Builtin authentication plugin for DDS Security

Builtin authentication plugin of DDS Security implementation was added.
This plugin is the first implementation and it also contains the functions that are used initially in the secure communication sequence.

The builtin authentication plugin implements authentication using a trusted Certificate Authority (CA). It performs mutual authentication between discovered participants using the RSA or ECDSA Digital Signature Algorithms and establishes a shared secret using Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) Key Agreement Methods.

DDS Security core component is introduced with this commit. DDSI and other builtin plugins will also use the security core.

Like all builtin plugins, dds security authentication plugin is a shared library for providing dynamic library loading on runtime. So that, dds participants can use different plugin implementations with different configurations.

Authentication plugin uses ddsrt functions. ddsrt is not expected to be a shared library and statically adding ddsrt objects to authentication library produces linkage errors in windows. So, dynamically linking authentication plugin to ddc library is decided. Another decision should be taken for the platforms that are not supporting dynamic libraries later.

Signed-off-by: Kurtulus Oksuztepe <kurtulus.oksuztepe@adlinktech.com>

src/security/builtin_plugins/authentication/CMakeLists.txt

@@ -0,0 +1,65 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+include (GenerateExportHeader)
+
+PREPEND(srcs_authentication "${CMAKE_CURRENT_LIST_DIR}/src"
+    authentication.c
+    auth_utils.c
+)
+ 
+PREPEND(hdrs_private_authentication "${CMAKE_CURRENT_LIST_DIR}/src"
+    auth_defs.h
+    authentication.h
+    auth_utils.h
+    dds_security_core_if.h
+)
+
+add_library(dds_security_auth SHARED "")
+
+generate_export_header(
+        dds_security_auth
+        BASE_NAME SECURITY
+        EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/security/export.h"
+)
+
+
+
+find_package(OpenSSL )
+
+add_definitions(-DDDSI_INCLUDE_SSL)
+
+target_link_libraries(dds_security_auth PUBLIC ddsc)
+target_link_libraries(dds_security_auth PUBLIC OpenSSL::SSL)
+
+target_sources(dds_security_auth
+    PRIVATE
+        ${srcs_authentication}
+
+)
+
+target_include_directories(dds_security_auth
+    PUBLIC
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>"
+)
+
+install(
+  TARGETS 
+  EXPORT "${CMAKE_PROJECT_NAME}"
+  RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+  LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+  ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+)
+
+

src/security/builtin_plugins/authentication/src/auth_utils.h

@@ -0,0 +1,238 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef AUTH_UTILS_H
+#define AUTH_UTILS_H
+
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/time.h"
+
+#define DDS_AUTH_PLUGIN_CONTEXT "Authentication"
+
+typedef enum {
+    AUTH_ALGO_KIND_UNKNOWN,
+    AUTH_ALGO_KIND_RSA_2048,
+    AUTH_ALGO_KIND_EC_PRIME256V1
+} AuthenticationAlgoKind_t;
+
+typedef enum {
+    AUTH_CONF_ITEM_PREFIX_UNKNOWN,
+    AUTH_CONF_ITEM_PREFIX_FILE,
+    AUTH_CONF_ITEM_PREFIX_DATA,
+    AUTH_CONF_ITEM_PREFIX_PKCS11
+} AuthConfItemPrefix_t;
+
+
+typedef struct AuthenticationChallenge {
+    unsigned char value[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+} AuthenticationChallenge;
+
+typedef struct {
+    uint32_t length;
+    X509 **buffer;
+} X509Seq;
+
+typedef unsigned char HashValue_t[SHA256_DIGEST_LENGTH];
+/*typedef struct HashValue {
+    unsigned char value[SHA256_DIGEST_LENGTH];
+} HashValue_t;
+*/
+
+/* Return a string that contains an openssl error description
+ * When a openssl function returns an error this function can be
+ * used to retrieve a descriptive error string.
+ * Note that the returned string should be freed.
+ */
+char *
+get_openssl_error_message(
+        void);
+
+/* Return the subject name of contained in a X509 certificate
+ * Note that the returned string should be freed.
+ */
+char*
+get_certificate_subject_name(
+        const X509 *cert,
+        DDS_Security_SecurityException *ex);
+
+/* Return the expiry date of contained in a X509 certificate
+ *
+ */
+dds_time_t
+get_certificate_expiry(
+    const X509 *cert);
+
+/* Return the subject name of a X509 certificate DER
+ * encoded. The DER encoded subject name is returned in
+ * the provided buffer. The length of the allocated
+ * buffer is returned
+ *
+ * return length of allocated buffer or -1 on error
+ */
+DDS_Security_ValidationResult_t
+get_subject_name_DER_encoded(
+        const X509 *cert,
+        unsigned char **buffer,
+        size_t *size,
+        DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided data.
+ *
+ * data     : certificate in PEM format
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate_from_data(
+        const char *data,
+        int len,
+        X509 **x509Cert,
+        DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided data.
+ *
+ * data     : URI of the certificate. URI format is defined in DDS Security spec 9.3.1
+
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate(
+        const char *data,
+        X509 **x509Cert,
+        DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided file.
+ *
+ * filename : path of the file that contains PEM formatted certificate
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate_from_file(
+        const char *filename,
+        X509 **x509Cert,
+        DDS_Security_SecurityException *ex);
+
+/* Load a Private Key for the provided data.
+ *
+ * data       : URI of the private key. URI format is defined in DDS Security spec 9.3.1
+ * privateKey : the openssl EVP_PKEY return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_private_key(
+        const char *data,
+        const char *password,
+        EVP_PKEY **privateKey,
+        DDS_Security_SecurityException *ex);
+
+
+/* Validate an identity certificate against the identityCA
+ * The provided identity certificate is checked if it is
+ * signed by the identity corresponding to the identityCA.
+ *
+ * Note: Currently only a self signed CA is supported
+ *       The function does not yet check a CLR or ocsp
+ *       for expiry of identity certificate.
+ */
+DDS_Security_ValidationResult_t
+verify_certificate(
+        X509 *identityCert,
+        X509 *identityCa,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+check_certificate_expiry(
+    const X509 *cert,
+    DDS_Security_SecurityException *ex);
+
+AuthenticationAlgoKind_t
+get_auhentication_algo_kind(
+        X509 *cert);
+
+AuthenticationChallenge *
+generate_challenge(
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+get_certificate_contents(
+        X509 *cert,
+        unsigned char **data,
+        uint32_t *size,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+generate_dh_keys(
+    EVP_PKEY **dhkey,
+    AuthenticationAlgoKind_t authKind,
+    DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+dh_public_key_to_oct(
+    EVP_PKEY *pkey,
+    AuthenticationAlgoKind_t algo,
+    unsigned char **buffer,
+    uint32_t *length,
+    DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+dh_oct_to_public_key(
+    EVP_PKEY **data,
+    AuthenticationAlgoKind_t algo,
+    const unsigned char *str,
+    uint32_t size,
+    DDS_Security_SecurityException *ex);
+
+
+AuthConfItemPrefix_t
+get_conf_item_type(
+        const char *str,
+        char **data);
+
+/*
+ * Frees the contents of theCA list.
+ */
+void
+free_ca_list_contents(
+     X509Seq *ca_list);
+
+DDS_Security_ValidationResult_t
+get_trusted_ca_list (
+    const char* trusted_ca_dir,
+    X509Seq *ca_list,
+    DDS_Security_SecurityException *ex);
+
+char *
+string_from_data(
+    const unsigned char *data,
+    uint32_t size);
+
+
+DDS_Security_ValidationResult_t
+create_asymmetrical_signature(
+        EVP_PKEY *pkey,
+        const unsigned char *data,
+        const size_t dataLen,
+        unsigned char **signature,
+        size_t *signatureLen,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+validate_asymmetrical_signature(
+        EVP_PKEY *pkey,
+        const unsigned char *data,
+        const size_t dataLen,
+        const unsigned char *signature,
+        const size_t signatureLen,
+        DDS_Security_SecurityException *ex);
+
+#endif /* AUTH_UTILS_H */

