From b6fc0005d55c5605515c8ca2a5b92fa90ac11c8d Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Thu, 11 Jan 2024 14:24:34 +0100
Subject: [PATCH] Add verification of maximum expiry time for Wire tokens

---
 acme/challenge.go | 10 +++++-----
 authority/provisioner/wire/wire_options.go | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/acme/challenge.go b/acme/challenge.go
index 9bf30487..0a8c48ba 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -584,6 +584,9 @@ func parseAndVerifyWireAccessToken(v verifyParams) (*wireAccessToken, *wireDpopT
 if accessToken.ClientID != v.wireID.ClientID {
 return nil, nil, fmt.Errorf("invalid Wire client ID %q", accessToken.ClientID)
 }
+ if accessToken.Expiry.Time().After(v.t.Add(time.Hour * 24 * 365)) {
+ return nil, nil, fmt.Errorf("'exp' %s is too far into the future", accessToken.Expiry.Time().String())
+ }

 dpopJWT, err := jose.ParseSigned(accessToken.Proof)
 if err != nil {
@@ -594,6 +597,8 @@ func parseAndVerifyWireAccessToken(v verifyParams) (*wireAccessToken, *wireDpopT
 return nil, nil, fmt.Errorf("failed parsing Wire DPoP token: %w", err)
 }

+ // TODO(hs): DPoP verification
+
 challenge, ok := dpopToken["chal"].(string)
 if !ok {
 return nil, nil, fmt.Errorf("invalid challenge in Wire DPoP token")
@@ -610,11 +615,6 @@ func parseAndVerifyWireAccessToken(v verifyParams) (*wireAccessToken, *wireDpopT
 return nil, nil, fmt.Errorf("invalid Wire client handle %q", handle)
 }

- // TODO(hs): what to do with max expiry?
- // maxExpiry:= strconv.FormatInt(time.Now().Add(time.Hour*24*365).Unix(), 10),
- "--max-expiry",
- expiry,
-
 return &accessToken, &dpopToken, nil
 }

diff --git a/authority/provisioner/wire/wire_options.go b/authority/provisioner/wire/wire_options.go
index e378f692..9ab300fb 100644
--- a/authority/provisioner/wire/wire_options.go
+++ b/authority/provisioner/wire/wire_options.go
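Review bot: The new bound in the first hunk only rejects the far-future side of `exp`: if `accessToken.Expiry` can be nil or absent, `Time()` presumably yields the zero time, which passes `After(...)` untouched, and whether a missing or already-passed `exp` is rejected is not visible in this hunk — worth an explicit check here or a comment naming where it happens. The one-year limit is also a hard-coded magic expression; I would hoist it, `const wireAccessTokenMaxLifetime = 365 * 24 * time.Hour` and `if accessToken.Expiry.Time().After(v.t.Add(wireAccessTokenMaxLifetime)) {`, so the policy is named and easy to find when it becomes a provisioner option. The error can use `%v` with the `time.Time` directly instead of calling `.String()`. parseAndVerifyWireAccessToken begins and ends outside the hunk.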
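Review bot: In the second hunk the added `// TODO(hs): DPoP verification` sits directly above `challenge, ok := dpopToken["chal"].(string)`, so the claims of a DPoP proof that, per the TODO, is not yet verified are already driving the challenge check; how dpopToken is populated from dpopJWT is outside the hunk, so I can only infer that from the comment. A TODO that gates security should say what is and is not covered, e.g. `// TODO(hs): the DPoP proof's signature is not verified here yet; the claims read below are used as-is until that lands`, so a reader does not take the surrounding checks as complete. The body of parseAndVerifyWireAccessToken continues outside the hunk.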
@@ -14,7 +14,7 @@ func (o *Options) GetOIDCOptions() *OIDCOptions {
 return o.OIDC
 }

-// GetDPOPOptions returns the OIDC options.
+// GetDPOPOptions returns the DPoP options.
 func (o *Options) GetDPOPOptions() *DPOPOptions {
 if o == nil {
 return nil