diff options
Diffstat (limited to 'libtransport/src/auth/signer.cc')
-rw-r--r-- | libtransport/src/auth/signer.cc | 243 |
1 files changed, 142 insertions, 101 deletions
diff --git a/libtransport/src/auth/signer.cc b/libtransport/src/auth/signer.cc index 884e850ca..5fcb242be 100644 --- a/libtransport/src/auth/signer.cc +++ b/libtransport/src/auth/signer.cc @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017-2021 Cisco and/or its affiliates. + * Copyright (c) 2021-2022 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -13,9 +13,12 @@ * limitations under the License. */ +#include <glog/logging.h> #include <hicn/transport/auth/signer.h> +#include <hicn/transport/core/interest.h> +#include <hicn/transport/utils/chrono_typedefs.h> -using namespace std; +#include "hicn/transport/core/global_object_pool.h" namespace transport { namespace auth { @@ -24,131 +27,122 @@ namespace auth { // Base Signer // --------------------------------------------------------- Signer::Signer() - : suite_(CryptoSuite::UNKNOWN), signature_len_(0), key_(nullptr) {} + : suite_(CryptoSuite::UNKNOWN), + signature_(core::PacketManager<>::getInstance().getMemBuf()), + signature_len_(0), + key_(nullptr) {} Signer::~Signer() {} void Signer::signPacket(PacketPtr packet) { - assert(key_ != nullptr); - core::Packet::Format format = packet->getFormat(); - - if (!packet->authenticationHeader()) { + DCHECK(key_ != nullptr); + if (!packet->hasAH()) { throw errors::MalformedAHPacketException(); } // Set signature size size_t signature_field_len = getSignatureFieldSize(); - packet->setSignatureSize(signature_field_len); - packet->setSignatureSizeGap(0u); + packet->setSignatureFieldSize(signature_field_len); + packet->updateLength(); // update IP payload length // Copy IP+TCP / ICMP header before zeroing them - hicn_header_t header_copy; - hicn_packet_copy_header(format, packet->packet_start_, &header_copy, false); + u8 header_copy[HICN_HDRLEN_MAX]; + size_t header_len; + packet->saveHeader(header_copy, &header_len); + + // Copy bitmap from interest manifest + uint32_t request_bitmap[BITMAP_SIZE] = {0}; + if (packet->isInterest()) { + core::Interest *interest = dynamic_cast<core::Interest *>(packet); + if (interest->hasManifest()) + memcpy(request_bitmap, interest->getRequestBitmap(), + BITMAP_SIZE * sizeof(uint32_t)); + } // Fill in the hICN AH header - auto now = chrono::duration_cast<chrono::milliseconds>( - chrono::system_clock::now().time_since_epoch()) - .count(); + auto now = utils::SteadyTime::nowMs().count(); packet->setSignatureTimestamp(now); packet->setValidationAlgorithm(suite_); // Set key ID - vector<uint8_t> key_id = key_id_.getDigest(); - packet->setKeyId({key_id.data(), key_id.size()}); + const utils::MemBuf::Ptr &key_id = key_id_.getDigest(); + packet->setKeyId({key_id->writableData(), key_id->length()}); // Reset fields to compute the packet hash packet->resetForHash(); // Compute the signature and put it in the packet signBuffer(packet); - hicn_packet_copy_header(format, &header_copy, packet->packet_start_, false); + packet->setSignature(signature_); + packet->setSignatureSize(signature_len_); - // Set the gap between the signature field size and the signature real size. - packet->setSignatureSizeGap(signature_field_len - signature_len_); - memcpy(packet->getSignature(), signature_.data(), signature_len_); -} + // Restore header + packet->loadHeader(header_copy, header_len); -void Signer::signBuffer(const std::vector<uint8_t> &buffer) { - assert(key_ != nullptr); - CryptoHashEVP hash_evp = CryptoHash::getEVP(getHashType()); - - if (hash_evp == nullptr) { - throw errors::RuntimeException("Unknown hash type"); + // Restore bitmap in interest manifest + if (packet->isInterest()) { + core::Interest *interest = dynamic_cast<core::Interest *>(packet); + interest->setRequestBitmap(request_bitmap); } +} - shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); +void Signer::signBuffer(const uint8_t *buffer, std::size_t len) { + const EVP_MD *hash_md = getMD(suite_); - if (mdctx == nullptr) { - throw errors::RuntimeException("Digest context allocation failed"); + std::shared_ptr<EVP_MD_CTX> md_ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free); + if (md_ctx == nullptr) { + throw errors::RuntimeException("Signature context allocation failed"); } - if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, - key_.get()) != 1) { - throw errors::RuntimeException("Digest initialization failed"); + if (EVP_DigestSignInit(md_ctx.get(), nullptr, hash_md, nullptr, key_.get()) != + 1) { + throw errors::RuntimeException("Signature initialization failed"); } - if (EVP_DigestSignUpdate(mdctx.get(), buffer.data(), buffer.size()) != 1) { - throw errors::RuntimeException("Digest update failed"); - } + if (EVP_DigestSign(md_ctx.get(), nullptr, &signature_len_, buffer, len) != + 1) { + throw errors::RuntimeException("Signature length computation failed"); + }; - if (EVP_DigestSignFinal(mdctx.get(), nullptr, &signature_len_) != 1) { - throw errors::RuntimeException("Digest computation failed"); - } + DCHECK(signature_len_ <= signature_->tailroom()); + signature_->setLength(signature_len_); - signature_.resize(signature_len_); + if (EVP_DigestSign(md_ctx.get(), signature_->writableData(), &signature_len_, + buffer, len) != 1) { + throw errors::RuntimeException("Signature computation failed"); + }; - if (EVP_DigestSignFinal(mdctx.get(), signature_.data(), &signature_len_) != - 1) { - throw errors::RuntimeException("Digest computation failed"); - } + DCHECK(signature_len_ <= signature_->tailroom()); + signature_->setLength(signature_len_); +} - signature_.resize(signature_len_); +void Signer::signBuffer(const std::vector<uint8_t> &buffer) { + signBuffer(buffer.data(), buffer.size()); } void Signer::signBuffer(const utils::MemBuf *buffer) { - assert(key_ != nullptr); - CryptoHashEVP hash_evp = CryptoHash::getEVP(getHashType()); - - if (hash_evp == nullptr) { - throw errors::RuntimeException("Unknown hash type"); - } - - const utils::MemBuf *p = buffer; - shared_ptr<EVP_MD_CTX> mdctx(EVP_MD_CTX_create(), EVP_MD_CTX_free); - - if (mdctx == nullptr) { - throw errors::RuntimeException("Digest context allocation failed"); + if (buffer->isChained()) { + throw errors::RuntimeException( + "Signature of chained membuf is not supported."); } - if (EVP_DigestSignInit(mdctx.get(), nullptr, (*hash_evp)(), nullptr, - key_.get()) != 1) { - throw errors::RuntimeException("Digest initialization failed"); - } - - do { - if (EVP_DigestSignUpdate(mdctx.get(), p->data(), p->length()) != 1) { - throw errors::RuntimeException("Digest update failed"); - } - - p = p->next(); - } while (p != buffer); + signBuffer(buffer->data(), buffer->length()); +} - if (EVP_DigestSignFinal(mdctx.get(), nullptr, &signature_len_) != 1) { - throw errors::RuntimeException("Digest computation failed"); - } +const utils::MemBuf::Ptr &Signer::getSignature() const { return signature_; } - signature_.resize(signature_len_); +std::string Signer::getStringSignature() const { + std::stringstream string_sig; + string_sig << std::hex << std::setfill('0'); - if (EVP_DigestSignFinal(mdctx.get(), signature_.data(), &signature_len_) != - 1) { - throw errors::RuntimeException("Digest computation failed"); + for (size_t i = 0; i < signature_len_; ++i) { + string_sig << std::hex << std::setw(2) + << static_cast<int>(signature_->data()[i]); } - signature_.resize(signature_len_); + return string_sig.str(); } -vector<uint8_t> Signer::getSignature() const { return signature_; } - size_t Signer::getSignatureSize() const { return signature_len_; } size_t Signer::getSignatureFieldSize() const { @@ -159,37 +153,79 @@ size_t Signer::getSignatureFieldSize() const { return (signature_len_ + 4) - (signature_len_ % 4); } +CryptoSuite Signer::getSuite() const { return suite_; } + CryptoHashType Signer::getHashType() const { return ::transport::auth::getHashType(suite_); } -CryptoSuite Signer::getSuite() const { return suite_; } +void