Commit af61496c authored by Loïck Bonniot's avatar Loïck Bonniot

[c][p][t] Add platform seal on signature metadata

parent 65467f53
Pipeline #1682 passed with stage
package auth
import (
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/sha512"
"crypto/x509"
"fmt"
)
// SignStructure signs the provided structure with the private key.
// The used protocol is RSA PKCS#1 v1.5 with SHA-512 hash.
// The structure is serialized to a string representation using the fmt package.
func SignStructure(key *rsa.PrivateKey, structure interface{}) ([]byte, error) {
hash, err := hashStruct(structure)
if err != nil {
return nil, err
}
return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, hash)
}
// VerifyStructure verifies the signed message according to the provided structure and certificate.
// See SignStructure for protocol definition.
func VerifyStructure(cert *x509.Certificate, structure interface{}, signed []byte) (bool, error) {
hash, err := hashStruct(structure)
if err != nil {
return false, err
}
err = rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA512, hash, signed)
return err == nil, err
}
func hashStruct(structure interface{}) (hash []byte, err error) {
data := []byte(fmt.Sprintf("%v", structure))
rawHash := sha512.Sum512(data)
hash = rawHash[:]
return
}
package auth
import (
"testing"
"github.com/stretchr/testify/assert"
)
type TestStructure struct {
FieldA int64
FieldB []byte
FieldC *TestStructure
}
func TestSignStructure(t *testing.T) {
key, err := GeneratePrivateKey(1024)
assert.Nil(t, err)
res, err := SignStructure(key, TestStructure{})
assert.Nil(t, err)
assert.True(t, len(res) > 0)
}
func TestVerifyStructure(t *testing.T) {
key, err := GeneratePrivateKey(1024)
assert.Nil(t, err)
selfSigned, err := GetSelfSignedCertificate(1, 0, "", "", "", "test", key)
assert.Nil(t, err)
cert, err := PEMToCertificate(selfSigned)
assert.Nil(t, err)
s := TestStructure{
FieldA: 5,
FieldB: []byte{0x01, 0x02},
FieldC: &TestStructure{},
}
res, _ := SignStructure(key, s)
valid, err := VerifyStructure(cert, s, res)
assert.Nil(t, err)
assert.True(t, valid)
s.FieldB[1] = 0x42
valid, _ = VerifyStructure(cert, s, res)
assert.False(t, valid)
}
...@@ -51,8 +51,8 @@ type Context struct { ...@@ -51,8 +51,8 @@ type Context struct {
ContractDocumentHash []byte `protobuf:"bytes,5,opt,name=contractDocumentHash,proto3" json:"contractDocumentHash,omitempty"` ContractDocumentHash []byte `protobuf:"bytes,5,opt,name=contractDocumentHash,proto3" json:"contractDocumentHash,omitempty"`
// / The unique signature attemp ID, as provided by the platform during the ready signal // / The unique signature attemp ID, as provided by the platform during the ready signal
