coolaj86/go-mockid
1
0
Fork 0
Code Issues 3 Pull Requests Releases Wiki Activity

Compare commits

base: coolaj86:a33b0dbf6afd7b673de8e7ad315e62492dbedd47
Branches Tags
coolaj86:master
coolaj86:gapi
..
compare: coolaj86:364de7114ae8b767af24d41c6310821557b58d04
Branches Tags
coolaj86:master
coolaj86:gapi

2 Commits
a33b0dbf6a ... 364de7114a

Author SHA1 Message Date
AJ ONeal
364de7114a add ability to post public keys 2019-08-19 03:40:16 +00:00
AJ ONeal
10450e9b98 add easy header and exp options 2019-08-19 03:40:07 +00:00
2 changed files with 286 additions and 42 deletions
Show Stats Expand all files Collapse all files

236
mockid.go
View File

@ -5,15 +5,20 @@ import (
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"crypto/sha512"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"flag" "flag"
"fmt" "fmt"
"io/ioutil"
"log" "log"
"math/big" "math/big"
"net/http" "net/http"
"net/url"
"os" "os"
"path/filepath"
"strconv" "strconv"
"strings"
"time" "time"
) )
@ -23,10 +28,14 @@ type PrivateJWK struct {
} }
type PublicJWK struct { type PublicJWK struct {
Crv string `json:"crv"` Crv string `json:"crv"`
KeyID string `json:"kid,omitempty"`
Kty string `json:"kty,omitempty"`
X string `json:"x"` X string `json:"x"`
Y string `json:"y"` Y string `json:"y"`
} }
var jwksPrefix string
func main() { func main() {
done := make(chan bool) done := make(chan bool)
var port int var port int
@ -52,6 +61,7 @@ func main() {
portFlag := flag.Int("port", 0, "Port on which the HTTP server should run") portFlag := flag.Int("port", 0, "Port on which the HTTP server should run")
urlFlag := flag.String("url", "", "Outward-facing address, such as https://example.com") urlFlag := flag.String("url", "", "Outward-facing address, such as https://example.com")
prefixFlag := flag.String("jwkspath", "", "The path to the JWKs storage directory")
flag.Parse() flag.Parse()
if nil != portFlag && *portFlag > 0 { if nil != portFlag && *portFlag > 0 {
@ -71,6 +81,121 @@ func main() {
host = "http://localhost:" + strconv.Itoa(port) host = "http://localhost:" + strconv.Itoa(port)
} }
if nil != prefixFlag && "" != *prefixFlag {
jwksPrefix = *prefixFlag
} else {
jwksPrefix = "public-jwks"
}
err := os.MkdirAll(jwksPrefix, 0755)
if nil != err {
fmt.Fprintf(os.Stderr, "couldn't write %q: %s", jwksPrefix, err)
os.Exit(1)
}
http.HandleFunc("/api/jwks", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s %s", r.Method, r.Host, r.URL.Path)
if "POST" != r.Method {
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
return
}
tok := make(map[string]interface{})
decoder := json.NewDecoder(r.Body)
err := decoder.Decode(&tok)
if nil != err {
http.Error(w, "Bad Request: invalid json", http.StatusBadRequest)
return
}
defer r.Body.Close()
// TODO better, JSON error messages
if _, ok := tok["d"]; ok {
http.Error(w, "Bad Request: private key", http.StatusBadRequest)
return
}
kty, _ := tok["kty"].(string)
if "EC" != kty {
http.Error(w, "Bad Request: only EC keys are supported", http.StatusBadRequest)
return
}
crv, ok := tok["crv"].(string)
if 5 != len(crv) || "P-" != crv[:2] {
http.Error(w, "Bad Request: bad curve", http.StatusBadRequest)
return
}
x, ok := tok["x"].(string)
if !ok {
http.Error(w, "Bad Request: missing 'x'", http.StatusBadRequest)
return
}
y, ok := tok["y"].(string)
if !ok {
http.Error(w, "Bad Request: missing 'y'", http.StatusBadRequest)
return
}
// TODO RSA
thumbprintable := []byte(
fmt.Sprintf(`{"crv":%q,"kty":"EC","x":%q,"y":%q}`, crv, x, y),
)
var thumb []byte
switch crv[2:] {
case "256":
hash := sha256.Sum256(thumbprintable)
thumb = hash[:]
case "384":
hash := sha512.Sum384(thumbprintable)
thumb = hash[:]
case "521":
hash := sha512.Sum512(thumbprintable)
thumb = hash[:]
default:
http.Error(w, "Bad Request: bad curve", http.StatusBadRequest)
return
}
