Uni/CSI-ES-2324
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[PD2] Made cert checks in cryptoutils

Browse source
This commit is contained in:
Afonso Franco 2024-05-30 15:48:28 +01:00
parent 69559f41ca
commit 62962a13c7
Signed by: afonso
SSH key fingerprint: SHA256:PQTRDHPH3yALEGtHXnXBp3Orfcn21pK20t0tS1kHg54
9 changed files with 160 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

183
Projs/PD2/internal/utils/cryptoUtils/cryptoUtils.go
View file

@ -19,19 +19,15 @@ import (
)
type KeyStore struct {
cert *x509.Certificate
caCertChain []*x509.Certificate
privKey *rsa.PrivateKey
cert *x509.Certificate
caCertPool *x509.CertPool
privKey *rsa.PrivateKey
}
func (k KeyStore) GetCert() *x509.Certificate {
return k.cert
}
func (k KeyStore) GetCACertChain() []*x509.Certificate {
return k.caCertChain
}
func (k KeyStore) GetPrivKey() *rsa.PrivateKey {
return k.privKey
}
@ -67,25 +63,31 @@ func LoadKeyStore(keyStorePath string, password string) (KeyStore, error) {
if err := privKey.Validate(); err != nil {
return KeyStore{}, err
}
return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}, err
}
// Check if the cert is signed by the CA and is for the correct user
func (k KeyStore) CheckCert(cert *x509.Certificate, uid string) error {
caCertPool := x509.NewCertPool()
for _, caCert := range k.caCertChain {
for _, caCert := range caCerts {
caCertPool.AddCert(caCert)
}
return KeyStore{cert: cert, caCertPool: caCertPool, privKey: privKey}, err
}
// Check if the cert is signed by a known CA
func (k KeyStore) CheckCertCA(cert *x509.Certificate) error {
// Verify the peer's certificate
opts := x509.VerifyOptions{
Roots: caCertPool,
Roots: k.caCertPool,
}
// Check if the certificate is signed by the specified CA
_, err := cert.Verify(opts)
if err != nil {
log.Println("Certificate not signed by a trusted CA")
return err
return errors.New("certificate not signed by trusted CA")
}
return nil
}
// Check if the cert is valid
func (k KeyStore) CheckCertTime(cert *x509.Certificate) error {
if cert.NotAfter.Before(time.Now()) {
return errors.New("certificate has expired")
}
@ -93,10 +95,37 @@ func (k KeyStore) CheckCert(cert *x509.Certificate, uid string) error {
return errors.New("certificate is not valid yet")
}
//Check if the pseudonym field is set to UID
return nil
}
// Check if the pseudonym field is set to the correct pseudonym
func (k KeyStore) CheckCertPseudonym(cert *x509.Certificate, pseudonym string) error {
oidMap := ExtractAllOIDValues(cert)
if oidMap["2.5.4.65"] != uid {
log.Println("Certificate does not belong to the message's receiver")
if oidMap["2.5.4.65"] != pseudonym {
return errors.New("Certificate does not belong to the correct pseudonym")
}
return nil
}
func (k KeyStore) CheckCertUsage(cert *x509.Certificate, usage string) error {
oidMap := ExtractAllOIDValues(cert)
if oidMap["2.5.4.11"] != usage {
return errors.New("Certificate does not have the correct usage")
}
return nil
}
func (k KeyStore) CheckCert(cert *x509.Certificate, pseudonym string, usage string) error {
if err := k.CheckCertCA(cert); err != nil {
return err
}
if err := k.CheckCertTime(cert); err != nil {
return err
}
if err := k.CheckCertPseudonym(cert, pseudonym); err != nil {
return err
}
if err := k.CheckCertUsage(cert, usage); err != nil {
return err
}
return nil
@ -106,49 +135,58 @@ func (k *KeyStore) GetTLSConfig() *tls.Config {
certificate := tls.Certificate{Certificate: [][]byte{k.cert.Raw}, PrivateKey: k.privKey, Leaf: k.cert}
//Add the CA certificate chain to a CertPool
caCertPool := x509.NewCertPool()
for _, caCert := range k.caCertChain {
caCertPool.AddCert(caCert)
}
config := &tls.Config{
Certificates: []tls.Certificate{certificate},
}
return config
}
func (k *KeyStore) GetServerTLSConfig() *tls.Config {