SignatureUUID string `protobuf:"bytes,6,opt,name=signatureUUID" json:"signatureUUID,omitempty"` SignatureUUID string `protobuf:"bytes,6,opt,name=signatureUUID" json:"signatureUUID,omitempty"`
// / The signed metadata hashb, as provided by the platform during the ready signal // / The signed metadata seal, as provided by the platform during the ready signal
SignedHash []byte `protobuf:"bytes,7,opt,name=signedHash,proto3" json:"signedHash,omitempty"` Seal []byte `protobuf:"bytes,7,opt,name=seal,proto3" json:"seal,omitempty"`
} }
func (m *Context) Reset() { *m = Context{} } func (m *Context) Reset() { *m = Context{} }
...@@ -263,28 +263,28 @@ var _Client_serviceDesc = grpc.ServiceDesc{ ...@@ -263,28 +263,28 @@ var _Client_serviceDesc = grpc.ServiceDesc{
var fileDescriptor0 = []byte{ var fileDescriptor0 = []byte{
// 380 bytes of a gzipped FileDescriptorProto // 380 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x8c, 0x52, 0x5d, 0x4f, 0xc2, 0x30, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x8c, 0x52, 0xed, 0xaa, 0xda, 0x40,
0x14, 0xe5, 0x43, 0x18, 0x5c, 0x07, 0x31, 0x0d, 0x0f, 0xcb, 0x8c, 0x06, 0x17, 0x62, 0x88, 0x0f, 0x10, 0x35, 0x7e, 0x45, 0xa7, 0x51, 0xca, 0xe2, 0x8f, 0x90, 0x52, 0xb0, 0x41, 0x8a, 0xf4, 0x47,
0x23, 0xc1, 0x9f, 0x00, 0x26, 0x18, 0x63, 0x62, 0xa6, 0xfc, 0x80, 0xda, 0x15, 0x6d, 0x32, 0xd6, 0x04, 0xfb, 0x08, 0x5a, 0xb0, 0x94, 0x42, 0x49, 0xeb, 0x03, 0x6c, 0x37, 0x63, 0xbb, 0x10, 0xb3,
0xd9, 0x16, 0x03, 0xbf, 0xc1, 0x37, 0x7f, 0xb1, 0xdd, 0x1d, 0x43, 0x88, 0x3c, 0xf8, 0xb2, 0xec, 0xe9, 0xee, 0x5a, 0xf4, 0x35, 0xee, 0x0b, 0xdf, 0xbb, 0x99, 0x18, 0xaf, 0x72, 0xfd, 0x71, 0xff,
0xdc, 0x7b, 0x7a, 0xce, 0xbd, 0xa7, 0x85, 0xf3, 0x78, 0xa1, 0xf5, 0x28, 0xff, 0xb0, 0x11, 0xcd, 0x2c, 0x7b, 0x66, 0xce, 0x9e, 0x33, 0x67, 0x58, 0x78, 0x97, 0xed, 0x8c, 0x59, 0x54, 0x87, 0x58,
0xc4, 0x88, 0x25, 0x82, 0xa7, 0x26, 0xcc, 0x94, 0x34, 0x92, 0xd4, 0x6d, 0xc5, 0xbf, 0xd8, 0x31, 0xf0, 0x52, 0x2e, 0x44, 0x2e, 0xb1, 0xb0, 0x49, 0xa9, 0x95, 0x55, 0xac, 0xe3, 0x2a, 0xd1, 0xfb,
0x32, 0x64, 0x64, 0x09, 0x35, 0x0b, 0xa9, 0x96, 0x05, 0x27, 0xf8, 0xaa, 0x81, 0x33, 0x91, 0xa9, 0x0b, 0xa3, 0x24, 0x46, 0x99, 0x73, 0xbb, 0x53, 0x7a, 0x5f, 0x73, 0xe2, 0x47, 0x0f, 0xfc, 0x95,
0xe1, 0x6b, 0x43, 0x6e, 0xe0, 0x4c, 0x71, 0x26, 0xb2, 0x5c, 0xe2, 0x81, 0x6f, 0x66, 0x54, 0xbf, 0x2a, 0x2c, 0x1e, 0x2d, 0xfb, 0x04, 0x6f, 0x35, 0x0a, 0x59, 0x56, 0x12, 0xdf, 0xf0, 0xb4, 0xe1,
0x7b, 0xd5, 0x7e, 0x75, 0xe8, 0x46, 0x7f, 0xea, 0x64, 0x00, 0x1d, 0xcd, 0xd3, 0x98, 0xab, 0x92, 0xe6, 0x6f, 0xe8, 0x4d, 0xbd, 0x79, 0x90, 0xbe, 0xa8, 0xb3, 0x19, 0x8c, 0x0c, 0x16, 0x19, 0xea,
0x58, 0x43, 0xe2, 0x61, 0x91, 0xf8, 0xd0, 0xd2, 0xfc, 0x63, 0xc5, 0x53, 0xc6, 0xbd, 0x7a, 0xbf, 0x86, 0xd8, 0x26, 0xe2, 0x6d, 0x91, 0x45, 0x30, 0x30, 0xf8, 0xef, 0x80, 0x85, 0xc0, 0xb0, 0x33,
