422 lines
14 KiB
Python
422 lines
14 KiB
Python
"""Client-side operations for registry management and direct P2P grants."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import base64
|
|
import json
|
|
import os
|
|
import socket
|
|
import struct
|
|
|
|
import zkac
|
|
from zkac.tcp import FramedSession, client_handshake_anon, server_handshake_anon
|
|
|
|
from . import store
|
|
|
|
|
|
def _b64(data: bytes) -> str:
|
|
return base64.b64encode(data).decode()
|
|
|
|
|
|
def _unb64(s: str) -> bytes:
|
|
return base64.b64decode(s)
|
|
|
|
|
|
def _parse_server(server: str) -> tuple[str, int]:
|
|
host, sep, port_s = server.rpartition(":")
|
|
if not sep:
|
|
raise ValueError(
|
|
f"invalid server {server!r}: expected host:port (e.g. 127.0.0.1:9800). "
|
|
"That is the TCP address of the running node, not the userid from "
|
|
"`zkac-node serve <userid>`."
|
|
)
|
|
try:
|
|
port = int(port_s, 10)
|
|
except ValueError as e:
|
|
raise ValueError(
|
|
f"invalid server {server!r}: port after ':' must be a number (host:port)"
|
|
) from e
|
|
if not 1 <= port <= 65535:
|
|
raise ValueError(f"invalid server port {port}")
|
|
return (host or "127.0.0.1"), port
|
|
|
|
|
|
def _parse_host_port(value: str, name: str) -> tuple[str, int]:
|
|
host, sep, port_s = value.rpartition(":")
|
|
if not sep:
|
|
raise ValueError(f"{name} must be host:port")
|
|
try:
|
|
port = int(port_s, 10)
|
|
except ValueError as e:
|
|
raise ValueError(f"{name} port must be numeric") from e
|
|
if not 1 <= port <= 65535:
|
|
raise ValueError(f"{name} port out of range: {port}")
|
|
return (host or "127.0.0.1"), port
|
|
|
|
|
|
def _proxy_target() -> tuple[str, int] | None:
|
|
raw = os.environ.get("ZKAC_SOCKS5_PROXY", "").strip()
|
|
if not raw:
|
|
return None
|
|
return _parse_host_port(raw, "ZKAC_SOCKS5_PROXY")
|
|
|
|
|
|
def _recv_exact(sock: socket.socket, n: int) -> bytes:
|
|
buf = bytearray()
|
|
while len(buf) < n:
|
|
chunk = sock.recv(n - len(buf))
|
|
if not chunk:
|
|
raise ConnectionError("connection closed during SOCKS5 handshake")
|
|
buf.extend(chunk)
|
|
return bytes(buf)
|
|
|
|
|
|
def _socks5_connect(sock: socket.socket, host: str, port: int):
|
|
sock.sendall(b"\x05\x01\x00")
|
|
hello = _recv_exact(sock, 2)
|
|
if hello != b"\x05\x00":
|
|
raise RuntimeError("SOCKS5 proxy requires unsupported authentication")
|
|
host_b = host.encode("idna")
|
|
if len(host_b) > 255:
|
|
raise ValueError("destination host too long for SOCKS5")
|
|
req = b"\x05\x01\x00\x03" + bytes([len(host_b)]) + host_b + struct.pack(">H", port)
|
|
sock.sendall(req)
|
|
head = _recv_exact(sock, 4)
|
|
if head[0] != 0x05:
|
|
raise RuntimeError("invalid SOCKS5 proxy reply")
|
|
if head[1] != 0x00:
|
|
raise RuntimeError(f"SOCKS5 connect failed (code=0x{head[1]:02x})")
|
|
atyp = head[3]
|
|
if atyp == 0x01:
|
|
_ = _recv_exact(sock, 4 + 2)
|
|
elif atyp == 0x03:
|
|
ln = _recv_exact(sock, 1)[0]
|
|
_ = _recv_exact(sock, ln + 2)
|
|
elif atyp == 0x04:
|
|
_ = _recv_exact(sock, 16 + 2)
|
|
else:
|
|
raise RuntimeError("invalid SOCKS5 address type in reply")
|
|
|
|
|
|
def _connect(host: str, port: int) -> socket.socket:
|
|
proxy = _proxy_target()
|
|
if proxy is None:
|
|
return socket.create_connection((host, port))
|
|
sock = socket.create_connection(proxy)
|
|
try:
|
|
_socks5_connect(sock, host, port)
|
|
return sock
|
|
except Exception:
|
|
sock.close()
|
|
raise
|
|
|
|
|
|
def net_check(target: str, timeout_s: float = 8.0) -> dict:
|
|
"""Connectivity diagnostic for direct/server endpoints, with optional SOCKS5."""
