Added IPX support to Diameter signatures. Signing Realm AVP is added …

…into Diameter signed message.

AUTHORS

@@ -16,6 +16,12 @@ Ewout Pronk <[email protected]> {
 Fredrik Soderlund <[email protected]> {
     GSMA DESS group collaboration
 }
+Xiaolei Li <[email protected]> {
+    DiameterFW PoC and IOT tests
+}
+Chaoyi Zhang <[email protected]> {
+    DiameterFW PoC and IOT tests
+}
 
 
 Acknowledgements

sigfw/sigfw.sigfw/diameterfw.json

@@ -134,6 +134,8 @@
 			"origin_realm_verify": [
 				{
 					"origin_realm": "exchange.example.org",
+					"signing_realm_comment": "Subject name which is issuing signature",
+					"signing_realm": "exchange.example.org",
 					"public_key_type": "RSA",
 					"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB"
 				}

sigfw/sigfw.sigfw/diameterfw_1.json

@@ -125,13 +125,17 @@
 			"origin_realm_verify": [
 				{
 					"origin_realm": "exchange.example.org",
+					"signing_realm_comment": "Subject name which is issuing signature",
+					"signing_realm": "exchange.example.org",
 					"public_key_type": "RSA",
 					"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB"
 				}
 			],
 			"origin_realm_signing": [
 				{
 					"origin_realm": "exchangeClient.example.org",
+					"signing_realm_comment": "Subject name which is issuing signature",
+					"signing_realm": "exchangeClient.example.org",
 					"public_key_type": "RSA",
 					"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB",
 					"private_key_type": "RSA",

sigfw/sigfw.sigfw/diameterfw_2.json

@@ -125,13 +125,17 @@
 			"origin_realm_verify": [
 				{
 					"origin_realm": "exchangeClient.example.org",
+					"signing_realm_comment": "Subject name which is issuing signature",
+					"signing_realm": "exchangeClient.example.org",
 					"public_key_type": "RSA",
 					"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB"
 				}
 			],
 			"origin_realm_signing": [
 				{
 					"origin_realm": "exchange.example.org",
+					"signing_realm_comment": "Subject name which is issuing signature",
+					"signing_realm": "exchange.example.org",
 					"public_key_type": "RSA",
 					"public_key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm/PAsXOj7cjirJsQsiIeHauFNLwBIuM1brkUm3aVXeraDIeJ2BWXmWlKMmX/FRZh4Qhe9mUy6YgwTO8PndWdMDRWMw8vvXJFI7HPJpsNfcBykefSqhr5X4h6HyQr73V8O0U5PtgCBuVoyuOFIj87WFwaLuajHiQgps7NOloeH1wIDAQAB",
 					"private_key_type": "RSA",

sigfw/sigfw.sigfw/src/main/java/diameterfw/DiameterFirewall.java

@@ -109,6 +109,7 @@
 import java.net.URLClassLoader;
 import java.security.interfaces.ECPublicKey;
 import com.p1sec.sigfw.SigFW_interface.FirewallRulesInterface;
+import static diameterfw.DiameterFirewallConfig.origin_realm_signing_signing_realm;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import org.mobicents.protocols.sctp.netty.NettyAssociationImpl;
@@ -226,6 +227,7 @@ private static void configLog4j() {
     static final private int AVP_AUTO_ENCRYPTION_REALM = 1102;
     static final private int AVP_AUTO_ENCRYPTION_PUBLIC_KEY = 1103;
     static final private int AVP_AUTO_ENCRYPTION_PUBLIC_KEY_TYPE = 1104;
+    static final public int AVP_SIGNING_REALM = 1105;
 
