Add pkcs11 support to get_security_files (#66)

* Adding overload of get_security_files. * Implement changes to support .p11 files. * Security tests converted into TEST_P * Adding pkcs11 specific tests. Signed-off-by: Miguel Company <[email protected]>
ros2 · Apr 8, 2024 · d82d23a · d82d23a
1 parent ae7df87
commit d82d23a
Show file tree

Hide file tree

Showing 3 changed files with 391 additions and 45 deletions.
diff --git a/rmw_dds_common/include/rmw_dds_common/security.hpp b/rmw_dds_common/include/rmw_dds_common/security.hpp
@@ -52,6 +52,38 @@ bool get_security_files(
   const std::string & prefix, const std::string & secure_root,
   std::unordered_map<std::string, std::string> & result);
 
+/// Get the set of security files in a security enclave.
+/**
+ * This function will look through the passed in 'secure root'
+ * for a set of required filenames that must be in the enclave.
+ * If any of the required filenames are missing, the 'result'
+ * will be empty and the function will return false.
+ * If all of the required filenames are present, then this function
+ * will fill in the 'result' map with a key-value pair of
+ * friendy name -> filename.  If the prefix is not empty, then
+ * the prefix will be applied to the filename.
+ *
+ * The friendly names that this function will currently fill in are:
+ *   IDENTITY_CA
+ *   CERTIFICATE
+ *   PRIVATE_KEY
+ *   PERMISSIONS_CA
+ *   GOVERNANCE
+ *   PERMISSIONS
+ *
+ * \param[in]  supports_pkcs11 Whether the RMW has support for PKCS#11 URIs.
+ * \param[in]  prefix An optional prefix to apply to the filenames when storing them.
+ * \param[in]  secure_root The path to the security enclave to look at.
+ * \param[out] result The map where the friendly name -> filename pairs are stored.
+ * \return `true` if all required files exist in the security enclave, `false` otherwise.
+ */
+RMW_DDS_COMMON_PUBLIC
+bool get_security_files(
+  bool supports_pkcs11,
+  const std::string & prefix,
+  const std::string & secure_root,
+  std::unordered_map<std::string, std::string> & result);
+
 }  // namespace rmw_dds_common
 
 #endif  // RMW_DDS_COMMON__SECURITY_HPP_
diff --git a/rmw_dds_common/src/security.cpp b/rmw_dds_common/src/security.cpp
@@ -13,41 +13,127 @@
 // limitations under the License.
 
 #include <filesystem>
+#include <fstream>
+#include <functional>
 #include <string>
 #include <utility>
 #include <unordered_map>
+#include <vector>
 
 #include "rmw_dds_common/security.hpp"
 
 namespace rmw_dds_common
 {
 
+// Processor for security attributes with FILE URI
+static bool process_file_uri_security_file(
+  bool /*supports_pkcs11*/,
+  const std::string & prefix,
+  const std::filesystem::path & full_path,
+  std::string & result)
+{
+  if (!std::filesystem::is_regular_file(full_path)) {
+    return false;
+  }
+  result = prefix + full_path.generic_string();
+  return true;
+}
+
+// Processor for security attributes with PKCS#11 URI
+static bool process_pkcs_uri_security_file(
+  bool supports_pkcs11,
+  const std::string & /*prefix*/,
+  const std::filesystem::path & full_path,
+  std::string & result)
+{
+  if (!supports_pkcs11) {
+    return false;
+  }
+
+  const std::string p11_prefix("pkcs11:");
+
+  std::ifstream ifs(full_path);
+  if (!ifs.is_open()) {
+    return false;
+  }
+
+  if (!(ifs >> result)) {
+    return false;
+  }
+  if (result.find(p11_prefix) != 0) {
+    return false;
+  }
+
+  return true;
+}
+
 bool get_security_files(
   const std::string & prefix, const std::string & secure_root,
   std::unordered_map<std::string, std::string> & result)
 {
-  const std::unordered_map<std::string, std::string> required_files{
-    {"IDENTITY_CA", "identity_ca.cert.pem"},
-    {"CERTIFICATE", "cert.pem"},
-    {"PRIVATE_KEY", "key.pem"},
-    {"PERMISSIONS_CA", "permissions_ca.cert.pem"},
-    {"GOVERNANCE", "governance.p7s"},
-    {"PERMISSIONS", "permissions.p7s"},
+  return get_security_files(false, prefix, secure_root, result);
+}
+
+bool get_security_files(
+  bool supports_pkcs11,
+  const std::string & prefix,
+  const std::string & secure_root,
+  std::unordered_map<std::string, std::string> & result)
+{
+  using std::placeholders::_1;
+  using std::placeholders::_2;
+  using std::placeholders::_3;
+  using std::placeholders::_4;
+  using security_file_processor =
+    std::function<bool (bool, const std::string &, const std::filesystem::path &, std::string &)>;
+  using processor_vector =
+    std::vector<std::pair<std::string, security_file_processor>>;
+
+  // Key: the security attribute
+  // Value: ordered sequence of pairs. Each pair contains one possible file name
+  //        for the attribute and the corresponding processor method
+  // Pairs are ordered by priority: the first one matching is used.
+  const std::unordered_map<std::string, processor_vector> required_files{
+    {"IDENTITY_CA", {
+        {"identity_ca.cert.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)},
+        {"identity_ca.cert.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}},
+    {"CERTIFICATE", {
+        {"cert.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)},
+        {"cert.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}},
+    {"PRIVATE_KEY", {
+        {"key.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)},
+        {"key.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}},
+    {"PERMISSIONS_CA", {
+        {"permissions_ca.cert.p11", std::bind(process_pkcs_uri_security_file, _1, _2, _3, _4)},
+        {"permissions_ca.cert.pem", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}},
+    {"GOVERNANCE", {
+        {"governance.p7s", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}},
+    {"PERMISSIONS", {
+        {"permissions.p7s", std::bind(process_file_uri_security_file, _1, _2, _3, _4)}}},
   };
 
   const std::unordered_map<std::string, std::string> optional_files{
     {"CRL", "crl.pem"},
   };
 
-  for (const std::pair<const std::string, std::string> & el : required_files) {
-    std::filesystem::path full_path(secure_root);
-    full_path /= el.second;
-    if (!std::filesystem::is_regular_file(full_path)) {
+  for (const std::pair<const std::string,
+    std::vector<std::pair<std::string, security_file_processor>>> & el : required_files)
+  {
+    std::string attribute_value;
+    bool processed = false;
+    for (auto & proc : el.second) {
+      std::filesystem::path full_path(secure_root);
+      full_path /= proc.first;
+      if (proc.second(supports_pkcs11, prefix, full_path, attribute_value)) {
+        processed = true;
+        break;
+      }
+    }
+    if (!processed) {
       result.clear();
       return false;
     }
-
-    result[el.first] = prefix + full_path.generic_string();
+    result[el.first] = attribute_value;
   }
 
   for (const std::pair<const std::string, std::string> & el : optional_files) {