Merge pull request #85 from w3c/rl-integration

Rl integration

Author: UlfBj

.gitignore

@@ -22,11 +22,14 @@ http-mgr-log.txt
 servercore-log.txt
 
 #helper files
+viss
 vsspathlist.json
 vss_vissv2.binary
 certificate.pem
 config.json
 feeder
+feeder/feeder-rl/config.json
+
 
 # Test binary, built with `go test -c`
 *.test
@@ -50,6 +53,7 @@ http_mgr
 agt_server
 at_server
 mqtt_mgr
+vissv2server
 
 # Folders
 !server/service_mgr/
@@ -67,3 +71,4 @@ logs/
 ***workspace.code-workspace
 ***.vscode
 /client/client-1.0/grpc_client/grpc_map_client/static/node_modules/
+/client/client-1.0/grpc_client/grpc_client

Dockerfile

@@ -5,7 +5,7 @@
 # To run with redis as state storage use docker compose. This can be used to build individual images but will not
 # run.
 
-ARG GO_VERSION=1.18
+ARG GO_VERSION=1.18.3
 ARG VSSTREE_NAME="vss_vissv2.binary"
 ARG BUILD_IMAGE="golang:latest"
 ARG RUNTIME_IMAGE="debian:bullseye-slim"
@@ -17,6 +17,9 @@ WORKDIR /build
 
 #add bin folder to store the compiled files
 RUN mkdir bin
+#corporate proxy settings can sometimes cause tls verification error. Add root crt to docker container.
+COPY testCredGen/cicso-umbrella/cisco.crt /usr/local/share/ca-certificates/cisco.crt
+RUN update-ca-certificates
 
 #copy the content of the server and utils dir and .mod/.sum files to builder
 COPY redis/redis.conf ./etc/
@@ -74,9 +77,9 @@ COPY --from=builder /build/bin/vissv2server .
 COPY --from=builder /build/server/transport_sec/transportSec.json ../transport_sec/transportSec.json
 COPY --from=builder /build/server/vissv2server/atServer/purposelist.json atServer/purposelist.json
 COPY --from=builder /build/server/vissv2server/atServer/scopelist.json atServer/scopelist.json
-COPY --from=builder /build/server/vissv2server/feeder-registration.json .
+COPY --from=builder /build/server/vissv2server/feeder-registration.docker.json feeder-registration.json
 COPY --from=builder /build/server/vissv2server/vss_vissv2.binary .
-
+COPY --from=builder /build/server/agt_server/agt_public_key.rsa .
 
 ENTRYPOINT ["/app/vissv2server","-s","redis"]
 

client/client-1.0/Javascript/agtclient.html

@@ -37,11 +37,14 @@ <h2>AGT client example</h2>
         function sendPost() {
           var xhttp = new XMLHttpRequest();
           xhttp.onreadystatechange = function() {
-              if (this.readyState == 4 && this.status == 200) {
+              if (this.readyState == 4 && this.status == 201) {
                   postOutput.innerHTML += "Server: " + this.responseText + "\n";
               }
           };
           var params = postValue.value;
+          console.log("params: " + params);
+          console.log("postpath: " + postPath.value);
+
           xhttp.open("POST", "http://" + hostIP + ":7500/" + postPath.value, true);
           xhttp.send(params);
           postPath.value = "";

client/client-1.0/grpc_client/grpc_client.go

@@ -48,7 +48,8 @@ func initCommandList() {
 	//commandList[1] = `{"action":"subscribe","path":"Vehicle","filter":{"type":"paths","parameter":["Speed", "Chassis/Accelerator/PedalPosition"]},"requestId":"246"}`
 	//commandList[1] = `{"action":"subscribe","path":"Vehicle/Speed","requestId":"258"}`
 	commandList[2] = `{"action":"unsubscribe","subscriptionId":"1","requestId":"240"}`
-	commandList[3] = `{"action":"set", "path":"Vehicle/Body/Lights/IsLeftIndicatorOn", "value":"999", "requestId":"245"}`
+	commandList[3] = `{"action":"set", "path":"Vehicle/Body/Lights/IsLeftIndicatorOn", "value":"true", "requestId":"245"}`
+	commandList[1] = `{"action":"subscribe","path":"Vehicle","filter":[{"type":"paths","parameter":["Body.Lights.IsLeftIndicatorOn", "Chassis.Accelerator.PedalPosition"]}, {"type":"change","parameter":{"logic-op":"ne", "diff": "0"}}],"requestId":"285"}`
 }
 
