Attempt at writing a camli object signing/verify server for app engine (in java); foiled by security manager restrictions preventing bouncycastle from working in App Engine

This commit is contained in:
Brett Slatkin 2011-01-22 17:02:27 -08:00
parent 2521ed5f9e
commit b909bc32c3
13 changed files with 356 additions and 1 deletions

View File

@ -0,0 +1,62 @@
<project>
<property name="sdk.dir" location="/tmp/appengine-java-sdk" />
<import file="${sdk.dir}/config/user/ant-macros.xml" />
<path id="project.classpath">
<pathelement path="war/WEB-INF/classes" />
<fileset dir="war/WEB-INF/lib">
<include name="**/*.jar" />
</fileset>
<fileset dir="${sdk.dir}/lib">
<include name="shared/**/*.jar" />
</fileset>
</path>
<target name="copyjars"
description="Copies the App Engine JARs to the WAR.">
<copy
todir="war/WEB-INF/lib"
flatten="true">
<fileset dir="${sdk.dir}/lib/user">
<include name="**/*.jar" />
</fileset>
</copy>
</target>
<target name="copylibs"
description="Copies the app-specific libs to the WAR.">
<copy
todir="war/WEB-INF/lib"
flatten="true">
<fileset dir="lib">
<include name="**/*.jar" />
</fileset>
</copy>
</target>
<target name="compile" depends="copylibs,copyjars"
description="Compiles Java source and copies other source files to the WAR.">
<mkdir dir="war/WEB-INF/classes" />
<copy todir="war/WEB-INF/classes">
<fileset dir="src">
<exclude name="**/*.java" />
</fileset>
</copy>
<javac
srcdir="src"
destdir="war/WEB-INF/classes"
classpathref="project.classpath"
debug="on" />
</target>
<target name="runserver" depends="compile"
description="Starts the development server.">
<dev_appserver war="war" port="8080" >
<options>
<arg value="--jvm_flag=-Xdebug"/>
</options>
</dev_appserver>
</target>
</project>

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,12 @@
package org.camlistore.sigserver;
import java.io.IOException;
import javax.servlet.http.*;
public class SignServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse resp)
throws IOException {
resp.setContentType("text/plain");
resp.getWriter().println("Hello, world");
}
}

