[Debian-iot-packaging] [glewlwyd] 01/02: Import Upstream version 1.2

Thorsten Alteholz alteholz at moszumanska.debian.org
Tue Sep 19 20:19:22 UTC 2017



alteholz pushed a commit to branch master
in repository glewlwyd.

commit 44a12dfffc5840ca79630591c2664d4244ad8e19
Author: Thorsten Alteholz <debian at alteholz.de>
Date:   Tue Sep 19 22:18:59 2017 +0200

    Import Upstream version 1.2
---
 INSTALL.md           | 35 ++++++++++++++++++++------
 glewlwyd.conf.sample | 20 ++++++++++++---
 src/glewlwyd.c       | 71 ++++++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 107 insertions(+), 19 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md
index a87f493..378fef2 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,10 +1,18 @@
 # Installation
 
-## From docker
+## Debian package
+
+Glewlwyd is now available in Debian Buster (testing), and Debian sid. To install it on your device, use the following command as root:
+
+```shell
+# apt install glewlwyd
+```
+
+## Docker
 
 [Rafael](https://github.com/rafaelhdr/) is currently working on a [docker image](https://github.com/rafaelhdr/glewlwyd-oauth2-server) for Glewlwyd, Kudos to him! This is a work-in-progress but you already can easily build an image with MariaDB or SQLite3 backend. Check out the documentation for more informations.
 
-## From Github
+## Manual install from Github
 
 You must install the following libraries including their header files:
 
@@ -198,18 +206,31 @@ sqlite> INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_use
 
 ### JWT configuration
 
-You can choose between SHA (HS512) and RSA (RS512) anglorithms to sign the tokens. Note that if you use SHA, you will need to share the `sha_secret` value with the resource providers and keep it safe in all places. If you use RSA algorithm, you will need to share the public key `rsa_pub_file` with resource providers, and you will need to keep the private key `rsa_key_file` safe.
+You can choose between SHA (HS256, HS384, HS512), RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) anglorithms to sign the tokens. Note that if you use SHA, you will need to share the `sha_secret` value with the resource providers and keep it safe in all places. If you use RSA or ECDSA algorithm, you will need to share the public key specified in `[rsa|ecdsa]_pub_file` with resource providers, and you will need to keep the private key `[rsa|ecdsa]_key_file` safe.
+
+The values available for the parameter `key_size` are 256, 284 and 512 only. To choose your signature algorithm, set the value `true` to the parameter `use_[rsa|ecdsa|sha]` you want, and `false` to the other ones. Finally, set the additional parameter used for your algorithm:
+- `*_key_file` and `*_pub_file` if you choose ECDSA or RSA signatures, with the path to the public and private signature files
+- `sha_secret` if you choose SHA signatures, with the value of the secret
 
 #### RSA private/public key creation
 
-You can use the following command to create a pair of private and public keys for the RSA algorithm:
+You can use the following example commands to create a pair of private and public keys for the algorithms RSA or ECDSA:
 
 ```SHELL
-$ openssl genrsa -out private.key 4096
-$ openssl rsa -in private.key -outform PEM -pubout -out public.pem
+$ # RS512
+$ # private key
+$ openssl genrsa -out private-rsa.key 4096
+$ # public key
+$ openssl rsa -in private-rsa.key -outform PEM -pubout -out public-rsa.pem
+
+$ # ES512
+$ # private key
+$ openssl ecparam -genkey -name secp521r1 -noout -out private-ecdsa.key
+$ # public key
+$ openssl ec -in private-ecdsa.key -pubout -out public-ecdsa.pem
 ```
 
-For more information about generating RSA keys, see [OpenSSL Documentation](https://www.openssl.org/docs/)
+For more information about generating keys, see [OpenSSL Documentation](https://www.openssl.org/docs/)
 
 ### Install service
 
diff --git a/glewlwyd.conf.sample b/glewlwyd.conf.sample
index f8b552e..c3a11cd 100644
--- a/glewlwyd.conf.sample
+++ b/glewlwyd.conf.sample
@@ -117,18 +117,18 @@ grant_url="https://example.org/glewlwyd/app/grant.html?"
 reset_password=true # optional, default false
 reset_password_config = 
 {
-  # SMTP parameters
+# SMTP parameters
   smtp_host="localhost"         # mandatory
   smtp_port=25                  # optional, default 25
   smtp_use_tls=false            # optional, default false
   smtp_verify_certificate=false # optional, default false
-#  smtp_user="user"              # optional, default no value
-#  smtp_password="password"      # optional, default no value
+#  smtp_user="user"             # optional, default no value
+#  smtp_password="password"     # optional, default no value
   
   token_expiration=604800                                                                     # in seconds, optional, default 604800
   email_from="glewlwyd at example.org"                                                           # mandatory
   email_subject="Glewlwyd email reset"                                                        # mandatory
-  email_template="reset.eml"                                                             # mandatory
+  email_template="reset.eml"                                                                  # mandatory
   page_url_prefix="https://example.org/glewlwyd/app/reset.html?user=$USERNAME&code=$TOKEN"    # mandatory
 }
 
@@ -208,6 +208,9 @@ authentication =
 # jwt parameters
 jwt =
 {
+   # key size for algorithms, values available are 256, 384 or 512, default 512
+   key_size = 512
+   
    # Use RSA algorithm to sign tokens (asymetric)
    use_rsa = false
    
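Review bot: The new `key_size` comment says only which values are accepted, not what the number means, and the name invites reading it as the RSA modulus length (INSTALL.md in this same commit generates a 4096-bit RSA key). The value actually selects the JWS algorithm variant — HS/RS/ES 256, 384 or 512 — and for ECDSA, RFC 7518 ties ES256/ES384/ES512 to the P-256/P-384/P-521 curves, so it must agree with the curve of the key file. I would reword the comment to `# Signature variant (HS/RS/ES 256, 384 or 512), NOT the RSA key length; for ECDSA it must match the curve of ecdsa_key_file (P-256, P-384 or P-521). Default 512`.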
@@ -217,6 +220,15 @@ jwt =
    # path to the public certificate file to validate signatures
    rsa_pub_file = "public.pem"
    
+   # Use ECDSA algorithm to sign tokens (asymetric)
+   use_ecdsa = false
+   
+   # path to the key (private) certificate file to sign tokens
+   ecdsa_key_file = "private.key"
+   
+   # path to the public certificate file to validate signatures
+   ecdsa_pub_file = "public.pem"
+   
    # Use SHA algorithm to sign tokens (symetric)
    use_sha = true
    
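Review bot: Nothing in the sample tells the operator what happens when more than one of `use_rsa`, `use_ecdsa` and `use_sha` is true; in src/glewlwyd.c in this same commit the selection is an `if (cur_use_rsa) ... else if (cur_use_ecdsa) ... else if (cur_use_sha)` chain, so RSA silently wins over ECDSA and both win over SHA. I would say so in the sample: `# Only one of use_rsa / use_ecdsa / use_sha should be true; if several are set, rsa takes precedence over ecdsa, and ecdsa over sha`. The two new path comments also call the files "certificate" files, while the INSTALL.md steps produce a raw private key and a public key rather than X.509 certificates; `# path to the private key file (PEM) used to sign tokens` and `# path to the public key file (PEM) used to verify signatures` would be accurate. Reusing the `private.key`/`public.pem` defaults from the RSA entries is only harmless because the two settings are mutually exclusive, which is one more reason to document the precedence.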
diff --git a/src/glewlwyd.c b/src/glewlwyd.c
index d2140c2..e168ea3 100644
--- a/src/glewlwyd.c
+++ b/src/glewlwyd.c
@@ -584,13 +584,13 @@ int build_config_from_file(struct config_elements * config) {
              * cur_auth_ldap_description_property_client_write = NULL, * cur_auth_ldap_redirect_uri_property_client_write = NULL,
              * cur_auth_ldap_confidential_property_client_write = NULL, * cur_auth_ldap_password_property_client_write = NULL,
              * cur_auth_ldap_password_algorithm_client_write = NULL, * cur_auth_ldap_object_class_client_write = NULL,
-             * cur_rsa_key_file = NULL, * cur_rsa_pub_file = NULL, * cur_sha_secret = NULL, * extension = NULL, * mime_type_value = NULL,
-             * cur_secure_connection_key_file = NULL, * cur_secure_connection_pem_file = NULL, * cur_grant_url = NULL, * cur_login_url = NULL,
-             * cur_reset_password_smtp_host = NULL, * cur_reset_password_smtp_user = NULL, * cur_reset_password_smtp_password = NULL,
-             * cur_reset_password_email_from = NULL, * cur_reset_password_email_subject = NULL,
+             * cur_rsa_key_file = NULL, * cur_rsa_pub_file = NULL, * cur_ecdsa_key_file = NULL, * cur_ecdsa_pub_file = NULL, * cur_sha_secret = NULL,
+             * extension = NULL, * mime_type_value = NULL, * cur_secure_connection_key_file = NULL, * cur_secure_connection_pem_file = NULL,
+             * cur_grant_url = NULL, * cur_login_url = NULL, * cur_reset_password_smtp_host = NULL, * cur_reset_password_smtp_user = NULL,
+             * cur_reset_password_smtp_password = NULL, * cur_reset_password_email_from = NULL, * cur_reset_password_email_subject = NULL,
              * cur_reset_password_email_template_path = NULL, * cur_reset_password_page_url_prefix = NULL;
-  int db_mariadb_port = 0;
-  int cur_database_auth = 0, cur_ldap_auth = 0, cur_use_scope = 0, cur_use_rsa = 0, cur_use_sha = 0, cur_use_secure_connection = 0, cur_auth_ldap_user_write = 0, cur_auth_ldap_client_write = 0, i;
+  int db_mariadb_port = 0, cur_key_size = 512;
+  int cur_database_auth = 0, cur_ldap_auth = 0, cur_use_scope = 0, cur_use_rsa = 0, cur_use_ecdsa = 0, cur_use_sha = 0, cur_use_secure_connection = 0, cur_auth_ldap_user_write = 0, cur_auth_ldap_client_write = 0, i;
   
   config_init(&cfg);
   
@@ -1301,7 +1301,14 @@ int build_config_from_file(struct config_elements * config) {
   jwt = config_setting_get_member(root, "jwt");
   if (jwt != NULL) {
     config_setting_lookup_bool(jwt, "use_rsa", &cur_use_rsa);
+    config_setting_lookup_bool(jwt, "use_ecdsa", &cur_use_ecdsa);
     config_setting_lookup_bool(jwt, "use_sha", &cur_use_sha);
+    config_setting_lookup_int(jwt, "key_size", &cur_key_size);
+    if (cur_key_size != 256 && cur_key_size != 384 && cur_key_size != 512) {
+      config_destroy(&cfg);
+      fprintf(stderr, "Error, key_size incorrect, values available are 256, 384 or 512\n");
+      return 0;
+    }
     if (cur_use_rsa) {
       config_setting_lookup_string(jwt, "rsa_key_file", &cur_rsa_key_file);
       config_setting_lookup_string(jwt, "rsa_pub_file", &cur_rsa_pub_file);
@@ -1313,7 +1320,13 @@ int build_config_from_file(struct config_elements * config) {
         key = get_file_content(cur_rsa_key_file);
         if (key != NULL) {
           key_len = strlen(key);
-          jwt_set_alg(config->jwt, JWT_ALG_RS512, (const unsigned char *)key, key_len);
+          if (cur_key_size == 256) {
+            jwt_set_alg(config->jwt, JWT_ALG_RS256, (const unsigned char *)key, key_len);
+          } else if (cur_key_size == 384) {
+            jwt_set_alg(config->jwt, JWT_ALG_RS384, (const unsigned char *)key, key_len);
+          } else if (cur_key_size == 512) {
+            jwt_set_alg(config->jwt, JWT_ALG_RS512, (const unsigned char *)key, key_len);
+          }
           o_free(key);
         } else {
           config_destroy(&cfg);
@@ -1332,11 +1345,53 @@ int build_config_from_file(struct config_elements * config) {
         fprintf(stderr, "Error, rsa_key_file or rsa_pub_file incorrect\n");
         return 0;
       }
+    } else if (cur_use_ecdsa) {
+      config_setting_lookup_string(jwt, "ecdsa_key_file", &cur_ecdsa_key_file);
+      config_setting_lookup_string(jwt, "ecdsa_pub_file", &cur_ecdsa_pub_file);
+      if (cur_ecdsa_key_file != NULL && cur_ecdsa_pub_file != NULL) {
+        char * key;
+        size_t key_len;
+        
+        jwt_new(&(config->jwt));
+        key = get_file_content(cur_ecdsa_key_file);
+        if (key != NULL) {
+          key_len = strlen(key);
+          if (cur_key_size == 256) {
+            jwt_set_alg(config->jwt, JWT_ALG_ES256, (const unsigned char *)key, key_len);
+          } else if (cur_key_size == 384) {
+            jwt_set_alg(config->jwt, JWT_ALG_ES384, (const unsigned char *)key, key_len);
+          } else if (cur_key_size == 512) {
+            jwt_set_alg(config->jwt, JWT_ALG_ES512, (const unsigned char *)key, key_len);
+          }
+          o_free(key);
+        } else {
+          config_destroy(&cfg);
+          fprintf(stderr, "Error, ecdsa_key_file content incorrect\n");
+          return 0;
+        }
+        
+        config->jwt_decode_key = get_file_content(cur_ecdsa_pub_file);
+        if (config->jwt_decode_key == NULL) {
+          config_destroy(&cfg);
+          fprintf(stderr, "Error, ecdsa_pub_file content incorrect\n");
+          return 0;
+        }
+      } else {
+        config_destroy(&cfg);
+        fprintf(stderr, "Error, ecdsa_key_file or ecdsa_pub_file incorrect\n");
+        return 0;
+      }
     } else if (cur_use_sha) {
       jwt_new(&(config->jwt));
       config_setting_lookup_string(jwt, "sha_secret", &cur_sha_secret);
       if (cur_sha_secret != NULL) {
-        jwt_set_alg(config->jwt, JWT_ALG_HS512, (const unsigned char *)cur_sha_secret, strlen(cur_sha_secret));
+        if (cur_key_size == 256) {
+          jwt_set_alg(config->jwt, JWT_ALG_HS256, (const unsigned char *)cur_sha_secret, strlen(cur_sha_secret));
+        } else if (cur_key_size == 384) {
+          jwt_set_alg(config->jwt, JWT_ALG_HS384, (const unsigned char *)cur_sha_secret, strlen(cur_sha_secret));
+        } else if (cur_key_size == 512) {
+          jwt_set_alg(config->jwt, JWT_ALG_HS512, (const unsigned char *)cur_sha_secret, strlen(cur_sha_secret));
+        }
         config->jwt_decode_key = o_strdup(cur_sha_secret);
       } else {
         config_destroy(&cfg);
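Review bot: The SHA branch at the bottom of the hunk accepts a `sha_secret` of any length, so a one-character secret silently becomes an HS256/HS384/HS512 signing key; RFC 7518 §3.2 requires the HMAC key to be at least the hash output size (32, 48 or 64 bytes). I would reject short secrets before `jwt_set_alg`: `if (strlen(cur_sha_secret) < (size_t)cur_key_size / 8) { config_destroy(&cfg); fprintf(stderr, "Error, sha_secret must be at least %d bytes for HS%d\n", cur_key_size / 8, cur_key_size); return 0; }`. The new ECDSA branch has a related gap: `key_size` picks ES256/ES384/ES512, but nothing checks that the key in `ecdsa_key_file` is actually on P-256/P-384/P-521, so a mismatch would presumably only surface when the first token is signed rather than at start-up. `key` holds the PEM private key and is released with a plain `o_free(key)`; wiping it first (`explicit_bzero(key, key_len)` where available) keeps the key material from lingering in freed heap, although the copy libjwt keeps internally is outside this code's control. build_config_from_file continues past the end of the hunk.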



