[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - common/Crypto.cpp common/Crypto.hpp configure.ac Makefile.am tools/Config.cpp
Michael Meeks
michael.meeks at collabora.com
Tue Oct 3 19:52:44 UTC 2017
Makefile.am | 5 +
common/Crypto.cpp | 141 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
common/Crypto.hpp | 37 ++++++++++++++
configure.ac | 9 +++
tools/Config.cpp | 61 +++++++++++++++++++----
5 files changed, 242 insertions(+), 11 deletions(-)
New commits:
commit 56385cb8ac2a57af4eb70bc8bc7313a9299533c3
Author: Michael Meeks <michael.meeks at collabora.com>
Date: Fri Jul 21 15:33:19 2017 +0100
Support key logic and verification.
Change-Id: Ie55150b99df3e80239236571af185502196ad3e9
Reviewed-on: https://gerrit.libreoffice.org/43097
Reviewed-by: Jan Holesovsky <kendy at collabora.com>
Tested-by: Jan Holesovsky <kendy at collabora.com>
diff --git a/Makefile.am b/Makefile.am
index 42298d78..311fefd0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -125,7 +125,10 @@ loolstress_SOURCES = tools/Stress.cpp \
common/Log.cpp \
common/Util.cpp
-loolconfig_SOURCES = tools/Config.cpp
+loolconfig_SOURCES = tools/Config.cpp \
+ common/Crypto.cpp \
+ common/Log.cpp \
+ common/Util.cpp
wsd_headers = wsd/Admin.hpp \
wsd/AdminModel.hpp \
diff --git a/common/Crypto.cpp b/common/Crypto.cpp
new file mode 100644
index 00000000..aa268ae3
--- /dev/null
+++ b/common/Crypto.cpp
@@ -0,0 +1,141 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include "config.h"
+
+#if ENABLE_SUPPORT_KEY
+
+#include <Poco/DigestStream.h>
+#include <Poco/Base64Decoder.h>
+#include <Poco/DateTimeParser.h>
+#include <Poco/Crypto/RSADigestEngine.h>
+
+#include <fstream>
+#include <sstream>
+#include <iostream>
+
+#include "Log.hpp"
+#include "Crypto.hpp"
+
+using namespace Poco;
+using namespace Poco::Crypto;
+
+struct SupportKeyImpl
+{
+ bool _invalid;
+ std::string _key;
+ std::string _data;
+ std::string _signature;
+ DateTime _expiry;
+ // Key format: iso-expiry-date:field1:field2:field:...:<signature>
+ SupportKeyImpl(const std::string &key)
+ : _invalid(true), _key(key)
+ {
+ LOG_INF("Support key '" << key << "' provided");
+ size_t firstColon = key.find(':');
+ if (firstColon != std::string::npos)
+ {
+ std::string expiry(key.substr(0, firstColon));
+ LOG_INF("Support key with expiry '" << expiry << "'");
+
+ try {
+ int timeZoneDifferential = 0;
+ Poco::DateTimeParser::parse(expiry, _expiry, timeZoneDifferential);
+
+ size_t lastColon = key.rfind(":");
+ if (lastColon != std::string::npos)
+ {
+ _signature = key.substr(lastColon + 1,
+ key.length() - lastColon);
+ _data = key.substr(0, lastColon);
+ std::cout << "signature '" << _signature << "' data '" << _data << "'\n";
+
+ _invalid = false;
+ }
+ } catch (SyntaxException &e) {
+ LOG_ERR("Invalid support key expiry '" << expiry << "'");
+ }
+ }
+ }
+};
+
+SupportKey::SupportKey(const std::string &key) :
