4
.. versionadded:: 2.4.0
6
Many applications need to store pre-shared keys (hereafter PSKs) for
7
authentication purposes.
9
An abstract interface to PSK stores is provided in ``psk_db.h``
11
.. cpp:class:: PSK_Database
13
.. cpp:function:: bool is_encrypted() const
15
Returns true if (at least) the PSKs themselves are encrypted. Returns
16
false if PSKs are stored in plaintext.
18
.. cpp:function:: std::set<std::string> list_names() const
20
Return the set of valid names stored in the database, ie values for which
21
``get`` will return a value.
23
.. cpp:function:: void set(const std::string& name, const uint8_t psk[], size_t psk_len)
25
Save a PSK. If ``name`` already exists, the current value will be
28
.. cpp:function:: secure_vector<uint8_t> get(const std::string& name) const
30
Return a value saved with ``set``. Throws an exception if ``name`` doesn't
33
.. cpp:function:: void remove(const std::string& name)
35
Remove ``name`` from the database. If ``name`` doesn't exist, ignores the request.
37
.. cpp::function:: std::string get_str(const std::string& name) const
39
Like ``get`` but casts the return value to a string.
41
.. cpp:function:: void set_str(const std::string& name, const std::string& psk)
43
Like ``set`` but accepts the psk as a string (eg for a password).
45
.. cpp:function:: template<typename Alloc> void set_vec(const std::string& name, \
46
const std::vector<uint8_t, Alloc>& psk)
48
Like ``set`` but accepting a vector.
50
The same header also provides a specific instantiation of ``PSK_Database`` which
51
encrypts both names and PSKs. It must be subclassed to provide the storage.
53
.. cpp:class:: Encrypted_PSK_Database : public PSK_Database
55
.. cpp:function:: Encrypted_PSK_Database(const secure_vector<uint8_t>& master_key)
57
Initializes or opens a PSK database. The master key is used the secure the
58
contents. It may be of any length. If encrypting PSKs under a passphrase,
59
use a suitable key derivation scheme (such as PBKDF2) to derive the secret
60
key. If the master key is lost, all PSKs stored are unrecoverable.
62
Both names and values are encrypted using NIST key wrapping (see NIST
63
SP800-38F) with AES-256. First the master key is used with HMAC(SHA-256)
64
to derive two 256-bit keys, one for encrypting all names and the other to
65
key an instance of HMAC(SHA-256). Values are each encrypted under an
66
individual key created by hashing the encrypted name with HMAC. This
67
associates the encrypted key with the name, and prevents an attacker with
68
write access to the data store from taking an encrypted key associated
69
with one entity and copying it to another entity.
71
Names and PSKs are both padded to the next multiple of 8 bytes, providing
72
some obfuscation of the length.
74
One artifact of the names being encrypted is that is is possible to use
75
multiple different master keys with the same underlying storage. Each
76
master key will be responsible for a subset of the keys. An attacker who
77
knows one of the keys will be able to tell there are other values
78
encrypted under another key.
80
.. cpp:function:: virtual void kv_set(const std::string& index, const std::string& value) = 0
82
Save an encrypted value. Both ``index`` and ``value`` will be non-empty
83
base64 encoded strings.
85
.. cpp:function:: virtual std::string kv_get(const std::string& index) const = 0
87
Return a value saved with ``kv_set``, or return the empty string.
89
.. cpp:function:: virtual void kv_del(const std::string& index) = 0
91
Remove a value saved with ``kv_set``.
93
.. cpp:function:: virtual std::set<std::string> kv_get_all() const = 0
95
Return all active names (ie values for which ``kv_get`` will return a
98
A subclass of ``Encrypted_PSK_Database`` which stores data in a SQL database
99
is also available. This class is declared in ``psk_db_sql.h``:
101
.. cpp:class:: Encrypted_PSK_Database_SQL : public Encrypted_PSK_Database
103
.. cpp:function:: Encrypted_PSK_Database_SQL(const secure_vector<uint8_t>& master_key, \
104
std::shared_ptr<SQL_Database> db, \
105
const std::string& table_name)
107
Creates or uses the named table in ``db``. The SQL schema of the table is
108
``(psk_name TEXT PRIMARY KEY, psk_value TEXT)``.