feat: APKAM enrollmentId support and atkeys_file refactor #400
Conversation
JeremyTubongbanua
changed the title
JeremyTubongbanua
changed the title
JeremyTubongbanua
requested review from
XavierChanth,
sitaram-kalluri,
cconstab,
realvarx and
srieteja
|
@gkc @srieteja Can I get your confirmation this is how the PKAM command with an enrollmentId looks like? |
|
@sitaram-kalluri @murali-shris see above question from @JeremyTubongbanua |
|
@JeremyTubongbanua : Yes, It is correct. Also, PKAM command optionally accepts signing algo and hashing algo
|
There was a problem hiding this comment.
@JeremyTubongbanua there are changes in atclient.c regarding host and port which seem to be unrelated to the main purpose of this PR ... can you add explanation of those changes to the PR description please?
There was a problem hiding this comment.
@JeremyTubongbanua also monitor's message parsing has changed, can you add description of those changes also please?
| int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atserver_host, const int atserver_port, | ||
| const atclient_atkeys *atkeys, const char *atsign); | ||
| int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atsign, const atclient_atkeys *atkeys, | ||
| atclient_pkam_authenticate_options *options); |
There was a problem hiding this comment.
Same introduction of options to monitor specific pkam authenticate implementation
| if(options == NULL){ | ||
| atclient_pkam_authenticate_options options; | ||
| atclient_pkam_authenticate_options_init(&options); | ||
| } |
There was a problem hiding this comment.
options is allowed to be NULL now
| /* | ||
| * 1.1 If atserver_host and atserver_port are null and 0 respectively, then fetch the server host and port. | ||
| */ | ||
| if (options->atserver_host == NULL && options->atserver_port == 0) { | ||
| if (atclient_utils_find_atserver_address(options->at_directory_host, options->at_directory_port, atsign, | ||
| &(options->atserver_host), &(options->atserver_port)) != 0) { | ||
| return ret; | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
This scenario is readdressed below
| if (options != NULL) { | ||
| if (atclient_pkam_authenticate_options_is_atdirectory_host_initialized(options) && | ||
| atclient_pkam_authenticate_options_is_atdirectory_port_initialized(options)) { | ||
| atserver_host = options->atdirectory_host; | ||
| atserver_port = options->atdirectory_port; | ||
| } | ||
| } |
There was a problem hiding this comment.
Try to populate host and port if provided.
| if (atserver_host == NULL || atserver_port == 0) { | ||
| atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_INFO, | ||
| "Missing atServer host or port. Using production atDirectory to look up atServer host and port\n"); | ||
| if ((ret = atclient_utils_find_atserver_address(ATCLIENT_ATDIRECTORY_PRODUCTION_HOST, | ||
| ATCLIENT_ATDIRECTORY_PRODUCTION_PORT, atsign, &atserver_host, | ||
| &atserver_port)) != 0) { | ||
| atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "atclient_utils_find_atserver_address: %d\n", ret); | ||
| goto exit; | ||
| } | ||
| // only free this memory if it was allocated internally (by atclient_utils_find_atserver_address) | ||
| should_free_atserver_host = true; | ||
| } |
There was a problem hiding this comment.
If host and port weren't populated from options, look them up.
| const size_t pkam_cmd_size = strlen("pkam:") + signature_base64_len + strlen("\r\n") + 1; | ||
| size_t pkam_cmd_size = strlen("pkam:"); | ||
| if (atclient_atkeys_is_enrollment_id_initialized((atclient_atkeys *)atkeys) && atkeys->enrollment_id != NULL) { | ||
| pkam_cmd_size += strlen("enrollmentId:") + strlen(atkeys->enrollment_id) + strlen(":"); | ||
| } | ||
| pkam_cmd_size += signature_base64_len + strlen("\r\n") + 1; | ||
| if ((pkam_cmd = malloc(sizeof(char) * pkam_cmd_size)) == NULL) { | ||
| atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to allocate memory for pkam_cmd\n"); | ||
| goto exit; | ||
| } | ||
| snprintf(pkam_cmd, pkam_cmd_size, "pkam:%s\r\n", signature_base64); | ||
| size_t pos = 0; | ||
| pos += snprintf(pkam_cmd + pos, pkam_cmd_size - pos, "pkam:"); | ||
|
|
||
| if (atclient_atkeys_is_enrollment_id_initialized((atclient_atkeys *)atkeys) && atkeys->enrollment_id != NULL) { | ||
| pos += snprintf(pkam_cmd + pos, pkam_cmd_size - pos, "enrollmentId:%s:", atkeys->enrollment_id); | ||
| } | ||
|
|
||
| pos += snprintf(pkam_cmd + pos, pkam_cmd_size - pos, "%s\r\n", signature_base64); |
There was a problem hiding this comment.
modify pkam verb to conditionally include the enrollment id
| if (should_free_atserver_host) { | ||
| free(atserver_host); | ||
| } |
There was a problem hiding this comment.
free the atserver_host if it was allocated during automatic lookup (wasn't provided by options)
packages/atclient/src/atkey.c
Outdated
There was a problem hiding this comment.
formatting and compiler warnings
There was a problem hiding this comment.
