From a97e16efa84b72dd51dcb181d4ebdbcc58a111f9 Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Mon, 5 Dec 2016 22:18:50 +0100 Subject: - add better test for verification --- src/credential/test_credential_lookup.sh | 66 -------------------------------- src/credential/test_credential_verify.sh | 62 ++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 66 deletions(-) delete mode 100755 src/credential/test_credential_lookup.sh create mode 100755 src/credential/test_credential_verify.sh (limited to 'src/credential') diff --git a/src/credential/test_credential_lookup.sh b/src/credential/test_credential_lookup.sh deleted file mode 100755 index fc6a59c50..000000000 --- a/src/credential/test_credential_lookup.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -trap "gnunet-arm -e -c test_credential_lookup.conf" SIGINT - -LOCATION=$(which gnunet-config) -if [ -z $LOCATION ] -then - LOCATION="gnunet-config" -fi -$LOCATION --version 1> /dev/null -if test $? != 0 -then - echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX" - exit 77 -fi - -rm -rf `gnunet-config -c test_credential_lookup.conf -s PATHS -o GNUNET_HOME -f` - -# (1) PKEY1.user -> PKEY2.resu.user -# (2) PKEY2.resu -> PKEY3 -# (3) PKEY3.user -> PKEY4 - - -which timeout &> /dev/null && DO_TIMEOUT="timeout 30" -TEST_ISSUER="PKEY1" -TEST_ATTR="user" -TEST_SUB_ATTR="resu" -TEST_DELEGATION_SUBJECT="PKEY2" -TEST_DELEGATION_ATTR="$TEST_SUB_ATTR.$TEST_ATTR" -TEST_SUBDELEGATION_SUBJECT="PKEY3" -TEST_SUBJECT="PKEY4" -TEST_CREDENTIAL="c1" -gnunet-arm -s -c test_credential_lookup.conf -gnunet-identity -C testone -c test_credential_lookup.conf -gnunet-identity -C testtwo -c test_credential_lookup.conf -gnunet-identity -C testthree -c test_credential_lookup.conf -gnunet-identity -C testfour -c test_credential_lookup.conf - -#TODO1 Get credential and store it with subject (3) -CRED=`$DO_TIMEOUT gnunet-credential --issue --issuer=$TEST_SUBDELEGATION_SUBJECT --attribute=$TEST_SUB_ATTR --expiration 1m -c test_credential_lookup.conf` -gnunet-namestore -p -z testfour -a -n $TEST_CREDENTIAL -t CRED -V $CRED -e 5m -c test_credential_lookup.conf - -# (1) -gnunet-namestore -p -z testone -a -n $TEST_ATTR -t ATTR -V "$TEST_DELEGATION_SUBJECT $TEST_DELEGATION_ATTR" - -# (2) -gnunet-namestore -p -z testtwo -a -n $TEST_SUB_ATTR -t ATTR -V "$TEST_SUBDELEGATION_SUBJECT" - - -#TODO2 Add -z swich like in gnunet-gns -RES_IP=`$DO_TIMEOUT gnunet-credential --verify --issuer=$TEST_ISSUER --attribute="$TEST_DELEGATION_ATTR" --subject=$TEST_SUBJECT --credential=$TEST_CREDENTIAL -c test_credential_lookup.conf` - -#TODO cleanup properly -gnunet-namestore -z testsubject -d -n newcred -t CRED -e never -c 
test_credential_lookup.conf -gnunet-identity -D testsubject -c test_credential_lookup.conf -gnunet-arm -e -c test_credential_lookup.conf - -#TODO3 proper test -exit 0 - -#if [ "$RES_IP" == "$TEST_CRED" ] -#then -# exit 0 -#else -# echo "FAIL: Failed to resolve to proper IP, got $RES_IP." -# exit 1 -#fi diff --git a/src/credential/test_credential_verify.sh b/src/credential/test_credential_verify.sh new file mode 100755 index 000000000..6e5ba4647 --- /dev/null +++ b/src/credential/test_credential_verify.sh 
@@ -0,0 +1,62 @@ +#!/bin/bash +trap "gnunet-arm -e -c test_credential_lookup.conf" SIGINT + +LOCATION=$(which gnunet-config) +if [ -z $LOCATION ] +then + LOCATION="gnunet-config" +fi +$LOCATION --version 1> /dev/null +if test $? != 0 +then + echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX" + exit 77 +fi + +rm -rf `gnunet-config -c test_credential_lookup.conf -s PATHS -o GNUNET_HOME -f` + +# (1) Authority.test -> Intermediate.org.user +# (2) Intermediate.org -> Issuer +# (3) Issuer.user -> Subject + + +which timeout &> /dev/null && DO_TIMEOUT="timeout 30" +gnunet-arm -s -c test_credential_lookup.conf +gnunet-identity -C testissuer -c test_credential_lookup.conf +gnunet-identity -C testsubject -c test_credential_lookup.conf +gnunet-identity -C testintermediate -c test_credential_lookup.conf +gnunet-identity -C testauthority -c test_credential_lookup.conf + +TEST_ATTR="user" +INTERMEDIATE_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testintermediate | awk '{print $3}') +SUBJECT_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testsubject | awk '{print $3}') +ISSUER_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testissuer | awk '{print $3}') +CRED=`$DO_TIMEOUT gnunet-credential --issue --ego=testissuer --subject=$SUBJECT_KEY --attribute=$TEST_ATTR -c test_credential_lookup.conf` + +TEST_CREDENTIAL="t1" +gnunet-namestore -p -z testsubject -a -n $TEST_CREDENTIAL -t CRED -V "$CRED" -e 5m -c test_credential_lookup.conf + +INTERMEDIATE_ATTR="org" +gnunet-namestore -p -z testintermediate -a -n $INTERMEDIATE_ATTR -t ATTR -V "$ISSUER_KEY" -e 5m -c test_credential_lookup.conf + +AUTHORITY_ATTR="test" +gnunet-namestore -p -z testauthority -a -n $AUTHORITY_ATTR -t ATTR -V "$INTERMEDIATE_KEY $INTERMEDIATE_ATTR.$TEST_ATTR" -e 5m -c test_credential_lookup.conf + +#TODO2 Add -z swich like in gnunet-gns +#RES_CRED=`$DO_TIMEOUT gnunet-credential --verify --issuer=$ISSUER_KEY 
--attribute="$TEST_ATTR" --subject=$SUBJECT_KEY --credential=$TEST_CREDENTIAL -c test_credential_lookup.conf` +valgrind gnunet-credential --verify --issuer=$AUTHORITY_KEY --attribute=$AUTHORITY_ATTR --subject=$SUBJECT_KEY --credential=$TEST_CREDENTIAL -c test_credential_lookup.conf + +#TODO cleanup properly +gnunet-namestore -z testsubject -d -n $TEST_CREDENTIAL -t CRED -e never -c test_credential_lookup.conf +gnunet-arm -e -c test_credential_lookup.conf + +#TODO3 proper test +exit 0 + +if [ "$RES_CRED" == "Ok!" ] +then + exit 0 +else + echo "FAIL: Failed to verify credential $RES_IP." + exit 1 +fi -- cgit v1.2.3 From 10b2bbf99b0dc611a735ad0a04d3ab5109a090f0 Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Tue, 6 Dec 2016 10:09:21 +0100 Subject: -add expiration to cred --- src/credential/credential_api.c | 22 +++++++----------- src/credential/gnunet-credential.c | 34 +++++++++++++++++++++++++++- src/credential/gnunet-service-credential.c | 1 + src/credential/plugin_gnsrecord_credential.c | 19 +++++++++++++--- src/credential/test_credential_issue.sh | 2 +- src/include/gnunet_credential_service.h | 8 ++++++- 6 files changed, 66 insertions(+), 20 deletions(-) (limited to 'src/credential') diff --git a/src/credential/credential_api.c b/src/credential/credential_api.c index 3be2d8bbb..eb7af5b53 100644 --- a/src/credential/credential_api.c +++ b/src/credential/credential_api.c 
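Review bot: `$AUTHORITY_KEY`, passed as `--issuer=` on the `valgrind gnunet-credential --verify` line, is never assigned — only `INTERMEDIATE_KEY`, `SUBJECT_KEY` and `ISSUER_KEY` are extracted from `gnunet-identity -d` — so the verify runs with an empty issuer and the chain rooted at `testauthority` that comments (1)–(3) describe is never exercised. The script also cannot fail: `exit 0` precedes the `RES_CRED` comparison, the `RES_CRED=` capture above it is commented out (verify's output is not captured at all), and the failure message prints the undefined `$RES_IP`. Suggest adding `AUTHORITY_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testauthority | awk '{print $3}')` next to the other key lookups, replacing the valgrind line with `RES_CRED=$($DO_TIMEOUT gnunet-credential --verify --issuer=$AUTHORITY_KEY --attribute=$AUTHORITY_ATTR --subject=$SUBJECT_KEY --credential=$TEST_CREDENTIAL -c test_credential_lookup.conf)`, and dropping the early `exit 0` so the `Ok!` check decides the exit status.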
@@ -425,35 +425,29 @@ struct GNUNET_CREDENTIAL_CredentialRecordData *
 GNUNET_CREDENTIAL_issue (struct GNUNET_CREDENTIAL_Handle *handle,
 const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 struct GNUNET_CRYPTO_EcdsaPublicKey *subject,
- const char *attribute)
+ const char *attribute,
+ struct GNUNET_TIME_Absolute *expiration)
 {
 struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
- struct GNUNET_CRYPTO_EccSignaturePurpose *purp;
 crd = GNUNET_malloc (sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData) + strlen (attribute) + 1);
- purp = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
- strlen (attribute) + 1);
- purp->size = htonl (strlen (attribute) + 1 +
+ crd->purpose.size = htonl (strlen (attribute) + 1 +
 sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
- sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose));
+ sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
+ sizeof (uint64_t));
- purp->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CREDENTIAL);
+ crd->purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CREDENTIAL);
 GNUNET_CRYPTO_ecdsa_key_get_public (issuer, &crd->issuer_key);
 crd->subject_key = *subject;
+ crd->expiration = GNUNET_htonll (expiration->abs_value_us);
 GNUNET_memcpy (&crd[1], attribute, strlen (attribute));
- GNUNET_memcpy (&purp[1],
- subject,
- sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey));
- GNUNET_memcpy (&purp[1] + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey),
- attribute,
- strlen (attribute));
 if (GNUNET_OK != GNUNET_CRYPTO_ecdsa_sign (issuer,
- purp,
+ &crd->purpose,
 &crd->sig))
 {
 GNUNET_break (0);
diff --git a/src/credential/gnunet-credential.c b/src/credential/gnunet-credential.c
index a7b92447b..a2d494f2a 100644
--- a/src/credential/gnunet-credential.c
+++ b/src/credential/gnunet-credential.c
@@ -67,6 +67,11 @@ static char *subject_key;
 */
 static char *subject_credential;
+/**
+ * Credential TTL
+ */
+static char *expiration;
+
 /**
 * Subject key
 */
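Review bot: The signed length written to `crd->purpose.size` counts one `GNUNET_CRYPTO_EcdsaPublicKey`, but the record that `&crd->purpose` now points into carries both `issuer_key` and `subject_key` between `purpose` and the attribute bytes (the header hunk places `issuer_key` directly after `purpose`, and `subject_key` and `expiration` are filled in here), so the span handed to `GNUNET_CRYPTO_ecdsa_sign` ends a key's width short: unless the struct order differs from what is visible, `expiration` and the attribute name are not covered by the signature and could be altered in a stored record without invalidating it. Rather than adding the missing `sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)`, derive the size from the layout so it cannot drift again: `crd->purpose.size = htonl (sizeof (*crd) - offsetof (struct GNUNET_CREDENTIAL_CredentialRecordData, purpose) + strlen (attribute) + 1);` (`offsetof` from `<stddef.h>`), which is also the length the verifier should check a record against. `expiration` is dereferenced without a NULL check and is only read, so the parameter can be `const struct GNUNET_TIME_Absolute *`. The function's error path after `GNUNET_break (0)` lies outside the hunk.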
@@ -180,6 +185,8 @@ identity_cb (void *cls,
 {
 const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey;
 struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
+ struct GNUNET_TIME_Absolute etime_abs;
+ struct GNUNET_TIME_Relative etime_rel;
 char *res;
 el = NULL;
@@ -194,13 +201,35 @@ identity_cb (void *cls,
 GNUNET_SCHEDULER_shutdown ();
 return;
 }
+ if (NULL == expiration)
+ {
+ fprintf (stderr,
+ "Please specify a TTL\n");
+ GNUNET_SCHEDULER_shutdown ();
+ return;
+ } else if (GNUNET_OK == GNUNET_STRINGS_fancy_time_to_relative (expiration,
+ &etime_rel))
+ {
+ etime_abs = GNUNET_TIME_relative_to_absolute (etime_rel);
+ } else if (GNUNET_OK != GNUNET_STRINGS_fancy_time_to_absolute (expiration,
+ &etime_abs))
+ {
+ fprintf (stderr,
+ "%s is not a valid ttl!\n",
+ expiration);
+ GNUNET_SCHEDULER_shutdown ();
+ return;
+ }
+
+
 privkey = GNUNET_IDENTITY_ego_get_private_key (ego);
 GNUNET_free_non_null (issuer_ego_name);
 issuer_ego_name = NULL;
 crd = GNUNET_CREDENTIAL_issue (credential, privkey, &subject_pkey,
- issuer_attr);
+ issuer_attr,
+ &etime_abs);
 res = GNUNET_GNSRECORD_value_to_string (GNUNET_GNSRECORD_TYPE_CREDENTIAL, crd, sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData) + strlen (issuer_attr) + 1);
@@ -353,6 +382,9 @@ main (int argc, char *const *argv)
 {'a', "attribute", "ATTR",
 gettext_noop ("The issuer attribute to verify against or to issue"), 1,
 &GNUNET_GETOPT_set_string, &issuer_attr},
+ {'T', "ttl", "EXP",
+ gettext_noop ("The time to live for the credential"), 1,
+ &GNUNET_GETOPT_set_string, &expiration},
 GNUNET_GETOPT_OPTION_END
 };
 int ret;
diff --git a/src/credential/gnunet-service-credential.c b/src/credential/gnunet-service-credential.c
index 792d8741e..7f18c77f6 100644
--- a/src/credential/gnunet-service-credential.c
+++ b/src/credential/gnunet-service-credential.c
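Review bot: The parsed `etime_abs` is never checked to lie in the future — `GNUNET_STRINGS_fancy_time_to_absolute` accepts a date in the past and a relative value of zero yields "now" — so `gnunet-credential --issue` will happily sign and print a credential that is already expired, with no diagnostic. After the parsing chain and before `GNUNET_CREDENTIAL_issue`, add `if (0 == GNUNET_TIME_absolute_get_remaining (etime_abs).rel_value_us)` followed by `{ fprintf (stderr, "%s is already in the past\n", expiration); GNUNET_SCHEDULER_shutdown (); return; }`. Style: each branch of the new chain ends in `return;`, so the `} else if` joins are redundant and the usual guard-clause form of the surrounding code (`if (...) { ...; return; }` then a plain `if`) would read better. `crd` is used on the `res =` line without a NULL check; whether `GNUNET_CREDENTIAL_issue` can return NULL after its `GNUNET_break (0)` path is not visible here and should be confirmed.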
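Review bot: The new `-T`/`--ttl` entry in the option table describes the value only as "The time to live for the credential", while `identity_cb` also accepts an absolute time via `GNUNET_STRINGS_fancy_time_to_absolute`, and the argument placeholder is `"EXP"` rather than something matching the option name. Suggest `gettext_noop ("Time to live of the credential (relative duration such as \"5 m\", or an absolute time)")` and a placeholder such as `"TTL"` so `--help` and the two error messages in `identity_cb` agree on what is being asked for.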
@@ -327,6 +327,7 @@ send_lookup_response (void* cls,
 const struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
 struct GNUNET_CRYPTO_EccSignaturePurpose *purp;
 struct CredentialRecordEntry *cr_entry;
+ uint32_t cred_verified;
 cred_record_count = 0;
 struct AttributeRecordEntry *attr_entry;
diff --git a/src/credential/plugin_gnsrecord_credential.c b/src/credential/plugin_gnsrecord_credential.c
index f6aec9bcc..60b677a4e 100644
--- a/src/credential/plugin_gnsrecord_credential.c
+++ b/src/credential/plugin_gnsrecord_credential.c
@@ -74,10 +74,13 @@ credential_value_to_string (void *cls,
 case GNUNET_GNSRECORD_TYPE_CREDENTIAL:
 {
 struct GNUNET_CREDENTIAL_CredentialRecordData cred;
+ struct GNUNET_TIME_Absolute etime_abs;
 char *cred_str;
 char *subject_pkey;
 char *issuer_pkey;
 char *signature;
+ const char *expiration;
+
 if (data_size < sizeof (struct GNUNET_CREDENTIAL_CredentialRecordData))
 return NULL; /* malformed */
@@ -87,14 +90,17 @@ credential_value_to_string (void *cls,
 cdata = data;
 subject_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&cred.subject_key);
 issuer_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&cred.issuer_key);
+ etime_abs.abs_value_us = GNUNET_ntohll(cred.expiration);
+ expiration = GNUNET_STRINGS_absolute_time_to_string (etime_abs);
 GNUNET_STRINGS_base64_encode ((char*)&cred.sig, sizeof (struct GNUNET_CRYPTO_EcdsaSignature), &signature);
 GNUNET_asprintf (&cred_str,
- "%s.%s -> %s sig:%s",
+ "%s.%s -> %s exp:%s sig:%s",
 issuer_pkey,
 &cdata[sizeof (cred)],
 subject_pkey,
+ expiration,
 signature);
 GNUNET_free (subject_pkey);
 GNUNET_free (issuer_pkey);
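Review bot: `cred_verified` is declared but neither assigned nor read anywhere in this hunk, and the follow-up "-fix" commit's hunk of the same function still shows it unused; unless the part of `send_lookup_response` outside the hunk uses it, it only draws an unused-variable warning and should be dropped, or given its intended initial value where declared (`uint32_t cred_verified = GNUNET_NO;`) if a later change is meant to set it. The function starts before the hunk, so the declaration block's context is not fully visible.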
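Review bot: The `exp:%s` field is filled from `GNUNET_STRINGS_absolute_time_to_string`, whose human-readable output is a date containing spaces, while the matching `SSCANF` added to `credential_string_to_value` reads it with `exp:%255s`, which stops at the first space — so a credential converted to its string form cannot be parsed back, and the `sig:` token is never reached (the same issue therefore applies to the `@@ -141,13 +147,17 @@` hunk below). Serialize the expiration in a whitespace-free form on both sides, e.g. the raw microsecond value: `"%s.%s -> %s exp:%llu sig:%s"` with `(unsigned long long) etime_abs.abs_value_us` here, and `exp:%llu` into an `unsigned long long` on the parsing side. Hedged: `expiration` holds the pointer returned by `GNUNET_STRINGS_absolute_time_to_string`, which in GNUnet is a static buffer — fine for the single `GNUNET_asprintf`, but it must not be freed or retained across calls.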
@@ -141,13 +147,17 @@ credential_string_to_value (void *cls,
 char issuer_pkey[enclen + 1];
 char name[253 + 1];
 char signature[128]; //TODO max payload size
+ char expiration[256];
+ struct GNUNET_CRYPTO_EcdsaSignature *sig;
+ struct GNUNET_TIME_Absolute etime_abs;
- if (4 != SSCANF (s,
- "%52s.%253s -> %52s sig:%s",
+ if (5 != SSCANF (s,
+ "%52s.%253s -> %52s exp:%255s sig:%127s",
 issuer_pkey,
 name,
 subject_pkey,
+ expiration,
 signature))
 {
 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
@@ -163,10 +173,13 @@ credential_string_to_value (void *cls,
 GNUNET_CRYPTO_ecdsa_public_key_from_string (issuer_pkey, strlen (issuer_pkey), &cred->issuer_key);
+ GNUNET_STRINGS_fancy_time_to_absolute (expiration,
+ &etime_abs);
 GNUNET_STRINGS_base64_decode (signature, strlen (signature), (char**)&sig);
 cred->sig = *sig;
+ cred->expiration = htonl (etime_abs.abs_value_us);
 GNUNET_free (sig);
 GNUNET_memcpy (&cred[1], name,
diff --git a/src/credential/test_credential_issue.sh b/src/credential/test_credential_issue.sh
index 95eac2957..4d1ba67c7 100755
--- a/src/credential/test_credential_issue.sh
+++ b/src/credential/test_credential_issue.sh
@@ -29,7 +29,7 @@ gnunet-identity -C testsubject -c test_credential_lookup.conf
 SUBJECT_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testsubject | awk '{print $3}')
 ISSUER_KEY=$(gnunet-identity -d -c test_credential_lookup.conf | grep testissuer | awk '{print $3}')
 #TODO1 Get credential and store it with subject (3)
-$DO_TIMEOUT gnunet-credential --issue --ego=testissuer --subject=$SUBJECT_KEY --attribute=$TEST_ATTR -c test_credential_lookup.conf
+$DO_TIMEOUT valgrind gnunet-credential --issue --ego=testissuer --subject=$SUBJECT_KEY --attribute=$TEST_ATTR --ttl=5m -c test_credential_lookup.conf
 STATUS=$?
 gnunet-arm -e -c test_credential_lookup.conf
diff --git a/src/include/gnunet_credential_service.h b/src/include/gnunet_credential_service.h
index 151587768..a7de3c822 100644
--- a/src/include/gnunet_credential_service.h
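Review bot: `cred->expiration = htonl (etime_abs.abs_value_us);` truncates the 64-bit microsecond value to 32 bits and uses the wrong byte-order helper — the issue path stores the field with `GNUNET_htonll` and `credential_value_to_string` reads it with `GNUNET_ntohll` — so any credential that passes through its string form comes back with a corrupted expiration, and if the signature covers the field it will no longer verify. It should be `cred->expiration = GNUNET_htonll (etime_abs.abs_value_us);`. The return value of `GNUNET_STRINGS_fancy_time_to_absolute` is also ignored, leaving `etime_abs` uninitialised when the `exp:` token does not parse; check it and fail the conversion the same way the `SSCANF` mismatch branch above does. The rest of `credential_string_to_value` (including its return statements) is outside the hunk.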
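Review bot: Prefixing the command with `valgrind` changes what `STATUS=$?` on the next line measures: valgrind passes the program's exit code through but only reports memory errors on stderr, so the test still cannot catch them, and on a host without valgrind the line fails with 127 before `--ttl=5m` is ever exercised. If valgrind is wanted in the test, gate it the way the sibling scripts gate `timeout` (`which valgrind &> /dev/null && DO_VALGRIND="valgrind --error-exitcode=1"`) and run `$DO_TIMEOUT $DO_VALGRIND gnunet-credential …`; otherwise leave it out of the committed test.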
+++ b/src/include/gnunet_credential_service.h
@@ -83,6 +83,10 @@ struct GNUNET_CREDENTIAL_CredentialRecordData {
 */
 struct GNUNET_CRYPTO_EcdsaSignature sig;
+ /**
+ * Signature meta
+ */
+ struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
 /**
 * Public key of the issuer
@@ -250,13 +254,15 @@ GNUNET_CREDENTIAL_remove_delegation (struct GNUNET_CREDENTIAL_Handle *handle,
 * @param issuer the ego that should be used to issue the attribute
 * @param subject the subject of the attribute
 * @param attribute the name of the attribute
+ * @param expiration the TTL of the credential
 * @return handle to the queued request
 */
 struct GNUNET_CREDENTIAL_CredentialRecordData *
 GNUNET_CREDENTIAL_issue (struct GNUNET_CREDENTIAL_Handle *handle,
 const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer,
 struct GNUNET_CRYPTO_EcdsaPublicKey *subject,
- const char *attribute);
+ const char *attribute,
+ struct GNUNET_TIME_Absolute *expiration);
 /**
-- cgit v1.2.3 From 97b457f5cbb8d4aeb7942ae23dc6dad84db30638 Mon Sep 17 00:00:00 2001 From: "Schanzenbach, Martin" Date: Tue, 6 Dec 2016 10:13:30 +0100 Subject: -fix --- src/credential/gnunet-service-credential.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) (limited to 'src/credential')
diff --git a/src/credential/gnunet-service-credential.c b/src/credential/gnunet-service-credential.c
index 7f18c77f6..ec84d18a6 100644
--- a/src/credential/gnunet-service-credential.c
+++ b/src/credential/gnunet-service-credential.c
@@ -325,7 +325,6 @@ send_lookup_response (void* cls,
 struct GNUNET_MQ_Envelope *env;
 struct VerifyResultMessage *rmsg;
 const struct GNUNET_CREDENTIAL_CredentialRecordData *crd;
- struct GNUNET_CRYPTO_EccSignaturePurpose *purp;
 struct CredentialRecordEntry *cr_entry;
 uint32_t cred_verified;
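Review bot: `@param expiration the TTL of the credential` describes a relative duration, but the parameter is a `struct GNUNET_TIME_Absolute *` and `GNUNET_CREDENTIAL_issue` stores `expiration->abs_value_us` verbatim as the record's expiration (the CLI converts its `--ttl` to an absolute time before calling); suggest `@param expiration absolute time at which the credential expires; read only, must not be NULL` and `const struct GNUNET_TIME_Absolute *expiration` in the prototype. The `Signature meta` comment on the new `purpose` member should say what the signature covers, because the member's position is now load-bearing — `GNUNET_CRYPTO_ecdsa_sign`/`_verify` read `purpose.size` bytes starting at this field — e.g. `Purpose and length of the signed region: sig covers this field and everything after it in the record, including the attribute name appended after the struct`, provided the size computation in credential_api.c is made to match. The pre-existing `@return handle to the queued request` now sits on a function that returns a freshly allocated record the caller owns, which is worth correcting in the same hunk.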
@@ -359,23 +358,13 @@ send_lookup_response (void* cls,
 GNUNET_CONTAINER_DLL_insert_tail (vrh->cred_chain_head, vrh->cred_chain_tail, cr_entry);
- purp = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
- sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
- strlen ((char*)&crd[1]) +1 );
- purp->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
- sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey) +
- strlen ((char*)&crd[1]) +1 );
-
- purp->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_CREDENTIAL);
 if(GNUNET_OK == GNUNET_CRYPTO_ecdsa_verify(GNUNET_SIGNATURE_PURPOSE_CREDENTIAL,
- purp,
+ &crd->purpose,
 &crd->sig,
 &crd->issuer_key))
 {
- GNUNET_free (purp);
 break;
 }
- GNUNET_free (purp);
 }
-- cgit v1.2.3
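Review bot: `GNUNET_CRYPTO_ecdsa_verify` now reads `ntohl (crd->purpose.size)` bytes starting at `&crd->purpose`, and that length comes from the record data itself (`crd` is set from a looked-up record earlier in `send_lookup_response`, which begins outside the hunk); nothing in the hunk checks it against the record's real length, so a malformed or hostile record with an inflated `purpose.size` makes the verifier read past the record buffer. Before the call, reject records whose size field does not match, e.g. `if (ntohl (crd->purpose.size) != RECORD_DATA_SIZE - offsetof (struct GNUNET_CREDENTIAL_CredentialRecordData, purpose))` (with `RECORD_DATA_SIZE` a placeholder for whatever variable holds the record's length there) and treat a mismatch as a failed verification. The expiration added in the previous commit is not consulted either: a credential whose `GNUNET_ntohll (crd->expiration)` is already in the past still passes and ends the search with `break`, so a `GNUNET_TIME_absolute_get_remaining` check belongs next to the signature check. Note also that the old code signed over purpose + subject key + attribute while the new `purpose.size` written by `GNUNET_CREDENTIAL_issue` covers a different span, so records issued before this change stop verifying — fine for a prototype, but worth stating in the commit message.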