 // {"action":"subscribe","path":"Vehicle","filter":{"type":"paths","parameter":["Speed", "Chassis.Accelerator.PedalPosition"]},"requestId":"246"}`

docker-compose-rl.yml

@@ -43,9 +43,10 @@ services:
       target: vissv2server
     entrypoint: [ /app/vissv2server,-s,redis]
     ports:
-      - "127.0.0.1:8081:8081"
+      - "0.0.0.0:8081:8081"
       - "127.0.0.1:8888:8888"
-      - "127.0.0.1:8887:8887"
+      - "0.0.0.0:8887:8887"
+      - "0.0.0.0:8600:8600"
     volumes:
       - ./logs:/app/logs
     volumes_from:

feeder/feeder-rl/config.json feeder/feeder-rl/config-template.json

@@ -1,12 +1,14 @@
 {
   "tls": "yes",
-  "cert_path_name": "certificate.pem",
+  "cert_path_name": "<path-and-name-goes-here>",
   "name_spaces": ["vss"],
-  "broker_url": "personal-l41hw7zrf4-demo-uo7acw3qiq-ez.a.run.app",
+  "broker_url": "<broker-url-goes-here>",
   "port":"443",
   "client_id" : "w3c-vissv2-server",
-  "api_key": "4CA32399-88237AAA-64EB4EE4-541E1D8F",
+  "api_key": "<api-key-goes-here>",
   "vss_tree_path": "../vss/vss-flat-json/normalized-json/vss_n.json",
-  "signalfilter": ["Vehicle.Speed","Vehicle.Body.Lights.IsLeftIndicatorOn","Vehicle.VehicleIdentification.VIN","Vehicle.CurrentLocation.Latitude","Vehicle.CurrentLocation.Longitude","Vehicle.Chassis.Accelerator.PedalPosition"]
-}
-
+  "signalfilter": ["Vehicle.Speed","Vehicle.Body.Lights.IsLeftIndicatorOn","Vehicle.VehicleIdentification.VIN","Vehicle.CurrentLocation.Latitude","Vehicle.CurrentLocation.Longitude","Vehicle.Chassis.Accelerator.PedalPosition"],
+  "publish-separate-connection": "false",
+  "publish_url": "<where-to-publish-url-goes-here>",
+  "publish_api-key": "<publish-api-key-goes-here>"
+}

go.mod

@@ -32,7 +32,7 @@ require (
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.4.2
 	github.com/mattn/go-sqlite3 v1.14.14
-	github.com/petervolvowinz/viss-rl-interfaces v0.0.6
+	github.com/petervolvowinz/viss-rl-interfaces v0.0.8
 	github.com/sirupsen/logrus v1.9.3
 	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0

go.sum

@@ -34,8 +34,8 @@ github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
-github.com/petervolvowinz/viss-rl-interfaces v0.0.6 h1:2nAyhfTuTIxPqKTVolAiuHLLvJNeM0uBoInqtlzJp10=
-github.com/petervolvowinz/viss-rl-interfaces v0.0.6/go.mod h1:7jOb8sy+8GhzonzaTzgcVV9XCKXMWkRDWqFHY6RnXH4=
+github.com/petervolvowinz/viss-rl-interfaces v0.0.8 h1:fTcAQVfRCt3jPA9IcqDRgnavPq1REAYfYL7YSj8MrhA=
+github.com/petervolvowinz/viss-rl-interfaces v0.0.8/go.mod h1:7jOb8sy+8GhzonzaTzgcVV9XCKXMWkRDWqFHY6RnXH4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=

