msidp-endpoint 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c3063389a5690ccaabdb90a88d5b829e4d679c75535e557abcd2894b5b7423e
-  data.tar.gz: 496d1e0b37bd567c2c955f716360e451b8ce768454095a3746364a423c1ee2ec
+  metadata.gz: 37385ee2c6bd0f32d4cc2a176e7140ba05a1f756a97e5539c963dcb1b4a9c075
+  data.tar.gz: d586b59889dbe8b58f4aaeba41abc5dc52fbbd07ed06367607c0b2bd703b603a
 SHA512:
-  metadata.gz: 7f70b2959ca814ec3d3c967b46183b5f79d3c9ccf642a30929b741d6321f22da91b918b5937ec943086c94cf8647108916b515674c44e27213d35d6cf3f9d93b
-  data.tar.gz: c6f5d2f9e19039707aad84c62f7b863d4b93b2c03ea21a4a4208ec6571ecddd825b8659eccec51aff3b7ad137b3357b9e2f49dd641781bf96318679175737897
+  metadata.gz: 7c7cdd5a0bad6a7da2ce4f43c63683c8b9d81308053490bdd1cc842195f6f1d7bc2dc02b1d65c6bb1009fc2ed734444c8e3007dcb9b6793edc6a51c5796b80f3
+  data.tar.gz: 7efc055c1962d6a7eeda5742cb8845303f4ea728ec30fd103d291748a603c99d7412843d7eb832527c564631a3e585cee18fb8fbe98105c94de8f899f1351309

data/exe/msidp-cert2assertion

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'msidp/certificate_credential'
+
+if ARGV.length < 4
+  progname = File.basename($PROGRAM_NAME)
+  warn <<~USAGE
+    Compute a client assetion for a certificate pair.
+    Usage:
+      #{progname} certificate_file private_key_file tenant_id client_id
+        certificate_file: public certificate file
+        private_key_file: private key file
+        tenant_id: tenant ID in GUID or domain-name format
+        client_id: applicaiton (client) ID
+  USAGE
+  exit 64
+end
+
+certificate, private_key, tenant_id, client_id = ARGV
+
+cert = OpenSSL::X509::Certificate.new(File.binread(certificate))
+key = OpenSSL::PKey::RSA.new(File.binread(private_key))
+
+cred = MSIDP::CertificateCredential.new(
+  cert, key, tenant_id: tenant_id, client_id: client_id
+)
+
+puts cred.assertion

data/lib/msidp/certificate_credential.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+require 'json'
+
+module MSIDP
+  # Certificate credential for application authentication
+  class CertificateCredential
+    # @return [String] tenant a directory tenant in GUID or domain-name format.
+    attr_accessor :tenant
+    # @return [String] client_id the assigned applicaiton (client) ID.
+    attr_accessor :client_id
+
+    # Initialize an instance
+    #
+    # @param [OpenSSL::X509::Certificate] cert a certificate.
+    # @param [OpenSSL::PKey] cert the private key paired with the certificate.
+    # @param [String] tenant a directory tenant in GUID or domain-name format.
+    # @param [String] client_id the assigned applicaiton (client) ID.
+    def initialize(cert, key, tenant:, client_id:)
+      @cert = cert
+      @key = key
+      @tenant = tenant
+      @client_id = client_id
+    end
+
+    # Computes the JWT assertion.
+    #
+    # @return [String] JWT assertion string.
+    def assertion
+      header_base64 = base64url_encode(header)
+      payload_base64 = base64url_encode(payload)
+      signature = @key.sign('sha256', "#{header_base64}.#{payload_base64}")
+      sign_base64 = base64url_encode(signature)
+      "#{header_base64}.#{payload_base64}.#{sign_base64}"
+    end
+
+    # JOSE header of the JWT.
+    #
+    # @return [String] JSON string of the JOSE header.
+    def header
+      digest = OpenSSL::Digest::SHA1.digest(@cert.to_der)
+      x5t = Base64.urlsafe_encode64(digest)
+      header = { alg: 'RS256', typ: 'JWT', x5t: x5t.to_s }
+      JSON.dump(header)
+    end
+
+    # JWS payload of the JWT claim.
+    #
+    # @return [String] JSON string of the JWS payload.
+    def payload
+      not_after = @cert.not_after.to_i
+      not_before = @cert.not_before.to_i
+      jti = make_jwt_id
+      payload = {
+        aud: "https://login.microsoftonline.com/#{tenant}/v2.0",
+        exp: not_after, iss: client_id, jti: jti,
+        nbf: not_after, sub: client_id, iat: not_before
+      }
+      JSON.dump(payload)
+    end
+
+    private
+
+    def base64url_encode(data)
+      Base64.urlsafe_encode64(data, padding: false)
+    end
+
+    def make_jwt_id
+      data = @cert.to_der
+      data << tenant
+      data << client_id
+      sha1hash_uuid(OpenSSL::Digest::SHA1.digest(data))
+    end
+
+    # rubocop:disable Style/FormatStringToken
+    def sha1hash_uuid(hash)
+      bytes = hash.bytes[0..15]
+      bytes[6] = bytes[6] & 0x0F | 0x50
+      bytes[8] = bytes[6] & 0x3F | 0x80
+      format(
+        '%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x',
+        *bytes
+      )
+    end
+    # rubocop:enable Style/FormatStringToken
+  end
+end

data/lib/msidp/endpoint/version.rb

@@ -2,6 +2,6 @@
 
 module MSIDP
   module Endpoint
-    VERSION = '0.1.1'
+    VERSION = '0.2.0'
   end
 end

metadata

@@ -1,25 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: msidp-endpoint
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - SHIMAYOSHI, Takao
 autorequire: 
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2022-01-18 00:00:00.000000000 Z
+date: 2022-03-07 00:00:00.000000000 Z
 dependencies: []
 description: Simple class library for Microsoft Identity Platform endpoints.
 email:
 - simayosi@cc.kyushu-u.ac.jp
-executables: []
+executables:
+- msidp-cert2assertion
 extensions: []
 extra_rdoc_files: []
 files:
 - LICENSE.txt
 - README.md
+- exe/msidp-cert2assertion
 - lib/msidp/access_token.rb
+- lib/msidp/certificate_credential.rb
 - lib/msidp/endpoint.rb
 - lib/msidp/endpoint/version.rb
 - lib/msidp/error.rb