Skip to content

Commit

Permalink
Add support for variable client cert serial size
Browse files Browse the repository at this point in the history
  • Loading branch information
Thomas Prévost committed Feb 9, 2024
1 parent 97b6212 commit 68d0661
Show file tree
Hide file tree
Showing 10 changed files with 83 additions and 79 deletions.
2 changes: 2 additions & 0 deletions .cargo/config.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[target.x86_64-pc-windows-msvc]
rustflags = ["-C", "target-feature=+crt-static"]
4 changes: 2 additions & 2 deletions src/config/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -132,10 +132,10 @@ mod tests {
assert_eq!(config.sae_configs.len(), 3);
assert_eq!(config.sae_configs[0].id, 1);
assert_eq!(config.sae_configs[0].kme_id, 1);
assert_eq!(config.sae_configs[0].https_client_certificate_serial, Some([0x70, 0xF4, 0x4F, 0x56, 0x0C, 0x3F, 0x27, 0xD4, 0xB2, 0x11, 0xA4, 0x78, 0x13, 0xAF, 0xD0, 0x3C, 0x03, 0x81, 0x3B, 0x8E]));
assert_eq!(config.sae_configs[0].https_client_certificate_serial, Some(vec![0x70, 0xF4, 0x4F, 0x56, 0x0C, 0x3F, 0x27, 0xD4, 0xB2, 0x11, 0xA4, 0x78, 0x13, 0xAF, 0xD0, 0x3C, 0x03, 0x81, 0x3B, 0x8E]));
assert_eq!(config.sae_configs[1].id, 2);
assert_eq!(config.sae_configs[1].kme_id, 1);
assert_eq!(config.sae_configs[1].https_client_certificate_serial, Some([0x70, 0xF4, 0x4F, 0x56, 0x0C, 0x3F, 0x27, 0xD4, 0xB2, 0x11, 0xA4, 0x78, 0x13, 0xAF, 0xD0, 0x3C, 0x03, 0x81, 0x3B, 0x92]));
assert_eq!(config.sae_configs[1].https_client_certificate_serial, Some(vec![0x70, 0xF4, 0x4F, 0x56, 0x0C, 0x3F, 0x27, 0xD4, 0xB2, 0x11, 0xA4, 0x78, 0x13, 0xAF, 0xD0, 0x3C, 0x03, 0x81, 0x3B, 0x92]));
assert_eq!(config.sae_configs[2].id, 3);
assert_eq!(config.sae_configs[2].kme_id, 2);
assert_eq!(config.sae_configs[2].https_client_certificate_serial, None);
Expand Down
9 changes: 4 additions & 5 deletions src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -48,9 +48,6 @@ pub const MAX_QKD_KEY_SAE_IDS: usize = 0; // We don't support key multicast yet
/// How many keys can be stored in the KME for a given SAE
pub const MAX_QKD_KEYS_PER_SAE: usize = 10;

/// The size of the client certificate serial number in bytes, constant
pub const CLIENT_CERT_SERIAL_SIZE_BYTES: usize = 20; // TODO change + no proxy + shannon entropy

/// Location of the SQLite database file used by the KME to store keys, use ":memory:" for in-memory database
pub const MEMORY_SQLITE_DB_PATH: &'static str = ":memory:";

Expand All @@ -75,7 +72,7 @@ pub type KmeId = i64;
pub type QkdEncKey = [u8; QKD_KEY_SIZE_BYTES];

/// Type for SAE certificate serial number
pub type SaeClientCertSerial = [u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
pub type SaeClientCertSerial = Vec<u8>;

#[cfg(test)]
mod test {
Expand All @@ -85,4 +82,6 @@ mod test {
assert_eq!(err.kind(), std::io::ErrorKind::Other);
assert_eq!(err.to_string(), "test");
}
}
}

// TODO shannon entropy
2 changes: 1 addition & 1 deletion src/qkd_manager/config_extractor.rs
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ mod tests {
let config = Config::from_json_path("tests/data/test_kme_config.json").unwrap();
let qkd_manager = ConfigExtractor::extract_config_to_qkd_manager(&config).unwrap();
assert_eq!(qkd_manager.kme_id, 1);
assert!(qkd_manager.get_qkd_key(2, &[0x70, 0xF4, 0x4F, 0x56, 0x0C, 0x3F, 0x27, 0xD4, 0xB2, 0x11, 0xA4, 0x78, 0x13, 0xAF, 0xD0, 0x3C, 0x03, 0x81, 0x3B, 0x8E]).await.is_ok());
assert!(qkd_manager.get_qkd_key(2, &vec![0x70, 0xF4, 0x4F, 0x56, 0x0C, 0x3F, 0x27, 0xD4, 0xB2, 0x11, 0xA4, 0x78, 0x13, 0xAF, 0xD0, 0x3C, 0x03, 0x81, 0x3B, 0x8E]).await.is_ok());
}

