move some hashing to SHA3; use a hash for the mytoken sub

b4350070 · Gabriel Zachmann · 3a4d97ee · b4350070 · b4350070 · b4350070
Commit b4350070 authored 3 years ago by Gabriel Zachmann
--- a/internal/db/dbrepo/authcodeinforepo/state/consentcode.go
+++ b/internal/db/dbrepo/authcodeinforepo/state/consentcode.go
@@ -43,7 +43,7 @@ func (c *ConsentCode) String() string {
 // GetState returns the state linked to a ConsentCode
 func (c *ConsentCode) GetState() string {
 	if c.state == "" {
-		c.state = hashUtils.HMACSHA512Str([]byte("state"), []byte(c.r))[:stateLen] + c.encodedInfo
+		c.state = hashUtils.HMACSHA3Str([]byte("state"), []byte(c.r))[:stateLen] + c.encodedInfo
 	}
 	return c.state
 }
--- a/internal/db/dbrepo/authcodeinforepo/state/state.go
+++ b/internal/db/dbrepo/authcodeinforepo/state/state.go
@@ -28,7 +28,7 @@ func NewState(state string) *State {
 // Hash returns the hash for this State
 func (s *State) Hash() string {
 	if s.hash == "" {
-		s.hash = hashUtils.SHA512Str([]byte(s.state))
+		s.hash = hashUtils.SHA3_512Str([]byte(s.state))
 	}
 	return s.hash
 }
@@ -36,7 +36,7 @@ func (s *State) Hash() string {
 // PollingCode returns the polling code for this State
 func (s *State) PollingCode() string {
 	if s.pollingCode == "" {
-		s.pollingCode = hashUtils.HMACSHA512Str([]byte("polling_code"), []byte(s.state))[:config.Get().Features.Polling.Len]
+		s.pollingCode = hashUtils.HMACSHA3Str([]byte("polling_code"), []byte(s.state))[:config.Get().Features.Polling.Len]
 		log.WithField("state", s.state).WithField("polling_code", s.pollingCode).Debug("Created polling_code for state")
 	}
 	return s.pollingCode

--- a/internal/utils/hashUtils/hashUtils.go
+++ b/internal/utils/hashUtils/hashUtils.go
@@ -4,6 +4,8 @@ import (
 	"crypto/hmac"
 	"crypto/sha512"
 	"encoding/base64"
+
+	"golang.org/x/crypto/sha3"
 )

 // SHA512 hashes the passed data with sha512
@@ -17,9 +19,21 @@ func SHA512Str(data []byte) string {
 	return base64.StdEncoding.EncodeToString(hash[:])
 }

-// HMACSHA512Str creates a hmac using sha512
-func HMACSHA512Str(data, secret []byte) string {
-	h := hmac.New(sha512.New, secret)
+// HMACSHA3Str creates a hmac using sha512
+func HMACSHA3Str(data, secret []byte) string {
+	h := hmac.New(sha3.New512, secret)
 	hmac := h.Sum(data)
 	return base64.StdEncoding.EncodeToString(hmac)
 }
+
+// SHA3_256Str hashes the passed data with SHA3 256
+func SHA3_256Str(data []byte) string {
+	hash := sha3.Sum256(data)
+	return base64.StdEncoding.EncodeToString(hash[:])
+}
+
+// SHA3_512Str hashes the passed data with SHA3 512
+func SHA3_512Str(data []byte) string {
+	hash := sha3.Sum512(data)
+	return base64.StdEncoding.EncodeToString(hash[:])
+}
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
+package utils
+
+import (
+	"github.com/oidc-mytoken/server/internal/utils/hashUtils"
+	"github.com/oidc-mytoken/server/shared/utils/issuerUtils"
+)
+
+// CreateMytokenSubject creates the subject of a Mytoken from the oidc subject and oidc issuer
+func CreateMytokenSubject(oidcSub, oidcIss string) string {
+	comb := issuerUtils.CombineSubIss(oidcSub, oidcIss)
+	return hashUtils.SHA3_256Str([]byte(comb))
+}
--- a/shared/mytoken/pkg/mytoken.go
+++ b/shared/mytoken/pkg/mytoken.go
@@ -5,6 +5,7 @@ import (

 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/jmoiron/sqlx"
+	"github.com/oidc-mytoken/server/internal/utils"

 	"github.com/oidc-mytoken/api/v0"
 	"github.com/oidc-mytoken/server/internal/config"
@@ -17,7 +18,6 @@ import (
 	event "github.com/oidc-mytoken/server/shared/mytoken/event/pkg"
 	"github.com/oidc-mytoken/server/shared/mytoken/pkg/mtid"
 	"github.com/oidc-mytoken/server/shared/mytoken/restrictions"
-	"github.com/oidc-mytoken/server/shared/utils/issuerUtils"
 	"github.com/oidc-mytoken/server/shared/utils/unixtime"
 )

@@ -63,7 +63,7 @@ func (mt *Mytoken) verifySubject() bool {
 	if mt.Subject == "" {
 		return false
 	}
-	if mt.Subject != issuerUtils.CombineSubIss(mt.OIDCSubject, mt.OIDCIssuer) {
+	if mt.Subject != utils.CreateMytokenSubject(mt.OIDCSubject, mt.OIDCIssuer) {
 		return false
 	}
 	return true
@@ -93,7 +93,7 @@ func NewMytoken(oidcSub, oidcIss string, r restrictions.Restrictions, c, sc api.
 		IssuedAt:             now,
 		NotBefore:            now,
 		Issuer:               config.Get().IssuerURL,
-		Subject:              issuerUtils.CombineSubIss(oidcSub, oidcIss),
+		Subject:              utils.CreateMytokenSubject(oidcSub, oidcIss),
 		Audience:             config.Get().IssuerURL,
 		OIDCIssuer:           oidcIss,
 		OIDCSubject:          oidcSub,