Commit b5eca5c7 authored by Sietse Ringers's avatar Sietse Ringers

Fix clock drift issues in keyshare server JWT validation

parent 4bc1dabd
......@@ -207,11 +207,15 @@ func startKeyshareSession(
claims := jwt.StandardClaims{}
_, err := parser.ParseWithClaims(ks.keyshareServer.token, &claims, ks.conf.KeyshareServerKeyFunc(managerID))
if err != nil {
irma.Logger.Info("Keyshare server token invalid, asking for PIN")
irma.Logger.Debug("Token: ", ks.keyshareServer.token)
ks.pinCheck = true
}
// Add a minute of leeway for possible clockdrift with the server,
// and for the rest of the protocol to take place with this token
if claims.VerifyExpiresAt(time.Now().Add(1*time.Minute).Unix(), true) {
if !claims.VerifyExpiresAt(time.Now().Add(1*time.Minute).Unix(), true) {
irma.Logger.Info("Keyshare server token expires too soon, asking for PIN")
irma.Logger.Debug("Token: ", ks.keyshareServer.token)
ks.pinCheck = true
}
}
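Review bot: The re-check at L18 covers only `exp`; if `parser` (declared above the hunk) has SkipClaimsValidation set, as the second hunk does for finishDisclosureOrSigning, then `nbf` and `iat` are no longer validated anywhere on this path, so a token whose not-before still lies in the future is accepted as long as its signature verifies. A mirror check with the same drift margin would restore that, `if !claims.VerifyNotBefore(time.Now().Add(1*time.Minute).Unix(), false) { ... }`, setting `ks.pinCheck = true` as the expiry branch does. The Debug lines at L12 and L20, whether new or pre-existing, write the raw bearer token to the log; logging its subject and expiry instead would keep the credential out of log files. startKeyshareSession continues outside the hunk on both sides.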
......@@ -458,7 +462,9 @@ func (ks *keyshareSession) finishDisclosureOrSigning(challenge *big.Int, respons
jwt.StandardClaims
ProofP *gabi.ProofP
}{}
if _, err := jwt.ParseWithClaims(responses[managerID], &claims, ks.conf.KeyshareServerKeyFunc(managerID)); err != nil {
parser := new(jwt.Parser)
parser.SkipClaimsValidation = true // no need to abort due to clock drift issues
if _, err := parser.ParseWithClaims(responses[managerID], &claims, ks.conf.KeyshareServerKeyFunc(managerID)); err != nil {
ks.sessionHandler.KeyshareError(&managerID, err)
return
}
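Review bot: SkipClaimsValidation at L30 drops the `exp`, `nbf` and `iat` checks on the server's response token entirely rather than tolerating a small drift, and nothing after the parse re-checks them, so an expired response JWT with a valid signature is accepted here. Whether that matters depends on whether the embedded ProofP is bound to `challenge` (it looks like it is, which would make a stale response fail later, but worth confirming); if freshness of this token is relied on, a tolerant manual check after the parse preserves the intent of the comment: `if !claims.VerifyExpiresAt(time.Now().Add(-1*time.Minute).Unix(), false) { ks.sessionHandler.KeyshareError(&managerID, err); return }` with a suitable expiry error in place of `err`. The comment at L30 would then read `// claims are re-checked below with leeway for clock drift` rather than implying no check is needed. finishDisclosureOrSigning continues outside the hunk on both sides.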
......@@ -107,7 +107,7 @@ func (client *Client) NewSession(sessionrequest string, handler Handler) Session
return client.newManualSession(disclosureRequest, handler, irma.ActionDisclosing)
}
handler.Failure(&irma.SessionError{Err: errors.New("Session request could not be parsed")})
handler.Failure(&irma.SessionError{Err: errors.New("Session request could not be parsed"), Info: sessionrequest})
return nil
}