-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathgenerate-dpop-proof
executable file
·189 lines (150 loc) · 4.43 KB
/
generate-dpop-proof
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
#!/usr/bin/env ruby
#
# OVERVIEW
# --------
#
# This script generates a DPoP proof JWT that complies with RFC 9449.
#
# USAGE
# -----
#
# generate-dpop-proof
# --at={ACCESS_TOKEN} # -a {ACCESS_TOKEN}
# --ath={ACCESS_TOKEN_HASH} # -h {ACCESS_TOKEN_HASH}
# --htm={HTM} # -m {HTM}
# --htu={HTU} # -u {HTU}
# --key={PRIVATE_KEY_IN_JWK_FORMAT} # -k {PRIVATE_KEY_IN_JWK_FORMAT}
# --nonce={NONCE} # -n {NONCE}
#
require 'bundler/inline'
gemfile do
source 'https://rubygems.org'
gem 'json-jwt'
gem 'optparse'
end
require 'base64'
require 'digest/sha2'
require 'securerandom'
require 'time'
#------------------------------------------------------------
# main
#------------------------------------------------------------
def main(args)
# Process the command line options.
options = Options.process(args)
# Prepare the payload.
payload = build_payload(options)
# Generate a JWS by signing with the key.
jws = sign(payload, options.key)
# Write the JWS to the standard output.
puts jws
end
#------------------------------------------------------------
# Prepare the payload.
#------------------------------------------------------------
def build_payload(options)
# JWT ID
jti = SecureRandom.alphanumeric(16)
# The current time in seconds for time-related claims
now = Time.now.to_i
# Payload
{
jti: jti,
htm: options.htm,
htu: options.htu,
iat: now,
ath: options.ath,
nonce: options.nonce
}.compact
end
#------------------------------------------------------------
# Generate a JWS by signing with the key.
#------------------------------------------------------------
def sign(payload, jwk)
# Prepare a JWT with the header and the payload.
jwt = JSON::JWT.new(payload)
# Set up some header parameters.
jwt.typ = 'dpop+jwt'
jwt.jwk = jwk.normalize # to a public key
# Sign the JWT with the key and convert it to JWS.
jwt.sign(jwk).to_s
end
#------------------------------------------------------------
# Command line options
#------------------------------------------------------------
class Options < OptionParser
DESC_AT = "The value of the access token, used to compute the value of the 'ath' claim."
DESC_ATH = "The value of the 'ath' claim."
DESC_HTM = "The value of the 'htm' claim."
DESC_HTU = "The value of the 'htu' claim."
DESC_KEY = "A file containing a private key in the JWK format."
DESC_NONCE = "The 'nonce' value that has been issued via the 'DPoP-Nonce' HTTP header."
attr_reader :ath, :htm, :htu, :key, :nonce
def initialize
super
@ath = nil
@htm = nil
@htu = nil
@key = nil
@nonce = nil
self.on('-a AT', '--at=AT', DESC_AT) do |at|
digest = Digest::SHA256.digest(at)
@ath = Base64.urlsafe_encode64(digest, padding:false)
end
self.on('-h ATH', '--ath=ATH', DESC_ATH) do |ath|
@ath = ath
end
self.on('-m HTM', '--htm=HTM', DESC_HTM) do |htm|
@htm = htm
end
self.on('-u HTU', '--htu=HTU', DESC_HTU) do |htu|
@htu = htu
end
self.on('-k FILE', '--key=FILE', DESC_KEY) do |file|
@key = read_jwk(file)
end
self.on('-n NONCE', '--nonce=NONCE', DESC_NONCE) do |nonce|
@nonce = nonce
end
end
private
def read_jwk(file)
json = File.read(file)
hash = JSON.parse(json, {symbolize_names: true})
JSON::JWK.new(hash)
end
def error_if_missing(value, option)
if value.nil?
raise OptionParser::ParseError.new "'#{option}' is missing."
end
end
public
def verify
error_if_missing(@htm, '--htm=HTM')
error_if_missing(@htu, '--htu=HTU')
error_if_missing(@key, '--key=FILE')
end
def self.process(args)
options = Options.new
options.parse(args)
options.verify()
return options
end
end
#------------------------------------------------------------
# Extension of the json-jwt library
#------------------------------------------------------------
module JSON
class JWT
# Override the 'sign' method not to include 'kid'.
def sign(private_key_or_secret, algorithm = :autodetect)
jws = JWS.new self
jws.alg = algorithm
jws.sign! private_key_or_secret
end
end
end
#------------------------------------------------------------
# Entry Point
#------------------------------------------------------------
main(ARGV)