diff options
author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-11-02 23:28:58 +0100 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-11-02 23:28:58 +0100 |
commit | c210c80e80231143f6eaa0f39e8e1d3303983791 (patch) | |
tree | 83b3bb9cbe4947bfd3ddbebb7694f9442834a22c | |
parent | 801afaa9147c4f70fc00fde1993f6ce0c91bd450 (diff) |
added start on stfe client
ChecksumV1 entries can be submitted using client-side ed25519
signatures. The resulting SignedDebugInfoV1 is then verified using the
log's announced signature scheme and public key (currently only ed25519).
-rw-r--r-- | client/add-entry/main.go | 150 | ||||
-rw-r--r-- | client/client.go | 139 | ||||
-rw-r--r-- | server/descriptor/.descriptor.go.swp | bin | 0 -> 12288 bytes | |||
-rw-r--r-- | server/descriptor/stfe.json | 4 | ||||
-rw-r--r-- | server/testdata/chain/ee.csr | 7 | ||||
-rw-r--r-- | server/testdata/chain/ee.key | 3 | ||||
-rw-r--r-- | server/testdata/chain/ee.pem | 9 | ||||
-rw-r--r-- | server/testdata/chain/rgdd-root.srl | 2 | ||||
-rw-r--r-- | verify.go | 32 | ||||
-rw-r--r-- | x509.go | 6 |
10 files changed, 346 insertions, 6 deletions
diff --git a/client/add-entry/main.go b/client/add-entry/main.go new file mode 100644 index 0000000..693aca8 --- /dev/null +++ b/client/add-entry/main.go @@ -0,0 +1,150 @@ +package main + +import ( + "context" + "flag" + "fmt" + + "crypto/ed25519" + "crypto/x509" + "encoding/base64" + "encoding/json" + "encoding/pem" + "io/ioutil" + "net/http" + + "github.com/golang/glog" + "github.com/system-transparency/stfe/client" + "github.com/system-transparency/stfe/server/descriptor" +) + +var ( + operators = flag.String("operators", "../../server/descriptor/stfe.json", "path to json-encoded list of log operators") + logId = flag.String("log_id", "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "base64-encoded log identifier") + chain = flag.String("chain", "../../server/testdata/chain/ee.pem", "path to pem-encoded certificate chain that the log accepts") + key = flag.String("key", "../../server/testdata/chain/ee.key", "path to ed25519 private key that corresponds to the chain's end-entity certificate") + name = flag.String("name", "foobar-1.2.3", "package name") + checksum = flag.String("checksum", "50e7967bce266a506f8f614bb5096beba580d205046b918f47d23b2ec626d75e", "base64-encoded package checksum") +) + +func main() { + flag.Parse() + + client, err := setup() + if err != nil { + glog.Fatal(err) + } + + pname, psum, err := params() + if err != nil { + glog.Fatal(err) + } + + sdi, err := client.AddEntry(context.Background(), pname, psum) + if err != nil { + glog.Fatalf("add-entry failed: %v", err) + } + glog.Infof("got valid StItem: %v", sdi) + glog.Flush() +} + +func params() ([]byte, []byte, error) { + b, err := base64.StdEncoding.DecodeString(*checksum) + if err != nil { + return nil, nil, fmt.Errorf("failed decoding checksum: %v", err) + } + return []byte(*name), b, nil +} + +func setup() (*client.Client, error) { + blob, err := ioutil.ReadFile(*chain) + if err != nil { + return nil, fmt.Errorf("failed reading certificate chain: %v", err) + } + c, err := parseChain(blob) + if err != nil { + return nil, fmt.Errorf("failed loading certificate chain: %v", err) + } + + blob, err = ioutil.ReadFile(*key) + if err != nil { + return nil, fmt.Errorf("failed reading ed25519 private key: %v", err) + } + k, err := parseEd25519PrivateKey(blob) + if err != nil { + return nil, fmt.Errorf("failed decoding ed25519 private key: %v", err) + } + + blob, err = ioutil.ReadFile(*operators) + if