github.com/Psiphon-Labs/psiphon-tunnel-core@v2.0.28+incompatible/psiphon/common/authPackage.go (about) 1 /* 2 * Copyright (c) 2016, Psiphon Inc. 3 * All rights reserved. 4 * 5 * This program is free software: you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License as published by 7 * the Free Software Foundation, either version 3 of the License, or 8 * (at your option) any later version. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package common 21 22 import ( 23 "bufio" 24 "bytes" 25 "compress/zlib" 26 "crypto" 27 "crypto/rand" 28 "crypto/rsa" 29 "crypto/sha256" 30 "crypto/x509" 31 "encoding/base64" 32 "encoding/json" 33 "io" 34 "io/ioutil" 35 "sync" 36 37 "github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/errors" 38 ) 39 40 // AuthenticatedDataPackage is a JSON record containing some Psiphon data 41 // payload, such as list of Psiphon server entries. As it may be downloaded 42 // from various sources, it is digitally signed so that the data may be 43 // authenticated. 44 type AuthenticatedDataPackage struct { 45 Data string `json:"data"` 46 SigningPublicKeyDigest []byte `json:"signingPublicKeyDigest"` 47 Signature []byte `json:"signature"` 48 } 49 50 // GenerateAuthenticatedDataPackageKeys generates a key pair 51 // be used to sign and verify AuthenticatedDataPackages. 52 func GenerateAuthenticatedDataPackageKeys() (string, string, error) { 53 54 rsaKey, err := rsa.GenerateKey(rand.Reader, 4096) 55 if err != nil { 56 return "", "", errors.Trace(err) 57 } 58 59 publicKeyBytes, err := x509.MarshalPKIXPublicKey(rsaKey.Public()) 60 if err != nil { 61 return "", "", errors.Trace(err) 62 } 63 64 privateKeyBytes := x509.MarshalPKCS1PrivateKey(rsaKey) 65 66 return base64.StdEncoding.EncodeToString(publicKeyBytes), 67 base64.StdEncoding.EncodeToString(privateKeyBytes), 68 nil 69 } 70 71 func sha256sum(data string) []byte { 72 digest := sha256.Sum256([]byte(data)) 73 return digest[:] 74 } 75 76 // WriteAuthenticatedDataPackage creates an AuthenticatedDataPackage 77 // containing the specified data and signed by the given key. The output 78 // conforms with the legacy format here: 79 // https://bitbucket.org/psiphon/psiphon-circumvention-system/src/c25d080f6827b141fe637050ce0d5bd0ae2e9db5/Automation/psi_ops_crypto_tools.py 80 func WriteAuthenticatedDataPackage( 81 data string, signingPublicKey, signingPrivateKey string) ([]byte, error) { 82 83 derEncodedPrivateKey, err := base64.StdEncoding.DecodeString(signingPrivateKey) 84 if err != nil { 85 return nil, errors.Trace(err) 86 } 87 rsaPrivateKey, err := x509.ParsePKCS1PrivateKey(derEncodedPrivateKey) 88 if err != nil { 89 return nil, errors.Trace(err) 90 } 91 92 signature, err := rsa.SignPKCS1v15( 93 rand.Reader, 94 rsaPrivateKey, 95 crypto.SHA256, 96 sha256sum(data)) 97 if err != nil { 98 return nil, errors.Trace(err) 99 } 100 101 packageJSON, err := json.Marshal( 102 &AuthenticatedDataPackage{ 103 Data: data, 104 SigningPublicKeyDigest: sha256sum(signingPublicKey), 105 Signature: signature, 106 }) 107 if err != nil { 108 return nil, errors.Trace(err) 109 } 110 111 return Compress(packageJSON), nil 112 } 113 114 // ReadAuthenticatedDataPackage extracts and verifies authenticated 115 // data from an AuthenticatedDataPackage. The package must have been 116 // signed with the given key. 117 // 118 // Set isCompressed to false to read packages that are not compressed. 