Page MenuHomePhabricator
Files F3512961

D6925.id23388.diff
No OneTemporary
Actions

D6925.id23388.diff
View Options

diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
--- a/services/identity/src/main.rs
+++ b/services/identity/src/main.rs
@@ -10,6 +10,7 @@
mod interceptor;
mod keygen;
mod nonce;
+mod pake_grpc;
mod service;
mod token;
diff --git a/services/identity/src/pake_grpc.rs b/services/identity/src/pake_grpc.rs
new file mode 100644
--- /dev/null
+++ b/services/identity/src/pake_grpc.rs
@@ -0,0 +1,102 @@
+use comm_opaque::Cipher;
+use opaque_ke::CredentialFinalization;
+use opaque_ke::CredentialRequest;
+use opaque_ke::RegistrationRequest;
+use opaque_ke::RegistrationUpload;
+use opaque_ke::ServerLogin;
+use opaque_ke::ServerLoginFinishResult;
+use opaque_ke::ServerLoginStartParameters;
+use opaque_ke::ServerLoginStartResult;
+use opaque_ke::ServerRegistration;
+use opaque_ke::ServerRegistrationStartResult;
+use rand::rngs::OsRng;
+use tonic::Status;
+use tracing::error;
+
+use crate::config::CONFIG;
+
+/// This file is meant to expose the opaque_ke actions, but
+/// returning tonic::Status as the error type to reduce boilerplate
+/// around describing PAKE failures to grpc.
+
+pub fn server_registration_start(
+ pake_registration_request: &Vec<u8>,
+) -> Result<ServerRegistrationStartResult<Cipher>, Status> {
+ let registration_bytes = RegistrationRequest::deserialize(
+ &pake_registration_request[..],
+ )
+ .map_err(|_| {
+ Status::invalid_argument("Unsuccessfully converted registration to bytes")
+ })?;
+ ServerRegistration::<Cipher>::start(
+ &mut OsRng,
+ registration_bytes,
+ CONFIG.server_keypair.public(),
+ )
+ .map_err(|_| {
+ Status::invalid_argument("Unsuccessfully started PAKE server response")
+ })
+}
+
+pub fn server_registration_finish(
+ server_registration: ServerRegistration<Cipher>,
+ registration_upload_bytes: &Vec<u8>,
+) -> Result<ServerRegistration<Cipher>, Status> {
+ let upload_payload = RegistrationUpload::deserialize(
+ registration_upload_bytes,
+ )
+ .map_err(|e| {
+ error!("Failed to deserialize registration upload bytes: {}", e);
+ Status::aborted("registration failed")
+ })?;
+ server_registration.finish(upload_payload).map_err(|e| {
+ error!(
+ "Encountered a PAKE protocol error when finishing registration: {}",
+ e
+ );
+ Status::aborted("server error")
+ })
+}
+
+pub fn server_login_start(
+ server_registration: ServerRegistration<Cipher>,
+ pake_credential_request: &[u8],
+) -> Result<ServerLoginStartResult<Cipher>, Status> {
+ let credential_request =
+ CredentialRequest::deserialize(pake_credential_request).map_err(|e| {
+ error!("Failed to deserialize credential request: {}", e);
+ Status::invalid_argument("invalid message")
+ })?;
+ ServerLogin::start(
+ &mut OsRng,
+ server_registration,
+ CONFIG.server_keypair.private(),
+ credential_request,
+ ServerLoginStartParameters::default(),
+ )
+ .map_err(|e| {
+ error!(
+ "Encountered a PAKE protocol error when starting login: {}",
+ e
+ );
+ Status::aborted("server error")
+ })
+}
+pub fn server_login_finish(
+ server_login: ServerLogin<Cipher>,
+ pake_credential_finalization: &Vec<u8>,
+) -> Result<ServerLoginFinishResult<Cipher>, Status> {
+ let finalization_payload =
+ CredentialFinalization::deserialize(&pake_credential_finalization[..])
+ .map_err(|e| {
+ error!("Failed to deserialize credential finalization bytes: {}", e);
+ Status::aborted("Could not deserialize login credentials")
