♻️ refactor: splitting out util functions
parent
f387c69858
commit
3fdfc983e2
|
@ -5,15 +5,18 @@ CXX_FLAGS=$(FLAGS) -c
|
||||||
L_FLAGS=$(FLAGS)
|
L_FLAGS=$(FLAGS)
|
||||||
LIBS=-lsodium
|
LIBS=-lsodium
|
||||||
|
|
||||||
bmc_test: bmc_test.o base64.o
|
bmc_test: bmc_test.o base64.o string_helpers.o
|
||||||
$(CXX) -o $@ $^ $(L_FLAGS) $(LIBS)
|
$(CXX) -o $@ $^ $(L_FLAGS) $(LIBS)
|
||||||
|
|
||||||
bmc_test.o: bmc_test.cpp
|
bmc_test.o: bmc_test.cpp string_helpers.h
|
||||||
$(CXX) -o $@ $(CXX_FLAGS) $<
|
$(CXX) -o $@ $(CXX_FLAGS) $<
|
||||||
|
|
||||||
base64.o: cpp-base64/base64.cpp cpp-base64/base64.h
|
base64.o: cpp-base64/base64.cpp cpp-base64/base64.h
|
||||||
$(CXX) -o $@ $(CXX_FLAGS) $<
|
$(CXX) -o $@ $(CXX_FLAGS) $<
|
||||||
|
|
||||||
clean:
|
string_helpers.o: string_helpers.cpp string_helpers.h cpp-base64/base64.h
|
||||||
rm bmc_test
|
$(CXX) -o $@ $(CXX_FLAGS) $<
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f bmc_test bmc_test.o base64.o string_helpers.o
|
||||||
|
|
||||||
|
|
|
@ -11,29 +11,19 @@
|
||||||
#include "cpp-base64/base64.h"
|
#include "cpp-base64/base64.h"
|
||||||
#include "json.hpp"
|
#include "json.hpp"
|
||||||
|
|
||||||
|
#include "string_helpers.h"
|
||||||
|
|
||||||
using namespace std;
|
using namespace std;
|
||||||
using chrono::duration_cast;
|
using chrono::duration_cast;
|
||||||
using chrono::seconds;
|
using chrono::seconds;
|
||||||
using chrono::system_clock;
|
using chrono::system_clock;
|
||||||
using nlohmann::json;
|
using nlohmann::json;
|
||||||
|
|
||||||
|
using namespace BareMinimumCrypto;
|
||||||
|
|
||||||
|
const int64_t about_1_week = (int64_t)7 * 86400;
|
||||||
const int64_t about_3_months = (int64_t)105 * 86400;
|
const int64_t about_3_months = (int64_t)105 * 86400;
|
||||||
|
const int64_t about_1_year = (int64_t)365 * 86400;
|
||||||
// Not sure why the Base64 lib fails to provide this API
|
|
||||||
string b64_encode (const vector <uint8_t> & v) {
|
|
||||||
return base64_encode (string_view ((const char *)v.data (), v.size ()));
|
|
||||||
}
|
|
||||||
|
|
||||||
optional <vector <uint8_t>> b64_decode (const string & s) {
|
|
||||||
try {
|
|
||||||
const auto decoded = base64_decode (s);
|
|
||||||
const vector <uint8_t> v ((const uint8_t *)&decoded [0], (const uint8_t *)&decoded [decoded.size ()]);
|
|
||||||
return v;
|
|
||||||
}
|
|
||||||
catch (const exception &) {
|
|
||||||
return nullopt;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
struct ExpiringSignature {
|
struct ExpiringSignature {
|
||||||
string cert_s;
|
string cert_s;
|
||||||
|
@ -142,23 +132,28 @@ public:
|
||||||
}
|
}
|
||||||
|
|
||||||
string pub_to_base64 () const {
|
string pub_to_base64 () const {
|
||||||
return b64_encode (pk);
|
return base64_encode (pk);
|
||||||
}
|
}
|
||||||
|
|
||||||
optional <ExpiringSignature> sign_binary (
|
optional <ExpiringSignature> sign_base64 (
|
||||||
const vector <uint8_t> & payload,
|
const string & payload_b64,
|
||||||
string purpose,
|
string purpose,
|
||||||
int64_t now
|
int64_t now,
|
||||||
|
int64_t duration
|
||||||
) const {
|
) const {
|
||||||
try_sodium_init ();
|
try_sodium_init ();
|
||||||
|
|
||||||
const auto not_after = now + about_3_months;
|
if (duration > about_1_year) {
|
||||||
|
return nullopt;
|
||||||
|
}
|
||||||
|
|
||||||
|
const auto not_after = now + duration;
|
||||||
|
|
||||||
const json j {
|
const json j {
|
||||||
{"not_before", now},
|
{"not_before", now},
|
||||||
{"not_after", not_after},
