Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F3514175
D6925.id23426.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
10 KB
Referenced Files
None
Subscribers
None
D6925.id23426.diff
View Options
diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
--- a/services/identity/src/main.rs
+++ b/services/identity/src/main.rs
@@ -10,6 +10,7 @@
mod interceptor;
mod keygen;
mod nonce;
+mod pake_grpc;
mod service;
mod token;
diff --git a/services/identity/src/pake_grpc.rs b/services/identity/src/pake_grpc.rs
new file mode 100644
--- /dev/null
+++ b/services/identity/src/pake_grpc.rs
@@ -0,0 +1,104 @@
+use comm_opaque::Cipher;
+use opaque_ke::CredentialFinalization;
+use opaque_ke::CredentialRequest;
+use opaque_ke::RegistrationRequest;
+use opaque_ke::RegistrationUpload;
+use opaque_ke::ServerLogin;
+use opaque_ke::ServerLoginFinishResult;
+use opaque_ke::ServerLoginStartParameters;
+use opaque_ke::ServerLoginStartResult;
+use opaque_ke::ServerRegistration;
+use opaque_ke::ServerRegistrationStartResult;
+use rand::rngs::OsRng;
+use tonic::Status;
+use tracing::error;
+
+use crate::config::CONFIG;
+
+/// This file is meant to expose the opaque_ke actions, but
+/// returning tonic::Status as the error type to reduce boilerplate
+/// around describing PAKE failures to grpc.
+
+pub fn server_registration_start(
+ pake_registration_request: &Vec<u8>,
+) -> Result<ServerRegistrationStartResult<Cipher>, Status> {
+ let registration_bytes = RegistrationRequest::deserialize(
+ &pake_registration_request[..],
+ )
+ .map_err(|e| {
+ error!("Unsuccessfully deserialized registration bytes: {}", e);
+ Status::invalid_argument("Invalid Registration response")
+ })?;
+ ServerRegistration::<Cipher>::start(
+ &mut OsRng,
+ registration_bytes,
+ CONFIG.server_keypair.public(),
+ )
+ .map_err(|e| {
+ error!("Unsuccessfully started PAKE server response: {}", e);
+ Status::aborted("server error")
+ })
+}
+
+pub fn server_registration_finish(
+ server_registration: ServerRegistration<Cipher>,
+ registration_upload_bytes: &Vec<u8>,
+) -> Result<ServerRegistration<Cipher>, Status> {
+ let upload_payload = RegistrationUpload::deserialize(
+ registration_upload_bytes,
+ )
+ .map_err(|e| {
+ error!("Failed to deserialize registration upload bytes: {}", e);
+ Status::invalid_argument("invalid registration")
+ })?;
+ server_registration.finish(upload_payload).map_err(|e| {
+ error!(
+ "Encountered a PAKE protocol error when finishing registration: {}",
+ e
+ );
+ Status::aborted("server error")
+ })
+}
+
+pub fn server_login_start(
+ server_registration: ServerRegistration<Cipher>,
+ pake_credential_request: &[u8],
+) -> Result<ServerLoginStartResult<Cipher>, Status> {
+ let credential_request =
+ CredentialRequest::deserialize(pake_credential_request).map_err(|e| {
+ error!("Failed to deserialize credential request: {}", e);
+ Status::invalid_argument("invalid message")
+ })?;
+ ServerLogin::start(
+ &mut OsRng,
+ server_registration,
+ CONFIG.server_keypair.private(),
+ credential_request,
+ ServerLoginStartParameters::default(),
+ )
+ .map_err(|e| {
+ error!(
+ "Encountered a PAKE protocol error when starting login: {}",
+ e
+ );
+ Status::aborted("server error")
+ })
+}
+pub fn server_login_finish(
+ server_login: ServerLogin<Cipher>,
+ pake_credential_finalization: &Vec<u8>,
+) -> Result<ServerLoginFinishResult<Cipher>, Status> {
+ let finalization_payload =
+ CredentialFinalization::deserialize(&pake_credential_finalization[..])
