---

ClientMessageVerifier.cc

/*
 * Copyright 2003 Michael A. Marsh, Cornell University. All rights reserved.
 * This software is released under the modified BSD license.
 * See the file LICENSE in the top-level directory for details.
 */
//
// $Id: ClientMessageVerifier.cc,v 1.4 2004/05/19 15:56:51 mmarsh Exp $
//
// $Log: ClientMessageVerifier.cc,v $
// Revision 1.4  2004/05/19 15:56:51  mmarsh
// *** empty log message ***
//
// Revision 1.3  2003/11/04 22:15:00  mmarsh
// General code cleanup and reorganization.  The signed ElGamal public key
// was moved to CODEX_Server, decoupling that package from CODEX_Client.
// Since CODEX_Server no longer knows about the cryptosystem used by
// the client, switching between cryptosystems is handled locally by
// CODEX_KeyService.
//
//

#include <assert.h>

#include "ClientMessageVerifier.h"
#include "ClientResponseEvent.h"
#include "ClientActivity.h"
#include "CODEX_Server/ServerState.h"
#include "StateInfo.h"
#include "CODEX_Server/ServerExceptions.h"
#include "Exceptions.h"

#include "timing.h"

using namespace CODEX_KeyService;

ClientMessageVerifier::ClientMessageVerifier(
   CODEX_Events::DeadPileType& deadPile,
   CODEX_Events::QType& eventQueue,
   ClientMessageHandler* destination ) :
   CODEX_Events::Activity(deadPile,eventQueue),
   m_destination( destination )
{
   assert( 0 != m_destination );
}

ClientMessageVerifier::~ClientMessageVerifier()
{
}

bool
ClientMessageVerifier::handler( CODEX_Events::CloseEvent& event )
{
   // We only consume close events.
   sendEvent( 0, event.source() );
   // The message handler doesn't terminate.  All of its predecessors
   // are ephemeral.
   return true;
}

bool
ClientMessageVerifier::handler( ClientMessageEvent< RequestKeyMsg >& event )
{
   // We should be able to handle this message here, and avoid any
   // further processing.
   const CODEX_Server::SignedAugmentedEGPublicKey& pkMsg =
      CODEX_Server::ServerState::instance()->signedEGKey();
   if ( pkMsg.initialized() )
   {
      ClientActivity* ca =
         StateInfo::instance()->getClient( event.source() );
      if ( 0 != ca )
      {
         typedef
            ClientResponseEvent< CODEX_Server::SignedAugmentedEGPublicKey >
            EvtType;
         EvtType* outEvt = new EvtType(this,ca,pkMsg);
         sendEvent( outEvt, event.source() );
         return true;
      }
   }
   sendEvent( 0, event.source() ); // just acknowledge
   return true;
}

bool
ClientMessageVerifier::handler(
   ClientMessageEvent< SignedCreateKeyMsg >& event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const CODEX_Ciphers::RSASignature& signature = event.message().signature();
   const CreateKeyMsg& request = event.message().message();

   BIGNUM * digest = 0;
   try
   {
      CODEX_Server::ServerState* serverState =
         CODEX_Server::ServerState::instance();
      const CODEX_Ciphers::HashFunction& hashFunc = serverState->hashFunc();

      StateInfo* stateInfo = StateInfo::instance();

