diff options
author | Mauro Sardara <msardara@cisco.com> | 2020-02-21 11:52:28 +0100 |
---|---|---|
committer | Mauro Sardara <msardara@cisco.com> | 2020-02-26 13:19:16 +0100 |
commit | f4433f28b509a9f67ca85d79000ccf9c2f4b7a24 (patch) | |
tree | 0f754bc9d8222f3ace11849165753acd85be3b38 /libtransport/includes/hicn/transport/security | |
parent | 0e7669445b6be1163189521eabed7dd0124043c8 (diff) |
[HICN-534] Major rework on libtransport organization
Change-Id: I361b83a18b4fd59be136d5f0817fc28e17e89884
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Diffstat (limited to 'libtransport/includes/hicn/transport/security')
9 files changed, 562 insertions, 0 deletions
diff --git a/libtransport/includes/hicn/transport/security/CMakeLists.txt b/libtransport/includes/hicn/transport/security/CMakeLists.txt new file mode 100644 index 000000000..58a96780b --- /dev/null +++ b/libtransport/includes/hicn/transport/security/CMakeLists.txt @@ -0,0 +1,27 @@ +# Copyright (c) 2017-2019 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +cmake_minimum_required(VERSION 3.5 FATAL_ERROR) + +list(APPEND HEADER_FILES + ${CMAKE_CURRENT_SOURCE_DIR}/signer.h + ${CMAKE_CURRENT_SOURCE_DIR}/verifier.h + ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hasher.h + ${CMAKE_CURRENT_SOURCE_DIR}/crypto_suite.h + ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hash.h + ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hash_type.h + ${CMAKE_CURRENT_SOURCE_DIR}/identity.h + ${CMAKE_CURRENT_SOURCE_DIR}/key_id.h +) + +set(HEADER_FILES ${HEADER_FILES} PARENT_SCOPE)
\ No newline at end of file diff --git a/libtransport/includes/hicn/transport/security/crypto_hash.h b/libtransport/includes/hicn/transport/security/crypto_hash.h new file mode 100644 index 000000000..5a58f258b --- /dev/null +++ b/libtransport/includes/hicn/transport/security/crypto_hash.h @@ -0,0 +1,119 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <hicn/transport/errors/runtime_exception.h> +#include <hicn/transport/portability/portability.h> +#include <hicn/transport/security/crypto_hash_type.h> +#include <hicn/transport/utils/array.h> + +extern "C" { +#include <parc/security/parc_CryptoHash.h> +}; + +#include <cstring> +#include <unordered_map> + +namespace utils { + +class CryptoHasher; + +struct EnumClassHash { + template <typename T> + std::size_t operator()(T t) const { + return static_cast<std::size_t>(t); + } +}; + +static std::unordered_map<CryptoHashType, std::size_t, EnumClassHash> + hash_size_map = {{CryptoHashType::SHA_256, 32}, + {CryptoHashType::CRC32C, 4}, + {CryptoHashType::SHA_512, 64}}; + +class Signer; +class Verifier; + +class CryptoHash { + friend class CryptoHasher; + friend class Signer; + friend class Verifier; + + public: + CryptoHash() : hash_(nullptr) {} + + CryptoHash(const CryptoHash& other) { + if (other.hash_) { + hash_ = parcCryptoHash_Acquire(other.hash_); + } + } + + CryptoHash(CryptoHash&& other) { + if (other.hash_) { + hash_ = parcCryptoHash_Acquire(other.hash_); + } + } + + template <typename T> + CryptoHash(const T* buffer, std::size_t length, CryptoHashType hash_type) { + hash_ = parcCryptoHash_CreateFromArray( + static_cast<PARCCryptoHashType>(hash_type), buffer, length); + } + + ~CryptoHash() { + if (hash_) { + parcCryptoHash_Release(&hash_); + } + } + + CryptoHash& operator=(const CryptoHash& other) { + if (other.hash_) { + hash_ = parcCryptoHash_Acquire(other.hash_); + } + + return *this; + } + + template <typename T> + utils::Array<T> getDigest() const { + return utils::Array<T>( + static_cast<T*>(parcBuffer_Overlay(parcCryptoHash_GetDigest(hash_), 0)), + parcBuffer_Remaining(parcCryptoHash_GetDigest(hash_))); + } + + CryptoHashType getType() { + return static_cast<CryptoHashType>(parcCryptoHash_GetDigestType(hash_)); + } + + template <typename T> + static bool compareBinaryDigest(const T* digest1, const T* digest2, + CryptoHashType hash_type) { + if (hash_size_map.find(hash_type) == hash_size_map.end()) { + return false; + } + + return !static_cast<bool>( + std::memcmp(digest1, digest2, hash_size_map[hash_type])); + } + + TRANSPORT_ALWAYS_INLINE void display() { + parcBuffer_Display(parcCryptoHash_GetDigest(hash_), 2); + } + + private: + PARCCryptoHash* hash_; +}; + +} // namespace utils
\ No newline at end of file diff --git a/libtransport/includes/hicn/transport/security/crypto_hash_type.h b/libtransport/includes/hicn/transport/security/crypto_hash_type.h new file mode 100644 index 000000000..b7597e208 --- /dev/null +++ b/libtransport/includes/hicn/transport/security/crypto_hash_type.h @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +extern "C" { +#include <parc/security/parc_CryptoHashType.h> +}; + +namespace utils { + +enum class CryptoHashType : uint8_t { + SHA_256 = PARCCryptoHashType_SHA256, + SHA_512 = PARCCryptoHashType_SHA512, + CRC32C = PARCCryptoHashType_CRC32C, + NULL_HASH = PARCCryptoHashType_NULL +}; + +}
\ No newline at end of file diff --git a/libtransport/includes/hicn/transport/security/crypto_hasher.h b/libtransport/includes/hicn/transport/security/crypto_hasher.h new file mode 100644 index 000000000..9367c3bc8 --- /dev/null +++ b/libtransport/includes/hicn/transport/security/crypto_hasher.h @@ -0,0 +1,68 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <hicn/transport/security/crypto_hash.h> + +extern "C" { +#include <parc/security/parc_CryptoHasher.h> +}; + +namespace utils { + +class CryptoHasher { + public: + CryptoHasher(CryptoHashType hash_type) + : hasher_(parcCryptoHasher_Create( + static_cast<PARCCryptoHashType>(hash_type))), + managed_(true) {} + + CryptoHasher(PARCCryptoHasher* hasher) : hasher_(hasher), managed_(false) {} + + ~CryptoHasher() { + if (managed_) { + parcCryptoHasher_Release(&hasher_); + } + } + + CryptoHasher& init() { + if (parcCryptoHasher_Init(hasher_) == -1) { + throw errors::RuntimeException("Cryptohash init failed."); + } + + return *this; + } + + template <typename T> + CryptoHasher& updateBytes(const T* buffer, std::size_t length) { + if (parcCryptoHasher_UpdateBytes(hasher_, buffer, length) == -1) { + throw errors::RuntimeException("Cryptohash updateBytes failed."); + } + return *this; + } + + CryptoHash finalize() { + CryptoHash hash; + hash.hash_ = parcCryptoHasher_Finalize(hasher_); + return hash; + } + + private: + PARCCryptoHasher* hasher_; + bool managed_; +}; + +} // namespace utils
\ No newline at end of file diff --git a/libtransport/includes/hicn/transport/security/crypto_suite.h b/libtransport/includes/hicn/transport/security/crypto_suite.h new file mode 100644 index 000000000..017938f8f --- /dev/null +++ b/libtransport/includes/hicn/transport/security/crypto_suite.h @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +extern "C" { +#include <parc/security/parc_CryptoSuite.h> +}; + +#include <cstdint> + +namespace utils { + +enum class CryptoSuite : uint8_t { + RSA_SHA256 = PARCCryptoSuite_RSA_SHA256, + DSA_SHA256 = PARCCryptoSuite_DSA_SHA256, + RSA_SHA512 = PARCCryptoSuite_RSA_SHA512, + HMAC_SHA256 = PARCCryptoSuite_HMAC_SHA256, + HMAC_SHA512 = PARCCryptoSuite_HMAC_SHA512, + NULL_CRC32C = PARCCryptoSuite_NULL_CRC32C, + ECDSA_256K1 = PARCCryptoSuite_ECDSA_SHA256, + UNKNOWN = PARCCryptoSuite_UNKNOWN +}; +} diff --git a/libtransport/includes/hicn/transport/security/identity.h b/libtransport/includes/hicn/transport/security/identity.h new file mode 100644 index 000000000..c5d4b975d --- /dev/null +++ b/libtransport/includes/hicn/transport/security/identity.h @@ -0,0 +1,63 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <hicn/transport/security/crypto_suite.h> +#include <hicn/transport/security/signer.h> + +#include <core/manifest_format.h> + +extern "C" { +#include <parc/security/parc_Identity.h> +#include <parc/security/parc_IdentityFile.h> +#include <parc/security/parc_Pkcs12KeyStore.h> +}; + +#include <string> + +namespace utils { + +class Identity { + public: + Identity(const std::string &keystore_name, + const std::string &keystore_password, CryptoSuite suite, + unsigned int signature_length, unsigned int validity_days, + const std::string &subject_name); + + Identity(const Identity &other); + + Identity(std::string &file_name, std::string &password, + transport::core::HashAlgorithm hash_algorithm); + + ~Identity(); + + static Identity generateIdentity(const std::string &subject_name); + + std::string getFileName(); + + std::string getPassword(); + + std::shared_ptr<Signer> getSigner(); + + size_t getSignatureLength() const; + + private: + PARCIdentity *identity_; + std::shared_ptr<Signer> signer_; + transport::core::HashAlgorithm hash_algorithm_; +}; + +} // namespace utils diff --git a/libtransport/includes/hicn/transport/security/key_id.h b/libtransport/includes/hicn/transport/security/key_id.h new file mode 100644 index 000000000..d67b73d7a --- /dev/null +++ b/libtransport/includes/hicn/transport/security/key_id.h @@ -0,0 +1,25 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <cstdint> +#include <utility> + +namespace utils { + +using KeyId = std::pair<uint8_t*, uint8_t>; + +} diff --git a/libtransport/includes/hicn/transport/security/signer.h b/libtransport/includes/hicn/transport/security/signer.h new file mode 100644 index 000000000..31b21462b --- /dev/null +++ b/libtransport/includes/hicn/transport/security/signer.h @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <hicn/transport/core/packet.h> + +extern "C" { +#include <parc/security/parc_CryptoHashType.h> +#include <parc/security/parc_CryptoSuite.h> +#include <parc/security/parc_KeyStore.h> +#include <parc/security/parc_Signer.h> +#include <parc/security/parc_SymmetricKeySigner.h> +} + +namespace utils { + +using Packet = transport::core::Packet; + +/** + * A signer can use a single key (asymmetric or symmetric) to sign a packet. + */ +class Signer { + friend class Identity; + + public: + /** + * Create a Signer + * + * @param keyStore A keystore containing a private key or simmetric key to + * use to sign packet with this Signer. + * @param suite CryptoSuite to use to verify the signature + */ + Signer(PARCKeyStore *keyStore, CryptoSuite suite); + + /** + * Create a Signer + * + * @param passphrase A string from which the symmetric key will be derived + * @param suite CryptoSuite to use to verify the signature + */ + Signer(const std::string &passphrase, CryptoSuite suite); + + Signer(const PARCSigner *signer, CryptoSuite suite); + + Signer(const PARCSigner *signer); + + ~Signer(); + + /** + * @brief Sign a packet + * + * This method is general and must be used for Public-private