git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
tang
1
0
Fork 0
Files
Tree: a7d19acff0
Branches Tags
tang
/
debian
/
patches
/
cherry-pick
/
1606525324.v7-8-g7119454.move-key-handling-to-tang-itself.patch

1606525324.v7-8-g7119454.move-key-handling-to-tang-itself.patch 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381 
  1. Subject: Move key handling to tang itself
    2. 

  2. Origin: v7-8-g7119454 <https://github.com/latchset/tang/commit/v7-8-g7119454>
    3. 

  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
    4. 

  4. Date: Fri Nov 27 22:02:04 2020 -0300
    5. 

  5. 

  6.     Use the key manipulation functions added in src/keys.{c|h} in tangd.
    7. 

  7. 

  8.     This effectively removes the need for a cache directory -- usually
    9. 

  9.     /var/cache/tang --, which contained pre-computed files with signed
    10. 

  10.     advertisements and JWK with keys for deriving new keys.
    11. 

  11. 

  12.     This computation was done by the tangd-update script, which has also
    13. 

  13.     been removed in this commit.
    14. 

  14. 

  15.     We relied on systemd to run this script whenever the JWK dir -- usually
    16. 

  16.     /var/db/tang, which is where the actual keys are located -- changed, to
    17. 

  17.     keep the cache directory updated, but this is sometimes unreliable,
    18. 

  18.     causing issues like the ones reported in #23 and #24.
    19. 

  19. 

  20.     As of now, tang performs these computations itself and does not depend
    21. 

  21.     on external scripts to make sure it has reliable information regarding
    22. 

  22.     its keys.
    23. 

  23. 

  24.     Additionally, tang also creates a new pair of keys if none exist.
    25. 

  25. 

  26. --- a/meson.build
    27. 

  27. +++ b/meson.build
    28. 

  28. @@ -16,14 +16,12 @@
    29. 

  29.  bindir = join_paths(get_option('prefix'), get_option('bindir'))
    30. 

  30.  systemunitdir = join_paths(get_option('prefix'), '../lib/systemd/system')
    31. 

  31.  licensedir = join_paths(get_option('prefix'), 'share', 'licenses', meson.project_name())
    32. 

  32. -cachedir = join_paths(get_option('localstatedir'), 'cache', meson.project_name())
    33. 

  33.  jwkdir = join_paths(get_option('localstatedir'), 'db', meson.project_name())
    34. 

  34.  
    35. 

  35.  data = configuration_data()
    36. 

  36.  data.set('libexecdir', libexecdir)
    37. 

  37.  data.set('sysconfdir', sysconfdir)
    38. 

  38.  data.set('systemunitdir', systemunitdir)
    39. 

  39. -data.set('cachedir', cachedir)
    40. 

  40.  data.set('jwkdir', jwkdir)
    41. 

  41.  
    42. 

  42.  add_project_arguments(
    43. 

  43. --- a/src/meson.build
    44. 

  44. +++ b/src/meson.build
    45. 

  45. @@ -1,6 +1,6 @@
    46. 

  46.  tangd = executable('tangd',
    47. 

  47. -  'http.h',
    48. 

  48.    'http.c',
    49. 

  49. +  'keys.c',
    50. 

  50.    'tangd.c',
    51. 

  51.    dependencies: [jose, http_parser],
    52. 

  52.    install: true,
    53. 

  53. @@ -9,6 +9,5 @@
    54. 

  54.  
    55. 

  55.  bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
    56. 

  56.  libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
    57. 

  57. -libexecbins += join_paths(meson.current_source_dir(), 'tangd-update')
    58. 

  58.  
    59. 

  59.  # vim:set ts=2 sw=2 et:
    60. 

  60. --- a/src/tangd-update
    61. 

  61. +++ /dev/null
    62. 

  62. @@ -1,83 +0,0 @@
    63. 

  63. -#!/bin/bash
    64. 

  64. -# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
    65. 

  65. -#
    66. 

  66. -# Copyright (c) 2016 Red Hat, Inc.
    67. 

  67. -# Author: Nathaniel McCallum <npmccallum@redhat.com>
    68. 

  68. -#
    69. 