server/agt_server/agt_server.go

@@ -84,6 +84,7 @@ func makeAgtServerHandler(serverChannel chan string) func(http.ResponseWriter, *
 				} else {
 					w.Header().Set("Access-Control-Allow-Origin", "*")
 					w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(201) // USE 201 when responding to succesful POST requests
 					w.Write([]byte(response))
 				}
 			}

server/server

@@ -120,3 +120,14 @@ In case it is not valid, a set of error codes has been defined:
 #### 60-69 Permission Errors
 	- 60: Permission error: no access allowed with that purpose
 	- 61: Permission error: read-only access trying to write
+
+
+**Unit tests**
+
+Testing the Access Grant Token server and the Access Token server can be done running access_control_test.go
+The default feeder can be used but also a rl-feeder with recorded data playback. The AGT server must currently
+be started manually. Test cases can also be built and run,debugged individually. Recommend to use an IDE with debugger
+for this. 
+
+
+

server/vissv2server/atServer/README.md

@@ -0,0 +1,257 @@
+/******** Peter Winzell (c), 11/27/23 *********************************************/
+
+package atServer
+
+import (
+	"bytes"
+	"crypto/rsa"
+	"encoding/json"
+	"github.com/w3c/automotive-viss2/utils"
+	"log"
+	_ "log"
+	"net/http"
+	"strconv"
+	"testing"
+)
+
+//Prequisites: AGT Server and Vissv2 Server should be up and running (0.0.0.0 in docker)
+type TResponse struct {
+	Token string `json:"token"`
+}
+
+const agt_posttesturl = "http://0.0.0.0:7500/agts"
+const at_url = "http://0.0.0.0:8600/ats"
+const SHORT_TERM_TOKEN_LENGTH = 14400
+const LONG_TERM_TOKEN_LENGTH = 345600
+
+func getShortTermAGTResponse() (*http.Response, error) {
+	body := []byte(`{"vin":"GEO001","context":"Independent+OEM+Cloud","proof":"ABC","key":"DEF"}`)
+
+	r, err := http.NewRequest("POST", agt_posttesturl, bytes.NewBuffer(body))
+	if err != nil {
+		panic(err)
+	}
+	r.Header.Add("Content-Type", "application/json")
+	client := &http.Client{}
+	res, err := client.Do(r)
+	if err != nil {
+		panic(err)
+	}
+	return res, err
+}
+
+func getLongTermAGTResponse() (*http.Response, error) {
+	var privKey *rsa.PrivateKey
+	err := utils.ImportRsaKey(PRIV_KEY_DIRECTORY, &privKey)
+	if err != nil {
+		return nil, err
+	}
+
+	popToken := utils.PopToken{}
+	token, err := popToken.GenerateToken(privKey) // generate a proof-of-possession-token to get a LT token.
+
+	agtP := agtPayload{
+		Vin:     "GEO001",
+		Context: "Independent+OEM+Cloud",
+		Proof:   "ABC",
+		Key:     popToken.Jwk.Thumb, // Thumb print need to match.
+	}
+
+	body, err := json.Marshal(agtP) // POST a acces grant token request
+
+	r, err := http.NewRequest("POST", agt_posttesturl, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, err
+	}
+	r.Header.Add("Content-Type", "application/json")
+	r.Header.Add("PoP", token) // add the Pop as a proof of possesion.
+
+	client := &http.Client{}
+
+	return client.Do(r)
+}
+
+func TestShortTermTokenAccess(t *testing.T) {
+
+	res, err := getShortTermAGTResponse()
+	if err != nil {
+		t.Error(err)
+	}
+
+	defer res.Body.Close()
+
+	post := &TResponse{}
+	derr := json.NewDecoder(res.Body).Decode(post)
+	if derr != nil {
+		panic(derr)
+	}
+
+	if res.StatusCode != http.StatusCreated {
+		t.Error("status code expected to be 201 , got: ", res.StatusCode)
+	}
+
+	log.Printf("got token = %s", post.Token)
+	var Agt utils.ExtendedJwt
+	err = Agt.DecodeFromFull(post.Token) // parsing the JWT token
+	vin := Agt.PayloadClaims["vin"]
+	ctx := Agt.PayloadClaims["clx"]
+	iat, err := strconv.Atoi(Agt.PayloadClaims["iat"])
+	exp, err := strconv.Atoi(Agt.PayloadClaims["exp"])
+
