| author | forsyth <forsyth@vitanuova.com> | 2011-01-17 11:10:35 +0000 |
|---|---|---|
| committer | forsyth <forsyth@vitanuova.com> | 2011-01-17 11:10:35 +0000 |
| commit | d6b4eae8eb0a5ca3119414005e483fedd63a62d6 (patch) | |
| tree | 4959b04b1ae02ce5ccb4b3c0a8c459ff46587eb7 /appl/cmd/auth | |
| parent | 9e6910dc0c747c8f30b87f6482f4eadb48ad6654 (diff) | |
20110117-1110
Diffstat (limited to 'appl/cmd/auth')
| -rw-r--r-- | appl/cmd/auth/dsagen.b | 14 | ||||
| -rw-r--r-- | appl/cmd/auth/factotum/proto/rsa.b | 64 | ||||
| -rw-r--r-- | appl/cmd/auth/getpk.b | 32 | ||||
| -rw-r--r-- | appl/cmd/auth/rsagen.b | 44 | ||||
| -rw-r--r-- | appl/cmd/auth/signer.b | 83 | ||||
| -rw-r--r-- | appl/cmd/auth/verify.b | 13 |
6 files changed, 105 insertions, 145 deletions
diff --git a/appl/cmd/auth/dsagen.b b/appl/cmd/auth/dsagen.b
index 51b50a12..3e24df2f 100644
--- a/appl/cmd/auth/dsagen.b
+++ b/appl/cmd/auth/dsagen.b
@@ -5,12 +5,9 @@ include "sys.m";
 include "draw.m";
-include "ipints.m";
- ipints: IPints;
- IPint: import ipints;
-
-include "crypt.m";
- crypt: Crypt;
+include "keyring.m";
+ kr: Keyring;
+ IPint, DSAsk, DSApk, DSAsig: import kr;
 include "arg.m";
@@ -22,8 +19,7 @@ Dsagen: module
 init(nil: ref Draw->Context, args: list of string)
 {
 sys = load Sys Sys->PATH;
- ipints = load IPints IPints->PATH;
- crypt = load Crypt Crypt->PATH;
+ kr = load Keyring Keyring->PATH;
 arg := load Arg Arg->PATH;
 arg->init(args);
@@ -41,7 +37,7 @@ init(nil: ref Draw->Context, args: list of string)
 arg->usage();
 arg = nil;
- sk := crypt->dsagen(nil);
+ sk := DSAsk.gen(nil);
 if(tag != nil)
 tag = " "+tag;
 s := add("p", sk.pk.p);
diff --git a/appl/cmd/auth/factotum/proto/rsa.b b/appl/cmd/auth/factotum/proto/rsa.b
index 8af64578..24dcef43 100644
--- a/appl/cmd/auth/factotum/proto/rsa.b
+++ b/appl/cmd/auth/factotum/proto/rsa.b
@@ -1,10 +1,6 @@
 implement Authproto;
-# SSH RSA authentication
-#
-# this version is compatible with Plan 9 factotum
-# Plan 9 port's factotum works differently, and eventually
-# we'll support both (the role= attribute distinguishes the cases), but not today
+# SSH RSA authentication.
 #
 # Client protocol:
 # read public key
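Review bot: `kr = load Keyring Keyring->PATH;` in dsagen.b's init is used without a nil check, so a failed load would presumably surface only later, at `DSAsk.gen(nil)`, as a nil module reference instead of a clear message. The same unchecked load is added in the init hunks of factotum/proto/rsa.b, rsagen.b, signer.b and verify.b, while getpk.b in this same commit does test it (`if(keyring == nil) badmodule(Keyring->PATH);`). For commands that generate or handle keys I would add the equivalent test after each load and exit with a "can't load" diagnostic; in rsa.b, `init` returns a string and can return the error directly. init's body continues outside the hunk.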
@@ -20,38 +16,35 @@ include "sys.m";
 include "draw.m";
-include "ipints.m";
- ipints: IPints;
- IPint: import ipints;
-include "crypt.m";
- crypt: Crypt;
- SK, PK: import crypt;
+include "keyring.m";
+ kr: Keyring;
+ IPint, RSAsk, RSApk: import kr;
 include "../authio.m";
 authio: Authio;
 Aattr, Aval, Aquery: import Authio;
- Attr, IO, Key: import authio;
+ Attr, IO, Key, Authinfo: import authio;
 eqbytes, memrandom: import authio;
- findattrval: import authio;
+ lookattrval: import authio;
 init(f: Authio): string
 {
 authio = f;
 sys = load Sys Sys->PATH;
- ipints = load IPints IPints->PATH;
- crypt = load Crypt Crypt->PATH;
+ kr = load Keyring Keyring->PATH;
+# base16 = load Encoding Encoding->BASE16PATH;
 return nil;
 }
 interaction(attrs: list of ref Attr, io: ref IO): string
 {
- role := findattrval(attrs, "role");
+ role := lookattrval(attrs, "role");
 if(role == nil)
 return "role not specified";
 if(role != "client")
 return "only client role supported";
- sk: ref SK.RSA;
+ sk: ref RSAsk;
 keys: list of ref Key;
 err: string;
 for(;;){
@@ -74,7 +67,7 @@ interaction(attrs: list of ref Attr, io: ref IO): string
 io.error("invalid challenge value");
 continue;
 }
- m := crypt->rsadecrypt(sk, chal);
+ m := sk.decrypt(chal);
 b := array of byte m.iptostr(16);
 io.write(b, len b);
 io.done(nil);
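Review bot: The added line `# base16 = load Encoding Encoding->BASE16PATH;` in init is commented-out code, and no `base16` declaration or Encoding include appears in this diff to go with it. It should either be dropped or replaced by a comment that says what it is waiting for. `Authinfo` is likewise added to the `import authio` list but is not used in any hunk shown here, so it may be an unneeded import. interaction's body continues outside the hunk.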
@@ -96,33 +89,30 @@ waitread(io: ref IO)
 Badkey: exception(string);
-kv(key: ref Key, name: string): ref IPint raises Badkey
+ipint(attrs: list of ref Attr, name: string): ref IPint raises Badkey
 {
- if(name[0] == '!')
- a := authio->findattrval(key.secrets, name);
- else
- a = authio->findattrval(key.attrs, name);
- if(a == nil)
+ s := lookattrval(attrs, name);
+ if(s == nil)
 raise Badkey("missing attribute "+name);
- m := IPint.strtoip(a, 16);
+ m := IPint.strtoip(s, 16);
 if(m == nil)
- raise Badkey("bad value for "+name);
+ raise Badkey("invalid value for "+name);
 return m;
 }
-keytorsa(k: ref Key): (ref SK.RSA, string)
+keytorsa(k: ref Key): (ref RSAsk, string)
 {
- sk := ref SK.RSA;
- sk.pk = ref PK.RSA;
+ sk := ref RSAsk;
+ sk.pk = ref RSApk;
 {
- sk.pk.ek = kv(k, "ek");
- sk.pk.n = kv(k, "n");
- sk.dk = kv(k, "!dk");
- sk.p = kv(k, "!p");
- sk.q = kv(k, "!q");
- sk.kp = kv(k, "!kp");
- sk.kq = kv(k, "!kq");
- sk.c2 = kv(k, "!c2");
+ sk.pk.ek = ipint(k.attrs, "ek");
+ sk.pk.n = ipint(k.attrs, "n");
+ sk.dk = ipint(k.secrets, "!dk");
+ sk.p = ipint(k.secrets, "!p");
+ sk.q = ipint(k.secrets, "!q");
+ sk.kp = ipint(k.secrets, "!kp");
+ sk.kq = ipint(k.secrets, "!kq");
+ sk.c2 = ipint(k.secrets, "!c2");
 }exception e{
 Badkey =>
 return (nil, "rsa key "+e);
diff --git a/appl/cmd/auth/getpk.b b/appl/cmd/auth/getpk.b
index e2273d17..24283340 100644
--- a/appl/cmd/auth/getpk.b
+++ b/appl/cmd/auth/getpk.b
@@ -3,14 +3,10 @@ include "sys.m";
 sys: Sys;
 include "draw.m";
 include "arg.m";
-include "ipints.m";
-include "crypt.m";
- crypt: Crypt;
-include "oldauth.m";
- oldauth: Oldauth;
+include "keyring.m";
+ keyring: Keyring;
-Getpk: module
-{
+Getpk: module {
 init: fn(nil: ref Draw->Context, argv: list of string);
 };
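Review bot: `ipint` and `keytorsa` in rsa.b carry no comments, and the split between public and secret attributes is now expressed only by which list each call site passes. I would add a header on ipint such as `# ipint looks up name in attrs and parses the value as a base-16 IPint; raises Badkey if it is missing or malformed`, and on keytorsa `# ek and n come from k.attrs; !dk, !p, !q, !kp, !kq and !c2 come from k.secrets`. That makes it explicit that a private component is never looked up in the public attribute list. keytorsa continues past the end of the hunk.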
@@ -23,18 +19,14 @@ badmodule(p: string)
 init(nil: ref Draw->Context, argv: list of string)
 {
 sys = load Sys Sys->PATH;
- crypt = load Crypt Crypt->PATH;
- if(crypt == nil)
- badmodule(Crypt->PATH);
- oldauth = load Oldauth Oldauth->PATH;
- if(oldauth == nil)
- badmodule(Oldauth->PATH);
- oldauth->init();
+ keyring = load Keyring Keyring->PATH;
+ if(keyring == nil)
+ badmodule(Keyring->PATH);
 arg := load Arg Arg->PATH;
 if(arg == nil)
 badmodule(Arg->PATH);
 arg->init(argv);
- arg->setusage("getpk [-asu] file...");
+ arg->setusage("usage: getpk [-asu] file...");
 aflag := 0;
 sflag := 0;
 uflag := 0;
@@ -55,7 +47,7 @@ init(nil: ref Draw->Context, argv: list of string)
 arg->usage();
 multi := len argv > 1;
 for(; argv != nil; argv = tl argv){
- info := oldauth->readauthinfo(hd argv);
+ info := keyring->readauthinfo(hd argv);
 if(info == nil){
 sys->fprint(sys->fildes(2), "getpk: cannot read %s: %r\n", hd argv);
 continue;
@@ -63,13 +55,13 @@ init(nil: ref Draw->Context, argv: list of string)
 pk := info.mypk;
 if(sflag)
 pk = info.spk;
- s := oldauth->pktostr(pk, info.owner);
+ s := keyring->pktostr(pk);
 if(!aflag)
 s = hex(hash(s));
 if(multi)
 s = hd argv + ": " + s;
 if(uflag)
- s += " " + info.owner;
+ s += " " + pk.owner;
 sys->print("%s\n", s);
 }
 }
@@ -77,8 +69,8 @@ init(nil: ref Draw->Context, argv: list of string)
 hash(s: string): array of byte
 {
 d := array of byte s;
- digest := array[Crypt->SHA1dlen] of byte;
- crypt->sha1(d, len d, digest, nil);
+ digest := array[Keyring->SHA1dlen] of byte;
+ keyring->sha1(d, len d, digest, nil);
 return digest;
 }
diff --git a/appl/cmd/auth/rsagen.b b/appl/cmd/auth/rsagen.b
index 48fcba6d..a1a4477c 100644
--- a/appl/cmd/auth/rsagen.b
+++ b/appl/cmd/auth/rsagen.b
@@ -5,12 +5,8 @@ include "sys.m";
 include "draw.m";
-include "ipints.m";
- ipints: IPints;
- IPint: import ipints;
-
-include "crypt.m";
- crypt: Crypt;
+include "keyring.m";
+ kr: Keyring;
 include "arg.m";
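Review bot: The new usage string `"usage: getpk [-asu] file..."` in getpk.b's init probably doubles the prefix. The old string had none, which suggests Arg's usage() adds `usage: ` itself; Arg's source is not part of this diff, so this needs confirming. If it does, keep `arg->setusage("getpk [-asu] file...");`. init continues outside the hunk.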
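Review bot: The fingerprint getpk prints can change with the `pktostr` hunk, and nothing documents that. `hex(hash(s))` is now computed over `keyring->pktostr(pk)`, which presumably takes the owner from the key itself, where the old call passed `info.owner` explicitly; with `-s` (`pk = info.spk`) those two owners may differ, and `-u` now prints `pk.owner` as well. If fingerprints are compared out of band against values produced by the old tool, this deserves a line in the commit message and a comment at the call, e.g. `# fingerprint covers the key's own owner, not info.owner`.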
@@ -22,8 +18,7 @@ Rsagen: module
 init(nil: ref Draw->Context, args: list of string)
 {
 sys = load Sys Sys->PATH;
- ipints = load IPints IPints->PATH;
- crypt = load Crypt Crypt->PATH;
+ kr = load Keyring Keyring->PATH;
 arg := load Arg Arg->PATH;
 arg->init(args);
@@ -48,31 +43,34 @@ init(nil: ref Draw->Context, args: list of string)
 arg->usage();
 arg = nil;
- sk := crypt->rsagen(nbits, 6, 0);
+ sk := kr->genSK("rsa", "", nbits);
 if(sk == nil)
 error("unable to generate key");
+ s := kr->sktoattr(sk);
+ # need to fix the attr interface so the following isn't needed:
+ s = skip(s, "alg");
+ s = skip(s, "owner");
 if(tag != nil)
 tag = " "+tag;
- s := add("ek", sk.pk.ek);
- s += add("n", sk.pk.n);
- s += add("!dk", sk.dk);
- s += add("!p", sk.p);
- s += add("!q", sk.q);
- s += add("!kp", sk.kp);
- s += add("!kq", sk.kq);
- s += add("!c2", sk.c2);
- a := sys->aprint("key proto=rsa%s size=%d%s\n", tag, sk.pk.n.bits(), s);
+ a := sys->aprint("key proto=rsa%s size=%d %s\n", tag, nbits, s);
 if(sys->write(sys->fildes(1), a, len a) != len a)
 error(sys->sprint("error writing key: %r"));
 }
-error(s: string)
+skip(s: string, attr: string): string
 {
- sys->fprint(sys->fildes(2), "rsagen: %s\n", s);
- raise "fail:error";
+ for(i := 0; i < len s && s[i] != ' '; i++)
+ {}
+ if(i >= len s)
+ return s;
+ (nf, fld) := sys->tokenize(s[0:i], "=");
+ if(nf == 2 && hd fld == attr)
+ s = s[i+1:];
+ return s;
 }
-add(name: string, b: ref IPint): string
+error(s: string)
 {
- return " "+name+"="+b.iptostr(16);
+ sys->fprint(sys->fildes(2), "rsagen: %s\n", s);
+ raise "fail:error";
 }
diff --git a/appl/cmd/auth/signer.b b/appl/cmd/auth/signer.b
index b27a719c..b3f4669d 100644
--- a/appl/cmd/auth/signer.b
+++ b/appl/cmd/auth/signer.b
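Review bot: `skip(s, "owner")` in rsagen.b may not strip an empty owner. The key is generated with owner `""`, and if `sktoattr` renders that as `owner=`, then `sys->tokenize(s[0:i], "=")` yields a single field, `nf == 2` fails, and the attribute stays in the emitted `key proto=rsa` line. skip also looks only at the first attribute, so it depends on `sktoattr` emitting `alg` and then `owner` first; a prefix test such as `if(i > len attr && s[0:len attr+1] == attr+"=")` avoids the tokenize edge case, and the ordering assumption deserves a comment. Separately, `size=%d` now prints the requested `nbits` where the old code printed `sk.pk.n.bits()`, so the attribute no longer reflects what was actually generated.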
@@ -5,20 +5,10 @@ include "sys.m";
 include "draw.m";
-include "ipints.m";
- ipints: IPints;
- IPint: import ipints;
-
-include "crypt.m";
- crypt: Crypt;
-
-include "oldauth.m";
- oldauth: Oldauth;
-
-include "msgio.m";
- msgio: Msgio;
-
 include "keyring.m";
+ kr: Keyring;
+ IPint: import kr;
+
 include "security.m";
 random: Random;
@@ -39,12 +29,7 @@ init(nil: ref Draw->Context, nil: list of string)
 {
 sys = load Sys Sys->PATH;
 random = load Random Random->PATH;
- ipints = load IPints IPints->PATH;
- crypt = load Crypt Crypt->PATH;
- oldauth = load Oldauth Oldauth->PATH;
- oldauth->init();
- msgio = load Msgio Msgio->PATH;
- msgio->init();
+ kr = load Keyring Keyring->PATH;
 stdin = sys->fildes(0);
 stdout = sys->fildes(1);
@@ -70,75 +55,75 @@ sign(): string
 return "can't read key";
 # send public part to client
- mypkbuf := array of byte oldauth->pktostr(crypt->sktopk(info.mysk), info.owner);
- msgio->sendmsg(stdout, mypkbuf, len mypkbuf);
+ mypkbuf := array of byte kr->pktostr(kr->sktopk(info.mysk));
+ kr->sendmsg(stdout, mypkbuf, len mypkbuf);
 alphabuf := array of byte info.alpha.iptob64();
- msgio->sendmsg(stdout, alphabuf, len alphabuf);
+ kr->sendmsg(stdout, alphabuf, len alphabuf);
 pbuf := array of byte info.p.iptob64();
- msgio->sendmsg(stdout, pbuf, len pbuf);
+ kr->sendmsg(stdout, pbuf, len pbuf);
 # get client's public key
- hisPKbuf := msgio->getmsg(stdin);
+ hisPKbuf := kr->getmsg(stdin);
 if(hisPKbuf == nil)
 return "caller hung up";
- (hisPK, hisname) := oldauth->strtopk(string hisPKbuf);
+ hisPK := kr->strtopk(string hisPKbuf);
 if(hisPK == nil)
 return "illegal caller PK";
 # hash, sign, and blind
- state := crypt->sha1(hisPKbuf, len hisPKbuf, nil, nil);
- cert := oldauth->sign(info.mysk, info.owner, 0, state, "sha1");
+ state := kr->sha1(hisPKbuf, len hisPKbuf, nil, nil);
+ cert := kr->sign(info.mysk, 0, state, "sha1");
 # sanity clause
- state = crypt->sha1(hisPKbuf, len hisPKbuf, nil, nil);
- if(oldauth->verify(info.mypk, cert, state) == 0)
+ state = kr->sha1(hisPKbuf, len hisPKbuf, nil, nil);
+ if(kr->verify(info.mypk, cert, state) == 0)
 return "bad signer certificate";
- certbuf := array of byte oldauth->certtostr(cert);
+ certbuf := array of byte kr->certtostr(cert);
 blind := random->randombuf(random->ReallyRandom, len certbuf);
 for(i := 0; i < len blind; i++)
 certbuf[i] = certbuf[i] ^ blind[i];
 # sum PKs and blinded certificate
- state = crypt->md5(mypkbuf, len mypkbuf, nil, nil);
- crypt->md5(hisPKbuf, len hisPKbuf, nil, state);
+ state = kr->md5(mypkbuf, len mypkbuf, nil, nil);
+ kr->md5(hisPKbuf, len hisPKbuf, nil, state);
 digest := array[Keyring->MD5dlen] of byte;
- crypt->md5(certbuf, len certbuf, digest, state);
+ kr->md5(certbuf, len certbuf, digest, state);
 # save sum and blinded cert in a file
- file := "signed/"+hisname;
+ file := "signed/"+hisPK.owner;
 fd := sys->create(file, Sys->OWRITE, 8r600);
 if(fd == nil)
 return "can't create "+file+sys->sprint(": %r");
- if(msgio->sendmsg(fd, blind, len blind) < 0 ||
- msgio->sendmsg(fd, digest, len digest) < 0){
+ if(kr->sendmsg(fd, blind, len blind) < 0 ||
+ kr->sendmsg(fd, digest, len digest) < 0){
 sys->remove(file);
 return "can't write "+file+sys->sprint(": %r");
 }
 # send blinded cert to client
- msgio->sendmsg(stdout, certbuf, len certbuf);
+ kr->sendmsg(stdout, certbuf, len certbuf);
 return nil;
 }
-signerkey(filename: string): ref Oldauth->Authinfo
+signerkey(filename: string): ref Keyring->Authinfo
 {
- info := oldauth->readauthinfo(filename);
+ info := kr->readauthinfo(filename);
 if(info != nil)
 return info;
 # generate a local key
- info = ref Oldauth->Authinfo;
- info.mysk = crypt->genSK("elgamal", PKmodlen);
- info.mypk = crypt->sktopk(info.mysk);
- info.spk = crypt->sktopk(info.mysk);
- myPKbuf := array of byte oldauth->pktostr(info.mypk, "*");
- state := crypt->sha1(myPKbuf, len myPKbuf, nil, nil);
- info.cert = oldauth->sign(info.mysk, "*", 0, state, "sha1");
- (info.alpha, info.p) = crypt->dhparams(DHmodlen);
-
- if(oldauth->writeauthinfo(filename, info) < 0){
+ info = ref Keyring->Authinfo;
+ info.mysk = kr->genSK("elgamal", "*", PKmodlen);
+ info.mypk = kr->sktopk(info.mysk);
+ info.spk = kr->sktopk(info.mysk);
+ myPKbuf := array of byte kr->pktostr(info.mypk);
+ state := kr->sha1(myPKbuf, len myPKbuf, nil, nil);
+ info.cert = kr->sign(info.mysk, 0, state, "sha1");
+ (info.alpha, info.p) = kr->dhparams(DHmodlen);
+
+ if(kr->writeauthinfo(filename, info) < 0){
 sys->fprint(stderr, "can't write signerkey file: %r\n");
 return nil;
 }
diff --git a/appl/cmd/auth/verify.b b/appl/cmd/auth/verify.b
index 91fe1a86..d829a76c 100644
--- a/appl/cmd/auth/verify.b
+++ b/appl/cmd/auth/verify.b
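Review bot: `file := "signed/"+hisPK.owner` in sign() builds the output path from the owner field of the key the caller just sent on stdin, with no check between `strtopk` and `sys->create`. An owner that is empty, is `.` or `..`, or contains `/` would make `create` (and `sys->remove(file)` on the error path) act on something other than a single entry under `signed/`. The previous `hisname` had the same exposure, so this is not a regression, but the line is rewritten here and the check is cheap; the sketch below rejects such names right after the nil test. sign() begins above this hunk.

```limbo
	if(hisPK == nil)
		return "illegal caller PK";
	# owner is caller-supplied and becomes a file name under signed/
	if(!okname(hisPK.owner))
		return "illegal caller name";
	# … unchanged: hash, sign, blind, write signed/<owner>, send cert …

# okname accepts only a name that stays a single path element under signed/
okname(s: string): int
{
	if(s == nil || s == "." || s == "..")
		return 0;
	for(i := 0; i < len s; i++)
		if(s[i] == '/')
			return 0;
	return 1;
}
```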
@@ -3,8 +3,8 @@ implement Verify;
 include "sys.m";
 sys: Sys;
-include "msgio.m";
- msgio: Msgio;
+include "keyring.m";
+ kr: Keyring;
 include "draw.m";
@@ -25,8 +25,7 @@ pro := array[] of {
 init(nil: ref Draw->Context, args: list of string)
 {
 sys = load Sys Sys->PATH;
- msgio = load Msgio Msgio->PATH;
- msgio->init();
+ kr = load Keyring Keyring->PATH;
 stdin = sys->fildes(0);
 stderr = sys->fildes(2);
@@ -51,8 +50,8 @@ init(nil: ref Draw->Context, args: list of string)
 sys->fprint(stderr, "signer: can't open %s: %r\n", file);
 raise "fail:no certificate";
 }
- certbuf := msgio->getmsg(fd);
- digest := msgio->getmsg(fd);
+ certbuf := kr->getmsg(fd);
+ digest := kr->getmsg(fd);
 if(digest == nil || certbuf == nil){
 sys->fprint(stderr, "signer: can't read %s: %r\n", file);
 raise "fail:bad certificate";
@@ -79,7 +78,7 @@ init(nil: ref Draw->Context, args: list of string)
 sys->fprint(stderr, "signer: can't create %s: %r\n", nfile);
 raise "fail:create";
 }
- if(msgio->sendmsg(fd, certbuf, len certbuf) < 0){
+ if(kr->sendmsg(fd, certbuf, len certbuf) < 0){
 sys->fprint(stderr, "signer: can't write %s: %r\n", nfile);
 raise "fail:write";
 } |
