[PD1] decryptMessageContent implemented
needs testing
This commit is contained in:
parent
c131aa2aea
commit
fb7a728aa4
SSH key fingerprint:
SHA256:odOD9vln9U7qNe1R8o3UCbE3jkQCkr5/q5mgd5hwua0
1 changed files with 31 additions and 9 deletions
|
|
@ -95,8 +95,8 @@ func (k *KeyStore) GetServerTLSConfig() *tls.Config {
|
||||||
}
|
}
|
||||||
tlsConfig.ClientCAs = caCertPool
|
tlsConfig.ClientCAs = caCertPool
|
||||||
//Request one valid or invalid certificate
|
//Request one valid or invalid certificate
|
||||||
//FIX: SERVER ACCEPTS CONNECTIONS WITH UNMATCHING OR
|
// FIX: SERVER ACCEPTS CONNECTIONS WITH UNMATCHING OR
|
||||||
// NO CERTIFICATE, NEEDS TO BE CHANGED SOMEHOW
|
// NO CERTIFICATE, NEEDS TO BE CHANGED SOMEHOW
|
||||||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||||
return tlsConfig
|
return tlsConfig
|
||||||
}
|
}
|
||||||
|
|
@ -121,18 +121,18 @@ func (k *KeyStore) GetClientTLSConfig() *tls.Config {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
oidMap := ExtractAllOIDValues(cert)
|
oidMap := ExtractAllOIDValues(cert)
|
||||||
|
|
||||||
// Check if the certificate is signed by the specified CA
|
// Check if the certificate is signed by the specified CA
|
||||||
_, err = cert.Verify(opts)
|
_, err = cert.Verify(opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.New("certificate not signed by trusted CA")
|
return errors.New("certificate not signed by trusted CA")
|
||||||
}
|
}
|
||||||
|
|
||||||
//Check if the pseudonym field is set to "SERVER"
|
//Check if the pseudonym field is set to "SERVER"
|
||||||
if oidMap["2.5.4.65"] != "SERVER"{
|
if oidMap["2.5.4.65"] != "SERVER" {
|
||||||
return errors.New("peer isn't the server")
|
return errors.New("peer isn't the server")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
@ -179,8 +179,30 @@ func (k KeyStore) EncryptMessageContent(receiverCert *x509.Certificate, content
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k KeyStore) DecryptMessageContent(senderCert *x509.Certificate, cipherContent []byte) []byte {
|
func (k KeyStore) DecryptMessageContent(senderCert *x509.Certificate, cipherContent []byte) []byte {
|
||||||
|
encryptedDataKey, encryptedMsg := unPair(cipherContent)
|
||||||
|
dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.GetPrivKey(), encryptedDataKey, nil)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicln("Could not decrypt dataKey: ", err)
|
||||||
|
}
|
||||||
|
// decrypt ciphertext
|
||||||
|
cipher, err := chacha20poly1305.New(dataKey)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicln("Could not create cipher: ", err)
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
nonce, ciphertext := encryptedMsg[:cipher.NonceSize()], encryptedMsg[cipher.NonceSize():]
|
||||||
|
contentAndSig, err := cipher.Open(nil, nonce, ciphertext, nil)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicln("Could not decrypt ciphertext: ", err)
|
||||||
|
}
|
||||||
|
// check signature with sender public key
|
||||||
|
content, signature := unPair(contentAndSig)
|
||||||
|
hashedContent := sha256.Sum256(content)
|
||||||
|
senderKey := senderCert.PublicKey.(*rsa.PublicKey)
|
||||||
|
if err := rsa.VerifyPKCS1v15(senderKey, crypto.SHA256, hashedContent[:], signature); err != nil {
|
||||||
|
log.Panicln("Signature is not valid: ", err)
|
||||||
|
}
|
||||||
|
return content
|
||||||
}
|
}
|
||||||
|
|
||||||
func pair(l []byte, r []byte) []byte {
|
func pair(l []byte, r []byte) []byte {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue