Added partial verification of server public key on client side - needs hostname verification. Added startup flag to ignore verification fail.

include/columnlynx/client/net/tcp/tcp_client.hpp

@@ -24,7 +24,8 @@ namespace ColumnLynx::Net::TCP {
                       const std::string& port,
                       Utils::LibSodiumWrapper* sodiumWrapper,
                       std::array<uint8_t, 32>* aesKey,
-                      uint64_t* sessionIDRef)
+                      uint64_t* sessionIDRef,
+                      bool* insecureMode)
                 :
                 mResolver(ioContext),
                 mSocket(ioContext),
@@ -33,6 +34,7 @@ namespace ColumnLynx::Net::TCP {
                 mLibSodiumWrapper(sodiumWrapper),
                 mGlobalKeyRef(aesKey),
                 mSessionIDRef(sessionIDRef),
+                mInsecureMode(insecureMode),
                 mHeartbeatTimer(mSocket.get_executor()),
                 mLastHeartbeatReceived(std::chrono::steady_clock::now()),
                 mLastHeartbeatSent(std::chrono::steady_clock::now())
@@ -62,6 +64,7 @@ namespace ColumnLynx::Net::TCP {
             SymmetricKey mConnectionAESKey;
             std::array<uint8_t, 32>* mGlobalKeyRef; // Reference to global AES key
             uint64_t* mSessionIDRef; // Reference to global Session ID
+            bool* mInsecureMode; // Reference to insecure mode flag
             asio::steady_timer mHeartbeatTimer;
             std::chrono::steady_clock::time_point mLastHeartbeatReceived;
             std::chrono::steady_clock::time_point mLastHeartbeatSent;

include/columnlynx/common/libsodium_wrapper.hpp

@@ -11,6 +11,9 @@
 #include <columnlynx/common/utils.hpp>
 #include <array>
 #include <vector>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/pem.h>
 
 namespace ColumnLynx {
     using PublicKey = std::array<uint8_t, crypto_sign_PUBLICKEYBYTES>;   // Ed25519
@@ -178,6 +181,47 @@ namespace ColumnLynx::Utils {
                 return plaintext;
             }
 
+        static inline bool verifyCertificateWithSystemCAs(const std::vector<uint8_t>& cert_der) {
+            // Parse DER-encoded certificate
+            const unsigned char* p = cert_der.data();
+            std::unique_ptr<X509, decltype(&X509_free)> cert(
+                d2i_X509(nullptr, &p, cert_der.size()), X509_free
+            );
+            if (!cert) {
+                return false;
+            }
+        
+            // Create a certificate store
+            std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)> store(
+                X509_STORE_new(), X509_STORE_free
+            );
+            if (!store) {
+                return false;
+            }
+        
+            // Load system default CA paths (/etc/ssl/certs, etc.)
+            if (X509_STORE_set_default_paths(store.get()) != 1) {
+                return false;
+            }
+        
+            // Create a verification context
+            std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> ctx(
+                X509_STORE_CTX_new(), X509_STORE_CTX_free
+            );
+            if (!ctx) {
+                return false;
+            }
+        
+            // Initialize verification context
+            if (X509_STORE_CTX_init(ctx.get(), store.get(), cert.get(), nullptr) != 1) {
+                return false;
+            }
+        
+            // Perform the actual certificate verification
+            int result = X509_verify_cert(ctx.get());
+            return result == 1;
+        }
+
         private:
             std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
             std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;