1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
#! /usr/bin/env perl
# Copyright 2012, Matthias Andreas Benkard <code@mail.matthias.benkard.de>.
use common::sense;
use Modern::Perl;
use JSON;
use Crypt::OpenSSL::RSA;
use File::Slurp;
use CGI;
use CGI::Fast;
use CGI::Session;
use MIME::Base64 qw(encode_base64 decode_base64);
use Time::HiRes qw(time);
do "common.pl";
sub decode_base64_url($) {
# From: https://github.com/ptarjan/base64url/blob/master/perl.pl
(my $s = shift) =~ tr{-_}{+/};
$s .= '=' x (4 - length($s));
return decode_base64($s);
}
sub encode_base64_url($) {
my ($s) = shift;
$s = encode_base64($s);
$s =~ tr{+/}{-_};
$s =~ s/=*$//;
$s =~ s/\n//g;
return $s;
}
sub sign($$$$$) {
# NB. Treating the jwcrypto code as the spec here.
my ($key, $client_pubkey, $email, $duration, $domain) = @_;
my $issued_at = int(1000*time);
my $cert = {
iss => $domain,
exp => $issued_at + 1000*$duration,
iat => $issued_at,
"public-key" => $client_pubkey,
principal => { email => $email }
};
my $header = {typ => "JWT", alg => "RS256"};
my $header_bytes = encode_base64_url(encode_json($header));
my $cert_bytes = encode_base64_url(encode_json($cert));
my $string_to_sign = $header_bytes . "." . $cert_bytes;
my $sig = $key->sign($string_to_sign);
my $sig_bytes = encode_base64_url($sig);
return $header_bytes . "." . $cert_bytes . "." . $sig_bytes;
}
while (my $cgi = new CGI::Fast) {
$::MULKONF = {}; # to silence a warning
load_config();
my $cookie = $cgi->cookie('mulkid_session') or die "No session cookie";
my $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"}) or die "Invalid session cookie";
print $cgi->header(-content_type => 'application/json; charset=UTF-8');
my $key = Crypt::OpenSSL::RSA->new_private_key(scalar read_file($::MULKONF->{pemfile}));
$key->use_pkcs1_padding();
$key->use_sha256_hash();
my $user_pubkey = $cgi->param('pubkey') or die "Nothing to sign";
my $duration = $cgi->param('duration') || 24*3600;
my $email = $cgi->param('email') or die "No email address supplied";
my $session_user = $session->param('user');
my $domain;
if ($email =~ /^(.*?)@(.*)/) { $domain = $2; }
die "User is not authorized to use this email address"
unless ($session_user ~~ [email_users($email)]);
my $sig = sign $key, decode_json($user_pubkey), $email, $duration, $domain;
say encode_json({signature => $sig});
}
|