From 52989eb1432d4ae2e1dcca44ce73115f0c123351 Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Sun, 19 Jan 2020 13:55:46 +0100 Subject: [PATCH 1/7] [all] Simplification --- Design.org | 78 +++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/Design.org b/Design.org index 00494d8..439873b 100644 --- a/Design.org +++ b/Design.org @@ -1,36 +1,32 @@ * Communication ** Frame - Header ::: content-length: u64 | message-type: u8 ::: 72 bit, fixed + Header ::: content-length: u16 | message-type: u8 ::: 3 byte, fixed Body ::: content: [u8; content-length] ::: conent-length byte, variable - Numbers are in network byte order. + Unsigned integers in network byte order. ** Message Types - | Ordinal | Type | Body Format | Direction | Transitions | Description | - |---------+-------+-----------------+-----------+------------------+----------------------------------------------| - | 0 | Hello | Public Key | C -> S | Waiting for Link | Initiates communication | - | 1 | Link | | S -> C | Put, Get | Link established, communication can start | - | 2 | Put | Coffer (sealed) | C -> S | OkPut | Merge a ~Coffer~ for the client | - | 3 | Get | Coffer (sealed) | C -> S | OkGet | Retrieve a ~Coffer~ for the client | - | 4 | OkPut | | S -> C | Put, Get | ~Coffer~ was successfully merged | - | 5 | OkGet | Coffer (sealed) | S -> C | Put, Get | Return a sealed ~Coffer~ for a ~Get~ request | - | 63 | Bye | | C -> S | | Close connection | - | 127 | Error | | S -> C | | Generic server error | + | Ordinal | Type | Body Format | Direction | Transitions | Description | + |---------+-------------+-----------------+-----------+--------------------------+-------------------------------------------| + | 0x00 | Hello | Client PK | C -> S | Link, KeyNotFound, Error | Initiates communication | + | 0x01 | Link | | S -> C | Get, Bye | Link established, communication can start | + | 0x02 | Get | | C -> S | OkGet, Error | Retrieve a secrets for the client | + | 0x03 | OkGet | Coffer (sealed) | S -> C | Bye | Send secrets to the client | + | 0x99 | Bye | Client PK | C -> S | • | Close connection | + | 0xaa | KeyNotFound | Client PK | S -> C | • | PK unknown to server | + | 0xff | Error | UTF-8 String | S -> C | • | Generic server error with reason | - - Error can be returned at any stage - - Communication can end at any stage. Communication ends when connection is closed by either side. - Seal is determined by communication direction: C -> S: sealed by server public key, client private key S -> C: sealed by client public key, server private key + - Secrets returned as sealed cbor * Coffer - - Multitree with each leave terminating in a Vec - - Nodes (except leaves = key path) are utf8 strings - - A ~Put~ request must contain a fully determined ~Coffer~ (all leaves are values) - - A ~Get~ request contains a partially determined ~Coffer~ (values are ignored) - - If a node resolves to a parent, the subtree (which is also a ~Coffer~) is returned - - If a node resolves to a leave, the partial ~Coffer~ terminating in the leave and its value are returned + - Sharded KV-Store + - Keys are UTF-8 Strings + - Typed values as defined by TOML: String, Integer, Float, Boolean, Date + * Coffer Server A ~coffer-server~ can support multiple clients by means of /sharding/ the keyspace. Clients are uniquely identified by their public key. @@ -43,26 +39,30 @@ key. No tampered requests can be sent or communication data collected except the private keys are compromised. -* Coffer YAML -** Secrets Definition - Encrypted with: SK of coffer-companion, PK of coffer-server +* Coffer Definition (TOML) + Encrypted Authentication: SK of coffer-companion, PK of coffer-server - #+BEGIN_SRC yaml - # Names for ids (public keys) of clients - [clients] - file = "AAAA-AAAA-AAAA-AAAA" - bin = "FFFF-FFFF-FFFF-FFFF" + #+BEGIN_SRC yaml + # Names for ids (public keys) of clients + [clients] + file = "AAAA-AAAA-AAAA-AAAA" + bin = "FFFF-FFFF-FFFF-FFFF" - # Secrets for a named client (defined in clients) - [file] - secretkey = "secret value" - secretkey2 = "secret value2" - #+END_SRC + # Secrets for a named client (defined in clients) + [file] + secretkey = "secret value" + secretkey2 = "secret value2" + #+END_SRC -** Secret Response - file client executes GET to server +* Coffer Response + Encrypted Authentication: SK of coffer-server, PK of coffer-client + Format: cbor + + CofferResponse = List + + CofferSecret { + key: UTF-8 String, + value: CofferValue + } - #+BEGIN_SRC yaml - secretkey = "secret value" - secretkey2 = "secret value2" - #+END_SRC + CofferValue = String | Integer | Float | Boolean | Date -- 2.45.2 From 2a90f993ee1f318e84b0c53fc82be99cddee758d Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Sun, 26 Jan 2020 01:05:12 +0100 Subject: [PATCH 2/7] [all] Read from toml, simplify protocol, export key ids --- Cargo.lock | 49 ++------ Design.org | 12 +- Makefile | 4 +- coffer-client/Cargo.toml | 2 +- coffer-common/Cargo.toml | 11 +- coffer-common/src/certificate.rs | 15 +++ coffer-common/src/coffer.rs | 118 ++++++++++++++---- coffer-common/src/keyring.rs | 10 ++ coffer-companion/Cargo.toml | 3 +- .../src/{generate.rs => certificate.rs} | 7 +- coffer-companion/src/encrypt.rs | 11 +- coffer-companion/src/main.rs | 19 +-- coffer-server/Cargo.toml | 2 +- coffer-server/src/coffer_map.rs | 82 +++++++++--- coffer-server/src/main.rs | 24 ++-- coffer-server/src/protocol.rs | 82 +++--------- coffer-server/src/server.rs | 56 ++------- 17 files changed, 281 insertions(+), 226 deletions(-) rename coffer-companion/src/{generate.rs => certificate.rs} (64%) diff --git a/Cargo.lock b/Cargo.lock index 0be444c..285b344 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -36,13 +36,13 @@ dependencies = [ ] [[package]] -name = "bitflags" -version = "1.2.1" +name = "base64" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] -name = "bumpalo" -version = "3.1.1" +name = "bitflags" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] @@ -81,7 +81,7 @@ dependencies = [ [[package]] name = "coffer-client" -version = "0.2.0" +version = "0.4.0" dependencies = [ "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "exec 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", @@ -94,26 +94,26 @@ dependencies = [ [[package]] name = "coffer-common" -version = "0.1.0" +version = "0.4.0" dependencies = [ - "bumpalo 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)", + "base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)", "seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)", "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)", "serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)", - "serde_json 1.0.44 (registry+https://github.com/rust-lang/crates.io-index)", "sodiumoxide 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)", "toml 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)", ] [[package]] name = "coffer-companion" -version = "0.2.0" +version = "0.4.0" dependencies = [ - "coffer-common 0.1.0", + "coffer-common 0.4.0", "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", + "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)", "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)", @@ -125,10 +125,10 @@ dependencies = [ [[package]] name = "coffer-server" -version = "0.2.0" +version = "0.4.0" dependencies = [ "bytes 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", - "coffer-common 0.1.0", + "coffer-common 0.4.0", "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "futures 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", @@ -365,11 +365,6 @@ dependencies = [ "libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "itoa" -version = "0.4.4" -source = "registry+https://github.com/rust-lang/crates.io-index" - [[package]] name = "kernel32-sys" version = "0.2.2" @@ -612,11 +607,6 @@ name = "rle-decode-fast" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -[[package]] -name = "ryu" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" - [[package]] name = "seckey" version = "0.9.1" @@ -653,16 +643,6 @@ dependencies = [ "syn 1.0.8 (registry+https://github.com/rust-lang/crates.io-index)", ] -[[package]] -name = "serde_json" -version = "1.0.44" -source = "registry+https://github.com/rust-lang/crates.io-index" -dependencies = [ - "itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)", - "ryu 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)", - "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)", -] - [[package]] name = "serde_yaml" version = "0.8.11" @@ -932,8 +912,8 @@ dependencies = [ "checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b" "checksum arc-swap 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "d7b8a9123b8027467bce0099fe556c628a53c8d83df0507084c31e9ba2e39aff" "checksum atty 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)" = "1803c647a3ec87095e7ae7acfca019e98de5ec9a7d01343f611cf3152ed71a90" +"checksum base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7" "checksum bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" -"checksum bumpalo 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8fe2567a8d8a3aedb4e39aa39e186d5673acfd56393c6ac83b2bc5bd82f4369c" "checksum byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a7c3dd8985a7111efc5c80b44e23ecdd8c007de8ade3b96595387e812b957cf5" "checksum bytes 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "10004c15deb332055f7a4a208190aed362cf9a7c2f6ab70a305fba50e1105f38" "checksum cc 1.0.47 (registry+https://github.com/rust-lang/crates.io-index)" = "aa87058dce70a3ff5621797f1506cb837edd02ac4c0ae642b4542dce802908b8" @@ -966,7 +946,6 @@ dependencies = [ "checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e" "checksum humantime 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f" "checksum iovec 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "b2b3ea6ff95e175473f8ffe6a7eb7c00d054240321b84c57051175fe3c1e075e" -"checksum itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "501266b7edd0174f8530248f87f99c88fbe60ca4ef3dd486835b8d8d53136f7f" "checksum kernel32-sys 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d" "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" "checksum libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)" = "1a31a0627fdf1f6a39ec0dd577e101440b7db22672c0901fe00a9a6fbb5c24e8" @@ -997,12 +976,10 @@ dependencies = [ "checksum regex 1.