     /**
      * Reset Unit Testing Flags
@@ -1297,7 +1299,20 @@ else if (!msg.isRequest()) {
                     if (!orig_realm.equals("") && msg.isRequest()) {
                         // ------------- Diameter verify --------------
                         if (DiameterFirewallConfig.origin_realm_verify.containsKey(orig_realm)) {
-                            PublicKey publicKey = DiameterFirewallConfig.origin_realm_verify.get(orig_realm);
+                            if (msg.getAvps().getAvp(AVP_SIGNING_REALM) == null) {
+                                // Missing AVP_SIGNING_REALM, message dropped
+                                firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, "Missing AVP_SIGNING_REALM, message dropped", lua_hmap);
+                                return;
+                            }
+                            String signing_realm;
+                            try {
+                                signing_realm = new String(msg.getAvps().getAvp(AVP_SIGNING_REALM).getOctetString());
+                            } catch (AvpDataException ex) {
+                                //java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
+                                firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, "Decoding error with AVP_SIGNING_REALM, message dropped", lua_hmap);
+                                return;
+                            }
+                            PublicKey publicKey = DiameterFirewallConfig.origin_realm_verify_signing_realm.get(orig_realm + ":" + signing_realm);
                             String r = crypto.diameterVerify(msg, publicKey);
                             if (!r.equals("")) {
                                 firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, r, lua_hmap);
@@ -1312,7 +1327,7 @@ else if (!msg.isRequest()) {
                         // ------------- Diameter signing -------------
                         if (DiameterFirewallConfig.origin_realm_signing.containsKey(orig_realm)) {
                             KeyPair keyPair = DiameterFirewallConfig.origin_realm_signing.get(orig_realm);
-                            crypto.diameterSign(msg, keyPair);
+                            crypto.diameterSign(msg, keyPair, origin_realm_signing_signing_realm.get(orig_realm));
                         }
                         // --------------------------------------------
                     }
@@ -1399,7 +1414,7 @@ else if (DiameterFirewallConfig.encryption_autodiscovery.equals("true")
                             // --------- Add also Diameter signature ------------
                             if (DiameterFirewallConfig.origin_realm_signing.containsKey(orig_realm)) {
                                 KeyPair keyPair = DiameterFirewallConfig.origin_realm_signing.get(orig_realm);
-                                crypto.diameterSign(message, keyPair);
+                                crypto.diameterSign(message, keyPair, DiameterFirewallConfig.origin_realm_signing_signing_realm.get(orig_realm));
                             }
                             // --------------------------------------------------
 

sigfw/sigfw.sigfw/src/main/java/diameterfw/DiameterFirewallConfig.java

@@ -87,7 +87,9 @@ public enum FirewallPolicy {
     public static SortedMap<String, KeyPair> destination_realm_decryption;
     public static String encryption_autodiscovery = "false";
     public static SortedMap<String, PublicKey> origin_realm_verify;
+    public static SortedMap<String, PublicKey> origin_realm_verify_signing_realm;
     public static SortedMap<String, KeyPair> origin_realm_signing;
+    public static SortedMap<String, String> origin_realm_signing_signing_realm;
     public static FirewallPolicy firewallPolicy = FirewallPolicy.DROP_SILENTLY;
     public static String honeypot_diameter_host = "";
     public static String honeypot_diameter_realm = "";
@@ -357,10 +359,12 @@ public static void loadConfigFromFile(String filename) throws FileNotFoundExcept
         // ------------------------------------
         // Signing
         origin_realm_verify = new ConcurrentSkipListMap<String, PublicKey>();
+        origin_realm_verify_signing_realm = new ConcurrentSkipListMap<String, PublicKey>();
         try {
             List<Map<String, Object>> _origin_realm_verify = DiameterFirewallConfig.get("$.sigfw_configuration.signature_rules.origin_realm_verify");
             for (int i = 0; i < _origin_realm_verify.size(); i++) {
                 String origin_realm = (String)_origin_realm_verify.get(i).get("origin_realm");
+                String signing_realm = (String)_origin_realm_verify.get(i).get("signing_realm");
                 if (origin_realm != null) {
 