      // Check if the name is already bound at this server.
      const KeyInfo* keyInfo =
         stateInfo->getKeyInfo( request.name().value() );
      if ( 0 != keyInfo )
      {
         // Is it the same binding?  Compare signatures on the requests.
         if ( signature != keyInfo->binding().request().signature() )
         {
            throw KeyExistsException( __FILE__ , __LINE__ );
         }
         // Has this request been serviced?  If so, just return the cached
         // response.
         if ( keyInfo->signature().initialized() )
         {
            ClientActivity* ca =
               stateInfo->getClient( event.source() );
            if ( 0 != ca )
            {
               typedef ClientResponseEvent< CODEX_Client::SignedBoundNameMsg >
                  EvtType;
               EvtType* outEvt =
                  new EvtType( this, ca, CODEX_Client::SignedBoundNameMsg(
                     keyInfo->binding(), keyInfo->signature() ) );
               sendEvent( outEvt, event.source() );
               // Don't sign another response.
#ifdef TIMING
               ActiveTimer.stop();
#endif
               return true;
            }
            // This is a duplicate, but we must allow it.
#ifdef TIMING
            ActiveTimer.stop();
#endif
            return false;
         }
      }

      // Check signature on client's certificate.
      EVP_PKEY* caKey = (EVP_PKEY*) serverState->caKey();
      if ( 0 == caKey )
      {
         throw CODEX_Server::PublicKeyNotFoundException( __FILE__ , __LINE__ );
      }
      X509 * ownerCert = (X509*) request.owner().value();
      if ( ! X509_verify( ownerCert, caKey ) )
      {
         throw CODEX_Server::CertificateNotFoundException( __FILE__ ,
                                                           __LINE__ );
      }

      // Check signature on message.
      CODEX_Ciphers::RSAPublicKey ownerKey( request.owner().value() );
      digest = request.digest( hashFunc );
      bool sigOK = ownerKey.verifySignature( signature, digest );
      BN_free( digest );
      digest = 0;
      if ( ! sigOK )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }

      // Check the signatures on the policies.
      // NOTE: Policies no longer need to be verified
//      if ( ! request.readP().verify( ownerKey, hashFunc ) )
//      {
//         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
//                                                                   __LINE__ );
//      }
//      if ( ! request.writeP().verify( ownerKey, hashFunc ) )
//      {
//         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
//                                                                   __LINE__ );
//      }

      // We have now seen a valid create_key request, and should _not_
      // respond to another.
      if ( 0 == keyInfo )
      {
         if ( ! stateInfo->addKeyName( request.name().value(),
                                       CODEX_Client::BoundNameMsg(
                                          request.name(),
                                          event.message() ) ) )
         {
            throw KeyExistsException( __FILE__ , __LINE__ );
         }
      }

      // Now we're done. Re-route the event to our successor.
      event.reRoute( m_destination );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false; // Event hasn't been fully handled yet.
   }
   catch ( CODEX_Exceptions::ExceptionBase& e )
   {
      e.report();
      if ( 0 != digest ) BN_free( digest );
      // send a NACK
      sendEvent( 0, event.source(), true );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free( digest );
      // send a NACK
      sendEvent( 0, event.source(), true );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
}

bool
ClientMessageVerifier::handler(
   ClientMessageEvent< SignedWriteKeyMsg >& event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const CODEX_Ciphers::RSASignature& signature = event.message().signature();
   const WriteKeyMsg& request = event.message().message();

   BIGNUM * digest = 0;
   try
   {
      CODEX_Server::ServerState* serverState =
         CODEX_Server::ServerState::instance();
      StateInfo* stateInfo = StateInfo::instance();
      const CODEX_Ciphers::HashFunction& hashFunc = serverState->hashFunc();

      // Check if the name is already bound at this server.
      const KeyInfo* keyInfo = stateInfo->getKeyInfo( request.name().value() );
      if ( 0 == keyInfo )
      {
         // Check the binding that was passed in.

