2019-11-22 03:57:41 +00:00
|
|
|
#include <config/key_manager.hpp>
|
|
|
|
|
|
2019-11-26 19:42:41 +00:00
|
|
|
#include <system_error>
|
2019-11-22 03:57:41 +00:00
|
|
|
#include <util/logging/logger.hpp>
|
2019-11-26 19:42:41 +00:00
|
|
|
#include "config/config.hpp"
|
|
|
|
|
#include "crypto/crypto.hpp"
|
|
|
|
|
#include "crypto/types.hpp"
|
2019-11-22 03:57:41 +00:00
|
|
|
|
2019-12-03 19:32:19 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
|
#include <curl/curl.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/// curl callback
|
|
|
|
|
static size_t
|
|
|
|
|
curl_RecvIdentKey(char *ptr, size_t, size_t nmemb, void *userdata)
|
|
|
|
|
{
|
|
|
|
|
for(size_t idx = 0; idx < nmemb; idx++)
|
|
|
|
|
static_cast< std::vector< char > * >(userdata)->push_back(ptr[idx]);
|
|
|
|
|
return nmemb;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-22 03:57:41 +00:00
|
|
|
namespace llarp
|
|
|
|
|
{
|
2019-11-26 19:42:41 +00:00
|
|
|
KeyManager::KeyManager()
|
|
|
|
|
: m_initialized(false)
|
2019-11-22 03:57:41 +00:00
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool
|
2019-12-03 19:32:19 +00:00
|
|
|
KeyManager::initialize(const llarp::Config& config, bool genIfAbsent)
|
2019-11-22 03:57:41 +00:00
|
|
|
{
|
2019-11-26 19:42:41 +00:00
|
|
|
if (m_initialized)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
m_rcPath = config.router.ourRcFile();
|
|
|
|
|
m_idKeyPath = config.router.identKeyfile();
|
|
|
|
|
m_encKeyPath = config.router.encryptionKeyfile();
|
|
|
|
|
m_transportKeyPath = config.router.transportKeyfile();
|
2019-11-22 23:11:59 +00:00
|
|
|
|
2019-12-03 19:32:19 +00:00
|
|
|
m_usingLokid = config.lokid.whitelistRouters;
|
|
|
|
|
m_lokidRPCAddr = config.lokid.lokidRPCAddr;
|
|
|
|
|
m_lokidRPCUser = config.lokid.lokidRPCUser;
|
|
|
|
|
m_lokidRPCPassword = config.lokid.lokidRPCPassword;
|
|
|
|
|
|
|
|
|
|
|
2019-11-22 23:11:59 +00:00
|
|
|
RouterContact rc;
|
2019-11-27 18:30:19 +00:00
|
|
|
bool exists = rc.Read(m_rcPath.c_str());
|
|
|
|
|
if (not exists and not genIfAbsent)
|
2019-11-22 23:11:59 +00:00
|
|
|
{
|
2019-11-27 18:30:19 +00:00
|
|
|
LogError("Could not read RouterContact at path ", m_rcPath);
|
|
|
|
|
return false;
|
2019-11-22 23:11:59 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-27 18:30:19 +00:00
|
|
|
// if our RC file can't be verified, assume it is out of date (e.g. uses
|
|
|
|
|
// older encryption) and needs to be regenerated. before doing so, backup
|
|
|
|
|
// files that will be overwritten
|
|
|
|
|
if (exists and not rc.VerifySignature())
|
|
|
|
|
{
|
|
|
|
|
if (! genIfAbsent)
|
|
|
|
|
{
|
|
|
|
|
LogError("Our RouterContact ", m_rcPath, " is invalid or out of date");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
LogWarn("Our RouterContact ", m_rcPath,
|
|
|
|
|
" seems out of date, backing up and regenerating private keys");
|
2019-11-22 23:11:59 +00:00
|
|
|
|
2019-11-27 18:30:19 +00:00
|
|
|
if (! backupKeyFilesByMoving())
|
|
|
|
|
{
|
2019-11-22 23:11:59 +00:00
|
|
|
LogError("Could not mv some key files, please ensure key files"
|
|
|
|
|
" are backed up if needed and remove");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2019-11-27 18:30:19 +00:00
|
|
|
}
|
|
|
|
|
}
|
2019-11-22 23:11:59 +00:00
|
|
|
|
2019-12-03 19:32:19 +00:00
|
|
|
if (not m_usingLokid)
|
2019-11-27 18:30:19 +00:00
|
|
|
{
|
2019-12-03 19:32:19 +00:00
|
|
|
// load identity key or create if needed
|
|
|
|
|
auto identityKeygen = [](llarp::SecretKey& key)
|
|
|
|
|
{
|
|
|
|
|
// TODO: handle generating from service node seed
|
|
|
|
|
llarp::CryptoManager::instance()->identity_keygen(key);
|
|
|
|
|
};
|
|
|
|
|
if (not loadOrCreateKey(m_idKeyPath, m_idKey, identityKeygen))
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (not loadIdentityFromLokid())
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2019-11-26 19:42:41 +00:00
|
|
|
|
2019-11-27 18:30:19 +00:00
|
|
|
// load encryption key
|
|
|
|
|
auto encryptionKeygen = [](llarp::SecretKey& key)
|
|
|
|
|
{
|
|
|
|
|
llarp::CryptoManager::instance()->encryption_keygen(key);
