[all] Use crypto random interface to generate UUID

Signed-off-by: Mykhailo Lohvynenko <[email protected]>

Author: mlohvynenko

include/aos/common/tools/uuid.hpp

@@ -11,6 +11,10 @@
 #include "aos/common/config.hpp"
 #include "aos/common/tools/string.hpp"
 
+namespace aos::crypto {
+class RandomItf;
+}
+
 namespace aos::uuid {
 
 /**
@@ -31,9 +35,9 @@ using UUID = StaticArray<uint8_t, cUUIDSize>;
 /**
  * Creates unique UUID.
  *
- * @return UUID.
+ * @return RetWithError<UUID>.
  */
-UUID CreateUUID();
+RetWithError<UUID> CreateUUID(class crypto::RandomItf& randomProvider);
 
 /**
  * Converts UUID to string.

include/aos/iam/certmodules/pkcs11/pkcs11.hpp

@@ -74,10 +74,11 @@ class PKCS11Module : public HSMItf {
      * @param config module configuration.
      * @param pkcs11 reference to pkcs11 library context.
      * @param x509Provider reference to x509 crypto interface.
+     * @param randomProvider reference to random crypto interface.
      * @return Error.
      */
     Error Init(const String& certType, const PKCS11ModuleConfig& config, pkcs11::PKCS11Manager& pkcs11,
-        crypto::x509::ProviderItf& x509Provider);
+        crypto::x509::ProviderItf& x509Provider, crypto::RandomItf& randomProvider);
 
     /**
      * Owns the module.
@@ -210,6 +211,7 @@ class PKCS11Module : public HSMItf {
 
     SharedPtr<pkcs11::LibraryContext> mPKCS11;
     crypto::x509::ProviderItf*        mX509Provider {};
+    crypto::RandomItf*                mRandomProvider {};
 
     uint32_t                        mSlotID = 0;
     StaticString<pkcs11::cLabelLen> mTokenLabel;

include/aos/iam/permhandler.hpp

@@ -94,6 +94,14 @@ class PermHandlerItf {
  */
 class PermHandler : public PermHandlerItf {
 public:
+    /**
+     * Initializes object instance.
+     *
+     * @param randomProvider random provider.
+     * @return Error.
+     */
+    Error Init(crypto::RandomItf& randomProvider);
+
     /**
      * Adds new service instance and its permissions into cache.
      *
@@ -129,11 +137,12 @@ class PermHandler : public PermHandlerItf {
                                          const Array<FunctionServicePermissions>& instancePermissions);
     InstancePermissions*                   FindBySecret(const String& secret);
     InstancePermissions*                   FindByInstanceIdent(const InstanceIdent& instanceIdent);
-    StaticString<cSecretLen>               GenerateSecret();
+    RetWithError<StaticString<cSecretLen>> GenerateSecret();
     RetWithError<StaticString<cSecretLen>> GetSecretForInstance(const InstanceIdent& instanceIdent);
 
     Mutex                                              mMutex;
     StaticArray<InstancePermissions, cMaxNumInstances> mInstancesPerms;
+    crypto::RandomItf*                                 mRandomProvider {};
 };
 
 /** @}*/

include/aos/sm/launcher.hpp

@@ -12,6 +12,7 @@
 
 #include "aos/common/cloudprotocol/envvars.hpp"
 #include "aos/common/connectionsubsc.hpp"
+#include "aos/common/crypto/crypto.hpp"
 #include "aos/common/monitoring/monitoring.hpp"
 #include "aos/common/ocispec/ocispec.hpp"
 #include "aos/common/tools/list.hpp"
@@ -260,14 +261,16 @@ class Launcher : public LauncherItf,
      * @param statusReceiver status receiver instance.
      * @param connectionPublisher connection publisher instance.
      * @param storage storage instance.
+     * @param randomProvider random provider instance.
      * @return Error.
      */
     Error Init(const Config& config, iam::nodeinfoprovider::NodeInfoProviderItf& nodeInfoProvider,
         servicemanager::ServiceManagerItf& serviceManager, layermanager::LayerManagerItf& layerManager,
         resourcemanager::ResourceManagerItf& resourceManager, networkmanager::NetworkManagerItf& networkManager,
         iam::permhandler::PermHandlerItf& permHandler, runner::RunnerItf& runner, RuntimeItf& runtime,
         monitoring::ResourceMonitorItf& resourceMonitor, oci::OCISpecItf& ociManager,
-        InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage);
+        InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage,
+        crypto::RandomItf& randomProvider);
 