#[test]
Expand Down
60 changes: 31 additions & 29 deletions src/qkd_manager/key_handler.rs
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ impl KeyHandler {
QkdManagerResponse::Ko
})?;
if sae_certificate_serial.is_some() {
stmt.bind((3, sae_certificate_serial.unwrap().as_bytes())).map_err(|_| {
stmt.bind((3, sae_certificate_serial.as_ref().unwrap().as_bytes())).map_err(|_| {
QkdManagerResponse::Ko
})?;
}
Expand Down Expand Up @@ -628,7 +628,7 @@ impl KeyHandler {
Ok(QkdManagerResponse::SaeInfo(SAEInfo {
sae_id,
kme_id,
sae_certificate_serial: *sae_certificate,
sae_certificate_serial: sae_certificate.clone(),
}))
}
}
Expand All @@ -654,18 +654,20 @@ mod tests {
use crate::qkd_manager::http_response_obj::HttpResponseBody;
use crate::qkd_manager::QkdManagerResponse;

const CLIENT_CERT_SERIAL_SIZE_BYTES: usize = 20;

#[test]
fn test_get_sae_id_from_certificate() {
let (_, command_channel_rx) = crossbeam_channel::unbounded();
let (response_channel_tx, _) = crossbeam_channel::unbounded();
let key_handler = super::KeyHandler::new(":memory:", command_channel_rx, response_channel_tx, 1).unwrap();
let sae_id = 1;
let kme_id = 1;
let sae_certificate_serial = [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_certificate_serial)).unwrap();
let sae_certificate_serial = vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_certificate_serial.clone())).unwrap();
assert_eq!(key_handler.get_sae_id_from_certificate(&sae_certificate_serial).unwrap(), sae_id);

let fake_sae_certificate_serial = [1u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
let fake_sae_certificate_serial = vec![1u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
assert_eq!(key_handler.get_sae_id_from_certificate(&fake_sae_certificate_serial), None);
}

Expand All @@ -688,8 +690,8 @@ mod tests {
let (response_channel_tx, _) = crossbeam_channel::unbounded();
let key_handler = super::KeyHandler::new(":memory:", command_channel_rx, response_channel_tx, 1).unwrap();
let sae_id = 1;
let sae_certificate_serial = [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, 1, &Some(sae_certificate_serial)).unwrap();
let sae_certificate_serial = vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, 1, &Some(sae_certificate_serial.clone())).unwrap();
let qkd_manager_response = key_handler.get_sae_status(&sae_certificate_serial, sae_id).unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Status(_)));
let response_status = match qkd_manager_response {
Expand All @@ -711,7 +713,7 @@ mod tests {
let qkd_manager_response = key_handler.get_sae_status(&sae_certificate_serial, 2);
assert!(matches!(qkd_manager_response, Err(QkdManagerResponse::NotFound)));

key_handler.add_sae(2, 1, &Some([1u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
key_handler.add_sae(2, 1, &Some(vec![1u8; CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
let qkd_manager_response = key_handler.get_sae_status(&sae_certificate_serial, 2).unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Status(_)));
let response_status = match qkd_manager_response {
Expand Down Expand Up @@ -747,8 +749,8 @@ mod tests {
let key_handler = super::KeyHandler::new(":memory:", command_channel_rx, response_channel_tx, 1).unwrap();
let sae_id = 1;
let kme_id = 1;
let sae_certificate_serial = [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_certificate_serial)).unwrap();
let sae_certificate_serial = vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_certificate_serial.clone())).unwrap();
let qkd_manager_response = key_handler.get_sae_keys(&sae_certificate_serial, sae_id);
assert!(matches!(qkd_manager_response, Err(QkdManagerResponse::NotFound)));

Expand All @@ -771,7 +773,7 @@ mod tests {
let qkd_manager_response = key_handler.get_sae_keys(&sae_certificate_serial, 2);
assert!(matches!(qkd_manager_response, Err(QkdManagerResponse::NotFound)));

key_handler.add_sae(2, kme_id, &Some([1u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
key_handler.add_sae(2, kme_id, &Some(vec![1u8; CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
let qkd_manager_response = key_handler.get_sae_keys(&sae_certificate_serial, 2).unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Keys(_)));
let response_keys = match qkd_manager_response {
Expand Down Expand Up @@ -809,10 +811,10 @@ mod tests {
let key_handler = super::KeyHandler::new(":memory:", command_channel_rx, response_channel_tx, 1).unwrap();
let sae_id = 1;
let kme_id = 1;
let sae_1_certificate_serial = [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
let sae_2_certificate_serial = [1u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_1_certificate_serial)).unwrap();
key_handler.add_sae(2, kme_id, &Some(sae_2_certificate_serial)).unwrap();
let sae_1_certificate_serial = vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
let sae_2_certificate_serial = vec![1u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_1_certificate_serial.clone())).unwrap();
key_handler.add_sae(2, kme_id, &Some(sae_2_certificate_serial.clone())).unwrap();
let qkd_manager_response = key_handler.get_sae_keys_with_ids(&sae_1_certificate_serial, sae_id, vec!["00000000-0000-0000-0000-000000000000".to_string()]);
assert!(matches!(qkd_manager_response, Err(QkdManagerResponse::NotFound)));