View File

@ -0,0 +1,138 @@
package org.camlistore.sigserver;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.SignatureException;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.*;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonPrimitive;
import com.google.gson.JsonParser;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
public class VerifyServlet extends HttpServlet {
private Logger log = Logger.getLogger(VerifyServlet.class.getName());
public void doPost(HttpServletRequest req, HttpServletResponse resp)
throws IOException {
String sjson = req.getParameter("sjson");
String keyArmored = req.getParameter("keyarmored"); // Non-standard
resp.setContentType("text/plain");
// Validate the signed JSON object and extract the signature and signer.
int sigIndex = sjson.lastIndexOf(",\"camliSig\":\"");
if (sigIndex == -1) {
resp.getWriter().println("Missing camli object signature");
return;
}
String sigJson = "{" + sjson.substring(sigIndex + 1);
JsonObject sigObj;
try {
sigObj = (new JsonParser()).parse(sigJson).getAsJsonObject();
} catch (JsonParseException e) {
e.printStackTrace();
resp.getWriter().println("Invalid JSON signature object: " + e);
return;
} catch (IllegalStateException e) {
e.printStackTrace();
resp.getWriter().println("Invalid JSON signature object: " + e);
return;
}
if (sigObj.entrySet().size() > 1) {
resp.getWriter().println(
"Signature object contains more than 'camliSig':\n" + sigJson);
return;
}
JsonPrimitive sigPrimative = sigObj.getAsJsonPrimitive("camliSig");
if (sigPrimative == null) {
resp.getWriter().println("'camliSig' missing from top-level");
return;
}
String camliSig;
try {
camliSig = sigPrimative.getAsString();
} catch (ClassCastException e) {
e.printStackTrace();
resp.getWriter().println("Invalid 'camliSig' value: " + e);
return;
}
String camliJson = sjson.substring(0, sigIndex) + "}";
JsonObject camliObj;
try {
camliObj = (new JsonParser()).parse(sjson).getAsJsonObject();
} catch (JsonParseException e) {
e.printStackTrace();
resp.getWriter().println("Invalid JSON object: " + e);
return;
} catch (IllegalStateException e) {
e.printStackTrace();
resp.getWriter().println("Invalid JSON object: " + e);
return;
}
JsonPrimitive signerPrimative = camliObj.getAsJsonPrimitive("camliSigner");
if (signerPrimative == null) {
resp.getWriter().println("'camliSigner' missing from top-level");
return;
}
String camliSigner;
try {
camliSigner = signerPrimative.getAsString();
} catch (ClassCastException e) {
resp.getWriter().println("Invalid 'camliSigner' value: " + e);
return;
}
log.info("camliSig='" + camliSig + "', " +
"camliSigner='" + camliSigner + "', " +
"keyArmored='" + keyArmored + "'");
// Most of this code originally from the Bouncy Castle PGP example app.
try {
PGPObjectFactory pgpFactory = new PGPObjectFactory(
new ArmoredInputStream(
new ByteArrayInputStream(camliSig.getBytes("UTF-8")),
false));
PGPSignatureList signatureList = (PGPSignatureList) pgpFactory.nextObject();
PGPSignature sig = signatureList.get(0);
log.info("Signature found: " + sig);
PGPPublicKeyRingCollection pubKeyRing =
new PGPPublicKeyRingCollection(
new ArmoredInputStream(
new ByteArrayInputStream(keyArmored.getBytes("UTF-8"))));
PGPPublicKey key = pubKeyRing.getPublicKey(sig.getKeyID());
// NOTE(bslatkin): Can't use BouncyCastle's security provider for crypto
// operations because of App Engine bug. Doh.
// http://code.google.com/p/googleappengine/issues/detail?id=1612
sig.initVerify(key, new BouncyCastleProvider());
sig.update(camliJson.getBytes("UTF-8"));
resp.getWriter().println(sig.verify() ? "YES" : "NO");
} catch (IOException e) {
log.log(Level.SEVERE, "Input problem", e);
resp.getWriter().println("Input problem: " + e);
} catch (PGPException e) {
log.log(Level.SEVERE, "PGP problem", e);
resp.getWriter().println("PGP problem: " + e);
} catch (SignatureException e) {
log.log(Level.SEVERE, "Signature problem", e);
resp.getWriter().println("Signature problem: " + e);
}
}
}

