Compare commits

..

1 commit

Author SHA1 Message Date
435552a655
WIP: Registration 2025-02-01 01:13:13 +01:00
8 changed files with 270 additions and 56 deletions

36
Cargo.lock generated
View file

@ -481,6 +481,7 @@ dependencies = [
"digest",
"fiat-crypto",
"rustc_version",
"serde",
"subtle",
"zeroize",
]
@ -1947,13 +1948,17 @@ dependencies = [
"clap",
"dropshot",
"ed25519-dalek",
"futures",
"hex",
"hkdf",
"http",
"instrumentation",
"rand",
"schemars",
"serde",
"serde_json",
"serde_with",
"sha2",
"slog",
"slog-async",
"sqlx",
@ -1962,6 +1967,7 @@ dependencies = [
"tracing",
"tracing-slog",
"uuid",
"x25519-dalek",
]
[[package]]
@ -2638,9 +2644,9 @@ dependencies = [
[[package]]
name = "serde_json"
version = "1.0.135"
version = "1.0.138"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b0d7ba2887406110130a978386c4e1befb98c674b4fba677954e4db976630d9"
checksum = "d434192e7da787e94a6ea7e9670b26a036d0ca41e0b7efb2676dd32bae872949"
dependencies = [
"itoa",
"memchr",
@ -4167,6 +4173,18 @@ version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
[[package]]
name = "x25519-dalek"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
dependencies = [
"curve25519-dalek",
"rand_core",
"serde",
"zeroize",
]
[[package]]
name = "xtask"
version = "0.2.0"
@ -4248,6 +4266,20 @@ name = "zeroize"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
dependencies = [
"zeroize_derive",
]
[[package]]
name = "zeroize_derive"
version = "1.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "zerovec"

View file

@ -36,6 +36,7 @@ dropshot = "0.15.1"
ed25519-dalek = { version = "2.1.1", features = ["pem", "rand_core"] }
futures = "0.3"
hex = "0.4.3"
hkdf = "0.12.4"
http = "1.2.0"
once_cell = "1.20.2"
progenitor = "0.9"
@ -44,8 +45,10 @@ reqwest = { version = "0.12.12", features = ["json", "stream", "rustls-tls"] }
schemars = { version = "0.8.21", features = ["bytes", "chrono", "derive"] }
semver = "1.0.24"
serde = { version = "1.0.217", features = ["derive"] }
serde_json = "1.0.138"
serde_with = { version = "3.12.0", features = ["base64", "hex", "macros", "std"] }
# serde_with_macros = { version = "3.12.0", features = ["schemars_0_8"] }
sha2 = "0.10.8"
slog = "2.7.0"
slog-async = "2.8.0"
tokio = { version = "1.43.0", features = ["full"] }
@ -54,3 +57,4 @@ tracing-core = "0.1.33"
tracing-chrome = "0.7.2"
tracing-slog = { git = "https://github.com/oxidecomputer/tracing-slog", default-features = false }
uuid = { version = "1", features = [ "serde", "v4" ] }
x25519-dalek = { version = "2.0.1", features = ["serde", "static_secrets"] }

View file

@ -12,6 +12,16 @@
],
"summary": "Get registration info",
"operationId": "get_registration_info",
"parameters": [
{
"in": "query",
"name": "key",
"required": true,
"schema": {
"type": "string"
}
}
],
"responses": {
"200": {
"description": "successful operation",
@ -171,26 +181,26 @@
"RegistrationInfo": {
"type": "object",
"properties": {
"challenge": {
"type": "string"
},
"expiration": {
"type": "string",
"format": "date-time"
},
"node_id": {
"type": "string",
"format": "uuid"
},
"public_key": {
"nonce": {
"type": "string"
},
"server_dh_pub": {
"type": "string"
},
"timestamp": {
"type": "string",
"format": "date-time"
}
},
"required": [
"challenge",
"expiration",
"node_id",
"public_key"
"nonce",
"server_dh_pub",
"timestamp"
]
},
"User": {

View file

@ -11,13 +11,17 @@ chrono.workspace = true
clap.workspace = true
dropshot.workspace = true
ed25519-dalek.workspace = true
futures.workspace = true
hex.workspace = true
hkdf.workspace = true
http.workspace = true
instrumentation = { path = "../instrumentation" }
rand.workspace = true
schemars.workspace = true
serde.workspace = true
serde_json.workspace = true
serde_with.workspace = true
sha2.workspace = true
slog-async.workspace = true
slog.workspace = true
sqlx = { version = "0.8.3", default-features = false, features = [
@ -28,6 +32,7 @@ trace-request = { path = "../trace-request" }
tracing-slog.workspace = true
tracing.workspace = true
uuid.workspace = true
x25519-dalek.workspace = true
[package.metadata.cargo-machete]
ignored = ["http"]