                     PublicKey publicKey = null;
@@ -373,17 +377,22 @@ public static void loadConfigFromFile(String filename) throws FileNotFoundExcept
                     } else if (publicKeyType.equals("EC")) {
                         publicKey = keyFactoryEC.generatePublic(pubKeySpec);
                     }
-                    origin_realm_verify.put(origin_realm, publicKey);
+                    if (origin_realm_verify.containsKey(origin_realm) == false) {
+                        origin_realm_verify.put(origin_realm, publicKey);
+                    }
+                    origin_realm_verify_signing_realm.put(origin_realm + ":" + signing_realm, publicKey);
                 }
             }
         } catch (InvalidKeySpecException ex) {
            Logger.getLogger(DiameterFirewallConfig.class.getName()).log(Level.SEVERE, null, ex);
         }
         origin_realm_signing = new ConcurrentSkipListMap<String, KeyPair>();
+        origin_realm_signing_signing_realm = new ConcurrentSkipListMap<String, String>();
         try {
             List<Map<String, Object>> _origin_realm_signing = DiameterFirewallConfig.get("$.sigfw_configuration.signature_rules.origin_realm_signing");
             for (int i = 0; i < _origin_realm_signing.size(); i++) {
                 String origin_realm = (String)_origin_realm_signing.get(i).get("origin_realm");
+                String signing_realm = (String)_origin_realm_signing.get(i).get("signing_realm");
                 if (origin_realm != null) {
 
                     PrivateKey privateKey = null;
@@ -410,6 +419,7 @@ public static void loadConfigFromFile(String filename) throws FileNotFoundExcept
 
                     KeyPair keypair = new KeyPair(publicKey, privateKey);
                     origin_realm_signing.put(origin_realm, keypair);
+                    origin_realm_signing_signing_realm.put(origin_realm, signing_realm);
                 }
             }
         } catch (InvalidKeySpecException ex) {

sigfw/sigfw.sigfw/src/main/java/sigfw/common/Crypto.java

@@ -26,6 +26,7 @@
 
 import com.p1sec.sigfw.SigFW_interface.CryptoInterface;
 import diameterfw.DiameterFirewall;
+import static diameterfw.DiameterFirewall.AVP_SIGNING_REALM;
 import diameterfw.DiameterFirewallConfig;
 import java.io.IOException;
 import java.io.InputStream;
@@ -158,7 +159,7 @@ protected static void configLog4j() {
     }
 
     @Override
-    public void diameterSign(Message message, KeyPair keyPair) {
+    public void diameterSign(Message message, KeyPair keyPair, String signingRealm) {
         //logger.debug("Message Sign = " + message.getAvps().toString());
 
         Signature signatureRSA = null;
@@ -182,8 +183,10 @@ public void diameterSign(Message message, KeyPair keyPair) {
         if (keyPair != null) {
             PrivateKey privateKey = keyPair.getPrivate();
             if(privateKey != null) {
-
+                
                 AvpSet avps = message.getAvps();
+
+                avps.addAvp(AVP_SIGNING_REALM, signingRealm.getBytes());
 
                 boolean signed = false;
                 for (int i = 0; i < avps.size(); i++) {
@@ -350,7 +353,7 @@ public String diameterVerify(Message message, PublicKey publicKey) {
                 for (int i = 0; i < signed_index.size(); i++) {
                     avps.removeAvpByIndex(signed_index.get(i));
                 }
-
+                
                 // verify signature
                 String dataToSign = message.getApplicationId() + ":" + message.getCommandCode() + ":" + message.getEndToEndIdentifier() + ":" + t_tvp;
 
@@ -374,6 +377,9 @@ public String diameterVerify(Message message, PublicKey publicKey) {
                     }
                 }*/
 
+                // remove AVP_SIGNING_REALM;
+                avps.removeAvp(AVP_SIGNING_REALM);
+
                 if (publicKey instanceof RSAPublicKey) {
                     signatureRSA.initVerify(publicKey);
                     signatureRSA.update(dataToSign.getBytes());
@@ -387,7 +393,7 @@ public String diameterVerify(Message message, PublicKey publicKey) {
                     logger.warn("Unknown Public Key algorithm");
                     return "";
                 }
-
+                
             } catch (InvalidKeyException ex) {
                 java.util.logging.Logger.getLogger(Crypto.class.getName()).log(Level.SEVERE, null, ex);
             } catch (SignatureException ex) {

sigfw/sigfw_interface/src/main/java/com/p1sec/sigfw/SigFW_interface/CryptoInterface.java

@@ -47,7 +47,7 @@ public interface CryptoInterface {
      * @param message Diameter message which will be signed
      * @param keyPair KeyPair used to sign message
      */
-    public void diameterSign(Message message, KeyPair keyPair);
+    public void diameterSign(Message message, KeyPair keyPair, String signingRealm);
 
     /**
      * Method to verify the Diameter message signature