-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: APKAM enrollmentId support and atkeys_file refactor #400
Conversation
@gkc @srieteja Can I get your confirmation this is how the PKAM command with an enrollmentId looks like?
|
@sitaram-kalluri @murali-shris see above question from @JeremyTubongbanua |
@JeremyTubongbanua : Yes, It is correct. Also, PKAM command optionally accepts signing algo and hashing algo
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JeremyTubongbanua there are changes in atclient.c regarding host and port which seem to be unrelated to the main purpose of this PR ... can you add explanation of those changes to the PR description please?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JeremyTubongbanua also monitor's message parsing has changed, can you add description of those changes also please?
int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atserver_host, const int atserver_port, | ||
const atclient_atkeys *atkeys, const char *atsign); | ||
int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atsign, const atclient_atkeys *atkeys, | ||
atclient_pkam_authenticate_options *options); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same introduction of options to monitor specific pkam authenticate implementation
if(options == NULL){ | ||
atclient_pkam_authenticate_options options; | ||
atclient_pkam_authenticate_options_init(&options); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
options is allowed to be NULL now
/* | ||
* 1.1 If atserver_host and atserver_port are null and 0 respectively, then fetch the server host and port. | ||
*/ | ||
if (options->atserver_host == NULL && options->atserver_port == 0) { | ||
if (atclient_utils_find_atserver_address(options->at_directory_host, options->at_directory_port, atsign, | ||
&(options->atserver_host), &(options->atserver_port)) != 0) { | ||
return ret; | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This scenario is readdressed below
if (options != NULL) { | ||
if (atclient_pkam_authenticate_options_is_atdirectory_host_initialized(options) && | ||
atclient_pkam_authenticate_options_is_atdirectory_port_initialized(options)) { | ||
atserver_host = options->atdirectory_host; | ||
atserver_port = options->atdirectory_port; | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Try to populate host and port if provided.
if (atserver_host == NULL || atserver_port == 0) { | ||
atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_INFO, | ||
"Missing atServer host or port. Using production atDirectory to look up atServer host and port\n"); | ||
if ((ret = atclient_utils_find_atserver_address(ATCLIENT_ATDIRECTORY_PRODUCTION_HOST, | ||
ATCLIENT_ATDIRECTORY_PRODUCTION_PORT, atsign, &atserver_host, | ||
&atserver_port)) != 0) { | ||
atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "atclient_utils_find_atserver_address: %d\n", ret); | ||
goto exit; | ||
} | ||
// only free this memory if it was allocated internally (by atclient_utils_find_atserver_address) | ||
should_free_atserver_host = true; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If host and port weren't populated from options, look them up.
const size_t pkam_cmd_size = strlen("pkam:") + signature_base64_len + strlen("\r\n") + 1; | ||
size_t pkam_cmd_size = strlen("pkam:"); | ||
if (atclient_atkeys_is_enrollment_id_initialized((atclient_atkeys *)atkeys) && atkeys->enrollment_id != NULL) { | ||
pkam_cmd_size += strlen("enrollmentId:") + strlen(atkeys->enrollment_id) + strlen(":"); | ||
} | ||
pkam_cmd_size += signature_base64_len + strlen("\r\n") + 1; | ||
if ((pkam_cmd = malloc(sizeof(char) * pkam_cmd_size)) == NULL) { | ||
atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to allocate memory for pkam_cmd\n"); | ||
goto exit; | ||
} | ||
snprintf(pkam_cmd, pkam_cmd_size, "pkam:%s\r\n", signature_base64); | ||
size_t pos = 0; | ||
pos += snprintf(pkam_cmd + pos, pkam_cmd_size - pos, "pkam:"); | ||
|
||
if (atclient_atkeys_is_enrollment_id_initialized((atclient_atkeys *)atkeys) && atkeys->enrollment_id != NULL) { | ||
pos += snprintf(pkam_cmd + pos, pkam_cmd_size - pos, "enrollmentId:%s:", atkeys->enrollment_id); | ||
} | ||
|
||
pos += snprintf(pkam_cmd + pos, pkam_cmd_size - pos, "%s\r\n", signature_base64); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
modify pkam verb to conditionally include the enrollment id
if (should_free_atserver_host) { | ||
free(atserver_host); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
free the atserver_host if it was allocated during automatic lookup (wasn't provided by options)
packages/atclient/src/atkey.c
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
formatting and compiler warnings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added enrollment id to atkeys struct and appropriate accessors/mutators (just following the same patterns we have been)
// 6. enrollment id, if it exists | ||
if (enrollment_id_str != NULL && enrollment_id_str_len > 0) { | ||