0x3e, 0xec, 0x44, 0x3b, 0x4c, 0x3c, 0x70, 0xb4, 0x78, 0x4b, 0xb9, 0xd2, 0xde, 0x89, 0x6d, 0xb9, 0xed, 0xcc, 0x47, 0xe9, 0x05, 0xb3, 0x10, 0x7c, 0x23, 0xff, 0x14, 0xa8, 0x4d, 0xd8, 0x75, 0xad,
0x51, 0x09, 0xc9, 0x18, 0x7a, 0xcc, 0x8e, 0xa4, 0x28, 0x33, 0x53, 0xc9, 0x56, 0x4b, 0x6b, 0x8b, 0x20, 0x6d, 0x20, 0x5b, 0xc2, 0x44, 0xb8, 0x91, 0x34, 0x17, 0x76, 0xad, 0xc4, 0x61, 0xef, 0x6c,
0x16, 0x0d, 0xb4, 0x38, 0xda, 0xc3, 0x79, 0xec, 0x71, 0x6a, 0x56, 0x8a, 0xcf, 0xe7, 0xf7, 0x53, 0xc9, 0xa2, 0x47, 0x16, 0x77, 0x7b, 0x34, 0x8f, 0x7b, 0xce, 0xed, 0x41, 0xe3, 0x76, 0xfb, 0x75,
0xaf, 0x69, 0xc9, 0xed, 0xe8, 0xb0, 0x48, 0x2e, 0x01, 0xd0, 0x24, 0x46, 0x3d, 0x07, 0xf5, 0xf6, 0x1d, 0xf6, 0x1d, 0x79, 0x98, 0xde, 0x16, 0x19, 0x83, 0xae, 0x41, 0x9e, 0x87, 0x3e, 0x29, 0xd1,
0x2a, 0x01, 0x05, 0xe7, 0x49, 0xc9, 0xa5, 0xd0, 0x9c, 0x5c, 0x83, 0xc3, 0x8a, 0x5c, 0x30, 0x83, 0x3d, 0xe6, 0xe0, 0xff, 0xd0, 0x6a, 0x2f, 0x0d, 0xb2, 0x8f, 0xe0, 0x8b, 0x7a, 0x17, 0x94, 0xfb,
0xd3, 0xb1, 0x1b, 0xda, 0xf8, 0xc2, 0x6d, 0x56, 0x51, 0xd9, 0x24, 0x3d, 0x68, 0x08, 0xbb, 0xf2, 0xcd, 0x32, 0x48, 0xdc, 0xca, 0x92, 0xf3, 0x7e, 0xd2, 0xa6, 0xc9, 0x26, 0xd0, 0x93, 0x2e, 0xe6,
0x1a, 0x03, 0xe8, 0x44, 0x05, 0xc8, 0x97, 0xcb, 0xe8, 0x26, 0x91, 0x34, 0xb6, 0x7b, 0xe7, 0x2e, 0x91, 0x42, 0x8f, 0xd2, 0x1a, 0x54, 0x81, 0x4a, 0x7e, 0xca, 0x15, 0xcf, 0x5c, 0xd6, 0x4a, 0xbf,
0x25, 0x0c, 0x1e, 0xa1, 0xfd, 0x5c, 0xce, 0xf4, 0x6f, 0x93, 0x3d, 0xb9, 0xda, 0xa1, 0xdc, 0x15, 0x81, 0xf1, 0x77, 0x18, 0xfe, 0x6c, 0xe6, 0x78, 0xb5, 0xc9, 0x95, 0x5c, 0xfb, 0x56, 0xee, 0x03,
0x34, 0x66, 0x3c, 0x49, 0x64, 0x4e, 0xf9, 0xb4, 0xe1, 0x09, 0x99, 0xa2, 0x54, 0x3b, 0x2a, 0xe1, 0xf4, 0x36, 0x98, 0xe7, 0xaa, 0xa2, 0xfc, 0x77, 0x0b, 0x93, 0xaa, 0x20, 0xa9, 0x61, 0xda, 0xc0,
0xf8, 0xbb, 0x0a, 0xcd, 0x09, 0xbe, 0x0b, 0x12, 0x82, 0xfb, 0xa2, 0x38, 0x35, 0xe5, 0x92, 0x85, 0xe5, 0x83, 0x07, 0xfd, 0x15, 0xfd, 0x05, 0x96, 0x40, 0xf0, 0x4b, 0x23, 0xb7, 0x4d, 0xc8, 0xda,
0xdd, 0x16, 0xf9, 0x5d, 0x44, 0x77, 0x4a, 0x49, 0x35, 0x91, 0x31, 0x0f, 0x2a, 0xf6, 0x26, 0xba, 0xee, 0x8c, 0xa2, 0x31, 0xa1, 0x2f, 0x5a, 0x2b, 0xbd, 0x52, 0x19, 0xc6, 0x2d, 0xb7, 0xfd, 0x31,
0xc8, 0xff, 0x9d, 0xb8, 0xe0, 0xec, 0xf0, 0x91, 0x33, 0x03, 0x68, 0x4d, 0x85, 0x66, 0xd2, 0xda, 0xf1, 0x9f, 0x27, 0xae, 0x39, 0x17, 0x7c, 0xe7, 0xcd, 0x0c, 0x06, 0x6b, 0x69, 0x84, 0x72, 0xf6,
0x13, 0xc0, 0x2e, 0x0e, 0xe8, 0xef, 0xfd, 0x07, 0x95, 0xd7, 0x26, 0x3e, 0xbf, 0xdb, 0x9f, 0x00, 0x0c, 0xa8, 0x4b, 0x03, 0x46, 0x57, 0xf7, 0xb8, 0xf5, 0xbb, 0x4f, 0x5f, 0xee, 0xf3, 0x53, 0x00,
0x00, 0x00, 0xff, 0xff, 0xb4, 0xf1, 0xe7, 0x80, 0xc1, 0x02, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xfe, 0x4f, 0xca, 0xea, 0xb5, 0x02, 0x00, 0x00,
} }
