// When signing is disabled this is almost done
if (!sign_answers) {
- try {
- return (CfgSeDhcp6(sign_answers,
- timestamp_answers,
- check_signatures,
- check_authorizations,
- check_timestamps,
- online_validation));
- } catch (const std::exception& ex) {
- isc_throw(DhcpConfigError, "Failed to build the secure "
- "DHCPv6 configuration state: " << ex.what());
- } catch (...) {
- isc_throw(DhcpConfigError, "Failed to build the secure "
- "DHCPv6 configuration state");
- }
- // unreachable
+ try {
+ return (CfgSeDhcp6(sign_answers,
+ timestamp_answers,
+ check_signatures,
+ check_authorizations,
+ check_timestamps,
+ online_validation));
+ } catch (const std::exception& ex) {
+ isc_throw(DhcpConfigError, "Failed to build the secure "
+ "DHCPv6 configuration state: " << ex.what());
+ } catch (...) {
+ isc_throw(DhcpConfigError, "Failed to build the secure "
+ "DHCPv6 configuration state");
+ }
+ // unreachable
}
// Signing is enabled, we need more
CryptoLink& crypto = CryptoLink::getCryptoLink();
std::ostringstream errmsg;
try {
- errmsg.str("Failed to get the private key from '");
+ errmsg << "Failed to get the private key from '";
errmsg << private_key.c_str() << "'";
AsymPtr priv_key(crypto.createAsym(private_key,
"",
ASN1),
deleteAsym);
- errmsg.str("Failed to get the ");
+ errmsg.str("");
+ errmsg << "Failed to get the ";
errmsg << (public_key.empty() ? "certificate" : "public key")
- << " from '" << credential.c_str() << "'";
+ << " from '" << credential.c_str() << "'";
AsymPtr cred(crypto.createAsym(credential,
"",
signature_algorithm,
ASN1),
deleteAsym);
- errmsg.str("Failed to build the secure DHCPv6 configuration state");
- return (CfgSeDhcp6(sign_answers,
- timestamp_answers,
- check_signatures,
- check_authorizations,
- check_timestamps,
- online_validation,
- priv_key,
- cred));
+ errmsg.str("");
+ errmsg << "Mismatch between the private key and the";
+ errmsg << (public_key.empty() ? "certificate" : "public key");
+ if (!priv_key->compare(cred.get(), PUBLIC)) {
+ isc_throw(DhcpConfigError, errmsg.str());
+ }
+
+ errmsg.str("");
+ errmsg << "Failed to build the secure DHCPv6 configuration state";
+ return (CfgSeDhcp6(sign_answers,
+ timestamp_answers,
+ check_signatures,
+ check_authorizations,
+ check_timestamps,
+ online_validation,
+ priv_key,
+ cred));
+ } catch (const DhcpConfigError&) {
+ throw;
} catch (const std::exception& ex) {
isc_throw(DhcpConfigError, errmsg << ": " << ex.what());
} catch (...) {
- isc_throw(DhcpConfigError, errmsg);
+ isc_throw(DhcpConfigError, errmsg.str());
}
// unreachable
}
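Review bot: The `catch (const std::exception& ex)` handler near the end of this hunk still passes `errmsg << ": " << ex.what()` to `isc_throw`, while the commit changes the `catch (...)` handler to pass `errmsg.str()`. If `isc_throw` streams its second argument into its own stream, as that fix suggests, the stream object rather than its text is inserted here, so the error would not name the key or credential path that failed to load. `isc_throw(DhcpConfigError, errmsg.str() << ": " << ex.what());` would match the other handler. The new mismatch message also lacks a space: `"Mismatch between the private key and the"` is followed directly by `"certificate"` or `"public key"`, so the first literal needs a trailing space. The enclosing function starts outside the hunk.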
EXPECT_EQ(pub_key->getAsymKeyKind(), PUBLIC);
}
+// This test checks another public key config
+TEST_F(SeDhcp6ParserTest, fullPubKeyBadKey) {
+ std::string config = "{ \"sign-answers\": true,"
+ " \"private-key\": \"" SEDHCP6_DATA_DIR "/priv2.pem\","
+ " \"public-key\": \"" SEDHCP6_DATA_DIR "/pub.pem\" }";
+
+ ElementPtr config_element = Element::fromJSON(config);
+
+ SeDhcp6Parser parser("secure-dhcp6", Option::V6);
+ ASSERT_NO_THROW(parser.build(config_element));
+
+ // Keys don't match
+ ASSERT_THROW(parser.commit(), DhcpConfigError);
+}
+
// This test checks the parsing of a full config using a certificate
TEST_F(SeDhcp6ParserTest, fullWithCertificate) {
std::string config = "{ \"sign-answers\": true,"
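Review bot: `ASSERT_THROW(parser.commit(), DhcpConfigError)` in `fullPubKeyBadKey` passes for any `DhcpConfigError`, so it does not show that the key-mismatch check is what rejected the configuration. Judging by the parser change, a missing or unreadable `priv2.pem` would apparently raise the same exception type. Catching the exception and checking that `what()` contains the mismatch text would pin the test to the new check. The header comment would be clearer as `// This test checks that a private key not matching the public key is rejected`.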
--- /dev/null
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
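Review bot: This new file adds a PEM private key to the source tree, and nothing visible marks it as test-only. It is presumably the `priv2.pem` fixture used by `fullPubKeyBadKey`, but the file header is not visible here, so the path is inferred. The test data directory's documentation should state that the key was generated for the test suite and must never be used to sign DHCPv6 answers in a deployment. Listing the fixture path in the project's secret-scanning allowlist would keep genuine key leaks from being lost among expected hits.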