Removed verification by CA for now, moved to whitelisted_keys (should be simpler). TODO: Move to smart ptrs
This commit is contained in:
@@ -47,19 +47,23 @@ namespace ColumnLynx::Net::TCP {
|
||||
// Preload the config map
|
||||
mRawClientConfig = Utils::getConfigMap("client_config");
|
||||
|
||||
if (!mRawClientConfig.empty()) {
|
||||
Utils::debug("Loading the keys");
|
||||
auto itPubkey = mRawClientConfig.find("CLIENT_PUBLIC_KEY");
|
||||
auto itPrivkey = mRawClientConfig.find("CLIENT_PRIVATE_KEY");
|
||||
|
||||
PrivateKey sk;
|
||||
if (itPubkey != mRawClientConfig.end() && itPrivkey != mRawClientConfig.end()) {
|
||||
Utils::log("Loading keypair from config file.");
|
||||
|
||||
PublicKey pk;
|
||||
std::copy_n(Utils::hexStringToBytes(mRawClientConfig.find("CLIENT_PRIVATE_KEY")->second).begin(), sk.size(), sk.begin()); // This is extremely stupid, but the C++ compiler has forced my hand (I would've just used to_array, but fucking asio decls)
|
||||
std::copy_n(Utils::hexStringToBytes(mRawClientConfig.find("CLIENT_PUBLIC_KEY")->second).begin(), pk.size(), pk.begin());
|
||||
|
||||
PrivateKey sk;
|
||||
|
||||
std::copy_n(Utils::hexStringToBytes(itPrivkey->second).begin(), sk.size(), sk.begin()); // This is extremely stupid, but the C++ compiler has forced my hand (I would've just used to_array, but fucking asio decls)
|
||||
std::copy_n(Utils::hexStringToBytes(itPubkey->second).begin(), pk.size(), pk.begin());
|
||||
|
||||
mLibSodiumWrapper->setKeys(pk, sk);
|
||||
|
||||
Utils::debug("Newly-Loaded Public Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getPublicKey(), 32));
|
||||
Utils::debug("Newly-Loaded Private Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getPrivateKey(), 64));
|
||||
Utils::debug("Public Encryption Key: " + Utils::bytesToHexString(mLibSodiumWrapper->getXPublicKey(), 32));
|
||||
} else {
|
||||
Utils::warn("No keypair found in config file! Using random key.");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -205,100 +205,6 @@ namespace ColumnLynx::Utils {
|
||||
return plaintext;
|
||||
}
|
||||
|
||||
// Verify a public key (certificate) against system-installed CAs
|
||||
static inline bool verifyCertificateWithSystemCAs(const std::vector<uint8_t>& cert_der) {
|
||||
// Parse DER-encoded certificate
|
||||
const unsigned char* p = cert_der.data();
|
||||
std::unique_ptr<X509, decltype(&X509_free)> cert(
|
||||
d2i_X509(nullptr, &p, cert_der.size()), X509_free
|
||||
);
|
||||
if (!cert) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Create a certificate store
|
||||
std::unique_ptr<X509_STORE, decltype(&X509_STORE_free)> store(
|
||||
X509_STORE_new(), X509_STORE_free
|
||||
);
|
||||
if (!store) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Load system default CA paths (/etc/ssl/certs, etc.)
|
||||
if (X509_STORE_set_default_paths(store.get()) != 1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Create a verification context
|
||||
std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> ctx(
|
||||
X509_STORE_CTX_new(), X509_STORE_CTX_free
|
||||
);
|
||||
if (!ctx) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Initialize verification context
|
||||
if (X509_STORE_CTX_init(ctx.get(), store.get(), cert.get(), nullptr) != 1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Perform the actual certificate verification
|
||||
int result = X509_verify_cert(ctx.get());
|
||||
return result == 1;
|
||||
}
|
||||
|
||||
// Extract the hostnames (Subject Alternative Names and Common Names) out of a public key (certificate)
|
||||
static inline std::vector<std::string> getCertificateHostname(const std::vector<uint8_t>& cert_der) {
|
||||
std::vector<std::string> names;
|
||||
|
||||
if (cert_der.empty())
|
||||
return names;
|
||||
|
||||
// Parse DER certificate
|
||||
const unsigned char* p = cert_der.data();
|
||||
X509* cert = d2i_X509(nullptr, &p, cert_der.size());
|
||||
if (!cert)
|
||||
return names;
|
||||
|
||||
// --- Subject Alternative Names (SAN) ---
|
||||
GENERAL_NAMES* san_names =
|
||||
(GENERAL_NAMES*)X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr);
|
||||
|
||||
if (san_names) {
|
||||
int san_count = sk_GENERAL_NAME_num(san_names);
|
||||
for (int i = 0; i < san_count; i++) {
|
||||
const GENERAL_NAME* current = sk_GENERAL_NAME_value(san_names, i);
|
||||
if (current->type == GEN_DNS) {
|
||||
const char* dns_name = (const char*)ASN1_STRING_get0_data(current->d.dNSName);
|
||||
// Safety: ensure no embedded nulls
|
||||
if (ASN1_STRING_length(current->d.dNSName) == (int)std::strlen(dns_name)) {
|
||||
names.emplace_back(dns_name);
|
||||
}
|
||||
}
|
||||
}
|
||||
GENERAL_NAMES_free(san_names);
|
||||
}
|
||||
|
||||
// --- Fallback: Common Name (CN) ---
|
||||
if (names.empty()) {
|
||||
X509_NAME* subject = X509_get_subject_name(cert);
|
||||
if (subject) {
|
||||
int idx = X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
|
||||
if (idx >= 0) {
|
||||
X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject, idx);
|
||||
ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(entry);
|
||||
const char* cn_str = (const char*)ASN1_STRING_get0_data(cn_asn1);
|
||||
if (ASN1_STRING_length(cn_asn1) == (int)std::strlen(cn_str)) {
|
||||
names.emplace_back(cn_str);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
X509_free(cert);
|
||||
return names;
|
||||
}
|
||||
|
||||
private:
|
||||
std::array<uint8_t, crypto_sign_PUBLICKEYBYTES> mPublicKey;
|
||||
std::array<uint8_t, crypto_sign_SECRETKEYBYTES> mPrivateKey;
|
||||
|
||||
Reference in New Issue
Block a user