Commit 2e1056cc authored by Jonathon Duerig

Finish up authorization protocol for geni users.

The protocol now works perfectly.

TODO: Figure out why certificate parsing is failing
parent b4a2cfc6
......@@ -62,6 +62,7 @@ function Do_CreateSecret()
$infname = tempnam("/tmp", "pkcs7in");
$outfname = tempnam("/tmp", "pkcs7out");
$userCertName = tempnam("/tmp", "pkcs7cert");
#
# Decrypt the random bytes. To do this we have to put the stuff
......@@ -74,7 +75,7 @@ function Do_CreateSecret()
$exec_retval = 0;
exec("/usr/bin/openssl smime -decrypt -inform PEM -inkey ".
"${TBDIR}/etc/genicm.pem -in $infname -out $outfname",
"${TBDIR}/etc/genisa.pem -in $infname -out $outfname",
$exec_output_array, $exec_retval);
if ($exec_retval) {
......@@ -96,8 +97,12 @@ function Do_CreateSecret()
fwrite($fp, $r2_decrypted);
fclose($fp);
$fp = fopen($userCertName, "w");
fwrite($fp, $certificate);
fclose($fp);
exec("/usr/bin/openssl smime -encrypt -outform PEM ".
"-in $infname -out $outfname ${TBDIR}/etc/genicm.pem",
"-in $infname -out $outfname -aes256 $userCertName",
$exec_output_array, $exec_retval);
if ($exec_retval) {
......@@ -110,11 +115,9 @@ function Do_CreateSecret()
return;
}
$r2_encrypted = file_get_contents($outfname);
$secret = bin2hex(pack('H*', $r1_decrypted) ^ pack('H*', $r2_decrypted));
$secret = $r1_decrypted . $r2_decrypted;#bin2hex(pack('H*', $r1_decrypted) ^ pack('H*', $r2_decrypted));
$blob = array();
$blob["secret"] = $secret;
$blob["r1_decrypted"] = $r1_decrypted;
$blob["r2_encrypted"] = $r2_encrypted;
# Store in the session.
......
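Review bot: The new `$secret = $r1_decrypted . $r2_decrypted;` line in the last hunk leaves the old XOR expression dangling as a trailing comment and drops the `pack('H*', …)` hex decoding, so the two halves are now concatenated in whatever form the decrypt step produced; either delete the commented-out expression or replace it with a comment that states the intended format, e.g. `# secret = r1 || r2 as produced by the decrypt step (not the hex-XOR used earlier); the client must derive it the same way`. The decrypted r2 is also written in clear to `$infname` (the fwrite in the `@@ -96,8 +97,12 @@` hunk) and the client-supplied `$certificate` to `$userCertName`; if these tempnam files are not unlinked in the code outside the shown hunks, plaintext secret material is left in /tmp after the call. Do_CreateSecret begins and ends outside the shown hunks.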
......@@ -6,44 +6,6 @@ function (_, sup, forge, loginString)
{
'use strict';
var ajaxurl;
var secret = null;
var foo = "-----BEGIN PKCS7-----\n" +
"MIIByQYJKoZIhvcNAQcDoIIBujCCAbYCAQAxggFcMIIBWAIBADCBwDCBuDELMAkG\n" +
"A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5\n" +
"MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEeMBwGA1UECxMVQ2VydGlm\n" +
"aWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDEw9ib3NzLmVtdWxhYi5uZXQxKDAmBgkq\n" +
"hkiG9w0BCQEWGXRlc3RiZWQtb3BzQGZsdXgudXRhaC5lZHUCAwEv7TANBgkqhkiG\n" +
"9w0BAQEFAASBgB3SoXZgUFEJrN8gGW06B0O7TzKs9vCSXgHPFGhTHLYWQy7MhV3z\n" +
"neFDhJw4I4fUu/JOWSMZ58EustIewj652ASYKEGEzzUpNyYA8vyVceiLatiZblMP\n" +
"vwPo3IBacDqPuiBFB1CPPO/vhd7/M1oZCknmm37sa4Has0fR8T5mIhIiMFEGCSqG\n" +
"SIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIenog8mG95S6AKN0z8UedzqQ22T4Z\n" +
"PHy/Lc5zyIDba6mmud8d1h5WT+gq+sP0aLPgQfA=\n" +
"-----END PKCS7-----\n";
var mycert = "-----BEGIN CERTIFICATE-----\n" +
"MIID4DCCA0mgAwIBAgIDAlCGMA0GCSqGSIb3DQEBBAUAMIG4MQswCQYDVQQGEwJV\n" +
"UzENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxHTAbBgNV\n" +
"BAoTFFV0YWggTmV0d29yayBUZXN0YmVkMR4wHAYDVQQLExVDZXJ0aWZpY2F0ZSBB\n" +
"dXRob3JpdHkxGDAWBgNVBAMTD2Jvc3MuZW11bGFiLm5ldDEoMCYGCSqGSIb3DQEJ\n" +
"ARYZdGVzdGJlZC1vcHNAZmx1eC51dGFoLmVkdTAeFw0xNDAyMDMxNzAxMjJaFw0x\n" +
"NTAyMDMxNzAxMjJaMIGqMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEdMBsG\n" +
"A1UEChMUVXRhaCBOZXR3b3JrIFRlc3RiZWQxGzAZBgNVBAsTEnV0YWhlbXVsYWIu\n" +
"c3RvbGxlcjEtMCsGA1UEAxMkMGIyZWI5N2UtZWQzMC0xMWRiLTk2Y2ItMDAxMTQz\n" +
"ZTQ1M2ZlMSEwHwYJKoZIhvcNAQkBFhJzdG9sbGVyQGVtdWxhYi5uZXQwgZ8wDQYJ\n" +
"KoZIhvcNAQEBBQADgY0AMIGJAoGBAK5+JRzpLj9aJakzFHXyLri+eqNyfqySjsB8\n" +
"2gnzW4h6MAChQFuc4j3m/fIh39buzDRX3nhMF10etZKEHb7sPmA6hzQzq+0y8vGj\n" +
"3dSiyjsy8SOjGrZAKrBC2mV5eXIFklyglFHJF263SWbUzv48W/quQRFlG+hV3/oL\n" +
"OH0tQUzbAgMBAAGjggECMIH/MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGAYW2vo\n" +
"Fecr8tsRcL5H6gSXAUH9MHYGA1UdEQRvMG2GKHVybjpwdWJsaWNpZDpJRE4rZW11\n" +
"bGFiLm5ldCt1c2VyK3N0b2xsZXKBEnN0b2xsZXJAZW11bGFiLm5ldIYtdXJuOnV1\n" +
"aWQ6MGIyZWI5N2UtZWQzMC0xMWRiLTk2Y2ItMDAxMTQzZTQ1M2ZlMFgGCCsGAQUF\n" +
"BwEBBEwwSjBIBhRpg8yTgKiYzKjHvbGngICqrteKG4YwaHR0cHM6Ly93d3cuZW11\n" +
"bGFiLm5ldDoxMjM2OS9wcm90b2dlbmkveG1scnBjL3NhMA0GCSqGSIb3DQEBBAUA\n" +
"A4GBAAF8aadZH3vXTFt0od9ooZ+dWvAaGWlkiAmlwOcpUsT5D8G+rUcaz7iPWrju\n" +
"d3wPd/iFDIO7BqmolxSY6L/YjSwvtkvfMX8Q7gYkECmgCEX/ztMXRdcu9vGdfjYZ\n" +
"nIPONT767s7Qrx0S6nA9GOV8WvDdywUluFSwE45g+e7zs2CO\n" +
"-----END CERTIFICATE-----\n";
function initialize()
{
......@@ -65,29 +27,7 @@ function (_, sup, forge, loginString)
return false;
});
CreateSecret(foo, mycert);
}
function CreateSecret(r1, cert)
{
var callback = function(json) {
if (json.code) {
alert("Could not generate secret: " + json.value);
return;
}
console.info(json.value);
secret = json.value.secret;
var md = forge.md.sha256.create();
md.update(mycert + secret);
console.log(md.digest().toHex());
VerifySpeaksfor(mycert, md.digest().toHex());
}
var $xmlthing = sup.CallServerMethod(ajaxurl,
"geni-login", "CreateSecret",
{"r1_encrypted" : r1,
"certificate" : cert});
$xmlthing.done(callback);
// CreateSecret(foo, mycert);
}
function VerifySpeaksfor(speaksfor, signature)
......@@ -117,29 +57,31 @@ function (_, sup, forge, loginString)
$xmlthing.done(callback);
}
function authenticate(userCertificate, success, failure)
function authenticate(cert, r1, success, failure)
{
// Some AJAX call that ends with success or failure based on the result
// success should be called with the PKCS#7 string
success('-----BEGIN PKCS7-----\n'+
'MIIByQYJKoZIhvcNAQcDoIIBujCCAbYCAQAxggFcMIIBWAIBADCBwDCBuDELMAkG\n'+
'A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5\n'+
'MR0wGwYDVQQKExRVdGFoIE5ldHdvcmsgVGVzdGJlZDEeMBwGA1UECxMVQ2VydGlm\n'+
'aWNhdGUgQXV0aG9yaXR5MRgwFgYDVQQDEw9ib3NzLmVtdWxhYi5uZXQxKDAmBgkq\n'+
'hkiG9w0BCQEWGXRlc3RiZWQtb3BzQGZsdXgudXRhaC5lZHUCAwEv7TANBgkqhkiG\n'+
'9w0BAQEFAASBgDaDHASj7fN7Dp3dvp/Gm2pgfeIf6W+bhanzmgb/21PqU4wQDjDD\n'+
'IWsdmGigRKsvn4D/a2kbI27s3QrSf8bsZXeKRsDNm0wWvtdhPQuiiFHYwXjYmE7j\n'+
'Zi6OEWLxCoVfNL/fdjNppAqGKn2rg6vPVArBGYk+JpAB8QwWJjA2mQIeMFEGCSqG\n'+
'SIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQI5C991yqoRxiAKAfhoqHKJjQTAp3A\n'+
'W5P/6+wNAa5TLBMbDlEyN3L3FolO4LKqJ5tbnKo=\n'+
'-----END PKCS7-----\n');
var callback = function(json) {
console.log('callback');
if (json.code) {
alert("Could not generate secret: " + json.value);
failure();
} else {
console.info(json.value);
success(json.value.r2_encrypted);
}
}
var $xmlthing = sup.CallServerMethod(ajaxurl,
"geni-login", "CreateSecret",
{"r1_encrypted" : r1,
"certificate" : cert});
$xmlthing.done(callback);
}
function complete(credential, authenticationToken, encryptedCredential)
function complete(credential, signature)
{
$('#credential').show();
$('#credential').val(credential);
console.log(authenticationToken, encryptedCredential);
// signature is undefined if something failed before
VerifySpeaksfor(credential, signature);
// console.log(credential);
// console.log(signature);
}
$(document).ready(initialize);
});
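Review bot: `complete(credential, signature)` calls `VerifySpeaksfor(credential, signature)` even when `signature` is undefined, which the comment directly above that call admits can happen after an earlier failure; guard it with `if (signature === undefined) { return; }` before the call, and drop the two commented-out console.log lines that follow. In the new `authenticate` callback, `console.info(json.value)` writes the whole server reply (at least `r2_encrypted`, possibly more depending on what the server returns from its `$blob`) to the browser console, which looks like debug output to remove before this ships. The `var callback = function(json) {…}` expression is also missing its terminating semicolon. The enclosing module function `function (_, sup, forge, loginString)` starts outside this hunk.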