Commit 1fc0ae14 authored by Sietse Ringers's avatar Sietse Ringers
Browse files

Include keyshare public key in irma_configuration signing

parent 131697df
package irma
import (
"crypto/rsa"
"encoding/base64"
"encoding/xml"
"io/ioutil"
......@@ -51,6 +52,7 @@ type Configuration struct {
Warnings []string
kssPublicKeys map[SchemeManagerIdentifier]map[int]*rsa.PublicKey
publicKeys map[IssuerIdentifier]map[int]*gabi.PublicKey
reverseHashes map[string]CredentialTypeIdentifier
initialized bool
......@@ -118,6 +120,7 @@ func (conf *Configuration) clear() {
conf.CredentialTypes = make(map[CredentialTypeIdentifier]*CredentialType)
conf.Attributes = make(map[AttributeTypeIdentifier]*AttributeType)
conf.DisabledSchemeManagers = make(map[SchemeManagerIdentifier]*SchemeManagerError)
conf.kssPublicKeys = make(map[SchemeManagerIdentifier]map[int]*rsa.PublicKey)
conf.publicKeys = make(map[IssuerIdentifier]map[int]*gabi.PublicKey)
conf.reverseHashes = make(map[string]CredentialTypeIdentifier)
}
......@@ -283,6 +286,29 @@ func (conf *Configuration) PublicKey(id IssuerIdentifier, counter int) (*gabi.Pu
return conf.publicKeys[id][counter], nil
}
func (conf *Configuration) KeyshareServerPublicKey(scheme SchemeManagerIdentifier, i int) (*rsa.PublicKey, error) {
if _, contains := conf.kssPublicKeys[scheme]; !contains {
conf.kssPublicKeys[scheme] = make(map[int]*rsa.PublicKey)
}
if _, contains := conf.kssPublicKeys[scheme][i]; !contains {
pkbts, err := ioutil.ReadFile(filepath.Join(conf.Path, scheme.Name(), fmt.Sprintf("kss-%d.pem", i)))
if err != nil {
return nil, err
}
pkblk, _ := pem.Decode(pkbts)
genericPk, err := x509.ParsePKIXPublicKey(pkblk.Bytes)
if err != nil {
return nil, err
}
pk, ok := genericPk.(*rsa.PublicKey)
if !ok {
return nil, errors.New("Invalid keyshare server public key")
}
conf.kssPublicKeys[scheme][i] = pk
}
return conf.kssPublicKeys[scheme][i], nil
}
func (conf *Configuration) addReverseHash(credid CredentialTypeIdentifier) {
hash := sha256.Sum256([]byte(credid.String()))
conf.reverseHashes[base64.StdEncoding.EncodeToString(hash[:16])] = credid
......@@ -1079,6 +1105,12 @@ func (conf *Configuration) checkScheme(scheme *SchemeManager, dir string) error
scheme.Status = SchemeManagerStatusParsingError
return errors.Errorf("Scheme %s has wrong directory name %s", scheme.ID, filepath.Base(dir))
}
if scheme.KeyshareServer != "" {
if err := fs.AssertPathExists(filepath.Join(dir, "kss-0.pem")); err != nil {
scheme.Status = SchemeManagerStatusParsingError
return errors.Errorf("Scheme %s has keyshare URL but no keyshare public key kss-0.pem", scheme.ID)
}
}
conf.checkTranslations(fmt.Sprintf("Scheme %s", scheme.ID), scheme)
return nil
}
......
......@@ -3,6 +3,7 @@ package cmd
import (
"fmt"
"os"
"regexp"
"strconv"
"time"
......@@ -61,7 +62,6 @@ func signManager(args []string) {
var index irma.SchemeManagerIndex = make(map[string]irma.ConfigurationFileHash)
err = filepath.Walk(confpath, func(path string, info os.FileInfo, err error) error {
return calculateFileHash(path, info, err, confpath, index)
})
if err != nil {
die("Failed to calculate file index:", err)
......@@ -109,11 +109,18 @@ func calculateFileHash(path string, info os.FileInfo, err error, confpath string
if err != nil {
return err
}
// Skip stuff we don't want
if info.IsDir() || // Can only sign files
strings.HasSuffix(path, "index") || // Skip the index file itself
strings.Contains(path, "/.git/") || // No need to traverse .git dirs
strings.Contains(path, "/PrivateKeys/") || // Don't sign private keys
(!strings.HasSuffix(path, ".xml") && !strings.HasSuffix(path, ".png") && !strings.HasSuffix(path, "timestamp")) {
strings.Contains(path, "/.git/") || // No need to traverse .git dirs, can take quite long
strings.Contains(path, "/PrivateKeys/") { // Don't sign private keys
return nil
}
// Skip everything except the stuff we do want
if !strings.HasSuffix(path, ".xml") &&
!strings.HasSuffix(path, ".png") &&
!regexp.MustCompile("kss-\\d+\\.pem$").Match([]byte(filepath.Base(path))) &&
filepath.Base(path) != "timestamp" {
return nil
}
......
684bf07929aa5227c65318ee3573e175c56ffe6c8dba817fadcbf3517952493a test/description.xml
64b84af1784434e9cab367a208f8b750fffd8505c76084a296ec5eaaad0c47f2 test/kss-0.pem
61aa81ab57c7e4812955d77e00aeb0afefa4c88a90bee5cd75fe9aaea9d4effb test/test/Issues/email/description.xml
61a1fc7f161e43f8fc5b0c6ac2997cfe6bc0da7d27009b9914a04dca79ec6718 test/test/Issues/email/logo.png
32de560adea94257989b4d8fd688304919d365b13b5f4ad83114d21f6f728ddc test/test/Issues/mijnirma/description.xml
......@@ -9,4 +10,4 @@ db0fdbe65ee9519290b756198a0d10b47c2af417e37843a2e790f5cc0e82d282 test/test/Publi
a7f792bd702d6d97fd34d4104ddcf56bb3a0995e77fb36784099d4bd05c2df27 test/test/PublicKeys/3.xml
adc18a59954caeb907b999ab09b710c652665a0b150e5e4a7aff55199a4908dd test/test/description.xml
48f04181af6874a2f63f97d0a1a79b95f274da3e4d0efd9e5936b0ec0858b1cc test/test/logo.png
6608ddc0a56e0f2545dfed922254ae679e0aee8243a2e4924623c72c927eb101 test/timestamp
e7461f6aebf56fa77df6e7b68d3dd03eecd4b25667a0edf63c42d796584c42a0 test/timestamp
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3afG0L1zuU/sNRym8uA
hI90u3KsHuwsAuuunzipN5AIaUjtw7AltEf+AdGD0ybjak1g/dXz5BirOYmd7l2R
ifgoF42cxWnV0Ft6AL2D52LMbFwHElYs+mSfJszuMi+XNB2qJtUMrKxzSBlvVXGp
U0ScAIG3bWQrughMsprpMwvuHIsZ7aL/Jg+EK37nxWkl6afTfRhC4unK4vADq3qb
X4hWPvoq6gmO7yz6130bAaB5ZFb7F1Z6wD/n9qHOu70H9MB/HPE1XDblooxMrmr6
11GcW5GIDgM2ShD90ZQzE2QYiY4LX4XYd+Su1sGAjgdTQtO7LCK+ze7YSwQMA2NM
bQIDAQAB
-----END PUBLIC KEY-----
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment