[PD1] FIXED TLS Handshake
parent
1cb81d2279
commit
4cf7880e57
5 changed files with 77 additions and 22 deletions
|
@ -8,7 +8,9 @@ import (
|
|||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"errors"
|
||||
|
||||
//"errors"
|
||||
"log"
|
||||
"os"
|
||||
|
||||
|
@ -65,7 +67,6 @@ func LoadKeyStore(keyStorePath string, password string) KeyStore {
|
|||
if err := privKey.Validate(); err != nil {
|
||||
log.Panicln("Private key is not valid")
|
||||
}
|
||||
fmt.Println(cert.SignatureAlgorithm)
|
||||
return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}
|
||||
}
|
||||
|
||||
|
@ -80,13 +81,64 @@ func (k *KeyStore) GetTLSConfig() *tls.Config {
|
|||
}
|
||||
config := &tls.Config{
|
||||
Certificates: []tls.Certificate{certificate},
|
||||
ClientCAs: caCertPool,
|
||||
RootCAs: caCertPool,
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
}
|
||||
return config
|
||||
}
|
||||
|
||||
func (k *KeyStore) GetServerTLSConfig() *tls.Config {
|
||||
tlsConfig := k.GetTLSConfig()
|
||||
|
||||
//Add the CA certificate chain to a CertPool
|
||||
caCertPool := x509.NewCertPool()
|
||||
for _, caCert := range k.caCertChain {
|
||||
caCertPool.AddCert(caCert)
|
||||
}
|
||||
tlsConfig.ClientCAs = caCertPool
|
||||
//Request one valid or invalid certificate
|
||||
//FIX: SERVER ACCEPTS CONNECTIONS WITH UNMATCHING OR
|
||||
// NO CERTIFICATE, NEEDS TO BE CHANGED SOMEHOW
|
||||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
return tlsConfig
|
||||
}
|
||||
|
||||
func (k *KeyStore) GetClientTLSConfig() *tls.Config {
|
||||
tlsConfig := k.GetTLSConfig()
|
||||
|
||||
//Add the CA certificate chain to a CertPool
|
||||
caCertPool := x509.NewCertPool()
|
||||
for _, caCert := range k.caCertChain {
|
||||
caCertPool.AddCert(caCert)
|
||||
}
|
||||
tlsConfig.RootCAs = caCertPool
|
||||
tlsConfig.InsecureSkipVerify = true
|
||||
tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
|
||||
// Verify the peer's certificate
|
||||
opts := x509.VerifyOptions{
|
||||
Roots: caCertPool,
|
||||
}
|
||||
for _, certBytes := range rawCerts {
|
||||
cert, err := x509.ParseCertificate(certBytes)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
oidMap := ExtractAllOIDValues(cert)
|
||||
|
||||
// Check if the certificate is signed by the specified CA
|
||||
_, err = cert.Verify(opts)
|
||||
if err != nil {
|
||||
return errors.New("certificate not signed by trusted CA")
|
||||
}
|
||||
|
||||
//Check if the pseudonym field is set to "SERVER"
|
||||
if oidMap["2.5.4.65"] != "SERVER"{
|
||||
return errors.New("peer isn't the server")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
return tlsConfig
|
||||
}
|
||||
|
||||
func (k KeyStore) EncryptMessageContent(receiverCert *x509.Certificate, content []byte) []byte {
|
||||
// Digital envolope
|
||||
|
||||
|
|
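Review bot: In GetClientTLSConfig, `InsecureSkipVerify = true` turns off Go's built-in chain and host name checks, so the `VerifyPeerCertificate` callback is the only server authentication, and it treats every entry of `rawCerts` as a leaf. Each entry is verified against `Roots` with no `Intermediates` pool and must also carry pseudonym `SERVER`, so a server that sends more than its leaf would likely be rejected; identity then rests on that one attribute, so any certificate this CA issues with pseudonym `SERVER` is accepted whatever host was dialled. I would verify only `rawCerts[0]` as the leaf, put the remaining entries into `opts.Intermediates`, reject an empty list, and wrap the verify error with `%w` instead of discarding it. Go documents that this callback is not invoked on resumed connections, so `VerifyConnection` is the safer hook if a client session cache is ever configured. Separately, the `FIX: SERVER ACCEPTS CONNECTIONS ...` comment in GetServerTLSConfig contradicts the `tls.RequireAndVerifyClientCert` line below it and should be removed or updated.

```go
	// … unchanged: caCertPool setup, RootCAs, InsecureSkipVerify …
	tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server sent no certificate")
		}
		// Only the first entry is the peer's own certificate; the rest
		// are chain-building material and must not be treated as leaves.
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, certBytes := range rawCerts[1:] {
			ic, err := x509.ParseCertificate(certBytes)
			if err != nil {
				return err
			}
			intermediates.AddCert(ic)
		}
		opts := x509.VerifyOptions{
			Roots:         caCertPool,
			Intermediates: intermediates,
		}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("certificate not signed by trusted CA: %w", err)
		}
		// The pseudonym check applies to the leaf only.
		if ExtractAllOIDValues(leaf)["2.5.4.65"] != "SERVER" {
			return errors.New("peer isn't the server")
		}
		return nil
	}
```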