  69. -# This program is free software: you can redistribute it and/or modify
    70. 

  70. -# it under the terms of the GNU General Public License as published by
    71. 

  71. -# the Free Software Foundation, either version 3 of the License, or
    72. 

  72. -# (at your option) any later version.
    73. 

  73. -#
    74. 

  74. -# This program is distributed in the hope that it will be useful,
    75. 

  75. -# but WITHOUT ANY WARRANTY; without even the implied warranty of
    76. 

  76. -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    77. 

  77. -# GNU General Public License for more details.
    78. 

  78. -#
    79. 

  79. -# You should have received a copy of the GNU General Public License
    80. 

  80. -# along with this program.  If not, see <http://www.gnu.org/licenses/>.
    81. 

  81. -#
    82. 

  82. -
    83. 

  83. -TMP='{"protected":{"cty":"jwk-set+json"}}'
    84. 

  84. -
    85. 

  85. -trap 'exit' ERR
    86. 

  86. -
    87. 

  87. -shopt -s nullglob
    88. 

  88. -
    89. 

  89. -HASHES=`jose alg -k hash`
    90. 

  90. -
    91. 

  91. -if [ $# -ne 2 ] || [ ! -d "$1" ]; then
    92. 

  92. -    echo "Usage: $0 <jwkdir> <cachedir>" >&2
    93. 

  93. -    exit 1
    94. 

  94. -fi
    95. 

  95. -
    96. 

  96. -[ ! -d "$2" ] && mkdir -p -m 0700 "$2"
    97. 

  97. -
    98. 

  98. -src=`realpath "$1"`
    99. 

  99. -dst=`realpath "$2"`
    100. 

  100. -
    101. 

  101. -payl=()
    102. 

  102. -sign=()
    103. 

  103. -
    104. 

  104. -for jwk in $src/*.jwk; do
    105. 

  105. -    if jose jwk use -i "$jwk" -r -u sign -u verify; then
    106. 

  106. -        sign+=("-s" "$TMP" "-k" "$jwk")
    107. 

  107. -        payl+=("-i" "$jwk")
    108. 

  108. -    elif jose jwk use -i "$jwk" -r -u deriveKey; then
    109. 

  109. -        payl+=("-i" "$jwk")
    110. 

  110. -    else
    111. 

  111. -        echo "Skipping invalid key: $jwk" >&2
    112. 

  112. -    fi
    113. 

  113. -done
    114. 

  114. -
    115. 

  115. -if [ ${#sign[@]} -gt 0 ]; then
    116. 

  116. -    jose jwk pub -s "${payl[@]}" \
    117. 

  117. -        | jose jws sig -I- "${sign[@]}" -o "$dst/.default.jws"
    118. 

  118. -    mv -f "$dst/.default.jws" "$dst/default.jws"
    119. 

  119. -    new=default.jws
    120. 

  120. -fi
    121. 

  121. -
    122. 

  122. -shopt -s dotglob
    123. 

  123. -
    124. 

  124. -for jwk in $src/*.jwk; do
    125. 

  125. -    for hsh in $HASHES; do
    126. 

  126. -        thp=`jose jwk thp -i "$jwk" -a $hsh`
    127. 

  127. -
    128. 

  128. -        if jose jwk use -i "$jwk" -r -u deriveKey; then
    129. 

  129. -            ln -sf "$jwk" "$dst/.$thp.jwk"
    130. 

  130. -            mv -f "$dst/.$thp.jwk" "$dst/$thp.jwk"
    131. 

  131. -            new="$new\n$thp.jwk"
    132. 

  132. -        elif jose jwk use -i "$jwk" -r -u sign; then
    133. 

  133. -            keys=("${sign[@]}" -s "$TMP" -k "$jwk")
    134. 

  134. -            jose jwk pub -s "${payl[@]}" \
    135. 

  135. -                | jose jws sig -I- "${keys[@]}" -o "$dst/.$thp.jws"
    136. 

  136. -            mv -f "$dst/.$thp.jws" "$dst/$thp.jws"
    137. 

  137. -            new="$new\n$thp.jws"
    138. 

  138. -        fi
    139. 

  139. -    done
    140. 

  140. -done
    141. 

