Change data type of auth challenge from string to byte array, add message verifier that will use private/public keypair directly

4 files changed, 128 insertions, 24 deletions

diff --git a/src/main/java/org/openslx/encryption/AsymEncryptionHandler.java b/src/main/java/org/openslx/encryption/AsymEncryptionHandler.java
new file mode 100644
index 0000000..98109f2
--- /dev/null
+++ b/src/main/java/org/openslx/encryption/AsymEncryptionHandler.java
@@ -0,0 +1,89 @@
+package org.openslx.encryption;
+
+import java.security.InvalidKeyException;
+import java.security.InvalidParameterException;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+
+import org.apache.log4j.Logger;
+
+public class AsymEncryptionHandler
+{
+	private static final Logger LOG = Logger.getLogger( AsymEncryptionHandler.class );
+
+	private final Key key;
+
+	/**
+	 * Create a handler.
+	 */
+	public AsymEncryptionHandler( Key key )
+	{
+		this.key = key;
+	}
+
+	/**
+	 * Encrypt given plain text message with the key this class was
+	 * instantiated with.
+	 * 
+	 * @param cleartext a clear text message
+	 * @return The encrypted message
+	 */
+	public byte[] encryptMessage( byte[] cleartext )
+	{
+		try {
+			Cipher cipher = Cipher.getInstance( "RSA" );
+			cipher.init( Cipher.ENCRYPT_MODE, key );
+			return cipher.doFinal( cleartext );
+		} catch ( NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e ) {
+			LOG.warn( "Cannot encrypt message", e );
+		}
+		return null;
+	}
+
+	/**
+	 * Verify an encrypted message, where we know the plain text.
+	 * 
+	 * @param encryptedMessage
+	 * @param expectedCleartext
+	 * @return true if the message matches the expected plain text after decrypting
+	 */
+	public boolean verifyMessage( byte[] encryptedMessage, byte[] expectedCleartext )
+	{
+		try {
+			Cipher cipher = Cipher.getInstance( "RSA" );
+			cipher.init( Cipher.DECRYPT_MODE, key );
+			byte[] result = cipher.doFinal( encryptedMessage );
+			return Arrays.equals( expectedCleartext, result );
+		} catch ( NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e ) {
+			LOG.warn( "Cannot verify message", e );
+		}
+		return false;
+	}
+
+	/**
+	 * Generate a fresh RSA key pair.
+	 * 
+	 * @param bits length of key
+	 * @return key pair, or null on error
+	 */
+	public static KeyPair generateKeyPair( int bits )
+	{
+		try {
+			KeyPairGenerator kpg = KeyPairGenerator.getInstance( "RSA" );
+			kpg.initialize( bits );
+			return kpg.genKeyPair();
+		} catch ( NoSuchAlgorithmException | InvalidParameterException e ) {
+			LOG.warn( "Cannot generate RSA Keypair", e );
+			return null;
+		}
+	}
+
+}
diff --git a/src/main/java/org/openslx/imagemaster/thrift/iface/ImageServer.java b/src/main/java/org/openslx/imagemaster/thrift/iface/ImageServer.java
index ff9c288..cd7f02b 100644
--- a/src/main/java/org/openslx/imagemaster/thrift/iface/ImageServer.java
+++ b/src/main/java/org/openslx/imagemaster/thrift/iface/ImageServer.java
@@ -42,7 +42,7 @@ public class ImageServer {
 
     public UserInfo getUserFromToken(String token) throws InvalidTokenException, org.apache.thrift.TException;
 
-    public String startServerAuthentication(String organization) throws ServerAuthenticationException, org.apache.thrift.TException;
+    public ByteBuffer startServerAuthentication(String organization) throws ServerAuthenticationException, org.apache.thrift.TException;
 
     public boolean isServerAuthenticated(String serverSessionId) throws org.apache.thrift.TException;
 
@@ -169,7 +169,7 @@ public class ImageServer {
       throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "getUserFromToken failed: unknown result");
     }
 
-    public String startServerAuthentication(String organization) throws ServerAuthenticationException, org.apache.thrift.TException
+    public ByteBuffer startServerAuthentication(String organization) throws ServerAuthenticationException, org.apache.thrift.TException
     {
       send_startServerAuthentication(organization);
       return recv_startServerAuthentication();
@@ -182,7 +182,7 @@ public class ImageServer {
       sendBase("startServerAuthentication", args);
     }
 
