Merge pull request #54 from nasa/KMCCryptographicInterfaceImplementation

Kmc cryptographic interface implementation
nasa · Jan 12, 2022 · c922caf · c922caf
2 parents a8a6ec2 + 543a36d
commit c922caf
Show file tree

Hide file tree

Showing 18 changed files with 2,417 additions and 74 deletions.
diff --git a/include/crypto.h b/include/crypto.h
@@ -82,8 +82,9 @@ Note:               MySQL server MUST be configured for encrypted connections:
  *                  https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
 ==========================================================*/
 extern int32_t Crypto_Config_MariaDB(char* mysql_username, char* mysql_password, char* mysql_hostname, char* mysql_database, uint16_t mysql_port, uint8_t encrypted_connection, char* ssl_cert, char* ssl_key, char* ssl_ca, char* ssl_capath);
-extern int32_t Crypto_Config_Kmc_Crypto_Service(char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *mtls_cert_path,
-                                                char *mtls_key_path, uint8_t ignore_ssl_hostname_validation);
+extern int32_t Crypto_Config_Kmc_Crypto_Service(char *protocol, char *kmc_crypto_hostname, uint16_t kmc_crypto_port, char *kmc_crypto_app_uri, char *mtls_client_cert_path, char *mtls_client_cert_type,
+                                                char *mtls_client_key_path,char *mtls_client_key_pass, char *mtls_ca_bundle, char *mtls_ca_path,
+                                                char *mtls_issuer_cert, uint8_t ignore_ssl_hostname_validation);
 extern int32_t Crypto_Config_Add_Gvcid_Managed_Parameter(uint8_t tfvn, uint16_t scid, uint8_t vcid, uint8_t has_fecf,
                                                          uint8_t has_segmentation_hdr);
 

diff --git a/include/crypto_config_structs.h b/include/crypto_config_structs.h
@@ -151,14 +151,21 @@ typedef struct
 #define SADB_MARIADB_CONFIG_SIZE (sizeof(SadbMariaDBConfig_t))
 
 /*
-** SaDB MariaDB Configuration Block
+** KMC Cryptography Service Configuration Block
 */
 typedef struct
 {
-    char *kmc_crypto_hostname;
+    char* kmc_crypto_hostname;
+    char* protocol;
     uint16_t kmc_crypto_port;
-    char *mtls_cert_path;
-    char *mtls_key_path;
+    char* kmc_crypto_app_uri;
+    char* mtls_client_cert_path;
+    char* mtls_client_cert_type; // default "PEM", supports "P12" and "DER"
+    char* mtls_client_key_path;
+    char* mtls_client_key_pass;
+    char* mtls_ca_bundle;
+    char* mtls_ca_path;
+    char* mtls_issuer_cert;
     uint8_t ignore_ssl_hostname_validation;
 
 } CryptographyKmcCryptoServiceConfig_t;

diff --git a/include/crypto_error.h b/include/crypto_error.h
@@ -31,9 +31,18 @@
 #define SADB_INSERT_FAILED 303
 
 #define CRYPTOGRAPHY_INVALID_CRYPTO_INTERFACE_TYPE  400
-#define CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE 401
-#define CRYPTOGRAPHY_UNSUPPORTED_OPERATION_FOR_KEY_RING 402
-#define CRYPTOGRAPHY_LIBRARY_INITIALIZIATION_ERROR 403
+#define CRYPTOGRAPHY_UNSUPPORTED_OPERATION_FOR_KEY_RING 401
+#define CRYPTOGRAPHY_LIBRARY_INITIALIZIATION_ERROR 402
+
+#define CRYPTOGRAPHY_KMC_CRYPTO_SERVICE_CONFIGURATION_NOT_COMPLETE 501
+#define CRYPTOGRAPHY_KMC_CURL_INITIALIZATION_FAILURE 502
+#define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_CONNECTION_ERROR 503
+#define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_AEAD_ENCRYPT_ERROR 504
+#define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_AEAD_DECRYPT_ERROR 505
+#define CRYPTOGRAHPY_KMC_CRYPTO_JSON_PARSE_ERROR 506
+#define CRYPTOGRAHPY_KMC_CIPHER_TEXT_NOT_FOUND_IN_JSON_RESPONSE 507
+#define CRYPTOGRAHPY_KMC_CRYPTO_SERVICE_GENERIC_FAILURE 508
+
 
 #define CRYPTO_LIB_SUCCESS (0)
 #define CRYPTO_LIB_ERROR (-1)

diff --git a/include/crypto_structs.h b/include/crypto_structs.h
@@ -54,8 +54,9 @@ typedef struct
     // Status
     uint16_t spi;  // Security Parameter Index
     uint16_t ekid; // Encryption Key ID  (Used with numerically indexed keystores, EG inmemory keyring)
-    char*    ek_ref; // Encryption Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto)
     uint16_t akid; // Authentication Key ID
+    char*    ek_ref; // Encryption Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto)
+    char*    ak_ref; // Authentication Key Reference (Used with string-referenced keystores,EG-PKCS12 keystores, KMC crypto)
     uint8_t sa_state : 2;
     crypto_gvcid_t gvcid_tc_blk;
     crypto_gvcid_t gvcid_tm_blk[NUM_GVCID];