     /**
      * Starts launcher.
@@ -412,6 +415,7 @@ class Launcher : public LauncherItf,
     servicemanager::ServiceManagerItf*   mServiceManager {};
     StorageItf*                          mStorage {};
     RuntimeItf*                          mRuntime {};
+    crypto::RandomItf*                   mRandomProvider {};
 
     mutable StaticAllocator<cAllocatorSize> mAllocator;
 

src/common/tools/uuid.cpp

@@ -8,6 +8,7 @@
 #include <stdlib.h>
 #include <time.h>
 
+#include "aos/common/crypto/crypto.hpp"
 #include "aos/common/tools/uuid.hpp"
 
 namespace aos::uuid {
@@ -16,13 +17,17 @@ namespace aos::uuid {
 static const String cTemplate  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
 static const String cEmptyUUID = "00000000-0000-0000-0000-000000000000";
 
-UUID CreateUUID()
+RetWithError<UUID> CreateUUID(crypto::RandomItf& randomProvider)
 {
     UUID result;
 
     while (result.Size() < result.MaxSize()) {
-        unsigned value = rand();
-        auto     chunk = Array<uint8_t>(reinterpret_cast<uint8_t*>(&value), sizeof(value));
+        auto [value, err] = randomProvider.RandInt(RAND_MAX);
+        if (!err.IsNone()) {
+            return {{}, err};
+        }
+
+        auto chunk = Array<uint8_t>(reinterpret_cast<uint8_t*>(&value), sizeof(value));
 
         auto chunkSize = Min(result.MaxSize() - result.Size(), chunk.Size());
 

src/iam/certmodules/pkcs11/pkcs11.cpp

@@ -21,11 +21,12 @@ namespace aos::iam::certhandler {
  **********************************************************************************************************************/
 
 Error PKCS11Module::Init(const String& certType, const PKCS11ModuleConfig& config, pkcs11::PKCS11Manager& pkcs11,
-    crypto::x509::ProviderItf& x509Provider)
+    crypto::x509::ProviderItf& x509Provider, crypto::RandomItf& randomProvider)
 {
-    mCertType     = certType;
-    mConfig       = config;
-    mX509Provider = &x509Provider;
+    mCertType       = certType;
+    mConfig         = config;
+    mX509Provider   = &x509Provider;
+    mRandomProvider = &randomProvider;
 
     mPKCS11 = pkcs11.OpenLibrary(mConfig.mLibrary);
     if (!mPKCS11) {
@@ -198,7 +199,10 @@ RetWithError<SharedPtr<crypto::PrivateKeyItf>> PKCS11Module::CreateKey(const Str
     PKCS11Module::PendingKey pendingKey;
     Error                    err = ErrorEnum::eNone;
 
-    pendingKey.mUUID = uuid::CreateUUID();
+    Tie(pendingKey.mUUID, err) = uuid::CreateUUID(*mRandomProvider);
+    if (!err.IsNone()) {
+        return {nullptr, AOS_ERROR_WRAP(err)};
+    }
 
     SharedPtr<pkcs11::SessionContext> session;
 
@@ -787,7 +791,10 @@ Error PKCS11Module::CreateCertificateChain(const SharedPtr<pkcs11::SessionContex
             continue;
         }
 