kid := base64.RawURLEncoding.EncodeToString(thumb)
if kid2, _ := tok["kid"].(string); "" != kid2 && kid != kid2 {
http.Error(w, "Bad Request: kid should be "+kid, http.StatusBadRequest)
return
}
// TODO allow posting at the top-level?
// TODO support a group of keys by PPID
// (right now it's only by KID)
if !strings.HasPrefix(r.Host, strings.ToLower(kid)+".") {
http.Error(w, "Bad Request: prefix should be "+kid, http.StatusBadRequest)
return
}
pub := []byte(fmt.Sprintf(
`{"crv":%q,"kid":%q,"kty":"EC","x":%q,"y":%q}`, crv, kid, x, y,
))
err = ioutil.WriteFile(
filepath.Join(jwksPrefix, strings.ToLower(kid)+".jwk.json"),
pub,
0644,
)
if nil != err {
fmt.Println("can't write file")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
var scheme string
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {
scheme = "https://"
} else {
scheme = "http://"
}
w.Write([]byte(fmt.Sprintf(
`{ "iss":%q, "jwks_url":%q }`, scheme+r.Host+"/", scheme+r.Host+"/.well-known/jwks.json",
)))
})
http.HandleFunc("/access_token", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/access_token", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s\n", r.Method, r.URL.Path) log.Printf("%s %s\n", r.Method, r.URL.Path)
var scheme string var scheme string
@ -79,13 +204,44 @@ func main() {
} else { } else {
scheme = "http://" scheme = "http://"
} }
_, _, token := genToken(scheme + r.Host, priv) _, _, token := genToken(scheme+r.Host, priv, r.URL.Query())
fmt.Fprintf(w, token) fmt.Fprintf(w, token)
}) })
http.HandleFunc("/authorization_header", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s\n", r.Method, r.URL.Path)
var scheme string
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {
scheme = "https://"
} else {
scheme = "http://"
}
var header string
headers, _ := r.URL.Query()["header"]
if 0 == len(headers) {
header = "Authorization"
} else {
header = headers[0]
}
var prefix string
prefixes, _ := r.URL.Query()["prefix"]
if 0 == len(prefixes) {
prefix = "Bearer "
} else {
prefix = prefixes[0]
}
_, _, token := genToken(scheme+r.Host, priv, r.URL.Query())
fmt.Fprintf(w, "%s: %s%s", header, prefix, token)
})
http.HandleFunc("/key.jwk.json", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/key.jwk.json", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.URL.Path) log.Printf("%s %s", r.Method, r.URL.Path)
fmt.Fprintf(w, `{ "kty": "EC" , "crv": %q , "d": %q , "x": %q , "y": %q , "ext": true , "key_ops": ["sign"] }`, jwk.Crv, jwk.D, jwk.X, jwk.Y) fmt.Fprintf(w, `{ "kty": "EC" , "crv": %q , "d": %q , "x": %q , "y": %q , "ext": true , "key_ops": ["sign"] }`, jwk.Crv, jwk.D, jwk.X, jwk.Y)
}) })
http.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
var scheme string var scheme string
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {
@ -96,24 +252,49 @@ func main() {
log.Printf("%s %s\n", r.Method, r.URL.Path) log.Printf("%s %s\n", r.Method, r.URL.Path)
fmt.Fprintf(w, `{ "issuer": "%s", "jwks_uri": "%s/.well-known/jwks.json" }`, scheme+r.Host, scheme+r.Host) fmt.Fprintf(w, `{ "issuer": "%s", "jwks_uri": "%s/.well-known/jwks.json" }`, scheme+r.Host, scheme+r.Host)
}) })
http.HandleFunc("/.well-known/jwks.json", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/.well-known/jwks.json", func(w http.ResponseWriter, r *http.Request) {
log.Printf("%s %s", r.Method, r.URL.Path) log.Printf("%s %s %s", r.Method, r.Host, r.URL.Path)
parts := strings.Split(r.Host, ".")
kid := parts[0]
b, err := ioutil.ReadFile(filepath.Join(jwksPrefix, strings.ToLower(kid)+".jwk.json"))
if nil != err {
//http.Error(w, "Not Found", http.StatusNotFound)
jwkstr := fmt.Sprintf( jwkstr := fmt.Sprintf(
`{ "keys": [ { "kty": "EC" , "crv": %q , "x": %q , "y": %q , "kid": %q , "ext": true , "key_ops": ["verify"] , "exp": %s } ] }`, `{ "keys": [ { "kty": "EC" , "crv": %q , "x": %q , "y": %q , "kid": %q , "ext": true , "key_ops": ["verify"] , "exp": %s } ] }`,
