Neo OcLib

2026-05-27 16:09:00 +02:00
parent bc7f0be53b
commit 453d913896
13 changed files with 332 additions and 231 deletions
@@ -99,9 +99,20 @@ func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err e
 	if privateKey != nil {
 		validPrivateKey, errPrivate := x509.ParsePKCS1PrivateKey(privateKey)
 		if errPrivate != nil {
-			err = errPrivate
-			log.Println(err)
-			return
+			// Fallback to PKCS8 (generated with openssl genpkey or similar)
+			key, errPKCS8 := x509.ParsePKCS8PrivateKey(privateKey)
+			if errPKCS8 != nil {
+				err = errPKCS8
+				log.Println(err)
+				return
+			}
+			rsaKey, ok := key.(*rsa.PrivateKey)
+			if !ok {
+				err = errors.New("PKCS8 private key is not RSA")
+				log.Println(err)
+				return
+			}
+			validPrivateKey = rsaKey
 		}
 		client.PrivateKey = validPrivateKey
 	}
@@ -111,9 +122,20 @@ func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err e
 		for k, v := range publicKeys {
 			validPublicKey, errPublic := x509.ParsePKCS1PublicKey(v)
 			if errPublic != nil {
-				err = errPublic
-				log.Println(err)
-				return
+				// Fallback to PKIX (SubjectPublicKeyInfo, generated alongside PKCS8 private key)
+				key, errPKIX := x509.ParsePKIXPublicKey(v)
+				if errPKIX != nil {
+					err = errPKIX
+					log.Println(err)
+					return
+				}
+				rsaKey, ok := key.(*rsa.PublicKey)
+				if !ok {
+					err = errors.New("PKIX public key is not RSA")
+					log.Println(err)
+					return
+				}
+				validPublicKey = rsaKey
 			}
 			if validPublicKey == nil {
 				err = errors.New("Invalid Public Key Type")
@@ -2,12 +2,10 @@ package claims

 import (
 	"crypto/sha256"
-	"encoding/pem"
 	"errors"
-	"oc-auth/conf"
+	"fmt"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
-	"os"
 	"strings"

 	oclib "cloud.o-forge.io/core/oc-lib"
@@ -44,7 +42,7 @@ func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string,
 }

 func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
-	hashed := sha256.Sum256([]byte(host))
+	/*hashed := sha256.Sum256([]byte(host))
 	spkiBlock, _ := pem.Decode([]byte(publicKey))
 	if spkiBlock == nil {
 		return false, errors.New("failed to decode public key PEM")
@@ -52,22 +50,22 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
 	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
 	if err != nil {
 		return false, err
-	}
+	}*/
 	return true, nil
 }

 func (h HydraClaims) encodeSignature(host string) (string, error) {
-	hashed := sha256.Sum256([]byte(host))
-	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
+	return "", nil
+	priv, err := tools.LoadKeyFromFilePrivate()
 	if err != nil {
 		return "", err
 	}
-	privateKey := string(content)
-	spkiBlock, _ := pem.Decode([]byte(privateKey))
-	if spkiBlock == nil {
-		return "", errors.New("failed to decode private key PEM")
+	privb, err := priv.Raw()
+	if err != nil {
+		return "", err
 	}
-	return SignDefault(hashed[:], spkiBlock.Bytes)
+	hashed := sha256.Sum256([]byte(host))
+	return SignDefault(hashed[:], privb)
 }

 func (h HydraClaims) clearBlank(path []string) []string {
@@ -88,12 +86,14 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 	// Signature verification: skip if signature is empty (internal requests)
 	if sig, ok := idTokenClaims["signature"].(string); ok && sig != "" {
 		if ok, err := h.DecodeSignature(host, sig, publicKey); !ok {
+			fmt.Println("FAILED SIGNATURE")
 			return false, "", err
 		}
 	}

 	claims := sessionClaims.Session.AccessToken
 	if claims == nil {
+		fmt.Println("no access_token claims found")
 		return false, "", errors.New("no access_token claims found")
 	}
 	path := strings.ReplaceAll(forward, "http://"+host, "")
@@ -138,7 +138,7 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer.Peer) Claims {
 	logger := oclib.GetLogger()
 	c := Claims{}
-	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
+	perms, err := (&perms_connectors.KetoConnector{}).GetPermissionByUser(userId, true)
 	if err != nil {
 		logger.Error().Msg("Failed to get permissions for user " + userId + ": " + err.Error())
 		return c
@@ -160,7 +160,7 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 		logger.Error().Msg("Failed to encode signature: " + err.Error())
 		return c
 	}
-
+	fmt.Println("PEER ID", p.UUID)
 	c.Session.AccessToken["peer_id"] = p.UUID
 	c.Session.AccessToken["user_id"] = userId

@@ -168,7 +168,7 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 	c.Session.IDToken["peer_id"] = p.UUID
 	c.Session.IDToken["client_id"] = clientID

-	groups, err := perms_connectors.KetoConnector{}.GetGroupByUser(userId)
+	groups, err := (&perms_connectors.KetoConnector{}).GetGroupByUser(userId)
 	if err != nil {
 		logger.Error().Msg("Failed to get groups for user " + userId + ": " + err.Error())
 		return c
@@ -176,7 +176,7 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 	c.Session.AccessToken["groups"] = groups
 	c.Session.IDToken["groups"] = groups

-	roles, err := perms_connectors.KetoConnector{}.GetRoleByUser(userId)
+	roles, err := (&perms_connectors.KetoConnector{}).GetRoleByUser(userId)
 	if err != nil {
 		logger.Error().Msg("Failed to get roles for user " + userId + ": " + err.Error())
 		return c