Diffstat (limited to 'libtransport/includes/hicn/transport/auth')
9 files changed, 85 insertions, 132 deletions
diff --git a/libtransport/includes/hicn/transport/auth/CMakeLists.txt b/libtransport/includes/hicn/transport/auth/CMakeLists.txt
index 1e9fe4698..0b5ae1836 100644
--- a/libtransport/includes/hicn/transport/auth/CMakeLists.txt
+++ b/libtransport/includes/hicn/transport/auth/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2017-2019 Cisco and/or its affiliates.
+# Copyright (c) 2021 Cisco and/or its affiliates.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
@@ -15,7 +15,6 @@ list(APPEND HEADER_FILES
 ${CMAKE_CURRENT_SOURCE_DIR}/common.h
 ${CMAKE_CURRENT_SOURCE_DIR}/crypto_hash.h
 ${CMAKE_CURRENT_SOURCE_DIR}/crypto_suite.h
- ${CMAKE_CURRENT_SOURCE_DIR}/identity.h
 ${CMAKE_CURRENT_SOURCE_DIR}/key_id.h
 ${CMAKE_CURRENT_SOURCE_DIR}/policies.h
 ${CMAKE_CURRENT_SOURCE_DIR}/signer.h
diff --git a/libtransport/includes/hicn/transport/auth/common.h b/libtransport/includes/hicn/transport/auth/common.h
index fb0e82eb7..d2282436e 100644
--- a/libtransport/includes/hicn/transport/auth/common.h
+++ b/libtransport/includes/hicn/transport/auth/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Copyright (c) 2021 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
diff --git a/libtransport/includes/hicn/transport/auth/crypto_hash.h b/libtransport/includes/hicn/transport/auth/crypto_hash.h
index 90f1627e9..9535e07c7 100644
--- a/libtransport/includes/hicn/transport/auth/crypto_hash.h
+++ b/libtransport/includes/hicn/transport/auth/crypto_hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Copyright (c) 2021 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
@@ -27,8 +27,6 @@ extern "C" {
 namespace transport {
 namespace auth {
-typedef const EVP_MD *(*CryptoHashEVP)(void);
-
 enum class CryptoHashType : uint8_t {
 UNKNOWN,
 SHA256,
@@ -42,7 +40,7 @@ class CryptoHash {
 // Constructors
 CryptoHash();
 CryptoHash(const CryptoHash &other);
- CryptoHash(CryptoHash &&other);
+ CryptoHash(CryptoHash &&other) noexcept;
 CryptoHash(CryptoHashType hash_type);
 CryptoHash(const uint8_t *hash, std::size_t size, CryptoHashType hash_type);
 CryptoHash(const std::vector<uint8_t> &hash, CryptoHashType hash_type);
@@ -57,12 +55,10 @@ class CryptoHash {
 // Compute the hash of given buffer
 void computeDigest(const uint8_t *buffer, std::size_t len);
 void computeDigest(const std::vector<uint8_t> &buffer);
-
- // Compute the hash of given membuf
 void computeDigest(const utils::MemBuf *buffer);
 // Return the computed hash
- std::vector<uint8_t> getDigest() const;
+ const utils::MemBuf::Ptr &getDigest() const;
 // Return the computed hash as a string
 std::string getStringDigest() const;
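Review bot: In the @@ -57,12 hunk, `getDigest()` now hands out a `const utils::MemBuf::Ptr &` to the member `digest_`, but the comment `// Return the computed hash` does not say that the reference aliases the object's own state. Document that the reference is only valid until the next `computeDigest()` or `reset()` call, and — if `MemBuf::Ptr` is a shared pointer to a mutable buffer, which this hunk does not show — that a caller can modify the stored digest through it, so code comparing digests should treat it as read-only. Suggested comment: `// Return the computed hash. The reference aliases internal state: it is invalidated by computeDigest()/reset() and the buffer must not be modified by the caller.` The class body continues outside the hunk.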
@@ -82,19 +78,19 @@ class CryptoHash {
 // Reset hash
 void reset();
- // Return OpenSSL EVP function associated to a given hash type
- static CryptoHashEVP getEVP(CryptoHashType hash_type);
+ // Return the OpenSSL EVP_MD pointer associated to a given hash type
+ static const EVP_MD *getMD(CryptoHashType hash_type);
 // Return hash size
 static std::size_t getSize(CryptoHashType hash_type);
 // Compare two raw buffers
- static bool compareDigest(const uint8_t *h1, const uint8_t *h2,
+ static bool compareDigest(const uint8_t *digest1, const uint8_t *digest2,
 CryptoHashType hash_type);
 private:
 CryptoHashType digest_type_;
- std::vector<uint8_t> digest_;
+ utils::MemBuf::Ptr digest_;
 std::size_t digest_size_;
 };
diff --git a/libtransport/includes/hicn/transport/auth/crypto_suite.h b/libtransport/includes/hicn/transport/auth/crypto_suite.h
index d0f1de395..f3b535264 100644
--- a/libtransport/includes/hicn/transport/auth/crypto_suite.h
+++ b/libtransport/includes/hicn/transport/auth/crypto_suite.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Copyright (c) 2021 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
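Review bot: `compareDigest(const uint8_t *digest1, const uint8_t *digest2, CryptoHashType hash_type)` states no precondition on the two raw pointers, and since this hunk renames its parameters it is the place to spell it out: both buffers must hold at least `getSize(hash_type)` bytes, and the result for `CryptoHashType::UNKNOWN` should be stated. Whether the comparison runs in constant time is not visible here; if this helper is used on signature or MAC material, document that it is constant-time, or that it is not and why. Suggested comment: `// Compare two raw digests of getSize(hash_type) bytes each; both pointers must be non-null.`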
@@ -26,29 +26,36 @@ namespace auth {
 enum class CryptoSuite : uint8_t {
 UNKNOWN,
+ DSA_BLAKE2B512,
+ DSA_BLAKE2S256,
+ DSA_SHA256,
+ DSA_SHA512,
 ECDSA_BLAKE2B512,
 ECDSA_BLAKE2S256,
 ECDSA_SHA256,
 ECDSA_SHA512,
- RSA_BLAKE2B512,
- RSA_BLAKE2S256,
- RSA_SHA256,
- RSA_SHA512,
+ ED25519,
+ ED448,
 HMAC_BLAKE2B512,
 HMAC_BLAKE2S256,
 HMAC_SHA256,
 HMAC_SHA512,
- DSA_BLAKE2B512,
- DSA_BLAKE2S256,
- DSA_SHA256,
- DSA_SHA512,
+ RSA_BLAKE2B512,
+ RSA_BLAKE2S256,
+ RSA_SHA256,
+ RSA_SHA512,
 };
 // Return the suite associated to the given NID
 CryptoSuite getSuite(int nid);
+// Return the string representation of given suite
+std::string getStringSuite(CryptoSuite suite);
+
 // Return the hash type associated to the given suite
 CryptoHashType getHashType(CryptoSuite suite);
+// Return the OpenSSL EVP_MD pointer associated to a given suite
+const EVP_MD *getMD(CryptoSuite suite);
 } // namespace auth
 } // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/identity.h b/libtransport/includes/hicn/transport/auth/identity.h
deleted file mode 100644
index be072f5d3..000000000
--- a/libtransport/includes/hicn/transport/auth/identity.h
+++ /dev/null
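Review bot: Reordering `enum class CryptoSuite : uint8_t` (DSA_* inserted before ECDSA_*, RSA_* moved to the end, ED25519/ED448 added) changes the integer value of every existing enumerator. The `uint8_t` underlying type suggests the value may be carried in a packet field or persisted; if it is, a peer built before this change decodes a different suite from the same byte, and `getSuite(int nid)` and the new `getStringSuite` must agree with the new numbering — that mapping is outside the hunk. If the numbers are meant to be stable, say so in the enum and append new suites at the end; if not, document that the values are internal only. Suggested comment above the enum: `// Enumerator order defines the numeric suite id; do not reorder without updating any code that serializes it.`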
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 2017-2021 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include <errno.h>
-#include <fcntl.h>
-#include <hicn/transport/auth/signer.h>
-#include <unistd.h>
-
-extern "C" {
-#include <openssl/pkcs12.h>
-#include <openssl/rand.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-}
-
-namespace transport {
-namespace auth {
-
-class Identity {
- // This class holds several information about a client, including its public
- // key.
- public:
- // Generate a new identity from the given parameters. The identity will be
- // saved in 'keystore_path' and encrypted using 'keystore_pwd'.
- Identity(const std::string &keystore_path, const std::string &keystore_pwd,
- CryptoSuite suite, unsigned int signature_len,
- unsigned int validity_days, const std::string &subject_name);
-
- // Create an identity from an already existing keystore path.
- Identity(std::string &keystore_path, std::string &keystore_pwd,
- CryptoHashType hash_type);
-
- Identity(const Identity &other);
- Identity(Identity &&other);
- ~Identity();
-
- // Return the asymmetric signer object created from the public key.
- std::shared_ptr<AsymmetricSigner> getSigner() const;
-
- // Return the key store filename.
- std::string getFilename() const;
-
- // Return the key store password.
- std::string getPassword() const;
-
- std::shared_ptr<X509> getCertificate() const;
-
- std::shared_ptr<EVP_PKEY> getPrivateKey() const;
-
- // Generate a new random identity.
- static Identity generateIdentity(const std::string &subject_name = "");
-
- private:
- static void free_key(EVP_PKEY *T) { EVP_PKEY_free(T); }
-
- std::string pwd_;
- std::string filename_;
- std::shared_ptr<AsymmetricSigner> signer_;
- std::shared_ptr<X509> cert_;
-};
-
-} // namespace auth
-} // namespace transport
diff --git a/libtransport/includes/hicn/transport/auth/key_id.h b/libtransport/includes/hicn/transport/auth/key_id.h
index 3aa09336f..8723ae698 100644
--- a/libtransport/includes/hicn/transport/auth/key_id.h
+++ b/libtransport/includes/hicn/transport/auth/key_id.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2019 Cisco and/or its affiliates.
+ * Copyright (c) 2021 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
diff --git a/libtransport/includes/hicn/transport/auth/policies.h b/libtransport/includes/hicn/transport/auth/policies.h
index 00464d54b..b9755595c 100644
--- a/libtransport/includes/hicn/transport/auth/policies.h
+++ b/libtransport/includes/hicn/transport/auth/policies.h
@@ -23,10 +23,10 @@ namespace auth {
 * perform after verification.
 */
 enum class VerificationPolicy {
+ UNKNOWN,
 ABORT,
- ACCEPT,
 DROP,
- UNKNOWN,
+ ACCEPT,
 };
 } // namespace auth
diff --git a/libtransport/includes/hicn/transport/auth/signer.h b/libtransport/includes/hicn/transport/auth/signer.h
index 405dd83cf..f9e07efae 100644
--- a/libtransport/includes/hicn/transport/auth/signer.h
+++ b/libtransport/includes/hicn/transport/auth/signer.h
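Review bot: In the policies.h hunk, moving `UNKNOWN` to the first position makes it the value-initialized state of `VerificationPolicy` (`VerificationPolicy{}` used to be `ABORT` and is now `UNKNOWN`). Any code that default-constructs a policy and later treats anything other than a listed failure policy as accepted would now fail open rather than closed; whether such code exists is not visible in this hunk, but the enum carries no comment saying what `UNKNOWN` means or how a verifier must treat it. Suggest documenting the enumerator, e.g. `UNKNOWN,  // no decision taken yet; must not be interpreted as ACCEPT`, and checking that `failed_policies_` defaults elsewhere still include the intended values.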
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2021 Cisco and/or its affiliates.
+ * Copyright (c) 2021 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
@@ -21,18 +21,19 @@
 #include <hicn/transport/errors/errors.h>
 #include <hicn/transport/utils/membuf.h>
+#include <memory>
 extern "C" {
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
+#include <openssl/pkcs12.h>
+#include <openssl/x509.h>
 }
 namespace transport {
 namespace auth {
-class Identity;
 class Signer {
 // The base class from which all signer classes derive.
- friend class Identity;
 public:
 Signer();
@@ -41,11 +42,15 @@ class Signer {
 // Sign a packet.
 virtual void signPacket(PacketPtr packet);
+ virtual void signBuffer(const uint8_t *buffer, std::size_t len);
 virtual void signBuffer(const std::vector<uint8_t> &buffer);
 virtual void signBuffer(const utils::MemBuf *buffer);
 // Return the signature.
- std::vector<uint8_t> getSignature() const;
+ const utils::MemBuf::Ptr &getSignature() const;
+
+ // Return the signature as a string.
+ std::string getStringSignature() const;
 // Return the signature size in bytes.
 virtual std::size_t getSignatureSize() const;
@@ -61,9 +66,12 @@ class Signer {
 // Return the hash algorithm associated to the signer.
 CryptoHashType getHashType() const;
+ // Print signature to stdout.
+ void display();
+
 protected:
 CryptoSuite suite_;
- std::vector<uint8_t> signature_;
+ utils::MemBuf::Ptr signature_;
 std::size_t signature_len_;
 std::shared_ptr<EVP_PKEY> key_;
 CryptoHash key_id_;
@@ -75,6 +83,7 @@ class VoidSigner : public Signer {
 VoidSigner() = default;
 void signPacket(PacketPtr packet) override;
+ void signBuffer(const uint8_t *buffer, std::size_t len) override;
 void signBuffer(const std::vector<uint8_t> &buffer) override;
 void signBuffer(const utils::MemBuf *buffer) override;
 };
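Review bot: `void display();` in the @@ -61,9 hunk is declared non-const although, per its comment, it only prints the signature; it should be `void display() const;` so it is callable on a `const Signer &`, matching `getStringSignature() const` added at @@ -41,11. Writing straight to stdout from a library class also makes the output hard to capture in tests or route to a logger; consider taking an `std::ostream &` instead. The same aliasing remark made for `CryptoHash::getDigest()` applies to `getSignature()` here: it returns a reference to `signature_`, which the next `sign*()` call presumably replaces, and the comment `// Return the signature.` should say so.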
@@ -84,10 +93,17 @@ class AsymmetricSigner : public Signer {
 public:
 AsymmetricSigner() = default;
- // Construct an AsymmetricSigner from a key store and a given crypto suite.
+ // Create an AsymmetricSigner from a keystore file (.p12).
+ AsymmetricSigner(std::string keystore_path, std::string password);
+
+ // Construct an AsymmetricSigner from a key store and a given crypto
+ // suite.
 AsymmetricSigner(CryptoSuite suite, std::shared_ptr<EVP_PKEY> key,
 std::shared_ptr<EVP_PKEY> pub_key);
+ void setKey(CryptoSuite suite, std::shared_ptr<EVP_PKEY> key,
+ std::shared_ptr<EVP_PKEY> pub_key);
+
 std::size_t getSignatureFieldSize() const override;
 };
diff --git a/libtransport/includes/hicn/transport/auth/verifier.h b/libtransport/includes/hicn/transport/auth/verifier.h
index 6321d4ed5..2e086df4f 100644
--- a/libtransport/includes/hicn/transport/auth/verifier.h
+++ b/libtransport/includes/hicn/transport/auth/verifier.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2021 Cisco and/or its affiliates.
+ * Copyright (c) 2021 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
@@ -40,9 +40,9 @@ class Verifier {
 // The VerificationFailedCallback will be called by the transport if a
 // data packet (either a manifest or a content object) was not validated.
 // The application decides what to do then by returning a
- // VerificationPolicy object.
+ // new VerificationPolicy.
 using VerificationFailedCallback = std::function<auth::VerificationPolicy(
- const core::ContentObject &content_object, std::error_code ec)>;
+ Suffix suffix, VerificationPolicy policy)>;
 // The list of VerificationPolicy that will trigger the
 // VerificationFailedCallback.
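Review bot: The new `AsymmetricSigner(std::string keystore_path, std::string password)` constructor is documented only as `Create an AsymmetricSigner from a keystore file (.p12)`; it should state what `password` is used for (unlocking the PKCS#12 container, given the `<openssl/pkcs12.h>` include added at @@ -21,18) and what happens when the file cannot be read or the password is wrong — exception type or resulting object state — since a caller cannot tell from the header. The password is taken by value as `std::string`, so copies of the secret remain in released heap memory after the call; if that matters for this library, note it so callers can decide how they hold the secret. Suggested comment: `// Create an AsymmetricSigner from a PKCS#12 keystore file (.p12), using 'password' to unlock it; throws [error type - fill in] on failure.`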
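Review bot: In the verifier.h @@ -40,9 hunk, `VerificationFailedCallback` changes from `(const core::ContentObject &, std::error_code)` to `(Suffix suffix, VerificationPolicy policy)`, which breaks every application callback registered against the old type, yet the comment above it is only reworded. Document what the `policy` argument holds — presumably the policy the transport assigned before calling back, to be confirmed against `callVerificationFailedCallback` at @@ -96,13 — and that the returned value replaces it. Suggested addition: `// The callback receives the packet suffix and the policy chosen by the transport, and returns the policy to apply instead.`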
@@ -54,12 +54,15 @@ class Verifier {
 // Verify a single packet or buffer.
 virtual bool verifyPacket(PacketPtr packet);
+ virtual bool verifyBuffer(const uint8_t *buffer, std::size_t len,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) = 0;
 virtual bool verifyBuffer(const std::vector<uint8_t> &buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) = 0;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) = 0;
 virtual bool verifyBuffer(const utils::MemBuf *buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) = 0;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) = 0;
 // Verify a batch of packets. Return a mapping from packet suffixes to their
 // VerificationPolicy.
@@ -96,13 +99,13 @@ class Verifier {
 void getVerificationFailedCallback(
 VerificationFailedCallback **verification_failed_cb);
+ // Call VerificationFailedCallback if it is set and update the packet policy.
+ void callVerificationFailedCallback(Suffix suffix,
+ VerificationPolicy &policy);
+
 protected:
 VerificationFailedCallback verification_failed_cb_;
 std::vector<VerificationPolicy> failed_policies_;
-
- // Call VerificationFailedCallback if it is set and update the packet policy.
- void callVerificationFailedCallback(PacketPtr packet,
- VerificationPolicy &policy);
 };
 class VoidVerifier : public Verifier {
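Review bot: The three pure-virtual `verifyBuffer` overloads in the @@ -54,12 hunk now take the `CryptoSuite` to verify against instead of a `CryptoHashType`, but nothing in the header says what an implementation must do when the suite does not match the key it holds (an HMAC_* suite handed to `AsymmetricVerifier`, or `CryptoSuite::UNKNOWN`). If the suite originates from the packet being verified, which the hunk does not show, a permissive implementation would let the sender pick the algorithm; the contract should require `false` for any suite the verifier was not configured for, for a null `signature`, and for a signature whose size does not match the suite. Suggested comment on the first overload: `// Return true only if 'signature' is a valid signature of the buffer under 'suite' with the configured key; any other suite, a null signature or a size mismatch yields false.` The implementations are outside this hunk.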
@@ -110,12 +113,15 @@ class VoidVerifier : public Verifier {
 // and always returns true.
 public:
 bool verifyPacket(PacketPtr packet) override;
+ bool verifyBuffer(const uint8_t *buffer, std::size_t len,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 bool verifyBuffer(const std::vector<uint8_t> &buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) override;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 bool verifyBuffer(const utils::MemBuf *buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) override;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 PolicyMap verifyPackets(const std::vector<PacketPtr> &packets) override;
@@ -143,12 +149,15 @@ class AsymmetricVerifier : public Verifier {
 void useCertificate(const std::string &cert_path);
 void useCertificate(std::shared_ptr<X509> cert);
+ bool verifyBuffer(const uint8_t *buffer, std::size_t len,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 bool verifyBuffer(const std::vector<uint8_t> &buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) override;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 bool verifyBuffer(const utils::MemBuf *buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) override;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 private:
 std::shared_ptr<EVP_PKEY> key_;
@@ -166,12 +175,15 @@ class SymmetricVerifier : public Verifier {
 // Create and set a symmetric key from a passphrase.
 void setPassphrase(const std::string &passphrase);
+ bool verifyBuffer(const uint8_t *buffer, std::size_t len,
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 bool verifyBuffer(const std::vector<uint8_t> &buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) override;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 bool verifyBuffer(const utils::MemBuf *buffer,
- const std::vector<uint8_t> &signature,
- CryptoHashType hash_type) override;
+ const utils::MemBuf::Ptr &signature,
+ CryptoSuite suite) override;
 protected:
 std::shared_ptr<EVP_PKEY> key_; |