jwk.Crv, jwk.X, jwk.Y, thumbprint, strconv.FormatInt(time.Now().Add(15*time.Minute).Unix(), 10), jwk.Crv, jwk.X, jwk.Y, thumbprint, strconv.FormatInt(time.Now().Add(15*time.Minute).Unix(), 10),
) )
fmt.Println(jwkstr)
fmt.Fprintf(w, jwkstr)
return
}
tok := &PublicJWK{}
err = json.Unmarshal(b, tok)
if nil != err {
// TODO delete the bad file?
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
jwkstr := fmt.Sprintf(
`{ "keys": [ { "kty": "EC", "crv": %q, "x": %q, "y": %q, "kid": %q,`+
` "ext": true, "key_ops": ["verify"], "exp": %s } ] }`,
tok.Crv, tok.X, tok.Y, tok.KeyID, strconv.FormatInt(time.Now().Add(15*time.Minute).Unix(), 10),
)
fmt.Println(jwkstr) fmt.Println(jwkstr)
fmt.Fprintf(w, jwkstr) fmt.Fprintf(w, jwkstr)
}) })
fs := http.FileServer(http.Dir("public")) fs := http.FileServer(http.Dir("public"))
http.Handle("/", fs) http.Handle("/", fs)
/* /*
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf(r.Method, r.URL.Path) log.Printf(r.Method, r.URL.Path)
http.Error(w, "Not Found", http.StatusNotFound) http.Error(w, "Not Found", http.StatusNotFound)
}) })
*/ */
fmt.Printf("Serving on port %d\n", port) fmt.Printf("Serving on port %d\n", port)
go func() { go func() {
@ -125,7 +306,7 @@ func main() {
fmt.Printf("Private Key:\n\t%s\n", string(b)) fmt.Printf("Private Key:\n\t%s\n", string(b))
b, _ = json.Marshal(jwk.PublicJWK) b, _ = json.Marshal(jwk.PublicJWK)
fmt.Printf("Public Key:\n\t%s\n", string(b)) fmt.Printf("Public Key:\n\t%s\n", string(b))
protected, payload, token := genToken(host, priv) protected, payload, token := genToken(host, priv, url.Values{})
fmt.Printf("Protected (Header):\n\t%s\n", protected) fmt.Printf("Protected (Header):\n\t%s\n", protected)
fmt.Printf("Payload (Claims):\n\t%s\n", payload) fmt.Printf("Payload (Claims):\n\t%s\n", payload)
fmt.Printf("Access Token:\n\t%s\n", token) fmt.Printf("Access Token:\n\t%s\n", token)
@ -133,15 +314,56 @@ func main() {
<-done <-done
} }
func genToken(host string, priv *ecdsa.PrivateKey) (string, string, string) { func parseExp(exp string) (int, error) {
if "" == exp {
exp = "15m"
}
mult := 1
switch exp[len(exp)-1] {
case 'w':
mult *= 7
fallthrough
case 'd':
mult *= 24
fallthrough
case 'h':
mult *= 60
fallthrough
case 'm':
mult *= 60
fallthrough
case 's':
// no fallthrough
default:
// could be 'k' or 'z', but we assume its empty
exp += "s"
}
num, err := strconv.Atoi(exp[:len(exp)-1])
if nil != err {
return 0, err
}
return num * mult, nil
}
func genToken(host string, priv *ecdsa.PrivateKey, query url.Values) (string, string, string) {
thumbprint := thumbprintKey(&priv.PublicKey) thumbprint := thumbprintKey(&priv.PublicKey)
protected := fmt.Sprintf(`{"typ":"JWT","alg":"ES256","kid":"%s"}`, thumbprint) protected := fmt.Sprintf(`{"typ":"JWT","alg":"ES256","kid":"%s"}`, thumbprint)
protected64 := base64.RawURLEncoding.EncodeToString([]byte(protected)) protected64 := base64.RawURLEncoding.EncodeToString([]byte(protected))
exp, err := parseExp(query.Get("exp"))
if nil != err {
// cryptic error code
// TODO propagate error
exp = 422
}
payload := fmt.Sprintf( payload := fmt.Sprintf(
`{"iss":"%s/","sub":"dummy","exp":%s}`, `{"iss":"%s/","sub":"dummy","exp":%s}`,
host, strconv.FormatInt(time.Now().Add(15*time.Minute).Unix(), 10), host, strconv.FormatInt(time.Now().Add(time.Duration(exp)*time.Second).Unix(), 10),
) )
payload64 := base64.RawURLEncoding.EncodeToString([]byte(payload)) payload64 := base64.RawURLEncoding.EncodeToString([]byte(payload))
hash := sha256.Sum256([]byte(fmt.Sprintf(`%s.%s`, protected64, payload64))) hash := sha256.Sum256([]byte(fmt.Sprintf(`%s.%s`, protected64, payload64)))
r, s, _ := ecdsa.Sign(rand.Reader, priv, hash[:]) r, s, _ := ecdsa.Sign(rand.Reader, priv, hash[:])
rb := r.Bytes() rb := r.Bytes()

