diff --git a/bare_minimum_crypto/cpp/Makefile b/bare_minimum_crypto/cpp/Makefile index b9bb048..2271b72 100644 --- a/bare_minimum_crypto/cpp/Makefile +++ b/bare_minimum_crypto/cpp/Makefile @@ -5,15 +5,18 @@ CXX_FLAGS=$(FLAGS) -c L_FLAGS=$(FLAGS) LIBS=-lsodium -bmc_test: bmc_test.o base64.o +bmc_test: bmc_test.o base64.o string_helpers.o $(CXX) -o $@ $^ $(L_FLAGS) $(LIBS) -bmc_test.o: bmc_test.cpp +bmc_test.o: bmc_test.cpp string_helpers.h $(CXX) -o $@ $(CXX_FLAGS) $< base64.o: cpp-base64/base64.cpp cpp-base64/base64.h $(CXX) -o $@ $(CXX_FLAGS) $< -clean: - rm bmc_test +string_helpers.o: string_helpers.cpp string_helpers.h cpp-base64/base64.h + $(CXX) -o $@ $(CXX_FLAGS) $< + +clean: + rm -f bmc_test bmc_test.o base64.o string_helpers.o diff --git a/bare_minimum_crypto/cpp/bmc_test.cpp b/bare_minimum_crypto/cpp/bmc_test.cpp index c323706..e5c9f17 100644 --- a/bare_minimum_crypto/cpp/bmc_test.cpp +++ b/bare_minimum_crypto/cpp/bmc_test.cpp @@ -11,29 +11,19 @@ #include "cpp-base64/base64.h" #include "json.hpp" +#include "string_helpers.h" + using namespace std; using chrono::duration_cast; using chrono::seconds; using chrono::system_clock; using nlohmann::json; +using namespace BareMinimumCrypto; + +const int64_t about_1_week = (int64_t)7 * 86400; const int64_t about_3_months = (int64_t)105 * 86400; - -// Not sure why the Base64 lib fails to provide this API -string b64_encode (const vector & v) { - return base64_encode (string_view ((const char *)v.data (), v.size ())); -} - -optional > b64_decode (const string & s) { - try { - const auto decoded = base64_decode (s); - const vector v ((const uint8_t *)&decoded [0], (const uint8_t *)&decoded [decoded.size ()]); - return v; - } - catch (const exception &) { - return nullopt; - } -} +const int64_t about_1_year = (int64_t)365 * 86400; struct ExpiringSignature { string cert_s; @@ -142,23 +132,28 @@ public: } string pub_to_base64 () const { - return b64_encode (pk); + return base64_encode (pk); } - optional sign_binary ( - const vector & payload, + optional sign_base64 ( + const string & payload_b64, string purpose, - int64_t now + int64_t now, + int64_t duration ) const { try_sodium_init (); - const auto not_after = now + about_3_months; + if (duration > about_1_year) { + return nullopt; + } + + const auto not_after = now + duration; const json j { {"not_before", now}, {"not_after", not_after}, {"purpose", purpose}, - {"payload_b64", b64_encode (payload)}, + {"payload_b64", payload_b64}, }; const auto cert_s = j.dump (); @@ -176,7 +171,12 @@ public: optional sign_key (const SigningKey & k, int64_t now) const { - return sign_binary (k.pk, "4QHAB7O5 trusted public key", now); + return sign_base64 (k.pub_to_base64 (), "4QHAB7O5 trusted public key", now, about_3_months); + } + + optional sign_data (const vector & v, int64_t now) const + { + return sign_base64 (base64_encode (v), "MS7WL26L signed data", now, about_1_week); } }; @@ -210,7 +210,7 @@ int check_base64 () { } vector v {1, 2, 3, 4, 5, 6}; - const auto s = b64_encode (v); + const auto s = base64_encode (v); if (s != "AQIDBAUG") { cerr << "Base64 encoding failed" << endl; @@ -236,13 +236,9 @@ int check_base64 () { return 0; } -int main () { - if (check_base64 () != 0) { - return 1; - } - - // Suppose we generate a root key and keep it somewhere safe - // (not a server) +int happy_path () { + // We generate a root key and keep it somewhere safe + // (offline, hopefully) SigningKey root_key; cerr << "Root pub key " << root_key.pub_to_base64 () << endl; @@ -250,11 +246,17 @@ int main () { return 1; } - // Suppose the server generates a signing key + // The server generates a signing key SigningKey signing_key; cerr << "Signing key " << signing_key.pub_to_base64 () << endl; const auto now = get_seconds_since_epoch (); + + // That signing key signs some important data + const auto important_data = copy_to_bytes ("Nikolai, Anna, Ivan, Mikhail, Ivan, Nikolai, Anna. 7 4 1 4 3 5 7 4"); + const ExpiringSignature signed_data = std::move (*signing_key.sign_data (important_data, now)); + + // The server signs our temporary signing key const ExpiringSignature cert = std::move (*root_key.sign_key (signing_key, now)); { @@ -281,27 +283,60 @@ int main () { { cerr << "Cert:" << endl; cerr << cert.cert_s << endl; - cerr << b64_encode (cert.sig) << endl; + cerr << base64_encode (cert.sig) << endl; } - // Suppose the client knows our root public key + // The client knows our root public key const auto root_pubkey = root_key.pubkey (); - if (crypto_sign_verify_detached (cert.sig.data (), (const uint8_t *)cert.cert_s.data (), cert.cert_s.size (), root_pubkey.data ()) != 0) { - cerr << "Bad signature" << endl; - return 1; - } - if (crypto_sign_verify_detached (cert.sig.data (), (const uint8_t *)cert.cert_s.data (), cert.cert_s.size () - 1, root_pubkey.data ()) == 0) { - cerr << "Signature should not have verified" << endl; - return 1; + { + auto verified_opt = verify_signed_data (cert, now, root_pubkey); + if (! verified_opt) { + cerr << "Couldn't verify cert" << endl; + return 1; + } + const auto verified = std::move (*verified_opt); + + if (verified.purpose != "4QHAB7O5 trusted public key") { + cerr << "Purpose did not match" << endl; + return 1; + } + if (verified.payload != signing_key.pubkey ()) { + cerr << "Pubkey payload did not match" << endl; + return 1; + } } { - const json j = json::parse (cert.cert_s); + auto verified_opt = verify_signed_data (signed_data, now, signing_key.pubkey ()); + if (! verified_opt) { + cerr << "Couldn't verify cert" << endl; + return 1; + } + const auto verified = std::move (*verified_opt); - cerr << "not_before: " << (int64_t)j ["not_before"] << endl; + if (verified.purpose != "MS7WL26L signed data") { + cerr << "Purpose did not match" << endl; + return 1; + } + if (verified.payload != important_data) { + cerr << "Pubkey payload did not match" << endl; + return 1; + } } - cerr << "Done." << endl; + return 0; +} + +int main () { + if (check_base64 () != 0) { + return 1; + } + + if (happy_path () != 0) { + return 1; + } + + cerr << "All good." << endl; return 0; } diff --git a/bare_minimum_crypto/cpp/string_helpers.cpp b/bare_minimum_crypto/cpp/string_helpers.cpp new file mode 100644 index 0000000..4cd015d --- /dev/null +++ b/bare_minimum_crypto/cpp/string_helpers.cpp @@ -0,0 +1,25 @@ +#include "string_helpers.h" + +#include "cpp-base64/base64.h" + +namespace BareMinimumCrypto { + using namespace std; + + vector copy_to_bytes (const string & s) { + return vector ((const uint8_t *)&s [0], (const uint8_t *)&s [s.size ()]); + } + + string base64_encode (const vector & v) { + return ::base64_encode (string_view ((const char *)v.data (), v.size ())); + } + + optional > b64_decode (const string & s) { + try { + const auto decoded = base64_decode (s); + return copy_to_bytes (decoded); + } + catch (const exception &) { + return nullopt; + } + } +} diff --git a/bare_minimum_crypto/cpp/string_helpers.h b/bare_minimum_crypto/cpp/string_helpers.h new file mode 100644 index 0000000..201534c --- /dev/null +++ b/bare_minimum_crypto/cpp/string_helpers.h @@ -0,0 +1,16 @@ +#pragma once + +#include +#include +#include +#include + +namespace BareMinimumCrypto { + using namespace std; + + vector copy_to_bytes (const string & s); + + // Not sure why the Base64 lib fails to provide this API + string base64_encode (const vector & v); + optional > b64_decode (const string & s); +}