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "dc220bd33bdce8f093101afe22a037b8eb0e5af33592e6a9caafff0d4cb81cbd" "checksum regex-syntax 0.6.12 (registry+https://github.com/rust-lang/crates.io-index)" = "11a7e20d1cce64ef2fed88b66d347f88bd9babb82845b2b858f3edbf59a4f716" "checksum rle-decode-fast 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cabe4fa914dec5870285fa7f71f602645da47c486e68486d2b4ceb4a343e90ac" -"checksum ryu 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "bfa8506c1de11c9c4e4c38863ccbe02a305c8188e85a05a784c9e11e1c3910c8" "checksum seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c819d0a699db7622e4ee55a651f992242f754481f97de3024dc548adcce13237" "checksum serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)" = "0c4b39bd9b0b087684013a792c59e3e07a46a01d2322518d8a1104641a0b1be0" "checksum serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f7081ed758ec726a6ed8ee7e92f5d3f6e6f8c3901b1f972e3a4a2f2599fad14f" "checksum serde_derive 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)" = "ca13fc1a832f793322228923fbb3aba9f3f44444898f835d31ad1b74fa0a2bf8" -"checksum serde_json 1.0.44 (registry+https://github.com/rust-lang/crates.io-index)" = "48c575e0cc52bdd09b47f330f646cf59afc586e9c4e3ccd6fc1f625b8ea1dad7" "checksum serde_yaml 0.8.11 (registry+https://github.com/rust-lang/crates.io-index)" = "691b17f19fc1ec9d94ec0b5864859290dff279dbd7b03f017afda54eb36c3c35" "checksum signal-hook-registry 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "94f478ede9f64724c5d173d7bb56099ec3e2d9fc2774aac65d34b8b890405f41" "checksum slab 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c111b5bd5695e56cffe5129854aa230b39c93a305372fdbb2668ca2394eea9f8" diff --git a/Design.org b/Design.org index 439873b..6e6c42d 100644 --- a/Design.org +++ b/Design.org @@ -25,7 +25,10 @@ * Coffer - Sharded KV-Store - Keys are UTF-8 Strings - - Typed values as defined by TOML: String, Integer, Float, Boolean, Date + - Typed values as defined by TOML: String, Integer, Float, Boolean + - No Dates support + - No binary data support + - Floats and Integers are 32 bit * Coffer Server A ~coffer-server~ can support multiple clients by means of /sharding/ the @@ -43,10 +46,9 @@ Encrypted Authentication: SK of coffer-companion, PK of coffer-server #+BEGIN_SRC yaml - # Names for ids (public keys) of clients - [clients] - file = "AAAA-AAAA-AAAA-AAAA" - bin = "FFFF-FFFF-FFFF-FFFF" + # IDs (public keys) of clients + file.id = "AAAA-AAAA-AAAA-AAAA" + bin.id = "FFFF-FFFF-FFFF-FFFF" # Secrets for a named client (defined in clients) [file] diff --git a/Makefile b/Makefile index dcc5a86..63e7d5b 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ release: cargo build --release publish: - docker pull clux/muslrust - docker run -v $(CURDIR):/volume --rm -t clux/muslrust cargo build --release + podman pull clux/muslrust + podman run -v .:/volume --rm -t clux/muslrust cargo build --release .PHONY: default release publish diff --git a/coffer-client/Cargo.toml b/coffer-client/Cargo.toml index db653cd..03fcf1c 100644 --- a/coffer-client/Cargo.toml +++ b/coffer-client/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "coffer-client" -version = "0.2.0" +version = "0.4.0" authors = ["Armin Friedl "] edition = "2018" diff --git a/coffer-common/Cargo.toml b/coffer-common/Cargo.toml index a22ad42..6901d04 100644 --- a/coffer-common/Cargo.toml +++ b/coffer-common/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "coffer-common" -version = "0.1.0" +version = "0.4.0" authors = ["armin"] edition = "2018" @@ -15,13 +15,12 @@ export = [] # Base tools log = "^0.4" env_logger = "^0.7" +quick-error = "^1.2" +# Serialization serde = { version = "^1.0", features = ["derive"]} serde_cbor = "^0.10" -serde_json = "^1.0" toml = "^0.5" -quick-error = "^1.2" +base64 = "^0.11" # Key management/Cryptography sodiumoxide = "^0.2" -seckey = "^0.9" -# Memory management -bumpalo = { version = "^3.1", features = ["collections"]} \ No newline at end of file +seckey = "^0.9" \ No newline at end of file diff --git a/coffer-common/src/certificate.rs b/coffer-common/src/certificate.rs index e73274b..893d653 100644 --- a/coffer-common/src/certificate.rs +++ b/coffer-common/src/certificate.rs @@ -83,6 +83,15 @@ impl Certificate { Ok(cbor) } + pub fn public_key(&self) -> Vec { + self.inner.read().public_key.as_ref().to_owned() + } + + #[cfg(feature = "export")] + pub fn secret_key(&self) -> Vec { + self.inner.read().private_key.as_ref().to_owned() + } + pub fn open(&self, c: &[u8]) -> Result, CertificateError> { let pk = &self.inner.read().public_key; let sk = &self.inner.read().private_key; @@ -90,6 +99,12 @@ impl Certificate { sealedbox::open(c, pk, sk) .map_err(|_| CertificateError::Crypto) } + + pub fn seal(&self, message: &[u8]) -> Result, CertificateError> { + let pk = &self.inner.read().public_key; + + Ok(sealedbox::seal(message, pk)) + } } impl > From for Certificate { diff --git a/coffer-common/src/coffer.rs b/coffer-common/src/coffer.rs index 010245c..dc14a53 100644 --- a/coffer-common/src/coffer.rs +++ b/coffer-common/src/coffer.rs @@ -1,8 +1,13 @@ //! A storage container for client data - #[allow(unused_imports)] use log::{debug, error, info, trace, warn}; +use std::path::Path; +use std::fs::File; +use std::io::{BufReader, Read}; + +use toml::Value as TomlValue; + use serde::{Serialize, Deserialize}; use quick_error::quick_error; @@ -29,39 +34,104 @@ pub enum CofferValue { String(String), /// A 32-bit integer Integer(i32), - /// An opaque blob of data - Blob(Vec) + /// A 32-bit float + Float(f32), + // A boolean + Boolean(bool) } -/// A path to a value -#[derive(Clone, Eq, PartialEq, Hash, Debug, Serialize, Deserialize)] -pub struct CofferPath(pub Vec); +#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq, Hash)] +pub struct CofferKey { + pub shard: String, + pub key: String +} + +#[derive(Debug, Serialize, Deserialize)] +pub struct CofferShard(pub Vec<(String, CofferValue)>); /// Interface for interacting with a `Coffer` pub trait Coffer { /// Put `value` at `path`. Errors if there is already a value at `path`. - fn put(&mut self, path: CofferPath, value: CofferValue) -> CofferResult<()>; + fn put(&mut self, key: CofferKey, value: CofferValue) -> CofferResult<()>; /// Push `value` to `path`. Replaces existing values. - fn push(&mut self, path: CofferPath, value: CofferValue); + fn push(&mut self, key: CofferKey, value: CofferValue); /// Retrieve `value` at path. Errors if there is no `value` at path. - fn get(&self, path: CofferPath) -> CofferResult; -} + fn get(&self, key: &CofferKey) -> CofferResult; -impl From> for CofferPath -where T: AsRef -{ - fn from(val: Vec) -> Self { - CofferPath::from(&val) - } -} - -impl From<&Vec> for CofferPath -where T: AsRef -{ - fn from(val: &Vec) -> Self { - let col = val.iter().map(|p| {(*p).as_ref().to_owned()}).collect(); - CofferPath(col) + /// Retrieve `value` at path. Errors if there is no `value` at path. + fn get_shard(&self, shard: T) -> CofferResult + where T: AsRef; + + fn from_toml_file(toml_path: &Path) -> Self + where Self: Coffer + Default + { + // read the secrets file into a temporary string + let mut file = BufReader::new(File::open(toml_path).unwrap()); + let mut secrets_buf = String::new(); + file.read_to_string(&mut secrets_buf).unwrap(); + + Coffer::from_toml(&secrets_buf) + } + + fn from_toml(toml: &str) -> Self + where Self: Coffer + Default + { + // call implementation to create an empty coffer + let mut coffer = Self::default(); + + // parse the string into a toml Table + let clients: toml::value::Table = match toml.parse::().unwrap() { + TomlValue::Table(t) => t, + _ => panic!{"Invalid secrets file"} + }; + + /* + * Walk through the table of clients, where each client is a table which + * is either empty, or contains a table with at least an id and any + * number of secrets + * + * # Example: + * + * files.id = "AAAA-BBBB-CCCC" + * pad.id = "FFFF-EEEE-DDDD" + * + * [files] + * secret_string = "secret value1" + * secret_int = 12345 + * secret_bool = true + */ + for (_k, v) in clients { + + let client = match v { + TomlValue::Table(t) => t, + _ => panic!{"Invalid secrets file"} + }; + + for (k, v) in client.iter() { + + if "id" == k { continue } // ids are for sharding + + let value = match v { + TomlValue::String(s) => CofferValue::String(s.to_owned()), + TomlValue::Integer(i) => CofferValue::Integer(*i as i32), + TomlValue::Float(f) => CofferValue::Float(*f as f32), + TomlValue::Boolean(b) => CofferValue::Boolean(*b), + _ => panic!{"Value {:?} unsupported", v} + }; + + match client.get("id") { + Some(TomlValue::String(shard)) => { + let shard = shard.to_owned(); + let key = k.to_owned(); + coffer.put(CofferKey{shard, key}, value).unwrap(); + }, + _ => panic!