+ })?;
+ server_login.finish(finalization_payload).map_err(|e| {
+ error!(
+ "Encountered a PAKE protocol error when finishing login: {}",
+ e
+ );
+ Status::aborted("server error")
+ })
+}
diff --git a/services/identity/src/service.rs b/services/identity/src/service.rs
--- a/services/identity/src/service.rs
+++ b/services/identity/src/service.rs
@@ -4,12 +4,7 @@
use comm_opaque::Cipher;
use constant_time_eq::constant_time_eq;
use futures_core::Stream;
-use opaque_ke::{
- CredentialFinalization, CredentialRequest,
- RegistrationRequest as PakeRegistrationRequest, ServerLogin,
- ServerLoginStartParameters,
-};
-use opaque_ke::{RegistrationUpload, ServerRegistration};
+use opaque_ke::{ServerLogin, ServerRegistration};
use rand::rngs::OsRng;
use rand::{CryptoRng, Rng};
use siwe::Message;
@@ -20,10 +15,10 @@
use tonic::{Request, Response, Status};
use tracing::{error, info, instrument};
-use crate::config::CONFIG;
use crate::constants::MPSC_CHANNEL_BUFFER_CAPACITY;
use crate::database::{DatabaseClient, Error as DBError};
use crate::nonce::generate_nonce_data;
+use crate::pake_grpc;
use crate::token::{AccessTokenData, AuthType};
pub use proto::identity_service_server::IdentityServiceServer;
@@ -436,37 +431,21 @@
}
Err(e) => return Err(handle_db_error(e)),
};
- let credential_request =
- CredentialRequest::deserialize(pake_credential_request).map_err(|e| {
- error!("Failed to deserialize credential request: {}", e);
- Status::invalid_argument("invalid message")
- })?;
- match ServerLogin::start(
- &mut OsRng,
+ let server_login_start_result = pake_grpc::server_login_start(
server_registration,
- CONFIG.server_keypair.private(),
- credential_request,
- ServerLoginStartParameters::default(),
- ) {
- Ok(server_login_start_result) => Ok(LoginResponseAndPakeState {
- response: PakeLoginResponseStruct {
- data: Some(PakeCredentialResponse(
- server_login_start_result.message.serialize().map_err(|e| {
- error!("Failed to serialize PAKE message: {}", e);
- Status::failed_precondition("internal error")
- })?,
- )),
- },
- pake_state: server_login_start_result.state,
- }),
- Err(e) => {
- error!(
- "Encountered a PAKE protocol error when starting login: {}",
- e
- );
- Err(Status::aborted("server error"))
- }
- }
+ pake_credential_request,
+ )?;
+ let credential_response =
+ server_login_start_result.message.serialize().map_err(|e| {
+ error!("Failed to serialize PAKE message: {}", e);
+ Status::failed_precondition("internal error")
+ })?;
+ Ok(LoginResponseAndPakeState {
+ response: PakeLoginResponseStruct {
+ data: Some(PakeCredentialResponse(credential_response)),
+ },
+ pake_state: server_login_start_result.state,
+ })
}
async fn pake_login_finish(
@@ -474,7 +453,7 @@
signing_public_key: &str,
client: &DatabaseClient,
server_login: ServerLogin<Cipher>,
- pake_credential_finalization: &[u8],
+ pake_credential_finalization: &Vec<u8>,
rng: &mut (impl Rng + CryptoRng),
pake_workflow: PakeWorkflow,
session_initialization_info: &HashMap<String, String>,
@@ -486,21 +465,8 @@
);
return Err(Status::aborted("user not found"));
}
- server_login
- .finish(
- CredentialFinalization::deserialize(pake_credential_finalization)
- .map_err(|e| {
- error!("Failed to deserialize credential finalization bytes: {}", e);
- Status::aborted("login failed")
- })?,
- )
- .map_err(|e| {
- error!(
- "Encountered a PAKE protocol error when finishing login: {}",
- e
- );
- Status::aborted("server error")
- })?;
+