View File

@ -0,0 +1 @@
test

View File

@ -0,0 +1,35 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
lQH+BE07cOIBBADTiCllLdf8M8hOQlIRq5lyQdhX558hFIb38uciWXp5AfunqEAb
xXiM2Enk87EJTEzItUtv7ID3E7kKSqB38XJQqQzL14VDW6Nid5nya5GcHYx49wYe
hSo9ktIUOplkWrPH4D+Ty6KXkieMQZ18xdk1fl7nQDZJaeNXIJQHiKNxEQARAQAB
/gMDAiuPXA+l3ORRYBgyD6g2k6ootIBSvOG41aMS256sgkkMm2gRDqEhTvgocEHY
I+2IXpiLfYVND3qbVp8Loxd0MF7cCEp8MQ81b0W9UIrUaevXmNjQsAmeEJj7r1yp
R+BEG7kZxe+KZWJQWVNpKbE15XNEItBqLAfq9Az5ivgejm+uhn7oIYPkHH/8w7xK
/JYfVRrB17fzIl7hR8UkvI/rFeyK8aFdl6X9jjb1m+4I9aa9XNc/QWBSIaCo8ffP
H85RiFHeDAFanBi8r9sME5F3ZwH6l9JSiGBo3a7XLoM4mOmD6nLHX51MjNnggCjE
mBYOdH6AJJanLBUjvFXliipX/6E4Ynodp/hk/IeolJtZyeooRCYk174eePYjVsUp
zh7q/6yLuhSbsmaCndcftN/bYYjT6NStlmkY3FnRhs8Op8jKhDf+hLIwlm2aztUo
O2rr9Pw71J6ZhRhjrMruFMqisp24DPQ6UoXo6OLIX+rWtClUZXN0IEtleSAoRm9y
IHRlc3RpbmcpIDx0ZXN0QGV4YW1wbGUuY29tPoi4BBMBAgAiBQJNO3DiAhsDBgsJ
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCLTbKtgJM85PJWA/9oPLLlhyn7uYCw
8xlh8CbNANXyEiQJJLfL6xsaXI1lFcAm7Y/ET+Un7FOvEwUcNLtxPLxpQtD52Gmx
8vQ2PI9evUUqdNWEK7E5ZoSx1BJAD2mlSjLl+rME+GJQXYnZj/3BVPTdJGFLT8Of
3lEpmVtrB19omE4dhAYXNlExA7y8q50B/gRNO3DiAQQAzInHYdrRHC7i4e4wYLly
0B/52adRQTyJ3RuC/hdBOdQBcTs3d20a3O/Y1pfzfoUcZCNeZbLSrpIT4Ljqubt4
J9KF/Fds/HUXsHLAAio/g5p+i0v8luB48JuL+alPtYVG6UNjp/NcaDeHBcb2F/NY
/9VBUa9dwkbnxhM9sMYgAEcAEQEAAf4DAwIrj1wPpdzkUWD9iXyvzQ6HCfMFdu6d
7J3Qtl6U5oWDGseNczNBhP9Hw/Gj/rrmS2Q4ssfLCHEYmkSn6VojppolMO3cP7pH
bxw1+NXKrtHnWF+AxrGjIal7vCAEHp8KcLjjFxnvHhPxfT5GX7NYu+HIP4a9EWlJ
qXm8sjvq5EDDN4JZKNUhuYeKTBuZOba9XSAS0PblERueoOJuMX86FBe1NtIYZSj+
Vprt0ZBmLmvSbXzh329eMJ7IlSOGva9siBMiUF1fEqKWw1tim2e5Ujw9xLeqhj0Z
GeqVfaNWFXQsTooClxG4xal1ujX5N+l4cX4Q6Q3HPNFYPyj1MPv0IQmYtxrzJsdv
yIyC91vZ3tUgMEvsOte8p1ixhmpzoksfGNpmmLVLSA5dn9U96zX7l/lBQddXD51t
fHSA70Q42G/jU4W9JQOunrJRr12vKUufxuovIG8pU1BjXDzn8elArdnQjtJWhs8o
BPoVwfgKloifBBgBAgAJBQJNO3DiAhsMAAoJEItNsq2AkzzkwE0D/0YC2OsJMWp8
BJxdU5JI2F3c5ueXAT1FZJumfrebG50jE1CguziRxnXd1CxyZ8Lc/4g77qVKo8Vl
IFyl9D2F7kK7AUUrKzagQfaPFMh7crqjySJcarz2YcKfCVvfJJNBhP3dDMGAsciu
blbcSKSWFiohB1u1uaXuZAht+cuZ4YJs
=JQkK
-----END PGP PRIVATE KEY BLOCK-----

