Commit 85635921 authored by Renato Figueiro Maia's avatar Renato Figueiro Maia
Browse files

[OPENBUS-2361] Impedir o registro de certificados de login com chave de...

[OPENBUS-2361] Impedir o registro de certificados de login com chave de tamanho diferente de 256 bytes (2048 bits)



git-svn-id: https://subversion.tecgraf.puc-rio.br/engdist/openbus/core/branches/02_00_00@144445 ae0415b3-e90b-0410-900d-d0be9363c56b
parent 16965011
......@@ -69,11 +69,24 @@ local CertificateRegistryType = mngtyp.CertificateRegistry
local msg = require "openbus.core.services.messages"
local Logins = require "openbus.core.services.LoginDB"
local MaxEncryptedData = strrep("\255", EncryptedBlockSize-11)
------------------------------------------------------------------------------
-- Faceta CertificateRegistry
------------------------------------------------------------------------------
local function getkeyerror(key)
local result, errmsg = key:encrypt(MaxEncryptedData)
if result == nil then
return msg.UnableToEncryptWithKey:tag{error=errmsg}
end
if #result ~= EncryptedBlockSize then
return msg.WrongKeySize:tag{actual=#result,expected=EncryptedBlockSize}
end
end
local CertificateRegistry = { __type = CertificateRegistryType }
-- local operations
......@@ -110,6 +123,10 @@ function CertificateRegistry:registerCertificate(entity, certificate)
if not pubkey then
InvalidCertificate{entity=entity,message=errmsg}
end
errmsg = getkeyerror(pubkey)
if errmsg ~= nil then
InvalidCertificate{entity=entity,message=errmsg}
end
log:admin(msg.RegisterEntityCertificate:tag{entity=entity})
assert(self.certificateDB:setentry(entity, certificate))
end
......@@ -151,15 +168,14 @@ local function renewLogin(self, login)
login.deadline = time() + self.leaseTime + self.expirationGap
end
local MaxEncryptedData = strrep("\255", EncryptedBlockSize-11)
local function checkkey(pubkey)
local function checkaccesskey(pubkey)
local result, errmsg = decodepublickey(pubkey)
if result == nil then
InvalidPublicKey{message=msg.UnableToDecodeKey:tag{error=errmsg}}
end
result, errmsg = result:encrypt(MaxEncryptedData)
if result == nil then
InvalidPublicKey{message=msg.UnableToEncryptWithKey:tag{error=errmsg}}
errmsg = getkeyerror(result)
if errmsg ~= nil then
InvalidPublicKey{message=errmsg}
end
end
......@@ -175,7 +191,7 @@ end
function LoginProcess:login(pubkey, encrypted)
self:cancel()
checkkey(pubkey)
checkaccesskey(pubkey)
local entity = self.entity
local manager = self.manager
local access = manager.access
......@@ -320,7 +336,7 @@ end
function AccessControl:loginByPassword(entity, pubkey, encrypted)
if entity ~= self.login.entity then
checkkey(pubkey)
checkaccesskey(pubkey)
local decrypted, errmsg = self.access.prvkey:decrypt(encrypted)
if decrypted == nil then
WrongEncoding{entity=entity,message=errmsg or "no error message"}
......
......@@ -33,6 +33,7 @@ local ac = bus.AccessControl
local prvkey = newkey(EncryptedBlockSize)
local pubkey = prvkey:encode("public")
local shortkey = newkey(EncryptedBlockSize-1):encode("public")
local longkey = newkey(EncryptedBlockSize+1):encode("public")
local otherkey = newkey(EncryptedBlockSize)
-- login by password -----------------------------------------------------------
......@@ -83,6 +84,14 @@ do -- login with key too short
assert(ex._repid == logintypes.InvalidPublicKey)
end
do -- login with key too long
local pubkey = longkey
local encrypted = encodeLogin(bus.key, password, pubkey)
local ok, ex = pcall(ac.loginByPassword, ac, user, pubkey, encrypted)
assert(ok == false)
assert(ex._repid == logintypes.InvalidPublicKey)
end
do -- login successfull
local encrypted = encodeLogin(bus.key, password, pubkey)
local login, lease = ac:loginByPassword(user, pubkey, encrypted)
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment