diff options
author | Mauro <you@example.com> | 2021-06-30 07:57:22 +0000 |
---|---|---|
committer | Mauro Sardara <msardara@cisco.com> | 2021-07-06 16:16:04 +0000 |
commit | 08233d44a6cfde878d7e10bca38ae935ed1c8fd5 (patch) | |
tree | 7ecc534d55bdc7e8dd15ecab084720910bcdf4d9 /libtransport/src/auth | |
parent | 147ba39bed26887f5eba84757e2463ab8e370a9a (diff) |
[HICN-713] Transport Library Major Refactoring 2
Co-authored-by: Luca Muscariello <muscariello@ieee.org>
Co-authored-by: Michele Papalini <micpapal@cisco.com>
Co-authored-by: Olivier Roques <oroques+fdio@cisco.com>
Co-authored-by: Giulio Grassi <gigrassi@cisco.com>
Signed-off-by: Mauro Sardara <msardara@cisco.com>
Change-Id: I5b2c667bad66feb45abdb5effe22ed0f6c85d1c2
Diffstat (limited to 'libtransport/src/auth')
-rw-r--r-- | libtransport/src/auth/CMakeLists.txt | 4 | ||||
-rw-r--r-- | libtransport/src/auth/crypto_hash.cc | 201 | ||||
-rw-r--r-- | libtransport/src/auth/crypto_suite.cc | 81 | ||||
-rw-r--r-- | libtransport/src/auth/identity.cc | 286 | ||||
-rw-r--r-- | libtransport/src/auth/signer.cc | 277 | ||||
-rw-r--r-- | libtransport/src/auth/verifier.cc | 427 |
6 files changed, 901 insertions, 375 deletions
diff --git a/libtransport/src/auth/CMakeLists.txt b/libtransport/src/auth/CMakeLists.txt index 0e7b5832b..699bc1050 100644 --- a/libtransport/src/auth/CMakeLists.txt +++ b/libtransport/src/auth/CMakeLists.txt @@ -11,12 +11,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -cmake_minimum_required(VERSION 3.5 FATAL_ERROR) - list(APPEND SOURCE_FILES ${CMAKE_CURRENT_SOURCE_DIR}/signer.cc ${CMAKE_CURRENT_SOURCE_DIR}/verifier.cc ${CMAKE_CURRENT_SOURCE_DIR}/identity.cc + ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hash.cc + ${CMAKE_CURRENT_SOURCE_DIR}/crypto_suite.cc ) set(SOURCE_FILES ${SOURCE_FILES} PARENT_SCOPE) diff --git a/libtransport/src/auth/crypto_hash.cc b/libtransport/src/auth/crypto_hash.cc new file mode 100644 index 000000000..b4b0a8b81 --- /dev/null +++ b/libtransport/src/auth/crypto_hash.cc @@ -0,0 +1,201 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <hicn/transport/auth/crypto_hash.h> + +using namespace std; + +namespace transport { +namespace auth { + +CryptoHash::CryptoHash() : CryptoHash(CryptoHashType::UNKNOWN) {} + +CryptoHash::CryptoHash(const CryptoHash &other) + : digest_type_(other.digest_type_), + digest_(other.digest_), + digest_size_(other.digest_size_) {} + +CryptoHash::CryptoHash(CryptoHash &&other) + : digest_type_(move(other.digest_type_)), + digest_(other.digest_), + digest_size_(other.digest_size_) { + other.reset(); +} + +CryptoHash::CryptoHash(CryptoHashType hash_type) { setType(hash_type); } + +CryptoHash::CryptoHash(const uint8_t *hash, size_t size, + CryptoHashType hash_type) + : digest_type_(hash_type), digest_size_(size) { + digest_.resize(size); + memcpy(digest_.data(), hash, size); +} + +CryptoHash::CryptoHash(const vector<uint8_t> &hash, CryptoHashType hash_type) + : CryptoHash(hash.data(), hash.size(), hash_type) {} + +CryptoHash &CryptoHash::operator=(const CryptoHash &other) { + digest_type_ = other.digest_type_; + digest_ = other.digest_; + digest_size_ = other.digest_size_; + return *this; +} + +bool CryptoHash::operator==(const CryptoHash &other) const { + return (digest_type_ == other.digest_type_ && digest_ == other.digest_); +} + +void CryptoHash::computeDigest(const uint8_t *buffer, size_t len) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(digest_type_); + + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } + + EVP_Digest(buffer, len, digest_.data(), (unsigned int *)&digest_size_, + (*hash_evp)(), nullptr); +} + +void CryptoHash::computeDigest(const vector<uint8_t> &buffer) { + computeDigest(buffer.data(), buffer.size()); +} + +void CryptoHash::computeDigest(const utils::MemBuf *buffer) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(digest_type_); + + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } + + EVP_MD_CTX *mcdtx = EVP_MD_CTX_new(); + const utils::MemBuf *p = buffer; + + if (EVP_DigestInit_ex(mcdtx, (*hash_evp)(), nullptr) == 0) { + throw errors::RuntimeException("Digest initialization failed"); + } + + do { + if (EVP_DigestUpdate(mcdtx, p->data(), p->length()) != 1) { + throw errors::RuntimeException("Digest update failed"); + } + + p = p->next(); + } while (p != buffer); + + if (EVP_DigestFinal_ex(mcdtx, digest_.data(), + (unsigned int *)&digest_size_) != 1) { + throw errors::RuntimeException("Digest computation failed"); + } + + EVP_MD_CTX_free(mcdtx); +} + +vector<uint8_t> CryptoHash::getDigest() const { return digest_; } + +string CryptoHash::getStringDigest() const { + stringstream string_digest; + + string_digest << hex << setfill('0'); + + for (auto byte : digest_) { + string_digest << hex << setw(2) << static_cast<int>(byte); + } + + return string_digest.str(); +} + +CryptoHashType CryptoHash::getType() const { return digest_type_; } + +size_t CryptoHash::getSize() const { return digest_size_; } + +void CryptoHash::setType(CryptoHashType hash_type) { + reset(); + digest_type_ = hash_type; + digest_size_ = CryptoHash::getSize(hash_type); + digest_.resize(digest_size_); +} + +void CryptoHash::display() { + switch (digest_type_) { + case CryptoHashType::SHA256: + cout << "SHA256"; + break; + case CryptoHashType::SHA512: + cout << "SHA512"; + break; + case CryptoHashType::BLAKE2S256: + cout << "BLAKE2s256"; + break; + case CryptoHashType::BLAKE2B512: + cout << "BLAKE2b512"; + break; + default: + cout << "UNKNOWN"; + break; + } + + cout << ": " << getStringDigest() << endl; +} + +void CryptoHash::reset() { + digest_type_ = CryptoHashType::UNKNOWN; + digest_.clear(); + digest_size_ = 0; +} + +CryptoHashEVP CryptoHash::getEVP(CryptoHashType hash_type) { + switch (hash_type) { + case CryptoHashType::SHA256: + return &EVP_sha256; + break; + case CryptoHashType::SHA512: + return &EVP_sha512; + break; + case CryptoHashType::BLAKE2S256: + return &EVP_blake2s256; + break; + case CryptoHashType::BLAKE2B512: + return &EVP_blake2b512; + break; + default: + return nullptr; + break; + } +} + +size_t CryptoHash::getSize(CryptoHashType hash_type) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type); + + if (hash_evp == nullptr) { + return 0; + } + + return EVP_MD_size((*hash_evp)()); +} + +bool CryptoHash::compareDigest(const uint8_t *digest1, const uint8_t *digest2, + CryptoHashType hash_type) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type); + + if (hash_evp == nullptr) { + return false; + } + + return !static_cast<bool>( + memcmp(digest1, digest2, CryptoHash::getSize(hash_type))); +} + +} // namespace auth +} // namespace transport diff --git a/libtransport/src/auth/crypto_suite.cc b/libtransport/src/auth/crypto_suite.cc new file mode 100644 index 000000000..7e898ef09 --- /dev/null +++ b/libtransport/src/auth/crypto_suite.cc @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2017-2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <hicn/transport/auth/crypto_suite.h> + +namespace transport { +namespace auth { + +CryptoSuite getSuite(int nid) { + switch (nid) { + case NID_ecdsa_with_SHA256: + return CryptoSuite::ECDSA_SHA256; + break; + case NID_ecdsa_with_SHA512: + return CryptoSuite::ECDSA_SHA512; + break; + case NID_sha256WithRSAEncryption: + return CryptoSuite::RSA_SHA256; + break; + case NID_sha512WithRSAEncryption: + return CryptoSuite::RSA_SHA512; + break; + case NID_hmacWithSHA256: + return CryptoSuite::HMAC_SHA256; + break; + case NID_hmacWithSHA512: + return CryptoSuite::HMAC_SHA512; + break; + case NID_dsa_with_SHA256: + return CryptoSuite::DSA_SHA256; + break; + case NID_dsa_with_SHA512: + return CryptoSuite::DSA_SHA512; + break; + default: + return CryptoSuite::UNKNOWN; + break; + } +} + +CryptoHashType getHashType(CryptoSuite suite) { + switch (suite) { + case CryptoSuite::ECDSA_BLAKE2B512: + case CryptoSuite::RSA_BLAKE2B512: + case CryptoSuite::HMAC_BLAKE2B512: + case CryptoSuite::DSA_BLAKE2B512: + return CryptoHashType::BLAKE2B512; + case CryptoSuite::ECDSA_BLAKE2S256: + case CryptoSuite::RSA_BLAKE2S256: + case CryptoSuite::HMAC_BLAKE2S256: + case CryptoSuite::DSA_BLAKE2S256: + return CryptoHashType::BLAKE2S256; + case CryptoSuite::ECDSA_SHA256: + case CryptoSuite::RSA_SHA256: + case CryptoSuite::HMAC_SHA256: + case CryptoSuite::DSA_SHA256: + return CryptoHashType::SHA256; + case CryptoSuite::ECDSA_SHA512: + case CryptoSuite::RSA_SHA512: + case CryptoSuite::HMAC_SHA512: + case CryptoSuite::DSA_SHA512: + return CryptoHashType::SHA512; + default: + return CryptoHashType::UNKNOWN; + } +} + +} // namespace auth +} // namespace transport diff --git a/libtransport/src/auth/identity.cc b/libtransport/src/auth/identity.cc index bd787b9b6..f56532033 100644 --- a/libtransport/src/auth/identity.cc +++ b/libtransport/src/auth/identity.cc @@ -17,90 +17,262 @@ using namespace std; +// function needed to create the a certificate +static bool _addRandomSerial(X509 *cert) { + unsigned long serial = 0; + unsigned char serial_bytes[sizeof(serial)]; + + // Construct random positive serial number. + RAND_bytes(serial_bytes, sizeof(serial_bytes)); + serial_bytes[0] &= 0x7F; + serial = 0; + for (size_t i = 0; i < sizeof(serial_bytes); i++) { + serial = (256 * serial) + serial_bytes[i]; + } + ASN1_INTEGER_set(X509_get_serialNumber(cert), serial); + return true; +} + +static bool _addValidityPeriod(X509 *cert, size_t validityDays) { + // Set the validity from now for the specified number of days. + X509_gmtime_adj(X509_get_notBefore(cert), (long)0); + X509_gmtime_adj(X509_get_notAfter(cert), (long)(60 * 60 * 24 * validityDays)); + return true; +} + +static bool _addSubjectName(X509 *cert, const char *subjectname) { + // Set up the simple subject name and issuer name for the certificate. + X509_NAME *name = X509_get_subject_name(cert); + + if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, + (unsigned char *)subjectname, -1, -1, 0)) { + if (X509_set_issuer_name(cert, name)) { + return true; + } + } + return false; +} +static bool _addCertificateExtensionWithContext(X509 *cert, int nid, + const char *value) { + X509_EXTENSION *extension; + X509V3_CTX context; + + X509V3_set_ctx_nodb(&context); + X509V3_set_ctx(&context, cert, cert, NULL, NULL, 0); + extension = X509V3_EXT_conf_nid(NULL, &context, nid, value); + if (extension == NULL) { + return false; + } + X509_add_ext(cert, extension, -1); + X509_EXTENSION_free(extension); + return true; +} +static bool _addCertificateExtension(X509 *cert, int nid, const char *value) { + X509_EXTENSION *extension = X509V3_EXT_conf_nid(NULL, NULL, nid, value); + if (extension == NULL) { + return false; + } + X509_add_ext(cert, extension, -1); + X509_EXTENSION_free(extension); + return true; +} + +static bool _addExtensions(X509 *cert) { + // Add the necessary extensions. + if (_addCertificateExtension(cert, NID_basic_constraints, + "critical,CA:FALSE") == true) { + if (_addCertificateExtension( + cert, NID_key_usage, + "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment," + "keyAgreement") == true) { + if (_addCertificateExtension(cert, NID_ext_key_usage, "clientAuth") == + true) { + return true; + } + } + } + return false; +} +static bool _addKeyIdentifier(X509 *cert) { + unsigned char spkid[SHA256_DIGEST_LENGTH]; + char spkid_hex[1 + 2 * SHA256_DIGEST_LENGTH]; + if (ASN1_item_digest(ASN1_ITEM_rptr(X509_PUBKEY), EVP_sha256(), + X509_get_X509_PUBKEY(cert), spkid, NULL)) { + for (int i = 0; i < 32; i++) { + snprintf(&spkid_hex[2 * i], 3, "%02X", (unsigned)spkid[i]); + } + if (_addCertificateExtension(cert, NID_subject_key_identifier, spkid_hex) == + true) { + if (_addCertificateExtensionWithContext( + cert, NID_authority_key_identifier, "keyid:always") == true) { + return true; + } + } + } + return false; +} + namespace transport { namespace auth { Identity::Identity(const string &keystore_path, const string &keystore_pwd, CryptoSuite suite, unsigned int signature_len, unsigned int validity_days, const string &subject_name) - : identity_(nullptr), signer_(nullptr) { - parcSecurity_Init(); - - bool success = parcPkcs12KeyStore_CreateFile( - keystore_path.c_str(), keystore_pwd.c_str(), subject_name.c_str(), - parcCryptoSuite_GetSigningAlgorithm(static_cast<PARCCryptoSuite>(suite)), - signature_len, validity_days); + : cert_(X509_new(), ::X509_free) { + // create the file and complete