View File

@ -0,0 +1,20 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
mI0ETTtw4gEEANOIKWUt1/wzyE5CUhGrmXJB2FfnnyEUhvfy5yJZenkB+6eoQBvF
eIzYSeTzsQlMTMi1S2/sgPcTuQpKoHfxclCpDMvXhUNbo2J3mfJrkZwdjHj3Bh6F
Kj2S0hQ6mWRas8fgP5PLopeSJ4xBnXzF2TV+XudANklp41cglAeIo3ERABEBAAG0
KVRlc3QgS2V5IChGb3IgdGVzdGluZykgPHRlc3RAZXhhbXBsZS5jb20+iLgEEwEC
ACIFAk07cOICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEItNsq2Akzzk
8lYD/2g8suWHKfu5gLDzGWHwJs0A1fISJAkkt8vrGxpcjWUVwCbtj8RP5SfsU68T
BRw0u3E8vGlC0PnYabHy9DY8j169RSp01YQrsTlmhLHUEkAPaaVKMuX6swT4YlBd
idmP/cFU9N0kYUtPw5/eUSmZW2sHX2iYTh2EBhc2UTEDvLyruI0ETTtw4gEEAMyJ
x2Ha0Rwu4uHuMGC5ctAf+dmnUUE8id0bgv4XQTnUAXE7N3dtGtzv2NaX836FHGQj
XmWy0q6SE+C46rm7eCfShfxXbPx1F7BywAIqP4OafotL/JbgePCbi/mpT7WFRulD
Y6fzXGg3hwXG9hfzWP/VQVGvXcJG58YTPbDGIABHABEBAAGInwQYAQIACQUCTTtw
4gIbDAAKCRCLTbKtgJM85MBNA/9GAtjrCTFqfAScXVOSSNhd3ObnlwE9RWSbpn63
mxudIxNQoLs4kcZ13dQscmfC3P+IO+6lSqPFZSBcpfQ9he5CuwFFKys2oEH2jxTI
e3K6o8kiXGq89mHCnwlb3ySTQYT93QzBgLHIrm5W3EiklhYqIQdbtbml7mQIbfnL
meGCbA==
=5YOm
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -0,0 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
<application>camlisig</application>
<version>1</version>
</appengine-web-app>

View File

@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
<servlet>
<servlet-name>signservlet</servlet-name>
<servlet-class>org.camlistore.sigserver.SignServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>verifyservlet</servlet-name>
<servlet-class>org.camlistore.sigserver.VerifyServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>signservlet</servlet-name>
<url-pattern>/camli/sig/sign</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>verifyservlet</servlet-name>
<url-pattern>/camli/sig/verify</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
</web-app>

View File

@ -0,0 +1,25 @@
<html>
<head>
<title>Test /camli/sig/*</title>
</head>
<body>
<h1>Verify</h1>
<form action="/camli/sig/verify" method="post" accept-charset="utf-8">
<p>
<label for="sjson">Camli object (JSON with "camliSig" and "camliSigner"):</label>
<p>
<textarea id="sjson" name="sjson" rows="10" cols="70"></textarea>
<p>
<label for="keyarmored">Optional armored public key (eg, "-----BEGIN PGP PUBLIC KEY BLOCK"):</label>
<p>
<textarea id="keyarmored" name="keyarmored" rows="10" cols="70"></textarea>
<p>
<input type="submit" value="Verify">
</form>
</body>
</html>

View File

@ -1,3 +1,5 @@
Sign:
(https) POST /camli/sig/sign
WWW-Authenticate: [user] [b64pass]
@ -8,5 +10,35 @@ On good response:
HTTP 200 OK
(signed blob)
else: (if verification fails)
else: (if signing fails)
HTTP 4xx/5xx
TODO(bslatkin): Should the sign response be a more specific value, so
we can tell the difference between a temporary server error and a signing
failure? For verification purposes we need that characteristic anyways.
---
Verify:
(https) POST /camli/sig/verify
sjson=[signed json to verify]
(proposed) keyarmored=[GnuPG armored key]
On good response:
HTTP 200 OK
YES
else: (if verification fails)
HTTP 200 OK
<any other message that describes the problem>
Verify will look in the object to find the "camliSigner" key and use that
blobref's contents (assumed to be a public key) to verify the signature on
the object. Configuring the signing server to have the public key blobref
is out of scope.