Commit 45b21dd9 authored by Sietse Ringers's avatar Sietse Ringers

Merge branch 'new-abs-format' into condiscon

parents ca000edb 993d43bf
...@@ -272,7 +272,7 @@ ...@@ -272,7 +272,7 @@
[[projects]] [[projects]]
branch = "master" branch = "master"
digest = "1:bb1a0e54dd761717865f96b989b382e0abf7f4863081cc65f5982799208254dd" digest = "1:efc4c33449984cda3f7880142fbf35fdc16c7e9c4c27c50a8e77bd055400cceb"
name = "github.com/privacybydesign/gabi" name = "github.com/privacybydesign/gabi"
packages = [ packages = [
".", ".",
...@@ -280,7 +280,7 @@ ...@@ -280,7 +280,7 @@
"safeprime", "safeprime",
] ]
pruneopts = "UT" pruneopts = "UT"
revision = "a5a01cfeac1cf9781b73016f7f5492fd1bfca2ff" revision = "ce779395f4c98898f21f8c49f71f4b3353995127"
[[projects]] [[projects]]
digest = "1:69b1cc331fca23d702bd72f860c6a647afd0aa9fcbc1d0659b1365e26546dd70" digest = "1:69b1cc331fca23d702bd72f860c6a647afd0aa9fcbc1d0659b1365e26546dd70"
...@@ -480,6 +480,7 @@ ...@@ -480,6 +480,7 @@
"github.com/privacybydesign/gabi", "github.com/privacybydesign/gabi",
"github.com/privacybydesign/gabi/big", "github.com/privacybydesign/gabi/big",
"github.com/sirupsen/logrus", "github.com/sirupsen/logrus",
"github.com/spf13/cast",
"github.com/spf13/cobra", "github.com/spf13/cobra",
"github.com/spf13/pflag", "github.com/spf13/pflag",
"github.com/spf13/viper", "github.com/spf13/viper",
......
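--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -111,6 +111,10 @@ func (s *Server) verifyConfiguration(configuration *server.Configuration) error
 }
 for _, file := range files {
 filename := file.Name()
+if filepath.Ext(filename) != ".xml" && strings.Count(filename, ".") != 3 {
+s.conf.Logger.Infof("Skipping non-private key file %s encountered in private keys path", filename)
+continue
+}
 issid := irma.NewIssuerIdentifier(strings.TrimSuffix(filename, filepath.Ext(filename))) // strip .xml
 if _, ok := s.conf.IrmaConfiguration.Issuers[issid]; !ok {
 return server.LogError(errors.Errorf("Private key %s belongs to an unknown issuer", filename))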
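Review bot: The new skip condition on the `if` line is hard to read and is narrower than the log message suggests: a file that is not `.xml` but happens to contain exactly three dots still falls through to the issuer lookup, where an unknown issuer aborts configuration with an error instead of being skipped. Whether three-dot non-xml names are meant to be accepted I cannot tell from the hunk; if only `.xml` key files are intended, the accepted shapes should be stated above the check, e.g. `// accept <scheme>.<issuer>.xml and <scheme>.<issuer>.<counter>.xml; everything else in this directory is skipped`, and the combined `&&` reconsidered against that. The `// strip .xml` remark on the issid line is also no longer accurate for files that reach it with another extension. verifyConfiguration continues outside the hunk.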
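--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -19,7 +19,6 @@ var RootCmd = &cobra.Command{
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
 if err := RootCmd.Execute(); err != nil {
-fmt.Println(err)
 os.Exit(-1)
 }
 }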
...@@ -22,12 +22,21 @@ var ( ...@@ -22,12 +22,21 @@ var (
httpServer *http.Server httpServer *http.Server
irmaServer *irmaserver.Server irmaServer *irmaserver.Server
logger *logrus.Logger logger *logrus.Logger
defaulturl string
) )
// sessionCmd represents the session command // sessionCmd represents the session command
var sessionCmd = &cobra.Command{ var sessionCmd = &cobra.Command{
Use: "session", Use: "session",
Short: "Perform an IRMA disclosure, issuance or signature session", Short: "Perform an IRMA disclosure, issuance or signature session",
Long: `Perform an IRMA disclosure, issuance or signature session on the command line
Using either the builtin IRMA server library, or an external IRMA server (specify its URL
with --server), an IRMA session is started; the QR is printed in the terminal; and the session
result is printed when the session completes or fails.
A session request can either be constructed using the --disclose, --issue, and --sign together
with --message flags, or it can be specified as JSON to the --request flag.`,
Example: `irma session --disclose irma-demo.MijnOverheid.root.BSN Example: `irma session --disclose irma-demo.MijnOverheid.root.BSN
irma session --sign irma-demo.MijnOverheid.root.BSN --message message irma session --sign irma-demo.MijnOverheid.root.BSN --message message
irma session --issue irma-demo.MijnOverheid.ageLower=yes,yes,yes,no --disclose irma-demo.MijnOverheid.root.BSN irma session --issue irma-demo.MijnOverheid.ageLower=yes,yes,yes,no --disclose irma-demo.MijnOverheid.root.BSN
...@@ -45,7 +54,7 @@ irma session --server http://localhost:48680 --authmethod token --key mytoken -- ...@@ -45,7 +54,7 @@ irma session --server http://localhost:48680 --authmethod token --key mytoken --
noqr, _ := cmd.Flags().GetBool("noqr") noqr, _ := cmd.Flags().GetBool("noqr")
flags := cmd.Flags() flags := cmd.Flags()
if url != "" && serverurl != "" { if url != defaulturl && serverurl != "" {
die("Failed to read configuration", errors.New("--url can't be combined with --server")) die("Failed to read configuration", errors.New("--url can't be combined with --server"))
} }
...@@ -211,7 +220,8 @@ func configure(cmd *cobra.Command) (irma.RequestorRequest, *irma.Configuration, ...@@ -211,7 +220,8 @@ func configure(cmd *cobra.Command) (irma.RequestorRequest, *irma.Configuration,
func init() { func init() {
RootCmd.AddCommand(sessionCmd) RootCmd.AddCommand(sessionCmd)
defaulturl, err := server.LocalIP() var err error
defaulturl, err = server.LocalIP()
if err != nil { if err != nil {
logger.Warn("Could not determine local IP address: ", err.Error()) logger.Warn("Could not determine local IP address: ", err.Error())
} else { } else {
...@@ -220,10 +230,10 @@ func init() { ...@@ -220,10 +230,10 @@ func init() {
flags := sessionCmd.Flags() flags := sessionCmd.Flags()
flags.SortFlags = false flags.SortFlags = false
flags.StringP("url", "u", defaulturl, "external URL used when using the builtin library") flags.String("server", "", "External IRMA server to post request to (leave blank to use builtin library)")
flags.IntP("port", "p", 48680, "port to listen at") flags.StringP("url", "u", defaulturl, "external URL to which IRMA app connects (when not using --server)")
flags.IntP("port", "p", 48680, "port to listen at (when not using --server)")
flags.Bool("noqr", false, "Print JSON instead of draw QR") flags.Bool("noqr", false, "Print JSON instead of draw QR")
flags.String("server", "", "Server to post request to (leave blank to use builtin library)")
flags.StringP("request", "r", "", "JSON session request") flags.StringP("request", "r", "", "JSON session request")
flags.StringP("privkeys", "k", "", "path to private keys") flags.StringP("privkeys", "k", "", "path to private keys")
......
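Review bot: The conflict check `if url != defaulturl && serverurl != ""` detects an explicitly passed --url by comparing the value with its default, which misses a user who passes --url equal to the default together with --server, and it depends on the package-level defaulturl having been filled in by init() before the check runs. pflag records whether a flag was set, so the check can ask directly: `if flags.Changed("url") && serverurl != "" {` (flags is already bound to cmd.Flags() two lines above). That would also let defaulturl stay local to init(), which this commit apparently promoted to a package variable only to make the comparison possible. configure() starts and ends outside the hunk.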
...@@ -11,18 +11,25 @@ import ( ...@@ -11,18 +11,25 @@ import (
"github.com/privacybydesign/gabi/big" "github.com/privacybydesign/gabi/big"
) )
const SignedMessageLDContext = "https://irma.app/ld/signature/v2"
// SignedMessage is a message signed with an attribute-based signature // SignedMessage is a message signed with an attribute-based signature
// The 'realnonce' will be calculated as: SigRequest.GetNonce() = ASN1(nonce, SHA256(message), timestampSignature) // The 'realnonce' will be calculated as: SigRequest.GetNonce() = ASN1(nonce, SHA256(message), timestampSignature)
type SignedMessage struct { type SignedMessage struct {
LDContext string `json:"@context"`
Signature gabi.ProofList `json:"signature"` Signature gabi.ProofList `json:"signature"`
Indices DisclosedAttributeIndices `json:"indices"` Indices DisclosedAttributeIndices `json:"indices"`
Nonce *big.Int `json:"nonce"` Nonce *big.Int `json:"nonce"`
Context *big.Int `json:"context"` Context *big.Int `json:"context"`
Message string `json:"message"` Message string `json:"message"`
Timestamp *atum.Timestamp `json:"timestamp"` Timestamp *atum.Timestamp `json:"timestamp"`
}
// Message version. Current version is 2. func (sm *SignedMessage) Version() int {
Version int `json:"v,omitempty"` if sm.LDContext == "" {
return 1
}
return 2
} }
func (sm *SignedMessage) GetNonce() *big.Int { func (sm *SignedMessage) GetNonce() *big.Int {
......
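Review bot: `Version()` reports 2 for any non-empty LDContext, so a message whose @context is unknown or malformed is treated as the current format instead of being rejected, and that version selects the nonce computation in VerifyTimestamp (`sm.Version() >= 2` in the last hunk of this commit). Comparing against the constant, `if sm.LDContext == SignedMessageLDContext { return 2 }`, and having the verification path fail on any other non-empty value would be stricter. Separately, dropping the `Version int \`json:"v,omitempty"\`` field means a signature serialised by the previous code with `"v":2` and no @context now parses as version 1 and would be verified with the version-1 nonce, unless no such signatures were ever issued. The new method also lacks a doc comment; suggested: `// Version returns the format version of the signed message: 2 when it carries the JSON-LD @context, 1 for the legacy format.`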
...@@ -20,10 +20,10 @@ type LogEntry struct { ...@@ -20,10 +20,10 @@ type LogEntry struct {
request irma.SessionRequest // cached parsed version of Request; get with LogEntry.SessionRequest() request irma.SessionRequest // cached parsed version of Request; get with LogEntry.SessionRequest()
// Session type-specific info // Session type-specific info
Removed map[irma.CredentialTypeIdentifier][]irma.TranslatedString `json:",omitempty"` // In case of credential removal Removed map[irma.CredentialTypeIdentifier][]irma.TranslatedString `json:",omitempty"` // In case of credential removal
SignedMessage []byte `json:",omitempty"` // In case of signature sessions SignedMessage []byte `json:",omitempty"` // In case of signature sessions
Timestamp *atum.Timestamp `json:",omitempty"` // In case of signature sessions Timestamp *atum.Timestamp `json:",omitempty"` // In case of signature sessions
SignatureVersion int `json:",omitempty"` // In case of signature sessions SignedMessageLDContext string `json:",omitempty"` // In case of signature sessions
IssueCommitment *irma.IssueCommitmentMessage `json:",omitempty"` IssueCommitment *irma.IssueCommitmentMessage `json:",omitempty"`
Disclosure *irma.Disclosure `json:",omitempty"` Disclosure *irma.Disclosure `json:",omitempty"`
...@@ -106,12 +106,12 @@ func (entry *LogEntry) GetSignedMessage() (abs *irma.SignedMessage, err error) { ...@@ -106,12 +106,12 @@ func (entry *LogEntry) GetSignedMessage() (abs *irma.SignedMessage, err error) {
} }
sigrequest := request.(*irma.SignatureRequest) sigrequest := request.(*irma.SignatureRequest)
return &irma.SignedMessage{ return &irma.SignedMessage{
LDContext: entry.SignedMessageLDContext,
Signature: entry.Disclosure.Proofs, Signature: entry.Disclosure.Proofs,
Nonce: sigrequest.Nonce, Nonce: sigrequest.Nonce,
Context: sigrequest.GetContext(), Context: sigrequest.GetContext(),
Message: string(entry.SignedMessage), Message: string(entry.SignedMessage),
Timestamp: entry.Timestamp, Timestamp: entry.Timestamp,
Version: entry.SignatureVersion,
}, nil }, nil
} }
...@@ -135,7 +135,7 @@ func (session *session) createLogEntry(response interface{}) (*LogEntry, error) ...@@ -135,7 +135,7 @@ func (session *session) createLogEntry(response interface{}) (*LogEntry, error)
request := session.request.(*irma.SignatureRequest) request := session.request.(*irma.SignatureRequest)
entry.SignedMessage = []byte(request.Message) entry.SignedMessage = []byte(request.Message)
entry.Timestamp = session.timestamp entry.Timestamp = session.timestamp
entry.SignatureVersion = 2 entry.SignedMessageLDContext = irma.SignedMessageLDContext
fallthrough fallthrough
case irma.ActionDisclosing: case irma.ActionDisclosing:
......
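Review bot: Renaming the log field from `SignatureVersion` to `SignedMessageLDContext` changes the persisted shape of LogEntry (the json tags suggest entries are stored), so an entry written by the previous code with `SignatureVersion: 2` deserialises with an empty SignedMessageLDContext, and `GetSignedMessage` then rebuilds it with `LDContext: entry.SignedMessageLDContext` empty, i.e. as a version-1 message. If such logs exist, keeping `SignatureVersion int \`json:",omitempty"\`` as a deprecated read-only field and mapping a stored value of 2 to `irma.SignedMessageLDContext` in GetSignedMessage would preserve them. A short comment on the new field naming the constant it is expected to hold would also help readers of the stored format. GetSignedMessage and createLogEntry both start outside their hunks.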
...@@ -611,13 +611,13 @@ func (sr *SignatureRequest) SignatureFromMessage(message interface{}, timestamp ...@@ -611,13 +611,13 @@ func (sr *SignatureRequest) SignatureFromMessage(message interface{}, timestamp
nonce = bigZero nonce = bigZero
} }
return &SignedMessage{ return &SignedMessage{
LDContext: SignedMessageLDContext,
Signature: signature.Proofs, Signature: signature.Proofs,
Indices: signature.Indices, Indices: signature.Indices,
Nonce: nonce, Nonce: nonce,
Context: sr.GetContext(), Context: sr.GetContext(),
Message: sr.Message, Message: sr.Message,
Timestamp: timestamp, Timestamp: timestamp,
Version: 2,
}, nil }, nil
} }
......
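--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -375,15 +375,18 @@ func (s *Server) handleJwtProofs(w http.ResponseWriter, r *http.Request) {
 // Fill standard claims
 switch res.Type {
 case irma.ActionDisclosing:
-claims["subject"] = "verification_result"
+claims["sub"] = "disclosure_result"
 case irma.ActionSigning:
-claims["subject"] = "abs_result"
+claims["sub"] = "abs_result"
+default:
+server.WriteError(w, server.ErrorInvalidRequest, "")
+return
 }
 claims["iat"] = time.Now().Unix()
 if s.conf.JwtIssuer != "" {
 claims["iss"] = s.conf.JwtIssuer
 }
-claims["status"] = res.Status
+claims["status"] = res.ProofStatus
 validity := s.irmaserv.GetRequest(sessiontoken).Base().ResultJwtValidity
 if validity != 0 {
 claims["exp"] = time.Now().Unix() + int64(validity)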
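Review bot: Renaming the claim from `subject` to `sub` and its disclosure value from `verification_result` to `disclosure_result` is a wire-format break for every relying party that inspects the result JWT, and nothing in the token indicates which format it carries; if older consumers exist this needs a documented cutover or a transition period in which both claims are emitted. The new `default:` branch is a welcome explicit rejection; a one-line comment such as `// only disclosure and signature sessions produce a result JWT` would make it self-explanatory. Switching `status` to `res.ProofStatus` removes the overall session status from the token, so a consumer can no longer distinguish a cancelled or timed-out session from a valid proof unless ProofStatus also encodes that, which I cannot confirm from the hunk. handleJwtProofs starts and ends outside it.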
...@@ -112,7 +112,7 @@ func (sm *SignedMessage) VerifyTimestamp(message string, conf *Configuration) er ...@@ -112,7 +112,7 @@ func (sm *SignedMessage) VerifyTimestamp(message string, conf *Configuration) er
} }
} }
bts, err := TimestampRequest(message, sigs, disclosed, sm.Version >= 2, conf) bts, err := TimestampRequest(message, sigs, disclosed, sm.Version() >= 2, conf)
if err != nil { if err != nil {
return err return err
} }
......