|
{"not_after", not_after},
|
||||||
{"purpose", purpose},
|
{"purpose", purpose},
|
||||||
{"payload_b64", b64_encode (payload)},
|
{"payload_b64", payload_b64},
|
||||||
};
|
};
|
||||||
|
|
||||||
const auto cert_s = j.dump ();
|
const auto cert_s = j.dump ();
|
||||||
|
@ -176,7 +171,12 @@ public:
|
||||||
|
|
||||||
optional <ExpiringSignature> sign_key (const SigningKey & k, int64_t now) const
|
optional <ExpiringSignature> sign_key (const SigningKey & k, int64_t now) const
|
||||||
{
|
{
|
||||||
return sign_binary (k.pk, "4QHAB7O5 trusted public key", now);
|
return sign_base64 (k.pub_to_base64 (), "4QHAB7O5 trusted public key", now, about_3_months);
|
||||||
|
}
|
||||||
|
|
||||||
|
optional <ExpiringSignature> sign_data (const vector <uint8_t> & v, int64_t now) const
|
||||||
|
{
|
||||||
|
return sign_base64 (base64_encode (v), "MS7WL26L signed data", now, about_1_week);
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -210,7 +210,7 @@ int check_base64 () {
|
||||||
}
|
}
|
||||||
|
|
||||||
vector <uint8_t> v {1, 2, 3, 4, 5, 6};
|
vector <uint8_t> v {1, 2, 3, 4, 5, 6};
|
||||||
const auto s = b64_encode (v);
|
const auto s = base64_encode (v);
|
||||||
|
|
||||||
if (s != "AQIDBAUG") {
|
if (s != "AQIDBAUG") {
|
||||||
cerr << "Base64 encoding failed" << endl;
|
cerr << "Base64 encoding failed" << endl;
|
||||||
|
@ -236,13 +236,9 @@ int check_base64 () {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int main () {
|
int happy_path () {
|
||||||
if (check_base64 () != 0) {
|
// We generate a root key and keep it somewhere safe
|
||||||
return 1;
|
// (offline, hopefully)
|
||||||
}
|
|
||||||
|
|
||||||
// Suppose we generate a root key and keep it somewhere safe
|
|
||||||
// (not a server)
|
|
||||||
SigningKey root_key;
|
SigningKey root_key;
|
||||||
cerr << "Root pub key " << root_key.pub_to_base64 () << endl;
|
cerr << "Root pub key " << root_key.pub_to_base64 () << endl;
|
||||||
|
|
||||||
|
@ -250,11 +246,17 @@ int main () {
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Suppose the server generates a signing key
|
// The server generates a signing key
|
||||||
SigningKey signing_key;
|
SigningKey signing_key;
|
||||||
cerr << "Signing key " << signing_key.pub_to_base64 () << endl;
|
cerr << "Signing key " << signing_key.pub_to_base64 () << endl;
|
||||||
|
|
||||||
const auto now = get_seconds_since_epoch ();
|
const auto now = get_seconds_since_epoch ();
|
||||||
|
|
||||||
|
// That signing key signs some important data
|
||||||
|
const auto important_data = copy_to_bytes ("Nikolai, Anna, Ivan, Mikhail, Ivan, Nikolai, Anna. 7 4 1 4 3 5 7 4");
|
||||||
|
const ExpiringSignature signed_data = std::move (*signing_key.sign_data (important_data, now));
|
||||||
|
|
||||||
|
// The server signs our temporary signing key
|
||||||
const ExpiringSignature cert = std::move (*root_key.sign_key (signing_key, now));
|
const ExpiringSignature cert = std::move (*root_key.sign_key (signing_key, now));
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -281,27 +283,60 @@ int main () {
|
||||||
{
|
{
|
||||||
cerr << "Cert:" << endl;
|
cerr << "Cert:" << endl;
|
||||||
cerr << cert.cert_s << endl;
|
cerr << cert.cert_s << endl;
|
||||||
cerr << b64_encode (cert.sig) << endl;
|
cerr << base64_encode (cert.sig) << endl;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Suppose the client knows our root public key
|
// The client knows our root public key
|
||||||