+ _impl(new SupportKeyImpl(key))
+{
+}
+
+SupportKey::~SupportKey()
+{
+}
+
+bool SupportKey::verify()
+{
+ if (_impl->_invalid)
+ {
+ LOG_ERR("Basic key structure is invalid.");
+ return false;
+ }
+
+ std::ifstream pubStream;
+ try {
+ pubStream.open ("pubKey.pub", std::ifstream::in);
+ if (pubStream.fail())
+ {
+ LOG_ERR("Failed to open support public key.");
+ return false;
+ }
+ } catch (...) {
+ LOG_ERR("Exception opening public key");
+ return false;
+ }
+ try {
+ RSAKey keyPub(&pubStream);
+ RSADigestEngine rsaEngine(keyPub, RSADigestEngine::DigestType::DIGEST_SHA1);
+ rsaEngine.update(_impl->_data);
+
+ std::istringstream sigStream(_impl->_signature);
+ Poco::Base64Decoder rawStream(sigStream);
+
+ std::istreambuf_iterator<char> eos;
+ std::vector<unsigned char> rawSignature(std::istreambuf_iterator<char>(rawStream), eos);
+ LOG_INF("Signature of length " << rawSignature.size()
+ << " data size: " << _impl->_data.length());
+ if (!rsaEngine.verify(rawSignature))
+ {
+ LOG_ERR("Support key is not correctly signed.");
+ return false;
+ }
+ } catch (...) {
+ LOG_ERR("Exception validating support key.");
+ return false;
+ }
+ LOG_INF("Support key correctly signed.");
+ return true;
+}
+
+int SupportKey::validDaysRemaining()
+{
+ if (!verify())
+ {
+ LOG_ERR("Support key signature is invalid.");
+ return 0;
+ }
+ Timespan remaining = _impl->_expiry - DateTime();
+ int days = remaining.days();
+ if (days > 0)
+ LOG_INF("Support key has " << days << " remaining");
+ else
+ LOG_ERR("Support key has expired for " << -days << " days");
+
+ return days;
+}
+
+#endif // ENABLE_SUPPORT_KEY
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/common/Crypto.hpp b/common/Crypto.hpp
new file mode 100644
index 00000000..94b194cc
--- /dev/null
+++ b/common/Crypto.hpp
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#ifndef INCLUDED_CRYPTO_HPP
+#define INCLUDED_CRYPTO_HPP
+
+#if ENABLE_SUPPORT_KEY
+
+#include <memory>
+
+struct SupportKeyImpl;
+
+class SupportKey {
+ std::unique_ptr<SupportKeyImpl> _impl;
+
+public:
+ SupportKey(const std::string &key);
+ virtual ~SupportKey();
+
+ /// Check the key is validly signed.
+ bool verify();
+
+ /// How many days until key expires
+ int validDaysRemaining();
+};
+
+#endif
+
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/configure.ac b/configure.ac
index 444c0cc5..ecd86ead 100644
--- a/configure.ac
+++ b/configure.ac
@@ -96,6 +96,10 @@ AC_ARG_ENABLE([ssl],
AS_HELP_STRING([--disable-ssl],
[Compile without SSL support]))
+AC_ARG_ENABLE([support-key],
+ AS_HELP_STRING([--enable-support-key],
+ [Implements signed key with expiration required for support. Almost certainly you don't want to enable this.]))
+
AC_ARG_WITH([max-connections],
AS_HELP_STRING([--max-connections],
[Set the limit on the total number of client connections. Def: 20, Min: 3.]))