-        auto uuid = uuid::CreateUUID();
+        auto [uuid, errUUID] = uuid::CreateUUID(*mRandomProvider);
+        if (!errUUID.IsNone()) {
+            return AOS_ERROR_WRAP(errUUID);
+        }
 
         LOG_DBG() << "Import root certificate with id: " << aos::uuid::UUIDToString(uuid);
 

src/iam/permhandler/permhandler.cpp

@@ -6,6 +6,7 @@
  */
 
 #include "aos/iam/permhandler.hpp"
+#include "aos/common/crypto/utils.hpp"
 #include "aos/common/tools/uuid.hpp"
 #include "log.hpp"
 
@@ -15,6 +16,15 @@ namespace aos::iam::permhandler {
  * Public
  **********************************************************************************************************************/
 
+Error PermHandler::Init(crypto::RandomItf& randomProvider)
+{
+    LOG_DBG() << "Init perm handler";
+
+    mRandomProvider = &randomProvider;
+
+    return ErrorEnum::eNone;
+}
+
 RetWithError<StaticString<cSecretLen>> PermHandler::RegisterInstance(
     const InstanceIdent& instanceIdent, const Array<FunctionServicePermissions>& instancePermissions)
 {
@@ -30,7 +40,10 @@ RetWithError<StaticString<cSecretLen>> PermHandler::RegisterInstance(
         return {secret};
     }
 
-    secret = GenerateSecret();
+    Tie(secret, err) = GenerateSecret();
+    if (!err.IsNone()) {
+        return {{}, AOS_ERROR_WRAP(err)};
+    }
 
     err = AddSecret(secret, instanceIdent, instancePermissions);
     if (!err.IsNone()) {
@@ -108,16 +121,18 @@ InstancePermissions* PermHandler::FindByInstanceIdent(const InstanceIdent& insta
     return mInstancesPerms.FindIf([&instanceIdent](const auto& elem) { return instanceIdent == elem.mInstanceIdent; });
 }
 
-StaticString<cSecretLen> PermHandler::GenerateSecret()
+RetWithError<StaticString<cSecretLen>> PermHandler::GenerateSecret()
 {
-    StaticString<cSecretLen> newSecret;
-
-    do {
-        newSecret = uuid::UUIDToString(uuid::CreateUUID());
+    if (!mRandomProvider) {
+        return {{}, AOS_ERROR_WRAP(ErrorEnum::eWrongState)};
+    }
 
-    } while (FindBySecret(newSecret) != mInstancesPerms.end());
+    auto [uuid, err] = uuid::CreateUUID(*mRandomProvider);
+    if (!err.IsNone()) {
+        return {{}, AOS_ERROR_WRAP(err)};
+    }
 
-    return newSecret;
+    return StaticString<cSecretLen>(uuid::UUIDToString(uuid));
 }
 
 RetWithError<StaticString<cSecretLen>> PermHandler::GetSecretForInstance(const InstanceIdent& instanceIdent)

src/sm/launcher/launcher.cpp

@@ -32,7 +32,8 @@ Error Launcher::Init(const Config& config, iam::nodeinfoprovider::NodeInfoProvid
     resourcemanager::ResourceManagerItf& resourceManager, networkmanager::NetworkManagerItf& networkManager,
     iam::permhandler::PermHandlerItf& permHandler, runner::RunnerItf& runner, RuntimeItf& runtime,
     monitoring::ResourceMonitorItf& resourceMonitor, oci::OCISpecItf& ociManager,
-    InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage)
+    InstanceStatusReceiverItf& statusReceiver, ConnectionPublisherItf& connectionPublisher, StorageItf& storage,
+    crypto::RandomItf& randomProvider)
 {
     LOG_DBG() << "Init launcher";
 
@@ -49,6 +50,7 @@ Error Launcher::Init(const Config& config, iam::nodeinfoprovider::NodeInfoProvid
     mServiceManager      = &serviceManager;
     mStatusReceiver      = &statusReceiver;
     mStorage             = &storage;
+    mRandomProvider      = &randomProvider;
 
