ClientMessageSigner.cc

/*
 * Copyright 2003 Michael A. Marsh, Cornell University. All rights reserved.
 * This software is released under the modified BSD license.
 * See the file LICENSE in the top-level directory for details.
 */
//
// $Id: ClientMessageSigner.cc,v 1.4 2004/05/19 15:56:51 mmarsh Exp $
//
// $Log: ClientMessageSigner.cc,v $
// Revision 1.4  2004/05/19 15:56:51  mmarsh
// *** empty log message ***
//
// Revision 1.3  2003/11/04 22:15:00  mmarsh
// General code cleanup and reorganization.  The signed ElGamal public key
// was moved to CODEX_Server, decoupling that package from CODEX_Client.
// Since CODEX_Server no longer knows about the cryptosystem used by
// the client, switching between cryptosystems is handled locally by
// CODEX_KeyService.
//
//

#include "ClientMessageSigner.h"
#include "CODEX_Server/ServerResponseEvent.h"
#include "CODEX_Server/ServerState.h"
#include "StateInfo.h"
#include "ClientDelegation.h"
#include "CODEX_Exceptions/BignumExceptions.h"

#ifdef ELGAMAL
#include "CODEX_ThresholdCrypto/DLProof.h"
#endif

#include "timing.h"

using namespace CODEX_KeyService;

ClientMessageSigner::ClientMessageSigner(
   CODEX_Events::DeadPileType& deadPile,
   CODEX_Events::QType& eventQueue,
   CODEX_Server::ServerResponseHandler* destination ):
   CODEX_Events::Activity( deadPile, eventQueue ),
   m_destination( destination )
{
}

ClientMessageSigner::~ClientMessageSigner()
{
}

bool
ClientMessageSigner::handler( CODEX_Events::CloseEvent& event )
{
   // just acknowledge
   sendEvent( 0, event.source() );
   return true;
}

bool
ClientMessageSigner::handler( ClientMessageEvent< RequestKeyMsg >& event )
{
   cerr <<
      "Error -- undecorated events should not be sent to ClientMessageSigner"
        << endl;
   ::exit(1);
   return true;
}

bool
ClientMessageSigner::handler( ClientMessageEvent< SignedCreateKeyMsg >& event )
{
   cerr <<
      "Error -- undecorated events should not be sent to ClientMessageSigner"
        << endl;
   ::exit(1);
   return true;
}

bool
ClientMessageSigner::handler( ClientMessageEvent< SignedWriteKeyMsg >& event )
{
   cerr <<
      "Error -- undecorated events should not be sent to ClientMessageSigner"
        << endl;
   ::exit(1);
   return true;
}

bool
ClientMessageSigner::handler( ClientMessageEvent< SignedReadKeyMsg >& event )
{
   cerr <<
      "Error -- undecorated events should not be sent to ClientMessageSigner"
        << endl;
   ::exit(1);
   return true;
}

bool
ClientMessageSigner::handler(
   RoutedClientMessageEvent< SignedCreateKeyMsg >& event )
{
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      return false;
   }

#ifdef TIMING
   ActiveTimer.start();
#endif

   CODEX_Quorum::Message msg;
   BIGNUM * digest = event.message().digest( serverState->hashFunc() );
   bool retVal =
      process( digest, event.source(), event, msg, event.failed() );
   BN_free(digest);
   int serverNum = msg.buffer()[0];
   sendEvent( new CODEX_Server::ServerResponseEvent(
      this, m_destination, msg, serverNum ), 0 );
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return retVal;
}

bool
ClientMessageSigner::handler(
   RoutedClientMessageEvent< SignedWriteKeyMsg >& event )
{
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      return false;
   }

#ifdef TIMING
   ActiveTimer.start();
#endif
   CODEX_Quorum::Message msg;
   BIGNUM * digest = event.message().digest( serverState->hashFunc() );
   bool retVal =
      process( digest, event.source(), event, msg, event.failed() );
   BN_free(digest);
   int serverNum = msg.buffer()[0];

   if ( event.failed() )
   {
      sendEvent( new CODEX_Server::ServerResponseEvent(
         this, m_destination, msg, serverNum ), 0 );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return retVal;
   }

   sendEvent( new CODEX_Server::ServerResponseEvent(
      this, m_destination, msg, serverNum ), 0 );
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return retVal;
}

bool
ClientMessageSigner::handler(
   RoutedClientMessageEvent< LabeledReadKeyMsg >& event )
{
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      return false;
   }

   StateInfo* stateInfo = StateInfo::instance();
   if ( 0 == stateInfo )
   {
      return false;
   }

