static AJ_Status DecodeCertificateName(DER_Element* der, uint8_t type, AJ_GUID* ou, AJ_GUID* cn)
{
AJ_Status status = AJ_OK;
DER_Element set;
DER_Element seq;
DER_Element oid;
DER_Element tmp;
while ((AJ_OK == status) && (der->size)) {
status = AJ_ASN1DecodeElement(der, ASN_SET_OF, &set);
if (AJ_OK != status) {
return status;
}
status = AJ_ASN1DecodeElement(&set, ASN_SEQ, &seq);
if (AJ_OK != status) {
return status;
}
status = AJ_ASN1DecodeElement(&seq, ASN_OID, &oid);
if (AJ_OK != status) {
return status;
}
status = AJ_ASN1DecodeElement(&seq, ASN_UTF8, &tmp);
if (AJ_OK != status) {
return status;
}
if (CompareOID(&oid, OID_DN_OU, sizeof (OID_DN_OU))) {
status = AJ_GUID_FromString(ou, (const char*) tmp.data);
if (AJ_OK != status) {
return status;
}
} else if (CompareOID(&oid, OID_DN_CN, sizeof (OID_DN_CN))) {
status = AJ_GUID_FromString(cn, (const char*) tmp.data);
if (AJ_OK != status) {
return status;
}
}
}
return status;
}
AJ_Status AJ_PeerHandleExchangeGUIDs(AJ_Message* msg, AJ_Message* reply)
{
char guidStr[33];
uint32_t version;
char* str;
AJ_GUID remoteGuid;
AJ_GUID localGuid;
AJ_UnmarshalArgs(msg, "su", &str, &version);
AJ_GUID_FromString(&remoteGuid, str);
AJ_GUID_AddNameMapping(&remoteGuid, msg->sender, NULL);
/*
* We are not currently negotiating versions so we tell the peer what version we require.
*/
version = REQUIRED_AUTH_VERSION;
AJ_MarshalReplyMsg(msg, reply);
AJ_GetLocalGUID(&localGuid);
AJ_GUID_ToString(&localGuid, guidStr, sizeof(guidStr));
return AJ_MarshalArgs(reply, "su", guidStr, version);
}
AJ_Status AJ_PeerHandleGenSessionKey(AJ_Message* msg, AJ_Message* reply)
{
AJ_Status status;
char* remGuid;
char* locGuid;
char* nonce;
AJ_GUID guid;
AJ_GUID localGuid;
/*
* For 12 bytes of verifier, we need at least 12 * 2 characters
* to store its representation in hex (24 octets + 1 octet for \0).
* However, the KeyGen function demands a bigger buffer
* (to store 16 bytes key in addition to the 12 bytes verifier).
* Hence we allocate, the maximum of (12 * 2 + 1) and (16 + 12).
*/
char verifier[AES_KEY_LEN + VERIFIER_LEN];
/*
* Remote peer GUID, Local peer GUID and Remote peer's nonce
*/
AJ_UnmarshalArgs(msg, "sss", &remGuid, &locGuid, &nonce);
/*
* We expect arg[1] to be the local GUID
*/
status = AJ_GUID_FromString(&guid, locGuid);
if (AJ_OK == status) {
status = AJ_GetLocalGUID(&localGuid);
}
if ((status != AJ_OK) || (memcmp(&guid, &localGuid, sizeof(AJ_GUID)) != 0)) {
return AJ_MarshalErrorMsg(msg, reply, AJ_ErrRejected);
}
AJ_RandHex(authContext.nonce, sizeof(authContext.nonce), NONCE_LEN);
status = KeyGen(msg->sender, AJ_ROLE_KEY_RESPONDER, nonce, authContext.nonce, (uint8_t*)verifier, sizeof(verifier));
if (status == AJ_OK) {
AJ_MarshalReplyMsg(msg, reply);
status = AJ_MarshalArgs(reply, "ss", authContext.nonce, verifier);
} else {
status = AJ_MarshalErrorMsg(msg, reply, AJ_ErrRejected);
}
return status;
}
AJ_Status AJ_PeerHandleExchangeGUIDsReply(AJ_Message* msg)
{
AJ_Status status;
const char* guidStr;
AJ_GUID remoteGuid;
uint32_t version;
char nul = '\0';
status = AJ_UnmarshalArgs(msg, "su", &guidStr, &version);
if (status != AJ_OK) {
return status;
}
if (version != REQUIRED_AUTH_VERSION) {
PeerAuthComplete(AJ_ERR_SECURITY);
return AJ_OK;
}
AJ_GUID_FromString(&remoteGuid, guidStr);
/*
* Two name mappings to add, the well known name, and the unique name from the message.
