void QRCodeProtocol::begin(KeyExchangeSession &session, KeyExchangeData &data)
{
// get existing security key
SecurityKey key = SecurityKeyManager::getInstance().get(session.getPeer(), SecurityKey::KEY_PUBLIC);
// get key fingerprint
const std::string fingerprint = key.getFingerprint();
// prepare a response
KeyExchangeData response(KeyExchangeData::COMPLETE, session);
if (fingerprint == data.str())
{
// store existing key with HIGH trust level
session.putKey(key.getData(), key.type, SecurityKey::HIGH);
// finish the key-exchange
manager.finish(session);
}
else
{
// signal error
throw ibrcommon::Exception("fingerprint is missing");
}
}
void ExtensionSecurityBlock::encrypt(dtn::data::Bundle& bundle, const SecurityKey &key, dtn::data::Bundle::iterator it, const dtn::data::EID& source, const dtn::data::EID& destination)
{
uint32_t salt = 0;
// load the rsa key
RSA *rsa_key = key.getRSA();
// key used for encrypting the block. the key will be encrypted using RSA
unsigned char ephemeral_key[ibrcommon::AES128Stream::key_size_in_bytes];
createSaltAndKey(salt, ephemeral_key, ibrcommon::AES128Stream::key_size_in_bytes);
dtn::security::ExtensionSecurityBlock& esb = SecurityBlock::encryptBlock<ExtensionSecurityBlock>(bundle, it, salt, ephemeral_key);
// set the source and destination address of the new block
if (source != bundle.source) esb.setSecuritySource( source );
if (destination != bundle.destination) esb.setSecurityDestination( destination );
// encrypt the ephemeral key and place it in _ciphersuite_params
addSalt(esb._ciphersuite_params, salt);
addKey(esb._ciphersuite_params, ephemeral_key, ibrcommon::AES128Stream::key_size_in_bytes, rsa_key);
esb._ciphersuite_flags |= CONTAINS_CIPHERSUITE_PARAMS;
// free the rsa key
key.free(rsa_key);
}
void handleRequests(const string_t& requests) {
try {
Poco::Path pp(requests);
Poco::Path lics = pp.parent().makeDirectory().pushDirectory("licenses");
Poco::FileInputStream fis(requests);
while (!fis.eof()) {
string_t sl;
string_t sha;
string_t user;
std::getline(fis, sl);
/// check if there is custom mapping file specified current font
string_t::size_type p = sl.find('|');
sha = sl.substr(0, p);
sl = Poco::trim(sl);
if (p != string_t::npos)
user = sl.substr(p + 1);
sha = Poco::trim(sha);
user = Poco::trim(user);
if (sha.empty())
continue;
Poco::Path tmp = lics;
tmp.pushDirectory(sha);
string_t ss = tmp.toString();
if ( !Poco::File(ss + LICENSE_FILE).exists() ) {
SecurityKey sk;
sk.create(sha, false);
Poco::File(ss).createDirectories();
sk.save(ss + LICENSE_FILE);
}
}
}
catch (const std::exception& e) {
std::cout << e.what() << std::endl;
}
catch (...) {
}
}
void PayloadIntegrityBlock::verify(const dtn::data::Bundle &bundle, const SecurityKey &key)
{
// iterate over all PIBs to find the right one
dtn::data::Bundle::const_find_iterator it(bundle.begin(), PayloadIntegrityBlock::BLOCK_TYPE);
while (it.next(bundle.end()))
{
const PayloadIntegrityBlock &sb = dynamic_cast<const PayloadIntegrityBlock&>(**it);
// check if we have the public key of the security source
// skip this block if the given key isn't the right one
if (!sb.isSecuritySource(bundle, key.reference)) continue;
// check the correct algorithm
if (sb._ciphersuite_id != SecurityBlock::PIB_RSA_SHA256)
{
throw VerificationFailedException("can not verify the PIB because of an invalid algorithm");
}
EVP_PKEY *pkey = key.getEVP();
if (pkey == NULL) throw VerificationFailedException("verification error");
ibrcommon::RSASHA256Stream rs2s(pkey, true);
// serialize the bundle in the mutable form
dtn::security::MutableSerializer ms(rs2s, &sb);
(dtn::data::DefaultSerializer&)ms << bundle; rs2s << std::flush;
try {
int ret = rs2s.getVerification(sb._security_result.get(SecurityBlock::integrity_signature));
SecurityKey::free(pkey);
if (ret > 0)
{
// success!
return;
}
else if (ret < 0)
{
throw VerificationFailedException("verification error");
}
} catch (const ElementMissingException&) {
// This PIB can not verified due to a missing integrity signature
throw VerificationFailedException("Integrity signature is missing!");
}
}
throw VerificationFailedException("verification failed");
}
void ExtensionSecurityBlock::decrypt(dtn::data::Bundle& bundle, const SecurityKey &key, const dtn::security::ExtensionSecurityBlock& block)
{
// load the rsa key
RSA *rsa_key = key.getRSA();
// get key, convert with reinterpret_cast
unsigned char keydata[ibrcommon::AES128Stream::key_size_in_bytes];
if (!getKey(block._ciphersuite_params, keydata, ibrcommon::AES128Stream::key_size_in_bytes, rsa_key))
{
IBRCOMMON_LOGGER_ex(critical) << "could not get symmetric key decrypted" << IBRCOMMON_LOGGER_ENDL;
throw ibrcommon::Exception("could not extract the key");
}
// get salt, convert with stringstream
u_int32_t salt = getSalt(block._ciphersuite_params);
SecurityBlock::decryptBlock(bundle, block, salt, keydata);
}
void PayloadIntegrityBlock::setResultSize(const SecurityKey &key)
{
EVP_PKEY *pkey = key.getEVP();
// size of integrity_signature
if ((result_size = EVP_PKEY_size(pkey)) > 0)
{
// sdnv length
result_size += dtn::data::Number(result_size).getLength();
// type
result_size++;
}
else
{
result_size = _security_result.getLength();
}
SecurityKey::free(pkey);
}
const std::string PayloadIntegrityBlock::calcHash(const dtn::data::Bundle &bundle, const SecurityKey &key, PayloadIntegrityBlock& ignore)
{
EVP_PKEY *pkey = key.getEVP();
ibrcommon::RSASHA256Stream rs2s(pkey);
// serialize the bundle in the mutable form
dtn::security::MutableSerializer ms(rs2s, &ignore);
(dtn::data::DefaultSerializer&)ms << bundle; rs2s << std::flush;
int return_code = rs2s.getSign().first;
std::string sign_string = rs2s.getSign().second;
SecurityKey::free(pkey);
if (return_code)
return sign_string;
else
{
IBRCOMMON_LOGGER_ex(critical) << "an error occured at the creation of the hash and it is invalid" << IBRCOMMON_LOGGER_ENDL;
ERR_print_errors_fp(stderr);
return std::string("");
}
}
SecurityKey MockKeyGenerator::generateKey() {
SecurityKey key;
key.loadString("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF");
return key;
}
