veyron/services/identity,veyron{2}/security: Switch from vom to vom2.
Change-Id: I5ccadd9d847208d879651a0230288f77f7472ba2
diff --git a/security/principal_test.go b/security/principal_test.go
index 741911f..3b3100c 100644
--- a/security/principal_test.go
+++ b/security/principal_test.go
@@ -44,18 +44,6 @@
os.RemoveAll(dir)
}
-// This Test checks that the all changes made to the principal's serialization
-// format stay backwards compatible.
-//
-// The 'testdata' directory used by this test was generated using the
-// principal tool as part of CL #6820.
-// $VANADIUM_ROOT/release/go/bin/principal create testdata test
-func TestLoadPersistentPrincipalBackwardsCompatibility(t *testing.T) {
- if _, err := LoadPersistentPrincipal("./testdata", nil); err != nil {
- t.Fatal("LoadPersistentPrincipal is not backwards compatible: failed to read serialized principal data from CL #6820")
- }
-}
-
func TestCreatePersistentPrincipal(t *testing.T) {
tests := []struct {
Message, Passphrase []byte
diff --git a/security/serialization/signing_writer.go b/security/serialization/signing_writer.go
index 21a7762..a13aec8 100644
--- a/security/serialization/signing_writer.go
+++ b/security/serialization/signing_writer.go
@@ -9,33 +9,29 @@
"io"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
const defaultChunkSizeBytes = 1 << 20
-type header struct {
- ChunkSizeBytes int
-}
-
// signingWriter implements io.WriteCloser.
type signingWriter struct {
data io.WriteCloser
signature io.WriteCloser
signer Signer
- chunkSizeBytes int
+ chunkSizeBytes int64
curChunk bytes.Buffer
signatureHash hash.Hash
- sigEnc *vom.Encoder
+ sigEnc *vom2.Encoder
}
func (w *signingWriter) Write(p []byte) (int, error) {
bytesWritten := 0
for len(p) > 0 {
pLimited := p
- curChunkFreeBytes := w.chunkSizeBytes - w.curChunk.Len()
- if len(pLimited) > curChunkFreeBytes {
+ curChunkFreeBytes := w.chunkSizeBytes - int64(w.curChunk.Len())
+ if int64(len(pLimited)) > curChunkFreeBytes {
pLimited = pLimited[:curChunkFreeBytes]
}
@@ -71,7 +67,7 @@
type Options struct {
// ChunkSizeBytes controls the maximum amount of memory devoted to buffering
// data provided to Write calls. See NewSigningWriteCloser.
- ChunkSizeBytes int
+ ChunkSizeBytes int64
}
// Signer is the interface for digital signature operations used by NewSigningWriteCloser.
@@ -92,7 +88,11 @@
if (data == nil) || (signature == nil) || (s == nil) {
return nil, fmt.Errorf("data:%v signature:%v signer:%v cannot be nil", data, signature, s)
}
- w := &signingWriter{data: data, signature: signature, signer: s, signatureHash: sha256.New(), chunkSizeBytes: defaultChunkSizeBytes, sigEnc: vom.NewEncoder(signature)}
+ enc, err := vom2.NewBinaryEncoder(signature)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create new encoder: %v", err)
+ }
+ w := &signingWriter{data: data, signature: signature, signer: s, signatureHash: sha256.New(), chunkSizeBytes: defaultChunkSizeBytes, sigEnc: enc}
if opts != nil {
w.chunkSizeBytes = opts.ChunkSizeBytes
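Review bot: opts.ChunkSizeBytes is copied into w.chunkSizeBytes without any range check, and now that the field is int64 it flows straight into the slice bound in Write (`pLimited[:curChunkFreeBytes]`) and into the signed header; a zero or negative value appears to make that bound non-positive, so Write either panics or produces an empty slice and cannot make progress. Unless the lines below the hunk already reject it, guard the assignment: `if opts.ChunkSizeBytes <= 0 { return nil, fmt.Errorf("ChunkSizeBytes must be positive, got %d", opts.ChunkSizeBytes) }`. NewSigningWriteCloser's body continues past the end of the hunk.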
@@ -108,14 +108,14 @@
if err := binary.Write(w.signatureHash, binary.LittleEndian, int64(w.chunkSizeBytes)); err != nil {
return err
}
- if err := w.sigEnc.Encode(header{w.chunkSizeBytes}); err != nil {
+ if err := w.sigEnc.Encode(SignedHeader{w.chunkSizeBytes}); err != nil {
return err
}
return nil
}
func (w *signingWriter) commitChunk(force bool) error {
- if !force && w.curChunk.Len() < w.chunkSizeBytes {
+ if !force && int64(w.curChunk.Len()) < w.chunkSizeBytes {
return nil
}
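Review bot: The `int64(w.chunkSizeBytes)` conversion in the binary.Write call is now a no-op because the field itself became int64 in this commit, and the reader side of the same change (verifying_reader.go) dropped the equivalent cast; drop it here too so the two sides read alike, `if err := binary.Write(w.signatureHash, binary.LittleEndian, w.chunkSizeBytes); err != nil {`. On the next line the generated type is built with a positional literal, `SignedHeader{w.chunkSizeBytes}`; a keyed literal, `SignedHeader{ChunkSizeBytes: w.chunkSizeBytes}`, would survive a future field being added to the .vdl without silently shifting meaning. The same applies to `SignedDataHash{hashBytes}` and `SignedDataSignature{sig}` in the following hunks.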
@@ -126,7 +126,7 @@
if _, err := w.signatureHash.Write(hashBytes[:]); err != nil {
return err
}
- return w.sigEnc.Encode(hashBytes)
+ return w.sigEnc.Encode(SignedDataHash{hashBytes})
}
func (w *signingWriter) commitSignature() error {
@@ -135,7 +135,7 @@
return fmt.Errorf("signing failed: %s", err)
}
- return w.sigEnc.Encode(sig)
+ return w.sigEnc.Encode(SignedDataSignature{sig})
}
func (w *signingWriter) close() error {
diff --git a/security/serialization/types.vdl b/security/serialization/types.vdl
new file mode 100644
index 0000000..2033af3
--- /dev/null
+++ b/security/serialization/types.vdl
@@ -0,0 +1,13 @@
+package serialization
+
+import "v.io/core/veyron2/security"
+
+type SignedHeader struct {
+ ChunkSizeBytes int64
+}
+
+// SignedData describes the information sent by a SigningWriter and read by VerifiyingReader.
+type SignedData union {
+ Signature security.Signature
+ Hash [32]byte
+}
\ No newline at end of file
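Review bot: The doc comment on SignedData misspells the reader type (`VerifiyingReader`) and the file has no trailing newline; SignedHeader and the two union fields carry no comments at all even though this file now defines the on-disk signature format. Suggest `// SignedData describes the information sent by a SigningWriter and read by a VerifyingReader.`, `// SignedHeader is the first value in a signature stream; ChunkSizeBytes is the size of the data chunks whose digests follow.`, and `// Hash is the SHA-256 digest of one chunk of the signed data.` Since the generated code assigns each union field a fixed index, it is worth a one-line note that field order is part of the encoding and must not be changed.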
diff --git a/security/serialization/types.vdl.go b/security/serialization/types.vdl.go
new file mode 100644
index 0000000..f73ef5c
--- /dev/null
+++ b/security/serialization/types.vdl.go
@@ -0,0 +1,64 @@
+// This file was auto-generated by the veyron vdl tool.
+// Source: types.vdl
+
+package serialization
+
+import (
+ "v.io/core/veyron2/security"
+
+ // The non-user imports are prefixed with "__" to prevent collisions.
+ __vdl "v.io/core/veyron2/vdl"
+)
+
+type SignedHeader struct {
+ ChunkSizeBytes int64
+}
+
+func (SignedHeader) __VDLReflect(struct {
+ Name string "v.io/core/veyron/security/serialization.SignedHeader"
+}) {
+}
+
+type (
+ // SignedData represents any single field of the SignedData union type.
+ //
+ // SignedData describes the information sent by a SigningWriter and read by VerifiyingReader.
+ SignedData interface {
+ // Index returns the field index.
+ Index() int
+ // Interface returns the field value as an interface.
+ Interface() interface{}
+ // Name returns the field name.
+ Name() string
+ // __VDLReflect describes the SignedData union type.
+ __VDLReflect(__SignedDataReflect)
+ }
+ // SignedDataSignature represents field Signature of the SignedData union type.
+ SignedDataSignature struct{ Value security.Signature }
+ // SignedDataHash represents field Hash of the SignedData union type.
+ SignedDataHash struct{ Value [32]byte }
+ // __SignedDataReflect describes the SignedData union type.
+ __SignedDataReflect struct {
+ Name string "v.io/core/veyron/security/serialization.SignedData"
+ Type SignedData
+ Union struct {
+ Signature SignedDataSignature
+ Hash SignedDataHash
+ }
+ }
+)
+
+func (x SignedDataSignature) Index() int { return 0 }
+func (x SignedDataSignature) Interface() interface{} { return x.Value }
+func (x SignedDataSignature) Name() string { return "Signature" }
+func (x SignedDataSignature) __VDLReflect(__SignedDataReflect) {}
+
+func (x SignedDataHash) Index() int { return 1 }
+func (x SignedDataHash) Interface() interface{} { return x.Value }
+func (x SignedDataHash) Name() string { return "Hash" }
+func (x SignedDataHash) __VDLReflect(__SignedDataReflect) {}
+
+func init() {
+ __vdl.Register(SignedHeader{})
+ __vdl.Register(SignedData(SignedDataSignature{security.Signature{}}))
+}
diff --git a/security/serialization/verifying_reader.go b/security/serialization/verifying_reader.go
index a9bfc34..5da2ab2 100644
--- a/security/serialization/verifying_reader.go
+++ b/security/serialization/verifying_reader.go
@@ -9,15 +9,14 @@
"io"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vdl/vdlutil"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
// verifyingReader implements io.Reader.
type verifyingReader struct {
data io.Reader
- chunkSizeBytes int
+ chunkSizeBytes int64
curChunk bytes.Buffer
hashes bytes.Buffer
}
@@ -77,21 +76,23 @@
}
func (r *verifyingReader) verifySignature(signature io.Reader, key security.PublicKey) error {
- dec := vom.NewDecoder(signature)
signatureHash := sha256.New()
-
- var h header
+ dec, err := vom2.NewDecoder(signature)
+ if err != nil {
+ return fmt.Errorf("failed to create new decoder: %v", err)
+ }
+ var h SignedHeader
if err := dec.Decode(&h); err != nil {
return fmt.Errorf("failed to decode header: %v", err)
}
r.chunkSizeBytes = h.ChunkSizeBytes
- if err := binary.Write(signatureHash, binary.LittleEndian, int64(r.chunkSizeBytes)); err != nil {
+ if err := binary.Write(signatureHash, binary.LittleEndian, r.chunkSizeBytes); err != nil {
return err
}
var signatureFound bool
for !signatureFound {
- var i interface{}
+ var i SignedData
if err := dec.Decode(&i); err == io.EOF {
break
} else if err != nil {
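Review bot: h.ChunkSizeBytes is stored into r.chunkSizeBytes straight out of the decoded header, before the signature that covers it has been checked and without any range check, so a crafted signature stream can set it to zero, a negative number or an arbitrarily large int64 and nothing in this hunk rejects that before the reader relies on it. Reject it where it enters: `if h.ChunkSizeBytes <= 0 { return fmt.Errorf("invalid chunk size %d in signed header", h.ChunkSizeBytes) }` immediately after the Decode. The running hash still covers the value, so tampering is eventually caught in the Signature case, but the bound check should not depend on getting that far. verifySignature's type switch continues below the hunk.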
@@ -99,13 +100,13 @@
}
switch v := i.(type) {
- case [sha256.Size]byte:
- if _, err := io.MultiWriter(&r.hashes, signatureHash).Write(v[:]); err != nil {
+ case SignedDataHash:
+ if _, err := io.MultiWriter(&r.hashes, signatureHash).Write(v.Value[:]); err != nil {
return err
}
- case security.Signature:
+ case SignedDataSignature:
signatureFound = true
- if !v.Verify(key, signatureHash.Sum(nil)) {
+ if !v.Value.Verify(key, signatureHash.Sum(nil)) {
return errors.New("signature verification failed")
}
default:
@@ -118,7 +119,3 @@
}
return nil
}
-
-func init() {
- vdlutil.Register([sha256.Size]byte{})
-}
diff --git a/security/storage.go b/security/storage.go
index 75963ec..c37945f 100644
--- a/security/storage.go
+++ b/security/storage.go
@@ -6,7 +6,7 @@
"v.io/core/veyron/security/serialization"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
func encodeAndStore(obj interface{}, data, signature io.WriteCloser, signer serialization.Signer) error {
@@ -17,7 +17,12 @@
if err != nil {
return err
}
- if err := vom.NewEncoder(swc).Encode(obj); err != nil {
+ enc, err := vom2.NewBinaryEncoder(swc)
+ if err != nil {
+ swc.Close()
+ return err
+ }
+ if err := enc.Encode(obj); err != nil {
swc.Close()
return err
}
@@ -34,5 +39,9 @@
if err != nil {
return err
}
- return vom.NewDecoder(vr).Decode(obj)
+ dec, err := vom2.NewDecoder(vr)
+ if err != nil {
+ return err
+ }
+ return dec.Decode(obj)
}
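Review bot: Decoding persisted principal data with vom2.NewDecoder here means a data/signature pair written by the previous vom encoder is no longer readable, and this commit removes the backwards-compatibility test and its testdata instead of adding format detection or a migration path, so existing on-disk principals will fail at this Decode with a bare error. At minimum wrap it so the failure is diagnosable, e.g. `return fmt.Errorf("failed to decode persisted data (serialization format changed to vom2): %v", err)` if fmt is in scope in this file, and call out the break in the commit message. The enclosing function starts before the hunk.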
diff --git a/security/testdata/blessingroots.data b/security/testdata/blessingroots.data
deleted file mode 100644
index 433594c..0000000
--- a/security/testdata/blessingroots.data
+++ /dev/null
Binary files differ
diff --git a/security/testdata/blessingroots.sig b/security/testdata/blessingroots.sig
deleted file mode 100644
index b1419bb..0000000
--- a/security/testdata/blessingroots.sig
+++ /dev/null
Binary files differ
diff --git a/security/testdata/blessingstore.data b/security/testdata/blessingstore.data
deleted file mode 100644
index d8c9e3d..0000000
--- a/security/testdata/blessingstore.data
+++ /dev/null
Binary files differ
diff --git a/security/testdata/blessingstore.sig b/security/testdata/blessingstore.sig
deleted file mode 100644
index 9be22d7..0000000
--- a/security/testdata/blessingstore.sig
+++ /dev/null
Binary files differ
diff --git a/security/testdata/privatekey.pem b/security/testdata/privatekey.pem
deleted file mode 100644
index 597e66a..0000000
--- a/security/testdata/privatekey.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIHHFWtYvzxb29atRvtBlO6uH/0L7dlVJSDKcy0V5jLI1oAoGCCqGSM49
-AwEHoUQDQgAEA/DsAoI91h8WEYxv4FZK9gr4V2MTcpEfZOurMdt5yGJwJJ48p/XM
-g7ATOw4WzFg7FyR8UrqiXobztsacg9wJiQ==
------END EC PRIVATE KEY-----
diff --git a/security/util.go b/security/util.go
index 0ba2fbd..40e37b6 100644
--- a/security/util.go
+++ b/security/util.go
@@ -1,7 +1,6 @@
package security
import (
- "bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
@@ -13,7 +12,7 @@
"io/ioutil"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
const ecPrivateKeyPEMType = "EC PRIVATE KEY"
@@ -100,7 +99,7 @@
var tpCaveats []security.ThirdPartyCaveat
for _, c := range caveats {
var t security.ThirdPartyCaveat
- if err := vom.NewDecoder(bytes.NewReader(c.ValidatorVOM)).Decode(&t); err != nil {
+ if err := vom2.Decode(c.ValidatorVOM, &t); err != nil {
continue
}
tpCaveats = append(tpCaveats, t)
diff --git a/services/identity/auditor/blessing_auditor.go b/services/identity/auditor/blessing_auditor.go
index 144cf1b..4463772 100644
--- a/services/identity/auditor/blessing_auditor.go
+++ b/services/identity/auditor/blessing_auditor.go
@@ -1,7 +1,6 @@
package auditor
import (
- "bytes"
"database/sql"
"fmt"
"strings"
@@ -10,7 +9,7 @@
vsecurity "v.io/core/veyron/security"
"v.io/core/veyron/security/audit"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
// BlessingLogReader provides the Read method to read audit logs.
@@ -93,19 +92,12 @@
if blessings, ok = entry.Results[0].(security.Blessings); !ok {
return d, fmt.Errorf("failed to extract result blessing")
}
- {
- var buf bytes.Buffer
- if err := vom.NewEncoder(&buf).Encode(security.MarshalBlessings(blessings)); err != nil {
- return d, err
- }
- d.blessings = buf.Bytes()
+ var err error
+ if d.blessings, err = vom2.Encode(security.MarshalBlessings(blessings)); err != nil {
+ return d, err
}
- {
- var buf bytes.Buffer
- if err := vom.NewEncoder(&buf).Encode(caveats); err != nil {
- return d, err
- }
- d.caveats = buf.Bytes()
+ if d.caveats, err = vom2.Encode(caveats); err != nil {
+ return d, err
}
return d, nil
}
@@ -120,13 +112,13 @@
}
var wireBlessings security.WireBlessings
var err error
- if err = vom.NewDecoder(bytes.NewBuffer(dbentry.blessings)).Decode(&wireBlessings); err != nil {
+ if err = vom2.Decode(dbentry.blessings, &wireBlessings); err != nil {
return BlessingEntry{DecodeError: fmt.Errorf("failed to decode blessings: %s", err)}
}
if b.Blessings, err = security.NewBlessings(wireBlessings); err != nil {
return BlessingEntry{DecodeError: fmt.Errorf("failed to construct blessings: %s", err)}
}
- if err = vom.NewDecoder(bytes.NewBuffer(dbentry.caveats)).Decode(&b.Caveats); err != nil {
+ if err = vom2.Decode(dbentry.caveats, &b.Caveats); err != nil {
return BlessingEntry{DecodeError: fmt.Errorf("failed to decode caveats: %s", err)}
}
b.RevocationCaveatID = revocationCaveatID(b.Caveats)
diff --git a/services/identity/blesser/macaroon.go b/services/identity/blesser/macaroon.go
index 2ae48fb..4e58635 100644
--- a/services/identity/blesser/macaroon.go
+++ b/services/identity/blesser/macaroon.go
@@ -1,7 +1,6 @@
package blesser
import (
- "bytes"
"fmt"
"time"
@@ -10,7 +9,7 @@
"v.io/core/veyron2/ipc"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
type macaroonBlesser struct {
@@ -37,7 +36,7 @@
return empty, err
}
var m BlessingMacaroon
- if err := vom.NewDecoder(bytes.NewBuffer(inputs)).Decode(&m); err != nil {
+ if err := vom2.Decode(inputs, &m); err != nil {
return empty, err
}
if time.Now().After(m.Creation.Add(time.Minute * 5)) {
diff --git a/services/identity/blesser/macaroon_test.go b/services/identity/blesser/macaroon_test.go
index b555a47..3973489 100644
--- a/services/identity/blesser/macaroon_test.go
+++ b/services/identity/blesser/macaroon_test.go
@@ -1,7 +1,6 @@
package blesser
import (
- "bytes"
"crypto/rand"
"reflect"
"testing"
@@ -12,7 +11,7 @@
"v.io/core/veyron2/ipc"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
func TestMacaroonBlesser(t *testing.T) {
@@ -111,9 +110,9 @@
}
func newMacaroon(t *testing.T, key []byte, m BlessingMacaroon) string {
- buf := new(bytes.Buffer)
- if err := vom.NewEncoder(buf).Encode(m); err != nil {
+ encMac, err := vom2.Encode(m)
+ if err != nil {
t.Fatal(err)
}
- return string(util.NewMacaroon(key, buf.Bytes()))
+ return string(util.NewMacaroon(key, encMac))
}
diff --git a/services/identity/oauth/handler.go b/services/identity/oauth/handler.go
index cd4ba93..2718404 100644
--- a/services/identity/oauth/handler.go
+++ b/services/identity/oauth/handler.go
@@ -19,7 +19,6 @@
package oauth
import (
- "bytes"
"encoding/base64"
"encoding/json"
"fmt"
@@ -39,7 +38,7 @@
"v.io/core/veyron2"
"v.io/core/veyron2/security"
"v.io/core/veyron2/vlog"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
const (
@@ -359,13 +358,13 @@
util.HTTPBadRequest(w, r, fmt.Errorf("server disallows attempts to bless with no caveats"))
return
}
- buf := &bytes.Buffer{}
m := blesser.BlessingMacaroon{
Creation: time.Now(),
Caveats: caveats,
Name: name,
}
- if err := vom.NewEncoder(buf).Encode(m); err != nil {
+ macBytes, err := vom2.Encode(m)
+ if err != nil {
util.HTTPServerError(w, fmt.Errorf("failed to encode BlessingsMacaroon: %v", err))
return
}
@@ -376,7 +375,7 @@
return
}
params := url.Values{}
- params.Add("macaroon", string(util.NewMacaroon(h.args.MacaroonKey, buf.Bytes())))
+ params.Add("macaroon", string(util.NewMacaroon(h.args.MacaroonKey, macBytes)))
params.Add("state", inputMacaroon.ToolState)
params.Add("object_name", h.args.MacaroonBlessingService)
baseURL.RawQuery = params.Encode()
diff --git a/services/identity/revocation/revocation_test.go b/services/identity/revocation/revocation_test.go
index 76ba630..3911150 100644
--- a/services/identity/revocation/revocation_test.go
+++ b/services/identity/revocation/revocation_test.go
@@ -1,18 +1,17 @@
package revocation
import (
- "bytes"
"testing"
+ "v.io/core/veyron/profiles"
+ services "v.io/core/veyron/services/security"
+ "v.io/core/veyron/services/security/discharger"
+
"v.io/core/veyron2"
"v.io/core/veyron2/naming"
"v.io/core/veyron2/rt"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
-
- "v.io/core/veyron/profiles"
- services "v.io/core/veyron/services/security"
- "v.io/core/veyron/services/security/discharger"
+ "v.io/core/veyron2/vom2"
)
func revokerSetup(t *testing.T, r veyron2.Runtime) (dischargerKey security.PublicKey, dischargerEndpoint string, revoker RevocationManager, closeFunc func(), runtime veyron2.Runtime) {
@@ -54,7 +53,7 @@
t.Fatalf("failed to create revocation caveat: %s", err)
}
var cav security.ThirdPartyCaveat
- if err := vom.NewDecoder(bytes.NewBuffer(caveat.ValidatorVOM)).Decode(&cav); err != nil {
+ if err := vom2.Decode(caveat.ValidatorVOM, &cav); err != nil {
t.Fatalf("failed to create decode tp caveat: %s", err)
}
diff --git a/services/identity/util/csrf.go b/services/identity/util/csrf.go
index f4049ba..8ed71e4 100644
--- a/services/identity/util/csrf.go
+++ b/services/identity/util/csrf.go
@@ -1,7 +1,6 @@
package util
import (
- "bytes"
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
@@ -11,7 +10,7 @@
"time"
"v.io/core/veyron2/vlog"
- "v.io/core/veyron2/vom"
+ "v.io/core/veyron2/vom2"
)
const (
@@ -47,13 +46,13 @@
if err != nil {
return "", fmt.Errorf("bad cookie: %v", err)
}
- buf := &bytes.Buffer{}
+ var encData []byte
if data != nil {
- if err := vom.NewEncoder(buf).Encode(data); err != nil {
+ if encData, err = vom2.Encode(data); err != nil {
return "", err
}
}
- return string(NewMacaroon(c.keyForCookie(cookieValue), buf.Bytes())), nil
+ return string(NewMacaroon(c.keyForCookie(cookieValue), encData)), nil
}
// ValidateToken checks the validity of the provided CSRF token for the
@@ -74,7 +73,7 @@
return err
}
if decoded != nil {
- if err := vom.NewDecoder(bytes.NewBuffer(encodedInput)).Decode(decoded); err != nil {
+ if err := vom2.Decode(encodedInput, decoded); err != nil {
return fmt.Errorf("invalid token data: %v", err)
}
}