+	//test that it is correct length
+	if (exp - iat) != SHORT_TERM_TOKEN_LENGTH {
+		t.Error("short term token error: ", exp-iat)
+	}
+	//test vin and context
+	if vin != "GEO001" {
+		t.Error("Vin does not match => ", vin)
+	}
+	if ctx != "Independent+OEM+Cloud" {
+		t.Error("roles fails to match => ", ctx)
+	}
+
+}
+
+const PRIV_KEY_DIRECTORY = "../../agt_server/agt_private_key.rsa"
+
+//TODO this should reside in utils somwhere , duplicate code.
+type agtPayload struct {
+	Vin     string `json:"vin"`
+	Context string `json:"context"`
+	Proof   string `json:"proof"`
+	//Key     utils.JsonWebKey `json:"key"`
+	Key string `json:"key"`
+}
+
+func TestLongTermTokenAccess(t *testing.T) {
+
+	res, err := getLongTermAGTResponse()
+	if err != nil {
+		panic(err)
+	}
+
+	defer res.Body.Close()
+
+	post := &TResponse{}
+	derr := json.NewDecoder(res.Body).Decode(post)
+	if derr != nil {
+		panic(derr)
+	}
+
+	if res.StatusCode != http.StatusCreated {
+		t.Error("status code expected to be 201 , got: ", res.StatusCode)
+	}
+
+	log.Printf("got token = %s", post.Token)
+	var Agt utils.ExtendedJwt
+	err = Agt.DecodeFromFull(post.Token) // parsing the JWT token
+	vin := Agt.PayloadClaims["vin"]
+	ctx := Agt.PayloadClaims["clx"]
+	iat, err := strconv.Atoi(Agt.PayloadClaims["iat"])
+	exp, err := strconv.Atoi(Agt.PayloadClaims["exp"])
+
+	//test that it is correct length
+	if (exp - iat) != LONG_TERM_TOKEN_LENGTH {
+		t.Error("short term token error: ", exp-iat)
+	}
+	//test vin and context
+	if vin != "GEO001" {
+		t.Error("Vin does not match => ", vin)
+	}
+	if ctx != "Independent+OEM+Cloud" {
+		t.Error("roles fails to match => ", ctx)
+	}
+
+}
+
+type atRequest struct {
+	Token   string `json:string "token"`
+	Purpose string `json:string "purpose"`
+	Pop     string `json:string "pop"`
+}
+
+func getAtToken(agttoken string) (*http.Response, error) {
+
+	atReq := &atRequest{
+		Token:   agttoken,
+		Purpose: "fuel-status",
+		Pop:     "GHI",
+	}
+	body, err := json.Marshal(atReq)
+	if err != nil {
+		return nil, err
+	}
+
+	r, err := http.NewRequest("POST", at_url, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, err
+	}
+
+	r.Header.Add("Content-Type", "application/json")
+	client := &http.Client{}
+	res, err := client.Do(r)
+	if err != nil {
+		return nil, err
+	}
+	return res, err
+}
+
+func parseATToken(res http.Response, t *testing.T) *TResponse {
+
+	defer res.Body.Close()
+
+	post := &TResponse{}
+	derr := json.NewDecoder(res.Body).Decode(post)
+	if derr != nil {
+		t.Error("could not parse http response")
+		return nil
+	}
+
+	if res.StatusCode != http.StatusCreated {
+		t.Error("status code expected to be 201 , got: ", res.StatusCode)
+
+	}
+
+	return post
+}
+
+// Viss server must be up and running
+func TestAtTokenAccess_ST(t *testing.T) {
+	res_ag, err := getShortTermAGTResponse() // Get Access Grant Token
+	if err != nil {
+		t.Error(err)
+	}
+
+	res, err := getAtToken(parseATToken(*res_ag, t).Token) // Get Access token
+
+	if err != nil {
+		t.Error(err)
+	}
+	if res.StatusCode != http.StatusCreated {
+		t.Error("status code expected to be 201 , got: ", res.StatusCode)
+	} else {
+		attokenpost := &TResponse{}
+		derr := json.NewDecoder(res.Body).Decode(attokenpost)
+
+		if derr != nil {
+			t.Error(derr)
+		}
+		log.Println(attokenpost.Token)
+	}
+
+}
+
+func TestAtTokenAccess_LT(t *testing.T) {
+	t.Error("not implemented yet")
+
+}
+
+// Test actual requests against server, server and a feeder for south-bound must be running.
+
+func TestGetAccessControlST(t *testing.T) {
+	t.Error("not implemented yet")
+}
+
+func TestGetAccessControlLT(t *testing.T) {
+	t.Error("not implemented yet")
+}

