296 lines
8.9 KiB
C++
296 lines
8.9 KiB
C++
#include <chrono>
|
|
#include <filesystem>
|
|
#include <fstream>
|
|
#include <iostream>
|
|
#include <optional>
|
|
#include <stdint.h>
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
#include "cxxopts.hpp"
|
|
#include "json.hpp"
|
|
|
|
#include "expiring_signature.h"
|
|
#include "receiver.h"
|
|
#include "sender.h"
|
|
#include "signing_key.h"
|
|
#include "sodium_helpers.h"
|
|
#include "string_helpers.h"
|
|
#include "time_helpers.h"
|
|
|
|
using namespace std;
|
|
using nlohmann::json;
|
|
using namespace BareMinimumCrypto;
|
|
namespace fs = std::filesystem;
|
|
|
|
int file (const string & file_path) {
|
|
cout << "Reading `" << file_path << "`" << endl;
|
|
|
|
const auto j = std::move (*try_load_msgpack_file (file_path));
|
|
|
|
if (! j.contains ("app")) {
|
|
cout << "Can't find app magic string. This file was probably not made by BMC." << endl;
|
|
return 1;
|
|
}
|
|
|
|
const string app = j ["app"];
|
|
|
|
if (app != "4B27CL32") {
|
|
cout << "Can't find app magic string. This file was probably not made by BMC." << endl;
|
|
return 1;
|
|
}
|
|
|
|
const string schema = j ["schema"];
|
|
|
|
cout << "Schema: " << schema << endl;
|
|
|
|
if (schema == "3T6XF5DZ") {
|
|
cout << "File is a secret key for humans. (It's passphrase-protected)" << endl;
|
|
|
|
// Read msgpack fields
|
|
const auto key = std::move (*HumanKeyFile::try_from_msgpack (j));
|
|
|
|
// Read data from other places
|
|
const auto now = Instant::now ();
|
|
|
|
// Print normal stuff
|
|
cout << "Generated at Unix time " << key.time_created.x
|
|
<< " (" << now.x - key.time_created.x << " seconds ago)"
|
|
<< endl;
|
|
cout << "Generated on machine ID " << key.machine_id << endl;
|
|
cout << "Claims to have Base64 pubkey `" << base64_encode (key.pubkey) << "`" << endl;
|
|
|
|
// Print warnings
|
|
if (now.x < key.time_created.x) {
|
|
cout << "* The key was generated in the past. Someone's clock is wrong." << endl;
|
|
}
|
|
if (get_machine_id () != key.machine_id) {
|
|
cout << "* The key was generated on another machine. You should report this." << endl;
|
|
}
|
|
if (fs::status (file_path).permissions () != fs::perms::owner_read) {
|
|
cout << "* The key doesn't have the right permissions. Try `chmod 400` on it." << endl;
|
|
}
|
|
}
|
|
else if (schema == "2PVHIKMA") {
|
|
cout << "File is a secret key for machines. (No passphrase)" << endl;
|
|
|
|
// Read msgpack fields
|
|
const auto key = std::move (*MachineKeyFile::try_from_msgpack (j));
|
|
|
|
// Read data from other places
|
|
const auto now = Instant::now ();
|
|
|
|
// Print normal stuff
|
|
cout << "Generated at Unix time " << key.time_created.x
|
|
<< " (" << now.x - key.time_created.x << " seconds ago)"
|
|
<< endl;
|
|
cout << "Generated on machine ID " << key.machine_id << endl;
|
|
cout << "Claims to have Base64 pubkey `" << base64_encode (key.pubkey ()) << "`" << endl;
|
|
|
|
// Print warnings
|
|
if (now.x < key.time_created.x) {
|
|