  141. -
    142. 

  142. -for f in "$dst"/*; do
    143. 

  143. -    b=`basename "$f"`
    144. 

  144. -    echo -e "$new" | grep -q "^$b\$" || rm -f "$f"
    145. 

  145. -done
    146. 

  146. --- a/src/tangd.c
    147. 

  147. +++ b/src/tangd.c
    148. 

  148. @@ -28,6 +28,7 @@
    149. 

  149.  #include <unistd.h>
    150. 

  150.  
    151. 

  151.  #include <jose/jose.h>
    152. 

  152. +#include "keys.h"
    153. 

  153.  
    154. 

  154.  static void
    155. 

  155.  str_cleanup(char **str)
    156. 

  156. @@ -36,23 +37,20 @@
    157. 

  157.          free(*str);
    158. 

  158.  }
    159. 

  159.  
    160. 

  160. -static void
    161. 

  161. -FILE_cleanup(FILE **file)
    162. 

  162. -{
    163. 

  163. -    if (file && *file)
    164. 

  164. -        fclose(*file);
    165. 

  165. -}
    166. 

  166. -
    167. 

  167.  static int
    168. 

  168.  adv(enum http_method method, const char *path, const char *body,
    169. 

  169.      regmatch_t matches[], void *misc)
    170. 

  170.  {
    171. 

  171. -    __attribute__((cleanup(FILE_cleanup))) FILE *file = NULL;
    172. 

  172.      __attribute__((cleanup(str_cleanup))) char *adv = NULL;
    173. 

  173.      __attribute__((cleanup(str_cleanup))) char *thp = NULL;
    174. 

  174. -    char filename[PATH_MAX] = {};
    175. 

  175. -    const char *cachedir = misc;
    176. 

  176. -    struct stat st = {};
    177. 

  177. +    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info *tki = NULL;
    178. 

  178. +    json_auto_t *jws = NULL;
    179. 

  179. +    const char *jwkdir = misc;
    180. 

  180. +
    181. 

  181. +    tki = read_keys(jwkdir);
    182. 

  182. +    if (!tki || tki->m_keys_count == 0) {
    183. 

  183. +        return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    184. 

  184. +    }
    185. 

  185.  
    186. 

  186.      if (matches[1].rm_so < matches[1].rm_eo) {
    187. 

  187.          size_t size = matches[1].rm_eo - matches[1].rm_so;
    188. 

  188. @@ -61,24 +59,15 @@
    189. 

  189.              return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    190. 

  190.      }
    191. 

  191.  
    192. 

  192. -    if (snprintf(filename, sizeof(filename),
    193. 

  193. -                 "%s/%s.jws", cachedir, thp ? thp : "default") < 0)
    194. 

  194. -        return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    195. 

  195. -
    196. 

  196. -    file = fopen(filename, "r");
    197. 

  197. -    if (!file)
    198. 

  198. +    jws = find_jws(tki, thp);
    199. 

  199. +    if (!jws) {
    200. 

  200.          return http_reply(HTTP_STATUS_NOT_FOUND, NULL);
    201. 

  201. +    }
    202. 

  202.  
    203. 

  203. -    if (fstat(fileno(file), &st) != 0)
    204. 

  204. -        return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    205. 

  205. -
    206. 

  206. -    adv = calloc(st.st_size + 1, 1);
    207. 

  207. +    adv = json_dumps(jws, 0);
    208. 

  208.      if (!adv)
    209. 

  209.          return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    210. 

  210.  
    211. 

  211. -    if (fread(adv, st.st_size, 1, file) != 1)
    212. 

  212. -        return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    213. 

  213. -
    214. 

  214.      return http_reply(HTTP_STATUS_OK,
    215. 

  215.                        "Content-Type: application/jose+json\r\n"
    216. 

  216.                        "Content-Length: %zu\r\n"
    217. 

  217. @@ -91,9 +80,9 @@
    218. 

  218.  {
    219. 

  219.      __attribute__((cleanup(str_cleanup))) char *enc = NULL;
    220. 

  220.      __attribute__((cleanup(str_cleanup))) char *thp = NULL;
    221. 

  221. +    __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info *tki = NULL;
    222. 