...@@ -30,8 +30,8 @@ message Context { ...@@ -30,8 +30,8 @@ message Context {
bytes contractDocumentHash = 5; bytes contractDocumentHash = 5;
/// The unique signature attemp ID, as provided by the platform during the ready signal /// The unique signature attemp ID, as provided by the platform during the ready signal
string signatureUUID = 6; string signatureUUID = 6;
/// The signed metadata hashb, as provided by the platform during the ready signal /// The signed metadata seal, as provided by the platform during the ready signal
bytes signedHash = 7; bytes seal = 7;
} }
message Promise { message Promise {
......
...@@ -21,6 +21,7 @@ func (m *SignatureManager) createContext(from, to uint32) (*cAPI.Context, error) ...@@ -21,6 +21,7 @@ func (m *SignatureManager) createContext(from, to uint32) (*cAPI.Context, error)
Signers: m.keyHash, Signers: m.keyHash,
ContractDocumentHash: []byte(m.contract.File.Hash), ContractDocumentHash: []byte(m.contract.File.Hash),
SignatureUUID: m.uuid, SignatureUUID: m.uuid,
Seal: m.seal,
}, nil }, nil
} }
......
...@@ -42,6 +42,7 @@ type SignatureManager struct { ...@@ -42,6 +42,7 @@ type SignatureManager struct {
keyHash [][]byte keyHash [][]byte
mail string mail string
archives *Archives archives *Archives
seal []byte
// Callbacks // Callbacks
OnSignerStatusUpdate func(mail string, status SignerStatus, data string) OnSignerStatusUpdate func(mail string, status SignerStatus, data string)
...@@ -215,6 +216,7 @@ func (m *SignatureManager) SendReadySign() (signatureUUID string, err error) { ...@@ -215,6 +216,7 @@ func (m *SignatureManager) SendReadySign() (signatureUUID string, err error) {
m.sequence = launch.Sequence m.sequence = launch.Sequence
m.uuid = launch.SignatureUuid m.uuid = launch.SignatureUuid
m.keyHash = launch.KeyHash m.keyHash = launch.KeyHash
m.seal = launch.Seal
signatureUUID = m.uuid signatureUUID = m.uuid
return return
} }
......
...@@ -265,8 +265,10 @@ type LaunchSignature struct { ...@@ -265,8 +265,10 @@ type LaunchSignature struct {
KeyHash [][]byte `protobuf:"bytes,3,rep,name=keyHash,proto3" json:"keyHash,omitempty"` KeyHash [][]byte `protobuf:"bytes,3,rep,name=keyHash,proto3" json:"keyHash,omitempty"`
// / The signing sequence generated on-the-fly by the platform // / The signing sequence generated on-the-fly by the platform
Sequence []uint32 `protobuf:"varint,4,rep,name=sequence" json:"sequence,omitempty"` Sequence []uint32 `protobuf:"varint,4,rep,name=sequence" json:"sequence,omitempty"`
// / The cryptographic object of the signature of this structure (hash excepted) by the platform, for data certification. // / The cryptographic object of the signature of this structure (hash and errorCode excepted) by the platform, for data certification.