Signer::display() { + LOG(INFO) << getStringSuite(suite_) << ": " << getStringSignature(); +} // --------------------------------------------------------- // Void Signer // --------------------------------------------------------- -void VoidSigner::signPacket(PacketPtr packet){}; +void VoidSigner::signPacket(PacketPtr packet) {} + +void VoidSigner::signBuffer(const uint8_t *buffer, std::size_t len) {} -void VoidSigner::signBuffer(const std::vector<uint8_t> &buffer){}; +void VoidSigner::signBuffer(const std::vector<uint8_t> &buffer) {} -void VoidSigner::signBuffer(const utils::MemBuf *buffer){}; +void VoidSigner::signBuffer(const utils::MemBuf *buffer) {} // --------------------------------------------------------- // Asymmetric Signer // --------------------------------------------------------- -AsymmetricSigner::AsymmetricSigner(CryptoSuite suite, shared_ptr<EVP_PKEY> key, - shared_ptr<EVP_PKEY> pub_key) { +AsymmetricSigner::AsymmetricSigner(CryptoSuite suite, + std::shared_ptr<EVP_PKEY> key, + std::shared_ptr<EVP_PKEY> pub_key) + : Signer() { + setKey(suite, key, pub_key); +} + +AsymmetricSigner::AsymmetricSigner(std::string keystore_path, + std::string password) + : Signer() { + FILE *p12file = fopen(keystore_path.c_str(), "r"); + + if (p12file == nullptr) { + throw errors::RuntimeException("failed to read keystore"); + } + + std::unique_ptr<PKCS12, decltype(&PKCS12_free)> p12( + d2i_PKCS12_fp(p12file, nullptr), &PKCS12_free); + X509 *cert_raw; + EVP_PKEY *key_raw; + + if (PKCS12_parse(p12.get(), password.c_str(), &key_raw, &cert_raw, nullptr) != + 1) { + fclose(p12file); + throw errors::RuntimeException("failed to parse keystore"); + } + + std::shared_ptr<EVP_PKEY> key(key_raw, EVP_PKEY_free); + std::shared_ptr<EVP_PKEY> pub_key(X509_get_pubkey(cert_raw), EVP_PKEY_free); + + setKey(transport::auth::getSuite(X509_get_signature_nid(cert_raw)), key, + pub_key); + + fclose(p12file); +} + +void AsymmetricSigner::setKey(CryptoSuite suite, std::shared_ptr<EVP_PKEY> key, + std::shared_ptr<EVP_PKEY> pub_key) { suite_ = suite; key_ = key; - key_id_ = CryptoHash(getHashType()); - vector<uint8_t> pbk(i2d_PublicKey(pub_key.get(), nullptr)); - uint8_t *pbk_ptr = pbk.data(); - int len = i2d_PublicKey(pub_key.get(), &pbk_ptr); + signature_len_ = EVP_PKEY_size(key_.get()); + DCHECK(signature_len_ <= signature_->tailroom()); + signature_->setLength(signature_len_); - signature_len_ = EVP_PKEY_size(key.get()); - signature_.resize(signature_len_); - key_id_.computeDigest(pbk_ptr, len); + // Key ID is not supported yet. + uint8_t id[8] = {0}; + key_id_ = CryptoHash(getHashType()); + key_id_.computeDigest(id, 8); } size_t AsymmetricSigner::getSignatureFieldSize() const { @@ -205,24 +241,29 @@ size_t AsymmetricSigner::getSignatureFieldSize() const { // --------------------------------------------------------- // Symmetric Signer // --------------------------------------------------------- -SymmetricSigner::SymmetricSigner(CryptoSuite suite, const string &passphrase) { +SymmetricSigner::SymmetricSigner(CryptoSuite suite, + const std::string &passphrase) + : Signer() { suite_ = suite; - key_ = shared_ptr<EVP_PKEY>( + key_ = std::shared_ptr<EVP_PKEY>( EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, nullptr, (const unsigned char *)passphrase.c_str(), passphrase.size()), EVP_PKEY_free); - key_id_ = CryptoHash(getHashType()); - CryptoHashEVP hash_evp = CryptoHash::getEVP(getHashType()); - - if (hash_evp == nullptr) { + const EVP_MD *hash_md = getMD(suite_); + if (hash_md == nullptr) { throw errors::RuntimeException("Unknown hash type"); } - signature_len_ = EVP_MD_size((*hash_evp)()); - signature_.resize(signature_len_); - key_id_.computeDigest((uint8_t *)passphrase.c_str(), passphrase.size()); + signature_len_ = EVP_MD_size(hash_md); + DCHECK(signature_len_ <= signature_->tailroom()); + signature_->setLength(signature_len_); + + // Key ID is not supported yet. + uint8_t id[8] = {0}; + key_id_ = CryptoHash(getHashType()); + key_id_.computeDigest(id, 8); } } // namespace auth |