View file

@ -1,11 +1,20 @@
use sqlx::postgres::PgPool;
use crate::node::NodeController;
pub struct ControllerContext {
pub pg_pool: PgPool,
// pub node_controller: Mutex<NodeController>,
pub node_controller: NodeController,
}
impl ControllerContext {
pub fn new(pg_pool: PgPool) -> ControllerContext {
ControllerContext { pg_pool }
// let node_controller = Mutex::new(NodeController::new(pg_pool.to_owned()));
let node_controller = NodeController::new(pg_pool.to_owned());
ControllerContext {
pg_pool,
node_controller,
}
}
}

View file

@ -1,45 +1,28 @@
use chrono::DateTime;
use dropshot::{endpoint, HttpError, HttpResponseOk, RequestContext};
use dropshot::{endpoint, HttpError, HttpResponseOk, Query, RequestContext};
use dropshot::{ApiDescription, ApiDescriptionRegisterError};
use rand::RngCore;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use serde_with::base64::Base64;
use serde_with::base64::Crypt;
use serde_with::serde_as;
use trace_request::trace_request;
use uuid::Uuid;
use x25519_dalek::PublicKey;
use std::sync::Arc;
use crate::context::ControllerContext;
use crate::node::controller::RegistrationInfo;
#[serde_as]
#[derive(Clone, Debug, Default, Deserialize, JsonSchema, Serialize)]
pub struct RegistrationParams {
#[serde_as(as = "serde_with::base64::Base64<serde_with::base64::UrlSafe>")]
#[schemars(with = "String")]
key: [u8; 32],
}
pub fn register_api(
api: &mut ApiDescription<Arc<ControllerContext>>,
) -> Result<(), ApiDescriptionRegisterError> {
api.register(get_registration_info)
// api.register(register_node)
}
#[serde_as]
#[derive(Deserialize, JsonSchema, Serialize)]
struct RegistrationInfo {
node_id: Uuid,
expiration: DateTime<chrono::Utc>,
// #[serde_as(as = "Base64<serde_with::base64::BinHex, serde_with::formats::Unpadded>")]
// #[serde_as(as = "Base64<serde_with::base64::UrlSafe, serde_with::formats::Unpadded>")]
#[serde_as(as = "serde_with::base64::Base64")]
// #[serde_as(as = "serde_with::hex::Hex<serde_with::formats::Uppercase>")]
#[schemars(with = "String")]
challenge: [u8; 60],
// #[serde_as(as = "serde_with::base64::Base64")]
#[serde_as(as = "serde_with::hex::Hex")]
// #[serde_as(as = "Base64<serde_with::base64::UrlSafe, serde_with::formats::Unpadded>")]
// #[serde_as(as = "serde_with::hex::Hex<serde_with::formats::Uppercase>")]
#[schemars(with = "String")]
public_key: [u8; 32],
}
/// Get registration info
@ -51,20 +34,10 @@ struct RegistrationInfo {
#[trace_request]
async fn get_registration_info(
rqctx: RequestContext<Arc<ControllerContext>>,
params: Query<RegistrationParams>,
) -> Result<HttpResponseOk<RegistrationInfo>, HttpError> {
tracing::debug!("Registration info");
let rng = &mut rand::rngs::OsRng;
let mut challenge = [0u8; 60];
rng.fill_bytes(&mut challenge);
let key = ed25519_dalek::SigningKey::generate(rng);
let info = RegistrationInfo {
node_id: Uuid::new_v4(),
expiration: chrono::Utc::now(),
challenge,
public_key: key.verifying_key().to_bytes(),
};
let key = PublicKey::from(params.into_inner().key);
tracing::debug!("Registration info for public key: {:?}", key);
let info = rqctx.context().node_controller.new_registration(&key);
Ok(HttpResponseOk(info))
}