server/vissv2server/atServer/access_control_test.go

@@ -35,7 +35,7 @@ const GAP = 3      // Used for PoP check
 const LIFETIME = 5 // Used for PoP check
 
 const theAtSecret = "averysecretkeyvalue2" //not shared
-const AGT_PUB_KEY_DIRECTORY = "atServer/agt_public_key.rsa"
+const AGT_PUB_KEY_DIRECTORY = "agt_public_key.rsa"
 const PORT = 8600
 const AT_DURATION = 1 * 60 * 60 // 1 hour
 
@@ -164,6 +164,7 @@ func makeAtServerHandler(serverChannel chan string) func(http.ResponseWriter, *h
 				} else {
 					w.Header().Set("Access-Control-Allow-Origin", "*")
 					//				    w.Header().Set("Content-Type", "application/json")
+					w.WriteHeader(201) // USE 201 when responding to succesful POST requests
 					w.Write([]byte(response))
 				}
 			}
@@ -190,7 +191,7 @@ func initAtServer(serverChannel chan string, muxServer *http.ServeMux) {
 		utils.Error.Fatal(server.ListenAndServeTLS("../transport_sec/"+utils.SecureConfiguration.ServerSecPath+"server.crt",
 			"../transport_sec/"+utils.SecureConfiguration.ServerSecPath+"server.key"))
 	} else { // No TLSmtvacuc14uma
-		utils.Info.Printf("initAtServer():Starting AT Server without TLS on %s/ats", PORT)
+		//utils.Info.Printf("initAtServer():Starting AT Server without TLS on %s/ats", PORT)
 		utils.Error.Fatal(http.ListenAndServe(":"+strconv.Itoa(PORT), muxServer))
 	}
 }
@@ -315,6 +316,9 @@ func noScopeResponse(input string) string {
 	return `{"no_access":` + res + `}`
 }
 
+// Validates an access token, returns validation message.
+// The only validation done is the one regarding the Access Token List
+
 func tokenValidationResponse(input string) string {
 	var inputMap map[string]interface{}
 	err := json.Unmarshal([]byte(input), &inputMap)
@@ -356,7 +360,7 @@ func searchCache(token string) (string, bool) {
 			return tokenCache[i].Token, true
 		}
 	}
-	return token, false	
+	return token, false
 }
 
 func cacheToken(token string, isCached bool) string {
@@ -381,7 +385,7 @@ func extractSignature(token string) string {
 	if lastDotIndex != -1 {
 		return token[lastDotIndex+1:]
 	}
-	utils.Error.Printf("extractSignature:Signature not found in token=%s")
+	utils.Error.Printf("extractSignature:Signature not found in token=%s", token)
 	return ""
 }
 