it. + // first we create the certificate - parcAssertTrue( - success, - "parcPkcs12KeyStore_CreateFile('%s', '%s', '%s', %d, %d, %d) failed.", - keystore_path.c_str(), keystore_pwd.c_str(), subject_name.c_str(), - static_cast<int>(suite), static_cast<int>(signature_len), validity_days); + // to create the cert we will need a private key - PARCIdentityFile *identity_file = - parcIdentityFile_Create(keystore_path.c_str(), keystore_pwd.c_str()); + std::shared_ptr<EVP_PKEY> privateKey(EVP_PKEY_new(), EVP_PKEY_free); - identity_ = - parcIdentity_Create(identity_file, PARCIdentityFileAsPARCIdentity); + if (suite == CryptoSuite::RSA_SHA512 || suite == CryptoSuite::RSA_SHA256) { + RSA *rsa = RSA_new(); + BIGNUM *pub_exp; - PARCSigner *signer = parcIdentity_CreateSigner( - identity_, - parcCryptoSuite_GetCryptoHash(static_cast<PARCCryptoSuite>(suite))); + pub_exp = BN_new(); - signer_ = make_shared<AsymmetricSigner>(signer); - - parcSigner_Release(&signer); - parcIdentityFile_Release(&identity_file); + BN_set_word(pub_exp, RSA_F4); + if (1 != RSA_generate_key_ex(rsa, signature_len, pub_exp, NULL)) + throw errors::RuntimeException("can't generate the key"); + if (1 != EVP_PKEY_set1_RSA(privateKey.get(), rsa)) + throw errors::RuntimeException("can't generate the key"); + } else if (suite == CryptoSuite::ECDSA_SHA256) { + int curve_params; + switch (signature_len) { + case 160u: + curve_params = NID_secp160k1; + break; + case 192u: + curve_params = NID_secp192k1; + break; + case 224u: + curve_params = NID_secp224k1; + break; + case 256u: + curve_params = NID_secp256k1; + break; + default: + curve_params = -1; + break; + } + if (curve_params == -1) + throw errors::RuntimeException("can't generate the key"); + EC_KEY *ec_key = EC_KEY_new_by_curve_name(curve_params); + if (ec_key == NULL) + throw errors::RuntimeException("can't create ecdsa key from curve"); + EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE); + if (EC_KEY_generate_key(ec_key) == 0) + throw errors::RuntimeException("can't generate the ecdsa key"); + if (EVP_PKEY_set1_EC_KEY(privateKey.get(), ec_key) == 0) + throw errors::RuntimeException("can't generate the ecdsa key"); + } else if (suite == CryptoSuite::DSA_SHA256) { + DSA *dsa = DSA_new(); + unsigned char buffer[32]; + if (RAND_bytes(buffer, sizeof(buffer)) != 1) { + throw errors::RuntimeException("can't generate the key"); + } + if (DSA_generate_parameters_ex(dsa, signature_len, buffer, sizeof(buffer), + NULL, NULL, NULL) != 1) + throw errors::RuntimeException("can't generate the key"); + if (DSA_generate_key(dsa) != 1) + throw errors::RuntimeException("can't generate the key"); + if (EVP_PKEY_set1_DSA(privateKey.get(), dsa) != 1) + throw errors::RuntimeException("can't generate the key"); + } + bool success = true; + success = success && (X509_set_version(cert_.get(), 2) == 1); // 2 => X509v3 + success = success && _addRandomSerial(cert_.get()); + success = success && _addValidityPeriod(cert_.get(), validity_days); + success = success && (X509_set_pubkey(cert_.get(), privateKey.get()) == 1); + success = success && _addSubjectName(cert_.get(), subject_name.c_str()); + success = success && _addExtensions(cert_.get()); + success = + success && (X509_sign(cert_.get(), privateKey.get(), EVP_sha256()) != 0); + success = success && _addKeyIdentifier(cert_.get()); + if (!success) { + throw errors::RuntimeException("error while creating the certificate"); + } + // the certificate is created. We create the pkcs12 object to write the p12 + // file + PKCS12 *p12 = PKCS12_create( + keystore_pwd.c_str(), "ccnxuser", privateKey.get(), cert_.get(), NULL, 0, + 0, 0 /*default iter*/, PKCS12_DEFAULT_ITER /*mac_iter*/, 0); + filename_ = keystore_path; + int fp = open(filename_.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0600); + if (fp == -1) throw errors::RuntimeException("impossible to create the file"); + FILE *fp_f = fdopen(fp, "wb"); + if (fp_f == NULL) + throw errors::RuntimeException("impossible to create the file"); + i2d_PKCS12_fp(fp_f, p12); + fclose(fp_f); + close(fp); + std::shared_ptr<EVP_PKEY> publickey(X509_get_pubkey(cert_.get()), + EVP_PKEY_free); + signer_ = std::shared_ptr<AsymmetricSigner>( + new AsymmetricSigner(suite, privateKey, publickey)); + signer_->signature_len_ = signature_len; } Identity::Identity(string &keystore_path, string &keystore_pwd, CryptoHashType hash_type) - : identity_(nullptr), signer_(nullptr) { - parcSecurity_Init(); - - PARCIdentityFile *identity_file = - parcIdentityFile_Create(keystore_path.c_str(), keystore_pwd.c_str()); - - identity_ = - parcIdentity_Create(identity_file, PARCIdentityFileAsPARCIdentity); - - PARCSigner *signer = parcIdentity_CreateSigner( - identity_, static_cast<PARCCryptoHashType>(hash_type)); - - signer_ = make_shared<AsymmetricSigner>(signer); - - parcSigner_Release(&signer); - parcIdentityFile_Release(&identity_file); + : cert_(X509_new(), ::X509_free) { + filename_ = keystore_path; + pwd_ = keystore_path; + // get the key and certificate by first opening the keystore file + FILE *p12file = fopen(keystore_path.c_str(), "r"); + if (p12file == NULL) + throw errors::RuntimeException("impossible open keystore"); + PKCS12 *p12 = d2i_PKCS12_fp(p12file, NULL); + EVP_PKEY *privatekey; + EVP_PKEY *publickey; + X509 *cert = cert_.get(); + // now we parse the file to get the first key and certificate + if (1 != PKCS12_parse(p12, keystore_pwd.c_str(), &privatekey, &cert, NULL)) + throw errors::RuntimeException("impossible to get the private key"); + publickey = X509_get_pubkey(cert); + // to have the cryptosuite we use the nid number that is used to identify the + // suite. + CryptoSuite suite = getSuite(X509_get_signature_nid(cert)); + signer_ = std::shared_ptr<AsymmetricSigner>(new AsymmetricSigner( + suite, std::shared_ptr<EVP_PKEY>(privatekey, EVP_PKEY_free), + std::shared_ptr<EVP_PKEY>(publickey, EVP_PKEY_free))); + PKCS12_free(p12); } -Identity::Identity(const Identity &other) - : identity_(nullptr), signer_(other.signer_) { - parcSecurity_Init(); - identity_ = parcIdentity_Acquire(other.identity_); +Identity::Identity(const Identity &other) { + pwd_ = other.pwd_; + filename_ = other.filename_; + signer_ = other.signer_; + cert_ = other.cert_; } -Identity::Identity(Identity &&other) - : identity_(nullptr), signer_(move(other.signer_)) { - parcSecurity_Init(); - identity_ = parcIdentity_Acquire(other.identity_); - parcIdentity_Release(&other.identity_); +Identity::Identity(Identity &&other) { + signer_ = std::move(other.signer_); + other.signer_.reset(); + cert_ = std::move(other.cert_); + other.cert_.reset(); + pwd_ = other.pwd_; + other.pwd_ = ""; + filename_ = other.filename_; + other.filename_ = ""; + signer_ = other.signer_; + other.signer_ = nullptr; } -Identity::~Identity() { - if (identity_) parcIdentity_Release(&identity_); - parcSecurity_Fini(); -} +Identity::~Identity() {} shared_ptr<AsymmetricSigner> Identity::getSigner() const { return signer_; } -string Identity::getFilename() const { - return string(parcIdentity_GetFileName(identity_)); -} +string Identity::getFilename() const { return filename_; } -string Identity::getPassword() const { - return string(parcIdentity_GetPassWord(identity_)); +std::shared_ptr<X509> Identity::getCertificate() const { return cert_; } +std::shared_ptr<EVP_PKEY> Identity::getPrivateKey() const { + return signer_->key_; } +string Identity::getPassword() const { return pwd_; } + Identity Identity::generateIdentity(const string &subject_name) { string keystore_name = "keystore"; string keystore_password = "password"; diff --git a/libtransport/src/auth/signer.cc b/libtransport/src/auth/signer.cc index 99c3d099d..884e850ca 100644 --- a/libtransport/src/auth/signer.cc +++ b/libtransport/src/auth/signer.cc @@ -15,193 +15,214 @@ #include <hicn/transport/auth/signer.h> -extern "C" { -#ifndef _WIN32 -TRANSPORT_CLANG_DISABLE_WARNING("-Wextern-c-compat") -#endif -#include <hicn/hicn.h> -} - -#include <chrono> - -#define ALLOW_UNALIGNED_READS 1 - using namespace std; namespace transport { namespace auth { -Signer::Signer() : signer_(nullptr), key_id_(nullptr) { parcSecurity_Init(); } +// --------------------------------------------------------- +// Base Signer +// --------------------------------------------------------- +Signer::Signer() + : suite_(CryptoSuite::UNKNOWN), signature_len_(0), key_(nullptr) {} -Signer::Signer(PARCSigner *signer) : Signer() { setSigner(signer); } - -Signer::~Signer() { - if (signer_) parcSigner_Release(&signer_); - if (key_id_) parcKeyId_Release(&key_id_); - parcSecurity_Fini(); -} +Signer::~Signer() {} void Signer::signPacket(PacketPtr packet) { - parcAssertNotNull(signer_, "Expected non-null signer"); - - const utils::MemBuf &header_chain = *packet; + assert(key_ != nullptr); core::Packet::Format format = packet->getFormat(); - auto suite = getCryptoSuite(); - size_t signature_len = getSignatureSize(); if (!packet->authenticationHeader()) { throw errors::MalformedAHPacketException(); } - packet->setSignatureSize(signature_len); + // Set signature size + size_t signature_field_len = getSignatureFieldSize(); + packet->setSignatureSize(signature_field_len); + packet->setSignatureSizeGap(0u); // Copy IP+TCP / ICMP header before zeroing them hicn_header_t header_copy; hicn_packet_copy_header(format, packet->packet_start_, &header_copy, false); - packet->resetForHash(); - // Fill in the HICN_AH header + // Fill in the hICN AH header auto now = chrono::duration_cast<chrono::milliseconds>( chrono::system_clock::now().time_since_epoch()) .count(); packet->setSignatureTimestamp(now); - packet->setValidationAlgorithm(suite); + packet->setValidationAlgorithm(suite_); - // Set the key ID - KeyId key_id; - key_id.first = static_cast<uint8_t *>( - parcBuffer_Overlay((PARCBuffer *)parcKeyId_GetKeyId(key_id_), 0)); - packet->setKeyId(key_id); + // Set key ID + vector<uint8_t> key_id = key_id_.getDigest(); + packet->setKeyId({key_id.data(), key_id.size()}); - // Calculate hash - CryptoHasher hasher(parcSigner_GetCryptoHasher(signer_)); - const utils::MemBuf *current = &header_chain; + // Reset fields to compute the packet hash + packet->resetForHash(); - hasher.init(); + // Compute the signature and put it in the packet + signBuffer(packet); + hicn_packet_copy_header(format, &header_copy, packet->packet_start_, false); - do { - hasher.updateBytes(current->data(), current->length()); - current = current->next(); - } while (current != &header_chain); + // Set the gap between the signature field size and the signature real size. + packet->setSignatureSizeGap(signature_field_len - signature_len_); + memcpy(packet->getSignature(), signature_.data(), signature_len_); +} - CryptoHash hash = hasher.finalize(); +void Signer::signBuffer(const std::vector<uint8_t> &buffer) { + assert(key_ != nullptr); + CryptoHashEVP hash_evp = CryptoHash::getEVP(getHashType()); - // Compute signature - PARCSignature *signature = parcSigner_SignDigestNoAlloc( - signer_, hash.hash_, packet->getSignature(), (uint32_t)signature_len); - PARCBuffer *buffer = parcSignature_GetSignature(signature); - size_t bytes_len = parcBuffer_Remaining(buffer); + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } - if (bytes_len > signature_len) { - throw errors::MalformedAHPacketException(); + shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); + + if (mdctx == nullptr) { + throw errors::RuntimeException("Digest context allocation failed"); } - // Put signature in AH header - hicn_packet_copy_header(format, &header_copy, packet->packet_start_, false); + if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, + key_.get()) != 1) { + throw errors::RuntimeException("Digest initialization failed"); + } - // Release allocated objects - parcSignature_Release(&signature); -} + if (EVP_DigestSignUpdate(mdctx.get(), buffer.data(), buffer.size()) != 1) { + throw errors::RuntimeException("Digest update failed"); + } -void Signer::setSigner(PARCSigner *signer) { - parcAssertNotNull(signer, "Expected non-null signer"); + if (EVP_DigestSignFinal(mdctx.get(), nullptr, &signature_len_) != 1) { + throw errors::RuntimeException("Digest computation failed"); + } - if (signer_) parcSigner_Release(&signer_); - if (key_id_) parcKeyId_Release(&key_id_); + signature_.resize(signature_len_); - signer_ = parcSigner_Acquire(signer); - key_id_ = parcSigner_CreateKeyId(signer_); -} + if (EVP_DigestSignFinal(mdctx.get(), signature_.data(), &signature_len_) != + 1) { + throw errors::RuntimeException("Digest computation failed"); + } -size_t Signer::getSignatureSize() const { - parcAssertNotNull(signer_, "Expected non-null signer"); - return parcSigner_GetSignatureSize(signer_); + signature_.resize(signature_len_); } -CryptoSuite Signer::getCryptoSuite() const { - parcAssertNotNull(signer_, "Expected non-null signer"); - return static_cast<CryptoSuite>(parcSigner_GetCryptoSuite(signer_)); -} +void Signer::signBuffer(const utils::MemBuf *buffer) { + assert(key_ != nullptr); + CryptoHashEVP hash_evp = CryptoHash::getEVP(getHashType()); -CryptoHashType Signer::getCryptoHashType() const { - parcAssertNotNull(signer_, "Expected non-null signer"); - return static_cast<CryptoHashType>(parcSigner_GetCryptoHashType(signer_)); -} + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } -PARCSigner *Signer::getParcSigner() const { return signer_; } + const utils::MemBuf *p = buffer; + shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); -PARCKeyStore *Signer::getParcKeyStore() const { - parcAssertNotNull(signer_, "Expected non-null signer"); - return parcSigner_GetKeyStore(signer_); -} + if (mdctx == nullptr) { + throw errors::RuntimeException("Digest context allocation failed"); + } + + if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, + key_.get()) != 1) { + throw errors::RuntimeException("Digest initialization failed"); + } + + do { + if (EVP_DigestSignUpdate(mdctx.get(), p->data(), p->length()) != 1) { + throw errors::RuntimeException("Digest update failed"); + } -AsymmetricSigner::AsymmetricSigner(CryptoSuite suite, PARCKeyStore *key_store) { - parcAssertNotNull(key_store, "Expected non-null key_store"); + p = p->next(); + } while (p != buffer); - auto crypto_suite = static_cast<PARCCryptoSuite>(suite); + if (EVP_DigestSignFinal(mdctx.get(), nullptr, &signature_len_) != 1) { + throw errors::RuntimeException("Digest computation failed"); + } + + signature_.resize(signature_len_); - switch (suite) { - case CryptoSuite::DSA_SHA256: - case CryptoSuite::RSA_SHA256: - case CryptoSuite::RSA_SHA512: - case CryptoSuite::ECDSA_256K1: - break; - default: - throw errors::RuntimeException( - "Invalid crypto suite for asymmetric signer"); + if (EVP_DigestSignFinal(mdctx.get(), signature_.data(), &signature_len_) != + 1) { + throw errors::RuntimeException("Digest computation failed"); } - setSigner( - parcSigner_Create(parcPublicKeySigner_Create(key_store, crypto_suite), - PARCPublicKeySignerAsSigner)); + signature_.resize(signature_len_); } -SymmetricSigner::SymmetricSigner(CryptoSuite suite, PARCKeyStore *key_store) { - parcAssertNotNull(key_store, "Expected non-null key_store"); +vector<uint8_t> Signer::getSignature() const { return signature_; } - auto crypto_suite = static_cast<PARCCryptoSuite>(suite); +size_t Signer::getSignatureSize() const { return signature_len_; } - switch (suite) { - case CryptoSuite::HMAC_SHA256: - case CryptoSuite::HMAC_SHA512: - break; - default: - throw errors::RuntimeException( - "Invalid crypto suite for symmetric signer"); +size_t Signer::getSignatureFieldSize() const { + if (signature_len_ % 4 == 0) { + return signature_len_; } - setSigner(parcSigner_Create(parcSymmetricKeySigner_Create( - (PARCSymmetricKeyStore *)key_store, - parcCryptoSuite_GetCryptoHash(crypto_suite)), - PARCSymmetricKeySignerAsSigner)); + return (signature_len_ + 4) - (signature_len_ % 4); } -SymmetricSigner::SymmetricSigner(CryptoSuite suite, const string &passphrase) { - auto crypto_suite = static_cast<PARCCryptoSuite>(suite); - - switch (suite) { - case CryptoSuite::HMAC_SHA256: - case CryptoSuite::HMAC_SHA512: - break; - default: - throw errors::RuntimeException( - "Invalid crypto suite for symmetric signer"); - } +CryptoHashType Signer::getHashType() const { + return ::transport::auth::getHashType(suite_); +} + +CryptoSuite Signer::getSuite() const { return suite_; } - PARCBufferComposer *composer = parcBufferComposer_Create(); - parcBufferComposer_PutString(composer, passphrase.c_str()); - PARCBuffer *key_buf = parcBufferComposer_ProduceBuffer(composer); - parcBufferComposer_Release(&composer); +// --------------------------------------------------------- +// Void Signer +// --------------------------------------------------------- +void VoidSigner::signPacket(PacketPtr packet){}; - PARCSymmetricKeyStore *key_store = parcSymmetricKeyStore_Create(key_buf); - PARCSymmetricKeySigner *key_signer = parcSymmetricKeySigner_Create( - key_store, parcCryptoSuite_GetCryptoHash(crypto_suite)); +void VoidSigner::signBuffer(const std::vector<uint8_t> &buffer){}; - setSigner(parcSigner_Create(key_signer, PARCSymmetricKeySignerAsSigner)); +void VoidSigner::signBuffer(const utils::MemBuf *buffer){}; + +// --------------------------------------------------------- +// Asymmetric Signer +// --------------------------------------------------------- +AsymmetricSigner::AsymmetricSigner(CryptoSuite suite, shared_ptr<EVP_PKEY> key, + shared_ptr<EVP_PKEY> pub_key) { + suite_ = suite; + key_ = key; + key_id_ = CryptoHash(getHashType()); + + vector<uint8_t> pbk(i2d_PublicKey(pub_key.get(), nullptr)); + uint8_t *pbk_ptr = pbk.data(); + int len = i2d_PublicKey(pub_key.get(), &pbk_ptr); + + signature_len_ = EVP_PKEY_size(key.get()); + signature_.resize(signature_len_); + key_id_.computeDigest(pbk_ptr, len); +} + +size_t AsymmetricSigner::getSignatureFieldSize() const { + size_t field_size = EVP_PKEY_size(key_.get()); + + if (field_size % 4 == 0) { + return field_size; + } + + return (field_size + 4) - (field_size % 4); +} + +// --------------------------------------------------------- +// Symmetric Signer +// --------------------------------------------------------- +SymmetricSigner::SymmetricSigner(CryptoSuite suite, const string &passphrase) { + suite_ = suite; + key_ = shared_ptr<EVP_PKEY>( + EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, nullptr, + (const unsigned char *)passphrase.c_str(), + passphrase.size()), + EVP_PKEY_free); + key_id_ = CryptoHash(getHashType()); + + CryptoHashEVP