119 func ReadAuthenticatedDataPackage( 120 dataPackage []byte, isCompressed bool, signingPublicKey string) (string, error) { 121 122 var packageJSON []byte 123 var err error 124 125 if isCompressed { 126 packageJSON, err = Decompress(dataPackage) 127 if err != nil { 128 return "", errors.Trace(err) 129 } 130 } else { 131 packageJSON = dataPackage 132 } 133 134 var authenticatedDataPackage *AuthenticatedDataPackage 135 err = json.Unmarshal(packageJSON, &authenticatedDataPackage) 136 if err != nil { 137 return "", errors.Trace(err) 138 } 139 140 derEncodedPublicKey, err := base64.StdEncoding.DecodeString(signingPublicKey) 141 if err != nil { 142 return "", errors.Trace(err) 143 } 144 publicKey, err := x509.ParsePKIXPublicKey(derEncodedPublicKey) 145 if err != nil { 146 return "", errors.Trace(err) 147 } 148 rsaPublicKey, ok := publicKey.(*rsa.PublicKey) 149 if !ok { 150 return "", errors.TraceNew("unexpected signing public key type") 151 } 152 153 if !bytes.Equal( 154 authenticatedDataPackage.SigningPublicKeyDigest, 155 sha256sum(signingPublicKey)) { 156 157 return "", errors.TraceNew("unexpected signing public key digest") 158 } 159 160 err = rsa.VerifyPKCS1v15( 161 rsaPublicKey, 162 crypto.SHA256, 163 sha256sum(authenticatedDataPackage.Data), 164 authenticatedDataPackage.Signature) 165 if err != nil { 166 return "", errors.Trace(err) 167 } 168 169 return authenticatedDataPackage.Data, nil 170 } 171 172 // NewAuthenticatedDataPackageReader extracts and verifies authenticated 173 // data from an AuthenticatedDataPackage stored in the specified file. The 174 // package must have been signed with the given key. 175 // NewAuthenticatedDataPackageReader does not load the entire package nor 176 // the entire data into memory. It streams the package while verifying, and 177 // returns an io.Reader that the caller may use to stream the authenticated 178 // data payload. 179 func NewAuthenticatedDataPackageReader( 180 dataPackage io.ReadSeeker, signingPublicKey string) (io.Reader, error) { 181 182 // The file is streamed in 2 passes. The first pass verifies the package 183 // signature. No payload data should be accepted/processed until the signature 184 // check is complete. The second pass repositions to the data payload and returns 185 // a reader the caller will use to stream the authenticated payload. 186 // 187 // Note: No exclusive file lock is held between passes, so it's possible to 188 // verify the data in one pass, and read different data in the second pass. 189 // For Psiphon's use cases, this will not happen in practise -- the packageFileName 190 // will not change while the returned io.Reader is used -- unless the client host 191 // is compromised; a compromised client host is outside of our threat model. 192 193 var payload io.Reader 194 195 for pass := 0; pass < 2; pass++ { 196 197 _, err := dataPackage.Seek(0, io.SeekStart) 198 if err != nil { 199 return nil, errors.Trace(err) 200 } 201 202 decompressor, err := zlib.NewReader(dataPackage) 203 if err != nil { 204 return nil, errors.Trace(err) 205 } 206 // TODO: need to Close decompressor to ensure zlib checksum is verified? 207 208 hash := sha256.New() 209 210 var jsonData io.Reader 211 var jsonSigningPublicKey []byte 212 var jsonSignature []byte 213 214 jsonReadBase64Value := func(value io.Reader) ([]byte, error) { 215 base64Value, err := ioutil.ReadAll(value) 216 if err != nil { 217 return nil, errors.Trace(err) 218 } 219 decodedValue, err := base64.StdEncoding.DecodeString(string(base64Value)) 220 if err != nil { 221 return nil, errors.Trace(err) 222 } 223 return decodedValue, nil 224 } 225 226 jsonHandler := func(key string, value io.Reader) (bool, error) { 227 switch key { 228 229 case "data": 230 if pass == 0 { 231 232 _, err := io.Copy(hash, value) 233 if err != nil { 234 return false, errors.Trace(err) 235 } 236 return true, nil 237 238 } else { // pass == 1 239 240 jsonData = value 241 242 // The JSON stream parser must halt at this position, 243 // leaving the reader to be returned to the caller positioned 244 // at the start of the data payload. 