From 6dc4b49086f1e10ac6c6f95d704bfadfd2b2e414 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Mon, 13 Jun 2022 20:14:49 +0530 Subject: [PATCH] Crypto++ and OpenSSL macros added in CMakeLists.txt --- CMakeLists.txt | 7 +++ bftengine/src/bftengine/SigManager.cpp | 18 +++---- .../tests/SigManager/SigManager_test.cpp | 50 ++++++++----------- .../clientsManager/ClientsManager_test.cpp | 46 +++++++++++------ bftengine/tests/messages/helper.cpp | 13 +++-- client/bftclient/src/bft_client.cpp | 10 ++-- .../bftclient/test/bft_client_api_tests.cpp | 15 +++--- kvbc/src/pruning_handler.cpp | 14 +++--- kvbc/test/pruning_test.cpp | 5 +- .../src/reconfiguration_handler.cpp | 9 ++-- secretsmanager/CMakeLists.txt | 12 +++++ secretsmanager/src/aes.cpp | 14 +++--- secretsmanager/src/base64.cpp | 10 ++-- secretsmanager/src/key_params.cpp | 9 ++-- secretsmanager/test/secrets_manager_test.cpp | 2 - tools/CMakeLists.txt | 12 +++++ tools/GenerateConcordKeys.cpp | 20 ++++---- tools/KeyfileIOUtils.cpp | 26 +++++----- tools/TestGeneratedKeys.cpp | 15 +++--- 19 files changed, 165 insertions(+), 142 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5689c5d5bc..f46e9925b8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -23,6 +23,8 @@ if (NOT DEFINED USE_LOG4CPP) option(USE_LOG4CPP "Enable LOG4CPP" ON) endif() +option(USE_CRYPTOPP "Enable usage of Crypto++ library for RSA/ECDSA signature generation/verification" OFF) +option(USE_EDDSA_OPENSSL "Enable usage of OpenSSL library for EdDSA signature generation/verification" ON) option(RUN_APOLLO_TESTS "Enable Apollo tests run" ON) option(KEEP_APOLLO_LOGS "Retains logs from replicas in separate folder for each test in build/tests/apollo/logs" ON) option(TXN_SIGNING_ENABLED "Enable External concord client transcattion signing" ON) @@ -46,6 +48,11 @@ option(BUILD_THIRDPARTY "Wheter to build third party librarie or use preinstalle option(CODECOVERAGE "Enable Code Coverage Metrics in Clang" OFF) option(ENABLE_RESTART_RECOVERY_TESTS "Enable tests for restart recovery" OFF) +if ((NOT USE_CRYPTOPP) AND (NOT USE_EDDSA_OPENSSL)) + message(FATAL_ERROR "At least one signature/verification algorithm implementation must be chosen. " + "Choose at least one of the following cmake options: [USE_EDDSA_OPENSSL, USE_CRYPTOPP]") +endif() + if(USE_OPENSSL AND NOT BUILD_THIRDPARTY) set(OPENSSL_ROOT_DIR /usr/local/ssl) # not to confuse with system ssl libs endif() diff --git a/bftengine/src/bftengine/SigManager.cpp b/bftengine/src/bftengine/SigManager.cpp index 00147626bd..9f561b18df 100644 --- a/bftengine/src/bftengine/SigManager.cpp +++ b/bftengine/src/bftengine/SigManager.cpp @@ -24,12 +24,10 @@ using namespace std; namespace bftEngine { namespace impl { -#define RSA_Algo false - -#if RSA_Algo +#ifdef USE_CRYPTOPP using concord::util::cryptopp_utils::RSASigner; using concord::util::cryptopp_utils::RSAVerifier; -#else +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Signer; using concord::util::openssl_utils::EdDSA_Verifier; #endif @@ -147,9 +145,9 @@ SigManager::SigManager(PrincipalId myId, ConcordAssert(publicKeysMapping.size() >= numPublickeys); if (!mySigPrivateKey.first.empty()) { -#if RSA_Algo +#ifdef USE_CRYPTOPP mySigner_.reset(new RSASigner(mySigPrivateKey.first.c_str(), mySigPrivateKey.second)); -#else +#elif USE_EDDSA_OPENSSL mySigner_.reset(new EdDSA_Signer(mySigPrivateKey.first, mySigPrivateKey.second)); #endif } @@ -160,9 +158,9 @@ SigManager::SigManager(PrincipalId myId, auto iter = publicKeyIndexToVerifier.find(p.second); const auto& [key, format] = publickeys[p.second]; if (iter == publicKeyIndexToVerifier.end()) { -#if RSA_Algo +#ifdef USE_CRYPTOPP verifiers_[p.first] = std::make_shared(key.c_str(), format); -#else +#elif USE_EDDSA_OPENSSL verifiers_[p.first] = std::make_shared(key, format); #endif publicKeyIndexToVerifier[p.second] = verifiers_[p.first]; @@ -272,9 +270,9 @@ void SigManager::setClientPublicKey(const std::string& key, PrincipalId id, conc if (replicasInfo_.isIdOfExternalClient(id) || replicasInfo_.isIdOfClientService(id)) { try { std::unique_lock lock(mutex_); -#if RSA_Algo +#ifdef USE_CRYPTOPP verifiers_.insert_or_assign(id, std::make_shared(key.c_str(), format)); -#else +#elif USE_EDDSA_OPENSSL verifiers_.insert_or_assign(id, std::make_shared(key, format)); #endif } catch (const std::exception& e) { diff --git a/bftengine/tests/SigManager/SigManager_test.cpp b/bftengine/tests/SigManager/SigManager_test.cpp index 21b93627c6..82a0884bb3 100644 --- a/bftengine/tests/SigManager/SigManager_test.cpp +++ b/bftengine/tests/SigManager/SigManager_test.cpp @@ -26,14 +26,12 @@ #include #include -#define RSA_Algo false - using namespace std; using concord::util::crypto::KeyFormat; -#if RSA_Algo +#ifdef USE_CRYPTOPP using concord::util::cryptopp_utils::RSASigner; using concord::util::cryptopp_utils::RSAVerifier; -#else +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Signer; using concord::util::openssl_utils::EdDSA_Verifier; #endif @@ -95,10 +93,10 @@ TEST(SignerAndVerifierTest, LoadSignVerifyFromPemfiles) { generateRandomData(data, RANDOM_DATA_SIZE); readFile(privateKeyFullPath, privKey); readFile(publicKeyFullPath, pubkey); -#if RSA_Algo +#ifdef USE_CRYPTOPP auto verifier_ = unique_ptr(new RSAVerifier(pubkey, KeyFormat::PemFormat)); auto signer_ = unique_ptr(new RSASigner(privKey, KeyFormat::PemFormat)); -#else +#elif USE_EDDSA_OPENSSL auto verifier_ = unique_ptr(new EdDSA_Verifier(pubkey, KeyFormat::PemFormat)); auto signer_ = unique_ptr(new EdDSA_Signer(privKey, KeyFormat::PemFormat)); #endif @@ -132,10 +130,9 @@ TEST(SigManagerTest, ReplicasOnlyCheckVerify) { constexpr size_t numReplicas{4}; constexpr PrincipalId myId{0}; string myPrivKey; - string myPrivateKeyFullPath; -#if RSA_Algo +#ifdef USE_CRYPTOPP unique_ptr signers[numReplicas]; -#else +#elif USE_EDDSA_OPENSSL unique_ptr signers[numReplicas]; #endif set> publicKeysOfReplicas; @@ -151,20 +148,19 @@ TEST(SigManagerTest, ReplicasOnlyCheckVerify) { if (pid == myId) { myPrivKey = privKey; - myPrivateKeyFullPath = privateKeyFullPath; continue; } -#if RSA_Algo +#ifdef USE_CRYPTOPP signers[pid].reset(new RSASigner(privKey, KeyFormat::PemFormat)); -#else +#elif USE_EDDSA_OPENSSL signers[pid].reset(new EdDSA_Signer(privKey, KeyFormat::PemFormat)); #endif string pubKeyFullPath({string(KEYS_BASE_PATH) + string("/") + to_string(i) + string("/") + PUB_KEY_NAME}); readFile(pubKeyFullPath, pubKey); -#if RSA_Algo +#ifdef USE_CRYPTOPP publicKeysOfReplicas.insert(make_pair(pid, pubKey)); -#else +#elif USE_EDDSA_OPENSSL publicKeysOfReplicas.insert(make_pair(pid, pubKey)); #endif } @@ -211,9 +207,9 @@ TEST(SigManagerTest, ReplicasOnlyCheckSign) { constexpr size_t numReplicas{4}; constexpr PrincipalId myId{0}; string myPrivKey, privKey, pubKey, sig; -#if RSA_Algo +#ifdef USE_CRYPTOPP unique_ptr verifier; -#else +#elif USE_EDDSA_OPENSSL unique_ptr verifier; #endif set> publicKeysOfReplicas; @@ -229,9 +225,9 @@ TEST(SigManagerTest, ReplicasOnlyCheckSign) { // Load single other replica's verifier (mock) string pubKeyFullPath({string(KEYS_BASE_PATH) + string("/") + to_string(1) + string("/") + PUB_KEY_NAME}); readFile(pubKeyFullPath, pubKey); -#if RSA_Algo +#ifdef USE_CRYPTOPP verifier.reset(new RSAVerifier(pubKey, KeyFormat::PemFormat)); -#else +#elif USE_EDDSA_OPENSSL verifier.reset(new EdDSA_Verifier(pubKey, KeyFormat::PemFormat)); #endif @@ -239,9 +235,9 @@ TEST(SigManagerTest, ReplicasOnlyCheckSign) { for (size_t i{2}; i <= numReplicas; ++i) { pubKeyFullPath = string(KEYS_BASE_PATH) + string("/") + to_string(i) + string("/") + PUB_KEY_NAME; readFile(pubKeyFullPath, pubKey); -#if RSA_Algo +#ifdef USE_CRYPTOPP publicKeysOfReplicas.insert(make_pair(i - 1, pubKey)); -#else +#elif USE_EDDSA_OPENSSL publicKeysOfReplicas.insert(make_pair(i - 1, pubKey)); #endif } @@ -282,12 +278,11 @@ TEST(SigManagerTest, ReplicasAndClientsCheckVerify) { constexpr size_t totalNumberofExternalBftClients{1200}; // numOfExternaClients * numBftClientsInExternalClient constexpr PrincipalId myId{0}; string myPrivKey; - string myPrivateKeyFullPath; size_t i, signerIndex{0}; -#if RSA_Algo +#ifdef USE_CRYPTOPP unique_ptr signers[numReplicas + numParticipantNodes]; // only external clients and consensus replicas sign -#else +#elif USE_EDDSA_OPENSSL unique_ptr signers[numReplicas + numParticipantNodes]; // only external clients and consensus replicas sign #endif @@ -306,12 +301,11 @@ TEST(SigManagerTest, ReplicasAndClientsCheckVerify) { if (currPrincipalId == myId) { myPrivKey = privKey; - myPrivateKeyFullPath = privateKeyFullPath; continue; } -#if RSA_Algo +#ifdef USE_CRYPTOPP signers[signerIndex].reset(new RSASigner(privKey, KeyFormat::PemFormat)); -#else +#elif USE_EDDSA_OPENSSL signers[signerIndex].reset(new EdDSA_Signer(privKey, KeyFormat::PemFormat)); #endif @@ -329,9 +323,9 @@ TEST(SigManagerTest, ReplicasAndClientsCheckVerify) { string privateKeyFullPath({string(KEYS_BASE_PATH) + string("/") + to_string(i) + string("/") + PRIV_KEY_NAME}); readFile(privateKeyFullPath, privKey); -#if RSA_Algo +#ifdef USE_CRYPTOPP signers[signerIndex].reset(new RSASigner(privKey, KeyFormat::PemFormat)); -#else +#elif USE_EDDSA_OPENSSL signers[signerIndex].reset(new EdDSA_Signer(privKey, KeyFormat::PemFormat)); #endif string pubKeyFullPath({string(KEYS_BASE_PATH) + string("/") + to_string(i) + string("/") + PUB_KEY_NAME}); diff --git a/bftengine/tests/clientsManager/ClientsManager_test.cpp b/bftengine/tests/clientsManager/ClientsManager_test.cpp index 9026801375..ee77f477ee 100644 --- a/bftengine/tests/clientsManager/ClientsManager_test.cpp +++ b/bftengine/tests/clientsManager/ClientsManager_test.cpp @@ -42,12 +42,10 @@ using std::this_thread::sleep_for; using std::unique_ptr; using std::vector; -#define RSA_Algo false - -#if RSA_Algo +#ifdef USE_CRYPTOPP using concord::util::cryptopp_utils::RSASigner; using concord::util::cryptopp_utils::Crypto; -#else +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Signer; using concord::util::openssl_utils::Crypto; #endif @@ -55,11 +53,16 @@ using concord::util::openssl_utils::Crypto; // Testing values to be used for certain Concord-BFT configuration that ClientsManager and/or its dependencies may // reference. const ReplicaId kReplicaIdForTesting = 0; -// const uint32_t kRSASigLengthForTesting = 2048; const KeyFormat kKeyFormatForTesting = KeyFormat::HexaDecimalStrippedFormat; + +#ifdef USE_CRYPTOPP +const uint32_t kRSASigLengthForTesting = 2048; const SigManager::Key kReplicaPrivateKeyForTesting( - /*Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting).first*/ - Crypto::instance().generateEdDSAKeyPair().first); + Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting).first); +#elif USE_EDDSA_OPENSSL +const SigManager::Key kReplicaPrivateKeyForTesting(Crypto::instance().generateEdDSAKeyPair().first); +#endif + const set> kPublicKeysOfReplicasForTesting{}; const set>> kInitialPublicKeysOfClientsForTesting; unique_ptr sigManagerReplicasInfoForTesting; @@ -235,9 +238,9 @@ static bool verifyClientPublicKeyLoadedToKEM(NodeIdType client_id, const pair internal_client_ids{}; map> client_keys; - client_keys[2] = - Crypto::instance().generateEdDSAKeyPair(); /*Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, - kKeyFormatForTesting)*/ + +#ifdef USE_CRYPTOPP + client_keys[2] = Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting); +#elif USE_EDDSA_OPENSSL + client_keys[2] = Crypto::instance().generateEdDSAKeyPair(); +#endif map> client_replies; client_replies[2] = {9, "reply 9 to client 2"}; @@ -445,9 +451,13 @@ TEST(ClientsManager, loadInfoFromReservedPagesHandlesNoInfoAvailable) { } TEST(ClientsManager, loadInfoFromReservedPagesHandlesSingleClientClientsManager) { +#ifdef USE_CRYPTOPP pair client_key_pair = - Crypto::instance().generateEdDSAKeyPair(); /*Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, - kKeyFormatForTesting)*/ + Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting); +#elif USE_EDDSA_OPENSSL + pair client_key_pair = Crypto::instance().generateEdDSAKeyPair(); +#endif + string reply_message = "reply 1 to client 2"; resetMockReservedPages(); @@ -1323,12 +1333,16 @@ TEST(ClientsManager, isInternal) { TEST(ClientsManager, setClientPublicKey) { resetMockReservedPages(); map> client_keys; - /*pair client_2_key = + +#ifdef USE_CRYPTOPP + pair client_2_key = Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting); pair client_7_key = - Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting);*/ + Crypto::instance().generateRsaKeyPair(kRSASigLengthForTesting, kKeyFormatForTesting); +#elif USE_EDDSA_OPENSSL pair client_2_key = Crypto::instance().generateEdDSAKeyPair(); pair client_7_key = Crypto::instance().generateEdDSAKeyPair(); +#endif unique_ptr cm(new ClientsManager({}, {4, 5, 