hash_evp = CryptoHash::getEVP(getHashType()); + + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } - parcSymmetricKeySigner_Release(&key_signer); - parcSymmetricKeyStore_Release(&key_store); - parcBuffer_Release(&key_buf); + signature_len_ = EVP_MD_size((*hash_evp)()); + signature_.resize(signature_len_); + key_id_.computeDigest((uint8_t *)passphrase.c_str(), passphrase.size()); } } // namespace auth diff --git a/libtransport/src/auth/verifier.cc b/libtransport/src/auth/verifier.cc index c6648a763..c9ac1650f 100644 --- a/libtransport/src/auth/verifier.cc +++ b/libtransport/src/auth/verifier.cc @@ -16,168 +16,125 @@ #include <hicn/transport/auth/verifier.h> #include <protocols/errors.h> -extern "C" { -#ifndef _WIN32 -TRANSPORT_CLANG_DISABLE_WARNING("-Wextern-c-compat") -#endif -#include <hicn/hicn.h> -} - -#include <sys/stat.h> - using namespace std; namespace transport { namespace auth { -const std::vector<VerificationPolicy> Verifier::DEFAULT_FAILED_POLICIES = { +const vector<VerificationPolicy> Verifier::DEFAULT_FAILED_POLICIES = { VerificationPolicy::DROP, VerificationPolicy::ABORT, }; +// --------------------------------------------------------- +// Base Verifier +// --------------------------------------------------------- Verifier::Verifier() - : hasher_(nullptr), - verifier_(nullptr), - verification_failed_cb_(interface::VOID_HANDLER), - failed_policies_(DEFAULT_FAILED_POLICIES) { - parcSecurity_Init(); - PARCInMemoryVerifier *in_memory_verifier = parcInMemoryVerifier_Create(); - verifier_ = - parcVerifier_Create(in_memory_verifier, PARCInMemoryVerifierAsVerifier); - parcInMemoryVerifier_Release(&in_memory_verifier); -} + : verification_failed_cb_(interface::VOID_HANDLER), + failed_policies_(DEFAULT_FAILED_POLICIES) {} -Verifier::~Verifier() { - if (hasher_) parcCryptoHasher_Release(&hasher_); - if (verifier_) parcVerifier_Release(&verifier_); - parcSecurity_Fini(); -} +Verifier::~Verifier() {} bool Verifier::verifyPacket(PacketPtr packet) { - bool valid_packet = false; core::Packet::Format format = packet->getFormat(); if (!packet->authenticationHeader()) { throw errors::MalformedAHPacketException(); } - // Get crypto suite and hash type - auto suite = static_cast<PARCCryptoSuite>(packet->getValidationAlgorithm()); - PARCCryptoHashType hash_type = parcCryptoSuite_GetCryptoHash(suite); + // Get crypto suite, hash type, signature length + CryptoSuite suite = packet->getValidationAlgorithm(); + CryptoHashType hash_type = getHashType(suite); + size_t signature_len = packet->getSignatureSizeReal(); // Copy IP+TCP / ICMP header before zeroing them hicn_header_t header_copy; hicn_packet_copy_header(format, packet->packet_start_, &header_copy, false); + packet->setSignatureSizeGap(0u); - // Fetch packet signature + // Retrieve packet signature uint8_t *packet_signature = packet->getSignature(); - size_t signature_len = Verifier::getSignatureSize(packet); vector<uint8_t> signature_raw(packet_signature, packet_signature + signature_len); - // Create a signature buffer from the raw packet signature - PARCBuffer *bits = - parcBuffer_Wrap(signature_raw.data(), signature_len, 0, signature_len); - parcBuffer_Rewind(bits); - - // If the signature algo is ECDSA, the signature might be shorter than the - // signature field - PARCSigningAlgorithm algo = parcCryptoSuite_GetSigningAlgorithm(suite); - if (algo == PARCSigningAlgorithm_ECDSA) { - while (parcBuffer_HasRemaining(bits) && parcBuffer_GetUint8(bits) == 0) - ; - parcBuffer_SetPosition(bits, parcBuffer_Position(bits) - 1); - } - - if (!parcBuffer_HasRemaining(bits)) { - parcBuffer_Release(&bits); - return false; - } - - // Create a signature object from the signature buffer - PARCSignature *signature = parcSignature_Create( - parcCryptoSuite_GetSigningAlgorithm(suite), hash_type, bits); - - // Fetch the key to verify the signature - KeyId key_buffer = packet->getKeyId(); - PARCBuffer *buffer = parcBuffer_Wrap(key_buffer.first, key_buffer.second, 0, - key_buffer.second); - PARCKeyId *key_id = parcKeyId_Create(buffer); - // Reset fields that are not used to compute signature packet->resetForHash(); - // Compute the packet hash - if (!hasher_) - setHasher(parcVerifier_GetCryptoHasher(verifier_, key_id, hash_type)); - CryptoHash local_hash = computeHash(packet); - - // Compare the packet signature to the locally computed one - valid_packet = parcVerifier_VerifyDigestSignature( - verifier_, key_id, local_hash.hash_, suite, signature); + // Check signatures + bool valid_packet = verifyBuffer(static_cast<utils::MemBuf *>(packet), + signature_raw, hash_type); - // Restore the fields that were reset + // Restore header hicn_packet_copy_header(format, &header_copy, packet->packet_start_, false); - - // Release allocated objects - parcBuffer_Release(&buffer); - parcKeyId_Release(&key_id); - parcSignature_Release(&signature); - parcBuffer_Release(&bits); + packet->setSignatureSizeGap(packet->getSignatureSize() - signature_len); return valid_packet; } -vector<VerificationPolicy> Verifier::verifyPackets( - const vector<PacketPtr> &packets) { - vector<VerificationPolicy> policies(packets.size(), VerificationPolicy::DROP); +Verifier::PolicyMap Verifier::verifyPackets(const vector<PacketPtr> &packets) { + PolicyMap policies; + + for (const auto &packet : packets) { + Suffix suffix = packet->getName().getSuffix(); + VerificationPolicy policy = VerificationPolicy::ABORT; - for (unsigned int i = 0; i < packets.size(); ++i) { - if (verifyPacket(packets[i])) { - policies[i] = VerificationPolicy::ACCEPT; + if (verifyPacket(packet)) { + policy = VerificationPolicy::ACCEPT; } - callVerificationFailedCallback(packets[i], policies[i]); + policies[suffix] = policy; + callVerificationFailedCallback(packet, policy); } return policies; } -vector<VerificationPolicy> Verifier::verifyPackets( - const vector<PacketPtr> &packets, - const unordered_map<Suffix, HashEntry> &suffix_map) { - vector<VerificationPolicy> policies(packets.size(), - VerificationPolicy::UNKNOWN); +Verifier::PolicyMap Verifier::verifyHashes(const SuffixMap &packet_map, + const SuffixMap &suffix_map) { + PolicyMap policies; - for (unsigned int i = 0; i < packets.size(); ++i) { - uint32_t suffix = packets[i]->getName().getSuffix(); - auto manifest_hash = suffix_map.find(suffix); + for (const auto &packet_hash : packet_map) { + VerificationPolicy policy = VerificationPolicy::UNKNOWN; + auto manifest_hash = suffix_map.find(packet_hash.first); if (manifest_hash != suffix_map.end()) { - CryptoHashType hash_type = manifest_hash->second.first; - CryptoHash packet_hash = packets[i]->computeDigest(hash_type); - - if (!CryptoHash::compareBinaryDigest( - packet_hash.getDigest<uint8_t>().data(), - manifest_hash->second.second.data(), hash_type)) { - policies[i] = VerificationPolicy::ABORT; - } else { - policies[i] = VerificationPolicy::ACCEPT; + policy = VerificationPolicy::ABORT; + + if (packet_hash.second == manifest_hash->second) { + policy = VerificationPolicy::ACCEPT; } } - callVerificationFailedCallback(packets[i], policies[i]); + policies[packet_hash.first] = policy; } return policies; } -void Verifier::addKey(PARCKey *key) { parcVerifier_AddKey(verifier_, key); } +Verifier::PolicyMap Verifier::verifyPackets(const vector<PacketPtr> &packets, + const SuffixMap &suffix_map) { + PolicyMap policies; + + for (const auto &packet : packets) { + Suffix suffix = packet->getName().getSuffix(); + VerificationPolicy policy = VerificationPolicy::UNKNOWN; + auto manifest_hash = suffix_map.find(suffix); + + if (manifest_hash != suffix_map.end()) { + policy = VerificationPolicy::ABORT; + CryptoHashType hash_type = manifest_hash->second.getType(); + CryptoHash packet_hash = packet->computeDigest(hash_type); + + if (packet_hash == manifest_hash->second) { + policy = VerificationPolicy::ACCEPT; + } + } -void Verifier::setHasher(PARCCryptoHasher *hasher) { - parcAssertNotNull(hasher, "Expected non-null hasher"); - if (hasher_) parcCryptoHasher_Release(&hasher_); - hasher_ = parcCryptoHasher_Acquire(hasher); + policies[suffix] = policy; + callVerificationFailedCallback(packet, policy); + } + + return policies; } void Verifier::setVerificationFailedCallback( @@ -192,27 +149,6 @@ void Verifier::getVerificationFailedCallback( *verfication_failed_cb = &verification_failed_cb_; } -size_t Verifier::getSignatureSize(const PacketPtr packet) { - return packet->getSignatureSize(); -} - -CryptoHash Verifier::computeHash(PacketPtr packet) { - parcAssertNotNull(hasher_, "Expected non-null hasher"); - - CryptoHasher crypto_hasher(hasher_); - const utils::MemBuf &header_chain = *packet; - const utils::MemBuf *current = &header_chain; - - crypto_hasher.init(); - - do { - crypto_hasher.updateBytes(current->data(), current->length()); - current = current->next(); - } while (current != &header_chain); - - return crypto_hasher.finalize(); -} - void Verifier::callVerificationFailedCallback(PacketPtr packet, VerificationPolicy &policy) { if (verification_failed_cb_ == interface::VOID_HANDLER) { @@ -228,107 +164,222 @@ void Verifier::callVerificationFailedCallback(PacketPtr packet, } } +// --------------------------------------------------------- +// Void Verifier +// --------------------------------------------------------- bool VoidVerifier::verifyPacket(PacketPtr packet) { return true; } -vector<VerificationPolicy> VoidVerifier::verifyPackets( +bool VoidVerifier::verifyBuffer(const vector<uint8_t> &buffer, + const vector<uint8_t> &signature, + CryptoHashType hash_type) { + return true; +} + +bool VoidVerifier::verifyBuffer(const utils::MemBuf *buffer, + const vector<uint8_t> &signature, + CryptoHashType hash_type) { + return true; +} + +Verifier::PolicyMap VoidVerifier::verifyPackets( const vector<PacketPtr> &packets) { - return vector<VerificationPolicy>(packets.size(), VerificationPolicy::ACCEPT); + PolicyMap policies; + + for (const auto &packet : packets) { + policies[packet->getName().getSuffix()] = VerificationPolicy::ACCEPT; + } + + return policies; } -vector<VerificationPolicy> VoidVerifier::verifyPackets( - const vector<PacketPtr> &packets, - const unordered_map<Suffix, HashEntry> &suffix_map) { - return vector<VerificationPolicy>(packets.size(), VerificationPolicy::ACCEPT); +Verifier::PolicyMap VoidVerifier::verifyPackets( + const vector<PacketPtr> &packets, const SuffixMap &suffix_map) { + return verifyPackets(packets); } -AsymmetricVerifier::AsymmetricVerifier(PARCKey *pub_key) { addKey(pub_key); } +// --------------------------------------------------------- +// Asymmetric Verifier +// --------------------------------------------------------- +AsymmetricVerifier::AsymmetricVerifier(shared_ptr<EVP_PKEY> key) { + setKey(key); +} AsymmetricVerifier::AsymmetricVerifier(const string &cert_path) { - setCertificate(cert_path); + useCertificate(cert_path); +} + +AsymmetricVerifier::AsymmetricVerifier(shared_ptr<X509> cert) { + useCertificate(cert); } -void AsymmetricVerifier::setCertificate(const string &cert_path) { - PARCCertificateFactory *factory = parcCertificateFactory_Create( - PARCCertificateType_X509, PARCContainerEncoding_PEM); +void AsymmetricVerifier::setKey(shared_ptr<EVP_PKEY> key) { key_ = key; }; - struct stat buffer; - if (stat(cert_path.c_str(), &buffer) != 0) { - throw errors::RuntimeException("Certificate does not exist"); +void AsymmetricVerifier::useCertificate(const string &cert_path) { + FILE *certf = fopen(cert_path.c_str(), "rb"); + + if (certf == nullptr) { + throw errors::RuntimeException("Certificate not found"); } - PARCCertificate *certificate = - parcCertificateFactory_CreateCertificateFromFile(factory, - cert_path.c_str(), NULL); - PARCKey *key = parcCertificate_GetPublicKey(certificate); + shared_ptr<X509> cert = shared_ptr<X509>( + PEM_read_X509(certf, nullptr, nullptr, nullptr), ::X509_free); + useCertificate(cert); - addKey(key); + fclose(certf); +} - parcKey_Release(&key); - parcCertificateFactory_Release(&factory); +void AsymmetricVerifier::useCertificate(shared_ptr<X509> cert) { + key_ = shared_ptr<EVP_PKEY>(X509_get_pubkey(cert.get()), ::EVP_PKEY_free); } -SymmetricVerifier::SymmetricVerifier(const string &passphrase) - : passphrase_(nullptr), signer_(nullptr) { - setPassphrase(passphrase); +bool AsymmetricVerifier::verifyBuffer(const vector<uint8_t> &buffer, + const vector<uint8_t> &signature, + CryptoHashType