cout << "* The key was generated in the past. Someone's clock is wrong." << endl;
|
|
}
|
|
if (get_machine_id () != key.machine_id) {
|
|
cout << "* The key was generated on another machine. You should report this." << endl;
|
|
}
|
|
if (fs::status (file_path).permissions () != fs::perms::owner_read) {
|
|
cout << "* The key doesn't have the right permissions. Try `chmod 400` on it." << endl;
|
|
}
|
|
}
|
|
else if (schema == "MSYZGDBI") {
|
|
cout << "File is a signed certificate, possibly for a pubkey." << endl;
|
|
|
|
cout << "Claims to be signed by pubkey `" << base64_encode (j ["signer_pubkey"].get_binary ()) << "`" << endl;
|
|
|
|
const auto cert_bytes = j ["cert"].get_binary ();
|
|
const auto cert = json::from_msgpack (cert_bytes);
|
|
|
|
const TimeRange tr {
|
|
cert ["not_before"],
|
|
cert ["not_after"],
|
|
};
|
|
|
|
const auto now = Instant::now ();
|
|
|
|
if (! tr.contains (now)) {
|
|
cout << "Cert is NOT valid." << endl;
|
|
|
|
if (now.x <= tr.not_before) {
|
|
cout << "Cert is from the future. Is your clock behind? Is the signer's clock ahead?" << endl;
|
|
}
|
|
else if (now.x >= tr.not_after) {
|
|
cout << "Cert expired " << now.x - tr.not_after << " seconds ago. Don't trust it." << endl;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
cout << "Cert is valid for another " << tr.not_after - now.x << " seconds." << endl;
|
|
|
|
const auto payload = cert ["payload"].get_binary ();
|
|
|
|
if (payload.size () == crypto_sign_PUBLICKEYBYTES) {
|
|
cout << "Payload might be the pubkey `" << base64_encode (payload) << "`" << endl;
|
|
}
|
|
else {
|
|
cout << "Payload doesn't have the right size to be a pubkey." << endl;
|
|
}
|
|
}
|
|
else {
|
|
cout << "Unknown schema. Maybe this file is from a newer version of BMC?" << endl;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int test () {
|
|
if (test_base64 () != 0) {
|
|
return 1;
|
|
}
|
|
|
|
cerr << "crypto_sign_PUBLICKEYBYTES = " << crypto_sign_PUBLICKEYBYTES << endl;
|
|
cerr << "crypto_sign_SECRETKEYBYTES = " << crypto_sign_SECRETKEYBYTES << endl;
|
|
|
|
// We generate a root key and keep it somewhere safe
|
|
// (offline, hopefully)
|
|
|
|
SigningKey root_key;
|
|
cerr << "Root pub key " << base64_encode (root_key.pubkey ()) << endl;
|
|
|
|
if (test_time () != 0) {
|
|
return 1;
|
|
}
|
|
|
|
const auto now = Instant::now ();
|
|
|
|
// The sender generates a key
|
|
SigningKey sender_key;
|
|
cerr << "Sender key " << base64_encode (sender_key.pubkey ()) << endl;
|
|
|
|
// The root signs the sender key
|
|
const auto sender_cert = std::move (*root_key.sign_key (sender_key.pubkey (), now));
|
|
|
|
const auto sender = std::move (*Sender::create (sender_key, sender_cert));
|
|
|
|
// The sender signs some important data
|
|
const auto important_data = copy_to_bytes ("Nikolai, Anna, Ivan, Mikhail, Ivan, Nikolai, Anna. 7 4 1 4 3 5 7 4");
|
|
const auto signed_data = std::move (*sender.sign (important_data));
|
|
|
|
// The receiver verifies the data by the root public key,
|
|
// even though the receiver has never seen the sender-key.