{"Invalid secrets file"} + } + } + } + + return coffer; } } diff --git a/coffer-common/src/keyring.rs b/coffer-common/src/keyring.rs index 1c4722a..67aa277 100644 --- a/coffer-common/src/keyring.rs +++ b/coffer-common/src/keyring.rs @@ -1,6 +1,7 @@ #[allow(unused_imports)] use log::{debug, error, info, trace, warn}; +use std::path::Path; use std::collections::HashMap; use quick_error::quick_error; @@ -40,6 +41,15 @@ impl Keyring { } } + pub fn new_from_path(certificate_path: T) -> Keyring + where T: AsRef + { + Keyring { + certificate: Certificate::from(certificate_path), + known_keys: HashMap::new() + } + } + pub fn add_known_key(&mut self, key: &[u8]) -> Result<(), KeyringError> { let public_key = box_::PublicKey::from_slice(key) .ok_or(KeyringError::InvalidClientKey)?; diff --git a/coffer-companion/Cargo.toml b/coffer-companion/Cargo.toml index 6fa99b3..3430d4a 100644 --- a/coffer-companion/Cargo.toml +++ b/coffer-companion/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "coffer-companion" -version = "0.2.0" +version = "0.4.0" authors = ["Armin Friedl "] edition = "2018" @@ -14,6 +14,7 @@ structopt = "0.3" quick-error = "1.2" # Key management/Cryptography sodiumoxide = "0.2.5" +hex = "^0.4" # Communication serde = { version = "1.0", features = ["derive"]} serde_cbor = "0.10.2" diff --git a/coffer-companion/src/generate.rs b/coffer-companion/src/certificate.rs similarity index 64% rename from coffer-companion/src/generate.rs rename to coffer-companion/src/certificate.rs index 3f2452c..5838aaa 100644 --- a/coffer-companion/src/generate.rs +++ b/coffer-companion/src/certificate.rs @@ -13,5 +13,10 @@ pub fn generate_key(out: PathBuf) { .expect(&format!{"Could not create out file {}", &out.display()}); writer.write_all(&cert).unwrap(); - +} + +pub fn info(out: PathBuf) { + let cert = Certificate::new_from_cbor(out).unwrap(); + println!{"Public Key: {}", hex::encode_upper(cert.public_key())} + println!{"Secret Key: {}", hex::encode_upper(cert.secret_key())} } diff --git a/coffer-companion/src/encrypt.rs b/coffer-companion/src/encrypt.rs index a1ef249..01b8869 100644 --- a/coffer-companion/src/encrypt.rs +++ b/coffer-companion/src/encrypt.rs @@ -2,13 +2,16 @@ use coffer_common::certificate::Certificate; use std::path::PathBuf; use std::fs::File; +use std::io::Read; use std::io::Write; -use serde::Deserialize; -use serde_yaml; - +#[allow(unused)] pub fn encrypt_yaml(yaml:PathBuf, out: PathBuf, certificate: PathBuf) { let cert = Certificate::new_from_cbor(certificate).unwrap(); + let mut secrets = Vec::new(); + File::open(yaml).unwrap().read_to_end(&mut secrets).unwrap(); - let + let sealed = cert.seal(&secrets).unwrap(); + let mut out_file = File::create(out).unwrap(); + out_file.write_all(&sealed); } diff --git a/coffer-companion/src/main.rs b/coffer-companion/src/main.rs index b885924..13db6e4 100644 --- a/coffer-companion/src/main.rs +++ b/coffer-companion/src/main.rs @@ -1,22 +1,24 @@ use std::path::PathBuf; use structopt::StructOpt; -mod generate; +mod certificate; mod encrypt; #[derive(StructOpt, Debug)] enum Args { Certificate { #[structopt(short, long, parse(from_os_str))] - out: PathBuf + out: PathBuf, + #[structopt(short, long)] + info: bool }, Encrypt { + #[structopt(short, long, parse(from_os_str))] + certificate: PathBuf, #[structopt(short, long, parse(from_os_str))] yaml: PathBuf, #[structopt(short, long, parse(from_os_str))] - out: PathBuf, - #[structopt(short, long, parse(from_os_str))] - certificate: PathBuf, + out: PathBuf } } @@ -24,7 +26,10 @@ fn main() { let args: Args = Args::from_args(); match args { - Args::Certificate {out} => generate::generate_key(out), - Args::Encrypt {yaml, out, certificate} => {} + Args::Certificate {out, info} => { + if info { certificate::info(out) } + else { certificate::generate_key(out) } + } + _ => unimplemented![] } } diff --git a/coffer-server/Cargo.toml b/coffer-server/Cargo.toml index cc36e39..1c422de 100644 --- a/coffer-server/Cargo.toml +++ b/coffer-server/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "coffer-server" -version = "0.2.0" +version = "0.4.0" authors = ["Armin Friedl "] edition = "2018" diff --git a/coffer-server/src/coffer_map.rs b/coffer-server/src/coffer_map.rs index cd07a28..cc0c444 100644 --- a/coffer-server/src/coffer_map.rs +++ b/coffer-server/src/coffer_map.rs @@ -1,47 +1,89 @@ -//! A simple, thread-safe coffer implementation backed by a hash map +//! Thread-safe coffer implementation backed by hash map #[allow(unused_imports)] use log::{debug, error, info, trace, warn}; use std::sync::RwLock; +use std::sync::RwLockReadGuard; +use std::sync::RwLockWriteGuard; + use std::collections::HashMap; use coffer_common::coffer::*; -pub struct CofferMap { - coffer: RwLock> -} +type ShardedCoffer = HashMap>; +pub struct CofferMap(RwLock); impl CofferMap { pub fn new() -> CofferMap { - CofferMap { - coffer: RwLock::new(HashMap::new()) - } + CofferMap(RwLock::new(HashMap::new())) + } + + fn read(&self) -> RwLockReadGuard<'_, ShardedCoffer> { + self.0.read().unwrap() + } + + fn write(&self) -> RwLockWriteGuard<'_, ShardedCoffer> { + self.0.write().unwrap() } } impl Coffer for CofferMap { - fn put(&mut self, path: CofferPath, value: CofferValue) -> CofferResult<()> { - let mut lock = self.coffer.write().unwrap(); + fn put(&mut self, key: CofferKey, value: CofferValue) -> CofferResult<()> { + let mut lock = self.write(); - match (*lock).contains_key(&path) { - true => Err(CofferError::Msg("test")), - false => {(*lock).insert(path, value); Ok(())} + match lock.get_mut(&key.shard) { + Some(shard) => { + if shard.contains_key(&key.key) { Err(CofferError::Msg("Key exists")) } + else { shard.insert(key.key, value); Ok(()) } + } + None => { + lock.insert(key.shard.clone(), HashMap::new()); + lock.get_mut(&key.shard).unwrap().insert(key.key, value); + Ok(()) + } } } - fn push(&mut self, path: CofferPath, value: CofferValue) { - let mut lock = self.coffer.write().unwrap(); + fn push(&mut self, key: CofferKey, value: CofferValue) { + let mut lock = self.write(); - (*lock).insert(path, value); + match lock.get_mut(&key.shard) { + Some(shard) => { + shard.insert(key.key, value); + } + None => { + lock.insert(key.shard.clone(), HashMap::new()); + lock.get_mut(&key.shard).unwrap().insert(key.key, value); + } + } } - fn get(&self, path: CofferPath) -> CofferResult { - let lock = self.coffer.read().unwrap(); + fn get(&self, key: &CofferKey) -> CofferResult { + let lock = self.read(); - (*lock).get(&path) - .and_then(|v| Some(v.clone())) - .ok_or(CofferError::Msg("Key not found")) + let res = lock.get(&key.shard) + .and_then( |shard| { shard.get(&key.key) } ) + .ok_or(CofferError::Msg("Key not found"))?; + + Ok(res.clone()) + } + + fn get_shard(&self, shard: T) -> CofferResult + where T: AsRef + { + let lock = self.read(); + + let coffer_shard = lock.get(shard.as_ref()) + .ok_or(CofferError::Msg("Shard {} not found"))?; + + let mut res = CofferShard(Vec::new()); + + for (k,v) in coffer_shard { + res.0.push((k.clone(), v.clone())); + } + + Ok(res) } } diff --git a/coffer-server/src/main.rs b/coffer-server/src/main.rs index 9a80847..0da28e2 100644 --- a/coffer-server/src/main.rs +++ b/coffer-server/src/main.rs @@ -4,29 +4,31 @@ use log::{debug, error, info, trace, warn}; use env_logger; use std::path::PathBuf; +use std::fs::File; +use std::io::{Read}; use structopt::StructOpt; use std::net::SocketAddr; -use coffer_common::certificate::Certificate; use coffer_common::keyring::Keyring; +use coffer_common::coffer::Coffer; mod server; mod coffer_map; mod protocol; -use server::ServerBuilder; +use server::Server; use coffer_map::CofferMap; #[derive(StructOpt, Debug)] struct Args { /// Path to the server certificate. Will be deleted after processing. #[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_CERTIFICATE", hide_env_values = true)] - certificate: Option, + certificate: PathBuf, /// Path to secrets file. Will be deleted after processing. /// Must be sealed by the public key of the server certificate #[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_SECRETS", hide_env_values = true)] - secrets: Option, + secrets: PathBuf, /// Address, the coffer server should bind to #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] @@ -40,12 +42,16 @@ async fn main() { _print_banner(); - let server = ServerBuilder::new() - .with_keyring(args.certificate.and_then(|cert_path| Some(Keyring::new(Certificate::from(cert_path))))) - .with_coffer(Some(CofferMap::new())) - .build() - .expect("Couldn't build server"); + let keyring = Keyring::new_from_path(&args.certificate); + // decrypt secrets file and put into coffer + let mut secrets_file = File::open(&args.secrets).unwrap(); + let mut secrets_buf = Vec::new(); + secrets_file.read_to_end(&mut secrets_buf).unwrap(); + let secrets_buf_clear = String::from_utf8(keyring.open(&secrets_buf).unwrap()).unwrap(); + let coffer = CofferMap::from_toml(&secrets_buf_clear); + + let server = Server::new(keyring, coffer); server.run(args.address).await; } diff --git a/coffer-server/src/protocol.rs b/coffer-server/src/protocol.rs index 7134724..81d8fd2 100644 --- a/coffer-server/src/protocol.rs +++ b/coffer-server/src/protocol.rs @@ -9,15 +9,12 @@ use tokio::io::{AsyncRead, AsyncReadExt, AsyncWriteExt}; use tokio::net::TcpStream; -use tokio::sync::RwLock; use serde_cbor; use quick_error::quick_error; -use coffer_common::coffer::{CofferValue, - CofferPath, - Coffer}; +use coffer_common::coffer::Coffer; use coffer_common::keyring::Keyring; use hex; @@ -38,25 +35,23 @@ quick_error! { enum State { Start, Link, - Error, + Bye, End } #[derive(Debug)] enum Request { Hello(Vec), - Put(Vec), - Get(Vec), - Bye, - Error + Get, + Bye } pub struct Protocol where C: Coffer { stream: TcpStream, - coffer: Arc>, - keyring: Arc>, + coffer: Arc, + keyring: Arc, client: Option>, state: State } @@ -64,11 +59,7 @@ where C: Coffer impl Protocol where C: Coffer { - pub fn new( - stream: TcpStream, - coffer: Arc>, - keyring: Arc> - ) -> Protocol + pub fn new(stream: TcpStream, coffer: Arc, keyring: Arc) -> Protocol { let state = State::Start; let client = None; @@ -104,11 +95,9 @@ where C: Coffer match msg_type { 0x00 => Request::Hello(message), - 0x02 => Request::Put(message), - 0x03 => Request::Get(message), - 0x63 => Request::Bye, - 0xff => Request::Error, - _ => Request::Error + 0x02 => Request::Get, + 0x99 => Request::Bye, + _ => panic!