     Error err;
 
@@ -589,7 +591,12 @@ Error Launcher::GetDesiredInstancesData(
             return instance.mInstanceInfo.mInstanceIdent == instanceInfo.mInstanceIdent;
         });
         if (currentInstance == currentInstances->end()) {
-            const auto instanceID = uuid::UUIDToString(uuid::CreateUUID());
+            auto [uuid, err] = uuid::CreateUUID(*mRandomProvider);
+            if (!err.IsNone()) {
+                return AOS_ERROR_WRAP(err);
+            }
+
+            auto instanceID = uuid::UUIDToString(uuid);
 
             if (auto err = desiredInstancesData.EmplaceBack(instanceInfo, instanceID); !err.IsNone()) {
                 return AOS_ERROR_WRAP(err);

tests/common/src/tools/uuid_test.cpp

@@ -11,23 +11,29 @@
 #include <gtest/gtest.h>
 
 #include "aos/common/tools/uuid.hpp"
+#include "mocks/cryptomock.hpp"
 
 namespace aos::uuid {
 
 TEST(UUIDTest, CreateUUID)
 {
     static constexpr auto cTestUUIDsCount = 1000;
 
+    crypto::RandomMock randomProvider;
+
     std::vector<UUID> uuids;
 
     for (int i = 0; i < cTestUUIDsCount; i++) {
-        auto tmp = CreateUUID();
+        EXPECT_CALL(randomProvider, RandInt).WillRepeatedly(testing::Invoke([]() { return rand(); }));
+        auto [uuid, err] = CreateUUID(randomProvider);
+
+        ASSERT_TRUE(err.IsNone());
 
-        ASSERT_EQ(tmp.Size(), tmp.MaxSize());
+        ASSERT_EQ(uuid.Size(), uuid.MaxSize());
 
-        ASSERT_EQ(std::find(uuids.begin(), uuids.end(), tmp), uuids.end());
+        ASSERT_EQ(std::find(uuids.begin(), uuids.end(), uuid), uuids.end());
 
-        uuids.push_back(tmp);
+        uuids.push_back(uuid);
     }
 }
 

tests/iam/iam_test.cpp

@@ -31,6 +31,7 @@ class IAMTest : public Test {
 
         ASSERT_TRUE(mCryptoFactory.Init().IsNone());
         mCryptoProvider = &mCryptoFactory.GetCryptoProvider();
+        mRandomProvider = &mCryptoFactory.GetRandomProvider();
 
         mCertHandler = MakeShared<CertHandler>(&mAllocator);
         ASSERT_TRUE(mSOFTHSMEnv.Init("", "certhanler-integr-tests").IsNone());
@@ -51,7 +52,9 @@ class IAMTest : public Test {
         auto& certModule   = mCertModules.Back();
 
         ASSERT_TRUE(
-            pkcs11Module.Init(name, GetPKCS11ModuleConfig(), mSOFTHSMEnv.GetManager(), *mCryptoProvider).IsNone());
+            pkcs11Module
+                .Init(name, GetPKCS11ModuleConfig(), mSOFTHSMEnv.GetManager(), *mCryptoProvider, *mRandomProvider)
+                .IsNone());
         ASSERT_TRUE(
             certModule.Init(name, GetCertModuleConfig(keyType, isSelfSigned), *mCryptoProvider, pkcs11Module, mStorage)
                 .IsNone());
@@ -91,6 +94,7 @@ class IAMTest : public Test {
     // Service providers
     crypto::DefaultCryptoFactory mCryptoFactory;
     crypto::x509::ProviderItf*   mCryptoProvider = nullptr;
+    crypto::RandomItf*           mRandomProvider = nullptr;
     test::SoftHSMEnv             mSOFTHSMEnv;
     StorageStub                  mStorage;