+ .map_err(|e| {
+ error!("Failed to deserialize credential finalization bytes: {}", e);
+ Status::invalid_argument("Could not deserialize login credentials")
+ })?;
+ server_login.finish(finalization_payload).map_err(|e| {
+ error!(
+ "Encountered a PAKE protocol error when finishing login: {}",
+ e
+ );
+ Status::aborted("server error")
+ })
+}
diff --git a/services/identity/src/service.rs b/services/identity/src/service.rs
--- a/services/identity/src/service.rs
+++ b/services/identity/src/service.rs
@@ -4,12 +4,7 @@
use comm_opaque::Cipher;
use constant_time_eq::constant_time_eq;
use futures_core::Stream;
-use opaque_ke::{
- CredentialFinalization, CredentialRequest,
- RegistrationRequest as PakeRegistrationRequest, ServerLogin,
- ServerLoginStartParameters,
-};
-use opaque_ke::{RegistrationUpload, ServerRegistration};
+use opaque_ke::{ServerLogin, ServerRegistration};
use rand::rngs::OsRng;
use rand::{CryptoRng, Rng};
use siwe::Message;
@@ -20,10 +15,10 @@
use tonic::{Request, Response, Status};
use tracing::{error, info, instrument};
-use crate::config::CONFIG;
use crate::constants::MPSC_CHANNEL_BUFFER_CAPACITY;
use crate::database::{DatabaseClient, Error as DBError};
use crate::nonce::generate_nonce_data;
+use crate::pake_grpc;
use crate::token::{AccessTokenData, AuthType};
pub use proto::identity_service_server::IdentityServiceServer;
@@ -436,37 +431,21 @@
}
Err(e) => return Err(handle_db_error(e)),
};
- let credential_request =
- CredentialRequest::deserialize(pake_credential_request).map_err(|e| {
- error!("Failed to deserialize credential request: {}", e);
- Status::invalid_argument("invalid message")
- })?;
- match ServerLogin::start(
- &mut OsRng,
+ let server_login_start_result = pake_grpc::server_login_start(
server_registration,
- CONFIG.server_keypair.private(),
- credential_request,
- ServerLoginStartParameters::default(),
- ) {
- Ok(server_login_start_result) => Ok(LoginResponseAndPakeState {
- response: PakeLoginResponseStruct {
- data: Some(PakeCredentialResponse(
- server_login_start_result.message.serialize().map_err(|e| {
- error!("Failed to serialize PAKE message: {}", e);
- Status::failed_precondition("internal error")
- })?,
- )),
- },
- pake_state: server_login_start_result.state,
- }),
- Err(e) => {
- error!(
- "Encountered a PAKE protocol error when starting login: {}",
- e
- );
- Err(Status::aborted("server error"))
- }
- }
+ pake_credential_request,
+ )?;
+ let credential_response =
+ server_login_start_result.message.serialize().map_err(|e| {
+ error!("Failed to serialize PAKE message: {}", e);
+ Status::failed_precondition("internal error")
+ })?;
+ Ok(LoginResponseAndPakeState {
+ response: PakeLoginResponseStruct {
+ data: Some(PakeCredentialResponse(credential_response)),
+ },
+ pake_state: server_login_start_result.state,
+ })
}
async fn pake_login_finish(
@@ -474,7 +453,7 @@
signing_public_key: &str,
client: &DatabaseClient,
server_login: ServerLogin<Cipher>,
- pake_credential_finalization: &[u8],
+ pake_credential_finalization: &Vec<u8>,
rng: &mut (impl Rng + CryptoRng),
pake_workflow: PakeWorkflow,
session_initialization_info: &HashMap<String, String>,
@@ -486,21 +465,8 @@
);
return Err(Status::aborted("user not found"));
}
- server_login
- .finish(
- CredentialFinalization::deserialize(pake_credential_finalization)
- .map_err(|e| {
- error!("Failed to deserialize credential finalization bytes: {}", e);
- Status::aborted("login failed")
- })?,
- )
- .map_err(|e| {
- error!(
- "Encountered a PAKE protocol error when finishing login: {}",
- e
- );
- Status::aborted("server error")