{"Invalid message type {}", msg_type} } } @@ -171,30 +160,19 @@ where C: Coffer match (&self.state, event) { (State::Start, Request::Hello(pk)) => { debug!{"Reading public key"} - self.keyring.write().await - .add_known_key(&pk) - .unwrap(); self.client = Some(pk); self.state = State::Link; } - (State::Link, Request::Get(req)) => { + (State::Link, Request::Get) => { debug!{"Writing response"} - let mut req: CofferPath = - serde_cbor::from_slice( - &self.keyring.read().await - .open(&req) - .unwrap() - ).unwrap(); + let shard_id = hex::encode(self.client.as_ref().unwrap()); - req.0.insert(0, hex::encode(self.client.as_ref().unwrap())); - - let res = self.coffer.read().await - .get(req) + let res = self.coffer + .get_shard(shard_id) .unwrap(); - let response = self.keyring.read().await - .seal( + let response = self.keyring.seal( &self.client.as_ref().unwrap(), &serde_cbor::to_vec(&res).unwrap() ).unwrap(); @@ -205,35 +183,11 @@ where C: Coffer // TODO Proper result handling self.stream.write_all(&frame).await.unwrap(); - self.state = State::Link; + self.state = State::Bye; } - (State::Link, Request::Put(put)) => { - debug!{"Putting secrets"} - let mut put: Vec<(CofferPath, CofferValue)> = - serde_cbor::from_slice( - &self.keyring.read().await - .open(&put) - .unwrap() - ).unwrap(); - - let key_string = hex::encode(self.client.as_ref().unwrap()); - - put.iter_mut().map( |(cp, _cv)| &mut cp.0) - .for_each(|cp| cp.insert(0, key_string.clone())); - - for (coffer_path, coffer_value) in put { - self.coffer.write().await - .put(coffer_path, coffer_value) - .unwrap(); - } - - self.state = State::Link; - } - - (_, Request::Bye) => self.state = State::End, - - (_, Request::Error) => self.state = State::End, + (State::Link, Request::Bye) => self.state = State::End, + (State::Bye, Request::Bye) => self.state = State::End, _ => self.state = State::End } diff --git a/coffer-server/src/server.rs b/coffer-server/src/server.rs index 40ce3cf..3139bcb 100644 --- a/coffer-server/src/server.rs +++ b/coffer-server/src/server.rs @@ -5,14 +5,13 @@ use quick_error::quick_error; use tokio::net::{TcpListener}; use tokio::stream::StreamExt; -use tokio::sync::RwLock; use std::net::{ToSocketAddrs, SocketAddr}; use std::sync::Arc; use coffer_common::keyring::Keyring; use coffer_common::coffer::Coffer; -use coffer_common::certificate::{Certificate, CertificateError}; +use coffer_common::certificate::CertificateError; use crate::protocol::Protocol; @@ -35,13 +34,19 @@ quick_error! { pub struct Server where C: Coffer { - keyring: Arc>, - coffer: Arc> + keyring: Arc, + coffer: Arc } -impl Server +impl Server where C: Coffer + Send + Sync + 'static { + + pub fn new(keyring: Keyring, coffer: C) -> Self { + Server { keyring: Arc::new(keyring), + coffer: Arc::new(coffer) } + } + pub async fn run(self, addr: T) where T: ToSocketAddrs { @@ -70,6 +75,7 @@ where C: Coffer + Send + Sync + 'static let coffer = self.coffer.clone(); let protocol = Protocol::new(tcp_stream, coffer, keyring); + tokio::spawn(async move { protocol.run().await; }); @@ -84,43 +90,3 @@ where C: Coffer + Send + Sync + 'static server.await } } - -pub struct ServerBuilder -where C: Coffer -{ - keyring: Option, - coffer: Option -} - -impl <'a, C> ServerBuilder -where C: Coffer + Default -{ - pub fn new() -> ServerBuilder { - ServerBuilder { - keyring: None, - coffer: None - } - } - - pub fn with_keyring(mut self, keyring: Option) -> ServerBuilder { - self.keyring = keyring; - self - } - - pub fn with_coffer(mut self, coffer: Option) -> ServerBuilder { - self.coffer = coffer; - self - } - - pub fn build(self) -> Result, ServerError> { - let keyring = match self.keyring { - Some(k) => Arc::new(RwLock::new(k)), - None => {let cert = Certificate::new()?; - Arc::new(RwLock::new(Keyring::new(cert)))} - }; - - let coffer = Arc::new(RwLock::new(self.coffer.unwrap_or_else(|| { C::default() } ))); - - Ok(Server {keyring, coffer}) - } -} -- 2.45.2 From 40905d647a25174f7af4d1c7b33a88a3d114b4e3 Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Sun, 26 Jan 2020 09:33:50 +0100 Subject: [PATCH 3/7] [client] Adapted to new protocol --- .gitignore | 230 +++++++++++++++++++++++++++- Cargo.lock | 3 + coffer-client/Cargo.toml | 7 +- coffer-client/src/main.rs | 159 +++++++++++++------ coffer-common/Cargo.toml | 4 +- coffer-companion/src/certificate.rs | 1 + coffer-companion/src/client.rs | 110 +++++++++++++ coffer-companion/src/main.rs | 14 +- coffer-server/src/coffer_map.rs | 4 +- coffer-server/src/main.rs | 10 +- coffer-server/src/protocol.rs | 102 ++++++------ testcoffer/client.cert | 1 + testcoffer/coffer.enc | 1 + testcoffer/coffer.yaml | 4 + testcoffer/server.cert | 1 + 15 files changed, 552 insertions(+), 99 deletions(-) create mode 100644 coffer-companion/src/client.rs create mode 100644 testcoffer/client.cert create mode 100644 testcoffer/coffer.enc create mode 100644 testcoffer/coffer.yaml create mode 100644 testcoffer/server.cert diff --git a/.gitignore b/.gitignore index e51fd85..b77eab8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,228 @@ -**target/ +# Created by https://www.gitignore.io/api/vim,rust,linux,emacs,windows,intellij+all,visualstudiocode +# Edit at https://www.gitignore.io/?templates=vim,rust,linux,emacs,windows,intellij+all,visualstudiocode + +### Emacs ### +# -*- mode: gitignore; -*- +*~ +\#*\# +/.emacs.desktop +/.emacs.desktop.lock +*.elc +auto-save-list +tramp +.\#* + +# Org-mode +.org-id-locations +*_archive + +# flymake-mode +*_flymake.* + +# eshell files +/eshell/history +/eshell/lastdir + +# elpa packages +/elpa/ + +# reftex files +*.rel + +# AUCTeX auto folder +/auto/ + +# cask packages +.cask/ +dist/ + +# Flycheck +flycheck_*.el + +# server auth directory +/server/ + +# projectiles files +.projectile + +# directory configuration +.dir-locals.el + +# network security +/network-security.data + + +### Intellij+all ### +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 + +# User-specific stuff +.idea/**/workspace.xml +.idea/**/tasks.xml +.idea/**/usage.statistics.xml +.idea/**/dictionaries +.idea/**/shelf + +# Generated files +.idea/**/contentModel.xml + +# Sensitive or high-churn files +.idea/**/dataSources/ +.idea/**/dataSources.ids +.idea/**/dataSources.local.xml +.idea/**/sqlDataSources.xml +.idea/**/dynamic.xml +.idea/**/uiDesigner.xml +.idea/**/dbnavigator.xml + +# Gradle +.idea/**/gradle.xml +.idea/**/libraries + +# Gradle and Maven with auto-import +# When using Gradle or Maven with auto-import, you should exclude module files, +# since they will be recreated, and may cause churn. Uncomment if using +# auto-import. +# .idea/modules.xml +# .idea/*.iml +# .idea/modules +# *.iml +# *.ipr + +# CMake +cmake-build-*/ + +# Mongo Explorer plugin +.idea/**/mongoSettings.xml + +# File-based project format +*.iws + +# IntelliJ +out/ + +# mpeltonen/sbt-idea plugin +.idea_modules/ + +# JIRA plugin +atlassian-ide-plugin.xml + +# Cursive Clojure plugin +.idea/replstate.xml + +# Crashlytics plugin (for Android Studio and IntelliJ) +com_crashlytics_export_strings.xml +crashlytics.properties +crashlytics-build.properties +fabric.properties + +# Editor-based Rest Client +.idea/httpRequests + +# Android studio 3.1+ serialized cache file +.idea/caches/build_file_checksums.ser + +### Intellij+all Patch ### +# Ignores the whole .idea folder and all .iml files +# See https://github.com/joeblau/gitignore.io/issues/186 and https://github.com/joeblau/gitignore.io/issues/360 + +.idea/ + +# Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-249601023 + +*.iml +modules.xml +.idea/misc.xml +*.ipr + +# Sonarlint plugin +.idea/sonarlint + +### Linux ### + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### Rust ### +# Generated by Cargo +# will have compiled files and executables +/target/ + +# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries +# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html +Cargo.lock + +# These are backup files generated by rustfmt **/*.rs.bk -*.cbor -*.yaml \ No newline at end of file + +### Vim ### +# Swap +[._]*.s[a-v][a-z] +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist + +# Auto-generated tag files +tags + +# Persistent undo +[._]*.un~ + +# Coc configuration directory +.vim + +### VisualStudioCode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json + +### VisualStudioCode Patch ### +# Ignore all local history of files +.history + +### Windows ### +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# End of https://www.gitignore.io/api/vim,rust,linux,emacs,windows,intellij+all,visualstudiocode \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index 