hash_type) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type); + + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } + + shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); + + if (mdctx == nullptr) { + throw errors::RuntimeException("Digest context allocation failed"); + } + + if (EVP_DigestVerifyInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, + key_.get()) != 1) { + throw errors::RuntimeException("Digest initialization failed"); + } + + if (EVP_DigestVerifyUpdate(mdctx.get(), buffer.data(), buffer.size()) != 1) { + throw errors::RuntimeException("Digest update failed"); + } + + return EVP_DigestVerifyFinal(mdctx.get(), signature.data(), + signature.size()) == 1; +} + +bool AsymmetricVerifier::verifyBuffer(const utils::MemBuf *buffer, + const vector<uint8_t> &signature, + CryptoHashType hash_type) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type); + + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } + + const utils::MemBuf *p = buffer; + shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); + + if (mdctx == nullptr) { + throw errors::RuntimeException("Digest context allocation failed"); + } + + if (EVP_DigestVerifyInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, + key_.get()) != 1) { + throw errors::RuntimeException("Digest initialization failed"); + } + + do { + if (EVP_DigestVerifyUpdate(mdctx.get(), p->data(), p->length()) != 1) { + throw errors::RuntimeException("Digest update failed"); + } + + p = p->next(); + } while (p != buffer); + + return EVP_DigestVerifyFinal(mdctx.get(), signature.data(), + signature.size()) == 1; } -SymmetricVerifier::~SymmetricVerifier() { - if (passphrase_) parcBuffer_Release(&passphrase_); - if (signer_) parcSigner_Release(&signer_); +// --------------------------------------------------------- +// Symmetric Verifier +// --------------------------------------------------------- +SymmetricVerifier::SymmetricVerifier(const string &passphrase) { + setPassphrase(passphrase); } +// Create and set a symmetric key from a passphrase. void SymmetricVerifier::setPassphrase(const string &passphrase) { - if (passphrase_) parcBuffer_Release(&passphrase_); - - PARCBufferComposer *composer = parcBufferComposer_Create(); - parcBufferComposer_PutString(composer, passphrase.c_str()); - passphrase_ = parcBufferComposer_ProduceBuffer(composer); - parcBufferComposer_Release(&composer); + key_ = shared_ptr<EVP_PKEY>( + EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, nullptr, + (const unsigned char *)passphrase.c_str(), + passphrase.size()), + EVP_PKEY_free); } -void SymmetricVerifier::setSigner(const PARCCryptoSuite &suite) { - parcAssertNotNull(passphrase_, "Expected non-null passphrase"); +bool SymmetricVerifier::verifyBuffer(const vector<uint8_t> &buffer, + const vector<uint8_t> &signature, + CryptoHashType hash_type) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type); - if (signer_) parcSigner_Release(&signer_); + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } + + vector<uint8_t> signature_bis(signature.size()); + size_t signature_bis_len; + shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); - PARCSymmetricKeyStore *key_store = parcSymmetricKeyStore_Create(passphrase_); - PARCSymmetricKeySigner *key_signer = parcSymmetricKeySigner_Create( - key_store, parcCryptoSuite_GetCryptoHash(suite)); - signer_ = parcSigner_Create(key_signer, PARCSymmetricKeySignerAsSigner); + if (mdctx == nullptr) { + throw errors::RuntimeException("Digest context allocation failed"); + } - PARCKeyId *key_id = parcSigner_CreateKeyId(signer_); - PARCKey *key = parcKey_CreateFromSymmetricKey( - key_id, parcSigner_GetSigningAlgorithm(signer_), passphrase_); + if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, + key_.get()) != 1) { + throw errors::RuntimeException("Digest initialization failed"); + } - addKey(key); - setHasher(parcSigner_GetCryptoHasher(signer_)); + if (EVP_DigestSignUpdate(mdctx.get(), buffer.data(), buffer.size()) != 1) { + throw errors::RuntimeException("Digest update failed"); + } - parcSymmetricKeyStore_Release(&key_store); - parcSymmetricKeySigner_Release(&key_signer); - parcKeyId_Release(&key_id); - parcKey_Release(&key); + if (EVP_DigestSignFinal(mdctx.get(), signature_bis.data(), + &signature_bis_len) != 1) { + throw errors::RuntimeException("Digest computation failed"); + } + + return signature == signature_bis && signature.size() == signature_bis_len; } -vector<VerificationPolicy> SymmetricVerifier::verifyPackets( - const vector<PacketPtr> &packets) { - vector<VerificationPolicy> policies(packets.size(), VerificationPolicy::DROP); +bool SymmetricVerifier::verifyBuffer(const utils::MemBuf *buffer, + const vector<uint8_t> &signature, + CryptoHashType hash_type) { + CryptoHashEVP hash_evp = CryptoHash::getEVP(hash_type); + + if (hash_evp == nullptr) { + throw errors::RuntimeException("Unknown hash type"); + } - for (unsigned int i = 0; i < packets.size(); ++i) { - auto suite = - static_cast<PARCCryptoSuite>(packets[i]->getValidationAlgorithm()); + const utils::MemBuf *p = buffer; + vector<uint8_t> signature_bis(signature.size()); + size_t signature_bis_len; + shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); - if (!signer_ || suite != parcSigner_GetCryptoSuite(signer_)) { - setSigner(suite); - } + if (mdctx == nullptr) { + throw errors::RuntimeException("Digest context allocation failed"); + } - if (verifyPacket(packets[i])) { - policies[i] = VerificationPolicy::ACCEPT; + if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, + key_.get()) != 1) { + throw errors::RuntimeException("Digest initialization failed"); + } + + do { + if (EVP_DigestSignUpdate(mdctx.get(), p->data(), p->length()) != 1) { + throw errors::RuntimeException("Digest update failed"); } - callVerificationFailedCallback(packets[i], policies[i]); + p = p->next(); + } while (p != buffer); + + if (EVP_DigestSignFinal(mdctx.get(), signature_bis.data(), + &signature_bis_len) != 1) { + throw errors::RuntimeException("Digest computation failed"); } - return policies; + return signature == signature_bis && signature.size() == signature_bis_len; } } // namespace auth |