key signature, + * HMAC and CRC. + * + * @param packet A pointer to the header of the packet to sign. Mutable + * field in the packet must be set to 0. + * @param key_id Indentifier of the key to use to generate the signature. + */ + void sign(Packet &packet); + + size_t getSignatureLength(); + + PARCKeyStore *getKeyStore(); + + private: + PARCBufferComposer *composer_ = nullptr; + PARCBuffer *key_buffer_ = nullptr; + PARCSymmetricKeyStore *symmetricKeyStore_ = nullptr; + PARCSigner *signer_ = nullptr; + PARCSignature *signature_ = nullptr; + PARCKeyId *key_id_ = nullptr; + CryptoSuite suite_; + size_t signature_length_; + static uint8_t zeros[200]; +}; + +} // namespace utils diff --git a/libtransport/includes/hicn/transport/security/verifier.h b/libtransport/includes/hicn/transport/security/verifier.h new file mode 100644 index 000000000..7ec6e7eda --- /dev/null +++ b/libtransport/includes/hicn/transport/security/verifier.h @@ -0,0 +1,103 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <hicn/transport/core/packet.h> + +extern "C" { +#include <parc/security/parc_CertificateFactory.h> +#include <parc/security/parc_InMemoryVerifier.h> +#include <parc/security/parc_KeyId.h> +#include <parc/security/parc_Security.h> +#include <parc/security/parc_SymmetricKeySigner.h> +#include <parc/security/parc_Verifier.h> +} + +namespace utils { + +using Packet = transport::core::Packet; + +/** + * A verifier holds a crypto cache that contains all the keys to use for + * verify signatures/hmacs. + */ +class Verifier { + public: + Verifier(); + + ~Verifier(); + + /** + * @brief Check if a key is already in this Verifier. + * + * A PARCVerifier contains a CryptoCache with a set of key to use for + * verification purposes. + * + * @param keyId Identifier of the key to match in the CryptoCache of the + * Verifier. + * @return true if the key is found, false otherwise. + */ + bool hasKey(PARCKeyId *keyId); + + /** + * @brief Add a key to this Verifier + * + * @param key to add + * @return true if the key was added successfully, false otherwise. + */ + bool addKey(PARCKey *key); + + PARCKeyId *addKeyFromPassphrase(const std::string &passphrase, + CryptoSuite suite); + + PARCKeyId *addKeyFromCertificate(const std::string &file_name); + + /** + * @brief Verify a Signature + * + * This method is general and must be used for Public-private key signature, + * HMAC and CRC. + * + * @param signature A pointer to the buffer holding the signature + * @param sign_len Lenght of the signature (must be consistent with the type + * of the key) + * @param bufferSigned A pointer to the packet header signed with + * signature. Mutable fields and the signature field in the packet must be + * set to 0 + * @param buf_len Lenght of bufferSigned + * @param suite CryptoSuite to use to verify the signature + * @param key_id Indentifier of the key to use to verify the signature. The + * key must be already present in the Verifier. + */ + int verify(const Packet &packet); + + CryptoHash getPacketHash(const Packet &packet, + std::shared_ptr<CryptoHasher> hasher); + + private: + PARCVerifier *verifier_ = nullptr; + PARCCertificateFactory *factory_ = nullptr; + PARCCertificate *certificate_ = nullptr; + PARCKeyId *keyId_ = nullptr; + PARCKey *key_ = nullptr; + PARCBuffer *key_buffer_ = nullptr; + PARCSymmetricKeyStore *symmetricKeyStore_ = nullptr; + PARCSigner *signer_ = nullptr; + PARCBufferComposer *composer_ = nullptr; + static uint8_t zeros[200]; +}; + +} // namespace utils |