use unique ECDH state / Encryption key for request in CA
Change-Id: If9f5471664d2eec7562b963c40f404ecfa3e5269
diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index 0c5373f..0cd35cc 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -247,9 +247,10 @@
}
// get server's ECDH pub key
- auto myEcdhPubKeyBase64 = m_ecdh.getBase64PubKey();
+ ECDHState ecdh;
+ auto myEcdhPubKeyBase64 = ecdh.getBase64PubKey();
try {
- m_ecdh.deriveSecret(peerKeyBase64);
+ ecdh.deriveSecret(peerKeyBase64);
}
catch (const std::exception& e) {
_LOG_ERROR("Cannot derive a shared secret using the provided ECDH key: " << e.what());
@@ -260,8 +261,9 @@
// generate salt for HKDF
auto saltInt = random::generateSecureWord64();
// hkdf
- hkdf(m_ecdh.context->sharedSecret, m_ecdh.context->sharedSecretLen,
- (uint8_t*)&saltInt, sizeof(saltInt), m_aesKey, sizeof(m_aesKey));
+ uint8_t aesKey[AES_128_KEY_LEN];
+ hkdf(ecdh.context->sharedSecret, ecdh.context->sharedSecretLen,
+ (uint8_t*)&saltInt, sizeof(saltInt), aesKey, sizeof(aesKey));
shared_ptr<security::v2::Certificate> clientCert = nullptr;
// parse certificate request
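Review bot: The derived key in the new local `uint8_t aesKey[AES_128_KEY_LEN]` is never scrubbed after it has been copied into the request, so the 128-bit key stays in stack memory until something happens to overwrite it; the ECDH shared secret in `ecdh.context` has the same exposure for as long as `ecdh` lives. Once the key has been handed to RequestState (which happens in the later hunk of this diff), overwrite the buffer with a memset the optimizer cannot drop (the crypto library's cleanse routine or an equivalent volatile write), and confirm that ECDHState's destructor does the same for `sharedSecret` — that destructor is not visible here. The enclosing function starts before this hunk and ends after it, so the wipe belongs immediately after the copy rather than at the end of the hunk.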
@@ -334,7 +336,8 @@
// create new request instance
std::string requestId = std::to_string(random::generateWord64());
- RequestState certRequest(m_config.m_caPrefix, requestId, requestType, Status::BEFORE_CHALLENGE, *clientCert);
+ RequestState certRequest(m_config.m_caPrefix, requestId, requestType, Status::BEFORE_CHALLENGE, *clientCert,
+ makeBinaryBlock(tlv::ContentType_Key, aesKey, sizeof(aesKey)));
m_storage->addRequest(certRequest);
Data result;
result.setName(request.getName());
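Review bot: The per-request AES key is now persisted together with the request via `m_storage->addRequest(certRequest)` on the line after the new constructor call, which moves the key from process memory into whatever backend m_storage uses. If that backend is file- or database-backed, the key of every in-flight request is written out in the clear, so it should be kept only while the request is pending, deleted with it, and the storage location needs the same access protection as the CA's own signing key. A comment above the `RequestState certRequest(...)` line such as `// per-request AES-GCM key derived from the client's ECDH exchange; kept in storage only while the request is pending` would record that intent for whoever maintains the storage backend.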
@@ -379,7 +382,7 @@
// decrypt the parameters
Buffer paramTLVPayload;
try {
- paramTLVPayload = decodeBlockWithAesGcm128(request.getApplicationParameters(), m_aesKey,
+ paramTLVPayload = decodeBlockWithAesGcm128(request.getApplicationParameters(), certRequest.m_encryptionKey.value(),
(uint8_t*)"test", strlen("test"));
}
catch (const std::exception& e) {
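Review bot: `certRequest.m_encryptionKey.value()` in the new decodeBlockWithAesGcm128 call is used as the AES key without checking that the block actually holds one; if m_encryptionKey is an ndn-cxx Block (as the makeBinaryBlock in the earlier hunk suggests), an empty block yields a null pointer and a wrong-length value is silently accepted, since no key length is passed. Before decrypting, reject the request unless `certRequest.m_encryptionKey.hasValue() && certRequest.m_encryptionKey.value_size() == AES_128_KEY_LEN`, logging at the same level as the catch that follows. The same unchecked `.value()` is passed as the key to encodeBlockWithAesGcm128 in the last hunk. The literal `"test"` argument on the next line predates this change, but if it is the associated data it deserves a `// TODO: bind AAD to the request name` comment. The enclosing function starts before this hunk.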
@@ -450,7 +453,7 @@
Data result;
result.setName(request.getName());
result.setFreshnessPeriod(DEFAULT_DATA_FRESHNESS_PERIOD);
- auto contentBlock = encodeBlockWithAesGcm128(tlv::Content, m_aesKey, payload.value(),
+ auto contentBlock = encodeBlockWithAesGcm128(tlv::Content, certRequest.m_encryptionKey.value(), payload.value(),
payload.value_size(), (uint8_t*)"test", strlen("test"));
result.setContent(contentBlock);
m_keyChain.sign(result, signingByIdentity(m_config.m_caPrefix));