7}, {}, {}, metrics)); cm->setClientPublicKey(7, client_7_key.second, kKeyFormatForTesting); diff --git a/bftengine/tests/messages/helper.cpp b/bftengine/tests/messages/helper.cpp index 9a54b3919d..29d38ae747 100644 --- a/bftengine/tests/messages/helper.cpp +++ b/bftengine/tests/messages/helper.cpp @@ -13,10 +13,8 @@ typedef std::pair IdToKeyPair; -const char replicaPrivateKey[] = {"09a30490ebf6f6685556046f2497fd9c7df4a552998c9a9b6ebec742e8183174"}; -const std::string pubKey = {"7363bc5ab96d7f85e71a5ffe0b284405ae38e2e0f032fb3ffe805d9f0e2d117b"}; - -/*const char replicaPrivateKey[] = +#ifdef USE_CRYPTOPP +const char replicaPrivateKey[] = "308204BC020100300D06092A864886F70D0101010500048204A6308204A20201000282010100BCC5BEA607F4F52A493AA2F40C2D5482D7CE37" "DFC526E98131FDC92CE2ECA6035DB307B182EF52CA8471B78A65E445399816AFACB224F4CEA9597D4B6FE5E84030B7AF78A88BA0233263A9F0" "E2658A6E5BE57923D9093B7D6B70FDBAEC3CDA05C5EDE237674A598F5D607A50C1C528EEAE4B690C90820901A01BF4747C39FE6BD6DA535A9B" @@ -50,7 +48,12 @@ const std::string pubKey = { "6BD1A984C7DD11E36293A45EDBBFB61E438C189C2B73A69" "F6605C909F98B6C3F795354BBB988C9695F8A1E27FFC3CE4FFA64B549DD90727634" "04FBD352C5C1A05FA3D17377E113600B1EDCAEE17687BC4" - "C1AA6F3D020111"};*/ + "C1AA6F3D020111"}; +#elif USE_EDDSA_OPENSSL +const char replicaPrivateKey[] = {"09a30490ebf6f6685556046f2497fd9c7df4a552998c9a9b6ebec742e8183174"}; +const std::string pubKey = {"7363bc5ab96d7f85e71a5ffe0b284405ae38e2e0f032fb3ffe805d9f0e2d117b"}; +#endif + const std::vector replicasPubKeys = {pubKey, pubKey, pubKey, pubKey, pubKey, pubKey, pubKey}; void loadPrivateAndPublicKeys(std::string& myPrivateKey, diff --git a/client/bftclient/src/bft_client.cpp b/client/bftclient/src/bft_client.cpp index 3764ab7765..d50ef8ed53 100644 --- a/client/bftclient/src/bft_client.cpp +++ b/client/bftclient/src/bft_client.cpp @@ -24,11 +24,9 @@ using namespace bftEngine; using namespace bftEngine::impl; using concord::util::crypto::KeyFormat; -#define RSA_Algo false - -#if RSA_Algo +#ifdef USE_CRYPTOPP using concord::util::cryptopp_utils::RSASigner; -#else +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Signer; #endif @@ -66,9 +64,9 @@ Client::Client(SharedCommPtr comm, const ClientConfig& config, std::shared_ptrdecryptFile(file_path); if (!key_plaintext) throw InvalidPrivateKeyException(file_path, config.secrets_manager_config != std::nullopt); -#if RSA_Algo +#ifdef USE_CRYPTOPP transaction_signer_ = std::make_unique(key_plaintext.value().c_str(), KeyFormat::PemFormat); -#else +#elif USE_EDDSA_OPENSSL transaction_signer_ = std::make_unique(key_plaintext.value(), KeyFormat::PemFormat); #endif } diff --git a/client/bftclient/test/bft_client_api_tests.cpp b/client/bftclient/test/bft_client_api_tests.cpp index 353e4e43f5..7c3fad78d5 100644 --- a/client/bftclient/test/bft_client_api_tests.cpp +++ b/client/bftclient/test/bft_client_api_tests.cpp @@ -38,14 +38,19 @@ using namespace std; using namespace bft::client; using namespace bft::communication; -// using namespace CryptoPP; using namespace bftEngine::impl; using namespace bftEngine; using namespace placeholders; using namespace concord::secretsmanager; using concord::util::crypto::KeyFormat; -// using concord::util::cryptopp_utils::RSAVerifier; + +#ifdef USE_CRYPTOPP +using namespace CryptoPP; +using concord::util::cryptopp_utils::RSAVerifier; +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Verifier; +#endif + using ReplicaId_t = bft::client::ReplicaId; constexpr char KEYS_BASE_PARENT_PATH[] = "/tmp/"; @@ -58,8 +63,6 @@ constexpr char ENC_IV[] = "38106509f6528ff859c366747aa04f21"; constexpr char KEYS_GEN_SCRIPT_PATH[] = "/concord-bft//scripts/linux/create_concord_clients_transaction_signing_keys.sh"; -#define RSA_Algo false - class ClientApiTestFixture : public ::testing::Test { public: ClientConfig test_config_ = {ClientId{5}, @@ -188,9 +191,9 @@ TEST_P(ClientApiTestParametrizedFixture, print_received_messages_and_timeout) { std::stringstream stream; stream << file.rdbuf(); auto pub_key_str = stream.str(); -#if RSA_Algo +#ifdef USE_CRYPTOPP transaction_verifier_.reset(new RSAVerifier(pub_key_str, KeyFormat::PemFormat)); -#else +#elif USE_EDDSA_OPENSSL transaction_verifier_.reset(new EdDSA_Verifier(pub_key_str, KeyFormat::PemFormat)); #endif } diff --git