View file

@ -0,0 +1,179 @@
use chrono::DateTime;
use ed25519_dalek::ed25519::signature::SignerMut;
use hkdf::Hkdf;
use rand::Rng;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use serde_with::serde_as;
use sha2::Sha256;
use sqlx::postgres::PgPool;
use uuid::Uuid;
use x25519_dalek::{PublicKey, StaticSecret};
use std::sync::{Arc, RwLock};
#[serde_as]
#[derive(Debug, Deserialize, JsonSchema, Serialize)]
pub struct RegistrationInfo {
node_id: Uuid,
challenge: Challenge,
#[serde_as(as = "serde_with::base64::Base64")]
#[schemars(with = "String")]
challenge_signature: [u8; 64],
}
#[serde_as]
#[derive(Debug, Deserialize, JsonSchema, Serialize)]
pub struct Challenge {
timestamp: DateTime<chrono::Utc>,
#[serde_as(as = "serde_with::base64::Base64")]
#[schemars(with = "String")]
nonce: [u8; 32],
#[serde_as(as = "serde_with::base64::Base64")]
#[schemars(with = "String")]
server_dh_pub: [u8; 32],
params: ArgonParams,
}
#[serde_as]
#[derive(Debug, Deserialize, JsonSchema, Serialize)]
struct ArgonParams {
iterations: u32,
memory_kb: u32,
threads: u32,
}
pub struct NodeController {
_pg_pool: PgPool,
signing_key: RwLock<Option<Arc<SecretKey>>>,
}
type SecretKey = [u8; 32];
type Nonce256 = [u8; 32];
trait SecretKeyExt {
fn derive_dh_secret(&self, nonce: &Nonce256) -> StaticSecret;
}
impl SecretKeyExt for SecretKey {
fn derive_dh_secret(&self, nonce: &Nonce256) -> StaticSecret {
let hk = Hkdf::<Sha256>::new(Some(nonce), self);
let mut out = [0u8; 32];
hk.expand(b"x25519-secret", &mut out).unwrap();
StaticSecret::from(out)
}
}
impl RegistrationInfo {
pub fn from(server_secret: &SecretKey, client_dh_public_key: &PublicKey) -> RegistrationInfo {
let mut rng = rand::thread_rng();
let nonce = rng.gen();
let server_dh_secret = server_secret.derive_dh_secret(&nonce);
let _shared_secret = server_dh_secret.diffie_hellman(client_dh_public_key);
let server_dh_public_key = PublicKey::from(&server_dh_secret);
let timestamp = chrono::Utc::now();
let params = ArgonParams {
iterations: 10,
memory_kb: 220 * 1024, // 220 MiB
threads: 4,
};
let challenge = Challenge {
timestamp,
nonce,
server_dh_pub: server_dh_public_key.to_bytes(),
params,
};
let challenge_json = serde_json::to_vec(&challenge).unwrap();
let mut sk = ed25519_dalek::SigningKey::from_bytes(server_secret);
let sig = sk.sign(challenge_json.as_slice());
let info = RegistrationInfo {
node_id: Uuid::new_v4(),
challenge,
challenge_signature: sig.to_bytes(),
};
tracing::debug!("Info: {:?}", info);
info
}
}
impl NodeController {
pub fn new(pg_pool: PgPool) -> NodeController {
NodeController {
_pg_pool: pg_pool,
signing_key: RwLock::new(None),
}
}
pub fn new_registration(&self, client_dh_public_key: &PublicKey) -> RegistrationInfo {
let server_secret = self.master_key();
RegistrationInfo::from(&server_secret, client_dh_public_key)
}
fn master_key(&self) -> Arc<SecretKey> {
self.signing_key
.write()
.unwrap()
.get_or_insert_with(|| {
tracing::debug!("Generating key");
Arc::new(rand::rngs::OsRng.gen())
})
.clone()
}
}
#[cfg(test)]
mod tests {
use super::*;
#[tokio::test]
async fn test_registration_info() {
let client_key: SecretKey = rand::rngs::OsRng.gen();
let server_key = rand::rngs::OsRng.gen();
let client_public_key = PublicKey::from(client_key);
let info = RegistrationInfo::from(&server_key, &client_public_key);
let info2 = RegistrationInfo::from(&server_key, &client_public_key);
// Randomness
assert_ne!(info.node_id, info2.node_id, "Node ID should be unique");
assert_ne!(
info.challenge.nonce, info2.challenge.nonce,
"Nonce should be unique"
);
assert_ne!(
info.challenge.server_dh_pub, info2.challenge.server_dh_pub,
"Server public key derived from nonce should be unique"
);
// Timestamp
let now = chrono::Utc::now();
assert!(
info.challenge.timestamp <= now,
"Timestamp is in the future"
);
assert!(
info.challenge.timestamp >= now - chrono::Duration::milliseconds(5),
"Timestamp is too old"
);
// Public key
let server_dh_secret = server_key.derive_dh_secret(&info.challenge.nonce);
let server_dh_public_key = PublicKey::from(&server_dh_secret).to_bytes();
assert_eq!(
info.challenge.server_dh_pub, server_dh_public_key,
"Server public key should be derived from nonce"
);
}
}

View file

@ -1,3 +1,5 @@
mod api;
mod controller;
pub use self::api::register_api;
pub(crate) use self::controller::NodeController;