Create invitation management module

This facilitates the generation of invitations and logistics of proving knowledge of the invitation and the integrity of the certificates. peercert is to be gotten through getpeercert(binary_form=True) and local cert through the util function to load from file, since we don't have another way of getting local certificate.
2024-11-26 19:40:12 +00:00 · 2018-03-15 19:22:03 -04:00 · 2018-03-15 19:22:03 -04:00 · 1e0cf7e9fb
commit 1e0cf7e9fb
parent 7ebe9da24b
2 changed files with 55 additions and 0 deletions
--- a/confluent_server/confluent/multimanager/init.py
+++ b/confluent_server/confluent/multimanager/init.py
--- a/confluent_server/confluent/multimanager/invites.py
+++ b/confluent_server/confluent/multimanager/invites.py
@ -0,0 +1,55 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2018 Lenovo
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This handles the process of generating and tracking/validating invites
+
+import base64
+import hashlib
+import hmac
+import os
+pending_invites = {}
+
+def create_server_invitation(servername):
+    invitation = os.urandom(66)
+    pending_invites[servername] = invitation
+    return base64.b64encode(invitation)
+
+def create_client_proof(invitation, mycert, peercert):
+    return hmac.new(invitation, peercert + mycert, hashlib.sha256).digest()
+
+def check_server_proof(invitation, mycert, peercert, proof):
+    validproof = hmac.new(invitation, mycert + peercert, hashlib.sha256
+                          ).digest()
+    return proof == validproof
+
+def check_client_proof(servername, mycert, peercert, proof):
+    invitation = pending_invites[servername]
+    validproof = hmac.new(invitation, mycert + peercert, hashlib.sha256
+                          ).digest()
+    if proof == validproof:
+        # We know that the client knew the secret, and that it measured our
+        # certificate, and thus calling code can bless the certificate, and
+        # we can forget the invitation
+        del pending_invites[servername]
+        # We now want to prove to the client that we also know the secret,
+        # and that we measured their certificate well
+        # Now to generate an answer...., reverse the cert order so our answer
+        # is different, but still proving things
+        return hmac.new(invitation, peercert + mycert, hashlib.sha256
+                          ).digest()
+    # The given proof did not verify the invitation
+    return False
+