diff options
author | Yigit Sever | 2021-04-15 14:30:41 +0300 |
---|---|---|
committer | Yigit Sever | 2021-04-15 14:30:41 +0300 |
commit | 55519b2de267f22f8d1dc8d42116e3075a0e43ab (patch) | |
tree | f19fb1a8cdb44d6fbe32126e407d852c60968558 /src/handlers.rs | |
parent | 343bf9ec1942de4d4453846681d178f2ca7f0790 (diff) | |
download | gradecoin-55519b2de267f22f8d1dc8d42116e3075a0e43ab.tar.gz gradecoin-55519b2de267f22f8d1dc8d42116e3075a0e43ab.tar.bz2 gradecoin-55519b2de267f22f8d1dc8d42116e3075a0e43ab.zip |
Cleaned up user authentication
Removed TODOs, unrolled unwraps
Diffstat (limited to 'src/handlers.rs')
-rw-r--r-- | src/handlers.rs | 136 |
1 files changed, 122 insertions, 14 deletions
diff --git a/src/handlers.rs b/src/handlers.rs index 848cb75..515caa5 100644 --- a/src/handlers.rs +++ b/src/handlers.rs | |||
@@ -60,9 +60,9 @@ const BEARER: &str = "Bearer "; | |||
60 | /// public_key: "---BEGIN PUBLIC KEY..." | 60 | /// public_key: "---BEGIN PUBLIC KEY..." |
61 | /// } | 61 | /// } |
62 | /// | 62 | /// |
63 | /// - Encrypts the serialized string of `auth_plaintext` with 128 bit block AES in CBC mode with Pkcs7 padding using the temporary key (`k_temp`), the result is `auth_ciphertext` TODO should this be base64'd? | 63 | /// - Encrypts the serialized string of `auth_plaintext` with 128 bit block AES in CBC mode with Pkcs7 padding using the temporary key (`k_temp`), the result is `auth_ciphertext` |
64 | /// - The temporary key student has picked `k_temp` is encrypted using RSA with OAEP padding scheme | 64 | /// - The temporary key student has picked `k_temp` is encrypted using RSA with OAEP padding scheme |
65 | /// using sha256 with `gradecoin_public_key` (TODO base64? same as above), giving us `key_ciphertext` | 65 | /// using sha256 with `gradecoin_public_key`, giving us `key_ciphertext` |
66 | /// - The payload JSON object (`auth_request`) can be JSON serialized now: | 66 | /// - The payload JSON object (`auth_request`) can be JSON serialized now: |
67 | /// { | 67 | /// { |
68 | /// c: "auth_ciphertext" | 68 | /// c: "auth_ciphertext" |
@@ -103,18 +103,126 @@ pub async fn authenticate_user( | |||
103 | let gradecoin_private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key"); | 103 | let gradecoin_private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key"); |
104 | 104 | ||
105 | let padding = PaddingScheme::new_oaep::<sha2::Sha256>(); | 105 | let padding = PaddingScheme::new_oaep::<sha2::Sha256>(); |
106 | let temp_key = gradecoin_private_key | 106 | |
107 | .decrypt(padding, &request.key.as_bytes()) | 107 | let key_ciphertext = match base64::decode(&request.key) { |
108 | .expect("failed to decrypt"); | 108 | Ok(c) => c, |
109 | 109 | Err(err) => { | |
110 | // decrypt c using key dec_key | 110 | debug!( |
111 | let cipher = Aes128Cbc::new_var(&temp_key, &request.iv.as_bytes()).unwrap(); | 111 | "The ciphertext of the key was not base64 encoded {}, {}", |
112 | let auth_plaintext = cipher | 112 | &request.key, err |
113 | .decrypt_vec(&base64::decode(request.c).unwrap()) | 113 | ); |
114 | .unwrap(); | 114 | |
115 | 115 | let res_json = warp::reply::json(&GradeCoinResponse { | |
116 | let request: AuthRequest = | 116 | res: ResponseType::Error, |
117 | serde_json::from_str(&String::from_utf8(auth_plaintext).unwrap()).unwrap(); | 117 | message: "The ciphertext of the key was not base64 encoded {}, {}".to_owned(), |
118 | }); | ||
119 | |||
120 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
121 | } | ||
122 | }; | ||
123 | |||
124 | let temp_key = match gradecoin_private_key.decrypt(padding, &key_ciphertext) { | ||
