[PD1] crypto changes and TLS almost done

2024-04-18 17:15:47 +01:00 · 2024-04-18 17:15:47 +01:00 · 5ae7358a0d
commit 5ae7358a0d
parent 2c4f1fd2fc
13 changed files with 138 additions and 87 deletions
--- a/Projs/PD1/internal/utils/cryptoUtils/cryptoUtils.go
+++ b/Projs/PD1/internal/utils/cryptoUtils/cryptoUtils.go
@ -1,7 +1,6 @@
 package cryptoUtils

 import (
-	"PD1/internal/client"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
@ -15,7 +14,7 @@ import (
 type KeyStore struct {
 	cert        *x509.Certificate
 	caCertChain []*x509.Certificate
-	privKey     rsa.PrivateKey
+	privKey     *rsa.PrivateKey
 }

 func (k KeyStore) GetCert() *x509.Certificate {
@ -26,67 +25,90 @@ func (k KeyStore) GetCACertChain() []*x509.Certificate {
 	return k.caCertChain
 }

-func (k KeyStore) GetPrivKey() rsa.PrivateKey {
+func (k KeyStore) GetPrivKey() *rsa.PrivateKey {
 	return k.privKey
 }

-func LoadKeyStore(keyStorePath string) KeyStore {
+func ExtractAllOIDValues(cert *x509.Certificate) map[string]string {
+	oidValueMap := make(map[string]string)
+	for _, name := range cert.Subject.Names {
+		oid := name.Type.String()
+		value := name.Value.(string)
+		oidValueMap[oid] = value
+	}
+	return oidValueMap
+}

-	var privKey rsa.PrivateKey
+func LoadKeyStore(keyStorePath string, password string) KeyStore {
+
+	var privKey *rsa.PrivateKey

 	certFile, err := os.ReadFile(keyStorePath)
 	if err != nil {
-		log.Panicln("Provided certificate %v couldn't be opened", keyStorePath)
+		log.Panicln("Provided certificate couldn't be opened")
 	}

-	password := client.AskUserPassword()
 	privKeyInterface, cert, caCerts, err := pkcs12.DecodeChain(certFile, password)
-	privKey = privKeyInterface.(rsa.PrivateKey)
 	if err != nil {
 		log.Panicln("PKCS12 key store couldn't be decoded")
 	}
+	privKey, ok := privKeyInterface.(*rsa.PrivateKey)
+	if !ok {
+		log.Panicln("Failed to convert private key to RSA private key")
+	}
+
 	if err := privKey.Validate(); err != nil {
 		log.Panicln("Private key is not valid")
 	}
 	return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}
 }

-func (k KeyStore)GetTLSConfig() *tls.Config {
-    certificate ,err := tls.X509KeyPair(k.cert.Raw, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(&k.privKey)}))
-    if err!=nil{
-        log.Panicln("Could not load certificate and privkey to TLS")
-    }
-    
-    //Add the CA certificate chain to a CertPool
-    caCertPool := x509.NewCertPool()
+func (k *KeyStore) GetTLSConfig() *tls.Config {
+
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: k.cert.Raw})
+	privKeyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k.privKey)})
+	certificate, err := tls.X509KeyPair(certPEM, privKeyPEM)
+	if err != nil {
+		log.Panicln("Could not load certificate and privkey to TLS", err)
+	}
+
+	config := &tls.Config{
+		Certificates: []tls.Certificate{certificate},
+	}
+	return config
+}
+
+func (k *KeyStore) GetTLSConfigServer() *tls.Config {
+	config := k.GetTLSConfig()
+
+	//Add the CA certificate chain to a CertPool
+	caCertPool := x509.NewCertPool()
 	for _, caCert := range k.caCertChain {
 		caCertPool.AddCert(caCert)
 	}
-
-    config := &tls.Config{
-		Certificates: []tls.Certificate{certificate},
-		ClientCAs:    caCertPool,
-	}
-    return config
-}
-
-func (k KeyStore)GetTLSConfigServer() *tls.Config {
-	config := k.GetTLSConfig()
-
+	config.ClientCAs = caCertPool
 	config.ClientAuth = tls.RequireAndVerifyClientCert

 	return config
 }

-func (k KeyStore)GetTLSConfigClient() *tls.Config {
-	config:= k.GetTLSConfig()
+func (k *KeyStore) GetTLSConfigClient() *tls.Config {
+	config := k.GetTLSConfig()