#ifdef TIMING
   ActiveTimer.start();
#endif

   StateInfo::LSType keyShares;
   try
   {
      unsigned int server =
         event.server()[0] & ~(CODEX_Server::ServerState::OutgoingMask);
      keyShares = stateInfo->decryptionShares( event.message().label(),
                                               server );
   }
   catch ( CODEX_Server::InvalidLabelException& )
   {
      CODEX_Quorum::Message fmsg;

      unsigned char* server =
         new unsigned char[CODEX_Server::ServerState::nSID];
      if ( 0 == server )
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false;
      }
      memcpy( server, event.server(), CODEX_Server::ServerState::nSID );
      // Make sure the "outgoing" mask isn't set.
      server[0] &= ~(CODEX_Server::ServerState::OutgoingMask);
      fmsg.fill( server, CODEX_Server::ServerState::nSID );

      fmsg.fill( event.seqNum(), CODEX_Server::ServerState::nMID );
      fmsg.fill( stateInfo->delegationDomain() );
      fmsg.fill( ClientDelegation::kBadShareLabel );
      const StateInfo::LSType::LabelType& label =
         stateInfo->defaultDecryptionLabel();
      int length = label.marshal(0);
      unsigned char* buffer = new unsigned char[length];
      unsigned char* pBuffer = buffer;
      label.marshal(&pBuffer);
      fmsg.fill( buffer, length );
      delete [] buffer;

      sendEvent( new CODEX_Server::ServerResponseEvent(
         this, m_destination, fmsg, server[0] ), 0 );
      delete [] server;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   catch ( CODEX_Server::KeySharesNotFoundException& )
   {
      sendEvent( 0, event.source(), true ); // NACK
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }      

   // Check if we have the (verified) key.
   const KeyInfo* kInfo =
      stateInfo->getKeyInfo( event.message().message().name().value() );
   if ( 0 == kInfo )
   {
      CODEX_Quorum::Message fmsg;

      unsigned char* server =
         new unsigned char[CODEX_Server::ServerState::nSID];
      if ( 0 == server )
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false;
      }
      memcpy( server, event.server(), CODEX_Server::ServerState::nSID );
      // Make sure the "outgoing" mask isn't set.
      server[0] &= ~(CODEX_Server::ServerState::OutgoingMask);
      fmsg.fill( server, CODEX_Server::ServerState::nSID );

      fmsg.fill( event.seqNum(), CODEX_Server::ServerState::nMID );
      fmsg.fill( stateInfo->delegationDomain() );
      fmsg.fill( ClientDelegation::kRejectClientRequest );
      sendEvent( new CODEX_Server::ServerResponseEvent(
         this, m_destination, fmsg, server[0] ), 0 );
      delete [] server;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   const CODEX_Client::RequestCipherTextType& k = kInfo->keyValue();
   if ( ! ( k.initialized() && kInfo->verified() ) )
   {
      CODEX_Quorum::Message fmsg;

      unsigned char* server =
         new unsigned char[CODEX_Server::ServerState::nSID];
      if ( 0 == server )
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false;
      }
      memcpy( server, event.server(), CODEX_Server::ServerState::nSID );
      // Make sure the "outgoing" mask isn't set.
      server[0] &= ~(CODEX_Server::ServerState::OutgoingMask);
      fmsg.fill( server, CODEX_Server::ServerState::nSID );

      fmsg.fill( event.seqNum(), CODEX_Server::ServerState::nMID );
      fmsg.fill( stateInfo->delegationDomain() );
      fmsg.fill( ClientDelegation::kRejectClientRequest );
      sendEvent( new CODEX_Server::ServerResponseEvent(
         this, m_destination, fmsg, server[0] ), 0 );
      delete [] server;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Now blind the ciphertext.
   const CODEX_ASN1::BigNumber& modulus =
#ifndef ELGAMAL
      serverState->serviceKey().n()
#else
      serverState->publicEGKey().p()
#endif
      ;

   CODEX_Client::BlindCipherTextType* blindCipher =
      k.blind( event.message().message().blinding(), modulus );

   CODEX_Quorum::Message msg;
   BIGNUM * digest = 0;
   unsigned char* buff = 0;
   CODEX_ASN1::ustring* str = 0;
   try
   {
      int length = event.message().SignedReadKeyMsg::marshal(0);
      length += blindCipher->marshal(0);
      buff = new unsigned char[ length ];
      unsigned char* pBuff = buff;
      event.message().SignedReadKeyMsg::marshal(&pBuff);
      blindCipher->marshal(&pBuff);
      str = serverState->hashFunc()( CODEX_ASN1::ustring(buff,length) );
      delete [] buff;
      buff = 0;
      digest = BN_new();
      if ( 0 == digest )
      {
         throw CODEX_Exceptions::BignumNullException( __FILE__ , __LINE__ );
      }
      if ( 0 == BN_bin2bn( str->data(), str->length(), digest ) )
      {
         throw CODEX_Exceptions::BignumBin2BNException( __FILE__ , __LINE__ );
      }

      delete str;
   }
   catch ( ... )
   {
      if ( 0 != buff ) delete [] buff;
      if ( 0 != str ) delete str;
      if ( 0 != digest ) BN_free( digest );
      if ( 0 != blindCipher ) delete blindCipher;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      throw;
   }

   bool retVal =
      process( digest, event.source(), event, msg, event.failed() );
   BN_free(digest);
   int serverNum = msg.buffer()[0];

   if ( event.failed() )
   {
      delete blindCipher;
      sendEvent( new CODEX_Server::ServerResponseEvent(
         this, m_destination, msg, serverNum ), 0 );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return retVal;
   }