26
public/index.html
View File

@ -4,18 +4,24 @@ Compatible with
* OAuth2 * OAuth2
* OpenID Connect (OIDC) * OpenID Connect (OIDC)
* JOSE * JOSE (Signed Access Tokens)
* JWT * JWT
* JWK (Signed Access Tokens) * JWK
* JWS * JWS
<h1>Resources</h1> <h1>Resources</h1>
* https://mock.pocketid.app/access_token * https://mock.pocketid.app/access_token
* https://mock.pocketid.app/authorization_header
* https://xxx.mock.pocketid.app/.well-known/openid-configuration * https://xxx.mock.pocketid.app/.well-known/openid-configuration
* https://xxx.mock.pocketid.app/.well-known/jwks.json * https://xxx.mock.pocketid.app/.well-known/jwks.json
* https://mock.pocketid.app/key.jwk.json * https://mock.pocketid.app/key.jwk.json
* POST https://xxx.mock.pocketid.app/api/jwks
{ "kty":"EC", "crv":"P-256", "x":"xxx", "y":"yyy" }
* GET https://xxx.mock.pocketid.app/.well-known/jwks.json
<h2>Get a token</h2> <h2>Get a token</h2>
Get a verifiable access token Get a verifiable access token
@ -26,6 +32,22 @@ For example:
TOKEN=$(curl -fL https://mock.pocketid.app/access_token) TOKEN=$(curl -fL https://mock.pocketid.app/access_token)
You can set the expiration (`exp`) with query parameters:
* https://mock.pocketid.app/access_token?exp=90d (+90 days)
* https://mock.pocketid.app/access_token?exp=3h (+3 hours)
* https://mock.pocketid.app/access_token?exp=15m (+15 minutes)
* https://mock.pocketid.app/access_token?exp=1565739000 (exactly 2019-08-13 5:30pm)
(you can also get the whole header)
https://mock.pocketid.app/authorization_header
For example:
HEADER=$(curl -fL https://mock.pocketid.app/authorization_header)
# Authorization: Bearer &lt;token&gt;
<h3>The Token, Decoded</h3> <h3>The Token, Decoded</h3>
The Token will look like this: The Token will look like this: