Uni/CSI-ES-2324
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[PD1] Added verification that server returns the correct client cert

Browse source
This commit is contained in:
Afonso Franco 2024-04-24 17:49:36 +01:00
parent 4f9312958d
commit 1d64590f33
Signed by: afonso
SSH key fingerprint: SHA256:aiLbdlPwXKJS5wMnghdtod0SPy8imZjlVvCyUX9DJNk
4 changed files with 47 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
Projs/PD1/internal/client/client.go
View file

@ -39,7 +39,7 @@ func Run() {
cl := networking.NewClient[protocol.Packet](&clientKeyStore) cl := networking.NewClient[protocol.Packet](&clientKeyStore)
defer cl.Connection.Conn.Close() defer cl.Connection.Conn.Close()
receiverCert := getUserCert(cl, uid) receiverCert := getUserCert(cl, clientKeyStore, uid)
if receiverCert == nil { if receiverCert == nil {
return return
} }
@ -102,7 +102,7 @@ func Run() {
return return
} }
answerGetMsg := protocol.UnmarshalAnswerGetMsg(receivedMsgPacket.Body) answerGetMsg := protocol.UnmarshalAnswerGetMsg(receivedMsgPacket.Body)
senderCert := getUserCert(cl, answerGetMsg.FromUID) senderCert := getUserCert(cl, clientKeyStore, answerGetMsg.FromUID)
decSubjectBytes := clientKeyStore.DecryptMessageContent(senderCert, answerGetMsg.Subject) decSubjectBytes := clientKeyStore.DecryptMessageContent(senderCert, answerGetMsg.Subject)
decBodyBytes := clientKeyStore.DecryptMessageContent(senderCert, answerGetMsg.Body) decBodyBytes := clientKeyStore.DecryptMessageContent(senderCert, answerGetMsg.Body)
subject := Unmarshal(decSubjectBytes) subject := Unmarshal(decSubjectBytes)
@ -119,7 +119,7 @@ func Run() {
} }
func getUserCert(cl networking.Client[protocol.Packet], uid string) *x509.Certificate { func getUserCert(cl networking.Client[protocol.Packet], keyStore cryptoUtils.KeyStore, uid string) *x509.Certificate {
getUserCertPacket := protocol.NewGetUserCertPacket(uid) getUserCertPacket := protocol.NewGetUserCertPacket(uid)
if !cl.Connection.Send(getUserCertPacket) { if !cl.Connection.Send(getUserCertPacket) {
return nil return nil
@ -139,10 +139,13 @@ func getUserCert(cl networking.Client[protocol.Packet], uid string) *x509.Certif
if err != nil { if err != nil {
return nil return nil
} }
if !keyStore.CheckCert(userCert, uid){
return nil
}
return userCert return userCert
} }
func getManyMessagesInfo(cl networking.Client[protocol.Packet]) (protocol.AnswerGetUnreadMsgsInfo, map[string]*x509.Certificate) { func getManyMessagesInfo(cl networking.Client[protocol.Packet], keyStore cryptoUtils.KeyStore) (protocol.AnswerGetUnreadMsgsInfo, map[string]*x509.Certificate) {
answerGetUnreadMsgsInfoPacket, active := cl.Connection.Receive() answerGetUnreadMsgsInfoPacket, active := cl.Connection.Receive()
if !active { if !active {
return protocol.NewAnswerGetUnreadMsgsInfo(0, 0, nil), nil return protocol.NewAnswerGetUnreadMsgsInfo(0, 0, nil), nil
@ -162,7 +165,7 @@ func getManyMessagesInfo(cl networking.Client[protocol.Packet]) (protocol.Answer
certificatesMap := map[string]*x509.Certificate{} certificatesMap := map[string]*x509.Certificate{}
//Get senders' certificates //Get senders' certificates
for senderUID := range senderSet { for senderUID := range senderSet {
senderCert := getUserCert(cl, senderUID) senderCert := getUserCert(cl, keyStore, senderUID)
certificatesMap[senderUID] = senderCert certificatesMap[senderUID] = senderCert
} }
return answerGetUnreadMsgsInfo, certificatesMap return answerGetUnreadMsgsInfo, certificatesMap
@ -173,7 +176,7 @@ func askQueue(cl networking.Client[protocol.Packet], clientKeyStore cryptoUtils.
if !cl.Connection.Send(requestUnreadMsgsQueuePacket) { if !cl.Connection.Send(requestUnreadMsgsQueuePacket) {
return return
} }
unreadMsgsInfo, certificates := getManyMessagesInfo(cl) unreadMsgsInfo, certificates := getManyMessagesInfo(cl, clientKeyStore)
var clientMessages []ClientMessageInfo var clientMessages []ClientMessageInfo
for _, message := range unreadMsgsInfo.MessagesInfo { for _, message := range unreadMsgsInfo.MessagesInfo {
senderCert, ok := certificates[message.FromUID] senderCert, ok := certificates[message.FromUID]

25
Projs/PD1/internal/utils/cryptoUtils/cryptoUtils.go
View file

@ -69,6 +69,31 @@ func LoadKeyStore(keyStorePath string, password string) KeyStore {
return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey} return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}
} }
// Check if the cert is signed by the CA and is for the correct user
func (k KeyStore) CheckCert(cert *x509.Certificate, uid string) bool {
caCertPool := x509.NewCertPool()
for _, caCert := range k.caCertChain {
caCertPool.AddCert(caCert)
}
opts := x509.VerifyOptions{
Roots: caCertPool,
}
// Check if the certificate is signed by the specified CA
_, err := cert.Verify(opts)
if err != nil {
log.Println("Certificate not signed by a trusted CA")
return false
}
//Check if the pseudonym field is set to UID
oidMap := ExtractAllOIDValues(cert)
if oidMap["2.5.4.65"] != uid {
log.Println("Certificate does not belong to the message's receiver")
return false
}
return true
}
func (k *KeyStore) GetTLSConfig() *tls.Config { func (k *KeyStore) GetTLSConfig() *tls.Config {
certificate := tls.Certificate{Certificate: [][]byte{k.cert.Raw}, PrivateKey: k.privKey, Leaf: k.cert} certificate := tls.Certificate{Certificate: [][]byte{k.cert.Raw}, PrivateKey: k.privKey, Leaf: k.cert}

BIN
Projs/PD1/server.db
View file

Binary file not shown.

12
Projs/PD1/tokefile.toml
View file

@ -12,8 +12,12 @@ cmd="go build"
[targets.server] [targets.server]
cmd="go run ./cmd/server/server.go" cmd="go run ./cmd/server/server.go"
[targets.queue]
cmd="go run ./cmd/client/client.go -user certs/client${NUM}/client${NUM}.p12 askqueue"
[targets.send] [targets.send]
cmd="go run ./cmd/client/client.go -user certs/client${NUM}/client${NUM}.p12 send ${DEST} ${SUBJECT}" cmd="echo client1 | go run ./cmd/client/client.go -user certs/client1/client1.p12 send CL2 testsubject"
[targets.askQueue]
cmd="go run ./cmd/client/client.go -user certs/client2/client2.p12 askqueue"
[targets.fakeAskQueue]
cmd="go run ./cmd/client/client.go -user certs/FakeClient1/client1.p12 askqueue"