   // Append the blinded ciphertext to the message.
   int length = blindCipher->marshal(0);
   unsigned char* buffer = new unsigned char[length];
   unsigned char* pBuffer = buffer;
   blindCipher->marshal(&pBuffer);
   msg.fill( buffer, length );
   delete [] buffer;

   // Now threshold decrypt the ciphertext.
   const StateInfo::ThresholdDecryptionType&
      thresholdDecryption = stateInfo->thresholdDecryption();
   StateInfo::ShareType decryptions;
   thresholdDecryption.decrypt( keyShares.share(), *blindCipher, decryptions );
   if ( ! decryptions.initialized() )
   {
      delete blindCipher;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return retVal;
   }

   // Append the partial decryptions to the message.
   length = decryptions.marshal(0);
   buffer = new unsigned char[length];
   pBuffer = buffer;
   decryptions.marshal(&pBuffer);
   msg.fill( buffer, length );
   delete [] buffer;

   // Calculate the discrete log proofs to demonstrate correctness
#ifdef ELGAMAL
   CODEX_Server::ServerState::ShareSetType ss;
   ss.addShare( keyShares.share() );
   const unsigned int numShares = StateInfo::ShareType::NumShares;
   for ( unsigned int i = 0 ; i < numShares ; ++i )
   {
      // Record whether there's a proof entry for this index.
      CODEX_ASN1::Integer ai( ss(i).initialized() ? 1 : 0 );
      length = ai.marshal(0);
      buffer = new unsigned char[length];
      pBuffer = buffer;
      ai.marshal(&pBuffer);
      msg.fill( buffer, length );
      delete [] buffer;

      if ( ss(i).initialized() )
      {
         CODEX_ThresholdCrypto::DLProof proof(
            blindCipher->c1().value(),
            serverState->publicEGKey().g().value(),
            serverState->publicEGKey().p().value(),
            serverState->publicEGKey().p1(),
            ss(i).value(),
            serverState->hashFunc() );

         length = proof.marshal(0);
         buffer = new unsigned char[length];
         pBuffer = buffer;
         proof.marshal(&pBuffer);
         msg.fill( buffer, length );
         delete [] buffer;
      }
   }
#endif

   delete blindCipher;

   // Send the resulting event.
   sendEvent( new CODEX_Server::ServerResponseEvent(
      this, m_destination, msg, serverNum ), 0 );
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return retVal;
}

bool
ClientMessageSigner::process( const BIGNUM* digest,
                              CODEX_Events::Activity* source,
                              const CODEX_Server::RoutingInfo& routingInfo,
                              CODEX_Quorum::Message& m,
                              bool failed )
{
   unsigned char* server = new unsigned char[CODEX_Server::ServerState::nSID];
   if ( 0 == server )
   {
      return false;
   }
   memcpy( server, routingInfo.server(), CODEX_Server::ServerState::nSID );
   // Make sure the "outgoing" mask isn't set.
   server[0] &= ~(CODEX_Server::ServerState::OutgoingMask);

   StateInfo* stateInfo = StateInfo::instance();
   if ( 0 == stateInfo )
   {
      sendEvent( 0, source, true ); // NACK
      return true;
   }

   // Fill message headers.
   m.fill( server, CODEX_Server::ServerState::nSID );
   delete [] server;
   m.fill( routingInfo.seqNum(), CODEX_Server::ServerState::nMID );
   m.fill( stateInfo->delegationDomain() );
   if ( failed )
   {
      m.fill( ClientDelegation::kRejectClientRequest );
      return true;
   }
   m.fill( ClientDelegation::kApproveClientRequest );

   // Sign the request.
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      sendEvent( 0, source, true ); // NACK
      return true;
   }
   const CODEX_Ciphers::RSAPrivateKey& key = serverState->privateKey();
   CODEX_Ciphers::RSASignature* signature = key.sign( digest );
   if ( 0 == signature )
   {
      sendEvent( 0, source, true ); // NACK
      return true;
   }
   int length = signature->marshal(0);
   unsigned char* buffer = new unsigned char[length];
   unsigned char* pBuffer = buffer;
   signature->marshal(&pBuffer);
   m.fill( buffer, length );
   delete [] buffer;
   delete signature;

   sendEvent( 0, source );
   return true;
}

---