  222.      size_t size = matches[1].rm_eo - matches[1].rm_so;
    223. 

  223. -    char filename[PATH_MAX] = {};
    224. 

  224. -    const char *cachedir = misc;
    225. 

  225. +    const char *jwkdir = misc;
    226. 

  226.      json_auto_t *jwk = NULL;
    227. 

  227.      json_auto_t *req = NULL;
    228. 

  228.      json_auto_t *rep = NULL;
    229. 

  229. @@ -124,15 +113,16 @@
    230. 

  230.      /*
    231. 

  231.       * Parse and validate the server-side JWK
    232. 

  232.       */
    233. 

  233. +    tki = read_keys(jwkdir);
    234. 

  234. +    if (!tki || tki->m_keys_count == 0) {
    235. 

  235. +        return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    236. 

  236. +    }
    237. 

  237.  
    238. 

  238.      thp = strndup(&path[matches[1].rm_so], size);
    239. 

  239.      if (!thp)
    240. 

  240.          return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    241. 

  241.  
    242. 

  242. -    if (snprintf(filename, sizeof(filename), "%s/%s.jwk", cachedir, thp) < 0)
    243. 

  243. -        return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
    244. 

  244. -
    245. 

  245. -    jwk = json_load_file(filename, 0, NULL);
    246. 

  246. +    jwk = find_jwk(tki, thp);
    247. 

  247.      if (!jwk)
    248. 

  248.          return http_reply(HTTP_STATUS_NOT_FOUND, NULL);
    249. 

  249.  
    250. 

  250. @@ -188,7 +178,7 @@
    251. 

  251.      http_parser_init(&parser, HTTP_REQUEST);
    252. 

  252.  
    253. 

  253.      if (argc != 2) {
    254. 

  254. -        fprintf(stderr, "Usage: %s <cachedir>\n", argv[0]);
    255. 

  255. +        fprintf(stderr, "Usage: %s <jwkdir>\n", argv[0]);
    256. 

  256.          return EXIT_FAILURE;
    257. 

  257.      }
    258. 

  258.  
    259. 

  259. --- a/tests/adv
    260. 

  260. +++ b/tests/adv
    261. 

  261. @@ -36,15 +36,13 @@
    262. 

  262.  
    263. 

  263.  export TMP=`mktemp -d`
    264. 

  264.  mkdir -p $TMP/db
    265. 

  265. -mkdir -p $TMP/cache
    266. 

  266.  
    267. 

  267.  tangd-keygen $TMP/db sig exc
    268. 

  268.  jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
    269. 

  269.  jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
    270. 

  270. -tangd-update $TMP/db $TMP/cache
    271. 

  271.  
    272. 

  272.  export PORT=`shuf -i 1024-65536 -n 1`
    273. 

  273. -$SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/cache &
    274. 

  274. +$SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/db &
    275. 

  275.  export PID=$!
    276. 

  276.  sleep 0.5
    277. 

  277.  
    278. 

  278. @@ -84,4 +82,4 @@
    279. 

  279.                 -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
    280. 

  280.                 -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
    281. 

  281.  
    282. 

  282. -test $(tang-show-keys $PORT) == $(jose jwk thp -i $TMP/db/sig.jwk)
    283. 

  283. +test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
    284. 

  284. --- a/tests/rec
    285. 

  285. +++ b/tests/rec
    286. 

  286. @@ -28,11 +28,9 @@
    287. 

  287.  
    288. 

  288.  export TMP=`mktemp -d`
    289. 

  289.  mkdir -p $TMP/db
    290. 

  290. -mkdir -p $TMP/cache
    291. 

  291.  
    292. 

  292.  # Generate the server keys
    293. 

  293.  tangd-keygen $TMP/db sig exc
    294. 

  294. -tangd-update $TMP/db $TMP/cache
    295. 

  295.  
    296. 

  296.  # Generate the client keys
    297. 

  297.  exc_kid=`jose jwk thp -i $TMP/db/exc.jwk`
    298. 

  298. @@ -42,7 +40,7 @@
    299. 

  299.  
    300. 

  300.  # Start the server
    301. 

  301.  port=`shuf -i 1024-65536 -n 1`
    302. 