err != nil { + return nil, fmt.Errorf("failed reading log operators: %v", err) + } + var ops []descriptor.Operator + if err := json.Unmarshal(blob, &ops); err != nil { + return nil, fmt.Errorf("failed decoding log operators: %v", err) + } + + id, err := base64.StdEncoding.DecodeString(*logId) + if err != nil { + return nil, fmt.Errorf("failed decoding log identifier: %v", err) + } + + // TODO: define FindLog() for []Operator + var log *descriptor.Log + for _, op := range ops { + l, err := op.FindLog(id) + if err == nil { + log = l + break + } + } + if log == nil { + return nil, fmt.Errorf("unknown log identifier: %v", err) + } + return client.NewClient(log, &http.Client{}, c, &k), nil +} + +func parseEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) { + block, rest := pem.Decode(data) + if block == nil { + return nil, fmt.Errorf("pem block: is empty") + } + if block.Type != "PRIVATE KEY" { + return nil, fmt.Errorf("bad pem block type: %v", block.Type) + } + if len(rest) != 0 { + return nil, fmt.Errorf("pem block: trailing data") + } + + key, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + fmt.Errorf("x509 parser failed: %v", err) + } + switch t := key.(type) { + case ed25519.PrivateKey: + return key.(ed25519.PrivateKey), nil + default: + return nil, fmt.Errorf("unexpected signing key type: %v", t) + } +} + +func parseChain(rest []byte) ([]*x509.Certificate, error) { + var chain []*x509.Certificate + for len(rest) > 0 { + var block *pem.Block + block, rest = pem.Decode(rest) + if block == nil { + break + } + if block.Type != "CERTIFICATE" { + return nil, fmt.Errorf("unexpected pem block type: %v", block.Type) + } + + certificate, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, fmt.Errorf("failed parsing x509 certificate: %v", err) + } + chain = append(chain, certificate) + } + return chain, nil +} diff --git a/client/client.go b/client/client.go new file mode 100644 index 0000000..e1663a0 --- /dev/null +++ b/client/client.go @@ -0,0 +1,139 @@ +package client + +import ( + "bytes" + "context" + "fmt" + + "crypto/ed25519" + "crypto/tls" + "crypto/x509" + "encoding/base64" + "encoding/json" + "io/ioutil" + "net/http" + + "github.com/golang/glog" + "github.com/system-transparency/stfe" + "github.com/system-transparency/stfe/server/descriptor" + "golang.org/x/net/context/ctxhttp" +) + +type Client struct { + Log *descriptor.Log + Client *http.Client + Chain []*x509.Certificate + PrivateKey *ed25519.PrivateKey +} + +// NewClient returns a new log client +func NewClient(log *descriptor.Log, client *http.Client, chain []*x509.Certificate, privateKey *ed25519.PrivateKey) *Client { + return &Client{ + Log: log, + Chain: chain, + Client: client, + PrivateKey: privateKey, + } +} + +func (c *Client) AddEntry(ctx context.Context, name, checksum []byte) (*stfe.StItem, error) { + glog.V(3).Info("creating add-entry request") + leaf, err := stfe.NewChecksumV1(name, checksum).Marshal() + if err != nil { + return nil, fmt.Errorf("failed marshaling StItem: %v", err) + } + data, err := json.Marshal(struct { + Item string `json:"item"` + Scheme uint16 `json:"signature_scheme"` + Signature string `json:"signature"` + Chain []string `json:"chain"` + }{ + Item: base64.StdEncoding.EncodeToString(leaf), + Scheme: uint16(tls.Ed25519), + Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(*c.PrivateKey, serialized)), + Chain: c.b64Chain(), + }) + if err != nil { + return nil, fmt.Errorf("failed creating post data: %v", err) + } + // TODO: make http(s) config option + req, err := http.NewRequest("POST", "http://"+c.Log.BaseUrl+"/add-entry", bytes.NewBuffer(data)) + if err != nil { + return nil, fmt.Errorf("failed creating http request: %v", err) + } + req.Header.Set("Content-Type", "application/json") + + var itemStr string + if err := c.doRequest(ctx, req, &itemStr); err != nil { + return nil, err + } + b, err := base64.StdEncoding.DecodeString(itemStr) + if err != nil { + return nil, fmt.Errorf("failed decoding base64 body: %v", err) + } + var item stfe.StItem + if err := item.Unmarshal(b); err != nil { + return nil, fmt.Errorf("failed decoding StItem: %v", err) + } + + if item.Format != stfe.StFormatSignedDebugInfoV1 { + return nil, fmt.Errorf("bad StItem format: %v", item.Format) + } + if err := item.SignedDebugInfoV1.Verify(c.Log.Scheme, c.Log.PublicKey, serialized); err != nil { + return nil, fmt.Errorf("bad SignedDebugInfoV1 signature: %v", err) + } + return &item, nil +} + +func (c *Client) doRequest(ctx context.Context, req *http.Request, out interface{}) error { + glog.V(3).Infof("sending request: %v %v", req.Method, req.URL) + rsp, err := ctxhttp.Do(ctx, c.Client, req) + if err != nil { + return fmt.Errorf("http request failed: %v", err) + } + body, err := ioutil.ReadAll(rsp.Body) + rsp.Body.Close() + if err != nil { + return fmt.Errorf("http body read failed: %v", err) + } + if rsp.StatusCode != http.StatusOK { + return fmt.Errorf("http status code not ok: %v", rsp.StatusCode) + } + if err := json.Unmarshal(body, out); err != nil { + return fmt.Errorf("failed decoding json body: %v", err) + } + return nil +} + +func (c *Client) GetSth(ctx context.Context) (*stfe.StItem, error) { + glog.V(2).Info("creating get-sth request") + return nil, fmt.Errorf("TODO") +} + +func (c *Client) GetConsistencyProof(ctx context.Context, first, second uint64) (*stfe.StItem, error) { + glog.V(2).Info("creating get-consistency-proof request") + return nil, fmt.Errorf("TODO") +} + +func (c *Client) GetProofByHash(ctx context.Context, treeSize uint64, hash []byte) (*stfe.StItem, error) { + glog.V(2).Info("creating get-proof-by-hash request") + return nil, fmt.Errorf("TODO") +} + +func (c *Client) GetEntries(ctx context.Context, start, end uint64) (*stfe.StItem, error) { + glog.V(2).Info("creating get-entries request") + return nil, fmt.Errorf("TODO") +} + +func (c *Client) GetAnchors(ctx context.Context, start, end uint64) ([]*x509.Certificate, error) { + glog.V(2).Info("creating get-anchors request") + return nil, fmt.Errorf("TODO") +} + +func (c *Client) b64Chain() []string { + chain := make([]string, 0, len(c.Chain)) + for _, cert := range c.Chain { + chain = append(chain, base64.StdEncoding.EncodeToString(cert.Raw)) + } + return chain +} diff --git a/server/descriptor/.descriptor.go.swp b/server/descriptor/.descriptor.go.swp Binary files differnew file mode 100644 index 0000000..e12d5cd --- /dev/null +++ b/server/descriptor/.descriptor.go.swp diff --git a/server/descriptor/stfe.json b/server/descriptor/stfe.json index 69e84a0..d987c47 100644 --- a/server/descriptor/stfe.json +++ b/server/descriptor/stfe.json @@ -5,11 +5,11 @@ "logs": [ { "max_chain": 3, - "log_id": "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", + "id": "B9oCJk4XIOMXba8dBM5yUj+NLtqTE6xHwbvR9dYkHPM=", "signature_schemes": [ 2055 ], - "base_url": "example.com/st/v1", + "base_url": "localhost:6965/st/v1", "signature_scheme": 2055, "public_key": "MCowBQYDK2VwAyEAqM4b/SHOCRId9xgiCPn8D8r6+Nrk9JTZZqW6vj7TGa0=" } diff --git a/server/testdata/chain/ee.csr