const auto root_pubkey = root_key.pubkey ();
|
const auto root_pubkey = root_key.pubkey ();
|
||||||
|
|
||||||
if (crypto_sign_verify_detached (cert.sig.data (), (const uint8_t *)cert.cert_s.data (), cert.cert_s.size (), root_pubkey.data ()) != 0) {
|
{
|
||||||
cerr << "Bad signature" << endl;
|
auto verified_opt = verify_signed_data (cert, now, root_pubkey);
|
||||||
|
if (! verified_opt) {
|
||||||
|
cerr << "Couldn't verify cert" << endl;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
if (crypto_sign_verify_detached (cert.sig.data (), (const uint8_t *)cert.cert_s.data (), cert.cert_s.size () - 1, root_pubkey.data ()) == 0) {
|
const auto verified = std::move (*verified_opt);
|
||||||
cerr << "Signature should not have verified" << endl;
|
|
||||||
|
if (verified.purpose != "4QHAB7O5 trusted public key") {
|
||||||
|
cerr << "Purpose did not match" << endl;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
if (verified.payload != signing_key.pubkey ()) {
|
||||||
|
cerr << "Pubkey payload did not match" << endl;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
const json j = json::parse (cert.cert_s);
|
auto verified_opt = verify_signed_data (signed_data, now, signing_key.pubkey ());
|
||||||
|
if (! verified_opt) {
|
||||||
|
cerr << "Couldn't verify cert" << endl;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
const auto verified = std::move (*verified_opt);
|
||||||
|
|
||||||
cerr << "not_before: " << (int64_t)j ["not_before"] << endl;
|
if (verified.purpose != "MS7WL26L signed data") {
|
||||||
|
cerr << "Purpose did not match" << endl;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if (verified.payload != important_data) {
|
||||||
|
cerr << "Pubkey payload did not match" << endl;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
cerr << "Done." << endl;
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int main () {
|
||||||
|
if (check_base64 () != 0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (happy_path () != 0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
cerr << "All good." << endl;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
#include "string_helpers.h"
|
||||||
|
|
||||||
|
#include "cpp-base64/base64.h"
|
||||||
|
|
||||||
|
namespace BareMinimumCrypto {
|
||||||
|
using namespace std;
|
||||||
|
|
||||||
|
vector <uint8_t> copy_to_bytes (const string & s) {
|
||||||
|
return vector <uint8_t> ((const uint8_t *)&s [0], (const uint8_t *)&s [s.size ()]);
|
||||||
|
}
|
||||||
|
|
||||||
|
string base64_encode (const vector <uint8_t> & v) {
|
||||||
|
return ::base64_encode (string_view ((const char *)v.data (), v.size ()));
|
||||||
|
}
|
||||||
|
|
||||||
|
optional <vector <uint8_t>> b64_decode (const string & s) {
|
||||||
|
try {
|
||||||
|
const auto decoded = base64_decode (s);
|
||||||
|
return copy_to_bytes (decoded);
|
||||||
|
}
|
||||||
|
catch (const exception &) {
|
||||||
|
return nullopt;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
#include <optional>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <string>
|
||||||
|
#include <vector>
|
||||||
|
|
||||||
|
namespace BareMinimumCrypto {
|
||||||
|
using namespace std;
|
||||||
|
|
||||||
|
vector <uint8_t> copy_to_bytes (const string & s);
|
||||||
|
|
||||||
|
// Not sure why the Base64 lib fails to provide this API
|
||||||
|
string base64_encode (const vector <uint8_t> & v);
|
||||||
|
optional <vector <uint8_t>> b64_decode (const string & s);
|
||||||
|
}
|
Loading…
Reference in New Issue