added enrollment id to atkeys struct and appropriate accessors/mutators (just following the same patterns we have been)
| // 6. enrollment id, if it exists | ||
| if (enrollment_id_str != NULL && enrollment_id_str_len > 0) { | ||
| if ((ret = atclient_atkeys_set_enrollment_id(atkeys, enrollment_id_str, enrollment_id_str_len)) != 0) { | ||
| atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "atclient_atkeys_set_enrollment_id: %d\n", ret); | ||
| goto exit; | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
populate from strings if enrollment_id_str isn't NULL or empty
| if (atclient_atkeysfile_is_enrollment_id_str_initialized((atclient_atkeysfile *)atkeys_file)) { | ||
| if ((ret = atclient_atkeys_populate_from_strings( | ||
| atkeys, atkeys_file->aes_pkam_public_key_str, strlen(atkeys_file->aes_pkam_public_key_str), | ||
| atkeys_file->aes_pkam_private_key_str, strlen(atkeys_file->aes_pkam_private_key_str), | ||
| atkeys_file->aes_encrypt_public_key_str, strlen(atkeys_file->aes_encrypt_public_key_str), | ||
| atkeys_file->aes_encrypt_private_key_str, strlen(atkeys_file->aes_encrypt_private_key_str), | ||
| atkeys_file->self_encryption_key_str, strlen(atkeys_file->self_encryption_key_str), | ||
| atkeys_file->enrollment_id_str, strlen(atkeys_file->enrollment_id_str))) != 0) { | ||
| atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, | ||
| "atclient_atkeys_populate_from_strings: %d | failed to populate from strings\n", ret); | ||
| goto exit; | ||
| } |
There was a problem hiding this comment.
conditionally add the enrollment id if it is initialized when populating from atkeys file
| } | ||
| } | ||
|
|
||
| int atclient_atkeys_populate_from_string(atclient_atkeys *atkeys, const char *file_string) { |
There was a problem hiding this comment.
new populate variant, similar to populate from path, but is canonical to the atclient_atkeys_file_from_string variant for atkeys_file
| static void unset_enrollment_id(atclient_atkeys *atkeys) { | ||
| if (is_enrollment_id_initialized(atkeys)) { | ||
| free(atkeys->enrollment_id); | ||
| } | ||
| atkeys->enrollment_id = NULL; | ||
| set_enrollment_id_initialized(atkeys, false); | ||
| } | ||
|
|
There was a problem hiding this comment.
unset enrollment id, wiping value and removing from initialization vector
| return ret; | ||
| } | ||
|
|
||
| static int set_enrollment_id(atclient_atkeys *atkeys, const char *enrollment_id, const size_t enrollment_id_len) { |
| int atclient_atkeysfile_from_string(atclient_atkeysfile *atkeys_file, const char *file_string) { | ||
| int ret = 1; | ||
|
|
||
| cJSON *root = cJSON_Parse(file_string); |
There was a problem hiding this comment.
atclient_atkeysfile_from_string variant: we cJSON_Parse the file at file_string, then do all the same, using cjson to extract the atkeys file contents.
There was a problem hiding this comment.
formatting and compiler warnings
packages/atclient/src/connection.c
Outdated
There was a problem hiding this comment.
formatting and compiler warnings
| int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atserver_host, const int atserver_port, | ||
| const atclient_atkeys *atkeys, const char *atsign) { | ||
| int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atsign, const atclient_atkeys *atkeys, | ||
| atclient_pkam_authenticate_options *options) { |
There was a problem hiding this comment.
same signature change as mentioned before
| atclient_pkam_authenticate_options_init(&options); | ||
| ret = atclient_pkam_authenticate(monitor_conn, atsign, atkeys, &options); | ||
| if (ret != 0) { | ||
| if ((ret = atclient_pkam_authenticate(monitor_conn, atsign, atkeys, options)) != 0) { |
There was a problem hiding this comment.
defer to the other pkam_authenticate method - monitor's variant is just a wrapper around the normal pkam auth
| int i = 0; | ||
| while (buffer[i] != ':') { | ||
| i++; | ||
| } |
There was a problem hiding this comment.
this was a hack to align the monitor messages, which should be resolved by the parse_message changes below
| return ret; | ||
| } | ||
|
|
||
| static int test1_pkam_no_options() { |
There was a problem hiding this comment.
Test pkam when options = NULL
| return ret; | ||
| } | ||
|
|
||
| static int test2_pkam_with_options() { |
There was a problem hiding this comment.
Test pkam auth when we've cached atServer connection info in options
|
Tested here using C sshnpd: https://asciinema.org/a/n5MWtuUxF2lAGD0oSk7E0Wsc3 |
closes #287
closes #387
closes #393
closes #375
closes #155
- What I did
enrollment_idsupport toatkeys_file.h/.candatkeys.h/.cenrollmentId:, if it existsatkeysfiletoatkeys_fileto be consistent with conventionsatclient_pkam_authenticate_optionsusage inatclient_pkam_authenticateandatclient_monitor_pkam_authenticateoptions = NULLand predefined options work with pkam authentication- How to verify it
The PKAM Authenticate example using keys that were APKAM'd
- Description for the changelog
feat: APKAM enrollment support