|
|
host, port = _parse_server(target)
|
|
proxy = _proxy_target()
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
sock.settimeout(timeout_s)
|
|
try:
|
|
if proxy is None:
|
|
sock.connect((host, port))
|
|
via = "direct"
|
|
else:
|
|
sock.connect(proxy)
|
|
_socks5_connect(sock, host, port)
|
|
via = f"socks5:{proxy[0]}:{proxy[1]}"
|
|
return {"ok": True, "target": target, "via": via}
|
|
except Exception as exc:
|
|
via = "direct" if proxy is None else f"socks5:{proxy[0]}:{proxy[1]}"
|
|
return {"ok": False, "target": target, "via": via, "error": str(exc)}
|
|
finally:
|
|
sock.close()
|
|
|
|
|
|
def parse_spec(spec: str) -> tuple[str, str, str]:
|
|
"""Parse 'host:port:registry_id:role' into (server, registry_id, role)."""
|
|
parts = spec.rsplit(":", 2)
|
|
if len(parts) != 3:
|
|
raise ValueError(f"invalid spec {spec!r}, expected host:port:registry_id:role")
|
|
return parts[0], parts[1], parts[2]
|
|
|
|
|
|
def _resolve_server_pk(userid: str, server: str) -> zkac.PublicKey:
|
|
pin = store.load_server_pin(userid, server)
|
|
if pin is None:
|
|
raise RuntimeError(
|
|
f"no pinned transport key for {server!r} under client {userid!r} "
|
|
f"(pins are per client identity in ~/.zkac/{userid}/, not the userid "
|
|
"passed to `zkac-node serve <…>` on the server). "
|
|
f"Run: zkac-node server pin {userid} {server} --key <hex>"
|
|
)
|
|
return zkac.PublicKey.from_bytes(_unb64(pin["server_public_key_b64"]))
|
|
|
|
|
|
def _local_node(userid: str) -> zkac.Node:
|
|
ident = store.load_identity(userid)
|
|
keypair = zkac.Keypair.from_secret_key(ident["transport_sk"])
|
|
return zkac.Node(keypair)
|
|
|
|
|
|
def _mgmt_connect(userid: str, server: str) -> tuple[socket.socket, FramedSession]:
|
|
host, port = _parse_server(server)
|
|
sock = _connect(host, port)
|
|
server_pk = _resolve_server_pk(userid, server)
|
|
node = _local_node(userid)
|
|
session = client_handshake_anon(sock, node, server_pk)
|
|
framed = FramedSession(sock, session)
|
|
framed.send(json.dumps({"op": "mgmt"}).encode())
|
|
return sock, framed
|
|
|
|
|
|
def _mgmt_cmd(framed: FramedSession, cmd: dict) -> dict:
|
|
framed.send(json.dumps(cmd).encode())
|
|
return json.loads(framed.recv())
|
|
|
|
|
|
def _mgmt_single(userid: str, server: str, cmd: dict) -> dict:
|
|
sock, framed = _mgmt_connect(userid, server)
|
|
try:
|
|
return _ok(_mgmt_cmd(framed, cmd))
|
|
finally:
|
|
sock.close()
|
|
|
|
|
|
def _ok(resp: dict) -> dict:
|
|
if resp.get("error"):
|
|
raise RuntimeError(resp["error"])
|
|
return resp
|
|
|
|
|
|
# ── Public operations ────────────────────────────────────────────────
|
|
|
|
def create_registry(userid: str, server: str, role_names: list[str]) -> str:
|
|
identity = store.load_identity(userid)
|
|
admin_mat = store.new_admin_material()
|
|
bbs_issuer, bbs_pk, admin_cred = store.reconstruct_admin(admin_mat)
|
|
|
|
role_entries = [(zkac.role_id(name), bbs_pk, 1) for name in role_names]
|
|
state = zkac.RegistryState.build(
|
|
bbs_pk, identity["issuance_pk"], 1, b"\x00" * 32, role_entries,
|
|
)
|
|
state_bytes = state.serialize()
|
|
state_cert = state.certify(admin_cred)
|
|
registry_id = state.registry_id()
|
|
|
|
resp = _mgmt_single(userid, server, {
|
|
"cmd": "create_registry",
|
|
"state_bytes_b64": _b64(state_bytes),
|
|
"state_cert_b64": _b64(bytes(state_cert)),
|
|
})
|
|
|
|
rid_hex = resp["registry_id"]
|
|
store.save_admin(userid, rid_hex, {
|
|
"server": server,
|
|
"roles": role_names,
|
|
**admin_mat,
|
|
})
|
|
return rid_hex
|
|
|
|
|
|
def update_registry(userid: str, server: str, registry_id_hex: str, add_roles: list[str]):
|
|
admin_data = store.load_admin(userid, registry_id_hex)
|
|
bbs_issuer, bbs_pk, admin_cred = store.reconstruct_admin(admin_data)
|
|
identity = store.load_identity(userid)
|
|
|
|
cur = _mgmt_single(userid, server, {
|
|
"cmd": "get_registry", "registry_id": registry_id_hex,
|
|
})
|
|
|
|
old_state = zkac.RegistryState.deserialize(_unb64(cur["state_bytes_b64"]))
|
|
prev_hash = old_state.state_hash()
|
|
new_version = old_state.version() + 1
|
|
|
|
old_roles = admin_data.get("roles", [])
|
|
all_roles = list(old_roles) + [r for r in add_roles if r not in old_roles]
|
|
role_entries = [(zkac.role_id(name), bbs_pk, 1) for name in all_roles]
|
|
|
|
new_state = zkac.RegistryState.build(
|
|
bbs_pk, identity["issuance_pk"], new_version, bytes(prev_hash), role_entries,
|
|
)
|
|
new_cert = new_state.certify(admin_cred)
|
|
|
|
_mgmt_single(userid, server, {
|
|
"cmd": "update_registry",
|
|
"registry_id": registry_id_hex,
|
|
"state_bytes_b64": _b64(new_state.serialize()),
|
|
"state_cert_b64": _b64(bytes(new_cert)),
|
|
})
|
|
|
|
admin_data["roles"] = all_roles
|
|
store.save_admin(userid, registry_id_hex, admin_data)
|
|
|
|
|
|
def get_registry(userid: str, server: str, registry_id_hex: str) -> dict:
|
|
return _mgmt_single(userid, server, {
|
|
"cmd": "get_registry", "registry_id": registry_id_hex,
|
|
})
|
|
|
|
|
|
def list_own_registries(userid: str) -> list[dict]:
|
|
result = []
|
|
for rid in store.list_admin_registries(userid):
|
|
data = store.load_admin(userid, rid)
|
|
result.append({
|
|
"registry_id": rid,
|
|
"server": data.get("server", "?"),
|
|
"roles": data.get("roles", []),
|
|
})
|
|
return result
|
|
|
|
|
|
def grant_p2p(
|
|
userid: str,
|
|
server: str,
|
|
registry_id_hex: str,
|
|
role_name: str,
|
|
recipient_pk_hex: str,
|
|
peer: str,
|
|
peer_transport_pk_hex: str,
|
|
) -> dict:
|
|
admin_data = store.load_admin(userid, registry_id_hex)
|
|
roles = admin_data.get("roles", [])
|
|
if role_name not in roles:
|
|
raise RuntimeError(f"role {role_name!r} not in registry (have: {roles})")
|
|
|
|
bbs_issuer, bbs_pk, admin_cred = store.reconstruct_admin(admin_data)
|
|
role_rid = zkac.role_id(role_name)
|
|
epoch = 1
|
|
|
|
req = zkac.prepare_blind_request()
|
|
blind_sig = bbs_issuer.issue_blind(req.commitment_with_proof(), role_rid, epoch)
|
|
|
|
payload = json.dumps({
|
|
"registry_id": registry_id_hex,
|
|
"role_name": role_name,
|
|
"epoch": epoch,
|
|
"issuer_pk_b64": _b64(bbs_pk.to_bytes()),
|
|
"blind_sig_b64": _b64(blind_sig),
|
|
"member_secret_b64": _b64(req.member_secret()),
|
|
"prover_blind_b64": _b64(req.prover_blind()),
|
|
}).encode()
|
|
|
|
recipient_pk = bytes.fromhex(recipient_pk_hex)
|
|
eph_kp = zkac.IssuanceKeypair()
|
|
ciphertext = eph_kp.encrypt(recipient_pk, payload)
|
|
reg = _mgmt_single(userid, server, {"cmd": "get_registry", "registry_id": registry_id_hex})
|
|
host, port = _parse_server(peer)
|
|
peer_transport_pk = zkac.PublicKey.from_bytes(bytes.fromhex(peer_transport_pk_hex))
|
|
sock = _connect(host, port)
|
|
try:
|
|
session = client_handshake_anon(sock, _local_node(userid), peer_transport_pk)
|
|
framed = FramedSession(sock, session)
|
|
transcript_hash = bytes(session.transcript_hash())
|
|
admin_proof = admin_cred.present(transcript_hash)
|
|
resp = _ok(json.loads(framed.recv()))
|
|
if resp.get("op") != "ready_for_grant":
|
|
raise RuntimeError("peer did not accept grant session")
|
|
framed.send(json.dumps({
|
|
"op": "p2p_grant",
|
|