Hash []byte `protobuf:"bytes,5,opt,name=hash,proto3" json:"hash,omitempty"` // / The signature is computed using auth.SignStructure function:
// / PKCS1v15 + SHA512 hash of the string representation of the structure
Seal []byte `protobuf:"bytes,5,opt,name=seal,proto3" json:"seal,omitempty"`
} }
func (m *LaunchSignature) Reset() { *m = LaunchSignature{} } func (m *LaunchSignature) Reset() { *m = LaunchSignature{} }
...@@ -616,7 +618,7 @@ var _Platform_serviceDesc = grpc.ServiceDesc{ ...@@ -616,7 +618,7 @@ var _Platform_serviceDesc = grpc.ServiceDesc{
} }
var fileDescriptor0 = []byte{ var fileDescriptor0 = []byte{
// 706 bytes of a gzipped FileDescriptorProto // 710 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x94, 0x55, 0x5f, 0x6f, 0x12, 0x4b, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x94, 0x55, 0x5f, 0x6f, 0x12, 0x4b,
0x14, 0x67, 0x81, 0x16, 0x38, 0x14, 0xba, 0x19, 0x7a, 0xef, 0xe5, 0x92, 0xd4, 0x34, 0x13, 0x13, 0x14, 0x67, 0x81, 0x16, 0x38, 0x14, 0xba, 0x19, 0x7a, 0xef, 0xe5, 0x92, 0xd4, 0x34, 0x13, 0x13,
0x1b, 0x63, 0xa0, 0xc1, 0x44, 0xa3, 0x6f, 0x14, 0x49, 0x5b, 0x53, 0xb1, 0x19, 0x40, 0x13, 0xdf, 0x1b, 0x63, 0xa0, 0xc1, 0x44, 0xa3, 0x6f, 0x14, 0x49, 0x5b, 0x53, 0xb1, 0x19, 0x40, 0x13, 0xdf,
...@@ -651,15 +653,15 @@ var fileDescriptor0 = []byte{ ...@@ -651,15 +653,15 @@ var fileDescriptor0 = []byte{
0x1a, 0xb4, 0x46, 0xe4, 0x2a, 0x6b, 0xaf, 0x9c, 0x6b, 0xef, 0x19, 0xd8, 0x84, 0x3a, 0xde, 0x9d, 0x1a, 0xb4, 0x46, 0xe4, 0x2a, 0x6b, 0xaf, 0x9c, 0x6b, 0xef, 0x19, 0xd8, 0x84, 0x3a, 0xde, 0x9d,
0xe2, 0xeb, 0x1e, 0x54, 0xe1, 0xef, 0x16, 0xec, 0x5f, 0x3a, 0xcb, 0xd0, 0x9d, 0x67, 0x4c, 0xdf, 0xe2, 0xeb, 0x1e, 0x54, 0xe1, 0xef, 0x16, 0xec, 0x5f, 0x3a, 0xcb, 0xd0, 0x9d, 0x67, 0x4c, 0xdf,
0x93, 0x98, 0x87, 0xd0, 0xe0, 0xe6, 0x68, 0x8e, 0x99, 0x75, 0x67, 0xbe, 0x67, 0x35, 0x79, 0xb9, 0x93, 0x98, 0x87, 0xd0, 0xe0, 0xe6, 0x68, 0x8e, 0x99, 0x75, 0x67, 0xbe, 0x67, 0x35, 0x79, 0xb9,
0x9e, 0xe5, 0xb8, 0x72, 0x55, 0x70, 0xe8, 0x52, 0xd9, 0x51, 0x49, 0x76, 0x94, 0xd9, 0xd9, 0x78, 0x9e, 0xe5, 0xb8, 0x72, 0x55, 0x70, 0xe8, 0x52, 0xd9, 0x51, 0x49, 0x76, 0x94, 0xd9, 0xaa, 0x53,
0xef, 0xac, 0xc6, 0xbb, 0xff, 0xad, 0x04, 0xd5, 0xab, 0xf4, 0x8d, 0x84, 0xfa, 0x50, 0x35, 0x8a, 0x4e, 0x9d, 0x45, 0x7b, 0x27, 0x19, 0x0c, 0xb5, 0xee, 0x7f, 0x2b, 0x41, 0xf5, 0x2a, 0x7d, 0x23,
