2020-06-18 16:54:48 -04:00
|
|
|
package client
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/sha256"
|
|
|
|
"crypto/x509"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/makeworld-the-better-one/amfora/config"
|
|
|
|
)
|
|
|
|
|
|
|
|
// TOFU implementation.
|
|
|
|
// Stores cert hash and expiry for now, like Bombadillo.
|
2020-06-18 17:23:54 -04:00
|
|
|
// There is ongoing TOFU discussion on the mailing list about better
|
2020-06-18 16:54:48 -04:00
|
|
|
// ways to do this, and I will update this file once those are decided on.
|
2020-06-19 23:44:04 -04:00
|
|
|
// Update: See #7 for some small improvements made.
|
2020-06-18 16:54:48 -04:00
|
|
|
|
|
|
|
var ErrTofu = errors.New("server cert does not match TOFU database")
|
|
|
|
|
|
|
|
var tofuStore = config.TofuStore
|
|
|
|
|
|
|
|
// idKey returns the config/viper key needed to retrieve
|
|
|
|
// a cert's ID / fingerprint.
|
2020-06-19 23:44:04 -04:00
|
|
|
func idKey(domain string, port string) string {
|
|
|
|
if port == "1965" || port == "" {
|
|
|
|
return strings.ReplaceAll(domain, ".", "/")
|
|
|
|
}
|
|
|
|
return strings.ReplaceAll(domain, ".", "/") + ":" + port
|
2020-06-18 16:54:48 -04:00
|
|
|
}
|
|
|
|
|
2020-06-19 23:44:04 -04:00
|
|
|
func expiryKey(domain string, port string) string {
|
|
|
|
if port == "1965" || port == "" {
|
|
|
|
return strings.ReplaceAll(strings.TrimSuffix(domain, "."), ".", "/") + "/expiry"
|
|
|
|
}
|
|
|
|
return strings.ReplaceAll(strings.TrimSuffix(domain, "."), ".", "/") + "/expiry" + ":" + port
|
2020-06-18 16:54:48 -04:00
|
|
|
}
|
|
|
|
|
2020-06-19 23:44:04 -04:00
|
|
|
func loadTofuEntry(domain string, port string) (string, time.Time, error) {
|
|
|
|
id := tofuStore.GetString(idKey(domain, port)) // Fingerprint
|
2020-08-25 21:18:57 -04:00
|
|
|
if len(id) != sha256.Size*2 {
|
2020-06-18 16:54:48 -04:00
|
|
|
// Not set, or invalid
|
2020-08-25 21:18:57 -04:00
|
|
|
return "", time.Time{}, errors.New("not found") //nolint:goerr113
|
2020-06-18 16:54:48 -04:00
|
|
|
}
|
|
|
|
|
2020-06-19 23:44:04 -04:00
|
|
|
expiry := tofuStore.GetTime(expiryKey(domain, port))
|
2020-06-18 16:54:48 -04:00
|
|
|
if expiry.IsZero() {
|
|
|
|
// Not set
|
2020-08-25 21:18:57 -04:00
|
|
|
return id, time.Time{}, errors.New("not found") //nolint:goerr113
|
2020-06-18 16:54:48 -04:00
|
|
|
}
|
|
|
|
return id, expiry, nil
|
|
|
|
}
|
|
|
|
|
2020-08-25 21:18:57 -04:00
|
|
|
//nolint:errcheck
|
2020-06-18 16:54:48 -04:00
|
|
|
// certID returns a generic string representing a cert or domain.
|
|
|
|
func certID(cert *x509.Certificate) string {
|
|
|
|
h := sha256.New()
|
2020-06-19 23:44:04 -04:00
|
|
|
h.Write(cert.RawSubjectPublicKeyInfo) // Better than cert.Raw, see #7
|
2020-06-18 16:54:48 -04:00
|
|
|
return fmt.Sprintf("%X", h.Sum(nil))
|
2020-06-19 23:44:04 -04:00
|
|
|
}
|
2020-06-18 16:54:48 -04:00
|
|
|
|
2020-06-19 23:44:04 -04:00
|
|
|
// origCertID uses cert.Raw, which was used in v1.0.0 of the app.
