diff options
author | Yehuda Sadeh <yehuda@inktank.com> | 2012-11-02 13:13:38 -0700 |
---|---|---|
committer | Yehuda Sadeh <yehuda@inktank.com> | 2012-11-02 13:13:38 -0700 |
commit | f7412fe37e15b024eb69dcb56327e51496dbf334 (patch) | |
tree | 75bd94f448b8e102134bb8aa3778ee67ee6a06f3 | |
parent | 29a03f0775c6df740f03976e3f934f8179959459 (diff) | |
download | ceph-f7412fe37e15b024eb69dcb56327e51496dbf334.tar.gz |
crypto: add cms utility function
Taken from a libnss tool (cmsutil), stripped code so that we
only get the decode functionality that we need.
Signed-off-by: Yehuda Sadeh <yehuda@inktank.com>
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/common/ceph_crypto.cc | 12 | ||||
-rw-r--r-- | src/common/ceph_crypto.h | 4 | ||||
-rw-r--r-- | src/common/ceph_crypto_cms.cc | 361 | ||||
-rw-r--r-- | src/common/ceph_crypto_cms.h | 8 | ||||
-rw-r--r-- | src/common/common_init.cc | 2 | ||||
-rw-r--r-- | src/common/config_opts.h | 3 |
7 files changed, 386 insertions, 6 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 5ee003f2877..ce0f0a753e1 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1209,6 +1209,7 @@ libcommon_files = \ common/hex.cc \ common/entity_name.cc \ common/ceph_crypto.cc \ + common/ceph_crypto_cms.cc \ common/ipaddr.cc \ common/pick_address.cc \ include/addr_parsing.c \ @@ -1430,6 +1431,7 @@ noinst_HEADERS = \ common/config_obs.h\ common/config_opts.h\ common/ceph_crypto.h\ + common/ceph_crypto_cms.h\ common/utf8.h\ common/mime.h\ common/pick_address.h\ diff --git a/src/common/ceph_crypto.cc b/src/common/ceph_crypto.cc index 95909d07e74..3f04349c20b 100644 --- a/src/common/ceph_crypto.cc +++ b/src/common/ceph_crypto.cc @@ -12,6 +12,8 @@ * */ +#include "common/config.h" +#include "common/ceph_context.h" #include "ceph_crypto.h" #include "auth/Crypto.h" @@ -21,7 +23,7 @@ void ceph::crypto::shutdown(); #ifdef USE_CRYPTOPP -void ceph::crypto::init() +void ceph::crypto::init(CephContext *cct) { } @@ -36,10 +38,14 @@ ceph::crypto::HMACSHA1::~HMACSHA1() #elif USE_NSS -void ceph::crypto::init() +void ceph::crypto::init(CephContext *cct) { SECStatus s; - s = NSS_NoDB_Init(NULL); + if (cct->_conf->nss_db_path.empty()) { + s = NSS_NoDB_Init(NULL); + } else { + s = NSS_Init(cct->_conf->nss_db_path.c_str()); + } assert(s == SECSuccess); } diff --git a/src/common/ceph_crypto.h b/src/common/ceph_crypto.h index 52b98b83a63..c55359431d4 100644 --- a/src/common/ceph_crypto.h +++ b/src/common/ceph_crypto.h @@ -21,7 +21,7 @@ namespace ceph { namespace crypto { void assert_init(); - void init(); + void init(CephContext *cct); void shutdown(); using CryptoPP::Weak::MD5; @@ -56,7 +56,7 @@ typedef unsigned char byte; namespace ceph { namespace crypto { void assert_init(); - void init(); + void init(CephContext *cct); void shutdown(); class Digest { private: diff --git a/src/common/ceph_crypto_cms.cc b/src/common/ceph_crypto_cms.cc new file mode 100644 index 00000000000..2c4312ca57c --- /dev/null +++ b/src/common/ceph_crypto_cms.cc @@ -0,0 +1,361 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + + +#include "common/config.h" + +#ifdef USE_NSS + +#include <nspr.h> +#include <cert.h> +#include <nss.h> +#include <smime.h> + +#endif + +#include <string.h> +#include <errno.h> + + +#include "include/buffer.h" + +#include "common/debug.h" + +#include "ceph_crypto_cms.h" + +#define dout_subsys ceph_subsys_crypto + + +#ifndef USE_NSS + +int decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl) +{ + return -ENOTSUP; +} + +#else + + +static int cms_verbose = 0; + +static SECStatus +DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input, + SECAlgorithmID **algids) +{ + NSSCMSDigestContext *digcx; + SECStatus rv; + + digcx = NSS_CMSDigestContext_StartMultiple(algids); + if (digcx == NULL) + return SECFailure; + + NSS_CMSDigestContext_Update(digcx, input->data, input->len); + + rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests); + return rv; +} + + +struct optionsStr { + SECCertUsage certUsage; + CERTCertDBHandle *certHandle; +}; + +struct decodeOptionsStr { + struct optionsStr *options; + SECItem content; + int headerLevel; + PRBool suppressContent; + NSSCMSGetDecryptKeyCallback dkcb; + PK11SymKey *bulkkey; + PRBool