  302. -$SD_ACTIVATE -l 127.0.0.1:$port -a $VALGRIND tangd $TMP/cache &
    303. 

  303. +$SD_ACTIVATE -l 127.0.0.1:$port -a $VALGRIND tangd $TMP/db &
    304. 

  304.  export PID=$!
    305. 

  305.  sleep 0.5
    306. 

  306.  
    307. 

  307. --- a/units/meson.build
    308. 

  308. +++ b/units/meson.build
    309. 

  309. @@ -1,31 +1,10 @@
    310. 

  310. -tangd_keygen_service = configure_file(
    311. 

  311. -  input: 'tangd-keygen.service.in',
    312. 

  312. -  output: 'tangd-keygen.service',
    313. 

  313. -  configuration: data
    314. 

  314. -)
    315. 

  315. -
    316. 

  316.  tangd_service = configure_file(
    317. 

  317.    input: 'tangd@.service.in',
    318. 

  318.    output: 'tangd@.service',
    319. 

  319.    configuration: data
    320. 

  320.  )
    321. 

  321.  
    322. 

  322. -tangd_update_path = configure_file(
    323. 

  323. -  input: 'tangd-update.path.in',
    324. 

  324. -  output: 'tangd-update.path',
    325. 

  325. -  configuration: data
    326. 

  326. -)
    327. 

  327. -
    328. 

  328. -tangd_update_service = configure_file(
    329. 

  329. -  input: 'tangd-update.service.in',
    330. 

  330. -  output: 'tangd-update.service',
    331. 

  331. -  configuration: data
    332. 

  332. -)
    333. 

  333. -
    334. 

  334.  units += join_paths(meson.current_source_dir(), 'tangd.socket')
    335. 

  335. -units += tangd_keygen_service
    336. 

  336.  units += tangd_service
    337. 

  337. -units += tangd_update_path
    338. 

  338. -units += tangd_update_service
    339. 

  339.  
    340. 

  340.  # vim:set ts=2 sw=2 et:
    341. 

  341. --- a/units/tangd-keygen.service.in
    342. 

  342. +++ /dev/null
    343. 

  343. @@ -1,8 +0,0 @@
    344. 

  344. -[Unit]
    345. 

  345. -Description=Tang Server key generation script
    346. 

  346. -ConditionDirectoryNotEmpty=|!@jwkdir@
    347. 

  347. -Requires=tangd-update.path
    348. 

  348. -
    349. 

  349. -[Service]
    350. 

  350. -Type=oneshot
    351. 

  351. -ExecStart=@libexecdir@/tangd-keygen @jwkdir@
    352. 

  352. --- a/units/tangd-update.path.in
    353. 

  353. +++ /dev/null
    354. 

  354. @@ -1,4 +0,0 @@
    355. 

  355. -[Path]
    356. 

  356. -PathChanged=@jwkdir@
    357. 

  357. -MakeDirectory=true
    358. 

  358. -DirectoryMode=0700
    359. 

  359. --- a/units/tangd-update.service.in
    360. 

  360. +++ /dev/null
    361. 

  361. @@ -1,6 +0,0 @@
    362. 

  362. -[Unit]
    363. 

  363. -Description=Tang Server key update script
    364. 

  364. -
    365. 

  365. -[Service]
    366. 

  366. -Type=oneshot
    367. 

  367. -ExecStart=@libexecdir@/tangd-update @jwkdir@ @cachedir@
    368. 

  368. --- a/units/tangd@.service.in
    369. 

  369. +++ b/units/tangd@.service.in
    370. 

  370. @@ -1,10 +1,8 @@
    371. 

  371.  [Unit]
    372. 

  372.  Description=Tang Server
    373. 

  373. -Requires=tangd-keygen.service
    374. 

  374. -After=tangd-keygen.service
    375. 

  375.  
    376. 

  376.  [Service]
    377. 

  377.  StandardInput=socket
    378. 

  378.  StandardOutput=socket
    379. 

  379.  StandardError=journal
    380. 

  380. -ExecStart=@libexecdir@/tangd @cachedir@
    381. 

  381. +ExecStart=@libexecdir@/tangd @jwkdir@
    382.