125 | Ok(k) => k, | ||
126 | Err(err) => { | ||
127 | debug!( | ||
128 | "Failed to decrypt ciphertext {:?}, {}", | ||
129 | &key_ciphertext, err | ||
130 | ); | ||
131 | |||
132 | let res_json = warp::reply::json(&GradeCoinResponse { | ||
133 | res: ResponseType::Error, | ||
134 | message: "Failed to decrypt the ciphertext of the temporary key".to_owned(), | ||
135 | }); | ||
136 | |||
137 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
138 | } | ||
139 | }; | ||
140 | |||
141 | let cipher = match Aes128Cbc::new_var(&temp_key, &request.iv.as_bytes()) { | ||
142 | Ok(c) => c, | ||
143 | Err(err) => { | ||
144 | debug!( | ||
145 | "Could not create a cipher from temp_key and request.iv {:?}, {}, {}", | ||
146 | &temp_key, &request.iv, err | ||
147 | ); | ||
148 | |||
149 | let res_json = warp::reply::json(&GradeCoinResponse { | ||
150 | res: ResponseType::Error, | ||
151 | message: "Given IV has invalid length".to_owned(), | ||
152 | }); | ||
153 | |||
154 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
155 | } | ||
156 | }; | ||
157 | |||
158 | let auth_packet = match base64::decode(&request.c) { | ||
159 | Ok(a) => a, | ||
160 | |||
161 | Err(err) => { | ||
162 | debug!( | ||
163 | "The auth_packet (c field) did not base64 decode {} {}", | ||
164 | &request.c, err | ||
165 | ); | ||
166 | |||
167 | let res_json = warp::reply::json(&GradeCoinResponse { | ||
168 | res: ResponseType::Error, | ||
169 | message: "The c field was not correctly base64 encoded".to_owned(), | ||
170 | }); | ||
171 | |||
172 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
173 | } | ||
174 | }; | ||
175 | |||
176 | let auth_plaintext = match cipher.decrypt_vec(&auth_packet) { | ||
177 | Ok(p) => p, | ||
178 | Err(err) => { | ||
179 | debug!( | ||
180 | "Base64 decoded auth request did not decrypt correctly {:?} {}", | ||
181 | &auth_packet, err | ||
182 | ); | ||
183 | |||
184 | let res_json = warp::reply::json(&GradeCoinResponse { | ||
185 | res: ResponseType::Error, | ||
186 | message: "The Bas64 decoded auth request did not decrypt correctly".to_owned(), | ||
187 | }); | ||
188 | |||
189 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
190 | } | ||
191 | }; | ||
192 | |||
193 | let utf8_auth_plaintext = match String::from_utf8(auth_plaintext.clone()) { | ||
194 | Ok(text) => text, | ||
195 | Err(err) => { | ||
196 | debug!( | ||
197 | "Auth plaintext did not convert into utf8 {:?} {}", | ||
198 | &auth_plaintext, err | ||
199 | ); | ||
200 | |||
201 | let res_json = warp::reply::json(&GradeCoinResponse { | ||
202 | res: ResponseType::Error, | ||
203 | message: "Auth plaintext couldn't get converted to UTF-8".to_owned(), | ||
204 | }); | ||
205 | |||
206 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
207 | } | ||
208 | }; | ||
209 | |||
210 | let request: AuthRequest = match serde_json::from_str(&utf8_auth_plaintext) { | ||
211 | Ok(req) => req, | ||
212 | Err(err) => { | ||
213 | debug!( | ||
214 | "Auth plaintext did not serialize correctly {:?} {}", | ||
215 | &utf8_auth_plaintext, err | ||
216 | ); | ||
217 | |||
218 | let res_json = warp::reply::json(&GradeCoinResponse { | ||
219 | res: ResponseType::Error, | ||
220 | message: "The auth request JSON did not serialize correctly".to_owned(), | ||
221 | }); | ||
222 | |||
223 | return Ok(warp::reply::with_status(res_json, StatusCode::BAD_REQUEST)); | ||
224 | } | ||
225 | }; | ||
118 | 226 | ||
119 | let provided_id = request.student_id.clone(); | 227 | let provided_id = request.student_id.clone(); |
120 | 228 | ||