Expand Down Expand Up @@ -854,7 +856,7 @@ mod tests {
let key_handler = super::KeyHandler::new(":memory:", command_channel_rx, response_channel_tx, 1).unwrap();
let sae_id = 1;
let kme_id = 1;
let sae_1_certificate_serial = [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
let sae_1_certificate_serial = vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
key_handler.add_sae(sae_id, kme_id, &Some(sae_1_certificate_serial)).unwrap();
let kme_id = key_handler.get_kme_id_from_sae_id(sae_id).unwrap();
assert_eq!(kme_id, 1);
Expand All @@ -870,16 +872,16 @@ mod tests {
let sae_id = 1;
let kme_id = 1;

let sae_info = key_handler.get_sae_infos_from_certificate(&[0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES]);
let sae_info = key_handler.get_sae_infos_from_certificate(&vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES]);
assert!(matches!(sae_info, Err(QkdManagerResponse::NotFound)));

key_handler.add_sae(sae_id, kme_id, &Some([0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
let sae_info = key_handler.get_sae_infos_from_certificate(&[0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES]).unwrap();
key_handler.add_sae(sae_id, kme_id, &Some(vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
let sae_info = key_handler.get_sae_infos_from_certificate(&vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES]).unwrap();
assert!(matches!(sae_info, QkdManagerResponse::SaeInfo(_)));
assert_eq!(sae_info, QkdManagerResponse::SaeInfo(super::SAEInfo {
sae_id,
kme_id,
sae_certificate_serial: [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES],
sae_certificate_serial: vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES],
}));
}

Expand All @@ -905,15 +907,15 @@ mod tests {
let mut key_handler = super::KeyHandler::new(":memory:", command_channel_rx, response_channel_tx, 1).unwrap();
let sae_id = 1;
let kme_id = 1;
let sae_certificate_serial = [0u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES];
let sae_certificate_serial = vec![0u8; CLIENT_CERT_SERIAL_SIZE_BYTES];
let _ = thread::spawn(move || {
key_handler.run();
});
command_tx.send(super::QkdManagerCommand::AddSae(sae_id, kme_id, Some(sae_certificate_serial))).unwrap();
command_tx.send(super::QkdManagerCommand::AddSae(sae_id, kme_id, Some(sae_certificate_serial.clone()))).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Ok));

command_tx.send(super::QkdManagerCommand::GetKeys(sae_certificate_serial, sae_id)).unwrap();
command_tx.send(super::QkdManagerCommand::GetKeys(sae_certificate_serial.clone(), sae_id)).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::NotFound));

Expand All @@ -927,23 +929,23 @@ mod tests {
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Ok));

command_tx.send(super::QkdManagerCommand::GetKeysWithIds(sae_certificate_serial, 1, vec!["00000000-0000-0000-0000-000000000000".to_string()])).unwrap();
command_tx.send(super::QkdManagerCommand::GetKeysWithIds(sae_certificate_serial.clone(), 1, vec!["00000000-0000-0000-0000-000000000000".to_string()])).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::NotFound));

command_tx.send(super::QkdManagerCommand::GetStatus(sae_certificate_serial, 2)).unwrap();
command_tx.send(super::QkdManagerCommand::GetStatus(sae_certificate_serial.clone(), 2)).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::NotFound));

command_tx.send(super::QkdManagerCommand::AddSae(2, kme_id, Some([1u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES]))).unwrap();
command_tx.send(super::QkdManagerCommand::AddSae(2, kme_id, Some(vec![1u8; CLIENT_CERT_SERIAL_SIZE_BYTES]))).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Ok));

command_tx.send(super::QkdManagerCommand::GetStatus(sae_certificate_serial, 2)).unwrap();
command_tx.send(super::QkdManagerCommand::GetStatus(sae_certificate_serial.clone(), 2)).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Status(_)));

command_tx.send(super::QkdManagerCommand::GetSaeInfoFromCertificate(sae_certificate_serial)).unwrap();
command_tx.send(super::QkdManagerCommand::GetSaeInfoFromCertificate(sae_certificate_serial.clone())).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::SaeInfo(_)));
assert_eq!(qkd_manager_response, QkdManagerResponse::SaeInfo(super::SAEInfo {
Expand All @@ -952,7 +954,7 @@ mod tests {
sae_certificate_serial,
}));

command_tx.send(super::QkdManagerCommand::GetSaeInfoFromCertificate([2u8; crate::CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
command_tx.send(super::QkdManagerCommand::GetSaeInfoFromCertificate(vec![2u8; CLIENT_CERT_SERIAL_SIZE_BYTES])).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::NotFound));

Expand Down
Loading

0 comments on commit 68d0661

Please sign in to comment.