245 return false, nil 246 } 247 248 case "signingPublicKeyDigest": 249 jsonSigningPublicKey, err = jsonReadBase64Value(value) 250 if err != nil { 251 return false, errors.Trace(err) 252 } 253 return true, nil 254 255 case "signature": 256 jsonSignature, err = jsonReadBase64Value(value) 257 if err != nil { 258 return false, errors.Trace(err) 259 } 260 return true, nil 261 } 262 263 return false, errors.Tracef("unexpected key '%s'", key) 264 } 265 266 // Using a buffered reader to consume zlib output in batches 267 // yields a significant speed up in the BenchmarkAuthenticatedPackage. 268 jsonStreamer := &limitedJSONStreamer{ 269 reader: bufio.NewReader(decompressor), 270 handler: jsonHandler, 271 } 272 273 err = jsonStreamer.Stream() 274 if err != nil { 275 return nil, errors.Trace(err) 276 } 277 278 if pass == 0 { 279 280 if jsonSigningPublicKey == nil || jsonSignature == nil { 281 return nil, errors.TraceNew("missing expected field") 282 } 283 284 derEncodedPublicKey, err := base64.StdEncoding.DecodeString(signingPublicKey) 285 if err != nil { 286 return nil, errors.Trace(err) 287 } 288 publicKey, err := x509.ParsePKIXPublicKey(derEncodedPublicKey) 289 if err != nil { 290 return nil, errors.Trace(err) 291 } 292 rsaPublicKey, ok := publicKey.(*rsa.PublicKey) 293 if !ok { 294 return nil, errors.TraceNew("unexpected signing public key type") 295 } 296 297 if !bytes.Equal(jsonSigningPublicKey, sha256sum(signingPublicKey)) { 298 return nil, errors.TraceNew("unexpected signing public key digest") 299 } 300 301 err = rsa.VerifyPKCS1v15( 302 rsaPublicKey, 303 crypto.SHA256, 304 hash.Sum(nil), 305 jsonSignature) 306 if err != nil { 307 return nil, errors.Trace(err) 308 } 309 310 } else { // pass == 1 311 312 if jsonData == nil { 313 return nil, errors.TraceNew("missing expected field") 314 } 315 316 payload = jsonData 317 } 318 } 319 320 return payload, nil 321 } 322 323 // limitedJSONStreamer is a streaming JSON parser that supports just the 324 // JSON required for the AuthenticatedDataPackage format and expected data payloads. 325 // 326 // Unlike other common streaming JSON parsers, limitedJSONStreamer streams the JSON 327 // _values_, as the AuthenticatedDataPackage "data" value may be too large to fit into 328 // memory. 329 // 330 // limitedJSONStreamer is not intended for use outside of AuthenticatedDataPackage 331 // and supports only a small subset of JSON: one object with string values only, 332 // no escaped characters, no nested objects, no arrays, no numbers, etc. 333 // 334 // limitedJSONStreamer does support any JSON spec (http://www.json.org/) format 335 // for its limited subset. So, for example, any whitespace/formatting should be 336 // supported and the creator of AuthenticatedDataPackage should be able to use 337 // any valid JSON that results in a AuthenticatedDataPackage object. 338 // 339 // For each key/value pair, handler is invoked with the key name and a reader 340 // to stream the value. The handler _must_ read value to EOF (or return an error). 341 type limitedJSONStreamer struct { 342 reader io.Reader 343 handler func(key string, value io.Reader) (bool, error) 344 } 345 346 const ( 347 stateJSONSeekingObjectStart = iota 348 stateJSONSeekingKeyStart 349 stateJSONSeekingKeyEnd 350 stateJSONSeekingColon 351 stateJSONSeekingStringValueStart 352 stateJSONSeekingStringValueEnd 353 stateJSONSeekingNextPair 354 stateJSONObjectEnd 355 ) 356 357 func (streamer *limitedJSONStreamer) Stream() error { 358 359 // TODO: validate that strings are valid Unicode? 