// This function performs the following checks on a secret disclosure directive.
// (1) the directive signature is valid with respect to signerKey of directive
// (2) Either
// - policyKey matches the signerKey of directive
// - directive cert is a valid program cert (signed by policyKey) certifying the signerKey
// of directive as belonging to 'delegator'
// (3) the directive message is a statement of the form:
// 'policyKey/'delegator' says delegate can read protectedObjectId'
// where delegate is a Tao Principal and protectedObjectId is a (serialized) protected
// object message id.
func VerifySecretDisclosureDirective(policyKey *tao.Keys, directive *DirectiveMessage) (*auth.Prin,
*auth.Prin, *string, *po.ObjectIdMessage, error) {
// Check type of directive
if directive.Type == nil || *(directive.Type) != DirectiveMessage_SECRET_DISCLOSURE {
return nil, nil, nil, nil, errors.New(
"secret_disclosure: directive not of secret disclosure type.")
}
var verifier *tao.Verifier
var delegatorStr string
// Check directive signer matches policy key.
if bytes.Compare(
auth.Marshal(policyKey.SigningKey.ToPrincipal()), directive.GetSigner()) == 0 {
verifier = policyKey.SigningKey.GetVerifier()
delegatorStr = verifier.ToPrincipal().String()
} else {
// Check if program cert is valid, signed by policy key,
// cert public key matches signer and cert name matches speaker
// of says statement.
cert, err := x509.ParseCertificate(directive.Cert)
if err != nil {
return nil, nil, nil, nil, errors.New(
"error parsing directive program cert")
}
rootCert := x509.NewCertPool()
rootCert.AddCert(policyKey.Cert)
verifyOptions := x509.VerifyOptions{Roots: rootCert}
_, err = cert.Verify(verifyOptions)
if err != nil {
return nil, nil, nil, nil, errors.New(
"program cert not valid")
}
verifier, err = tao.FromX509(cert)
delegatorStr = cert.Subject.CommonName
if err != nil {
return nil, nil, nil, nil, err
}
if bytes.Compare(auth.Marshal(verifier.ToPrincipal()), directive.GetSigner()) != 0 {
return nil, nil, nil, nil, errors.New(
"secret_disclosure: directive signer doesn't match program key.")
}
}
// Verify signature.
ok, err := verifier.Verify(directive.GetSerializedStatement(), SigningContext,
directive.GetSignature())
if err != nil {
return nil, nil, nil, nil, err
}
if !ok {
return nil, nil, nil, nil,
errors.New("secret_disclosure: directive signature check failed.")
}
// Validate and return statement.
statement, err := auth.UnmarshalForm(directive.GetSerializedStatement())
if err != nil {
return nil, nil, nil, nil, err
}
var saysStatement *auth.Says
if ptr, ok := statement.(*auth.Says); ok {
saysStatement = ptr
} else if val, ok := statement.(auth.Says); ok {
saysStatement = &val
} else {
return nil, nil, nil, nil,
errors.New("secret_disclosure: directive statement not a 'Says'")
}
stmtSpeaker, ok := saysStatement.Speaker.(auth.Prin)
if !ok {
return nil, nil, nil, nil,
errors.New("secret_disclosure: directive speaker not a 'Prin'")
}
if stmtSpeaker.String() != delegatorStr {
return nil, nil, nil, nil, errors.New(
"secret_disclosure: directive statement speaker does not match signer")
}
pred, ok := saysStatement.Message.(auth.Pred)
if !ok {
return nil, nil, nil, nil,
errors.New("secret_disclosure: directive message not a 'Pred'")
}
predName := pred.Name
if predName == "" {
return nil, nil, nil, nil,
errors.New("secret_disclosure: directive predicate name is empty")
}
if len(pred.Arg) != 2 {
return nil, nil, nil, nil,
errors.New("secret_disclosure: directive predicate doesn't have 2 terms")
}
delegateName, ok := pred.Arg[0].(auth.Prin)
if !ok {
return nil, nil, nil, nil, errors.New(
"secret_disclosure: directive delegateName Term not of type auth.Prin.")
}
serializedObjId, ok := pred.Arg[1].(auth.Bytes)
if !ok {
return nil, nil, nil, nil, errors.New(
"secret_disclosure: directive ObjId Term not of type []byte.")
}
protectedObjId := po.ObjectIdMessage{}
err = proto.Unmarshal(serializedObjId, &protectedObjId)
if err != nil {
return nil, nil, nil, nil, errors.New(
"secret_disclosure: error deserializing protected ObjId.")
}
return &stmtSpeaker, &delegateName, &predName, &protectedObjId, nil
}