if ((ret = atclient_atkeys_set_enrollment_id(atkeys, enrollment_id_str, enrollment_id_str_len)) != 0) { | ||
atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "atclient_atkeys_set_enrollment_id: %d\n", ret); | ||
goto exit; | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
populate from strings if enrollment_id_str isn't NULL or empty
if (atclient_atkeysfile_is_enrollment_id_str_initialized((atclient_atkeysfile *)atkeys_file)) { | ||
if ((ret = atclient_atkeys_populate_from_strings( | ||
atkeys, atkeys_file->aes_pkam_public_key_str, strlen(atkeys_file->aes_pkam_public_key_str), | ||
atkeys_file->aes_pkam_private_key_str, strlen(atkeys_file->aes_pkam_private_key_str), | ||
atkeys_file->aes_encrypt_public_key_str, strlen(atkeys_file->aes_encrypt_public_key_str), | ||
atkeys_file->aes_encrypt_private_key_str, strlen(atkeys_file->aes_encrypt_private_key_str), | ||
atkeys_file->self_encryption_key_str, strlen(atkeys_file->self_encryption_key_str), | ||
atkeys_file->enrollment_id_str, strlen(atkeys_file->enrollment_id_str))) != 0) { | ||
atlogger_log(TAG, ATLOGGER_LOGGING_LEVEL_ERROR, | ||
"atclient_atkeys_populate_from_strings: %d | failed to populate from strings\n", ret); | ||
goto exit; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
conditionally add the enrollment id if it is initialized when populating from atkeys file
} | ||
} | ||
|
||
int atclient_atkeys_populate_from_string(atclient_atkeys *atkeys, const char *file_string) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
new populate variant, similar to populate from path, but is canonical to the atclient_atkeys_file_from_string variant for atkeys_file
static void unset_enrollment_id(atclient_atkeys *atkeys) { | ||
if (is_enrollment_id_initialized(atkeys)) { | ||
free(atkeys->enrollment_id); | ||
} | ||
atkeys->enrollment_id = NULL; | ||
set_enrollment_id_initialized(atkeys, false); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unset enrollment id, wiping value and removing from initialization vector
return ret; | ||
} | ||
|
||
static int set_enrollment_id(atclient_atkeys *atkeys, const char *enrollment_id, const size_t enrollment_id_len) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
enrollment id setter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
renamed from atkeysfile.c
int atclient_atkeysfile_from_string(atclient_atkeysfile *atkeys_file, const char *file_string) { | ||
int ret = 1; | ||
|
||
cJSON *root = cJSON_Parse(file_string); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
atclient_atkeysfile_from_string variant: we cJSON_Parse the file at file_string, then do all the same, using cjson to extract the atkeys file contents.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
formatting and compiler warnings
packages/atclient/src/connection.c
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
formatting and compiler warnings
int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atserver_host, const int atserver_port, | ||
const atclient_atkeys *atkeys, const char *atsign) { | ||
int atclient_monitor_pkam_authenticate(atclient *monitor_conn, const char *atsign, const atclient_atkeys *atkeys, | ||
atclient_pkam_authenticate_options *options) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same signature change as mentioned before
atclient_pkam_authenticate_options_init(&options); | ||
ret = atclient_pkam_authenticate(monitor_conn, atsign, atkeys, &options); | ||
if (ret != 0) { | ||
if ((ret = atclient_pkam_authenticate(monitor_conn, atsign, atkeys, options)) != 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
defer to the other pkam_authenticate method - monitor's variant is just a wrapper around the normal pkam auth
int i = 0; | ||
while (buffer[i] != ':') { | ||
i++; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this was a hack to align the monitor messages, which should be resolved by the parse_message changes below
return ret; | ||
} | ||
|
||
static int test1_pkam_no_options() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test pkam when options = NULL
return ret; | ||
} | ||
|
||
static int test2_pkam_with_options() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test pkam auth when we've cached atServer connection info in options
Tested here using C sshnpd: https://asciinema.org/a/n5MWtuUxF2lAGD0oSk7E0Wsc3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
closes #287
closes #387
closes #393
closes #375
closes #155
- What I did
enrollment_id
support toatkeys_file.h/.c
andatkeys.h/.c
enrollmentId:
, if it existsatkeysfile
toatkeys_file
to be consistent with conventionsatclient_pkam_authenticate_options
usage inatclient_pkam_authenticate
andatclient_monitor_pkam_authenticate
options = NULL
and predefined options work with pkam authentication- How to verify it
The PKAM Authenticate example using keys that were APKAM'd
- Description for the changelog
feat: APKAM enrollment support