|
|
|
|
|
};
|
|
|
|
|
if (not loadOrCreateKey(m_encKeyPath, m_encKey, encryptionKeygen))
|
|
|
|
|
return false;
|
2019-11-26 19:42:41 +00:00
|
|
|
|
2019-11-27 18:30:19 +00:00
|
|
|
// TODO: transport key (currently done in LinkLayer)
|
2019-12-03 17:58:53 +00:00
|
|
|
auto transportKeygen = [](llarp::SecretKey& key)
|
|
|
|
|
{
|
|
|
|
|
key.Zero();
|
|
|
|
|
CryptoManager::instance()->encryption_keygen(key);
|
|
|
|
|
};
|
|
|
|
|
if (not loadOrCreateKey(m_transportKeyPath, m_transportKey, transportKeygen))
|
|
|
|
|
return false;
|
2019-11-22 23:11:59 +00:00
|
|
|
|
2019-11-26 19:42:41 +00:00
|
|
|
m_initialized = true;
|
2019-11-22 03:57:41 +00:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-03 17:58:53 +00:00
|
|
|
const llarp::SecretKey&
|
|
|
|
|
KeyManager::getIdentityKey() const
|
2019-11-22 03:57:41 +00:00
|
|
|
{
|
2019-12-03 17:58:53 +00:00
|
|
|
return m_idKey;
|
2019-11-22 03:57:41 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-04 20:13:41 +00:00
|
|
|
void
|
|
|
|
|
KeyManager::setIdentityKey(const llarp::SecretKey& key)
|
|
|
|
|
{
|
|
|
|
|
m_idKey = key;
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-03 17:58:53 +00:00
|
|
|
const llarp::SecretKey&
|
|
|
|
|
KeyManager::getEncryptionKey() const
|
2019-11-22 03:57:41 +00:00
|
|
|
{
|
2019-12-03 17:58:53 +00:00
|
|
|
return m_encKey;
|
2019-11-22 03:57:41 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-04 20:13:41 +00:00
|
|
|
void
|
|
|
|
|
KeyManager::setEncryptionKey(const llarp::SecretKey& key)
|
|
|
|
|
{
|
|
|
|
|
m_encKey = key;
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-03 17:58:53 +00:00
|
|
|
const llarp::SecretKey&
|
|
|
|
|
KeyManager::getTransportKey() const
|
2019-11-22 03:57:41 +00:00
|
|
|
{
|
2019-12-03 17:58:53 +00:00
|
|
|
return m_transportKey;
|
2019-11-22 03:57:41 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-04 20:13:41 +00:00
|
|
|
void
|
|
|
|
|
KeyManager::setTransportKey(const llarp::SecretKey& key)
|
|
|
|
|
{
|
|
|
|
|
m_transportKey = key;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-22 23:11:59 +00:00
|
|
|
bool
|
|
|
|
|
KeyManager::backupKeyFilesByMoving() const
|
|
|
|
|
{
|
|
|
|
|
auto findFreeBackupFilename = [](const fs::path& filepath) {
|
|
|
|
|
for (int i=0; i<9; i++)
|
|
|
|
|
{
|
|
|
|
|
std::string ext("." + std::to_string(i) + ".bak");
|
|
|
|
|
fs::path newPath = filepath;
|
|
|
|
|
newPath += ext;
|
|
|
|
|
|
|
|
|
|
if (not fs::exists(newPath))
|
|
|
|
|
return newPath;
|
|
|
|
|
}
|
|
|
|
|
return fs::path();
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
std::vector<std::string> files = {
|
|
|
|
|
m_rcPath,
|
|
|
|
|
m_idKeyPath,
|
|
|
|
|
m_encKeyPath,
|
|
|
|
|
m_transportKeyPath
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
for (auto& filepath : files)
|
|
|
|
|
{
|
2019-11-27 18:30:19 +00:00
|
|
|
std::error_code ec;
|
|
|
|
|
bool exists = fs::exists(filepath, ec);
|
|
|
|
|
if (ec)
|
|
|
|
|
{
|
|
|
|
|
LogError("Could not determine status of file ", filepath, ": ", ec.message());
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (not exists)
|
|
|
|
|
{
|
|
|
|
|
LogInfo("File ", filepath, " doesn't exist; no backup needed");
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-22 23:11:59 +00:00
|
|
|
fs::path newFilepath = findFreeBackupFilename(filepath);
|
|
|
|
|
if (newFilepath.empty())
|
|
|
|
|
{
|
|
|
|
|
LogWarn("Could not find an appropriate backup filename for", filepath);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-27 18:30:19 +00:00
|
|
|
LogInfo("Backing up (moving) key file ", filepath, " to ", newFilepath, "...");
|
2019-11-22 23:11:59 +00:00
|
|
|
|
|
|
|
|
fs::rename(filepath, newFilepath, ec);
|
|
|
|
|
if (ec) {
|
2019-11-27 18:30:19 +00:00
|
|
|
LogError("Failed to move key file ", ec.message());
|
2019-11-22 23:11:59 +00:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-11-26 19:42:41 +00:00
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
KeyManager::loadOrCreateKey(
|
|
|
|
|
const std::string& filepath,
|
