void
zcert_test (bool verbose)
{
printf (" * zcert: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcert"
zsys_dir_create (TESTDIR);
// Create a simple certificate with metadata
zcert_t *cert = zcert_new ();
# if defined (HAVE_LIBSODIUM)
zcert_set_meta (cert, "email", "*****@*****.**");
zcert_set_meta (cert, "name", "Pieter Hintjens");
zcert_set_meta (cert, "organization", "iMatix Corporation");
zcert_set_meta (cert, "version", "%d", 1);
assert (streq (zcert_meta (cert, "email"), "*****@*****.**"));
zlist_t *keys = zcert_meta_keys (cert);
assert (zlist_size (keys) == 4);
zlist_destroy (&keys);
// Check the dup and eq methods
zcert_t *shadow = zcert_dup (cert);
assert (zcert_eq (cert, shadow));
zcert_destroy (&shadow);
// Check we can save and load certificate
zcert_save (cert, TESTDIR "/mycert.txt");
assert (zsys_file_exists (TESTDIR "/mycert.txt"));
assert (zsys_file_exists (TESTDIR "/mycert.txt_secret"));
// Load certificate, will in fact load secret one
shadow = zcert_load (TESTDIR "/mycert.txt");
assert (shadow);
assert (zcert_eq (cert, shadow));
zcert_destroy (&shadow);
// Delete secret certificate, load public one
int rc = zsys_file_delete (TESTDIR "/mycert.txt_secret");
assert (rc == 0);
shadow = zcert_load (TESTDIR "/mycert.txt");
// 32-byte null key encodes as 40 '0' characters
assert (streq (zcert_secret_txt (shadow),
"0000000000000000000000000000000000000000"));
zcert_destroy (&shadow);
zcert_destroy (&cert);
# else
// Libsodium isn't installed; should have returned NULL
assert (cert == NULL);
# endif
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
}
int main (int argc, char *argv [])
{
int argn = 1;
char *filename = "mycert.txt";
if (argn < argc)
filename = argv [argn++];
zsys_info ("Creating new CURVE certificate in %s", filename);
zcert_t *cert = zcert_new ();
if (s_get_meta (cert, "Enter your full name:", "name")
|| s_get_meta (cert, "Enter your email address:", "email")
|| s_get_meta (cert, "Enter your organization:", "organization"))
return -1;
char *timestr = zclock_timestr ();
zcert_set_meta (cert, "created-by", "CZMQ zmakecert");
zcert_set_meta (cert, "date-created", "%s", timestr);
free (timestr);
zcert_dump (cert);
zcert_save (cert, filename);
zsys_info ("CURVE certificate created in %s and %s_secret", filename, filename);
zcert_destroy (&cert);
return 0;
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
int main (void)
{
puts ("Creating new CURVE certificate");
zcert_t *cert = zcert_new ();
if (s_get_meta (cert, "Enter your full name:", "name")
|| s_get_meta (cert, "Enter your email address:", "email")
|| s_get_meta (cert, "Enter your organization:", "organization"))
return -1;
char *timestr = zclock_timestr ();
zcert_set_meta (cert, "created-by", "CZMQ makecert");
zcert_set_meta (cert, "date-created", timestr);
free (timestr);
zcert_dump (cert);
zcert_save (cert, "mycert.txt");
puts ("I: CURVE certificate created in mycert.txt and mycert.txt_secret");
zcert_destroy (&cert);
return 0;
}
static int
s_get_meta (zcert_t *cert, char *prompt, char *name)
{
printf ("%s ", prompt);
char value [256];
if (fgets (value, 256, stdin) == NULL)
return -1;
if (strlen (value) && value [strlen (value) - 1] == '\n')
value [strlen (value) - 1] = 0;
if (*value)
zcert_set_meta (cert, name, value);
return 0;
}
zcert_t *
zcert_load (char *format, ...)
{
#if (ZMQ_VERSION_MAJOR == 4)
assert (format);
va_list argptr;
va_start (argptr, format);
char *filename = zsys_vprintf (format, argptr);
va_end (argptr);
// Try first to load secret certificate, which has both keys
// Then fallback to loading public certificate
char filename_secret [256];
snprintf (filename_secret, 256, "%s_secret", filename);
zconfig_t *root = zconfig_load (filename_secret);
if (!root)
root = zconfig_load (filename);
zcert_t *self = NULL;
if (root) {
char *public_text = zconfig_resolve (root, "/curve/public-key", NULL);
char *secret_text = zconfig_resolve (root, "/curve/secret-key", NULL);
if (public_text && strlen (public_text) == 40) {
byte public_key [32] = { 0 };
byte secret_key [32] = { 0 };
zmq_z85_decode (public_key, public_text);
if (secret_text && strlen (secret_text) == 40)
zmq_z85_decode (secret_key, secret_text);
// Load metadata into certificate
self = zcert_new_from (public_key, secret_key);
zconfig_t *metadata = zconfig_locate (root, "/metadata");
zconfig_t *item = metadata? zconfig_child (metadata): NULL;
while (item) {
zcert_set_meta (self, zconfig_name (item), zconfig_value (item));
item = zconfig_next (item);
}
}
}
zconfig_destroy (&root);
zstr_free (&filename);
return self;
#else
return NULL;
#endif
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
printf ("OK\n");
}
///
// Set certificate metadata from formatted string.