         // Do the names match?
         if ( request.name().value() !=
              request.binding().message().name().value() )
         {
            throw NameMismatchException( __FILE__ , __LINE__ );
         }

         // Is the signature valid?
         const CODEX_Ciphers::RSAPublicKey& servKey =
            serverState->serviceKey();
         if ( ! servKey.initialized() )
         {
            throw CODEX_Server::PublicKeyNotFoundException( __FILE__ ,
                                                            __LINE__ );
         }
         const CODEX_Ciphers::RSASignature& bSig =
            request.binding().signature();
         digest = request.binding().message().digest( hashFunc );
         if ( ! servKey.verifySignature( bSig, digest ) )
         {
            throw
               CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
         }
         BN_free( digest );
         digest = 0;

         // Add the binding as if this server had participated in the
         // original transaction.
         if ( ! stateInfo->addKeyName( request.name().value(),
                                       request.binding() ) )
         {
            throw KeyExistsException( __FILE__ , __LINE__ );
         }
         // Now get the KeyInfo object.
         keyInfo = stateInfo->getKeyInfo( request.name().value() );
         if ( 0 == keyInfo )
         {
            throw KeyNotFoundException( __FILE__ , __LINE__ );
         }
      }
      else
      {
         // Check if the bindings match
         if ( ! keyInfo->signature().initialized() )
         {
            const CODEX_Ciphers::RSAPublicKey& servKey =
               serverState->serviceKey();
            if ( ! servKey.initialized() )
            {
               throw CODEX_Server::PublicKeyNotFoundException( __FILE__ ,
                                                               __LINE__ );
            }
            const CODEX_Ciphers::RSASignature& bSig =
               request.binding().signature();
            digest = request.binding().message().digest( hashFunc );
            if ( ! servKey.verifySignature( bSig, digest ) )
            {
               throw CODEX_Server::SignatureVerificationFailedException(
                  __FILE__ , __LINE__ );
            }
            BN_free( digest );
            digest = 0;
            digest = keyInfo->binding().digest( hashFunc );
            if ( servKey.verifySignature( bSig, digest ) )
            {
               // Add the signature for the binding
               if ( ! stateInfo->addKeySignature( request.name().value(),
                                                  bSig ) )
               {
                  throw KeyNotFoundException( __FILE__ , __LINE__ );
               }
            }
            else
            {
               // Replace the binding -- the old one was not approved
               if ( ! stateInfo->replaceKeyBinding( request.name().value(),
                                                    request.binding() ) )
               {
                  throw KeyNotFoundException( __FILE__ , __LINE__ );
               }
            }
            BN_free( digest );
            digest = 0;
         }
         else
         {
            // If the key already exists at this server and has a value set,
            // then fail.  This enforces write-once semantics in the absence
            // of an explicit clear operation.  It also results in failures
            // for multiple clients attempting to write values simultaneously,
            // rather than each thinking it has successfully written a value
            // for the key.
            if ( keyInfo->keyValue().initialized() )
            {
               if ( keyInfo->keyValue() != request.encryption() )
               {
                  throw KeyExistsException( __FILE__ , __LINE__ );
               }
            }
         }
      }

      // Check the client's credentials (which are signed).
      const CODEX_Ciphers::Policy& writeP =
         keyInfo->binding().request().message().writeP();
      if ( ! writeP.verify( request.credentials() ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }

      // Check signature on message.
      const CODEX_Ciphers::RSAPublicKey& clientKey =
         request.credentials().publicKey();
      digest = request.digest( hashFunc );
      if ( ! clientKey.verifySignature( signature, digest ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }
      BN_free( digest );
      digest = 0;

#ifndef ELGAMAL
      // Check the plaintext proof of knowledge certificate.
      const CODEX_Ciphers::RSAPublicKey& pubKey = serverState->serviceKey();
      if ( ! pubKey.initialized() )
      {
         throw CODEX_Server::PublicKeyNotFoundException( __FILE__ , __LINE__ );
      }
      if ( ! request.proof().verify( request.encryption().c1(),
                                     pubKey,
                                     request.credentials(),
                                     hashFunc ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }
#else
      // Check the validity of the signed encryption.
      //
      // The client's credentials provide its identity, which must have
      // been used to generate the Schnorr signature.  This provides a
      // plaintext-client binding.
      const CODEX_Ciphers::ElGamalPublicKey& pubEGKey =
         serverState->publicEGKey();
      if ( ! pubEGKey.initialized() )
      {
         throw CODEX_Server::PublicKeyNotFoundException( __FILE__ , __LINE__ );
      }
      if ( ! request.encryption().verify( pubEGKey.g(),
                                          pubEGKey.p(),
                                          request.credentials(),
                                          hashFunc ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }
#endif      