2019-11-27 18:30:19 +00:00
|
|
|
llarp::SecretKey& key,
|
2019-11-26 19:42:41 +00:00
|
|
|
std::function<void(llarp::SecretKey& key)> keygen)
|
|
|
|
|
{
|
|
|
|
|
fs::path path(filepath);
|
|
|
|
|
std::error_code ec;
|
|
|
|
|
if (! fs::exists(path, ec))
|
|
|
|
|
{
|
|
|
|
|
if (ec)
|
|
|
|
|
{
|
|
|
|
|
LogError("Error checking key", filepath, ec.message());
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LogInfo("Generating new key", filepath);
|
|
|
|
|
keygen(key);
|
|
|
|
|
|
|
|
|
|
if (! key.SaveToFile(filepath.c_str()))
|
|
|
|
|
{
|
|
|
|
|
LogError("Failed to save new key");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-27 18:30:19 +00:00
|
|
|
LogDebug("Loading key from file ", filepath);
|
2019-11-26 19:42:41 +00:00
|
|
|
return key.LoadFromFile(filepath.c_str());
|
2019-11-22 23:11:59 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-03 19:32:19 +00:00
|
|
|
bool
|
|
|
|
|
KeyManager::loadIdentityFromLokid()
|
|
|
|
|
{
|
|
|
|
|
CURL *curl = curl_easy_init();
|
|
|
|
|
if(curl)
|
|
|
|
|
{
|
|
|
|
|
bool ret = false;
|
|
|
|
|
std::stringstream ss;
|
|
|
|
|
ss << "http://" << m_lokidRPCAddr << "/json_rpc";
|
|
|
|
|
const auto url = ss.str();
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_ANY);
|
|
|
|
|
const auto auth = m_lokidRPCUser + ":" + m_lokidRPCPassword;
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_USERPWD, auth.c_str());
|
|
|
|
|
curl_slist *list = nullptr;
|
|
|
|
|
list = curl_slist_append(list, "Content-Type: application/json");
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, list);
|
|
|
|
|
|
|
|
|
|
nlohmann::json request = {{"id", "0"},
|
|
|
|
|
{"jsonrpc", "2.0"},
|
|
|
|
|
{"method", "get_service_node_privkey"}};
|
|
|
|
|
const auto data = request.dump();
|
|
|
|
|
std::vector< char > resp;
|
|
|
|
|
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, data.size());
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data.c_str());
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &resp);
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &curl_RecvIdentKey);
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
resp.clear();
|
|
|
|
|
LogInfo("Getting Identity Keys from lokid...");
|
|
|
|
|
if(curl_easy_perform(curl) == CURLE_OK)
|
|
|
|
|
{
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
auto j = nlohmann::json::parse(resp);
|
|
|
|
|
if(not j.is_object())
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
const auto itr = j.find("result");
|
|
|
|
|
if(itr == j.end())
|
|
|
|
|
continue;
|
|
|
|
|
if(not itr->is_object())
|
|
|
|
|
continue;
|
|
|
|
|
const auto k =
|
|
|
|
|
(*itr)["service_node_ed25519_privkey"].get< std::string >();
|
|
|
|
|
if(k.size() != (m_idKey.size() * 2))
|
|
|
|
|
{
|
|
|
|
|
if(k.empty())
|
|
|
|
|
{
|
|
|
|
|
LogError("lokid gave no identity key");
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
LogError("lokid gave invalid identity key");
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
if(not HexDecode(k.c_str(), m_idKey.data(), m_idKey.size()))
|
|
|
|
|
continue;
|
|
|
|
|
if(CryptoManager::instance()->check_identity_privkey(m_idKey))
|
|
|
|
|
{
|
|
|
|
|
ret = true;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
LogError("lokid gave bogus identity key");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
catch(nlohmann::json::exception &ex)
|
|
|
|
|
{
|
|
|
|
|
LogError("Bad response from lokid: ", ex.what());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
LogError("failed to get identity keys");
|
|
|
|
|
}
|
|
|
|
|
if(ret)
|
|
|
|
|
{
|
|
|
|
|
LogInfo("Got Identity Keys from lokid: ", RouterID(seckey_topublic(m_idKey)));
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
std::this_thread::sleep_for(std::chrono::milliseconds(100));
|
|
|
|
|
}
|
|
|
|
|
} while(true);
|
|
|
|
|
curl_easy_cleanup(curl);
|
|
|
|
|
curl_slist_free_all(list);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
LogError("failed to init curl");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-22 03:57:41 +00:00
|
|
|
} // namespace llarp
|