@@ -627,7 +631,7 @@ func validateRequest(payload AtGenPayload) (bool, string) {
 		return false, `{"error": "AG token exp timestamp malformed"}`
 	}
 	if !validateTokenTimestamps(iat, exp) {
-		utils.Info.Printf("validateRequest:invalid token timestamps, iat=%d, exp=%d", payload.Agt.PayloadClaims["iat"], payload.Agt.PayloadClaims["exp"])
+		//utils.Info.Printf("validateRequest:invalid token timestamps, iat=%d, exp=%d", payload.Agt.PayloadClaims["iat"], payload.Agt.PayloadClaims["exp"])
 		return false, `{"error": "AG token timestamp validation failed"}`
 	}
 	// POP Checking

server/vissv2server/atServer/atServer.go

@@ -1,3 +1,5 @@
+**TLS** 
+
 The testCredGen script can be used to generate credentials for server and client(s) communication over HTTPS and WSS. 
 
 It uses openSSL for the generation, so this package must be installed on the computer if not there already.
@@ -66,4 +68,13 @@ to the corresponding ca and client directories in that repo,
 and change the "transportSec" parameter in the corresponding transportSec.json file to "yes".
 
 
+**Docker and TLS build verification**
+
+In the directory cisco-umbrella we have downloaded a cisco - https://docs.umbrella.com/deployment-umbrella/docs/install-cisco-umbrella-root-certificate -  root certificate and included that in the docker file. Sometimes
+corporate proxy settings are updated so that the build machines certificates does not recognize external repos. Including
+a root certificate in the docker file allows the build to use tls verification on these repos.
+
+
+
+
 

testCredGen/README.md

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIIUW6l3kYeVMEwDQYJKoZIhvcNAQELBQAwMTEOMAwGA1UE
+ChMFQ2lzY28xHzAdBgNVBAMTFkNpc2NvIFVtYnJlbGxhIFJvb3QgQ0EwHhcNMTYw
+NjI4MTUzNzUzWhcNMzYwNjI4MTUzNzUzWjAxMQ4wDAYDVQQKEwVDaXNjbzEfMB0G
+A1UEAxMWQ2lzY28gVW1icmVsbGEgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAO7ZjfBSCaz5EMYSiWYoXjHPP/w7xFT4bXa82lOZ9CJJXDQw
+bZpBdmuqX9UWo769LIAaSUvkYEeZqcTsjrx/7juPKoOErhJY0cPK12LU9PbHXqEd
+XESIqBjdOC5oiIFHhTAKuuKRlL7rhPYkYhZtgdll4h0FLIG+xNsMVfzJb7z69X8Y
+vF9r1drLkd7oR2xHuRkXgzeblFVpF+DRF7WXNhLy0By38ZxtClxYUSitdz53W0ic
+maelG7EyCVNVxARxn5waaphRvki1hkuqqrm3JdlV165zAOdSz3JKzRISQinCTQuT
++RK/w0qLsDTyOVO/mEIVWLXu/Z1NtuXgj/jhegcCAwEAAaNCMEAwDgYDVR0PAQH/
+BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFENzAN4kukAaQFQsfXzV
+AEiJDHCkMA0GCSqGSIb3DQEBCwUAA4IBAQBIEoceSPZLmo5sLmgDfQA+Fq5BKztL
+qg8aAvZdrbdMEKEBr1RDB0OAhuPcaaVxZi6Hjyql1N999Zmp8qIw/lLTt3VSTmEa
+29uPgjdMGLl9KyfZjARiA/PPvPdHTwg7TMJOet+w7P5nWabLNW55+Wc/JzCSFE30
++0Kdz/jojxlA/8t0xYLCdS2UK7zC4kuAbojHLJDbIQO3HeEWwVmg4FO89AHVvC4R
+Y+V0t7SaEradv6tPG9DHX7PLwjQ/Xs95NGDIJTeFwCRqYUlBu9iZjIvKba0e0tST
+Vuyw2+P2HuWazjBPawGrbfyw+uO3KO4WnNGjMutJJ920o8B5M8gW1+Ye
+-----END CERTIFICATE-----