func (k *KeyStore) GetGatewayIncomingTLSConfig() *tls.Config {
tlsConfig := k.GetTLSConfig()
//Add the CA certificate chain to a CertPool
caCertPool := x509.NewCertPool()
for _, caCert := range k.caCertChain {
caCertPool.AddCert(caCert)
}
tlsConfig.ClientCAs = caCertPool
tlsConfig.ClientAuth = tls.RequireAnyClientCert
tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
// Verify the peer's certificate
opts := x509.VerifyOptions{
Roots: caCertPool,
}
for _, certBytes := range rawCerts {
cert, err := x509.ParseCertificate(certBytes)
if err != nil {
return err
}
if cert.NotAfter.Before(time.Now()) {
return errors.New("certificate has expired")
if err = k.CheckCertCA(cert); err != nil {
return err
}
if cert.NotBefore.After(time.Now()) {
return errors.New("certificate is not valid yet")
if err = k.CheckCertTime(cert); err != nil {
return err
}
if err = k.CheckCertUsage(cert, "MSG SERVICE"); err != nil {
return err
}
}
return nil
}
return tlsConfig
}
// Check if the certificate is signed by the specified CA
_, err = cert.Verify(opts)
func (k *KeyStore) GetGatewayOutgoingTLSConfig() *tls.Config {
tlsConfig := k.GetTLSConfig()
tlsConfig.RootCAs = k.caCertPool
tlsConfig.InsecureSkipVerify = true
tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
for _, certBytes := range rawCerts {
cert, err := x509.ParseCertificate(certBytes)
if err != nil {
return errors.New("certificate not signed by trusted CA")
return err
}
if err = k.CheckCertCA(cert); err != nil {
return err
}
if err = k.CheckCertTime(cert); err != nil {
return err
}
if err = k.CheckCertPseudonym(cert, "SERVER"); err != nil {
return err
}
if err = k.CheckCertUsage(cert, "MSG SERVICE"); err != nil {
return err
}
}
return nil
@ -159,41 +197,54 @@ func (k *KeyStore) GetServerTLSConfig() *tls.Config {
func (k *KeyStore) GetClientTLSConfig() *tls.Config {
tlsConfig := k.GetTLSConfig()
//Add the CA certificate chain to a CertPool
caCertPool := x509.NewCertPool()
for _, caCert := range k.caCertChain {
caCertPool.AddCert(caCert)
}
tlsConfig.RootCAs = caCertPool
tlsConfig.RootCAs = k.caCertPool
tlsConfig.InsecureSkipVerify = true
tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
// Verify the peer's certificate
opts := x509.VerifyOptions{
Roots: caCertPool,
}
for _, certBytes := range rawCerts {
cert, err := x509.ParseCertificate(certBytes)
if err != nil {
return err
}
if cert.NotAfter.Before(time.Now()) {
return errors.New("certificate has expired")
if err = k.CheckCertCA(cert); err != nil {
return err
}
if cert.NotBefore.After(time.Now()) {
return errors.New("certificate is not valid yet")
if err = k.CheckCertTime(cert); err != nil {
return err
}
if err = k.CheckCertPseudonym(cert, "GATEWAY"); err != nil {
return err
}
if err = k.CheckCertUsage(cert, "MSG SERVICE"); err != nil {
return err
}
oidMap := ExtractAllOIDValues(cert)
// Check if the certificate is signed by the specified CA
_, err = cert.Verify(opts)
}
return nil
}
return tlsConfig
}
func (k *KeyStore) GetServerTLSConfig() *tls.Config {
tlsConfig := k.GetTLSConfig()
tlsConfig.ClientAuth = tls.RequireAnyClientCert
tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
for _, certBytes := range rawCerts {
cert, err := x509.ParseCertificate(certBytes)
if err != nil {
return errors.New("certificate not signed by trusted CA")
return err
}
//Check if the pseudonym field is set to "SERVER"
if oidMap["2.5.4.65"] != "SERVER" {
return errors.New("peer isn't the server")
if err = k.CheckCertCA(cert); err != nil {
return err
}
if err = k.CheckCertTime(cert); err != nil {
return err
}
if err = k.CheckCertPseudonym(cert, "GATEWAY"); err != nil {
return err
}
if err = k.CheckCertUsage(cert, "MSG SERVICE"); err != nil {
return err
}
}
return nil