285b344..d935883 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -83,8 +83,10 @@ dependencies = [ name = "coffer-client" version = "0.4.0" dependencies = [ + "coffer-common 0.4.0", "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "exec 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", + "futures 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)", "serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)", @@ -104,6 +106,7 @@ dependencies = [ "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)", "serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)", "sodiumoxide 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)", + "tokio 0.2.9 (registry+https://github.com/rust-lang/crates.io-index)", "toml 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)", ] diff --git a/coffer-client/Cargo.toml b/coffer-client/Cargo.toml index 03fcf1c..a4989f3 100644 --- a/coffer-client/Cargo.toml +++ b/coffer-client/Cargo.toml @@ -16,4 +16,9 @@ serde = { version = "1.0", features = ["derive"]} serde_yaml = "0.8" serde_cbor = "0.10.2" # Executing subcommand -exec = "0.3.1" \ No newline at end of file +exec = "0.3.1" +# Lighter alternative to tokio for +# driving shared frame creation +futures = "0.3.1" + +coffer-common = { path = "../coffer-common" } \ No newline at end of file diff --git a/coffer-client/src/main.rs b/coffer-client/src/main.rs index b7f9728..e443729 100644 --- a/coffer-client/src/main.rs +++ b/coffer-client/src/main.rs @@ -1,17 +1,19 @@ #[allow(unused_imports)] use log::{debug, error, info, trace, warn}; - -use std::net::SocketAddr; - use env_logger; + use structopt::StructOpt; -use std::fs::File; -use std::error::Error; -use std::net::TcpStream; -use std::path::PathBuf; -use std::io::BufRead; -use std::io::BufReader; -use std::io::Write; + +use std:: { + net::{SocketAddr, TcpStream}, + error::Error, + path::PathBuf, + io::{Write, Read}, + convert::{TryInto, TryFrom} +}; + +use coffer_common::certificate::Certificate; +use coffer_common::coffer::{CofferShard, CofferValue}; #[derive(StructOpt, Debug)] struct Args { @@ -19,9 +21,8 @@ struct Args { #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] server_address: SocketAddr, - /// Path to the request file sent to the server - #[structopt(parse(from_os_str), env = "COFFER_REQUEST", hide_env_values = true)] - secrets: PathBuf, + #[structopt(short, long, parse(from_os_str), env = "COFFER_CLIENT_CERTIFICATE", hide_env_values = true)] + certificate: PathBuf, /// The subcommand spawned by coffer-client cmd: String, @@ -34,14 +35,39 @@ fn main() -> Result<(), Box> { env_logger::init(); let args = Args::from_args(); - info!{"Connecting to coffer server"} - let stream: TcpStream = TcpStream::connect(args.server_address)?; + debug!{"Reading certificate"} + let cert = Certificate::new_from_cbor(&args.certificate)?; - info!{"Parsing key requests"} - let keys = parse_from_path(&args.secrets)?; + debug!{"Connecting to coffer server"} + let mut stream: TcpStream = TcpStream::connect(&args.server_address)?; - info!{"Reading secrets"} - retrieve_secrets(&keys, stream)?; + debug!{"Sending hello"} + let hello = framed(0x00, cert.public_key()); + stream.write_all(&hello)?; + + debug!{"Sending get"} + let get = framed(0x02, Vec::new()); + stream.write_all(&get)?; + + debug!{"Reading shard"} + let header = read_header(&mut stream).unwrap(); + let shard = read_message(header.0, &mut stream).unwrap(); + debug!{"Got encrypted shard {:?}", shard} + + debug!{"Sending bye"} + let bye = framed(0x99, Vec::new()); + stream.write_all(&bye)?; + + debug!{"Decrypting shard"} + let shard_clear = cert.open(&shard).unwrap(); + let shard_de = serde_cbor::from_slice::(&shard_clear).unwrap(); + + debug!{"Setting environment"} + for (key, val) in shard_de.0 { + if let CofferValue::String(val_s) = val { + std::env::set_var(key.trim(), val_s.trim()); + } + } info!{"Spawning coffer'ed command, reaping coffer"} reap_coffer(&args.cmd, &args.cmd_args); @@ -49,27 +75,6 @@ fn main() -> Result<(), Box> { Err("Could not spawn sub-command".into()) } -fn retrieve_secrets(keys: &Vec, mut stream: TcpStream) -> Result<(), Box>{ - for k in keys { - let buf = serde_cbor::to_vec(&k)?; - info!{"Sending key request {} as {:?}", k, buf} - stream.write_all(&buf.len().to_be_bytes())?; - stream.write_all(&buf)?; - - info!{"Reading response"} - let mut reader = BufReader::new(&stream); // get buffered reader for line-wise reading from stream - - // read line - let mut resp = String::new(); - reader.read_line(&mut resp)?; - - info!{"Retrieved secret. Setting environment"} - std::env::set_var(k.trim(), resp.trim()); - } - - Ok(()) -} - fn reap_coffer(cmd: &str, args: &Vec) { let mut cmd = exec::Command::new(cmd); @@ -80,8 +85,76 @@ fn reap_coffer(cmd: &str, args: &Vec) { error!{"Could not execute sub-command {}", err}; } -fn parse_from_path(path: &PathBuf) -> Result, Box> { - let sec_file = File::open(path)?; +pub fn read_header(reader: &mut T) -> Option<(u64, u8)> +where T: Read +{ + let mut header: [u8; 9] = [0u8;9]; // header buffer + match reader.read_exact(&mut header) + { + Ok(_) => debug!{"Read {} bytes for header", 9}, + Err(err) => { + error!{"Error while reading header: {}", err} + return None; + } + } - Ok(serde_yaml::from_reader::<_, Vec>(sec_file)?) + trace!{"Header buffer {:?}", header} + + let msg_size: u64 = u64::from_be_bytes( + header[0..8] + .try_into() + .unwrap()); + + let msg_type: u8 = u8::from_be_bytes( + header[8..9] + .try_into() + .unwrap()); + + debug!{"Message size: {}, Message type: {}", msg_size, msg_type} + Some((msg_size, msg_type)) +} + +pub fn read_message(msg_size: u64, reader: &mut T) -> Option> +where T: Read +{ + // TODO: possible to use unallocated memory instead? + // -> https://doc.rust-lang.org/beta/std/mem/union.MaybeUninit.html + // TODO: 32 bit usize? Can't allocate a 64 bit length buffer anyway? + let mut message = Vec::with_capacity(msg_size.try_into().unwrap()); + // need to set the size, because otherwise it is assumed to be 0, since + // the vec is allocated but uninitialized at this point, we don't want to + // pre-allocate a potentially huge buffer with 0x00, so unsafe set size. + unsafe {message.set_len(msg_size.try_into().unwrap());} + + match reader.read_exact(&mut message) + { + Ok(_) => debug!{"Read {} bytes for message", msg_size}, + Err(err) => { + error!{"Error while reading message: {}", err} + return None; + } + } + trace!{"Read message {:?}", message} + + Some(message) +} + +pub fn framed(msg_type: u8, data: Vec) -> Vec +{ + trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data} + + // TODO magic number + let mut frame: Vec = Vec::with_capacity(data.len() + 72); + unsafe {frame.set_len(8);} + + frame.splice(0..8, u64::try_from(data.len()) + .unwrap() + .to_be_bytes() + .iter() + .cloned()); + + frame.push(msg_type); + frame.extend(&data); + + frame } diff --git a/coffer-common/Cargo.toml b/coffer-common/Cargo.toml index 6901d04..232a590 100644 --- a/coffer-common/Cargo.toml +++ b/coffer-common/Cargo.toml @@ -23,4 +23,6 @@ toml = "^0.5" base64 = "^0.11" # Key management/Cryptography sodiumoxide = "^0.2" -seckey = "^0.9" \ No newline at end of file +seckey = "^0.9" +#Communication +tokio = { version="^0.2.9", features = ["full"]} \ No newline at end of file diff --git a/coffer-companion/src/certificate.rs b/coffer-companion/src/certificate.rs index 5838aaa..32f4826 100644 --- a/coffer-companion/src/certificate.rs +++ b/coffer-companion/src/certificate.rs @@ -17,6 +17,7 @@ pub fn generate_key(out: PathBuf) { pub fn info(out: PathBuf) { let cert = Certificate::new_from_cbor(out).unwrap(); + println!{"Public Key: {}", hex::encode_upper(cert.public_key())} println!{"Secret Key: {}", hex::encode_upper(cert.secret_key())} } diff --git a/coffer-companion/src/client.rs b/coffer-companion/src/client.rs new file mode 100644 index 0000000..824f4e2 --- /dev/null +++ b/coffer-companion/src/client.rs @@ -0,0 +1,110 @@ +#[allow(unused_imports)] +use log::{debug, error, info, trace, warn}; + +use std::path::PathBuf; +use std::convert::{TryFrom, TryInto}; +use std::net::{TcpStream}; +use std::io::{Write, Read}; + +use coffer_common::certificate::Certificate; +use coffer_common::coffer::CofferShard; + +use serde_cbor; + +pub fn print_get(out: PathBuf) { + let cert = Certificate::new_from_cbor(out).unwrap(); + + let hello = framed(0x00, cert.public_key()); + let get = framed(0x02, Vec::new()); + let bye = framed(0x99, Vec::new()); + + let mut listener = TcpStream::connect("127.0.0.1:9187").unwrap(); + listener.write_all(&hello).unwrap(); + + listener.write_all(&get).unwrap(); + + let header = read_header(&mut listener).unwrap(); + let shard = read_message(header.0, &mut listener).unwrap(); + debug!{"Got encrypted shard {:?}", shard} + + listener.write_all(&bye).unwrap(); + + let shard_clear = cert.open(&shard).unwrap(); + let shard_de = serde_cbor::from_slice::(&shard_clear).unwrap(); + + println!{"{:?}", shard_de} +} + +fn framed(msg_type: u8, data: Vec) -> Vec +{ + trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data} + + // TODO magic number + let mut frame: Vec = Vec::with_capacity(data.len() + 72); + unsafe {frame.set_len(8);} + + frame.splice(0..8, u64::try_from(data.len()) + .unwrap() + .to_be_bytes() + .iter() + .cloned()); + + frame.push(msg_type); + frame.extend(&data); + + frame +} + +fn read_header(reader: &mut T) -> Option<(u64, u8)> +where T: Read +{ + let mut header: [u8; 9] = [0u8;9]; // header buffer + match reader.read_exact(&mut header) + { + Ok(_) => debug!