keepCerts; +}; + +static NSSCMSMessage * +decode(SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out) +{ + NSSCMSDecoderContext *dcx; + SECStatus rv; + NSSCMSMessage *cmsg; + int nlevels, i; + SECItem sitem; + bufferptr bp; + SECItem *item; + + memset(&sitem, 0, sizeof(sitem)); + + PORT_SetError(0); + dcx = NSS_CMSDecoder_Start(NULL, + NULL, NULL, /* content callback */ + NULL, NULL, /* password callback */ + decodeOptions->dkcb, /* decrypt key callback */ + decodeOptions->bulkkey); + if (dcx == NULL) { + dout(0) << "ERROR: failed to set up message decoder" << dendl; + return NULL; + } + rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len); + if (rv != SECSuccess) { + dout(0) << "ERROR: failed to decode message" << dendl; + NSS_CMSDecoder_Cancel(dcx); + return NULL; + } + cmsg = NSS_CMSDecoder_Finish(dcx); + if (cmsg == NULL) { + dout(0) << "ERROR: failed to decode message" << dendl; + return NULL; + } + + if (decodeOptions->headerLevel >= 0) { + dout(20) << "SMIME: " << dendl; + } + + nlevels = NSS_CMSMessage_ContentLevelCount(cmsg); + for (i = 0; i < nlevels; i++) { + NSSCMSContentInfo *cinfo; + SECOidTag typetag; + + cinfo = NSS_CMSMessage_ContentLevel(cmsg, i); + typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + + dout(20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl; + + switch (typetag) { + case SEC_OID_PKCS7_SIGNED_DATA: + { + NSSCMSSignedData *sigd = NULL; + SECItem **digests; + int nsigners; + int j; + + if (decodeOptions->headerLevel >= 0) + dout(20) << "type=signedData; " << dendl; + sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo); + if (sigd == NULL) { + dout(0) << "ERROR: signedData component missing" << dendl; + goto loser; + } + + /* if we have a content file, but no digests for this signedData */ + if (decodeOptions->content.data != NULL && + !NSS_CMSSignedData_HasDigests(sigd)) { + PLArenaPool *poolp; + SECAlgorithmID **digestalgs; + + /* detached content: grab content file */ + sitem = decodeOptions->content; + + if ((poolp = PORT_NewArena(1024)) == NULL) { + dout(0) << "ERROR: Out of memory" << dendl; + goto loser; + } + digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd); + if (DigestFile (poolp, &digests, &sitem, digestalgs) + != SECSuccess) { + dout(0) << "ERROR: problem computing message digest" << dendl; + PORT_FreeArena(poolp, PR_FALSE); + goto loser; + } + if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) + != SECSuccess) { + dout(0) << "ERROR: problem setting message digests" << dendl; + PORT_FreeArena(poolp, PR_FALSE); + goto loser; + } + PORT_FreeArena(poolp, PR_FALSE); + } + + /* import the certificates */ + if (NSS_CMSSignedData_ImportCerts(sigd, + decodeOptions->options->certHandle, + decodeOptions->options->certUsage, + decodeOptions->keepCerts) + != SECSuccess) { + dout(0) << "ERROR: cert import failed" << dendl; + goto loser; + } + + /* find out about signers */ + nsigners = NSS_CMSSignedData_SignerInfoCount(sigd); + if (decodeOptions->headerLevel >= 0) + dout(20) << "nsigners=" << nsigners << dendl; + if (nsigners == 0) { + /* Might be a cert transport message + ** or might be an invalid message, such as a QA test message + ** or a message from an attacker. + */ + SECStatus rv; + rv = NSS_CMSSignedData_VerifyCertsOnly(sigd, + decodeOptions->options->certHandle, + decodeOptions->options->certUsage); + if (rv != SECSuccess) { + dout(0) << "ERROR: Verify certs-only failed!" << dendl; + goto loser; + } + return cmsg; + } + + /* still no digests? */ + if (!NSS_CMSSignedData_HasDigests(sigd)) { + dout(0) << "ERROR: no message digests" << dendl; + goto loser; + } + + for (j = 0; j < nsigners; j++) { + const char * svs; + NSSCMSSignerInfo *si; + NSSCMSVerificationStatus vs; + SECStatus bad; + + si = NSS_CMSSignedData_GetSignerInfo(sigd, j); + if (decodeOptions->headerLevel >= 0) { + char *signercn; + static char empty[] = { "" }; + + signercn = NSS_CMSSignerInfo_GetSignerCommonName(si); + if (signercn == NULL) + signercn = empty; + dout(20) << "\t\tsigner" << j << ".id=" << signercn << dendl; + if (signercn != empty) + PORT_Free(signercn); + } + bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j, + decodeOptions->options->certHandle, + decodeOptions->options->certUsage); + vs = NSS_CMSSignerInfo_GetVerificationStatus(si); + svs = NSS_CMSUtil_VerificationStatusToString(vs); + if (decodeOptions->headerLevel >= 0) { + dout(20) << "signer" << j << "status=" << svs << dendl; + /* goto loser ? */ + } else if (bad) { + dout(0) << "ERROR: signer " << j << " status = " << svs << dendl; + goto loser; + } + } + } + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + { + NSSCMSEnvelopedData *envd; + if (decodeOptions->headerLevel >= 0) + dout(20) << "type=envelopedData; " << dendl; + envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo); + if (envd == NULL) { + dout(0) << "ERROR: envelopedData component missing" << dendl; + goto loser; + } + } + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + { + NSSCMSEncryptedData *encd; + if (decodeOptions->headerLevel >= 0) + dout(20) << "type=encryptedData; " << dendl; + encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo); + if (encd == NULL) { + dout(0) << "ERROR: encryptedData component missing" << dendl; + goto loser; + } + } + break; + case SEC_OID_PKCS7_DATA: + if (decodeOptions->headerLevel >= 0) + dout(20) << "type=data; " << dendl; + break; + default: + break; + } + } + + item = (sitem.data ? &sitem : NSS_CMSMessage_GetContent(cmsg)); + out.append((char *)item->data, item->len); + return cmsg; + +loser: + if (cmsg) + NSS_CMSMessage_Destroy(cmsg); + return NULL; +} + +int decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl) +{ + NSSCMSMessage *cmsg = NULL; + struct decodeOptionsStr decodeOptions = { 0 }; + struct optionsStr options; + SECItem input; + + memset(&options, 0, sizeof(options)); + memset(&input, 0, sizeof(input)); + + input.data = (unsigned char *)cms_bl.c_str(); + input.len = cms_bl.length(); + + decodeOptions.content.data = NULL; + decodeOptions.content.len = 0; + decodeOptions.suppressContent = PR_FALSE; + decodeOptions.headerLevel = -1; + decodeOptions.keepCerts = PR_FALSE; + options.certUsage = certUsageEmailSigner; + + options.certHandle = CERT_GetDefaultCertDB(); + if (!options.certHandle) { + dout(0) << "ERROR: No default cert DB" << dendl; + return -EIO; + } + if (cms_verbose) { + fprintf(stderr, "Got default certdb\n"); + } + + decodeOptions.options = &options; + + int ret = 0; + + cmsg = decode(&input, &decodeOptions, decoded_bl); + if (!cmsg) { + dout(0) << "ERROR: problem decoding" << dendl; + ret = -EINVAL; + } + + if (cmsg) + NSS_CMSMessage_Destroy(cmsg); + + SECITEM_FreeItem(&decodeOptions.content, PR_FALSE); + SECITEM_FreeItem(&input, PR_FALSE); + + return ret; +} + +#endif diff --git a/src/common/ceph_crypto_cms.h b/src/common/ceph_crypto_cms.h new file mode 100644 index 00000000000..4152d473af7 --- /dev/null +++ b/src/common/ceph_crypto_cms.h @@ -0,0 +1,8 @@ +#ifndef CEPH_CRYPTO_CMS_H +#define CEPH_CRYPTO_CMS_H + +#include "include/buffer.h" + +int decode_cms(bufferlist& cms_bl, bufferlist& decoded_bl); + +#endif diff --git a/src/common/common_init.cc b/src/common/common_init.cc index 76b50e714a5..3f7d501eb26 100644 --- a/src/common/common_init.cc +++ b/src/common/common_init.cc @@ -109,7 +109,7 @@ void complain_about_parse_errors(CephContext *cct, * same application. */ void common_init_finish(CephContext *cct) { - ceph::crypto::init(); + ceph::crypto::init(cct); cct->start_service_thread(); if (cct->_conf->lockdep) { diff --git a/src/common/config_opts.h b/src/common/config_opts.h index 8d924c69514..6a3117947c6 100644 --- a/src/common/config_opts.h +++ b/src/common/config_opts.h @@ -76,6 +76,7 @@ SUBSYS(monc, 0, 5) SUBSYS(paxos, 0, 5) SUBSYS(tp, 0, 5) SUBSYS(auth, 1, 5) +SUBSYS(crypto, 1, 5) SUBSYS(finisher, 1, 5) SUBSYS(heartbeatmap, 1, 5) SUBSYS(perfcounter, 1, 5) @@ -410,6 +411,8 @@ OPTION(rbd_cache_max_dirty, OPT_LONGLONG, 24<<20) // dirty limit in bytes - s OPTION(rbd_cache_target_dirty, OPT_LONGLONG, 16<<20) // target dirty limit in bytes OPTION(rbd_cache_max_dirty_age, OPT_FLOAT, 1.0) // seconds in cache before writeback starts +OPTION(nss_db_path, OPT_STR, "") // path to nss db + OPTION(rgw_data, OPT_STR, "/var/lib/ceph/radosgw/$cluster-$id") OPTION(rgw_enable_apis, OPT_STR, "s3, swift, swift_auth, admin") OPTION(rgw_cache_enabled, OPT_BOOL, true) // rgw cache enabled |