tangd.c 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
  1. /* vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: */
  2. /*
  3. * Copyright (c) 2016 Red Hat, Inc.
  4. * Author: Nathaniel McCallum <npmccallum@redhat.com>
  5. *
  6. * This program is free software: you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation, either version 3 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. */
  19. #include "http.h"
  20. #include <sys/types.h>
  21. #include <sys/stat.h>
  22. #include <limits.h>
  23. #include <stdio.h>
  24. #include <stdlib.h>
  25. #include <string.h>
  26. #include <unistd.h>
  27. #include <getopt.h>
  28. #include <jose/jose.h>
  29. #include "keys.h"
  30. #include "socket.h"
  31. static const struct option long_options[] = {
  32. {"port", 1, 0, 'p'},
  33. {"listen", 0, 0, 'l'},
  34. {"version", 0, 0, 'v'},
  35. {"help", 0, 0, 'h'},
  36. {NULL, 0, 0, 0}
  37. };
  38. static void
  39. print_help(const char *name)
  40. {
  41. fprintf(stderr, "Usage: %s [OPTIONS] <jwkdir>\n", name);
  42. fprintf(stderr, " -p, --port=PORT Specify the port to listen (default 9090)\n");
  43. fprintf(stderr, " -l, --listen Run as a service and wait for connections\n");
  44. fprintf(stderr, " -v, --version Display program version\n");
  45. fprintf(stderr, " -h, --help Show this help message\n");
  46. }
  47. static void
  48. print_version(void)
  49. {
  50. fprintf(stderr, "tangd %s\n", VERSION);
  51. }
  52. static void
  53. str_cleanup(char **str)
  54. {
  55. if (str)
  56. free(*str);
  57. }
  58. static int
  59. adv(enum http_method method, const char *path, const char *body,
  60. regmatch_t matches[], void *misc)
  61. {
  62. __attribute__((cleanup(str_cleanup))) char *adv = NULL;
  63. __attribute__((cleanup(str_cleanup))) char *thp = NULL;
  64. __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info *tki = NULL;
  65. json_auto_t *jws = NULL;
  66. const char *jwkdir = misc;
  67. tki = read_keys(jwkdir);
  68. if (!tki || tki->m_keys_count == 0) {
  69. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  70. }
  71. if (matches[1].rm_so < matches[1].rm_eo) {
  72. size_t size = matches[1].rm_eo - matches[1].rm_so;
  73. thp = strndup(&path[matches[1].rm_so], size);
  74. if (!thp)
  75. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  76. }
  77. jws = find_jws(tki, thp);
  78. if (!jws) {
  79. return http_reply(HTTP_STATUS_NOT_FOUND, NULL);
  80. }
  81. adv = json_dumps(jws, 0);
  82. if (!adv)
  83. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  84. return http_reply(HTTP_STATUS_OK,
  85. "Content-Type: application/jose+json\r\n"
  86. "Content-Length: %zu\r\n"
  87. "\r\n%s", strlen(adv), adv);
  88. }
  89. static int
  90. rec(enum http_method method, const char *path, const char *body,
  91. regmatch_t matches[], void *misc)
  92. {
  93. __attribute__((cleanup(str_cleanup))) char *enc = NULL;
  94. __attribute__((cleanup(str_cleanup))) char *thp = NULL;
  95. __attribute__((cleanup(cleanup_tang_keys_info))) struct tang_keys_info *tki = NULL;
  96. size_t size = matches[1].rm_eo - matches[1].rm_so;
  97. const char *jwkdir = misc;
  98. json_auto_t *jwk = NULL;
  99. json_auto_t *req = NULL;
  100. json_auto_t *rep = NULL;
  101. const char *alg = NULL;
  102. const char *kty = NULL;
  103. const char *d = NULL;
  104. /*
  105. * Parse and validate the request JWK
  106. */
  107. req = json_loads(body, 0, NULL);
  108. if (!req)
  109. return http_reply(HTTP_STATUS_BAD_REQUEST, NULL);
  110. if (!jose_jwk_prm(NULL, req, false, "deriveKey"))
  111. return http_reply(HTTP_STATUS_FORBIDDEN, NULL);
  112. if (json_unpack(req, "{s:s,s?s}", "kty", &kty, "alg", &alg) < 0)
  113. return http_reply(HTTP_STATUS_BAD_REQUEST, NULL);
  114. if (strcmp(kty, "EC") != 0)
  115. return http_reply(HTTP_STATUS_BAD_REQUEST, NULL);
  116. if (alg && strcmp(alg, "ECMR") != 0)
  117. return http_reply(HTTP_STATUS_BAD_REQUEST, NULL);
  118. /*