0x42, 0x07, 0xba, 0xc6, 0x8d, 0xb7, 0x52, 0x67, 0xa3, 0x72, 0x5c, 0x40, 0x3d, 0x28, 0x2b, 0x01, 0xa1, 0x3e, 0x54, 0x8d, 0xa2, 0xd0, 0x81, 0xae, 0x71, 0xe3, 0xad, 0xd4, 0xd9, 0xa8, 0x1c, 0x17,
0x23, 0x5b, 0xef, 0xe4, 0xb4, 0xdc, 0x69, 0xad, 0x21, 0x24, 0x12, 0x95, 0x07, 0x1e, 0x03, 0xcc, 0x50, 0x0f, 0xca, 0x4a, 0xc0, 0xc8, 0xd6, 0x3b, 0x39, 0x2d, 0x77, 0x5a, 0x6b, 0x08, 0x89, 0x44,
0x42, 0x66, 0xd2, 0x40, 0x02, 0xa8, 0x54, 0xb9, 0x05, 0xfc, 0x25, 0xec, 0xe5, 0x75, 0x8a, 0xda, 0xe5, 0x81, 0xc7, 0x00, 0xb3, 0x90, 0x99, 0x34, 0x90, 0x00, 0x2a, 0x55, 0x6e, 0x01, 0x7f, 0x09,
0x3a, 0x62, 0x8b, 0x74, 0xb7, 0x9c, 0x7d, 0x0e, 0xf5, 0x9c, 0xd4, 0xd0, 0x7f, 0x3a, 0xe0, 0x4f, 0x7b, 0x79, 0x9d, 0xa2, 0xb6, 0x8e, 0xd8, 0x22, 0xdd, 0x2d, 0x67, 0x9f, 0x43, 0x3d, 0x27, 0x35,
0xf1, 0x75, 0x1a, 0x7a, 0xc3, 0x78, 0xe5, 0xc1, 0x53, 0x68, 0xac, 0x69, 0x05, 0xfd, 0xaf, 0x23, 0xf4, 0x9f, 0x0e, 0xf8, 0x53, 0x7c, 0x9d, 0x86, 0xde, 0x30, 0x5e, 0x79, 0xf0, 0x14, 0x1a, 0x6b,
0xb6, 0xe9, 0xa7, 0x83, 0xb2, 0xa9, 0xcc, 0x94, 0x80, 0x0b, 0x27, 0x96, 0x2c, 0xbc, 0x96, 0x0d, 0x5a, 0x41, 0xff, 0xeb, 0x88, 0x6d, 0xfa, 0xe9, 0xa0, 0x6c, 0x2a, 0x33, 0x25, 0xe0, 0xc2, 0x89,
0x10, 0xfa, 0x27, 0x25, 0x62, 0x7d, 0xa0, 0x3a, 0x09, 0xc3, 0x1b, 0xe3, 0x82, 0x0b, 0x1f, 0x77, 0x25, 0x0b, 0xaf, 0x65, 0x03, 0x84, 0xfe, 0x49, 0x89, 0x58, 0x1f, 0xa8, 0x4e, 0xc2, 0xf0, 0xc6,
0xf5, 0x87, 0xe1, 0xe9, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0xc5, 0x4c, 0xa0, 0x21, 0x39, 0x06, 0xb8, 0xe0, 0xc2, 0xc7, 0x5d, 0xfd, 0x61, 0x78, 0xfa, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xc9, 0x55,
0x00, 0x00, 0xd0, 0xdf, 0x39, 0x06, 0x00, 0x00,
} }
...@@ -140,6 +140,8 @@ message LaunchSignature { ...@@ -140,6 +140,8 @@ message LaunchSignature {
repeated bytes keyHash = 3; repeated bytes keyHash = 3;
/// The signing sequence generated on-the-fly by the platform /// The signing sequence generated on-the-fly by the platform
repeated uint32 sequence = 4; repeated uint32 sequence = 4;
/// The cryptographic object of the signature of this structure (hash excepted) by the platform, for data certification. /// The cryptographic object of the signature of this structure (hash and errorCode excepted) by the platform, for data certification.