void QmlZcert::setMeta (const QString &name, const QString &format) {
zcert_set_meta (self, name.toUtf8().data(), "%s", format.toUtf8().data());
};
void ZeroMQEngine::Initialize(const string endPoint, const string instanceName, const string instanceID)
{
zcert_t* localCertificate = nullptr;
// Handle common security initialization for server and client instances
if (SecurityEnabled())
{
if (!zsys_has_curve())
throw runtime_error("Failed to locate needed curve security libraries, cannot initialize ZeroMQ security");
string localCertDirectory = CURVECERTLOCALDIR "/";
string publicCertFileName;
string privateCertFileName;
// Make sure certificate store directories exist
if (zsys_dir_create(CURVECERTLOCALDIR) != 0)
throw runtime_error("Failed to create local curve security store, cannot initialize ZeroMQ security");
if (zsys_dir_create(CURVECERTREMOTEDIR) != 0)
throw runtime_error("Failed to create remote curve security store, cannot initialize ZeroMQ security");
// Derive certificate file names based on engine mode
if (ServerMode())
{
publicCertFileName = localCertDirectory + SVRPUBCERTFILENAME;
privateCertFileName = localCertDirectory + SVRPVTCERTFILENAME;
}
else
{
publicCertFileName = localCertDirectory + instanceName + PUBCERTFILENAMEEXT;
privateCertFileName = localCertDirectory + instanceName + PVTCERTFILENAMEEXT;
}
// See if private certificate already exists
if (zsys_file_exists(privateCertFileName.c_str()))
{
// Load existing local certificate
localCertificate = zcert_load(privateCertFileName.c_str());
if (localCertificate == nullptr)
throw runtime_error("Failed to load local curve certificate, cannot initialize ZeroMQ security");
}
else
{
// Create a new full certificate (public + private)
localCertificate = zcert_new();
if (localCertificate == nullptr)
throw runtime_error("Failed to create local curve certificate, cannot initialize ZeroMQ security");
zcert_set_meta(localCertificate, "name", instanceName.c_str());
zcert_set_meta(localCertificate, "id", instanceID.c_str());
zcert_set_meta(localCertificate, "type", ServerMode() ? "server" : "client");
// Persist certificates for future runs
if (zcert_save_public(localCertificate, publicCertFileName.c_str()) != 0)
throw runtime_error("Failed to save local curve public certificate, cannot initialize ZeroMQ security");
if (zcert_save_secret(localCertificate, privateCertFileName.c_str()) != 0)
throw runtime_error("Failed to save local curve private certificate, cannot initialize ZeroMQ security");
}
}
// Create new ZeroMQ engine instance
if (ServerMode())
m_instance = new ZeroMQServer(m_bufferReceivedCallback, SecurityEnabled(), InactiveClientTimeout(), VerboseOutput(), ConnectionID(), localCertificate);
else
m_instance = new ZeroMQClient(m_bufferReceivedCallback, SecurityEnabled(), InactiveClientTimeout(), VerboseOutput(), ConnectionID(), localCertificate);
m_instance->Initialize(endPoint, instanceName, instanceID);
log_info("\nEstablished ZeroMQ socket [%s]\n", ConnectionID().ToString().c_str());
}
///
// Set certificate metadata from formatted string.
void QZcert::setMeta (const QString &name, const QString ¶m)
{
zcert_set_meta (self, name.toUtf8().data(), "%s", param.toUtf8().data());
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
const char *SELFTEST_DIR_RW = "src/selftest-rw";
const char *testbasedir = ".test_zcertstore";
const char *testfile = "mycert.txt";
char *basedirpath = NULL; // subdir in a test, under SELFTEST_DIR_RW
char *filepath = NULL; // pathname to testfile in a test, in dirpath
basedirpath = zsys_sprintf ("%s/%s", SELFTEST_DIR_RW, testbasedir);
assert (basedirpath);
filepath = zsys_sprintf ("%s/%s", basedirpath, testfile);
assert (filepath);
// Make sure old aborted tests do not hinder us
zdir_t *dir = zdir_new (basedirpath, NULL);
if (dir) {
zdir_remove (dir, true);
zdir_destroy (&dir);
}
zsys_file_delete (filepath);
zsys_dir_delete (basedirpath);
// Create temporary directory for test files
zsys_dir_create (basedirpath);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (basedirpath);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, filepath);
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
// Iterate through certs
zlistx_t *certs = zcertstore_certs(certstore);
cert = (zcert_t *) zlistx_first(certs);
int cert_count = 0;
while (cert) {
assert (streq (zcert_meta (cert, "name"), "John Doe"));
cert = (zcert_t *) zlistx_next(certs);
cert_count++;
}
assert(cert_count==1);
zlistx_destroy(&certs);
#endif
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
freen (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
dir = zdir_new (basedirpath, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
zstr_free (&basedirpath);
zstr_free (&filepath);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
void HHVM_METHOD(ZMQCert, setMeta, const String& name, const String& fmt) {
zcert_set_meta(Native::data<ZMQCert>(this_)->zcert, name.c_str(), fmt.c_str());
}
void certificate::set_meta(const std::string& name, const std::string& value)
{
zcert_set_meta(self_, name.c_str(), value.c_str());
}