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -54,6 +54,14 @@ else() #standalone build
     add_library(Crypto SHARED ${LIB_SRC_FILES})
 endif()
 
+if(LIBGCRYPT)
+    target_link_libraries(Crypto gcrypt)
+endif()
+
+if(KMCCRYPTO)
+    target_link_libraries(Crypto curl)
+endif()
+
 if(MYSQL)
     execute_process(COMMAND mysql_config --cflags
             OUTPUT_VARIABLE MYSQL_CFLAGS OUTPUT_STRIP_TRAILING_WHITESPACE)
@@ -64,8 +72,6 @@ if(MYSQL)
     target_link_libraries(Crypto ${MYSQL_LIBS})
 endif()
 
-# Add libgcrypt
-target_link_libraries(Crypto gcrypt)
 
 #Include cmake install module - todo
 #include(GNUInstallDirs)

diff --git a/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql b/src/crypto_sadb/sadb_mariadb_admin_scripts/create_sadb.sql
@@ -7,8 +7,8 @@ USE sadb;
 CREATE TABLE security_associations
 (
   spi INT NOT NULL
-  ,ekid MEDIUMINT NOT NULL DEFAULT spi
-  ,akid MEDIUMINT NOT NULL DEFAULT spi
+  ,ekid VARCHAR(20) CHARACTER SET utf8 NOT NULL DEFAULT '0' -- 'EG, for KMC Crypto KeyRef, 'kmc/test/KEY0', for libgcrypt '130'
+  ,akid VARCHAR(20) CHARACTER SET utf8 NOT NULL DEFAULT '0' -- Same as ekid
   ,sa_state SMALLINT NOT NULL DEFAULT 0
   ,tfvn TINYINT NOT NULL
   ,scid SMALLINT NOT NULL
@@ -21,8 +21,8 @@ CREATE TABLE security_associations
   ,shsnf_len SMALLINT NOT NULL DEFAULT 0
   ,shplf_len SMALLINT NOT NULL DEFAULT 0
   ,stmacf_len SMALLINT NOT NULL DEFAULT 0
-  ,ecs_len SMALLINT
-  ,ecs VARBINARY(4) NOT NULL DEFAULT X'00000000' -- ECS_SIZE=4
+  ,ecs_len SMALLINT NOT NULL DEFAULT 1
+  ,ecs VARBINARY(4) NOT NULL DEFAULT X'01' -- ECS_SIZE=4
   ,iv_len SMALLINT NOT NULL DEFAULT 12
   ,iv VARBINARY(20) NOT NULL DEFAULT X'000000000000000000000000' -- IV_SIZE=12
   ,acs_len SMALLINT NOT NULL DEFAULT 0

diff --git a/...rypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql b/...rypto_sadb/sadb_mariadb_admin_scripts/create_sadb_jpl_unit_test_security_associations.sql
@@ -1,21 +1,17 @@
 USE sadb;
 
--- SA 1 - CLEAR MODE
-INSERT INTO security_associations (spi,sa_state,est,ast,arc_len,arc,arcw_len,arcw,tfvn,scid,vcid,mapid)
-VALUES (1,0,0,0,1,X'0000000000000000000000000000000000000000',1,5,0,44,1,0);
+-- SA 1 - OPERATIONAL; ENC + AUTH - ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-0
+INSERT INTO security_associations (spi,ekid,sa_state,ecs,est,ast,shivf_len,stmacf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (1,'kmc/test/key130',3,X'01',1,1,12,16,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,0,0);
 
--- SA 2 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-0
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (2,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,0,0);
+-- SA 2 - OPERATIONAL; ENC + AUTH - ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-1
+INSERT INTO security_associations (spi,ekid,sa_state,ecs,est,ast,shivf_len,stmacf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (2,'kmc/test/key130',3,X'01',1,1,12,16,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,1,0);
 
--- SA 3 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-1
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (3,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,1,0);
+-- SA 3 - OPERATIONAL; ENC Only - ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-2
+INSERT INTO security_associations (spi,ekid,sa_state,ecs,est,ast,shivf_len,stmacf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (3,'kmc/test/key130',3,X'01',1,0,12,0,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,2,0);
 
--- SA 4 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-2
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (4,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,2,0);
-
--- SA 5 - OPERATIONAL;  ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-3
-INSERT INTO security_associations (spi,ekid,sa_state,est,ast,shivf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
-VALUES (4,130,3,1,0,12,X'000000000000000000000001',19,X'00000000000000000000000000000000000000',1,5,0,0,44,3,0);
+-- SA 4 - OPERATIONAL; AUTH Only - ARCW:5; AES-GCM; IV:00...01; IV-len:12; MAC-len:16; Key-ID: 130, SCID 44, VC-3
+INSERT INTO security_associations (spi,ekid,sa_state,ecs,est,ast,shivf_len,stmacf_len,iv,abm_len,abm,arcw_len,arcw,arc_len,tfvn,scid,vcid,mapid)
+VALUES (4,'kmc/test/key130',3,X'01',0,1,12,16,X'000000000000000000000001',1024,X'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',1,5,0,0,44,3,0);