+ pake_grpc::server_login_finish(server_login, pake_credential_finalization)?;
if matches!(pake_workflow, PakeWorkflow::Login) {
client
.update_users_table(
@@ -527,40 +493,26 @@
})
}
-async fn pake_registration_start(
- rng: &mut (impl Rng + CryptoRng),
- registration_request_bytes: &[u8],
+async fn server_register_response(
+ registration_request_bytes: &Vec<u8>,
) -> Result<RegistrationResponseAndPakeState, Status> {
- match ServerRegistration::<Cipher>::start(
- rng,
- PakeRegistrationRequest::deserialize(registration_request_bytes).unwrap(),
- CONFIG.server_keypair.public(),
- ) {
- Ok(server_registration_start_result) => {
- Ok(RegistrationResponseAndPakeState {
- response: RegistrationResponse {
- data: Some(PakeRegistrationResponse(
- server_registration_start_result.message.serialize(),
- )),
- },
- pake_state: server_registration_start_result.state,
- })
- }
- Err(e) => {
- error!(
- "Encountered a PAKE protocol error when starting registration: {}",
- e
- );
- Err(Status::aborted("server error"))
- }
- }
+ let server_registration_start_result =
+ pake_grpc::server_registration_start(registration_request_bytes)?;
+ Ok(RegistrationResponseAndPakeState {
+ response: RegistrationResponse {
+ data: Some(PakeRegistrationResponse(
+ server_registration_start_result.message.serialize(),
+ )),
+ },
+ pake_state: server_registration_start_result.state,
+ })
}
async fn pake_registration_finish(
user_id: &str,
client: &DatabaseClient,
- registration_upload_bytes: &[u8],
- server_registration: Option<ServerRegistration<Cipher>>,
+ registration_upload_bytes: &Vec<u8>,
+ server_registration: ServerRegistration<Cipher>,
username: &str,
signing_public_key: &str,
session_initialization_info: &HashMap<String, String>,
@@ -569,23 +521,11 @@
error!("Incomplete data: user ID not provided");
return Err(Status::aborted("user not found"));
}
- let server_registration_finish_result = server_registration
- .ok_or_else(|| Status::aborted("registration failed"))?
- .finish(
- RegistrationUpload::deserialize(registration_upload_bytes).map_err(
- |e| {
- error!("Failed to deserialize registration upload bytes: {}", e);
- Status::aborted("registration failed")
- },
- )?,
- )
- .map_err(|e| {
- error!(
- "Encountered a PAKE protocol error when finishing registration: {}",
- e
- );
- Status::aborted("server error")
- })?;
+ let server_registration_finish_result =
+ pake_grpc::server_registration_finish(
+ server_registration,
+ registration_upload_bytes,
+ )?;
match client
.add_user_to_users_table(
diff --git a/services/identity/src/service/registration.rs b/services/identity/src/service/registration.rs
--- a/services/identity/src/service/registration.rs
+++ b/services/identity/src/service/registration.rs
@@ -37,8 +37,7 @@
Err(e) => return Err(handle_db_error(e)),
_ => {}
};
- let response_and_state = pake_registration_start(
- &mut OsRng,
+ let response_and_state = server_register_response(
&pake_registration_request_and_user_id.pake_registration_request,
)
.await?;
@@ -81,7 +80,7 @@
client,
&pake_registration_upload_and_credential_request
.pake_registration_upload,
- Some(pake_state),
+ pake_state,
&registration_state.username,
&registration_state.signing_public_key,
&registration_state.session_initialization_info,

File Metadata

Mime Type
text/plain
Expires
Sun, Dec 22, 9:20 PM (18 h, 30 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2692676
Default Alt Text
D6925.id23388.diff (10 KB)

Event Timeline