[squeak-dev] [ANN] ModifierKeysMorph & WebClientOAuth2 (Zinc-SSO port)
Levente Uzonyi
leves at caesar.elte.hu
Sat Jun 13 21:26:56 UTC 2020
Hi Tim,
On Sat, 13 Jun 2020, Tim Johnson wrote:
>
>
> On Jun 11, 2020, at 6:39 PM, Levente Uzonyi <leves at caesar.elte.hu> wrote:
>
> It is useful for SSO. But for automated workflows, where human intervention is undesired, there is another type of OAuth2 which may be called "server to server" or apparently "two-legged OAuth":
> https://developers.google.com/identity/protocols/oauth2/service-account
> I tried and failed to implement this last year. Where I failed was in computing the JSON Web Signature (JWS). I could generate JWTs successfully*, but JWSs for Google require "SHA256withRSA (also known as
> RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function)" which requires one very specific algorithm missing from SqueakSSL and which I simply could not engineer on my own at the time (or perhaps ever — I
> might just not be
> smart enough ;) ). I was able to get as far as crafting the JSON in Squeak and then signing using Python's implementation of the algorithm and it would work.
> If we could get server-to-server OAuth2 using WebClient, that would also allow us to, say, connect to Google Drive directly from Squeak, or be a client of Google Cloud Platform / Compute Engine, etc. I
> think that would be
> very cool.
> Sadly, I seem to recall this type of OAuth (and thus this algorithm) would also be necessary for GitHub/GitLab.
>
>
> The Cryptography package seems to have this stuff implemented, though I haven't verified the results. Here's how to use it:
> Let's say privateKey is an RSAPrivateKey with your private key (See class side methods and RSAPrivateKeyFileReader how to initialize it) and message is your serialized json to sign. Then
>
> privateKey v15SignMessageHash: (HashFunction newSHA256 digestInfoAsn1DerEncodingFromMessage: message)
>
> should return the signature.
>
>
> Thank you Levente. When I mentioned algorithms I was hoping you might respond. :)
>
> I found my old JWT code from last year on GitHub: https://github.com/tcj/beaufort (Oh no, it contains an old email address of mine in one of its tests...)
>
> I loaded Cryptography into an image so I could run my tests again, and noticed that the Cryptography package has seen a lot of work this year. Thanks for that.
>
> So: the tests I wrote last year (with a small change) pass now. This could be very good news and may be worth further investigation. Thank you again! I will update my tests (& remove my old email address...?) and upload a
> new version of this package.
>
> I am reminded that the issue I'd encountered last year was that HS256 could work, but RS256 could not. Now, unit tests are passing for both. (My BfJWTRFCTest>>#testConversion is not passing so I'll need to look into that.)
It fails because ByteArray >> #base64Encoded adds new line characters to
the resulting string. That should be changed in the Trunk.
>
> Here is the gist of my JWT signing code:
>
> BfJWT>>#signedWith: aKey
> | headerAndClaims |
> self secret: aKey.
> headerAndClaims := self headerAndClaims.
> ^ '{1}.{2}' format: { headerAndClaims . self signatureFrom: headerAndClaims }
>
> ... #signatureFrom: is implemented differently for HS256 versus RS256 subclasses of BfJWT. My RS256 encoding was like this:
>
> BfRS256 signatureFrom: aString
> | signedMessage hashed privateKey |
> privateKey := (Pkcs12PrivateKeyFileReader fromFile: 'timj-project-mar-2019-a94d67a8d0c8.p12') asPrivateKey.
> signedMessage := privateKey signMessage: aString.
> hashed := SHA256 new hashStream: signedMessage readStream.
You're using #signMessage: which does SHA1withRSA, then apply SHA256 on
the result. The change I suggested will do SHA256withRSA.
> ^ hashed base64UrlEncoded
>
> A year ago, I could have described how & why it wasn't working... but that information has left my brain now.
>
> For what it's worth, Norbert Hartl's JSONWebToken also lacks support for this RS256 encoding format.
>
> https://github.com/noha/JSONWebToken/commit/4a4d20eaa6e84e2676a577f74bc6e24c1ead0047
>
> It seems to be a common issue around the internet that people find RS256 very difficult.
It's indeed more complex. RS256 requires RSA while HS256 is simply a HMAC
(AFAIK). But we have RSA implemented in Cryptography, and even though the
API could be more user-friendly and have more documentation, it can still
be done with a single line of code.
Levente
>
> Thanks again,
> Tim
>
>
>
>
>
More information about the Squeak-dev
mailing list
|