      // Everything is good.  Write the value now so that write-once
      // semantics can be enforced (in the absence of an explicit clearing
      // operation).
      if ( ! keyInfo->keyValue().initialized() )
      {
         if ( ! stateInfo->addKeyValue( request.name().value(),
                                        request.encryption() ) )
         {
            throw KeyNotFoundException( __FILE__ , __LINE__ );
         }
         // Now we're done. Re-route the event to our successor.
         event.reRoute( m_destination );
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false; // Event hasn't been fully handled yet.
      }
      else
      {
         if ( keyInfo->keyValue() != request.encryption() )
         {
            // Only write once.
#ifdef TIMING
            ActiveTimer.stop();
#endif
            return true;
         }
         // This is a duplicate request, but should still be approved.
         event.reRoute( m_destination );
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false; // Event hasn't been fully handled yet.
      }
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free( digest );
      // send a NACK
      sendEvent( 0, event.source(), true );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
}

bool
ClientMessageVerifier::handler( ClientMessageEvent< SignedReadKeyMsg >& event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const CODEX_Ciphers::RSASignature& signature = event.message().signature();
   const ReadKeyMsg& request = event.message().message();

   BIGNUM * digest = 0;
   try
   {
      CODEX_Server::ServerState* serverState =
         CODEX_Server::ServerState::instance();
      const CODEX_Ciphers::HashFunction& hashFunc = serverState->hashFunc();

      StateInfo* stateInfo = StateInfo::instance();

      // Check if the name is bound at this server.
      const KeyInfo* keyInfo =
         stateInfo->getKeyInfo( request.name().value() );
      if ( 0 != keyInfo )
      {
         // Check the client's credentials (which are signed).
         const CODEX_Ciphers::Policy& readP =
            keyInfo->binding().request().message().readP();
         if ( ! readP.verify( request.credentials() ) )
         {
            throw
               CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
         }
      }

      // Check signature on message, assuming the credentials are valid.
      const CODEX_Ciphers::RSAPublicKey& clientKey =
         request.credentials().publicKey();
      digest = request.digest( hashFunc );
      if ( ! clientKey.verifySignature( signature, digest ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }
      BN_free( digest );
      digest = 0;

#ifndef ELGAMAL
      // Check the plaintext proof of knowledge certificate.
      const CODEX_Ciphers::RSAPublicKey& pubKey = serverState->serviceKey();
      if ( ! pubKey.initialized() )
      {
         throw CODEX_Server::PublicKeyNotFoundException( __FILE__ , __LINE__ );
      }
      if ( ! request.proof().verify( request.blinding(),
                                     pubKey,
                                     request.credentials(),
                                     hashFunc ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }
#else
      // Check the validity of the signed encryption.
      //
      // The client's credentials provide its identity, which must have
      // been used to generate the Schnorr signature.  This provides a
      // plaintext-client binding.
      const CODEX_Ciphers::ElGamalPublicKey& pubEGKey =
         serverState->publicEGKey();
      if ( ! pubEGKey.initialized() )
      {
         throw CODEX_Server::PublicKeyNotFoundException( __FILE__ , __LINE__ );
      }
      if ( ! request.blinding().verify( pubEGKey.g(),
                                        pubEGKey.p(),
                                        request.credentials(),
                                        hashFunc ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }
#endif      

      // Now we're done. Re-route the event to our successor.
      event.reRoute( m_destination );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false; // Event hasn't been fully handled yet.
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free( digest );
      // send a NACK
      sendEvent( 0, event.source(), true );
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
}

---