  119. * Parse and validate the server-side JWK
  120. */
  121. tki = read_keys(jwkdir);
  122. if (!tki || tki->m_keys_count == 0) {
  123. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  124. }
  125. thp = strndup(&path[matches[1].rm_so], size);
  126. if (!thp)
  127. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  128. jwk = find_jwk(tki, thp);
  129. if (!jwk)
  130. return http_reply(HTTP_STATUS_NOT_FOUND, NULL);
  131. if (!jose_jwk_prm(NULL, jwk, true, "deriveKey"))
  132. return http_reply(HTTP_STATUS_FORBIDDEN, NULL);
  133. if (json_unpack(jwk, "{s:s,s?s}", "d", &d, "alg", &alg) < 0)
  134. return http_reply(HTTP_STATUS_FORBIDDEN, NULL);
  135. if (alg && strcmp(alg, "ECMR") != 0)
  136. return http_reply(HTTP_STATUS_FORBIDDEN, NULL);
  137. /*
  138. * Perform the exchange and return
  139. */
  140. rep = jose_jwk_exc(NULL, jwk, req);
  141. if (!rep)
  142. return http_reply(HTTP_STATUS_BAD_REQUEST, NULL);
  143. if (json_object_set_new(rep, "alg", json_string("ECMR")) < 0)
  144. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  145. if (json_object_set_new(rep, "key_ops", json_pack("[s]", "deriveKey")) < 0)
  146. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  147. enc = json_dumps(rep, JSON_SORT_KEYS | JSON_COMPACT);
  148. if (!enc)
  149. return http_reply(HTTP_STATUS_INTERNAL_SERVER_ERROR, NULL);
  150. return http_reply(HTTP_STATUS_OK,
  151. "Content-Type: application/jwk+json\r\n"
  152. "Content-Length: %zu\r\n"
  153. "\r\n%s", strlen(enc), enc);
  154. }
  155. static struct http_dispatch dispatch[] = {
  156. { adv, 1 << HTTP_GET, 2, "^/+adv/+([0-9A-Za-z_-]+)$" },
  157. { adv, 1 << HTTP_GET, 2, "^/+adv/*$" },
  158. { rec, 1 << HTTP_POST, 2, "^/+rec/+([0-9A-Za-z_-]+)$" },
  159. {}
  160. };
  161. #define DEFAULT_PORT 9090
  162. static int
  163. process_request(const char *jwkdir, int in_fileno)
  164. {
  165. struct http_state state = { .dispatch = dispatch, .misc = (char*)jwkdir };
  166. struct http_parser parser = { .data = &state };
  167. struct stat st = {};
  168. char req[4096] = {};
  169. size_t rcvd = 0;
  170. int r = 0;
  171. http_parser_init(&parser, HTTP_REQUEST);
  172. if (stat(jwkdir, &st) != 0) {
  173. fprintf(stderr, "Error calling stat() on path: %s: %m\n", jwkdir);
  174. return EXIT_FAILURE;
  175. }
  176. if (!S_ISDIR(st.st_mode)) {
  177. fprintf(stderr, "Path is not a directory: %s\n", jwkdir);
  178. return EXIT_FAILURE;
  179. }
  180. for (;;) {
  181. r = read(in_fileno, &req[rcvd], sizeof(req) - rcvd - 1);
  182. if (r == 0)
  183. return rcvd > 0 ? EXIT_FAILURE : EXIT_SUCCESS;
  184. if (r < 0)
  185. return EXIT_FAILURE;
  186. rcvd += r;
  187. r = http_parser_execute(&parser, &http_settings, req, rcvd);
  188. if (parser.http_errno != 0) {
  189. fprintf(stderr, "HTTP Parsing Error: %s\n",
  190. http_errno_description(parser.http_errno));
  191. return EXIT_SUCCESS;
  192. }
  193. memmove(req, &req[r], rcvd - r);
  194. rcvd -= r;
  195. }
  196. return EXIT_SUCCESS;
  197. }
  198. int
  199. main(int argc, char *argv[])
  200. {
  201. int listen = 0;
  202. int port = DEFAULT_PORT;
  203. const char *jwkdir = NULL;
  204. while (1) {
  205. int c = getopt_long(argc, argv, "lp:vh", long_options, NULL);
  206. if (c == -1)
  207. break;
  208. switch(c) {
  209. case 'v':
  210. print_version();
  211. return EXIT_SUCCESS;
  212. case 'h':
  213. print_help(argv[0]);
  214. return EXIT_SUCCESS;
  215. case 'p':
  216. port = atoi(optarg);
  217. break;
  218. case 'l':
  219. listen = 1;
  220. break;
  221. }
  222. }
  223. if (optind >= argc) {
  224. fprintf(stderr, "Usage: %s [OPTION] <jwkdir>\n", argv[0]);
  225. return EXIT_FAILURE;
  226. }
  227. jwkdir = argv[optind++];
  228. if (listen == 0) { /* process one-shot query from stdin */
  229. return process_request(jwkdir, STDIN_FILENO);
  230. } else { /* listen and process all incoming connections */
  231. return run_service(jwkdir, port, process_request);
  232. }
  233. }