-	config.ServerName = "SERVER"
+	//Add the CA certificate chain to a CertPool
+	caCertPool := x509.NewCertPool()
+	for _, caCert := range k.caCertChain {
+		caCertPool.AddCert(caCert)
+	}
+	config.RootCAs = caCertPool
+
+	//TODO: FIX THE VERIFICATION OF THE SERVER
+	//config.ServerName = "SERVER"

 	return config
 }

-func (k KeyStore)EncryptMessageContent(peerPubKey rsa.PublicKey, content []byte) []byte {
+func (k KeyStore) EncryptMessageContent(peerPubKey rsa.PublicKey, content []byte) []byte {
 	// Digital envolope
-    return nil
+	return nil
 }
--- a/Projs/PD1/internal/utils/networking/client.go
+++ b/Projs/PD1/internal/utils/networking/client.go
@ -2,7 +2,7 @@ package networking

 import (
 	"crypto/tls"
-	"net"
+	"log"
 )


@ -17,7 +17,7 @@ type Client[T any] struct {
 func NewClient[T any](clientTLSConfigProvider ClientTLSConfigProvider) Client[T] {
    dialConn, err := tls.Dial("tcp", "localhost:8080", clientTLSConfigProvider.GetTLSConfigClient())
 	if err != nil {
-		panic("Could not open connection to server")
+		log.Panicln("Could not open connection to server",err)
 	}
 	conn := NewConnection[T](dialConn)
 	return Client[T]{Connection: conn}
--- a/Projs/PD1/internal/utils/networking/connection.go
+++ b/Projs/PD1/internal/utils/networking/connection.go
@ -1,18 +1,18 @@
 package networking

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
-	"net"
 )

 type Connection[T any] struct {
-	Conn    net.Conn
+	Conn    *tls.Conn
 	encoder *json.Encoder
 	decoder *json.Decoder
 }

-
-func NewConnection[T any](netConn net.Conn) Connection[T] {
+func NewConnection[T any](netConn *tls.Conn) Connection[T] {
 	return Connection[T]{
 		Conn:    netConn,
 		encoder: json.NewEncoder(netConn),
@ -20,16 +20,21 @@ func NewConnection[T any](netConn net.Conn) Connection[T] {
 	}
 }

-func (jc Connection[T]) Send(obj T) {
-	if err := jc.encoder.Encode(&obj); err != nil {
+func (c Connection[T]) Send(obj T) {
+	if err := c.encoder.Encode(&obj); err != nil {
 		panic("Failed encoding data or sending it to connection")
 	}
 }

-func (jc Connection[T]) Receive() T {
+func (c Connection[T]) Receive() T {
 	var obj T
-	if err := jc.decoder.Decode(&obj); err != nil {
+	if err := c.decoder.Decode(&obj); err != nil {
 		panic("Failed decoding data or reading it from connection")
 	}
 	return obj
 }
+
+func (c Connection[T]) GetPeerCertificate() *x509.Certificate {
+	state := c.Conn.ConnectionState()
+	return state.PeerCertificates[0]
+}
--- a/Projs/PD1/internal/utils/networking/server.go
+++ b/Projs/PD1/internal/utils/networking/server.go
@ -3,11 +3,12 @@ package networking
 import (
 	"crypto/tls"
 	"fmt"
+	"log"
 	"net"
 )

 type ServerTLSConfigProvider interface {
-    GetServerTLSConfig() *tls.Config
+	GetTLSConfigServer() *tls.Config
 }

 type Server[T any] struct {
@ -15,16 +16,16 @@ type Server[T any] struct {
 	C        chan Connection[T]
 }

-func NewServer[T any](serverTLSConfigProvider ServerTLSConfigProvider,port int) Server[T]{
+func NewServer[T any](serverTLSConfigProvider ServerTLSConfigProvider, port int) Server[T] {

-    listener, err := tls.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port), serverTLSConfigProvider.GetServerTLSConfig())
+	listener, err := tls.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port), serverTLSConfigProvider.GetTLSConfigServer())
 	if err != nil {
 		panic("Server could not bind to address")
 	}
-   return Server[T]{
-        listener:listener,
-        C: make(chan Connection[T]),
-    } 
+	return Server[T]{
+		listener: listener,
+		C:        make(chan Connection[T]),
+	}
 }

 func (s *Server[T]) ListenLoop() {
@ -34,7 +35,16 @@ func (s *Server[T]) ListenLoop() {
 		if err != nil {
 			panic("Server could not accept connection")
 		}
-        conn := NewConnection[T](listenerConn)
+		tlsConn, ok := listenerConn.(*tls.Conn)
+		if !ok {
+			panic("Connection is not a TLS connection")
+		}
+
+		state := tlsConn.ConnectionState()
+		if len(state.PeerCertificates) == 0 {
+			log.Panicln("Client did not provide a certificate")
+		}
+		conn := NewConnection[T](tlsConn)
 		s.C <- conn
 	}
 }