diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.am | 10 | ||||
-rw-r--r-- | include/webauth/keys.h | 54 | ||||
-rw-r--r-- | lib/keys.c | 49 | ||||
-rw-r--r-- | lib/libwebauth.map | 1 | ||||
-rw-r--r-- | lib/libwebauth.sym | 1 | ||||
-rw-r--r-- | tests/TESTS | 1 | ||||
-rw-r--r-- | tests/lib/keys-t.c | 53 |
8 files changed, 166 insertions, 4 deletions
@@ -41,6 +41,7 @@ /tests/lib/base64-t /tests/lib/hex-t /tests/lib/key-t +/tests/lib/keys-t /tests/lib/krb5-t /tests/lib/krb5-tgt-t /tests/lib/random-t diff --git a/Makefile.am b/Makefile.am index 09e87311..0dad8457 100644 --- a/Makefile.am +++ b/Makefile.am @@ -73,11 +73,12 @@ endif lib_LTLIBRARIES = lib/libwebauth.la include_HEADERS = include/webauth.h webauthincludedir = $(includedir)/webauth -webauthinclude_HEADERS = include/webauth/basic.h include/webauth/tokens.h +webauthinclude_HEADERS = include/webauth/basic.h include/webauth/keys.h \ + include/webauth/tokens.h nodist_webauthinclude_HEADERS = include/webauth/defines.h lib_libwebauth_la_SOURCES = include/webauth.h lib/attrs.c lib/base64.c \ - lib/context.c lib/key.c lib/krb5.c lib/misc.c lib/random.c \ - lib/token-decode.c lib/token-encode.c lib/token.c + lib/context.c lib/key.c lib/keys.c lib/krb5.c lib/misc.c \ + lib/random.c lib/token-decode.c lib/token-encode.c lib/token.c EXTRA_lib_libwebauth_la_SOURCES = lib/krb5-heimdal.c lib/krb5-mit.c lib_libwebauth_la_CPPFLAGS = $(AM_CPPFLAGS) $(APR_CPPFLAGS) \ $(APRUTIL_CPPFLAGS) $(KRB5_CPPFLAGS) $(CRYPTO_CPPFLAGS) @@ -247,7 +248,7 @@ warnings: # The bits below are for the test suite, not for the main package. check_PROGRAMS = tests/runtests tests/lib/attrs-t tests/lib/base64-t \ - tests/lib/hex-t tests/lib/key-t tests/lib/krb5-t \ + tests/lib/hex-t tests/lib/key-t tests/lib/keys-t tests/lib/krb5-t \ tests/lib/krb5-tgt-t tests/lib/random-t tests/lib/token-decode-t \ tests/lib/token-encode-t tests/lib/token-t \ tests/portable/asprintf-t tests/portable/mkstemp-t \ @@ -267,6 +268,7 @@ tests_lib_attrs_t_LDADD = tests/tap/libtap.a lib/libwebauth.la tests_lib_base64_t_LDADD = tests/tap/libtap.a lib/libwebauth.la tests_lib_hex_t_LDADD = tests/tap/libtap.a lib/libwebauth.la tests_lib_key_t_LDADD = tests/tap/libtap.a lib/libwebauth.la +tests_lib_keys_t_LDADD = tests/tap/libtap.a lib/libwebauth.la tests_lib_krb5_t_LDADD = tests/tap/libtap.a lib/libwebauth.la tests_lib_krb5_tgt_t_LDFLAGS = $(KRB5_LDFLAGS) tests_lib_krb5_tgt_t_LDADD = tests/tap/libtap.a lib/libwebauth.la \ diff --git a/include/webauth/keys.h b/include/webauth/keys.h new file mode 100644 index 00000000..06e6a440 --- /dev/null +++ b/include/webauth/keys.h @@ -0,0 +1,54 @@ +/* + * WebAuth key and keyring manipulation functions. + * + * These interfaces handle WebAuth keys and keyrings. A key is used for token + * encryption and decryption. A keyring is a collection of keys with various + * use-by dates to allow key rollover while decrypting tokens encrypted with + * older keys. + * + * Written by Russ Allbery <rra@stanford.edu> + * Copyright 2011 + * The Board of Trustees of the Leland Stanford Junior University + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef WEBAUTH_KEYS_H +#define WEBAUTH_KEYS_H 1 + +#include <webauth/defines.h> + +/* FIXME: Most key functions have not yet been migrated to APR. */ +#include <webauth.h> + +BEGIN_DECLS + +/* + * Given a key, form a single-element keyring around it. Used to convert keys + * to keyrings for functions that want a keyring. Stores the new keyring in + * the ring argument and returns a WebAuth error code. The key will currently + * be copied into the ring. On failure, ring will be set to NULL. + */ +int webauth_keyring_from_key(struct webauth_context *, const WEBAUTH_KEY *, + WEBAUTH_KEYRING **) + __attribute__((__nonnull__)); + +END_DECLS + +#endif /* !WEBAUTH_KEYS_H */ diff --git a/lib/keys.c b/lib/keys.c new file mode 100644 index 00000000..b5ac9f25 --- /dev/null +++ b/lib/keys.c @@ -0,0 +1,49 @@ +/* + * Handling of keys and keyrings. + * + * Written by Russ Allbery <rra@stanford.edu> + * Copyright 2011 + * The Board of Trustees of the Leland Stanford Junior University + * + * See LICENSE for licensing terms. + */ + +#include <config.h> +#include <portable/system.h> + +#include <apr_pools.h> + +#include <lib/internal.h> +#include <webauth/basic.h> +#include <webauth/keys.h> + + +/* + * Given a key, wrap a keyring around it. The keyring and its data structures + * are allocated from the pool. + * + * FIXME: Resizing this keyring will do horrible things since it's + * pool-allocated memory that can't be resized without using APR. + */ +int +webauth_keyring_from_key(struct webauth_context *ctx, const WEBAUTH_KEY *key, + WEBAUTH_KEYRING **ring) +{ + WEBAUTH_KEY *copy; + WEBAUTH_KEYRING_ENTRY *entry; + + copy = apr_palloc(ctx->pool, sizeof(WEBAUTH_KEY)); + copy->type = key->type; + copy->data = apr_palloc(ctx->pool, key->length); + memcpy(copy->data, key->data, key->length); + copy->length = key->length; + entry = apr_palloc(ctx->pool, sizeof(WEBAUTH_KEYRING_ENTRY)); + entry->creation_time = 0; + entry->valid_after = 0; + entry->key = copy; + *ring = apr_palloc(ctx->pool, sizeof(WEBAUTH_KEYRING)); + (*ring)->num_entries = 1; + (*ring)->capacity = 1; + (*ring)->entries = entry; + return WA_ERR_NONE; +} diff --git a/lib/libwebauth.map b/lib/libwebauth.map index e3e7f328..645d5fa9 100644 --- a/lib/libwebauth.map +++ b/lib/libwebauth.map @@ -39,6 +39,7 @@ WEBAUTH_2.0 { webauth_keyring_decode; webauth_keyring_encode; webauth_keyring_free; + webauth_keyring_from_key; webauth_keyring_new; webauth_keyring_read_file; webauth_keyring_remove; diff --git a/lib/libwebauth.sym b/lib/libwebauth.sym index 5a81ac7c..4729d8d5 100644 --- a/lib/libwebauth.sym +++ b/lib/libwebauth.sym @@ -37,6 +37,7 @@ webauth_keyring_best_key webauth_keyring_decode webauth_keyring_encode webauth_keyring_free +webauth_keyring_from_key webauth_keyring_new webauth_keyring_read_file webauth_keyring_remove diff --git a/tests/TESTS b/tests/TESTS index 265141a1..2033fdf2 100644 --- a/tests/TESTS +++ b/tests/TESTS @@ -2,6 +2,7 @@ lib/attrs lib/base64 lib/hex lib/key +lib/keys lib/krb5 lib/krb5-tgt lib/random diff --git a/tests/lib/keys-t.c b/tests/lib/keys-t.c new file mode 100644 index 00000000..893bcbfb --- /dev/null +++ b/tests/lib/keys-t.c @@ -0,0 +1,53 @@ +/* + * Test key and keyring handling. + * + * Written by Russ Allbery <rra@stanford.edu> + * Copyright 2011 + * The Board of Trustees of the Leland Stanford Junior University + * + * See LICENSE for licensing terms. + */ + +#include <config.h> +#include <portable/system.h> + +#include <tests/tap/basic.h> +#include <webauth.h> +#include <webauth/basic.h> +#include <webauth/keys.h> + + +int +main(void) +{ + struct webauth_context *ctx; + int status; + char bytes[WA_AES_128]; + WEBAUTH_KEY *key; + WEBAUTH_KEYRING *ring; + + plan(10); + + if (webauth_context_init(&ctx, NULL) != WA_ERR_NONE) + bail("cannot initialize WebAuth context"); + + /* Create a key to use for testing. */ + if (webauth_random_key(bytes, sizeof(bytes)) != WA_ERR_NONE) + bail("cannot generate random key"); + key = webauth_key_create(WA_AES_KEY, bytes, sizeof(bytes)); + ok(key != NULL, "Key created successfully"); + status = webauth_keyring_from_key(ctx, key, &ring); + is_int(WA_ERR_NONE, status, "Creating keyring worked"); + is_int(1, ring->num_entries, "...with one entry"); + is_int(1, ring->capacity, "...and one capacity"); + is_int(0, ring->entries->creation_time, "Key has 0 creation time"); + is_int(0, ring->entries->valid_after, "...and 0 valid after"); + ok(ring->entries->key != key, "Key in the ring is a copy"); + is_int(key->type, ring->entries->key->type, "...with correct type"); + is_int(key->length, ring->entries->key->length, "...and length"); + ok(memcmp(key->data, ring->entries->key->data, key->length) == 0, + "...and correct data"); + + webauth_context_free(ctx); + return 0; +} |