Support repository for josesnchz/WAII (a repository that implements authorization, authentication and other security concepts for w3c/automotive-viss2). This repository consists of an HTML web application, written in JavaScript and Go, that can be used to make AGT, AT and data requests. The future configuration API for AGT and AT (still in the implementation phase) will also live here.
Go version 1.17 is required, since some crypto-related modules are written in Go and then compiled to WASM. Because the modules must be compiled, a script that compiles all of them automatically is provided. TLS must be used for communication between the web app and the VISS servers, although it is not yet in use. It will be supported and implemented in future versions.
The VISS server, AGT server and AT server must be launched along with the web client. Their IPs and ports must be set in each HTML file, inside the script containing the URL. These servers must be launched after cloning the repository josesnchz/WAII and following the steps provided in it.
A script is (will be) provided to automatically build the files and run the web server. After running the script, the client can be used by visiting localhost:8080 in any browser that supports localStorage, because generated keys and received tokens are stored in the browser. The script requires screen, which can be downloaded and installed from the official repository.
# get screen
$ sudo apt install screen
# compile files and start the webserver
$ ./viss-manager -run
# stop the webserver
$ ./viss-manager -stop
The client implements dynamic selection for the purpose of the AT request and the path of the VISS data request. Both of them depend on these files:
specs/purposelist.json
specs/vsspathlist.json
Purpose list is generated by the ecosystem manager, and it is used by the AT Server to provide Access Tokens depending on the AGT claims. VSS Path list is generated by the being read by VISSv2 server at startup, and it contains the data tree of the system. Both of them are imported from the w3c/automotive-viss2 repository. New files can be generated following the rules specified in that repository.
Although the system can be started automatically using the script provided, the modules can also be compiled separately and launched manually. The Go module must be compiled with GOARCH="wasm" and GOOS="js". The main Go implementation is in the file "scripts/go/gofuncs.go", which must be compiled to "scripts/go/golib.wasm".
$ GOARCH="wasm" GOOS="js" go build -o scripts/go/golib.wasm scripts/go/gofuncs.go
A very basic file server is required to run the web app. The file server.go is provided for that purpose. It can be run with Go.
$ go run server.go
After that, the web app will be available at http://localhost:8080
This project demonstrates the authentication, authorization and data access flow described in the VISSv2 protocol. AGT, AT and VISSv2 requests are therefore supported.
The client holds a key pair, which is used to sign the Proofs of Possession made to each of the servers. Two types of keys are supported: RSA 2048 bits and Elliptic Curve P-256. These can be generated by the system or imported from a file. Since this client is for demonstration purposes, keys are saved in plain text inside localStorage, although shortly they will be generated using the Web Cryptography API and stored using IndexedDB with the extractable property disabled for security purposes.
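The Proof of Possession signing step described above, sketched for the Elliptic Curve P-256 key type only, as an added example that is not code from this repository. The function names, the header reduced to `{"alg":"ES256"}` and the sample claim are assumptions; a real POP carries the header fields and claims the VISSv2 specification requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

func NewP256Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignPoP returns a compact ES256 JWS over payload (header reduced to alg, an assumption).
func SignPoP(key *ecdsa.PrivateKey, payload []byte) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // fixed-width r||s, not DER
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPoP checks the signature with a key the caller already trusts; the header's alg is ignored.
func VerifyPoP(token string, pub *ecdsa.PublicKey) ([]byte, error) {
	p := strings.Split(token, ".")
	sig, err := b64.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed token or signature")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not match key")
	}
	return b64.DecodeString(p[1])
}

func main() {
	key, _ := NewP256Key()
	tok, _ := SignPoP(key, []byte(`{"jti":"constructed-id"}`)) // constructed claim
	payload, err := VerifyPoP(tok, &key.PublicKey)
	fmt.Println(string(payload), err)
}
```

Because the verifier takes the algorithm from the key it was given rather than from the token header, a token cannot select a weaker algorithm for itself.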
The client can make an AGT request and modify any of its claims at will. Requests that do not follow the specification will be refused. When a private key is used to sign a POP, the generated POP is shown along with the received token and the request body. These can be pretty-printed or shown as raw data. Received tokens can be saved, associated with the ID provided.
The client uses one of the tokens obtained from the AGT server to attest its authorization to access the data. The purposes supported are defined in the purposelist.json file, as described above. The signature used to generate the POP (if any) can optionally be overridden, along with its claims. Received tokens can be saved.
The client uses one of the tokens provided by the AT server to access data. Multiple protocols and methods will be supported. The data requested is selected after parsing the vsspathlist.json file, as described above.