360 361 isWhitespace := func(b byte) bool { 362 return b == ' ' || b == '\t' || b == '\r' || b == '\n' 363 } 364 365 nextByte := make([]byte, 1) 366 keyBuffer := new(bytes.Buffer) 367 state := stateJSONSeekingObjectStart 368 369 for { 370 n, readErr := streamer.reader.Read(nextByte) 371 372 if n > 0 { 373 374 b := nextByte[0] 375 376 switch state { 377 378 case stateJSONSeekingObjectStart: 379 if b == '{' { 380 state = stateJSONSeekingKeyStart 381 } else if !isWhitespace(b) { 382 return errors.Tracef("unexpected character %#U while seeking object start", b) 383 } 384 385 case stateJSONSeekingKeyStart: 386 if b == '"' { 387 state = stateJSONSeekingKeyEnd 388 keyBuffer.Reset() 389 } else if !isWhitespace(b) { 390 return errors.Tracef("unexpected character %#U while seeking key start", b) 391 } 392 393 case stateJSONSeekingKeyEnd: 394 if b == '\\' { 395 return errors.TraceNew("unsupported escaped character") 396 } else if b == '"' { 397 state = stateJSONSeekingColon 398 } else { 399 keyBuffer.WriteByte(b) 400 } 401 402 case stateJSONSeekingColon: 403 if b == ':' { 404 state = stateJSONSeekingStringValueStart 405 } else if !isWhitespace(b) { 406 return errors.Tracef("unexpected character %#U while seeking colon", b) 407 } 408 409 case stateJSONSeekingStringValueStart: 410 if b == '"' { 411 state = stateJSONSeekingStringValueEnd 412 413 key := keyBuffer.String() 414 415 // Wrap the main reader in a reader that will read up to the end 416 // of the value and then EOF. The handler is expected to consume 417 // the full value, and then stream parsing will resume after the 418 // end of the value. 419 valueStreamer := &limitedJSONValueStreamer{ 420 reader: streamer.reader, 421 } 422 423 continueStreaming, err := streamer.handler(key, valueStreamer) 424 if err != nil { 425 return errors.Trace(err) 426 } 427 428 // The handler may request that streaming halt at this point; no 429 // further changes are made to streamer.reader, leaving the value 430 // exactly where the hander leaves it. 431 if !continueStreaming { 432 return nil 433 } 434 435 state = stateJSONSeekingNextPair 436 437 } else if !isWhitespace(b) { 438 return errors.Tracef("unexpected character %#U while seeking value start", b) 439 } 440 441 case stateJSONSeekingNextPair: 442 if b == ',' { 443 state = stateJSONSeekingKeyStart 444 } else if b == '}' { 445 state = stateJSONObjectEnd 446 } else if !isWhitespace(b) { 447 return errors.Tracef("unexpected character %#U while seeking next name/value pair", b) 448 } 449 450 case stateJSONObjectEnd: 451 if !isWhitespace(b) { 452 return errors.Tracef("unexpected character %#U after object end", b) 453 } 454 455 default: 456 return errors.TraceNew("unexpected state") 457 458 } 459 } 460 461 if readErr != nil { 462 if readErr == io.EOF { 463 if state != stateJSONObjectEnd { 464 return errors.TraceNew("unexpected EOF before object end") 465 } 466 return nil 467 } 468 return errors.Trace(readErr) 469 } 470 } 471 } 472 473 // limitedJSONValueStreamer wraps the limitedJSONStreamer reader 474 // with a reader that reads to the end of a string value and then 475 // terminates with EOF. 476 type limitedJSONValueStreamer struct { 477 mutex sync.Mutex 478 eof bool 479 reader io.Reader 480 } 481 482 // Read implements the io.Reader interface. 483 func (streamer *limitedJSONValueStreamer) Read(p []byte) (int, error) { 484 streamer.mutex.Lock() 485 defer streamer.mutex.Unlock() 486 487 if streamer.eof { 488 return 0, io.EOF 489 } 490 491 var i int 492 var err error 493 494 for i = 0; i < len(p); i++ { 495 496 var n int 497 n, err = streamer.reader.Read(p[i : i+1]) 498 499 // process n == 1 before handling err, in case err is io.EOF 500 if n == 1 { 501 if p[i] == '"' { 502 streamer.eof = true 503 err = io.EOF 504 } else if p[i] == '\\' { 505 if err == nil { 506 // Psiphon server list string values contain '\n', so support 507 // that required case. 508 n, err = streamer.reader.Read(p[i : i+1]) 509 if n == 1 && p[i] == 'n' { 510 p[i] = '\n' 511 } else { 512 err = errors.TraceNew("unsupported escaped character") 513 } 514 } 515 } 516 } 517 518 if err != nil { 519 break 520 } 521 } 522 523 return i, err 524 }