDEw9ib3NzLmVtdWxhYi5uZXQxKDAmBgkq\n'+ console.info(json.value);
'hkiG9w0BCQEWGXRlc3RiZWQtb3BzQGZsdXgudXRhaC5lZHUCAwEv7TANBgkqhkiG\n'+ success(json.value.r2_encrypted);
'9w0BAQEFAASBgDaDHASj7fN7Dp3dvp/Gm2pgfeIf6W+bhanzmgb/21PqU4wQDjDD\n'+ }
'IWsdmGigRKsvn4D/a2kbI27s3QrSf8bsZXeKRsDNm0wWvtdhPQuiiFHYwXjYmE7j\n'+ }
'Zi6OEWLxCoVfNL/fdjNppAqGKn2rg6vPVArBGYk+JpAB8QwWJjA2mQIeMFEGCSqG\n'+ var $xmlthing = sup.CallServerMethod(ajaxurl,
'SIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQI5C991yqoRxiAKAfhoqHKJjQTAp3A\n'+ "geni-login", "CreateSecret",
'W5P/6+wNAa5TLBMbDlEyN3L3FolO4LKqJ5tbnKo=\n'+ {"r1_encrypted" : r1,
'-----END PKCS7-----\n'); "certificate" : cert});
$xmlthing.done(callback);
} }
function complete(credential, authenticationToken, encryptedCredential) function complete(credential, signature)
{ {
$('#credential').show(); // signature is undefined if something failed before
$('#credential').val(credential); VerifySpeaksfor(credential, signature);
console.log(authenticationToken, encryptedCredential); // console.log(credential);
// console.log(signature);
} }
$(document).ready(initialize); $(document).ready(initialize);
}); });
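Review bot: In the `-117,29 +57,31` hunk `complete(credential, signature)` calls `VerifySpeaksfor(credential, signature)` unconditionally even though its own comment says `signature` is undefined after an earlier failure, so a failed authenticate still fires a server round-trip with an undefined signature; add a guard before the call, `if (signature === undefined) { console.log('authentication failed; not verifying'); return; }`. In the same hunk `authenticate` registers only `$xmlthing.done(callback)`, so a transport-level error never reaches `failure()`; add `$xmlthing.fail(function() { failure(); });` after the `.done` call. `console.info(json.value)` in the success path logs the whole server response to the browser console; if that object carries more than `r2_encrypted` (the PHP side of this commit adds `secret` and `r1_decrypted` to its blob), narrow it to `console.info('received r2_encrypted');` or remove it before shipping.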