"registry_id": registry_id_hex,
|
|
"registry_state_bytes_b64": reg["state_bytes_b64"],
|
|
"registry_state_cert_b64": reg["state_cert_b64"],
|
|
"role_name": role_name,
|
|
"eph_pk_b64": _b64(eph_kp.public_key_bytes()),
|
|
"ciphertext_b64": _b64(ciphertext),
|
|
"admin_proof_b64": _b64(admin_proof),
|
|
}).encode())
|
|
ack = _ok(json.loads(framed.recv()))
|
|
finally:
|
|
sock.close()
|
|
return {"status": ack.get("status", "ok"), "peer": peer}
|
|
|
|
|
|
def receive_p2p(userid: str, host: str, port: int) -> dict:
|
|
ident = store.load_identity(userid)
|
|
receiver_kp = zkac.IssuanceKeypair.from_secret(ident["issuance_sk"])
|
|
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
|
listener.bind((host, port))
|
|
listener.listen(1)
|
|
conn, _addr = listener.accept()
|
|
try:
|
|
session = server_handshake_anon(conn, _local_node(userid))
|
|
framed = FramedSession(conn, session)
|
|
framed.send(json.dumps({"ok": True, "op": "ready_for_grant"}).encode())
|
|
msg = _ok(json.loads(framed.recv()))
|
|
if msg.get("op") != "p2p_grant":
|
|
raise RuntimeError("unexpected p2p message")
|
|
registry_id_hex = msg["registry_id"]
|
|
state_bytes = _unb64(msg["registry_state_bytes_b64"])
|
|
state_cert = _unb64(msg["registry_state_cert_b64"])
|
|
mgr = zkac.RegistryManager()
|
|
mgr.restore(state_bytes, state_cert)
|
|
if not mgr.verify_admin(
|
|
bytes.fromhex(registry_id_hex),
|
|
_unb64(msg["admin_proof_b64"]),
|
|
bytes(session.transcript_hash()),
|
|
):
|
|
raise RuntimeError("sender admin proof failed")
|
|
payload = json.loads(
|
|
receiver_kp.decrypt(_unb64(msg["eph_pk_b64"]), _unb64(msg["ciphertext_b64"]))
|
|
)
|
|
cred_data = {
|
|
"blind_sig_b64": payload["blind_sig_b64"],
|
|
"member_secret_b64": payload["member_secret_b64"],
|
|
"prover_blind_b64": payload["prover_blind_b64"],
|
|
"role_name": payload["role_name"],
|
|
"epoch": payload["epoch"],
|
|
"issuer_pk_b64": payload["issuer_pk_b64"],
|
|
}
|
|
cred = store.reconstruct_credential(cred_data)
|
|
cred.present(b"self-test")
|
|
store.save_credential(userid, payload["registry_id"], payload["role_name"], cred_data)
|
|
framed.send(json.dumps({"ok": True, "status": "stored"}).encode())
|
|
return {"registry_id": payload["registry_id"], "role": payload["role_name"]}
|
|
finally:
|
|
conn.close()
|
|
listener.close()
|
|
|
|
|
|
def authenticate(userid: str, registry_id_hex: str, role_name: str,
|
|
server: str | None = None) -> dict:
|
|
admin_data = None
|
|
try:
|
|
admin_data = store.load_admin(userid, registry_id_hex)
|
|
except FileNotFoundError:
|
|
pass
|
|
|
|
if server is None:
|
|
if admin_data and admin_data.get("server"):
|
|
server = admin_data["server"]
|
|
else:
|
|
raise RuntimeError("server address required (--server host:port)")
|
|
|
|
cred_data = store.load_credential_data(userid, registry_id_hex, role_name)
|
|
cred = store.reconstruct_credential(cred_data)
|
|
|
|
server_pk = _resolve_server_pk(userid, server)
|
|
node = zkac.Node(zkac.Keypair())
|
|
host, port = _parse_server(server)
|
|
|
|
sock = _connect(host, port)
|
|
try:
|
|
session = client_handshake_anon(sock, node, server_pk)
|
|
framed = FramedSession(sock, session)
|
|
|
|
transcript_hash = bytes(session.transcript_hash())
|
|
auth_proof = cred.present(transcript_hash)
|
|
role_rid = zkac.role_id(role_name)
|
|
|
|
framed.send(json.dumps({
|
|
"op": "auth",
|
|
"registry_id": registry_id_hex,
|
|
"role_id": role_rid.hex(),
|
|
"bbs_auth_b64": _b64(auth_proof),
|
|
}).encode())
|
|
|
|
return json.loads(framed.recv())
|
|
finally:
|
|
sock.close()
|