-    public String recv_startServerAuthentication() throws ServerAuthenticationException, org.apache.thrift.TException
+    public ByteBuffer recv_startServerAuthentication() throws ServerAuthenticationException, org.apache.thrift.TException
     {
       startServerAuthentication_result result = new startServerAuthentication_result();
       receiveBase(result, "startServerAuthentication");
@@ -445,7 +445,7 @@ public class ImageServer {
         prot.writeMessageEnd();
       }
 
-      public String getResult() throws ServerAuthenticationException, org.apache.thrift.TException {
+      public ByteBuffer getResult() throws ServerAuthenticationException, org.apache.thrift.TException {
         if (getState() != org.apache.thrift.async.TAsyncMethodCall.State.RESPONSE_READ) {
           throw new IllegalStateException("Method call not finished!");
         }
@@ -1001,7 +1001,7 @@ public class ImageServer {
       }
     }
 
-    public static class startServerAuthentication<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, startServerAuthentication_args, String> {
+    public static class startServerAuthentication<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, startServerAuthentication_args, ByteBuffer> {
       public startServerAuthentication() {
         super("startServerAuthentication");
       }
@@ -1010,10 +1010,10 @@ public class ImageServer {
         return new startServerAuthentication_args();
       }
 
-      public AsyncMethodCallback<String> getResultHandler(final AsyncFrameBuffer fb, final int seqid) {
+      public AsyncMethodCallback<ByteBuffer> getResultHandler(final AsyncFrameBuffer fb, final int seqid) {
         final org.apache.thrift.AsyncProcessFunction fcall = this;
-        return new AsyncMethodCallback<String>() { 
-          public void onComplete(String o) {
+        return new AsyncMethodCallback<ByteBuffer>() { 
+          public void onComplete(ByteBuffer o) {
             startServerAuthentication_result result = new startServerAuthentication_result();
             result.success = o;
             try {
@@ -1053,7 +1053,7 @@ public class ImageServer {
         return false;
       }
 
-      public void start(I iface, startServerAuthentication_args args, org.apache.thrift.async.AsyncMethodCallback<String> resultHandler) throws TException {
+      public void start(I iface, startServerAuthentication_args args, org.apache.thrift.async.AsyncMethodCallback<ByteBuffer> resultHandler) throws TException {
         iface.startServerAuthentication(args.organization,resultHandler);
       }
     }
@@ -3994,7 +3994,7 @@ public class ImageServer {
       schemes.put(TupleScheme.class, new startServerAuthentication_resultTupleSchemeFactory());
     }
 
-    public String success; // required
+    public ByteBuffer success; // required
     public ServerAuthenticationException failure; // required
 
     /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
@@ -4063,7 +4063,7 @@ public class ImageServer {
     static {
       Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
       tmpMap.put(_Fields.SUCCESS, new org.apache.thrift.meta_data.FieldMetaData("success", org.apache.thrift.TFieldRequirementType.DEFAULT, 
-          new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+          new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING          , true)));
       tmpMap.put(_Fields.FAILURE, new org.apache.thrift.meta_data.FieldMetaData("failure", org.apache.thrift.TFieldRequirementType.DEFAULT, 
           new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRUCT)));
       metaDataMap = Collections.unmodifiableMap(tmpMap);
@@ -4074,7 +4074,7 @@ public class ImageServer {
     }
 
     public startServerAuthentication_result(
-      String success,
+      ByteBuffer success,
       ServerAuthenticationException failure)
     {
       this();
@@ -4087,7 +4087,8 @@ public class ImageServer {
      */
     public startServerAuthentication_result(startServerAuthentication_result other) {
       if (other.isSetSuccess()) {
-        this.success = other.success;
+        this.success = org.apache.thrift.TBaseHelper.copyBinary(other.success);
+;
       }
       if (other.isSetFailure()) {
         this.failure = new ServerAuthenticationException(other.failure);
@@ -4104,11 +4105,21 @@ public class ImageServer {
       this.failure = null;
     }
 
-    public String getSuccess() {
-      return this.success;
+    public byte[] getSuccess() {
+      setSuccess(org.apache.thrift.TBaseHelper.rightSize(success));
+      return success == null ? null : success.array();
+    }
+
+    public ByteBuffer bufferForSuccess() {
+      return success;
     }
 