@@ -290,6 +294,11 @@ fi
AC_SUBST(ENABLE_SSL)
+AS_IF([test "$enable_support_key" == "yes"],
+ [AC_DEFINE([ENABLE_SUPPORT_KEY],1,[Whether to enable support key])],
+ [AC_DEFINE([ENABLE_SUPPORT_KEY],0,[Whether to enable support key])])
+AC_SUBST(ENABLE_SUPPORT_KEY)
+
LIBS="$LIBS -lPocoNet${POCO_DEBUG_SUFFIX} -lPocoUtil${POCO_DEBUG_SUFFIX} -lPocoJSON${POCO_DEBUG_SUFFIX} -lPocoFoundation${POCO_DEBUG_SUFFIX} -lPocoXML${POCO_DEBUG_SUFFIX} -lPocoNetSSL${POCO_DEBUG_SUFFIX} -lPocoCrypto${POCO_DEBUG_SUFFIX}"
AC_CHECK_HEADERS([LibreOfficeKit/LibreOfficeKit.h],
diff --git a/tools/Config.cpp b/tools/Config.cpp
index e51681a8..468bea66 100644
--- a/tools/Config.cpp
+++ b/tools/Config.cpp
@@ -23,6 +23,7 @@
#include <Poco/Util/XMLConfiguration.h>
#include "Util.hpp"
+#include "Crypto.hpp"
using Poco::Util::Application;
using Poco::Util::Option;
@@ -73,7 +74,11 @@ void Config::displayHelp()
{
std::cout << "loolconfig - Configuration tool for LibreOffice Online." << std::endl
<< "Commands:" << std::endl
- << " set-admin-password" << std::endl;
+ << " set-admin-password" << std::endl
+#if ENABLE_SUPPORT_KEY
+ << " set-support-key" << std::endl
+#endif
+ ;
}
void Config::defineOptions(OptionSet& optionSet)
@@ -154,12 +159,14 @@ int Config::main(const std::vector<std::string>& args)
return Application::EXIT_NOINPUT;
}
-#if HAVE_PKCS5_PBKDF2_HMAC
+ bool changed = false;
_loolConfig.load(ConfigFile);
- for (unsigned i = 0; i < args.size(); i++) {
+ for (unsigned i = 0; i < args.size(); i++)
+ {
if (args[i] == "set-admin-password")
{
+#if HAVE_PKCS5_PBKDF2_HMAC
unsigned char pwdhash[_adminConfig.pwdHashLength];
unsigned char salt[_adminConfig.pwdSaltLength];
RAND_bytes(salt, _adminConfig.pwdSaltLength);
@@ -215,18 +222,52 @@ int Config::main(const std::vector<std::string>& args)
"Salt and password hash combination generated using PBKDF2 with SHA512 digest.");
_loolConfig.setString("admin_console.secure_password", pwdConfigValue);
- std::cout << "Saving configuration to : " << ConfigFile << " ..." << std::endl;
- _loolConfig.save(ConfigFile);
- std::cout << "Saved" << std::endl;
+ changed = true;
+#else
+ std::cerr << "This application was compiled with old OpenSSL. Operation not supported. You can use plain text password in /etc/loolwsd/loolwsd.xml." << std::endl;
+ return Application::EXIT_UNAVAILABLE;
+#endif
}
+#if ENABLE_SUPPORT_KEY
+ else if (args[i] == "set-support-key")
+ {
+ std::string supportKeyString;
+ std::cout << "Enter support key: ";
+ std::cin >> supportKeyString;
+ if (supportKeyString.length() > 0)
+ {
+ SupportKey key(supportKeyString);
+ if (!key.verify())
+ std::cerr << "Invalid key\n";
+ else {
+ int validDays = key.validDaysRemaining();
+ if (validDays <= 0)
+ std::cerr << "Valid but expired key\n";
+ else
+ {
+ std::cerr << "Valid for " << validDays << " days - setting to config\n";
+ _loolConfig.setString("support_key", supportKeyString);
+ }
+ }
+ }
+ else
+ {
+ std::cerr << "Removing empty support key\n";
+ _loolConfig.remove("support_key");
+ }
+ changed = true;
+ }
+#endif
+ }
+ if (changed)
+ {
+ std::cout << "Saving configuration to : " << ConfigFile << " ..." << std::endl;
+ _loolConfig.save(ConfigFile);
+ std::cout << "Saved" << std::endl;
}
// This tool only handles options, nothing to do here
return Application::EXIT_OK;
-#else
- std::cerr << "This application was compiled with old OpenSSL. Operation not supported. You can use plain text password in /etc/loolwsd/loolwsd.xml." << std::endl;
- return Application::EXIT_UNAVAILABLE;
-#endif
}
POCO_APP_MAIN(Config);
More information about the Libreoffice-commits
mailing list