Skip to content

S
sgxwallet
Unverified Commit 72bb58de authored by Oleh Nikolaiev's avatar Oleh Nikolaiev
Browse files
Options

SKALE-4262 set checkKeyOwnership on start

parent 63a08c85
Hide whitespace changes
Inline Side-by-side
Showing with 50 additions and 48 deletions
ServerInit.cpp
View file @ 72bb58de
......@@ -14,7 +14,7 @@
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file ServerInit.cpp
@author Stan Kladko
......@@ -209,7 +209,7 @@ void initAll(uint32_t _logLevel, bool _checkCert,
SGXRegistrationServer::initRegistrationServer(_autoSign);
CSRManagerServer::initCSRManagerServer();
SGXInfoServer::initInfoServer(_logLevel, _checkCert, _autoSign, _generateTestKeys);
ZMQServer::initZMQServer(_checkZMQSig);
ZMQServer::initZMQServer(_checkZMQSig, useHTTPS);
sgxServerInited = true;
} catch (SGXException &_e) {
......
zmq_src/ReqMessage.cpp
View file @ 72bb58de
......@@ -31,8 +31,7 @@ Json::Value ECDSASignReqMessage::process() {
auto base = getInt64Rapid("base");
auto keyName = getStringRapid("keyName");
auto hash = getStringRapid("messageHash");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(keyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::ecdsaSignMessageHashImpl(base, keyName, hash);
......@@ -45,8 +44,7 @@ Json::Value BLSSignReqMessage::process() {
auto hash = getStringRapid("messageHash");
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(keyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::blsSignMessageHashImpl(keyName, hash, t, n);
......@@ -58,7 +56,7 @@ Json::Value importBLSReqMessage::process() {
auto keyName = getStringRapid("keyShareName");
auto keyShare = getStringRapid("keyShare");
auto result = SGXWalletServer::importBLSKeyShareImpl(keyShare, keyName);
if (result["status"] == 0) {
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(keyName, cert);
}
......@@ -70,7 +68,7 @@ Json::Value importECDSAReqMessage::process() {
auto keyName = getStringRapid("keyName");
auto key = getStringRapid("key");
auto result = SGXWalletServer::importECDSAKeyImpl(key, keyName);
if (result["status"] == 0) {
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(keyName, cert);
}
......@@ -81,7 +79,7 @@ Json::Value importECDSAReqMessage::process() {
Json::Value generateECDSAReqMessage::process() {
auto result = SGXWalletServer::generateECDSAKeyImpl();
string keyName = result["keyName"].asString();
if (result["status"] == 0) {
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(keyName, cert);
}
......@@ -91,8 +89,7 @@ Json::Value generateECDSAReqMessage::process() {
Json::Value getPublicECDSAReqMessage::process() {
auto keyName = getStringRapid("keyName");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(keyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::getPublicECDSAKeyImpl(keyName);
......@@ -104,7 +101,7 @@ Json::Value generateDKGPolyReqMessage::process() {
auto polyName = getStringRapid("polyName");
auto t = getInt64Rapid("t");
auto result = SGXWalletServer::generateDKGPolyImpl(polyName, t);
if (result["status"] == 0) {
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(polyName, cert);
}
......@@ -114,8 +111,7 @@ Json::Value generateDKGPolyReqMessage::process() {
Json::Value getVerificationVectorReqMessage::process() {
auto polyName = getStringRapid("polyName");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(polyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto t = getInt64Rapid("t");
......@@ -129,8 +125,7 @@ Json::Value getSecretShareReqMessage::process() {
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
auto pubKeys = getJsonValueRapid("publicKeys");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(polyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::getSecretShareV2Impl(polyName, pubKeys, t, n);
......@@ -145,8 +140,7 @@ Json::Value dkgVerificationReqMessage::process() {
auto idx = getInt64Rapid("index");
auto pubShares = getStringRapid("publicShares");
auto secretShare = getStringRapid("secretShare");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(ethKeyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::dkgVerificationV2Impl(pubShares, ethKeyName, secretShare, t, n, idx);
......@@ -161,13 +155,12 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
auto secretShare = getStringRapid("secretShare");
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(ethKeyName, cert) || !isKeyByOwner(polyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert")) || !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::createBLSPrivateKeyV2Impl(blsKeyName, ethKeyName, polyName, secretShare, t, n);
if (result["status"] == 0) {
addKeyByOwner(blsKeyName, cert);
if (checkKeyOwnership && result["status"] == 0) {
addKeyByOwner(blsKeyName, getStringRapid("cert"));
}
result["type"] = ZMQMessage::CREATE_BLS_PRIVATE_RSP;
return result;
......@@ -175,8 +168,7 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
Json::Value getBLSPublicReqMessage::process() {
auto blsKeyName = getStringRapid("blsKeyName");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(blsKeyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::getBLSPublicKeyShareImpl(blsKeyName);
......@@ -198,8 +190,7 @@ Json::Value complaintResponseReqMessage::process() {
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
auto idx = getInt64Rapid("ind");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(polyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::complaintResponseImpl(polyName, t, n, idx);