-    public startServerAuthentication_result setSuccess(String success) {
+    public startServerAuthentication_result setSuccess(byte[] success) {
+      setSuccess(success == null ? (ByteBuffer)null : ByteBuffer.wrap(success));
+      return this;
+    }
+
+    public startServerAuthentication_result setSuccess(ByteBuffer success) {
       this.success = success;
       return this;
     }
@@ -4158,7 +4169,7 @@ public class ImageServer {
         if (value == null) {
           unsetSuccess();
         } else {
-          setSuccess((String)value);
+          setSuccess((ByteBuffer)value);
         }
         break;
 
@@ -4291,7 +4302,7 @@ public class ImageServer {
       if (this.success == null) {
         sb.append("null");
       } else {
-        sb.append(this.success);
+        org.apache.thrift.TBaseHelper.toString(this.success, sb);
       }
       first = false;
       if (!first) sb.append(", ");
@@ -4347,7 +4358,7 @@ public class ImageServer {
           switch (schemeField.id) {
             case 0: // SUCCESS
               if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
-                struct.success = iprot.readString();
+                struct.success = iprot.readBinary();
                 struct.setSuccessIsSet(true);
               } else { 
                 org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
@@ -4379,7 +4390,7 @@ public class ImageServer {
         oprot.writeStructBegin(STRUCT_DESC);
         if (struct.success != null) {
           oprot.writeFieldBegin(SUCCESS_FIELD_DESC);
-          oprot.writeString(struct.success);
+          oprot.writeBinary(struct.success);
           oprot.writeFieldEnd();
         }
         if (struct.failure != null) {
@@ -4413,7 +4424,7 @@ public class ImageServer {
         }
         oprot.writeBitSet(optionals, 2);
         if (struct.isSetSuccess()) {
-          oprot.writeString(struct.success);
+          oprot.writeBinary(struct.success);
         }
         if (struct.isSetFailure()) {
           struct.failure.write(oprot);
@@ -4425,7 +4436,7 @@ public class ImageServer {
         TTupleProtocol iprot = (TTupleProtocol) prot;
         BitSet incoming = iprot.readBitSet(2);
         if (incoming.get(0)) {
-          struct.success = iprot.readString();
+          struct.success = iprot.readBinary();
           struct.setSuccessIsSet(true);
         }
         if (incoming.get(1)) {
diff --git a/src/main/java/org/openslx/imagemaster/thrift/iface/ServerAuthenticationError.java b/src/main/java/org/openslx/imagemaster/thrift/iface/ServerAuthenticationError.java
index df3f9b6..8c3f1d3 100644
--- a/src/main/java/org/openslx/imagemaster/thrift/iface/ServerAuthenticationError.java
+++ b/src/main/java/org/openslx/imagemaster/thrift/iface/ServerAuthenticationError.java
@@ -15,7 +15,8 @@ public enum ServerAuthenticationError implements org.apache.thrift.TEnum {
   GENERIC_ERROR(0),
   INVALID_ORGANIZATION(1),
   INVALID_KEY(2),
-  BANNED_NETWORK(3);
+  CHALLENGE_FAILED(3),
+  BANNED_NETWORK(4);
 
   private final int value;
 
@@ -43,6 +44,8 @@ public enum ServerAuthenticationError implements org.apache.thrift.TEnum {
       case 2:
         return INVALID_KEY;
       case 3:
+        return CHALLENGE_FAILED;
+      case 4:
         return BANNED_NETWORK;
       default:
         return null;
diff --git a/src/main/thrift/imagemaster.thrift b/src/main/thrift/imagemaster.thrift
index b03cb0e..c6bd3cb 100644
--- a/src/main/thrift/imagemaster.thrift
+++ b/src/main/thrift/imagemaster.thrift
@@ -27,6 +27,7 @@ enum ServerAuthenticationError {
 	GENERIC_ERROR,
 	INVALID_ORGANIZATION,
 	INVALID_KEY,
+	CHALLENGE_FAILED,
 	BANNED_NETWORK
 }
 
@@ -127,7 +128,7 @@ service ImageServer {
 
 	UserInfo getUserFromToken(1:Token token) throws (1:InvalidTokenException failure),
 	
-	string startServerAuthentication(1:string organization) throws (1: ServerAuthenticationException failure),
+	binary startServerAuthentication(1:string organization) throws (1: ServerAuthenticationException failure),
 	
 	bool isServerAuthenticated(1:string serverSessionId),