|
|
|
|
func origCertID(cert *x509.Certificate) string {
|
|
|
|
h := sha256.New()
|
2020-08-25 21:18:57 -04:00
|
|
|
h.Write(cert.Raw) //nolint:errcheck
|
2020-06-19 23:44:04 -04:00
|
|
|
return fmt.Sprintf("%X", h.Sum(nil))
|
2020-06-18 16:54:48 -04:00
|
|
|
}
|
|
|
|
|
2020-06-24 13:31:01 -04:00
|
|
|
func saveTofuEntry(domain, port string, cert *x509.Certificate) {
|
|
|
|
tofuStore.Set(idKey(domain, port), certID(cert))
|
|
|
|
tofuStore.Set(expiryKey(domain, port), cert.NotAfter.UTC())
|
2020-08-25 21:18:57 -04:00
|
|
|
tofuStore.WriteConfig() //nolint:errcheck // Not an issue if it's not saved, only cached data
|
2020-06-18 16:54:48 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// handleTofu is the abstracted interface for taking care of TOFU.
|
|
|
|
// A cert is provided and storage, checking, etc, are taken care of.
|
|
|
|
// It returns a bool indicating if the cert is valid according to
|
|
|
|
// the TOFU database.
|
|
|
|
// If false is returned, the connection should not go ahead.
|
2020-06-24 13:31:01 -04:00
|
|
|
func handleTofu(domain, port string, cert *x509.Certificate) bool {
|
|
|
|
id, expiry, err := loadTofuEntry(domain, port)
|
2020-06-18 16:54:48 -04:00
|
|
|
if err != nil {
|
|
|
|
// Cert isn't in database or data is malformed
|
|
|
|
// So it can't be checked and anything is valid
|
2020-06-24 13:31:01 -04:00
|
|
|
saveTofuEntry(domain, port, cert)
|
2020-06-19 23:44:04 -04:00
|
|
|
return true
|
|
|
|
}
|
2020-06-18 16:54:48 -04:00
|
|
|
if certID(cert) == id {
|
2020-06-19 23:44:04 -04:00
|
|
|
// Same cert as the one stored
|
2020-07-03 20:32:37 -04:00
|
|
|
|
|
|
|
// Store expiry again in case it changed
|
|
|
|
tofuStore.Set(expiryKey(domain, port), cert.NotAfter.UTC())
|
2020-08-25 21:18:57 -04:00
|
|
|
tofuStore.WriteConfig() //nolint:errcheck
|
2020-07-03 20:32:37 -04:00
|
|
|
|
2020-06-18 16:54:48 -04:00
|
|
|
return true
|
|
|
|
}
|
2020-06-19 23:44:04 -04:00
|
|
|
if origCertID(cert) == id {
|
|
|
|
// Valid but uses old ID type
|
2020-06-24 13:31:01 -04:00
|
|
|
saveTofuEntry(domain, port, cert)
|
2020-06-18 16:54:48 -04:00
|
|
|
return true
|
|
|
|
}
|
2020-07-03 20:32:37 -04:00
|
|
|
if time.Now().After(expiry) {
|
|
|
|
// Old cert expired, so anything is valid
|
|
|
|
saveTofuEntry(domain, port, cert)
|
|
|
|
return true
|
|
|
|
}
|
2020-06-18 16:54:48 -04:00
|
|
|
return false
|
|
|
|
}
|
2020-06-21 20:37:27 -04:00
|
|
|
|
2020-06-24 12:06:44 -04:00
|
|
|
// ResetTofuEntry forces the cert passed to be valid, overwriting any previous TOFU entry.
|
2020-06-21 20:37:27 -04:00
|
|
|
// The port string can be empty, to indicate port 1965.
|
2020-06-24 13:31:01 -04:00
|
|
|
func ResetTofuEntry(domain, port string, cert *x509.Certificate) {
|
|
|
|
saveTofuEntry(domain, port, cert)
|
2020-06-21 20:37:27 -04:00
|
|
|
}
|
2020-07-10 18:59:51 -04:00
|
|
|
|
|
|
|
// GetExpiry returns the stored expiry date for the given host.
|
|
|
|
// The time will be empty (zero) if there is not expiry date stored for that host.
|
|
|
|
func GetExpiry(domain, port string) time.Time {
|
|
|
|
return tofuStore.GetTime(expiryKey(domain, port))
|
|
|
|
}
|