CCF
Loading...
Searching...
No Matches
key_exchange.h
Go to the documentation of this file.
1// Copyright (c) Microsoft Corporation. All rights reserved.
2// Licensed under the Apache 2.0 License.
3#pragma once
4
5#include "ccf/crypto/ec_key_pair.h"
6#include "ccf/crypto/openssl/openssl_wrappers.h"
7#include "crypto/openssl/ec_public_key.h"
8#include "ds/internal_logger.h"
9
10#include <iostream>
11#include <map>
12#include <openssl/crypto.h>
13#include <openssl/ec.h>
14#include <openssl/ossl_typ.h>
15#include <stdexcept>
16
17namespace tls
18{
19 class KeyExchangeContext
20 {
21 private:
22 ccf::crypto::ECKeyPairPtr own_key;
23 ccf::crypto::ECPublicKeyPtr peer_key;
24 ccf::crypto::CurveID curve{ccf::crypto::CurveID::SECP384R1};
25 std::vector<uint8_t> shared_secret;
26
27 void compute_shared_secret()
28 {
29 if (!own_key)
30 {
31 own_key = make_ec_key_pair(curve);
32 }
33
34 if (!peer_key)
35 {
36 throw std::logic_error(
37 "Cannot compute shared secret - missing peer key");
38 }
39
40 shared_secret = own_key->derive_shared_secret(*peer_key);
41 }
42
43 public:
44 KeyExchangeContext() = default;
45
46 ~KeyExchangeContext() = default;
47
48 std::vector<uint8_t> get_own_key_share()
49 {
50 if (!own_key)
51 {
52 own_key = make_ec_key_pair(curve);
53 shared_secret.clear();
54 }
55
56 // For backwards compatibility we need to keep the format we used with
57 // mbedTLS, which is the raw EC point with an extra size byte in the
58 // front.
59 auto tmp = own_key->public_key_raw();
60 tmp.insert(tmp.begin(), tmp.size());
61 return tmp;
62 }
63
64 [[nodiscard]] std::vector<uint8_t> get_peer_key_share() const
65 {
66 if (!peer_key)
67 {
68 throw std::runtime_error("Cannot get peer key - missing peer key");
69 }
70
71 auto tmp = peer_key->public_key_raw();
72 tmp.insert(tmp.begin(), tmp.size());
73 return tmp;
74 }
75
76 void reset()
77 {
78 own_key.reset();
79 peer_key.reset();
80 OPENSSL_cleanse(shared_secret.data(), shared_secret.size());
81 shared_secret.clear();
82 }
83
84 void load_peer_key_share(std::span<const uint8_t> ks)
85 {
86 if (ks.empty())
87 {
88 throw std::runtime_error("Provided peer key share is empty");
89 }
90
91 std::vector<uint8_t> tmp(ks.begin(), ks.end());
92 tmp.erase(tmp.begin());
93
94 int nid = ccf::crypto::ECPublicKey_OpenSSL::get_openssl_group_id(curve);
95 auto pk = ccf::crypto::key_from_raw_ec_point(tmp, nid);
96
97 if (pk == nullptr)
98 {
99 throw std::runtime_error("Failed to parse peer key share");
100 }
101
102 peer_key = std::make_shared<ccf::crypto::ECPublicKey_OpenSSL>(pk);
103 shared_secret.clear();
104 }
105
106 const std::vector<uint8_t>& get_shared_secret()
107 {
108 if (shared_secret.empty())
109 {
110 compute_shared_secret();
111 }
112
113 return shared_secret;
114 }
115 };
116}
ccf::crypto::ECPublicKey_OpenSSL::get_openssl_group_id
int get_openssl_group_id() const
Definition ec_public_key.cpp:136
tls::KeyExchangeContext
Definition key_exchange.h:20
tls::KeyExchangeContext::get_peer_key_share
std::vector< uint8_t > get_peer_key_share() const
Definition key_exchange.h:64
tls::KeyExchangeContext::load_peer_key_share
void load_peer_key_share(std::span< const uint8_t > ks)
Definition key_exchange.h:84
tls::KeyExchangeContext::get_shared_secret
const std::vector< uint8_t > & get_shared_secret()
Definition key_exchange.h:106
tls::KeyExchangeContext::get_own_key_share
std::vector< uint8_t > get_own_key_share()
Definition key_exchange.h:48
tls::KeyExchangeContext::reset
void reset()
Definition key_exchange.h:76
ec_key_pair.h
internal_logger.h
ccf::crypto::CurveID
CurveID
Definition curve.h:18
ccf::crypto::CurveID::SECP384R1
@ SECP384R1
The SECP384R1 curve.
ccf::crypto::ECPublicKeyPtr
std::shared_ptr< ECPublicKey > ECPublicKeyPtr
Definition ec_public_key.h:158
ccf::crypto::key_from_raw_ec_point
Unique_PKEY key_from_raw_ec_point(const std::vector< uint8_t > &raw, int nid)
Definition ec_public_key.cpp:264
ccf::crypto::ECKeyPairPtr
std::shared_ptr< ECKeyPair > ECKeyPairPtr
Definition ec_key_pair.h:144
tls
Definition key_exchange.h:18
openssl_wrappers.h
ec_public_key.h
Generated by doxygen 1.9.8