*/
AJ_GUID_AddNameMapping(&remoteGuid, msg->sender, authContext.peerName);
/*
* Remember which peer is being authenticated
*/
authContext.peerGuid = AJ_GUID_Find(msg->sender);
/*
* Initialize SASL state machine
*/
AJ_SASL_InitContext(&authContext.sasl, authMechanisms, AJ_AUTH_RESPONDER, msg->bus->pwdCallback);
/*
* Start the authentication conversation
*/
status = AuthResponse(msg, &nul);
if (status != AJ_OK) {
PeerAuthComplete(status);
}
return status;
}
AJ_Status TestCreds()
{
AJ_Status status = AJ_OK;
AJ_GUID localGuid;
AJ_GUID remoteGuid;
char str[33];
AJ_PeerCred*peerCredRead;
int i = 0;
AJ_GUID peerGuid;
uint8_t secretLen = 24;
uint8_t secret[24];
uint32_t expiration = 50898;
char hex[100];
AJ_AlwaysPrintf(("Start TestCreds\n"));
status = AJ_GetLocalGUID(&localGuid);
if (AJ_OK != status) {
return status;
}
AJ_GUID_FromString(&localGuid, str);
AJ_InfoPrintf(("TestCreds() Layout Print\n"));
AJ_NVRAM_Layout_Print();
memset(&peerGuid, 1, sizeof(AJ_GUID));
for (i = 0; i < secretLen; i++) {
secret[i] = i;
}
AJ_GUID_ToString(&peerGuid, hex, 100);
AJ_AlwaysPrintf(("AJ_StorePeerSecret guid %s\n", hex));
status = AJ_StorePeerSecret(&peerGuid, secret, secretLen, expiration);
memcpy(&remoteGuid, &peerGuid, sizeof(AJ_GUID)); // backup the GUID
if (AJ_OK != status) {
AJ_AlwaysPrintf(("AJ_StorePeerSecret failed = %d\n", status));
return status;
}
AJ_NVRAM_Layout_Print();
AJ_InfoPrintf(("TestCreds() StoreCred() Layout Print\n"));
AJ_NVRAM_Layout_Print();
AJ_GUID_ToString(&remoteGuid, hex, 100);
AJ_AlwaysPrintf(("AJ_GetPeerCredential guid %s\n", hex));
status = AJ_GetPeerCredential(&remoteGuid, &peerCredRead);
if (AJ_OK != status) {
AJ_AlwaysPrintf(("AJ_GetPeerCredential failed = %d\n", status));
return status;
}
if (0 != memcmp(peerCredRead->id, &peerGuid, peerCredRead->idLen)) {
AJ_AlwaysPrintf(("The retrieved credential does not match\n"));
AJ_FreeCredential(peerCredRead);
return AJ_ERR_FAILURE;
}
if (peerCredRead->dataLen != secretLen) {
AJ_AlwaysPrintf(("no match for secretLen got %d expected %d\n",
peerCredRead->dataLen, secretLen));
AJ_FreeCredential(peerCredRead);
return AJ_ERR_FAILURE;
}
if (secretLen > 0) {
if (0 != memcmp(peerCredRead->data, secret, secretLen)) {
AJ_AlwaysPrintf(("no match for secret\n"));
AJ_FreeCredential(peerCredRead);
return AJ_ERR_FAILURE;
}
}
if (peerCredRead->expiration != expiration) {
AJ_AlwaysPrintf(("no match for expiration got %d expected %d\n",