a/kvbc/src/pruning_handler.cpp b/kvbc/src/pruning_handler.cpp index ede5cbd295..9e62c098d7 100644 --- a/kvbc/src/pruning_handler.cpp +++ b/kvbc/src/pruning_handler.cpp @@ -20,13 +20,11 @@ namespace concord::kvbc::pruning { -#define RSA_Algo false - using concord::util::crypto::KeyFormat; -#if RSA_Algo +#ifdef USE_CRYPTOPP using concord::util::cryptopp_utils::RSASigner; using concord::util::cryptopp_utils::RSAVerifier; -#else +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Signer; using concord::util::openssl_utils::EdDSA_Verifier; #endif @@ -42,11 +40,11 @@ void PruningSigner::sign(concord::messages::LatestPrunableBlock& block) { PruningSigner::PruningSigner(const std::string& key) : -#if RSA_Algo +#ifdef USE_CRYPTOPP signer_ { std::make_unique(key, KeyFormat::HexaDecimalStrippedFormat) } -#else +#elif USE_EDDSA_OPENSSL signer_ { std::make_unique(key, KeyFormat::HexaDecimalStrippedFormat) } @@ -56,9 +54,9 @@ PruningSigner::PruningSigner(const std::string& key) PruningVerifier::PruningVerifier(const std::set>& replicasPublicKeys) { auto i = 0u; for (auto& [idx, pkey] : replicasPublicKeys) { -#if RSA_Algo +#ifdef USE_CRYPTOPP replicas_.push_back(Replica{idx, std::make_unique(pkey, KeyFormat::HexaDecimalStrippedFormat)}); -#else +#elif USE_EDDSA_OPENSSL replicas_.push_back(Replica{idx, std::make_unique(pkey, KeyFormat::HexaDecimalStrippedFormat)}); #endif const auto ins_res = replica_ids_.insert(replicas_.back().principal_id); diff --git a/kvbc/test/pruning_test.cpp b/kvbc/test/pruning_test.cpp index 0dbebbadc0..d81240a8f0 100644 --- a/kvbc/test/pruning_test.cpp +++ b/kvbc/test/pruning_test.cpp @@ -38,13 +38,12 @@ using namespace concord::kvbc; using namespace concord::kvbc::categorization; using namespace concord::kvbc::pruning; namespace { -#define RSA_Algo false const NodeIdType replica_0 = 0; const NodeIdType replica_1 = 1; const NodeIdType replica_2 = 2; const NodeIdType replica_3 = 3; -#if RSA_Algo +#ifdef USE_CRYPTOPP std::string privateKey_0 = "308204BA020100300D06092A864886F70D0101010500048204A4308204A00201000282010100C55B8F7979BF24B335017082BF33EE2960E3" "A0" @@ -325,7 +324,7 @@ std::string publicKey_4 = "BF2EA16F58773514249B03A4775C6A10561AFC8CF54B551A43FD014F3C5FE12D96AC5F117645E26D125DC7430114FA60577BF7C9AA1224D1" "90" "B2D8A83B020111"; -#else +#elif USE_EDDSA_OPENSSL const std::string privateKey_0 = "61498efe1764b89357a02e2887d224154006ceacf26269f8695a4af561453eef"; const std::string privateKey_1 = "247a74ab3620ec6b9f5feab9ee1f86521da3fa2804ad45bb5bf2c5b21ef105bc"; const std::string privateKey_2 = "fb539bc3d66deda55524d903da26dbec1f4b6abf41ec5db521e617c64eb2c341"; diff --git a/reconfiguration/src/reconfiguration_handler.cpp b/reconfiguration/src/reconfiguration_handler.cpp index 5f2e2f1227..f0a0c0a09c 100644 --- a/reconfiguration/src/reconfiguration_handler.cpp +++ b/reconfiguration/src/reconfiguration_handler.cpp @@ -21,18 +21,17 @@ #include "communication/StateControl.hpp" #include "secrets_manager_plain.h" #include "bftengine/DbCheckpointManager.hpp" -#include "openssl_utils.hpp" #include -#define ECDSA_Algo true - using namespace concord::messages; using concord::util::crypto::KeyFormat; -#if ECDSA_Algo +#if USE_CRYPTOPP using concord::util::cryptopp_utils::ECDSAVerifier; #else +#include "openssl_utils.hpp" + using concord::util::openssl_utils::EdDSA_Verifier; #endif @@ -340,7 +339,7 @@ BftReconfigurationHandler::BftReconfigurationHandler() { key_str.append(buf, 0, key_content.gcount()); } key_str.append(buf, 0, key_content.gcount()); -#if ECDSA_Algo +#ifdef USE_CRYPTOPP verifier_.reset(new ECDSAVerifier(key_str, KeyFormat::PemFormat)); #else verifier_.reset(new EdDSA_Verifier(key_str, KeyFormat::PemFormat)); diff --git a/secretsmanager/CMakeLists.txt b/secretsmanager/CMakeLists.txt index 7abfeced03..afd5baad75 100644 --- a/secretsmanager/CMakeLists.txt +++ b/secretsmanager/CMakeLists.txt @@ -28,6 +28,18 @@ target_include_directories(secretsmanager PRIVATE src) target_link_libraries(secretsmanager_shared PUBLIC util_shared ${CRYPTOPP_LIBRARIES}) target_include_directories(secretsmanager_shared PUBLIC include ${CRYPTOPP_INCLUDE_DIRS}) +if (USE_CRYPTOPP) + message(STATUS "Using Crypto++ RSA/ECDSA signature/verification") + target_compile_definitions(secretsmanager PUBLIC