author | Tristan Schwieren <tristan.schwieren@tum.de> | 2022-08-26 15:51:29 +0200 |
---|---|---|
committer | Tristan Schwieren <tristan.schwieren@tum.de> | 2022-08-26 17:49:07 +0200 |
commit | 7777cef05fedae221bf4b82c6b5a1de87a7d101e (patch) | |
tree | 4fe985301185257f5d4dfd78e5944cc062cd5f1f | |
parent | 45f2059a57f4a55214bb25b1efc8da2f184ef1ae (diff) | |
download | gnunet-7777cef05fedae221bf4b82c6b5a1de87a7d101e.tar.gz gnunet-7777cef05fedae221bf4b82c6b5a1de87a7d101e.zip |
-switch to EdDSA egos only for signature rest endpoint
-rw-r--r-- | src/identity/plugin_rest_identity.c | 22 | ||||
-rwxr-xr-x | src/identity/test_plugin_rest_identity_signature.sh | 40 | ||||
-rw-r--r-- | src/include/gnunet_crypto_lib.h | 32 | ||||
-rw-r--r-- | src/util/crypto_ecc.c | 90 |
4 files changed, 112 insertions, 72 deletions
diff --git a/src/identity/plugin_rest_identity.c b/src/identity/plugin_rest_identity.c index 06ef7a174..15e0987f2 100644 --- a/src/identity/plugin_rest_identity.c +++ b/src/identity/plugin_rest_identity.c | |||
@@ -1202,9 +1202,10 @@ void | |||
1202 | ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego) | 1202 | ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego) |
1203 | { | 1203 | { |
1204 | struct RequestHandle *handle = ((struct ego_sign_data_cls *) cls)->handle; | 1204 | struct RequestHandle *handle = ((struct ego_sign_data_cls *) cls)->handle; |
1205 | char *data = (char *) ((struct ego_sign_data_cls *) cls)->data; // data is url decoded | 1205 | unsigned char *data |
1206 | = (unsigned char *) ((struct ego_sign_data_cls *) cls)->data; // data is url decoded | ||
1206 | struct MHD_Response *resp; | 1207 | struct MHD_Response *resp; |
1207 | struct GNUNET_CRYPTO_EcdsaSignature sig; | 1208 | struct GNUNET_CRYPTO_EddsaSignature sig; |
1208 | char *sig_str; | 1209 | char *sig_str; |
1209 | char *result; | 1210 | char *result; |
1210 | 1211 | ||
@@ -1216,7 +1217,15 @@ ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego) | |||
1216 | return; | 1217 | return; |
1217 | } | 1218 | } |
1218 | 1219 | ||
1219 | if ( GNUNET_OK != GNUNET_CRYPTO_ecdsa_sign_raw (&(ego->pk.ecdsa_key), | 1220 | if (ntohl (ego->pk.type) != GNUNET_IDENTITY_TYPE_EDDSA) |
1221 | { | ||
1222 | handle->response_code = MHD_HTTP_BAD_REQUEST; | ||
1223 | handle->emsg = GNUNET_strdup ("Ego has to use an EdDSA key"); | ||
1224 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1225 | return; | ||
1226 | } | ||
1227 | |||
1228 | if ( GNUNET_OK != GNUNET_CRYPTO_eddsa_sign_raw (&(ego->pk.eddsa_key), | ||
1220 | (void *) data, | 1229 | (void *) data, |
1221 | strlen (data), | 1230 | strlen (data), |
1222 | &sig)) | 1231 | &sig)) |
@@ -1227,10 +1236,9 @@ ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego) | |||
1227 | return; | 1236 | return; |
1228 | } | 1237 | } |
1229 | 1238 | ||
1230 | // TODO: Encode the signature | 1239 | sig_str = malloc (64); |
1231 | sig_str = malloc(64); | 1240 | GNUNET_CRYPTO_eddsa_signature_encode ( |
1232 | GNUNET_CRYPTO_ecdsa_signature_encode( | 1241 | (const struct GNUNET_CRYPTO_EddsaSignature *) &sig, |
1233 | (const struct GNUNET_CRYPTO_EcdsaSignature *) &sig, | ||
1234 | &sig_str); | 1242 | &sig_str); |
1235 | 1243 | ||
1236 | GNUNET_asprintf (&result, | 1244 | GNUNET_asprintf (&result, |
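Review bot: `strlen (data)` now receives an `unsigned char *`, which is a pointer-sign mismatch, and since `data` is URL-decoded, an encoded NUL in the query (if the decoder yields one) makes the signature cover only the prefix before it rather than what the client submitted. Carrying the decoded length in `struct ego_sign_data_cls` and passing it to GNUNET_CRYPTO_eddsa_sign_raw would avoid both; a minimal stopgap is `strlen ((const char *) data)`. The `sig_str = malloc (64);` buffer is unchecked and also appears to be lost, because GNUNET_CRYPTO_eddsa_signature_encode forwards `&sig_str` to GNUNET_STRINGS_base64url_encode, which allocates its own output; `sig_str = NULL;` would be enough there. ego_sign_data_cb continues past the end of this hunk, so whether `sig_str` is freed after GNUNET_asprintf is not visible here.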
diff --git a/src/identity/test_plugin_rest_identity_signature.sh b/src/identity/test_plugin_rest_identity_signature.sh index 2a56996d5..6b3470388 100755 --- a/src/identity/test_plugin_rest_identity_signature.sh +++ b/src/identity/test_plugin_rest_identity_signature.sh | |||
@@ -5,6 +5,13 @@ | |||
5 | header='{"alg":"ES256"}' | 5 | header='{"alg":"ES256"}' |
6 | payload='{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}' | 6 | payload='{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}' |
7 | 7 | ||
8 | key='{"kty":"EC", | ||
9 | "crv":"P-256", | ||
10 | "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", | ||
11 | "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", | ||
12 | "d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI" | ||
13 | }' | ||
14 | |||
8 | header_payload_test=( | 15 | header_payload_test=( |
9 | 101 121 74 104 98 71 99 105 79 105 74 70 85 122 73 | 16 | 101 121 74 104 98 71 99 105 79 105 74 70 85 122 73 |
10 | 49 78 105 74 57 46 101 121 74 112 99 51 77 105 79 105 | 17 | 49 78 105 74 57 46 101 121 74 112 99 51 77 105 79 105 |
@@ -15,27 +22,50 @@ header_payload_test=( | |||
15 | 98 83 57 112 99 49 57 121 98 50 57 48 73 106 112 48 | 22 | 98 83 57 112 99 49 57 121 98 50 57 48 73 106 112 48 |
16 | 99 110 86 108 102 81) | 23 | 99 110 86 108 102 81) |
17 | 24 | ||
25 | base64url_add_padding() { | ||
26 | for i in $( seq 1 $(( 4 - ${#1} % 4 )) ); do padding+="="; done | ||
27 | echo "$1""$padding" | ||
28 | } | ||
29 | |||
18 | base64url_encode () { | 30 | base64url_encode () { |
19 | echo -n -e "$1" | base64 -w0 | tr '+/' '-_' | tr -d '=' | 31 | echo -n -e "$1" | base64 -w0 | tr '+/' '-_' | tr -d '=' |
20 | } | 32 | } |
21 | 33 | ||
34 | base64url_decode () { | ||
35 | padded_input=$(base64url_add_padding "$1") | ||
36 | echo -n "$padded_input" | tr '_-' '/+' | base64 -w0 --decode | ||
37 | } | ||
38 | |||
39 | base32crockford_encode () { | ||
40 | echo -n "$i" | basenc --base32hex | tr 'IJKLMNOPQRSTUV' 'JKMNPQRSTVWXYZ' | ||
41 | } | ||
42 | |||
43 | header_enc=$(base64url_encode "$header") | ||
44 | payload_enc=$(base64url_encode "$payload") | ||
45 | |||
22 | # encode header_payload test vektor | 46 | # encode header_payload test vektor |
23 | for i in "${header_payload_test[@]}" | 47 | for i in "${header_payload_test[@]}" |
24 | do | 48 | do |
25 | header_payload_test_enc+=$(printf "\x$(printf %x $i)") | 49 | header_payload_test_enc+=$(printf "\x$(printf %x $i)") |
26 | done | 50 | done |
27 | 51 | ||
28 | header_enc=$(base64url_encode "$header") | 52 | # test base64url encoding and header-payload concatenation |
29 | payload_enc=$(base64url_encode "$payload") | ||
30 | |||
31 | # test base64url encoding and header & payload concatenation | ||
32 | if [ "$header_enc.$payload_enc" != $header_payload_test_enc ] ; | 53 | if [ "$header_enc.$payload_enc" != $header_payload_test_enc ] ; |
33 | then | 54 | then |
34 | exit 1 | 55 | exit 1 |
35 | fi | 56 | fi |
36 | 57 | ||
37 | signature_enc=$(curl -s "localhost:7776/sign?user=tristan&data=$header_payload_enc" | jq -r '.signature') | 58 | signature_enc=$(curl -s "localhost:7776/sign?user=tristan&data=$header_payload_enc" | jq -r '.signature') |
38 | echo "$header_enc.$payload_enc.$signature_enc" | 59 | jwt="$header_enc.$payload_enc.$signature_enc" |
60 | echo $jwt | ||
61 | |||
62 | # Convert secret JWK to GNUnet skey | ||
63 | key_dec=$(base64url_decode $( echo -n "$key" | jq -r '.d')) | ||
64 | for i in $(echo -n $key_dec | xxd -p | tr -d '\n' | fold -w 2) | ||
65 | do | ||
66 | echo -n "$i " | ||
67 | done | ||
68 | echo "" | ||
39 | 69 | ||
40 | # TODO: Test Signature | 70 | # TODO: Test Signature |
41 | # Gen key: Public Key GNS zone type value + d in crockford encoding | 71 | # Gen key: Public Key GNS zone type value + d in crockford encoding |
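Review bot: base64url_add_padding appends four `=` when the input length is already a multiple of four, and `padding` is a global that keeps growing across calls, so a second decode would get the wrong padding. Declaring `local padding=""` and using `$(( (4 - ${#1} % 4) % 4 ))` as the seq bound fixes both. base32crockford_encode reads `$i`, the loop variable of whatever ran last, instead of its argument `$1`. Holding the decoded key in `key_dec` also drops any NUL bytes, since shell variables cannot store them; piping base64url_decode straight into `xxd -p` keeps the key bytes intact.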
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index 1d5722450..93945c731 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h | |||
@@ -1955,11 +1955,35 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
1955 | * @return enum GNUNET_GenericReturnValue | 1955 | * @return enum GNUNET_GenericReturnValue |
1956 | */ | 1956 | */ |
1957 | enum GNUNET_GenericReturnValue | 1957 | enum GNUNET_GenericReturnValue |
1958 | GNUNET_CRYPTO_ecdsa_sign_raw ( | 1958 | GNUNET_CRYPTO_eddsa_sign_raw ( |
1959 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | 1959 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, |
1960 | void *data, | 1960 | void *data, |
1961 | size_t len, | 1961 | size_t size, |
1962 | struct GNUNET_CRYPTO_EcdsaSignature *sig); | 1962 | struct GNUNET_CRYPTO_EddsaSignature *sig); |
1963 | |||
1964 | /** | ||
1965 | * @brief | ||
1966 | * | ||
1967 | * @param sig | ||
1968 | * @param sig_str | ||
1969 | * @return enum GNUNET_GenericReturnValue | ||
1970 | */ | ||
1971 | size_t | ||
1972 | GNUNET_CRYPTO_eddsa_signature_encode( | ||
1973 | const struct GNUNET_CRYPTO_EddsaSignature *sig, | ||
1974 | char **sig_str); | ||
1975 | |||
1976 | /** | ||
1977 | * @brief | ||
1978 | * | ||
1979 | * @param sig_str | ||
1980 | * @param sig | ||
1981 | * @return enum GNUNET_GenericReturnValue | ||
1982 | */ | ||
1983 | size_t | ||
1984 | GNUNET_CRYPTO_eddsa_signature_decode( | ||
1985 | const char *sig_str, | ||
1986 | struct GNUNET_CRYPTO_EddsaSignature *sig); | ||
1963 | 1987 | ||
1964 | /** | 1988 | /** |
1965 | * @brief | 1989 | * @brief |
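Review bot: The two new doc blocks are empty and state `@return enum GNUNET_GenericReturnValue` although both functions are declared `size_t`. I would document that encode returns the length reported by the base64url encoder and stores a newly allocated string in `*sig_str` that the caller must free, and that decode returns the number of decoded bytes, which callers have to compare against `sizeof (struct GNUNET_CRYPTO_EddsaSignature)` before trusting `sig`. The renamed GNUNET_CRYPTO_eddsa_sign_raw keeps `void *data`; `const void *data` would state that the message is not modified. Its own doc comment begins above the hunk.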
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c index 36945e291..0ac6e2865 100644 --- a/src/util/crypto_ecc.c +++ b/src/util/crypto_ecc.c | |||
@@ -594,68 +594,46 @@ GNUNET_CRYPTO_ecdsa_sign_ ( | |||
594 | return GNUNET_OK; | 594 | return GNUNET_OK; |
595 | } | 595 | } |
596 | 596 | ||
597 | // TODO: Code reuse with GNUNET_CRYPTO_ecdsa_sign_ | ||
598 | // Refactor above as a wrapper around raw | ||
599 | enum GNUNET_GenericReturnValue | 597 | enum GNUNET_GenericReturnValue |
600 | GNUNET_CRYPTO_ecdsa_sign_raw ( | 598 | GNUNET_CRYPTO_eddsa_sign_raw ( |
601 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | 599 | const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, |
602 | void *data, | 600 | void *data, |
603 | size_t len, | 601 | size_t size, |
604 | struct GNUNET_CRYPTO_EcdsaSignature *sig) | 602 | struct GNUNET_CRYPTO_EddsaSignature *sig) |
605 | { | 603 | { |
606 | struct GNUNET_HashCode hash_code; | 604 | unsigned char sk[crypto_sign_SECRETKEYBYTES]; |
607 | gcry_sexp_t skey_sexp; | 605 | unsigned char pk[crypto_sign_PUBLICKEYBYTES]; |
608 | gcry_sexp_t sig_sexp; | 606 | int res; |
609 | gcry_sexp_t data_sexp; | ||
610 | gcry_error_t error; | ||
611 | gcry_mpi_t rs[2]; | ||
612 | |||
613 | // Decode private key | ||
614 | skey_sexp = decode_private_ecdsa_key (priv); | ||
615 | |||
616 | // Hash data | ||
617 | GNUNET_CRYPTO_hash (data, len, &hash_code); | ||
618 | if (0 != (error = gcry_sexp_build (&data_sexp, | ||
619 | NULL, | ||
620 | "(data(flags rfc6979)(hash %s %b))", | ||
621 | "sha512", | ||
622 | (int) sizeof(hash_code), | ||
623 | &hash_code))) | ||
624 | { | ||
625 | LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", error); | ||
626 | return GNUNET_SYSERR; | ||
627 | } | ||
628 | 607 | ||
629 | // Sign Hash | 608 | GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d)); |
630 | if (0 != (error = gcry_pk_sign (&sig_sexp, data_sexp, skey_sexp))) | 609 | res = crypto_sign_detached ((uint8_t *) sig, |
631 | { | 610 | NULL, |
632 | LOG (GNUNET_ERROR_TYPE_WARNING, | 611 | (uint8_t *) data, |
633 | _ ("ECC signing failed at %s:%d: %s\n"), | 612 | size, |
634 | __FILE__, | 613 | sk); |
635 | __LINE__, | 614 | return (res == 0) ? GNUNET_OK : GNUNET_SYSERR; |
636 | gcry_strerror (error)); | 615 | } |
637 | gcry_sexp_release (data_sexp); | ||
638 | gcry_sexp_release (skey_sexp); | ||
639 | return GNUNET_SYSERR; | ||
640 | } | ||
641 | gcry_sexp_release (skey_sexp); | ||
642 | gcry_sexp_release (data_sexp); | ||
643 | 616 | ||
644 | /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in | 617 | size_t |
645 | 'signature' */ | 618 | GNUNET_CRYPTO_eddsa_signature_encode ( |
646 | if (0 != (error = key_from_sexp (rs, sig_sexp, "sig-val", "rs"))) | 619 | const struct GNUNET_CRYPTO_EddsaSignature *sig, |
647 | { | 620 | char **sig_str) |
648 | GNUNET_break (0); | 621 | { |
649 | gcry_sexp_release (sig_sexp); | 622 | return GNUNET_STRINGS_base64url_encode ( |
650 | return GNUNET_SYSERR; | 623 | (void*) sig, |
651 | } | 624 | 32, |
652 | gcry_sexp_release (sig_sexp); | 625 | sig_str); |
653 | GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof(sig->r), rs[0]); | 626 | } |
654 | GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof(sig->s), rs[1]); | ||
655 | gcry_mpi_release (rs[0]); | ||
656 | gcry_mpi_release (rs[1]); | ||
657 | 627 | ||
658 | return GNUNET_OK; | 628 | size_t |
629 | GNUNET_CRYPTO_eddsa_signature_decode ( | ||
630 | const char *sig_str, | ||
631 | struct GNUNET_CRYPTO_EddsaSignature *sig) | ||
632 | { | ||
633 | return GNUNET_STRINGS_base64url_decode ( | ||
634 | sig_str, | ||
635 | strlen (sig_str), | ||
636 | (void **) &sig); | ||
659 | } | 637 | } |
660 | 638 | ||
661 | size_t | 639 | size_t |
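Review bot: GNUNET_CRYPTO_eddsa_signature_encode passes a literal length of 32 to GNUNET_STRINGS_base64url_encode, but crypto_sign_detached in the function above writes a full 64-byte signature into `sig`, so the endpoint would return only the first half and the result could not verify; use `sizeof (*sig)` instead of `32`. GNUNET_CRYPTO_eddsa_signature_decode has the mirror problem: `(void **) &sig` takes the address of the by-value parameter, so the decoder's output pointer lands in the local variable, the caller's struct is never filled, and the decoded length is never compared with `sizeof (*sig)`. Decoding into a temporary buffer, checking the length, copying into `*sig` and freeing the temporary would fix that. Separately, `sk` in GNUNET_CRYPTO_eddsa_sign_raw holds the expanded secret key on the stack and is not cleared before return; `sodium_memzero (sk, sizeof (sk));` after the signing call is worth adding.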