......@@ -235,8 +226,7 @@ Json::Value getServerVersionReqMessage::process() {
Json::Value deleteBLSKeyReqMessage::process() {
auto blsKeyName = getStringRapid("blsKeyName");
auto cert = getStringRapid("cert");
if (!isKeyByOwner(blsKeyName, cert)) {
if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::deleteBlsKeyImpl(blsKeyName);
......
zmq_src/ZMQClient.cpp
View file @ 72bb58de
......@@ -67,7 +67,7 @@ shared_ptr <ZMQMessage> ZMQClient::doRequestReply(Json::Value &_req) {
CHECK_STATE(resultStr.front() == '{')
CHECK_STATE(resultStr.back() == '}')
return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false);
return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false, false);
} catch (std::exception &e) {
spdlog::error(string("Error in doRequestReply:") + e.what());
throw;
......
zmq_src/ZMQMessage.cpp
View file @ 72bb58de
......@@ -76,7 +76,7 @@ string ZMQMessage::getStringRapid(const char *_name) {
shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
size_t _size, bool _isRequest,
bool _verifySig) {
bool _verifySig, bool _checkKeyOwnership) {
CHECK_STATE(_msg);
CHECK_STATE2(_size > 5, ZMQ_INVALID_MESSAGE_SIZE);
......@@ -150,16 +150,15 @@ shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
}
}
shared_ptr <ZMQMessage> result;
if (_isRequest) {
return buildRequest(type, d);
return buildRequest(type, d, _checkKeyOwnership);
} else {
return buildResponse(type, d);
return buildResponse(type, d, _checkKeyOwnership);
}
}
shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d) {
shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d,
bool _checkKeyOwnership) {
Requests r;
try {
int t = requests.at( _type );
......@@ -232,10 +231,13 @@ shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapi
break;
}
ret->setCheckKeyOwnership(_checkKeyOwnership);
return ret;
}
shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d) {
shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d,
bool _checkKeyOwnership) {
Responses r;
try {
int t = responses.at( _type );
......@@ -310,6 +312,8 @@ shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rap
break;
}
ret->setCheckKeyOwnership(_checkKeyOwnership);
return ret;
}
......
zmq_src/ZMQMessage.h
View file @ 72bb58de
......@@ -52,6 +52,7 @@ class ZMQMessage {
static cache::lru_cache<string, pair<EVP_PKEY*, X509*>> verifiedCerts;
protected:
bool checkKeyOwnership = true;
static std::map<string, string> keysByOwners;
......@@ -135,11 +136,15 @@ public:
}
static shared_ptr <ZMQMessage> parse(const char* _msg, size_t _size, bool _isRequest,
bool _verifySig);
bool _verifySig, bool _checkKeyOwnership);
static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d);
static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d);
static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d,
bool _checkKeyOwnership);
static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d,
bool _checkKeyOwnership);
virtual Json::Value process() = 0;
void setCheckKeyOwnership(bool _check) { checkKeyOwnership = _check; }
};
zmq_src/ZMQServer.cpp
View file @ 72bb58de
......@@ -38,8 +38,8 @@ using namespace std;
shared_ptr <ZMQServer> ZMQServer::zmqServer = nullptr;
ZMQServer::ZMQServer(bool _checkSignature, const string &_caCertFile)
: checkSignature(_checkSignature),
ZMQServer::ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string &_caCertFile)
: checkSignature(_checkSignature), checkKeyOwnership(_checkKeyOwnership),
caCertFile(_caCertFile), ctx(make_shared<zmq::context_t>(1)) {
socket = make_shared<zmq::socket_t>(*ctx, ZMQ_ROUTER);
......@@ -94,12 +94,13 @@ void ZMQServer::exitZMQServer() {
spdlog::info("Exited zmq server.");
}
void ZMQServer::initZMQServer(bool _checkSignature) {
void ZMQServer::initZMQServer(bool _checkSignature, bool _checkKeyOwnership) {
static bool initedServer = false;
CHECK_STATE(!initedServer)
initedServer = true;
spdlog::info("Initing zmq server. checkSignature is set to {}", _checkSignature);
spdlog::info("Initing zmq server.\n checkSignature is set to {}.\n checkKeyOwnership is set to {}",
_checkSignature, _checkKeyOwnership);
string rootCAPath = "";
......@@ -109,7 +110,7 @@ void ZMQServer::initZMQServer(bool _checkSignature) {
CHECK_STATE(access(rootCAPath.c_str(), F_OK) == 0);
};
zmqServer = make_shared<ZMQServer>(_checkSignature, rootCAPath);
zmqServer = make_shared<ZMQServer>(_checkSignature, _checkKeyOwnership, rootCAPath);
CHECK_STATE(zmqServer)
......@@ -179,7 +180,7 @@ void ZMQServer::doOneServerLoop() {
CHECK_STATE(stringToParse.back() == '}')
auto parsedMsg = ZMQMessage::parse(
stringToParse.c_str(), stringToParse.size(), true, checkSignature);
stringToParse.c_str(), stringToParse.size(), true, checkSignature, checkKeyOwnership);
CHECK_STATE2(parsedMsg, ZMQ_COULD_NOT_PARSE);
......
zmq_src/ZMQServer.h
View file @ 72bb58de
......@@ -14,7 +14,7 @@
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file ZMQServer.h
@author Stan Kladko
......@@ -52,16 +52,18 @@ public:
static shared_ptr<std::thread> serverThread;
ZMQServer(bool _checkSignature, const string& _caCertFile);
ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string& _caCertFile);
~ZMQServer();
void run();
static void initZMQServer(bool _checkSignature);
static void initZMQServer(bool _checkSignature, bool _checkKeyOwnership);
static void exitZMQServer();
private:
bool checkKeyOwnership = true;
shared_ptr<zmq::context_t> ctx;
shared_ptr<zmq::socket_t> socket;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment