/* * ZeroTier One - Network Virtualization Everywhere * Copyright (C) 2011-2019 ZeroTier, Inc. https://www.zerotier.com/ * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * -- * * You can be released from the requirements of the license by purchasing * a commercial license. Buying such a license is mandatory as soon as you * develop commercial closed-source software that incorporates or links * directly against ZeroTier software without disclosing the source code * of your own application. */ #ifndef ZT_IDENTITY_HPP #define ZT_IDENTITY_HPP #include #include #include "Constants.hpp" #include "Utils.hpp" #include "Address.hpp" #include "C25519.hpp" #include "Buffer.hpp" #include "SHA512.hpp" #include "ECC384.hpp" #define ZT_IDENTITY_STRING_BUFFER_LENGTH 512 namespace ZeroTier { /** * A ZeroTier identity * * An identity consists of a public key, a 40-bit ZeroTier address computed * from that key in a collision-resistant fashion, and a self-signature. * * The address derivation algorithm makes it computationally very expensive to * search for a different public key that duplicates an existing address. (See * code for deriveAddress() for this algorithm.) */ class Identity { public: /** * Identity type -- numeric values of these enums are protocol constants */ enum Type { C25519 = ZT_CRYPTO_ALG_C25519, // Type 0 -- Curve25519 and Ed25519 (1.x and 2.x, default) P384 = ZT_CRYPTO_ALG_P384 // Type 1 -- NIST P-384 with linked Curve25519 and Ed25519 secondaries (2.x+) }; inline Identity() { memset(reinterpret_cast(this),0,sizeof(Identity)); } inline Identity(const Identity &id) { memcpy(reinterpret_cast(this),&id,sizeof(Identity)); } inline Identity(const char *str) { if (!fromString(str)) throw ZT_EXCEPTION_INVALID_SERIALIZED_DATA_INVALID_TYPE; } template inline Identity(const Buffer &b,unsigned int startAt = 0) { deserialize(b,startAt); } inline ~Identity() { Utils::burn(reinterpret_cast(this),sizeof(Identity)); } /** * Set identity to NIL value (all zero) */ inline void zero() { Utils::burn(reinterpret_cast(this),sizeof(Identity)); } inline Identity &operator=(const Identity &id) { memcpy(reinterpret_cast(this),&id,sizeof(Identity)); return *this; } /** * @return Identity type */ inline Type type() const { return _type; } /** * Generate a new identity (address, key pair) * * This is a time consuming operation. * * @param t Type of identity to generate */ void generate(const Type t); /** * Check the validity of this identity's pairing of key to address * * @return True if validation check passes */ bool locallyValidate() const; /** * @return True if this identity contains a private key */ inline bool hasPrivate() const { return _hasPrivate; } /** * Compute the SHA512 hash of our private key (if we have one) * * @param sha Buffer to receive SHA512 (MUST be ZT_SHA512_DIGEST_LEN (64) bytes in length) * @return True on success, false if no private key */ inline bool sha512PrivateKey(void *sha) const { if (_hasPrivate) { switch(_type) { case C25519: SHA512(sha,_priv.c25519,ZT_C25519_PRIVATE_KEY_LEN); return true; case P384: SHA512(sha,&_priv,ZT_C25519_PRIVATE_KEY_LEN + ZT_ECC384_PRIVATE_KEY_SIZE); return true; } } return false; } /** * Sign a message with this identity (private key required) * * The signature buffer should be large enough for the largest * signature, which is currently 96 bytes. * * @param data Data to sign * @param len Length of data * @param sig Buffer to receive signature * @param siglen Length of buffer * @return Number of bytes actually written to sig or 0 on error */ inline unsigned int sign(const void *data,unsigned int len,void *sig,unsigned int siglen) const { uint8_t h[48 + ZT_C25519_PUBLIC_KEY_LEN]; if (!_hasPrivate) return 0; switch(_type) { case C25519: if (siglen < ZT_C25519_SIGNATURE_LEN) return 0; C25519::sign(_priv.c25519,_pub.c25519,data,len,sig); return ZT_C25519_SIGNATURE_LEN; case P384: if (siglen < ZT_ECC384_SIGNATURE_SIZE) return 0; // Include C25519 public key in input for P-384 signature so the two keys are "bound // together" and cannot be decoupled in the same identity. An identity can have the // same C25519 key but a different P-384 key and have the same address, but this // means its signatures and key agreements will be different. SHA384(h,data,len); memcpy(h + 48,_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN); SHA384(h,h,48 + ZT_C25519_PUBLIC_KEY_LEN); ECC384ECDSASign(_priv.p384,h,(uint8_t *)sig); return ZT_ECC384_SIGNATURE_SIZE; } return 0; } /** * Verify a message signature against this identity * * @param data Data to check * @param len Length of data * @param signature Signature bytes * @param siglen Length of signature in bytes * @return True if signature validates and data integrity checks */ inline bool verify(const void *data,unsigned int len,const void *sig,unsigned int siglen) const { switch(_type) { case C25519: return C25519::verify(_pub.c25519,data,len,sig,siglen); case P384: if (siglen == ZT_ECC384_SIGNATURE_SIZE) { uint8_t h[48 + ZT_C25519_PUBLIC_KEY_LEN]; SHA384(h,data,len); memcpy(h + 48,_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN); SHA384(h,h,48 + ZT_C25519_PUBLIC_KEY_LEN); return ECC384ECDSAVerify(_pub.p384,h,(const uint8_t *)sig); } break; } return false; } /** * Shortcut method to perform key agreement with another identity * * This identity must have a private key. (Check hasPrivate()) * * @param id Identity to agree with * @param key Result parameter to fill with key bytes * @return Was agreement successful? */ inline bool agree(const Identity &id,uint8_t key[ZT_PEER_SECRET_KEY_LENGTH]) const { uint8_t rawkey[128]; uint8_t h[64]; if (_hasPrivate) { switch(_type) { case C25519: C25519::agree(_priv.c25519,id._pub.c25519,rawkey); SHA512(h,rawkey,ZT_C25519_SHARED_KEY_LEN); memcpy(key,h,32); return true; case P384: if (id._type == P384) { // Perform key agreement over both curves for the same reason that C25519 public // keys are included in P-384 signature inputs: to bind the keys together so // that a type 1 identity with the same C25519 public key (and therefore address) // but a different P-384 key will not work. C25519::agree(_priv.c25519,id._pub.c25519,rawkey); ECC384ECDH(id._pub.p384,_priv.p384,rawkey + ZT_C25519_SHARED_KEY_LEN); SHA384(h,rawkey,ZT_C25519_SHARED_KEY_LEN + ZT_ECC384_SHARED_SECRET_SIZE); for(unsigned int i=0;i<32;++i) key[i] = h[i]; for(unsigned int i=0;i<16;++i) key[i] ^= h[32+i]; return true; } return false; } } return false; } /** * @return This identity's address */ inline const Address &address() const { return _address; } /** * Serialize this identity (binary) * * @param b Destination buffer to append to * @param includePrivate If true, include private key component (if present) (default: false) * @throws std::out_of_range Buffer too small */ template inline void serialize(Buffer &b,bool includePrivate = false) const { _address.appendTo(b); switch(_type) { case C25519: b.append((uint8_t)C25519); b.append(_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN); if ((_hasPrivate)&&(includePrivate)) { b.append((uint8_t)ZT_C25519_PRIVATE_KEY_LEN); b.append(_priv.c25519,ZT_C25519_PRIVATE_KEY_LEN); } else { b.append((uint8_t)0); } break; case P384: b.append((uint8_t)P384); b.append(_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN); b.append(_pub.p384,ZT_ECC384_PUBLIC_KEY_SIZE); if ((_hasPrivate)&&(includePrivate)) { b.append((uint8_t)(ZT_C25519_PRIVATE_KEY_LEN + ZT_ECC384_PRIVATE_KEY_SIZE)); b.append(_priv.c25519,ZT_C25519_PRIVATE_KEY_LEN); b.append(_priv.p384,ZT_ECC384_PRIVATE_KEY_SIZE); } else { b.append((uint8_t)0); } break; } } /** * Deserialize a binary serialized identity * * If an exception is thrown, the Identity object is left in an undefined * state and should not be used. * * @param b Buffer containing serialized data * @param startAt Index within buffer of serialized data (default: 0) * @return Length of serialized data read from buffer * @throws std::out_of_range Serialized data invalid * @throws std::invalid_argument Serialized data invalid */ template inline unsigned int deserialize(const Buffer &b,unsigned int startAt = 0) { _hasPrivate = false; unsigned int p = startAt; unsigned int pkl; _address.