|
|
|
|
auto verified_opt = Receiver::verify_cert_and_data (root_key.pubkey (), signed_data);
|
|
if (! verified_opt) {
|
|
cerr << "Receiver couldn't verify cert and data" << endl;
|
|
return 1;
|
|
}
|
|
const auto verified = std::move (*verified_opt);
|
|
|
|
if (verified != important_data) {
|
|
cerr << "Verified payload did not match expected payload" << endl;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int main (int argc, char ** argv) {
|
|
cxxopts::Options options ("BareMinimumCrypto", "Simple crypto things you might need.");
|
|
options.add_options ()
|
|
// Commands
|
|
("help", "Print usage")
|
|
("file", "Print info about any file generated by BMC", cxxopts::value <string> ())
|
|
("generate-human-key", "Generate a passphrase-protected key for human use", cxxopts::value <string> ())
|
|
("generate-machine-key", "Generate a key for machine use, with no passphrase", cxxopts::value <string> ())
|
|
("generate-key-cert", "Certify a key for 3 months and save the cert here", cxxopts::value <string> ())
|
|
|
|
// cxxopts nonsense
|
|
("using-key", "Key to load for other operations", cxxopts::value <string> ())
|
|
|
|
// Other stuff
|
|
("test", "Run self-test")
|
|
;
|
|
|
|
auto result = options.parse (argc, argv);
|
|
|
|
if (result.count ("help")) {
|
|
cout << options.help () << endl;
|
|
}
|
|
else if (result.count ("file")) {
|
|
const auto file_path = result ["file"].as <string> ();
|
|
return file (file_path);
|
|
}
|
|
else if (result.count ("generate-human-key")) {
|
|
const auto file_path = result ["generate-human-key"].as <string> ();
|
|
const auto passphrase = get_passphrase_from_user ();
|
|
|
|
auto key_opt = HumanKeyFile::generate (file_path, passphrase);
|
|
if (! key_opt) {
|
|
cerr << "Error. Key was not generated" << endl;
|
|
return 1;
|
|
}
|
|
cout << "The pubkey is `" << base64_encode (key_opt->pubkey ()) << "`" << endl;
|
|
}
|
|
else if (result.count ("generate-machine-key")) {
|
|
const auto file_path = result ["generate-machine-key"].as <string> ();
|
|
|
|
auto key_opt = MachineKeyFile::generate (file_path);
|
|
if (! key_opt) {
|
|
cerr << "Error. Key was not generated" << endl;
|
|
return 1;
|
|
}
|
|
cout << "The pubkey is `" << base64_encode (key_opt->pubkey ()) << "`" << endl;
|
|
}
|
|
else if (result.count ("generate-key-cert")) {
|
|
if (! result.count ("using-key")) {
|
|
cerr << "Usage: bmc --generate-key-cert output.cert --using-key human.key" << endl;
|
|
return 1;
|
|
}
|
|
|
|
const auto key_path = result ["using-key"].as <string> ();
|
|
const auto output_path = result ["generate-key-cert"].as <string> ();
|
|
const auto passphrase = get_passphrase_from_user ();
|
|
|
|
auto key_opt = HumanKeyFile::load (key_path, passphrase);
|
|
if (! key_opt) {
|
|
cerr << "Error, could not load human key." << endl;
|
|
return 1;
|
|
}
|
|
const auto key = std::move (*key_opt);
|
|
|
|
cout << "Paste Base64-encoded public key" << endl;
|
|
string pubkey_b64;
|
|
cin >> pubkey_b64;
|
|
|
|
auto pubkey_opt = base64_decode (pubkey_b64);
|
|
const auto pubkey = std::move (*pubkey_opt);
|
|
|
|
auto sig_opt = key.sign (pubkey, TimeRange::from_start_and_dur (Instant::now (), about_3_months));
|
|
if (! sig_opt) {
|
|
cerr << "Error, could not sign pubkey." << endl;
|
|
return 1;
|
|
}
|
|
const auto sig = std::move (*sig_opt);
|
|
const auto sig_bytes = sig.to_msgpack ();
|
|
|
|
ofstream f;
|
|
f.open (output_path, ofstream::binary);
|
|
|
|
if (! f.is_open ()) {
|
|
cerr << "Error, could not open output file" << endl;
|
|
return 1;
|
|
}
|
|
|
|
f.write ((const char *)sig_bytes.data (), sig_bytes.size ());
|
|
}
|
|
else if (result.count ("test")) {
|
|
if (test () != 0) {
|
|
return 1;
|
|
}
|
|
|
|
cerr << "All good." << endl;
|
|
}
|
|
return 0;
|
|
}
|