bytes hash = 5; /// The signature is computed using auth.SignStructure function:
/// PKCS1v15 + SHA512 hash of the string representation of the structure
bytes seal = 5;
} }
...@@ -5,8 +5,7 @@ import ( ...@@ -5,8 +5,7 @@ import (
"fmt" "fmt"
"os" "os"
"github.com/spf13/viper" "dfss/auth"
"dfss/dfssp/api" "dfss/dfssp/api"
"dfss/dfssp/authority" "dfss/dfssp/authority"
"dfss/dfssp/common" "dfss/dfssp/common"
...@@ -14,7 +13,7 @@ import ( ...@@ -14,7 +13,7 @@ import (
"dfss/dfssp/user" "dfss/dfssp/user"
"dfss/mgdb" "dfss/mgdb"
"dfss/net" "dfss/net"
"github.com/spf13/viper"
"golang.org/x/net/context" "golang.org/x/net/context"
"google.golang.org/grpc" "google.golang.org/grpc"
) )
...@@ -96,7 +95,20 @@ func (s *platformServer) ReadySign(ctx context.Context, in *api.ReadySignRequest ...@@ -96,7 +95,20 @@ func (s *platformServer) ReadySign(ctx context.Context, in *api.ReadySignRequest
if len(cn) == 0 { if len(cn) == 0 {
return &api.LaunchSignature{ErrorCode: &api.ErrorCode{Code: api.ErrorCode_BADAUTH}}, nil return &api.LaunchSignature{ErrorCode: &api.ErrorCode{Code: api.ErrorCode_BADAUTH}}, nil
} }
return contract.ReadySign(s.DB, s.Rooms, &ctx, in), nil
signal := contract.ReadySign(s.DB, s.Rooms, &ctx, in)
if signal.ErrorCode.Code == api.ErrorCode_SUCCESS {
sealedSignal := *signal
sealedSignal.ErrorCode = nil
sealedSignal.Seal = nil
var err error
signal.Seal, err = auth.SignStructure(s.Pid.Pkey, sealedSignal)
if err != nil {
return &api.LaunchSignature{ErrorCode: &api.ErrorCode{Code: api.ErrorCode_INTERR}}, nil
}
}
return signal, nil
} }
// GetServer returns the GRPC server associated with the platform // GetServer returns the GRPC server associated with the platform
......
...@@ -29,7 +29,7 @@ func (manager *ArchivesManager) InitializeArchives(promise *cAPI.Promise, signat ...@@ -29,7 +29,7 @@ func (manager *ArchivesManager) InitializeArchives(promise *cAPI.Promise, signat
present, archives := manager.ContainsSignature(signatureUUID) present, archives := manager.ContainsSignature(signatureUUID)
if !present { if !present {
archives = NewSignatureArchives(signatureUUID, promise.Context.Sequence, *signers, promise.Context.ContractDocumentHash, promise.Context.SignedHash) archives = NewSignatureArchives(signatureUUID, promise.Context.Sequence, *signers, promise.Context.ContractDocumentHash, promise.Context.Seal)
} }
manager.Archives = archives manager.Archives = archives
......
...@@ -23,7 +23,7 @@ var ( ...@@ -23,7 +23,7 @@ var (
signatureUUID string signatureUUID string
signatureUUIDBson bson.ObjectId signatureUUIDBson bson.ObjectId
signedHash []byte seal []byte
signersEntities []Signer signersEntities []Signer
...@@ -48,7 +48,7 @@ func init() { ...@@ -48,7 +48,7 @@ func init() {
signatureUUIDBson = bson.NewObjectId() signatureUUIDBson = bson.NewObjectId()
signatureUUID = signatureUUIDBson.Hex() signatureUUID = signatureUUIDBson.Hex()
signedHash = []byte{} seal = []byte{}
signersEntities = make([]Signer, 0) signersEntities = make([]Signer, 0)
for _, s := range signers { for _, s := range signers {
...@@ -85,15 +85,15 @@ func TestInitializeArchives(t *testing.T) { ...@@ -85,15 +85,15 @@ func TestInitializeArchives(t *testing.T) {
Sequence: sequence, Sequence: sequence,
Signers: signers, Signers: signers,
SignatureUUID: signatureUUID, SignatureUUID: signatureUUID,
SignedHash: signedHash, Seal: seal,
}, },
} }
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
} }
arch := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) arch := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager.InitializeArchives(promise, signatureUUIDBson, &signersEntities) manager.InitializeArchives(promise, signatureUUIDBson, &signersEntities)
arch.Signers = manager.Archives.Signers arch.Signers = manager.Archives.Signers
...@@ -114,7 +114,7 @@ func TestInitializeArchives(t *testing.T) { ...@@ -114,7 +114,7 @@ func TestInitializeArchives(t *testing.T) {