- })?;
+
+ pake_grpc::server_login_finish(server_login, pake_credential_finalization)?;
if matches!(pake_workflow, PakeWorkflow::Login) {
client
.update_users_table(
@@ -527,40 +493,26 @@
})
}
-async fn pake_registration_start(
- rng: &mut (impl Rng + CryptoRng),
- registration_request_bytes: &[u8],
+async fn server_register_response(
+ registration_request_bytes: &Vec<u8>,
) -> Result<RegistrationResponseAndPakeState, Status> {
- match ServerRegistration::<Cipher>::start(
- rng,
- PakeRegistrationRequest::deserialize(registration_request_bytes).unwrap(),
- CONFIG.server_keypair.public(),
- ) {
- Ok(server_registration_start_result) => {
- Ok(RegistrationResponseAndPakeState {
- response: RegistrationResponse {
- data: Some(PakeRegistrationResponse(
- server_registration_start_result.message.serialize(),
- )),
- },
- pake_state: server_registration_start_result.state,
- })
- }
- Err(e) => {
- error!(
- "Encountered a PAKE protocol error when starting registration: {}",
- e
- );
- Err(Status::aborted("server error"))
- }
- }
+ let server_registration_start_result =
+ pake_grpc::server_registration_start(registration_request_bytes)?;
+ Ok(RegistrationResponseAndPakeState {
+ response: RegistrationResponse {
+ data: Some(PakeRegistrationResponse(
+ server_registration_start_result.message.serialize(),
+ )),
+ },
+ pake_state: server_registration_start_result.state,
+ })
}
async fn pake_registration_finish(
user_id: &str,
client: &DatabaseClient,
- registration_upload_bytes: &[u8],
- server_registration: Option<ServerRegistration<Cipher>>,
+ registration_upload_bytes: &Vec<u8>,
+ server_registration: ServerRegistration<Cipher>,
username: &str,
signing_public_key: &str,
session_initialization_info: &HashMap<String, String>,
@@ -569,23 +521,11 @@
error!("Incomplete data: user ID not provided");
return Err(Status::aborted("user not found"));
}
- let server_registration_finish_result = server_registration
- .ok_or_else(|| Status::aborted("registration failed"))?
- .finish(
- RegistrationUpload::deserialize(registration_upload_bytes).map_err(
- |e| {
- error!("Failed to deserialize registration upload bytes: {}", e);
- Status::aborted("registration failed")
- },
- )?,
- )
- .map_err(|e| {
- error!(
- "Encountered a PAKE protocol error when finishing registration: {}",
- e
- );
- Status::aborted("server error")
- })?;
+ let server_registration_finish_result =
+ pake_grpc::server_registration_finish(
+ server_registration,
+ registration_upload_bytes,
+ )?;
match client
.add_user_to_users_table(
diff --git a/services/identity/src/service/registration.rs b/services/identity/src/service/registration.rs
--- a/services/identity/src/service/registration.rs
+++ b/services/identity/src/service/registration.rs
@@ -37,8 +37,7 @@
Err(e) => return Err(handle_db_error(e)),
_ => {}
};
- let response_and_state = pake_registration_start(
- &mut OsRng,
+ let response_and_state = server_register_response(
&pake_registration_request_and_user_id.pake_registration_request,
)
.await?;
@@ -81,7 +80,7 @@
client,
&pake_registration_upload_and_credential_request
.pake_registration_upload,
- Some(pake_state),
+ pake_state,
®istration_state.username,
®istration_state.signing_public_key,
®istration_state.session_initialization_info,
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Mon, Dec 23, 3:45 AM (16 h, 3 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2693418
Default Alt Text
D6925.id23426.diff (10 KB)
Attached To
Mode
D6925: [Identity] Refactor opaque_ke usage to dedicated file
Attached
Detach File
Event Timeline
Log In to Comment