{"Read {} bytes for header", 9}, + Err(err) => { + error!{"Error while reading header: {}", err} + return None; + } + } + + trace!{"Header buffer {:?}", header} + + let msg_size: u64 = u64::from_be_bytes( + header[0..8] + .try_into() + .unwrap()); + + let msg_type: u8 = u8::from_be_bytes( + header[8..9] + .try_into() + .unwrap()); + + debug!{"Message size: {}, Message type: {}", msg_size, msg_type} + Some((msg_size, msg_type)) +} + +fn read_message(msg_size: u64, reader: &mut T) -> Option> +where T: Read +{ + // TODO: possible to use unallocated memory instead? + // -> https://doc.rust-lang.org/beta/std/mem/union.MaybeUninit.html + // TODO: 32 bit usize? Can't allocate a 64 bit length buffer anyway? + let mut message = Vec::with_capacity(msg_size.try_into().unwrap()); + // need to set the size, because otherwise it is assumed to be 0, since + // the vec is allocated but uninitialized at this point, we don't want to + // pre-allocate a potentially huge buffer with 0x00, so unsafe set size. + unsafe {message.set_len(msg_size.try_into().unwrap());} + + match reader.read_exact(&mut message) + { + Ok(_) => debug!{"Read {} bytes for message", msg_size}, + Err(err) => { + error!{"Error while reading message: {}", err} + return None; + } + } + trace!{"Read message {:?}", message} + + Some(message) +} diff --git a/coffer-companion/src/main.rs b/coffer-companion/src/main.rs index 13db6e4..818229b 100644 --- a/coffer-companion/src/main.rs +++ b/coffer-companion/src/main.rs @@ -3,6 +3,7 @@ use structopt::StructOpt; mod certificate; mod encrypt; +mod client; #[derive(StructOpt, Debug)] enum Args { @@ -10,7 +11,7 @@ enum Args { #[structopt(short, long, parse(from_os_str))] out: PathBuf, #[structopt(short, long)] - info: bool + info: bool, }, Encrypt { #[structopt(short, long, parse(from_os_str))] @@ -19,6 +20,10 @@ enum Args { yaml: PathBuf, #[structopt(short, long, parse(from_os_str))] out: PathBuf + }, + Client { + #[structopt(short, long, parse(from_os_str))] + certificate: PathBuf, } } @@ -30,6 +35,11 @@ fn main() { if info { certificate::info(out) } else { certificate::generate_key(out) } } - _ => unimplemented![] + Args::Encrypt {certificate, yaml, out} => { + encrypt::encrypt_yaml(yaml, out, certificate) + } + Args::Client {certificate} => { + client::print_get(certificate) + } } } diff --git a/coffer-server/src/coffer_map.rs b/coffer-server/src/coffer_map.rs index cc0c444..46acd8a 100644 --- a/coffer-server/src/coffer_map.rs +++ b/coffer-server/src/coffer_map.rs @@ -74,8 +74,10 @@ impl Coffer for CofferMap { { let lock = self.read(); + debug!{"Coffer {:?}", *lock} + let coffer_shard = lock.get(shard.as_ref()) - .ok_or(CofferError::Msg("Shard {} not found"))?; + .ok_or(CofferError::Msg("Shard not found"))?; let mut res = CofferShard(Vec::new()); diff --git a/coffer-server/src/main.rs b/coffer-server/src/main.rs index 0da28e2..69125ff 100644 --- a/coffer-server/src/main.rs +++ b/coffer-server/src/main.rs @@ -33,6 +33,9 @@ struct Args { /// Address, the coffer server should bind to #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] address: SocketAddr, + + #[structopt(long, parse(from_os_str))] + client: PathBuf } #[tokio::main] @@ -42,7 +45,12 @@ async fn main() { _print_banner(); - let keyring = Keyring::new_from_path(&args.certificate); + let mut keyring = Keyring::new_from_path(&args.certificate); + + // read in client key + let mut client_key = Vec::new(); + File::open(&args.client).unwrap().read_to_end(&mut client_key).unwrap(); + keyring.add_known_key(&client_key).unwrap(); // decrypt secrets file and put into coffer let mut secrets_file = File::open(&args.secrets).unwrap(); diff --git a/coffer-server/src/protocol.rs b/coffer-server/src/protocol.rs index 81d8fd2..e10453a 100644 --- a/coffer-server/src/protocol.rs +++ b/coffer-server/src/protocol.rs @@ -2,12 +2,9 @@ use log::{debug, error, info, trace, warn}; use std::sync::Arc; -use std::convert::{TryFrom, TryInto}; use std::net::Shutdown; -use tokio::io::{AsyncRead, - AsyncReadExt, - AsyncWriteExt}; +use tokio::io::AsyncWriteExt; use tokio::net::TcpStream; use serde_cbor; @@ -16,6 +13,7 @@ use quick_error::quick_error; use coffer_common::coffer::Coffer; use coffer_common::keyring::Keyring; + use hex; quick_error! { @@ -84,13 +82,13 @@ where C: Coffer // TODO restrict msg_size more, otherwise bad client could bring server // to allocate vast amounts of memory - let (msg_size, msg_type) = Self::read_header(&mut reader).await + let (msg_size, msg_type) = frame::read_header(&mut reader).await .unwrap(); // TODO only read message if message expected by message type // currently relies on client sending good message // (0x00 message size) - let message = Self::read_message(msg_size, &mut reader).await + let message = frame::read_message(msg_size, &mut reader).await .unwrap(); match msg_type { @@ -101,7 +99,54 @@ where C: Coffer } } - async fn read_header(reader: &mut T) -> Option<(u64, u8)> + async fn transit(&mut self, event: Request) + { + match (&self.state, event) { + (State::Start, Request::Hello(pk)) => { + debug!{"Reading public key"} + self.client = Some(pk); + self.state = State::Link; + } + + (State::Link, Request::Get) => { + debug!{"Writing response"} + let shard_id = hex::encode_upper(self.client.as_ref().unwrap()); + + let res = self.coffer + .get_shard(shard_id) + .unwrap(); + + let response = self.keyring.seal( + &self.client.as_ref().unwrap(), + &serde_cbor::to_vec(&res).unwrap() + ).unwrap(); + + // TODO magic number + let frame = frame::framed(0x05u8, response).await; + trace!{"OkGet Frame: {:?}", frame} + // TODO Proper result handling + self.stream.write_all(&frame).await.unwrap(); + self.stream.flush().await.unwrap(); + + self.state = State::Bye; + } + + (State::Link, Request::Bye) => self.state = State::End, + (State::Bye, Request::Bye) => self.state = State::End, + + _ => self.state = State::End + } + } +} + +mod frame { + #[allow(unused_imports)] + use log::{debug, error, info, trace, warn}; + + use std::convert::{TryFrom, TryInto}; + use tokio::io::{AsyncRead, AsyncReadExt}; + + pub async fn read_header(reader: &mut T) -> Option<(u64, u8)> where T: AsyncRead + Unpin { let mut header: [u8; 9] = [0u8;9]; // header buffer @@ -130,7 +175,7 @@ where C: Coffer Some((msg_size, msg_type)) } - async fn read_message(msg_size: u64, reader: &mut T) -> Option> + pub async fn read_message(msg_size: u64, reader: &mut T) -> Option> where T: AsyncRead + Unpin { // TODO: possible to use unallocated memory instead? @@ -155,45 +200,7 @@ where C: Coffer Some(message) } - async fn transit(&mut self, event: Request) - { - match (&self.state, event) { - (State::Start, Request::Hello(pk)) => { - debug!{"Reading public key"} - self.client = Some(pk); - self.state = State::Link; - } - - (State::Link, Request::Get) => { - debug!{"Writing response"} - let shard_id = hex::encode(self.client.as_ref().unwrap()); - - let res = self.coffer - .get_shard(shard_id) - .unwrap(); - - let response = self.keyring.seal( - &self.client.as_ref().unwrap(), - &serde_cbor::to_vec(&res).unwrap() - ).unwrap(); - - // TODO magic number - let frame = Self::framed(0x05u8, response).await; - trace!{"OkGet Frame: {:?}", frame} - // TODO Proper result handling - self.stream.write_all(&frame).await.unwrap(); - - self.state = State::Bye; - } - - (State::Link, Request::Bye) => self.state = State::End, - (State::Bye, Request::Bye) => self.state = State::End, - - _ => self.state = State::End - } - } - - async fn framed(msg_type: u8, data: Vec) -> Vec + pub async fn framed(msg_type: u8, data: Vec) -> Vec { trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data} @@ -212,4 +219,5 @@ where C: Coffer frame } + } diff --git a/testcoffer/client.cert b/testcoffer/client.cert new file mode 100644 index 0000000..355073c --- /dev/null +++ b/testcoffer/client.cert @@ -0,0 +1 @@ +jpublic_keyX *p}o9sL@$hG[HAkprivate_keyX ϫrhDI\Jp \ No newline at end of file diff --git a/testcoffer/coffer.enc b/testcoffer/coffer.enc new file mode 100644 index 0000000..a137035 --- /dev/null +++ b/testcoffer/coffer.enc @@ -0,0 +1 @@ +܅ۈs;AG8LehzVB&VLf~B.5K*X~B`@,J\}GC2Kd0Ƈv"IAZ6OR KWjxohv{ɲcCD ]Շ?b/h $7p|9A$? \ No newline at end of file diff --git a/testcoffer/coffer.yaml b/testcoffer/coffer.yaml new file mode 100644 index 0000000..939159d --- /dev/null +++ b/testcoffer/coffer.yaml @@ -0,0 +1,4 @@ +[test] +id = "F11C86D52A70977D866F813903BC73DB4CB8AC40249DF668475B1BFE48AD1E41" +key1 = "secret1" +key2 = "secret2" diff --git a/testcoffer/server.cert b/testcoffer/server.cert new file mode 100644 index 0000000..077a185 --- /dev/null +++ b/testcoffer/server.cert @@ -0,0 +1 @@ +jpublic_keyX N%[#{P-jfPdx 4[kprivate_keyX Mٙgk{CM>;~3d+ \ No newline at end of file -- 2.45.2 From 9ae5a72fceff276017acb32260175cd0e38d34c7 Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Mon, 27 Jan 2020 17:53:36 +0100 Subject: [PATCH 4/7] [server] Read known client ids from secrets file Remove explicit client id file --- Cargo.lock | 1 + Makefile | 5 ++++- coffer-common/Cargo.toml | 1 + coffer-common/src/keyring.rs | 34 ++++++++++++++++++++++++++++++++++ coffer-server/src/main.rs | 15 +++++++-------- 5 files changed, 47 insertions(+), 9 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d935883..a0befe1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -100,6 +100,7 @@ version = "0.4.0" dependencies = [ "base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", + "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)", "seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)", diff --git a/Makefile b/Makefile index 63e7d5b..cd9fccf 100644 --- a/Makefile +++ b/Makefile @@ -8,6 +8,9 @@ release: publish: podman pull clux/muslrust - podman run -v .:/volume --rm -t clux/muslrust cargo build --release + podman run -v .:/volume:Z --rm -t clux/muslrust cargo build --release + strip target/x86_64-unknown-linux-musl/release/coffer-server + strip target/x86_64-unknown-linux-musl/release/coffer-client + strip target/x86_64-unknown-linux-musl/release/coffer-companion .PHONY: default release publish diff --git a/coffer-common/Cargo.toml b/coffer-common/Cargo.toml index 232a590..af959f1 100644 --- a/coffer-common/Cargo.toml +++ b/coffer-common/Cargo.toml @@ -21,6 +21,7 @@ serde = { version = "^1.0", features = ["derive"]} serde_cbor = "^0.10" toml = "^0.5" base64 = "^0.11" +hex = "^0.4" # Key management/Cryptography sodiumoxide = "^0.2" seckey = "^0.9" diff --git a/coffer-common/src/keyring.rs b/coffer-common/src/keyring.rs index 67aa277..61dd4e7 100644 --- a/coffer-common/src/keyring.rs +++ b/coffer-common/src/keyring.rs @@ -8,6 +8,8 @@ use quick_error::quick_error; use sodiumoxide::crypto::box_; use sodiumoxide::crypto::sealedbox; +use toml::Value as TomlValue; + use crate::certificate::{Certificate, CertificateError}; quick_error! { @@ -18,6 +20,12 @@ quick_error! { Certificate(err: CertificateError) { from() } + HexDecodeError(err: hex::FromHexError) { + from() + } + IoError(err: std::io::Error) { + from() + } Msg(err: &'static str) { from(err) display("{}", err) @@ -50,6 +58,32 @@ impl Keyring { } } + pub fn add_known_keys_toml(&mut self, toml: &str) -> Result<(), KeyringError> { + // parse the string into a toml Table + let clients: toml::value::Table = match toml.parse::().unwrap() { + TomlValue::Table(t) => t, + _ => panic!{"Invalid secrets file"} + }; + + for (_k, v) in clients { + + let client = match v { + TomlValue::Table(client) => client, + _ => panic!{"Invalid secrets file"} + }; + + match client.get("id") { + Some(TomlValue::String(id)) => { + let id = id.to_owned(); + self.add_known_key(&hex::decode(id)?)?; + }, + _ => panic!{"Invalid id, only hex encoded ids supported"} + } + } + + Ok(()) + } + pub fn add_known_key(&mut self, key: &[u8]) -> Result<(), KeyringError> { let public_key = box_::PublicKey::from_slice(key) .ok_or(KeyringError::InvalidClientKey)?; diff --git a/coffer-server/src/main.rs b/coffer-server/src/main.rs index 69125ff..2da71fa 100644 --- a/coffer-server/src/main.rs +++ b/coffer-server/src/main.rs @@ -33,9 +33,6 @@ struct Args { /// Address, the coffer server should bind to #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] address: SocketAddr, - - #[structopt(long, parse(from_os_str))] - client: PathBuf } #[tokio::main] @@ -45,20 +42,22 @@ async fn main() { _print_banner(); + // create keyring from server certificate let mut keyring = Keyring::new_from_path(&args.certificate); - // read in client key - let mut client_key = Vec::new(); - File::open(&args.client).unwrap().read_to_end(&mut client_key).unwrap(); - keyring.add_known_key(&client_key).unwrap(); - // decrypt secrets file and put into coffer let mut secrets_file = File::open(&args.secrets).unwrap(); let mut secrets_buf = Vec::new(); secrets_file.read_to_end(&mut secrets_buf).unwrap(); let secrets_buf_clear = String::from_utf8(keyring.open(&secrets_buf).unwrap()).unwrap(); + + // read known client ids from secrets file + keyring.add_known_keys_toml(&secrets_buf_clear).unwrap(); + + // read secrets from secrets file let coffer = CofferMap::from_toml(&secrets_buf_clear); + // start server let server = Server::new(keyring, coffer); server.run(args.address).await; } -- 2.45.2 From 90142ec5c15f3710d2686cd158325c3c316e498c Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Sun, 2 Feb 2020 05:40:07 +0100 Subject: [PATCH 5/7] [server] Allow nested clients Tables can be nested arbitrary, only tables with `id` attribute are considered --- .gitattributes | 2 + coffer-client/src/main.rs | 2 +- coffer-common/src/coffer.rs | 77 +++++++++++++++++----------------- coffer-common/src/keyring.rs | 38 ++++++++++------- testcoffer/client.cert | 4 +- testcoffer/client1.cert | 3 ++ testcoffer/client2.cert | 3 ++ testcoffer/coffer.enc | 4 +- testcoffer/coffer.yaml | 11 +++++ testcoffer/no_keys_client.cert | 3 ++ testcoffer/server.cert | 4 +- 11 files changed, 94 insertions(+), 57 deletions(-) create mode 100644 .gitattributes create mode 100644 testcoffer/client1.cert create mode 100644 testcoffer/client2.cert create mode 100644 testcoffer/no_keys_client.cert diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..2c752ed --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +*.enc filter=lfs diff=lfs merge=lfs -text +*.cert filter=lfs diff=lfs merge=lfs -text diff --git a/coffer-client/src/main.rs b/coffer-client/src/main.rs index e443729..309cde4 100644 --- a/coffer-client/src/main.rs +++ b/coffer-client/src/main.rs @@ -75,7 +75,7 @@ fn main() -> Result<(), Box> { Err("Could not spawn sub-command".into()) } -fn reap_coffer(cmd: &str, args: &Vec) { +fn reap_coffer(cmd: &str, args: &[String]) { let mut cmd = exec::Command::new(cmd); // TODO Push cmd as first arg if not already set? diff --git a/coffer-common/src/coffer.rs b/coffer-common/src/coffer.rs index dc14a53..b43ac17 100644 --- a/coffer-common/src/coffer.rs +++ b/coffer-common/src/coffer.rs @@ -2,6 +2,7 @@ #[allow(unused_imports)] use log::{debug, error, info, trace, warn}; +use std::fmt::Debug; use std::path::Path; use std::fs::File; use std::io::{BufReader, Read}; @@ -87,51 +88,51 @@ pub trait Coffer { _ => panic!{"Invalid secrets file"} }; - /* - * Walk through the table of clients, where each client is a table which - * is either empty, or contains a table with at least an id and any - * number of secrets - * - * # Example: - * - * files.id = "AAAA-BBBB-CCCC" - * pad.id = "FFFF-EEEE-DDDD" - * - * [files] - * secret_string = "secret value1" - * secret_int = 12345 - * secret_bool = true - */ - for (_k, v) in clients { + coffer.from_toml_table(&clients); - let client = match v { - TomlValue::Table(t) => t, - _ => panic!{"Invalid secrets file"} - }; + coffer + } - for (k, v) in client.iter() { - - if "id" == k { continue } // ids are for sharding - - let value = match v { - TomlValue::String(s) => CofferValue::String(s.to_owned()), - TomlValue::Integer(i) => CofferValue::Integer(*i as i32), - TomlValue::Float(f) => CofferValue::Float(*f as f32), - TomlValue::Boolean(b) => CofferValue::Boolean(*b), - _ => panic!{"Value {:?} unsupported", v} - }; - - match client.get("id") { - Some(TomlValue::String(shard)) => { - let shard = shard.to_owned(); - let key = k.to_owned(); - coffer.put(CofferKey{shard, key}, value).unwrap(); + fn from_toml_table(&mut self, toml_table: &toml::value::Table) { + // table has an no id, recourse into subtables + if toml_table.get("id").is_none() { + for (_key, val) in toml_table.iter() { + match val { + TomlValue::Table(subtable) => { + self.from_toml_table(subtable); }, _ => panic!{"Invalid secrets file"} } } + + return; } - return coffer; + /* + * Parse a single shard/table, this is known to have an id + * + * [files] + * id = "ABC-DEF-GHE" + * secret_string = "secret value1" + * secret_int = 12345 + * secret_bool = true + */ + let shard = toml_table.get("id").and_then(|id| id.as_str()).unwrap(); + + for (key, val) in toml_table { + if "id" == key { continue } // ids are for sharding + + let value = match val { + TomlValue::String(s) => CofferValue::String(s.to_owned()), + TomlValue::Integer(i) => CofferValue::Integer(*i as i32), + TomlValue::Float(f) => CofferValue::Float(*f as f32), + TomlValue::Boolean(b) => CofferValue::Boolean(*b), + _ => panic!{"Value {:?} unsupported", val} + }; + + let key = key.to_owned(); + let shard = shard.to_string(); + self.put(CofferKey{shard, key}, value).unwrap(); + } } } diff --git a/coffer-common/src/keyring.rs b/coffer-common/src/keyring.rs index 61dd4e7..7179b15 100644 --- a/coffer-common/src/keyring.rs +++ b/coffer-common/src/keyring.rs @@ -65,25 +65,33 @@ impl Keyring { _ => panic!{"Invalid secrets file"} }; - for (_k, v) in clients { + self.add_known_keys_toml_table(&clients)?; - let client = match v { - TomlValue::Table(client) => client, - _ => panic!{"Invalid secrets file"} - }; - - match client.get("id") { - Some(TomlValue::String(id)) => { - let id = id.to_owned(); - self.add_known_key(&hex::decode(id)?)?; - }, - _ => panic!{"Invalid id, only hex encoded ids supported"} - } - } + debug!{"Known keys {:?}", self.known_keys} Ok(()) } + fn add_known_keys_toml_table(&mut self, toml_table: &toml::value::Table) -> Result<(), KeyringError> { + // table has an no id, recourse into subtables + if toml_table.get("id").is_none() { + debug!{"{:?}", toml_table} + for (_key, val) in toml_table.iter() { + match val { + TomlValue::Table(subtable) => { + self.add_known_keys_toml_table(subtable)?; + }, + _ => panic!