src/security/builtin_plugins/authentication/src/authentication.h

@@ -0,0 +1,146 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+
+#ifndef SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_
+#define SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_
+
+#include "dds/ddsrt/atomics.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/export.h"
+
+SECURITY_EXPORT int32_t
+init_authentication(const char *argument, void **context);
+
+SECURITY_EXPORT int32_t
+finalize_authentication(void *context);
+
+
+
+
+DDS_Security_ValidationResult_t
+validate_local_identity(
+        dds_security_authentication *instance,
+        DDS_Security_IdentityHandle *local_identity_handle,
+        DDS_Security_GUID_t *adjusted_participant_guid,
+        const DDS_Security_DomainId domain_id,
+        const DDS_Security_Qos *participant_qos,
+        const DDS_Security_GUID_t *candidate_participant_guid,
+
+        DDS_Security_SecurityException *ex);
+DDS_Security_boolean
+get_identity_token(dds_security_authentication *instance,
+                   DDS_Security_IdentityToken *identity_token,
+                   const DDS_Security_IdentityHandle handle,
+                   DDS_Security_SecurityException *ex);
+DDS_Security_boolean
+set_permissions_credential_and_token(
+        dds_security_authentication *instance,
+        const DDS_Security_IdentityHandle handle,
+        const DDS_Security_PermissionsCredentialToken *permissions_credential,
+        const DDS_Security_PermissionsToken *permissions_token,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+validate_remote_identity(
+        dds_security_authentication *instance,
+        DDS_Security_IdentityHandle *remote_identity_handle,
+        DDS_Security_AuthRequestMessageToken *local_auth_request_token,
+        const DDS_Security_AuthRequestMessageToken *remote_auth_request_token,
+        const DDS_Security_IdentityHandle local_identity_handle,
+        const DDS_Security_IdentityToken *remote_identity_token,
+        const DDS_Security_GUID_t *remote_participant_guid,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+begin_handshake_request(
+        dds_security_authentication *instance,
+        DDS_Security_HandshakeHandle *handshake_handle,
+        DDS_Security_HandshakeMessageToken *handshake_message,
+        const DDS_Security_IdentityHandle initiator_identity_handle,
+        const DDS_Security_IdentityHandle replier_identity_handle,
+        const DDS_Security_OctetSeq *serialized_local_participant_data,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+begin_handshake_reply(
+        dds_security_authentication *instance,
+        DDS_Security_HandshakeHandle *handshake_handle,
+        DDS_Security_HandshakeMessageToken *handshake_message_out,
+        const DDS_Security_HandshakeMessageToken *handshake_message_in,
+        const DDS_Security_IdentityHandle initiator_identity_handle,
+        const DDS_Security_IdentityHandle replier_identity_handle,
+        const DDS_Security_OctetSeq *serialized_local_participant_data,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+process_handshake(
+        dds_security_authentication *instance,
+        DDS_Security_HandshakeMessageToken *handshake_message_out,
+        const DDS_Security_HandshakeMessageToken *handshake_message_in,
+        const DDS_Security_HandshakeHandle handshake_handle,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_SharedSecretHandle get_shared_secret(
+        dds_security_authentication *instance,
+        const DDS_Security_HandshakeHandle handshake_handle,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean
+get_authenticated_peer_credential_token(
+        dds_security_authentication *instance,
+        DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+        const DDS_Security_HandshakeHandle handshake_handle,
+        DDS_Security_SecurityException *ex);
+
+
+DDS_Security_boolean get_identity_status_token(
+        dds_security_authentication *instance,
+        DDS_Security_IdentityStatusToken *identity_status_token,
+        const DDS_Security_IdentityHandle handle,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean set_listener(dds_security_authentication *instance,
+                                  const dds_security_authentication_listener *listener,
+                                  DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_identity_token(dds_security_authentication *instance,
+                                           const DDS_Security_IdentityToken *token,
+                                           DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_identity_status_token(
+        dds_security_authentication *instance,
+        const DDS_Security_IdentityStatusToken *token,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_authenticated_peer_credential_token(
+        dds_security_authentication *instance,
+        const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean
+return_handshake_handle(dds_security_authentication *instance,
+                        const DDS_Security_HandshakeHandle handshake_handle,
+                        DDS_Security_SecurityException *ex);
+DDS_Security_boolean
+return_identity_handle(
+        dds_security_authentication *instance,
+        const DDS_Security_IdentityHandle identity_handle,
+        DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_sharedsecret_handle(
+        dds_security_authentication *instance,
+        const DDS_Security_SharedSecretHandle sharedsecret_handle,
+        DDS_Security_SecurityException *ex);
+
+
+#endif /* SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_ */