USE_CRYPTOPP) + target_compile_definitions(secretsmanager_shared PUBLIC USE_CRYPTOPP) +endif() + +if (USE_EDDSA_OPENSSL) + message(STATUS "Using OpenSSL EdDSA signature/verification") + target_compile_definitions(secretsmanager PUBLIC USE_EDDSA_OPENSSL) + target_compile_definitions(secretsmanager_shared PUBLIC USE_EDDSA_OPENSSL) +endif() + if (USE_JSON AND USE_HTTPLIB) add_subdirectory(secretretriever) else () diff --git a/secretsmanager/src/aes.cpp b/secretsmanager/src/aes.cpp index 5d03d69aa8..635406546a 100644 --- a/secretsmanager/src/aes.cpp +++ b/secretsmanager/src/aes.cpp @@ -31,28 +31,26 @@ class BIO_Deleter { void operator()(BIO* p) { BIO_free_all(p); } }; -#define RSA_Algo false - AES_CBC::AES_CBC(const KeyParams& params) { -#if RSA_Algo +#ifdef USE_CRYPTOPP ConcordAssertEQ(params.key.size(), 256 / 8); aesEncryption = CryptoPP::AES::Encryption(params.key.data(), params.key.size()); aesDecryption = CryptoPP::AES::Decryption(params.key.data(), params.key.size()); enc = CryptoPP::CBC_Mode_ExternalCipher::Encryption(aesEncryption, params.iv.data()); dec = CryptoPP::CBC_Mode_ExternalCipher::Decryption(aesDecryption, params.iv.data()); -#else +#elif USE_EDDSA_OPENSSL key = params.key; iv = params.iv; #endif } vector AES_CBC::encrypt(const string& input) const { -#if RSA_Algo +#ifdef USE_CRYPTOPP vector cipher; CryptoPP::StringSource ss( input, true, new CryptoPP::StreamTransformationFilter(enc, new CryptoPP::VectorSink(cipher))); return cipher; -#else +#elif USE_EDDSA_OPENSSL if (input.empty()) { return {}; } @@ -89,11 +87,11 @@ vector AES_CBC::encrypt(const string& input) const { } string AES_CBC::decrypt(const vector& cipher) const { -#if RSA_Algo +#ifdef USE_CRYPTOPP string pt; CryptoPP::VectorSource ss(cipher, true, new CryptoPP::StreamTransformationFilter(dec, new CryptoPP::StringSink(pt))); return pt; -#else +#elif USE_EDDSA_OPENSSL if (cipher.capacity() == 0) { return {}; } diff --git a/secretsmanager/src/base64.cpp b/secretsmanager/src/base64.cpp index 60469c122b..40d27b496f 100644 --- a/secretsmanager/src/base64.cpp +++ b/secretsmanager/src/base64.cpp @@ -19,10 +19,8 @@ #include namespace concord::secretsmanager { -#define RSA_Algo false - string base64Enc(const vector& cipher_text) { -#if RSA_Algo +#ifdef USE_CRYPTOPP CryptoPP::Base64Encoder encoder; encoder.Put(cipher_text.data(), cipher_text.size()); encoder.MessageEnd(); @@ -31,7 +29,7 @@ string base64Enc(const vector& cipher_text) { encoder.Get((unsigned char*)output.data(), output.size()); return output; -#else +#elif USE_EDDSA_OPENSSL if (cipher_text.capacity() == 0) { return {}; } @@ -58,11 +56,11 @@ string base64Enc(const vector& cipher_text) { } vector base64Dec(const string& input) { -#if RSA_Algo +#ifdef USE_CRYPTOPP vector dec; CryptoPP::StringSource ss(input, true, new CryptoPP::Base64Decoder(new CryptoPP::VectorSink(dec))); return dec; -#else +#elif USE_EDDSA_OPENSSL if (input.empty()) { return {}; } diff --git a/secretsmanager/src/key_params.cpp b/secretsmanager/src/key_params.cpp index 5d7d6bcba9..00b47ae992 100644 --- a/secretsmanager/src/key_params.cpp +++ b/secretsmanager/src/key_params.cpp @@ -1,22 +1,21 @@ #include "key_params.h" #include -#define RSA_Algo false -#if RSA_Algo +#ifdef USE_CRYPTOPP #include #include #include -#else +#elif USE_EDDSA_OPENSSL #include "hex_tools.h" #endif namespace concord::secretsmanager { KeyParams::KeyParams(const std::string& pkey, const std::string& piv) { -#if RSA_Algo +#ifdef USE_CRYPTOPP CryptoPP::StringSource sskey(pkey, true, new CryptoPP::HexDecoder(new CryptoPP::VectorSink(key))); CryptoPP::StringSource ssiv(piv, true, new CryptoPP::HexDecoder(new CryptoPP::VectorSink(iv))); -#else +#elif USE_EDDSA_OPENSSL const auto keyInAsciiStr = concordUtils::hexToASCII(pkey); const auto ivInAsciiStr = concordUtils::hexToASCII(piv); diff --git a/secretsmanager/test/secrets_manager_test.cpp b/secretsmanager/test/secrets_manager_test.cpp index 1a4497ca81..1cf6cad0a5 100644 --- a/secretsmanager/test/secrets_manager_test.cpp +++ b/secretsmanager/test/secrets_manager_test.cpp @@ -9,8 +9,6 @@ using namespace concord::secretsmanager; -#define RSA_Algo false - const std::string long_input{R"L0R3M( Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas ut ultrices nisi. Sed eu venenatis tellus. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Sed ante tellus, auctor non feugiat et, feugiat vitae ante. Pellentesque volutpat tincidunt orci non efficitur. Vestibulum eu sagittis nisi, et faucibus neque. Nullam eu ultrices dolor. Nulla facilisi. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur luctus lectus non neque sollicitudin facilisis. Curabitur dapibus, lorem eget lacinia luctus, eros velit interdum odio, non efficitur massa ipsum id orci. Morbi sagittis enim neque, et blandit arcu vehicula eget. Aliquam lacinia lacus at metus elementum pretium. Aenean efficitur nisl ut arcu sodales gravida. Cras malesuada magna ac eros pharetra feugiat. diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index dc39256906..0a9a337ae2 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -63,6 +63,18 @@ if (BUILD_TESTING) .) endif() +if (USE_CRYPTOPP) + message(STATUS "Using Crypto++ RSA/ECDSA signature/verification") + target_compile_definitions(GenerateConcordKeys PUBLIC USE_CRYPTOPP) + target_compile_definitions(TestGeneratedKeys PUBLIC USE_CRYPTOPP) +endif() + +if (USE_EDDSA_OPENSSL) + message(STATUS "Using OpenSSL EdDSA signature/verification") + target_compile_definitions(GenerateConcordKeys PUBLIC USE_EDDSA_OPENSSL) + target_compile_definitions(TestGeneratedKeys PUBLIC USE_EDDSA_OPENSSL) +endif() + if (BUILD_ROCKSDB_STORAGE) add_executable(skvb_db_editor DBEditor.cpp ) target_include_directories(skvb_db_editor PUBLIC diff --git a/tools/GenerateConcordKeys.cpp b/tools/GenerateConcordKeys.cpp index 3a38e50adf..6798a1389f 100644 --- a/tools/GenerateConcordKeys.cpp +++ b/tools/GenerateConcordKeys.cpp @@ -26,8 +26,6 @@ using concord::util::openssl_utils::Crypto; -#define RSA_Algo false - // Helper functions and static state to this executable's main function. static bool containsHelpOption(int argc, char** argv) { @@ -39,7 +37,7 @@ static bool containsHelpOption(int argc, char** argv) { return false; } -#if RSA_Algo +#ifdef USE_CRYPTOPP static CryptoPP::RandomPool sGlobalRandGen; const unsigned int rsaKeyLength = 2048; @@ -194,17 +192,17 @@ int main(int argc, char** argv) { config.cVal = (n - (3 * config.fVal) - 1) / 2; -#if RSA_Algo +#ifdef USE_CRYPTOPP std::vector> rsaKeys; -#else +#elif USE_EDDSA_OPENSSL std::vector> eddsaKeys; #endif for (uint16_t i = 0; i < n + ro; ++i) { -#if RSA_Algo +#ifdef USE_CRYPTOPP rsaKeys.push_back(generateRsaKey()); config.publicKeysOfReplicas.insert(std::pair(i, rsaKeys[i].second)); -#else +#elif USE_EDDSA_OPENSSL eddsaKeys.push_back(Crypto::instance().generateEdDSAKeyPair()); config.publicKeysOfReplicas.insert(std::pair(i, eddsaKeys[i].second)); #endif @@ -216,9 +214,9 @@ int main(int argc, char** argv) { // Output the generated keys. for (uint16_t i = 0; i < n; ++i) { config.replicaId = i; -#if RSA_Algo +#ifdef USE_CRYPTOPP config.replicaPrivateKey = rsaKeys[i].first; -#else +#elif USE_EDDSA_OPENSSL config.replicaPrivateKey = eddsaKeys[i].first; #endif outputReplicaKeyfile(n, ro, config, outputPrefix + std::to_string(i), &cryptoSys); @@ -227,9 +225,9 @@ int main(int argc, char** argv) { for (uint16_t i = n; i < n + ro; ++i) { config.isReadOnly = true; config.replicaId = i; -#if RSA_Algo +#ifdef USE_CRYPTOPP config.replicaPrivateKey = rsaKeys[i].first; -#else +#elif USE_EDDSA_OPENSSL config.replicaPrivateKey = eddsaKeys[i].first; #endif outputReplicaKeyfile(n, ro, config, outputPrefix + std::to_string(i)); diff --git a/tools/KeyfileIOUtils.cpp b/tools/KeyfileIOUtils.cpp index ff87fbb8ee..ee13d4c81a 100644 --- a/tools/KeyfileIOUtils.cpp +++ b/tools/KeyfileIOUtils.cpp @@ -21,8 +21,6 @@ #include "KeyfileIOUtils.hpp" #include "yaml_utils.hpp" -#define RSA_Algo false - void outputReplicaKeyfile(uint16_t numReplicas, uint16_t numRoReplicas, bftEngine::ReplicaConfig& config, @@ -41,10 +39,10 @@ void outputReplicaKeyfile(uint16_t numReplicas, << "c_val: " << config.cVal << "\n" << "replica_id: " << config.replicaId << "\n" << "read-only: " << config.isReadOnly << "\n\n" -#if RSA_Algo +#ifdef USE_CRYPTOPP << "# RSA non-threshold replica public keys\n" << "rsa_public_keys:\n"; -#else +#elif USE_EDDSA_OPENSSL << "# EdDSA non-threshold replica public keys\n" << "eddsa_public_keys:\n"; #endif @@ -52,16 +50,16 @@ void outputReplicaKeyfile(uint16_t numReplicas, for (auto& v : config.publicKeysOfReplicas) output << " - " << v.second << "\n"; output << "\n"; -#if RSA_Algo +#ifdef USE_CRYPTOPP output << "rsa_private_key: " << config.replicaPrivateKey << "\n"; -#else +#elif USE_EDDSA_OPENSSL output << "eddsa_private_key: " << config.replicaPrivateKey << "\n"; #endif if (commonSys) commonSys->writeConfiguration(output, "common", config.replicaId); } -#if RSA_Algo +#ifdef USE_CRYPTOPP static void validateRSAPublicKey(const std::string& key) { const size_t rsaPublicKeyHexadecimalLength = 584; if (!