b/server/testdata/chain/ee.csr new file mode 100644 index 0000000..d3b6059 --- /dev/null +++ b/server/testdata/chain/ee.csr @@ -0,0 +1,7 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIHEMHgCAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf +BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAqMAUGAytlcAMhAN2ydopX +PU0rUaZg/tLvkc/5rKf5YcE1KU8mvMKRTTS1oAAwBQYDK2VwA0EAW3tF+3WqTY90 +0vVJCKEEokWfGFJGXwelJu0qMOIiZ3i5tVJGNtnzamALIEm5MwZX9XxFJnDUZ/G1 +OS8P7r2wBg== +-----END CERTIFICATE REQUEST----- diff --git a/server/testdata/chain/ee.key b/server/testdata/chain/ee.key new file mode 100644 index 0000000..e0d4e18 --- /dev/null +++ b/server/testdata/chain/ee.key @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEICoNwxwXHgfQsmCP3bcmyCr2qPnk4s602txur6Fv18+b +-----END PRIVATE KEY----- diff --git a/server/testdata/chain/ee.pem b/server/testdata/chain/ee.pem new file mode 100644 index 0000000..a3de1db --- /dev/null +++ b/server/testdata/chain/ee.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBRDCB9wIUDVhYPJbWJnID0hWjpfR51SpAM/owBQYDK2VwMEUxCzAJBgNVBAYT +AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn +aXRzIFB0eSBMdGQwHhcNMjAxMTAyMTkwMzMzWhcNMjMwODIzMTkwMzMzWjBFMQsw +CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu +ZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEA3bJ2ilc9TStRpmD+0u+Rz/ms +p/lhwTUpTya8wpFNNLUwBQYDK2VwA0EARtet9+teezrMe6ACgIvTHgFrIsnyNr+N +nu6m5oNnGKzmSnyGdrPGY8RlaEBwEn/6tb/ahI6+VLDaDEJjW8BVAA== +-----END CERTIFICATE----- diff --git a/server/testdata/chain/rgdd-root.srl b/server/testdata/chain/rgdd-root.srl index dac138f..a0a5632 100644 --- a/server/testdata/chain/rgdd-root.srl +++ b/server/testdata/chain/rgdd-root.srl @@ -1 +1 @@ -0D58583C96D6267203D215A3A5F479D52A4033F9 +0D58583C96D6267203D215A3A5F479D52A4033FA diff --git a/verify.go b/verify.go new file mode 100644 index 0000000..fbcf6df --- /dev/null +++ b/verify.go @@ -0,0 +1,32 @@ +package stfe + +import ( + "fmt" + + "crypto/ed25519" + "crypto/tls" + "crypto/x509" +) + +func (sdi *SignedDebugInfoV1) Verify(scheme tls.SignatureScheme, publicKey, message []byte) error { + if scheme != tls.Ed25519 { + return fmt.Errorf("unsupported signature scheme: %v", scheme) + } + + // TODO: fix so that publicKey is already passed as crypto.PublicKey + k, err := x509.ParsePKIXPublicKey(publicKey) + if err != nil { + return fmt.Errorf("failed parsing public key: %v", err) + } + + switch t := k.(type) { + case ed25519.PublicKey: + vk := k.(ed25519.PublicKey) + if !ed25519.Verify(vk, message, sdi.Signature) { + return fmt.Errorf("invalid signature: PublicKey(%v) Message(%v) Signature(%v)", vk, message, sdi.Signature) + } + return nil + default: + return fmt.Errorf("Unsupported public key: %s", t) + } +} @@ -156,12 +156,12 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif // verifySignature checks if signature is valid for some serialized data. The // only supported signature scheme is ecdsa_secp256r1_sha256(0x0403), see ยง4.3.2 -// in RFC 8446. TODO: replace ECDSA with ed25519(0x0807) +// in RFC 8446. func verifySignature(_ *LogParameters, certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error { - if scheme != tls.ECDSAWithP256AndSHA256 { + if scheme != tls.Ed25519 { return fmt.Errorf("unsupported signature scheme: %v", scheme) } - if err := certificate.CheckSignature(x509.ECDSAWithSHA256, serialized, signature); err != nil { + if err := certificate.CheckSignature(x509.PureEd25519, serialized, signature); err != nil { return fmt.Errorf("invalid signature: %v", err) } return nil |