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH; switch((_type = (Type)b[p++])) { case C25519: memcpy(_pub.c25519,b.field(p,ZT_C25519_PUBLIC_KEY_LEN),ZT_C25519_PUBLIC_KEY_LEN); p += ZT_C25519_PUBLIC_KEY_LEN; pkl = (unsigned int)b[p++]; if (pkl) { if (pkl != ZT_C25519_PRIVATE_KEY_LEN) throw ZT_EXCEPTION_INVALID_SERIALIZED_DATA_INVALID_CRYPTOGRAPHIC_TOKEN; _hasPrivate = true; memcpy(_priv.c25519,b.field(p,ZT_C25519_PRIVATE_KEY_LEN),ZT_C25519_PRIVATE_KEY_LEN); p += ZT_C25519_PRIVATE_KEY_LEN; } else { _hasPrivate = false; } break; case P384: memcpy(_pub.c25519,b.field(p,ZT_C25519_PUBLIC_KEY_LEN),ZT_C25519_PUBLIC_KEY_LEN); p += ZT_C25519_PUBLIC_KEY_LEN; memcpy(_pub.p384,b.field(p,ZT_ECC384_PUBLIC_KEY_SIZE),ZT_ECC384_PUBLIC_KEY_SIZE); p += ZT_ECC384_PUBLIC_KEY_SIZE; pkl = (unsigned int)b[p++]; if (pkl) { if (pkl != (ZT_C25519_PRIVATE_KEY_LEN + ZT_ECC384_PRIVATE_KEY_SIZE)) throw ZT_EXCEPTION_INVALID_SERIALIZED_DATA_INVALID_CRYPTOGRAPHIC_TOKEN; _hasPrivate = true; memcpy(_priv.c25519,b.field(p,ZT_C25519_PRIVATE_KEY_LEN),ZT_C25519_PRIVATE_KEY_LEN); p += ZT_C25519_PRIVATE_KEY_LEN; memcpy(_priv.p384,b.field(p,ZT_ECC384_PRIVATE_KEY_SIZE),ZT_ECC384_PRIVATE_KEY_SIZE); p += ZT_ECC384_PRIVATE_KEY_SIZE; } else { _hasPrivate = false; } break; default: throw ZT_EXCEPTION_INVALID_SERIALIZED_DATA_INVALID_TYPE; } return (p - startAt); } /** * Serialize to a more human-friendly string * * @param includePrivate If true, include private key (if it exists) * @param buf Buffer to store string * @return ASCII string representation of identity */ char *toString(bool includePrivate,char buf[ZT_IDENTITY_STRING_BUFFER_LENGTH]) const; /** * Deserialize a human-friendly string * * Note: validation is for the format only. The locallyValidate() method * must be used to check signature and address/key correspondence. * * @param str String to deserialize * @return True if deserialization appears successful */ bool fromString(const char *str); /** * @return True if this identity contains something */ inline operator bool() const { return (_address); } inline bool operator==(const Identity &id) const { if ((_address == id._address)&&(_type == id._type)) { switch(_type) { case C25519: return (memcmp(_pub.c25519,id._pub.c25519,ZT_C25519_PUBLIC_KEY_LEN) == 0); case P384: return (memcmp(&_pub,&id._pub,ZT_C25519_PUBLIC_KEY_LEN + ZT_ECC384_PUBLIC_KEY_SIZE) == 0); default: return false; } } return false; } inline bool operator<(const Identity &id) const { if (_address < id._address) return true; if (_address == id._address) { if ((int)_type < (int)id._type) return true; if (_type == id._type) { switch(_type) { case C25519: return (memcmp(_pub.c25519,id._pub.c25519,ZT_C25519_PUBLIC_KEY_LEN) < 0); case P384: return (memcmp(&_pub,&id._pub,ZT_C25519_PUBLIC_KEY_LEN + ZT_ECC384_PUBLIC_KEY_SIZE) < 0); } } } return false; } inline bool operator!=(const Identity &id) const { return !(*this == id); } inline bool operator>(const Identity &id) const { return (id < *this); } inline bool operator<=(const Identity &id) const { return !(id < *this); } inline bool operator>=(const Identity &id) const { return !(*this < id); } inline unsigned long hashCode() const { return (unsigned long)_address.toInt(); } private: Address _address; Type _type; bool _hasPrivate; ZT_PACKED_STRUCT(struct { // don't re-order these uint8_t c25519[ZT_C25519_PRIVATE_KEY_LEN]; uint8_t p384[ZT_ECC384_PRIVATE_KEY_SIZE]; }) _priv; ZT_PACKED_STRUCT(struct { // don't re-order these uint8_t c25519[ZT_C25519_PUBLIC_KEY_LEN]; uint8_t p384[ZT_ECC384_PUBLIC_KEY_SIZE]; }) _pub; }; } // namespace ZeroTier #endif