peerCredRead->expiration, expiration));
AJ_FreeCredential(peerCredRead);
return AJ_ERR_FAILURE;
}
status = AJ_DeletePeerCredential(&remoteGuid);
if (AJ_OK != status) {
AJ_AlwaysPrintf(("AJ_DeleteCredential failed = %d\n", status));
AJ_FreeCredential(peerCredRead);
return status;
}
AJ_FreeCredential(peerCredRead);
if (AJ_ERR_FAILURE == AJ_GetPeerCredential(&remoteGuid, NULL)) {
status = AJ_OK;
} else {
return AJ_ERR_FAILURE;
}
AJ_InfoPrintf(("TestCreds() Layout Print\n"));
AJ_NVRAM_Layout_Print();
AJ_ClearCredentials();
if (AJ_ERR_FAILURE == AJ_GetPeerCredential(&remoteGuid, NULL)) {
status = AJ_OK;
} else {
return AJ_ERR_FAILURE;
}
AJ_InfoPrintf(("TestCreds() Layout Print\n"));
AJ_NVRAM_Layout_Print();
AJ_AlwaysPrintf(("TestCreds done.\n"));
return status;
}
AJ_Status TestCreds()
{
AJ_Status status = AJ_OK;
AJ_GUID localGuid;
AJ_GUID remoteGuid;
char str[33];
AJ_PeerCred peerCred;
AJ_PeerCred peerCredRead;
int i = 0;
status = AJ_GetLocalGUID(&localGuid);
if (AJ_OK != status) {
goto TEST_CREDS_EXIT;
}
AJ_GUID_FromString(&localGuid, str);
AJ_NVRAM_Layout_Print();
memset(&peerCred.guid, 1, sizeof(AJ_GUID));
memcpy(&remoteGuid, &peerCred.guid, sizeof(AJ_GUID)); // backup the GUID
for (i = 0; i < 24; i++) {
peerCred.secret[i] = i;
}
status = AJ_StoreCredential(&peerCred);
if (AJ_OK != status) {
AJ_Printf("AJ_StoreCredential failed = %d\n", status);
goto TEST_CREDS_EXIT;
}
status = AJ_GetRemoteCredential(&remoteGuid, &peerCredRead);
if (AJ_OK != status) {
AJ_Printf("AJ_StoreCredential failed = %d\n", status);
goto TEST_CREDS_EXIT;
}
if (0 != memcmp(&peerCredRead, &peerCred, sizeof(AJ_PeerCred))) {
AJ_Printf("The retrieved credential does not match\n");
status = AJ_ERR_FAILURE;
goto TEST_CREDS_EXIT;
}
status = AJ_DeleteCredential(&remoteGuid);
if (AJ_OK != status) {
AJ_Printf("AJ_DeleteCredential failed = %d\n", status);
goto TEST_CREDS_EXIT;
}
if (AJ_ERR_FAILURE == AJ_GetRemoteCredential(&remoteGuid, &peerCredRead)) {
status = AJ_OK;
} else {
status = AJ_ERR_FAILURE;
goto TEST_CREDS_EXIT;
}
AJ_NVRAM_Layout_Print();
status = AJ_StoreCredential(&peerCred);
if (AJ_OK != status) {
AJ_Printf("AJ_StoreCredential failed = %d\n", status);
goto TEST_CREDS_EXIT;
}
AJ_ClearCredentials();
if (AJ_ERR_FAILURE == AJ_GetRemoteCredential(&remoteGuid, &peerCredRead)) {
status = AJ_OK;
} else {
status = AJ_ERR_FAILURE;
goto TEST_CREDS_EXIT;
}
AJ_NVRAM_Layout_Print();
TEST_CREDS_EXIT:
return status;
}