} }
func TestContainsSignature(t *testing.T) { func TestContainsSignature(t *testing.T) {
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
...@@ -138,7 +138,7 @@ func TestContainsSignature(t *testing.T) { ...@@ -138,7 +138,7 @@ func TestContainsSignature(t *testing.T) {
} }
func TestHasReceivedAbortToken(t *testing.T) { func TestHasReceivedAbortToken(t *testing.T) {
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
...@@ -164,7 +164,7 @@ func TestHasReceivedAbortToken(t *testing.T) { ...@@ -164,7 +164,7 @@ func TestHasReceivedAbortToken(t *testing.T) {
} }
func TestWasContractSigned(t *testing.T) { func TestWasContractSigned(t *testing.T) {
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
...@@ -182,7 +182,7 @@ func TestWasContractSigned(t *testing.T) { ...@@ -182,7 +182,7 @@ func TestWasContractSigned(t *testing.T) {
} }
func TestHasSignerPromised(t *testing.T) { func TestHasSignerPromised(t *testing.T) {
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
...@@ -226,7 +226,7 @@ func TestHasSignerPromised(t *testing.T) { ...@@ -226,7 +226,7 @@ func TestHasSignerPromised(t *testing.T) {
func TestAddToAbort(t *testing.T) { func TestAddToAbort(t *testing.T) {
// TODO // TODO
// Test the abortedIndex field, when promises will be implemented // Test the abortedIndex field, when promises will be implemented
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
...@@ -258,7 +258,7 @@ func TestAddToAbort(t *testing.T) { ...@@ -258,7 +258,7 @@ func TestAddToAbort(t *testing.T) {
} }
func TestAddToDishonest(t *testing.T) { func TestAddToDishonest(t *testing.T) {
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
...@@ -290,7 +290,7 @@ func TestAddToDishonest(t *testing.T) { ...@@ -290,7 +290,7 @@ func TestAddToDishonest(t *testing.T) {
} }
func TestAddPromise(t *testing.T) { func TestAddPromise(t *testing.T) {
archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, signedHash) archives := NewSignatureArchives(signatureUUIDBson, sequence, signersEntities, contractDocumentHash, seal)
manager := &ArchivesManager{ manager := &ArchivesManager{
DB: dbManager, DB: dbManager,
Archives: archives, Archives: archives,
......
package entities
import (
"dfss/dfssc/security"
)
// AuthContainer is global for performance reasons; singleton is not a problem.
// This variable should be loaded by dfsst/server package.
var AuthContainer *security.AuthContainer
...@@ -7,6 +7,7 @@ import ( ...@@ -7,6 +7,7 @@ import (
"crypto/sha512" "crypto/sha512"
"dfss/auth" "dfss/auth"
cAPI "dfss/dfssc/api" cAPI "dfss/dfssc/api"
pAPI "dfss/dfssp/api"
tAPI "dfss/dfsst/api" tAPI "dfss/dfsst/api"
"dfss/net" "dfss/net"
"golang.org/x/net/context" "golang.org/x/net/context"
...@@ -68,7 +69,7 @@ func IsPromiseSignedByPlatform(promise *cAPI.Promise) (bool, bson.ObjectId, []Si ...@@ -68,7 +69,7 @@ func IsPromiseSignedByPlatform(promise *cAPI.Promise) (bool, bson.ObjectId, []Si
return false, signatureUUID, nil return false, signatureUUID, nil
} }
ok = IsPlatformSignedHashValid(promise) ok = IsPlatformSealValid(promise)
if !ok { if !ok {
return false, signatureUUID, nil return false, signatureUUID, nil
} }
...@@ -137,9 +138,18 @@ func IsSignerHashValid(hash []byte) (bool, *Signer) { ...@@ -137,9 +138,18 @@ func IsSignerHashValid(hash []byte) (bool, *Signer) {
return true, NewSigner(hash) return true, NewSigner(hash)
} }
// IsPlatformSignedHashValid : verifies that the specified promise contains the expected information signed by the platform. // IsPlatformSealValid : verifies that the specified promise contains the expected information signed by the platform.
func IsPlatformSignedHashValid(promise *cAPI.Promise) bool { func IsPlatformSealValid(promise *cAPI.Promise) bool {
// TODO if AuthContainer == nil {
// This requires the implementation of promise sending by the clients return false
return true }
theoric := pAPI.LaunchSignature{