(key.length() == rsaPublicKeyHexadecimalLength) && (std::regex_match(key, std::regex("[0-9A-Fa-f]+")))) @@ -75,7 +73,7 @@ static void validateRSAPrivateKey(const std::string& key) { if (!std::regex_match(key, std::regex("[0-9A-Fa-f]+"))) throw std::runtime_error("Invalid RSA private key: " + key); } -#else +#elif USE_EDDSA_OPENSSL static void validateEdDSAPublicKey(const std::string& key) { const size_t eddsaPublicKeyHexadecimalLength{64UL}; if (!(key.length() == eddsaPublicKeyHexadecimalLength) && (std::regex_match(key, std::regex("[0-9A-Fa-f]+")))) { @@ -113,12 +111,12 @@ Cryptosystem* inputReplicaKeyfileMultisig(const std::string& filename, bftEngine if (config.replicaId >= config.numReplicas + config.numRoReplicas) throw std::runtime_error("replica IDs must be in the range [0, num_replicas + num_ro_replicas]"); -#if RSA_Algo +#ifdef USE_CRYPTOPP std::vector rsaPublicKeys = yaml::readCollection(input, "rsa_public_keys"); if (rsaPublicKeys.size() != config.numReplicas + config.numRoReplicas) throw std::runtime_error("number of public RSA keys must match num_replicas"); -#else +#elif USE_EDDSA_OPENSSL std::vector eddsaPublicKeys = yaml::readCollection(input, "eddsa_public_keys"); if (eddsaPublicKeys.size() != config.numReplicas + config.numRoReplicas) @@ -127,19 +125,19 @@ Cryptosystem* inputReplicaKeyfileMultisig(const std::string& filename, bftEngine config.publicKeysOfReplicas.clear(); for (size_t i = 0; i < config.numReplicas + config.numRoReplicas; ++i) { -#if RSA_Algo +#ifdef USE_CRYPTOPP validateRSAPublicKey(rsaPublicKeys[i]); config.publicKeysOfReplicas.insert(std::pair(i, rsaPublicKeys[i])); -#else +#elif USE_EDDSA_OPENSSL validateEdDSAPublicKey(eddsaPublicKeys[i]); config.publicKeysOfReplicas.insert(std::pair(i, eddsaPublicKeys[i])); #endif } -#if RSA_Algo +#ifdef USE_CRYPTOPP config.replicaPrivateKey = yaml::readValue(input, "rsa_private_key"); validateRSAPrivateKey(config.replicaPrivateKey); -#else +#elif USE_EDDSA_OPENSSL config.replicaPrivateKey = yaml::readValue(input, "eddsa_private_key"); validateEdDSAPrivateKey(config.replicaPrivateKey); #endif diff --git a/tools/TestGeneratedKeys.cpp b/tools/TestGeneratedKeys.cpp index 8b75238b6a..fd62bae8ea 100644 --- a/tools/TestGeneratedKeys.cpp +++ b/tools/TestGeneratedKeys.cpp @@ -22,12 +22,10 @@ #include "cryptopp_utils.hpp" #include "openssl_utils.hpp" -#define RSA_Algo false - -#if RSA_Algo +#ifdef USE_CRYPTOPP using concord::util::cryptopp_utils::RSASigner; using concord::util::cryptopp_utils::RSAVerifier; -#else +#elif USE_EDDSA_OPENSSL using concord::util::openssl_utils::EdDSA_Signer; using concord::util::openssl_utils::EdDSA_Verifier; #endif @@ -132,7 +130,7 @@ static bool validateFundamentalFields(const std::vector& conf return true; } -#if RSA_Algo +#ifdef USE_CRYPTOPP // Helper function to test RSA keys to test the compatibility of a single key // pair. static bool testRSAKeyPair(const std::string& privateKey, const std::string& publicKey, uint16_t replicaID) { @@ -255,8 +253,7 @@ static bool testRSAKeys(const std::vector& configs) { return true; } - -#else +#elif USE_EDDSA_OPENSSL // Helper function to test EdDSA keys to test the compatibility of a single key pair. static bool testEdDSAKeyPair(const std::string& privateKey, const std::string& publicKey, uint16_t replicaID) { // The signer and verifier are stored with unique pointers rather than by @@ -856,9 +853,9 @@ int main(int argc, char** argv) { std::cout << "Cryptographic configurations read appear to be sane.\n"; std::cout << "Testing key functionality and agreement...\n"; -#if RSA_Algo +#ifdef USE_CRYPTOPP if (!testRSAKeys(configs)) -#else +#elif USE_EDDSA_OPENSSL if (!testEdDSAKeys(configs)) #endif {