[PD1] Added verification that server returns the correct client cert

2024-04-24 17:49:36 +01:00 · 2024-04-24 17:49:36 +01:00 · 1d64590f33
commit 1d64590f33
parent 4f9312958d
4 changed files with 47 additions and 15 deletions
--- a/Projs/PD1/internal/client/client.go
+++ b/Projs/PD1/internal/client/client.go
@ -39,7 +39,7 @@ func Run() {
 		cl := networking.NewClient[protocol.Packet](&clientKeyStore)
 		defer cl.Connection.Conn.Close()

-		receiverCert := getUserCert(cl, uid)
+		receiverCert := getUserCert(cl, clientKeyStore, uid)
 		if receiverCert == nil {
 			return
 		}
@ -102,7 +102,7 @@ func Run() {
 			return
 		}
 		answerGetMsg := protocol.UnmarshalAnswerGetMsg(receivedMsgPacket.Body)
-		senderCert := getUserCert(cl, answerGetMsg.FromUID)
+		senderCert := getUserCert(cl, clientKeyStore, answerGetMsg.FromUID)
 		decSubjectBytes := clientKeyStore.DecryptMessageContent(senderCert, answerGetMsg.Subject)
 		decBodyBytes := clientKeyStore.DecryptMessageContent(senderCert, answerGetMsg.Body)
 		subject := Unmarshal(decSubjectBytes)
@ -119,7 +119,7 @@ func Run() {

 }

-func getUserCert(cl networking.Client[protocol.Packet], uid string) *x509.Certificate {
+func getUserCert(cl networking.Client[protocol.Packet], keyStore cryptoUtils.KeyStore, uid string) *x509.Certificate {
 	getUserCertPacket := protocol.NewGetUserCertPacket(uid)
 	if !cl.Connection.Send(getUserCertPacket) {
 		return nil
@ -139,10 +139,13 @@ func getUserCert(cl networking.Client[protocol.Packet], uid string) *x509.Certif
 	if err != nil {
 		return nil
 	}
+    if !keyStore.CheckCert(userCert, uid){
+        return nil
+    }
 	return userCert
 }

-func getManyMessagesInfo(cl networking.Client[protocol.Packet]) (protocol.AnswerGetUnreadMsgsInfo, map[string]*x509.Certificate) {
+func getManyMessagesInfo(cl networking.Client[protocol.Packet], keyStore cryptoUtils.KeyStore) (protocol.AnswerGetUnreadMsgsInfo, map[string]*x509.Certificate) {
 	answerGetUnreadMsgsInfoPacket, active := cl.Connection.Receive()
 	if !active {
 		return protocol.NewAnswerGetUnreadMsgsInfo(0, 0, nil), nil
@ -162,7 +165,7 @@ func getManyMessagesInfo(cl networking.Client[protocol.Packet]) (protocol.Answer
 	certificatesMap := map[string]*x509.Certificate{}
 	//Get senders' certificates
 	for senderUID := range senderSet {
-		senderCert := getUserCert(cl, senderUID)
+		senderCert := getUserCert(cl, keyStore, senderUID)
 		certificatesMap[senderUID] = senderCert
 	}
 	return answerGetUnreadMsgsInfo, certificatesMap
@ -173,7 +176,7 @@ func askQueue(cl networking.Client[protocol.Packet], clientKeyStore cryptoUtils.
 	if !cl.Connection.Send(requestUnreadMsgsQueuePacket) {
 		return
 	}
-	unreadMsgsInfo, certificates := getManyMessagesInfo(cl)
+	unreadMsgsInfo, certificates := getManyMessagesInfo(cl, clientKeyStore)
 	var clientMessages []ClientMessageInfo
 	for _, message := range unreadMsgsInfo.MessagesInfo {
 		senderCert, ok := certificates[message.FromUID]
--- a/Projs/PD1/internal/utils/cryptoUtils/cryptoUtils.go
+++ b/Projs/PD1/internal/utils/cryptoUtils/cryptoUtils.go
@ -69,6 +69,31 @@ func LoadKeyStore(keyStorePath string, password string) KeyStore {
 	return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}
 }

+// Check if the cert is signed by the CA and is for the correct user
+func (k KeyStore) CheckCert(cert *x509.Certificate, uid string) bool {
+	caCertPool := x509.NewCertPool()
+	for _, caCert := range k.caCertChain {
+		caCertPool.AddCert(caCert)
+	}
+	opts := x509.VerifyOptions{
+		Roots: caCertPool,
+	}
+	// Check if the certificate is signed by the specified CA
+	_, err := cert.Verify(opts)
+	if err != nil {
+		log.Println("Certificate not signed by a trusted CA")
+		return false
+	}
+
+	//Check if the pseudonym field is set to UID
+	oidMap := ExtractAllOIDValues(cert)
+	if oidMap["2.5.4.65"] != uid {
+		log.Println("Certificate does not belong to the message's receiver")
+		return false
+	}
+	return true
+}
+
 func (k *KeyStore) GetTLSConfig() *tls.Config {

 	certificate := tls.Certificate{Certificate: [][]byte{k.cert.Raw}, PrivateKey: k.privKey, Leaf: k.cert}
@ -93,8 +118,8 @@ func (k *KeyStore) GetServerTLSConfig() *tls.Config {
 		caCertPool.AddCert(caCert)
 	}
 	tlsConfig.ClientCAs = caCertPool
-    //FIX: SERVER ACCEPTS CONNECTIONS WITH UNMATCHING OR
-    // NO CERTIFICATE, NEEDS TO BE CHANGED SOMEHOW
+	//FIX: SERVER ACCEPTS CONNECTIONS WITH UNMATCHING OR
+	// NO CERTIFICATE, NEEDS TO BE CHANGED SOMEHOW
 	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 	return tlsConfig
 }
@ -158,8 +183,8 @@ func (k KeyStore) EncryptMessageContent(receiverCert *x509.Certificate, content

 	// sign the message and append the signature
 	hashedContent := sha256.Sum256(content)
-    // NOTE: in this case the sign then encrypt method is used
-    // but should it be used over the encrypt then sign method?
+	// NOTE: in this case the sign then encrypt method is used
+	// but should it be used over the encrypt then sign method?
 	signature, err := rsa.SignPKCS1v15(nil, k.privKey, crypto.SHA256, hashedContent[:])
 	if err != nil {
 		log.Panicln("Could not create content signature: ", err)
@ -196,7 +221,7 @@ func (k KeyStore) DecryptMessageContent(senderCert *x509.Certificate, cipherCont
 		log.Panicln("Could not decrypt ciphertext: ", err)
 	}
 	// check signature with sender public key
-	signature, content:= unPair(contentAndSig)
+	signature, content := unPair(contentAndSig)
 	hashedContent := sha256.Sum256(content)
 	senderKey := senderCert.PublicKey.(*rsa.PublicKey)
 	if err := rsa.VerifyPKCS1v15(senderKey, crypto.SHA256, hashedContent[:], signature); err != nil {