testCredGen/cicso-umbrella/Cisco_Umbrella_Root_CA.cer

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIIUW6l3kYeVMEwDQYJKoZIhvcNAQELBQAwMTEOMAwGA1UE
+ChMFQ2lzY28xHzAdBgNVBAMTFkNpc2NvIFVtYnJlbGxhIFJvb3QgQ0EwHhcNMTYw
+NjI4MTUzNzUzWhcNMzYwNjI4MTUzNzUzWjAxMQ4wDAYDVQQKEwVDaXNjbzEfMB0G
+A1UEAxMWQ2lzY28gVW1icmVsbGEgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAO7ZjfBSCaz5EMYSiWYoXjHPP/w7xFT4bXa82lOZ9CJJXDQw
+bZpBdmuqX9UWo769LIAaSUvkYEeZqcTsjrx/7juPKoOErhJY0cPK12LU9PbHXqEd
+XESIqBjdOC5oiIFHhTAKuuKRlL7rhPYkYhZtgdll4h0FLIG+xNsMVfzJb7z69X8Y
+vF9r1drLkd7oR2xHuRkXgzeblFVpF+DRF7WXNhLy0By38ZxtClxYUSitdz53W0ic
+maelG7EyCVNVxARxn5waaphRvki1hkuqqrm3JdlV165zAOdSz3JKzRISQinCTQuT
++RK/w0qLsDTyOVO/mEIVWLXu/Z1NtuXgj/jhegcCAwEAAaNCMEAwDgYDVR0PAQH/
+BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFENzAN4kukAaQFQsfXzV
+AEiJDHCkMA0GCSqGSIb3DQEBCwUAA4IBAQBIEoceSPZLmo5sLmgDfQA+Fq5BKztL
+qg8aAvZdrbdMEKEBr1RDB0OAhuPcaaVxZi6Hjyql1N999Zmp8qIw/lLTt3VSTmEa
+29uPgjdMGLl9KyfZjARiA/PPvPdHTwg7TMJOet+w7P5nWabLNW55+Wc/JzCSFE30
++0Kdz/jojxlA/8t0xYLCdS2UK7zC4kuAbojHLJDbIQO3HeEWwVmg4FO89AHVvC4R
+Y+V0t7SaEradv6tPG9DHX7PLwjQ/Xs95NGDIJTeFwCRqYUlBu9iZjIvKba0e0tST
+Vuyw2+P2HuWazjBPawGrbfyw+uO3KO4WnNGjMutJJ920o8B5M8gW1+Ye
+-----END CERTIFICATE-----

testCredGen/cicso-umbrella/cisco.crt

@@ -193,7 +193,7 @@ func ImportRsaKey(filename string, privKey **rsa.PrivateKey) error {
 	return err
 }
 
-// Gets rsa public ket from pem file
+// Gets rsa public key from pem file
 func ImportRsaPubKey(filename string, pubKey **rsa.PublicKey) error {
 	pubFile, err := os.Open(filename)
 	if err != nil {

utils/cryptoutils.go

@@ -289,7 +289,7 @@ func (popToken *PopToken) Initialize(headerMap, payloadMap map[string]string, pu
 }
 
 // Generates popToken using a PrivateKey, can be used even if popToken is not initialized (claims are auto-fulfilled)
-func (popToken PopToken) GenerateToken(privKey crypto.PrivateKey) (token string, err error) {
+func (popToken *PopToken) GenerateToken(privKey crypto.PrivateKey) (token string, err error) {
 	// Initialization if is not
 	if popToken.HeaderClaims == nil {
 		if rsaPriv, ok := privKey.(*rsa.PrivateKey); ok {
@@ -315,6 +315,8 @@ func (popToken PopToken) GenerateToken(privKey crypto.PrivateKey) (token string,
 		return
 	}
 	popToken.PayloadClaims["jti"] = unparsedId.String()
+	popToken.PayloadClaims["aud"] = "vissv2/agts"
+	// popToken.PayloadClaims[""]
 	// Marshal header (must be in order)
 	iterator := []string{"typ", "alg", "jwk"}
 	for _, iter := range iterator {