{"Invalid secrets file"} + } + } + + return Ok(()); + } + + let shard = toml_table.get("id").and_then(|id| id.as_str()).ok_or(KeyringError::Msg("Invalid key parsing state"))?; + self.add_known_key(&hex::decode(shard)?) + } + pub fn add_known_key(&mut self, key: &[u8]) -> Result<(), KeyringError> { let public_key = box_::PublicKey::from_slice(key) .ok_or(KeyringError::InvalidClientKey)?; @@ -94,7 +102,7 @@ impl Keyring { pub fn open(&self, message: &[u8]) -> Result, KeyringError> { self.certificate.open(message) - .map_err(|e| KeyringError::from(e)) + .map_err(KeyringError::from) } pub fn seal(&self, client: &[u8], message: &[u8]) -> Result, KeyringError> { diff --git a/testcoffer/client.cert b/testcoffer/client.cert index 355073c..cc4b979 100644 --- a/testcoffer/client.cert +++ b/testcoffer/client.cert @@ -1 +1,3 @@ -jpublic_keyX *p}o9sL@$hG[HAkprivate_keyX ϫrhDI\Jp \ No newline at end of file +version https://git-lfs.github.com/spec/v1 +oid sha256:6274c811440245c8859ff78edfdf8c4d9f93c1022242707bd966ecf226836b45 +size 92 diff --git a/testcoffer/client1.cert b/testcoffer/client1.cert new file mode 100644 index 0000000..2ece5ee --- /dev/null +++ b/testcoffer/client1.cert @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a6d7be75d0f208b19a606a1af56a8d319656b81112e8f4d2b8a3824958eeedd4 +size 92 diff --git a/testcoffer/client2.cert b/testcoffer/client2.cert new file mode 100644 index 0000000..ed06da3 --- /dev/null +++ b/testcoffer/client2.cert @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:422ca500dfbff53bf557f5ccbcd3326ed0622017f0e14800ecc062585e1d1ce5 +size 92 diff --git a/testcoffer/coffer.enc b/testcoffer/coffer.enc index a137035..f1e75a7 100644 --- a/testcoffer/coffer.enc +++ b/testcoffer/coffer.enc @@ -1 +1,3 @@ -܅ۈs;AG8LehzVB&VLf~B.5K*X~B`@,J\}GC2Kd0Ƈv"IAZ6OR KWjxohv{ɲcCD ]Շ?b/h $7p|9A$? \ No newline at end of file +version https://git-lfs.github.com/spec/v1 +oid sha256:76f742d88686e14e9db713bb38f2da1fea6ce20c8003b9bda136c778f992a550 +size 461 diff --git a/testcoffer/coffer.yaml b/testcoffer/coffer.yaml index 939159d..28d61cb 100644 --- a/testcoffer/coffer.yaml +++ b/testcoffer/coffer.yaml @@ -2,3 +2,14 @@ id = "F11C86D52A70977D866F813903BC73DB4CB8AC40249DF668475B1BFE48AD1E41" key1 = "secret1" key2 = "secret2" + +[clients] +[client.1] +id = "00E4A58C6905C2932F73F4D3AB449507E0166E53ED52F769721618F8C836E736" +client1key1 = "client1secret" +client1key2 = "client1secret2" + +[client.2] +id = "D4A39CD8C4695A70F758252E9D877ACE24BD3DE98BC09E90C37C06F99061CD5B" +client2key1 = "client2secret" +client2key2 = "client2secret2" diff --git a/testcoffer/no_keys_client.cert b/testcoffer/no_keys_client.cert new file mode 100644 index 0000000..d0677b3 --- /dev/null +++ b/testcoffer/no_keys_client.cert @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e260e5e7bca479436ec22d449a5a255fb4971b4edc36f3f8f7c407a7ca92313d +size 92 diff --git a/testcoffer/server.cert b/testcoffer/server.cert index 077a185..4c32a64 100644 --- a/testcoffer/server.cert +++ b/testcoffer/server.cert @@ -1 +1,3 @@ -jpublic_keyX N%[#{P-jfPdx 4[kprivate_keyX Mٙgk{CM>;~3d+ \ No newline at end of file +version https://git-lfs.github.com/spec/v1 +oid sha256:a3b9724fd3dff9248bba5ff40f63d63eda6d705b810e65882648bbc9876615c3 +size 92 -- 2.45.2 From 62b9d544f23c13036dc675f3432f20ab670d570d Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Sun, 2 Feb 2020 08:35:57 +0100 Subject: [PATCH 6/7] [server][client] Parse hostnames --- coffer-client/src/main.rs | 6 +++--- coffer-server/src/main.rs | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/coffer-client/src/main.rs b/coffer-client/src/main.rs index 309cde4..6d215bd 100644 --- a/coffer-client/src/main.rs +++ b/coffer-client/src/main.rs @@ -18,8 +18,8 @@ use coffer_common::coffer::{CofferShard, CofferValue}; #[derive(StructOpt, Debug)] struct Args { /// Address of the coffer server - #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] - server_address: SocketAddr, + #[structopt(short, long, env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] + server_address: String, #[structopt(short, long, parse(from_os_str), env = "COFFER_CLIENT_CERTIFICATE", hide_env_values = true)] certificate: PathBuf, @@ -39,7 +39,7 @@ fn main() -> Result<(), Box> { let cert = Certificate::new_from_cbor(&args.certificate)?; debug!{"Connecting to coffer server"} - let mut stream: TcpStream = TcpStream::connect(&args.server_address)?; + let mut stream: TcpStream = TcpStream::connect(args.server_address)?; debug!{"Sending hello"} let hello = framed(0x00, cert.public_key()); diff --git a/coffer-server/src/main.rs b/coffer-server/src/main.rs index 2da71fa..2aff25f 100644 --- a/coffer-server/src/main.rs +++ b/coffer-server/src/main.rs @@ -7,7 +7,6 @@ use std::path::PathBuf; use std::fs::File; use std::io::{Read}; use structopt::StructOpt; -use std::net::SocketAddr; use coffer_common::keyring::Keyring; use coffer_common::coffer::Coffer; @@ -31,8 +30,10 @@ struct Args { secrets: PathBuf, /// Address, the coffer server should bind to - #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] - address: SocketAddr, + #[structopt(short, long, env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] + address: String, // unfortunately we have to take a opaque string here, + // since we can't parse a hostname otherwise. + // Parsers are not customizable yet in structopt } #[tokio::main] -- 2.45.2 From 6b7e5b9d05850edc80ebfe442ebd2ab021a9737e Mon Sep 17 00:00:00 2001 From: Armin Friedl Date: Tue, 4 Feb 2020 05:10:36 +0100 Subject: [PATCH 7/7] [companion] Clean up CLI --- coffer-companion/src/client.rs | 110 --------------------------------- coffer-companion/src/main.rs | 22 +++---- 2 files changed, 9 insertions(+), 123 deletions(-) delete mode 100644 coffer-companion/src/client.rs diff --git a/coffer-companion/src/client.rs b/coffer-companion/src/client.rs deleted file mode 100644 index 824f4e2..0000000 --- a/coffer-companion/src/client.rs +++ /dev/null @@ -1,110 +0,0 @@ -#[allow(unused_imports)] -use log::{debug, error, info, trace, warn}; - -use std::path::PathBuf; -use std::convert::{TryFrom, TryInto}; -use std::net::{TcpStream}; -use std::io::{Write, Read}; - -use coffer_common::certificate::Certificate; -use coffer_common::coffer::CofferShard; - -use serde_cbor; - -pub fn print_get(out: PathBuf) { - let cert = Certificate::new_from_cbor(out).unwrap(); - - let hello = framed(0x00, cert.public_key()); - let get = framed(0x02, Vec::new()); - let bye = framed(0x99, Vec::new()); - - let mut listener = TcpStream::connect("127.0.0.1:9187").unwrap(); - listener.write_all(&hello).unwrap(); - - listener.write_all(&get).unwrap(); - - let header = read_header(&mut listener).unwrap(); - let shard = read_message(header.0, &mut listener).unwrap(); - debug!{"Got encrypted shard {:?}", shard} - - listener.write_all(&bye).unwrap(); - - let shard_clear = cert.open(&shard).unwrap(); - let shard_de = serde_cbor::from_slice::(&shard_clear).unwrap(); - - println!{"{:?}", shard_de} -} - -fn framed(msg_type: u8, data: Vec) -> Vec -{ - trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data} - - // TODO magic number - let mut frame: Vec = Vec::with_capacity(data.len() + 72); - unsafe {frame.set_len(8);} - - frame.splice(0..8, u64::try_from(data.len()) - .unwrap() - .to_be_bytes() - .iter() - .cloned()); - - frame.push(msg_type); - frame.extend(&data); - - frame -} - -fn read_header(reader: &mut T) -> Option<(u64, u8)> -where T: Read -{ - let mut header: [u8; 9] = [0u8;9]; // header buffer - match reader.read_exact(&mut header) - { - Ok(_) => debug!{"Read {} bytes for header", 9}, - Err(err) => { - error!{"Error while reading header: {}", err} - return None; - } - } - - trace!{"Header buffer {:?}", header} - - let msg_size: u64 = u64::from_be_bytes( - header[0..8] - .try_into() - .unwrap()); - - let msg_type: u8 = u8::from_be_bytes( - header[8..9] - .try_into() - .unwrap()); - - debug!{"Message size: {}, Message type: {}", msg_size, msg_type} - Some((msg_size, msg_type)) -} - -fn read_message(msg_size: u64, reader: &mut T) -> Option> -where T: Read -{ - // TODO: possible to use unallocated memory instead? - // -> https://doc.rust-lang.org/beta/std/mem/union.MaybeUninit.html - // TODO: 32 bit usize? Can't allocate a 64 bit length buffer anyway? - let mut message = Vec::with_capacity(msg_size.try_into().unwrap()); - // need to set the size, because otherwise it is assumed to be 0, since - // the vec is allocated but uninitialized at this point, we don't want to - // pre-allocate a potentially huge buffer with 0x00, so unsafe set size. - unsafe {message.set_len(msg_size.try_into().unwrap());} - - match reader.read_exact(&mut message) - { - Ok(_) => debug!{"Read {} bytes for message", msg_size}, - Err(err) => { - error!{"Error while reading message: {}", err} - return None; - } - } - trace!{"Read message {:?}", message} - - Some(message) -} diff --git a/coffer-companion/src/main.rs b/coffer-companion/src/main.rs index 818229b..6de507f 100644 --- a/coffer-companion/src/main.rs +++ b/coffer-companion/src/main.rs @@ -3,15 +3,12 @@ use structopt::StructOpt; mod certificate; mod encrypt; -mod client; #[derive(StructOpt, Debug)] enum Args { Certificate { - #[structopt(short, long, parse(from_os_str))] - out: PathBuf, - #[structopt(short, long)] - info: bool, + #[structopt(parse(from_os_str))] + path: PathBuf, }, Encrypt { #[structopt(short, long, parse(from_os_str))] @@ -21,9 +18,9 @@ enum Args { #[structopt(short, long, parse(from_os_str))] out: PathBuf }, - Client { - #[structopt(short, long, parse(from_os_str))] - certificate: PathBuf, + Info { + #[structopt(parse(from_os_str))] + path: PathBuf } } @@ -31,15 +28,14 @@ fn main() { let args: Args = Args::from_args(); match args { - Args::Certificate {out, info} => { - if info { certificate::info(out) } - else { certificate::generate_key(out) } + Args::Certificate {path} => { + certificate::generate_key(path) } Args::Encrypt {certificate, yaml, out} => { encrypt::encrypt_yaml(yaml, out, certificate) } - Args::Client {certificate} => { - client::print_get(certificate) + Args::Info {path} => { + certificate::info(path) } } } -- 2.45.2