diff --git a/conn.go b/conn.go index cf32fa4..689e385 100644 --- a/conn.go +++ b/conn.go @@ -1,15 +1,20 @@ package libp2ptls import ( - "crypto/tls" + "net" ci "github.com/libp2p/go-libp2p-core/crypto" "github.com/libp2p/go-libp2p-core/peer" "github.com/libp2p/go-libp2p-core/sec" ) +type handshakeConn interface { + net.Conn + Handshake() error +} + type conn struct { - *tls.Conn + net.Conn localPeer peer.ID privKey ci.PrivKey diff --git a/crypto.go b/crypto.go index e6d6d5f..002686a 100644 --- a/crypto.go +++ b/crypto.go @@ -1,16 +1,15 @@ +// +build !openssl + package libp2ptls import ( - "crypto/ecdsa" - "crypto/elliptic" "crypto/rand" "crypto/tls" "crypto/x509" "crypto/x509/pkix" - "encoding/asn1" "errors" "fmt" - "math/big" + "net" "time" "golang.org/x/sys/cpu" @@ -19,20 +18,10 @@ import ( "github.com/libp2p/go-libp2p-core/peer" ) -const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years -const certificatePrefix = "libp2p-tls-handshake:" -const alpn string = "libp2p" - -var extensionID = getPrefixedExtensionID([]int{1, 1}) - -type signedKey struct { - PubKey []byte - Signature []byte -} - // Identity is used to secure connections type Identity struct { - config tls.Config + config tls.Config + privateKey ic.PrivKey } // NewIdentity creates a new identity @@ -57,6 +46,25 @@ func NewIdentity(privKey ic.PrivKey) (*Identity, error) { }, nil } +func newIdentity(sk ic.PrivKey) (identity, error) { + return NewIdentity(sk) +} + +// CreateServerConn creates server connection to do the tls handshake. +func (i *Identity) CreateServerConn(insecure net.Conn) (handshakeConn, <-chan ic.PubKey, error) { + config, keyCh := i.ConfigForAny() + conn := tls.Server(insecure, config) + return conn, keyCh, nil +} + +// CreateClientConn creates client connection to do the tls handshake. +func (i *Identity) CreateClientConn(insecure net.Conn, remote peer.ID) (handshakeConn, + <-chan ic.PubKey, error) { + config, keyCh := i.ConfigForPeer(remote) + conn := tls.Client(insecure, config) + return conn, keyCh, nil +} + // ConfigForAny is a short-hand for ConfigForPeer(""). func (i *Identity) ConfigForAny() (*tls.Config, <-chan ic.PubKey) { return i.ConfigForPeer("") @@ -92,12 +100,9 @@ func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, <-chan ic.PubKey) if err != nil { return err } - if remote != "" && !remote.MatchesPublicKey(pubKey) { - peerID, err := peer.IDFromPublicKey(pubKey) - if err != nil { - peerID = peer.ID(fmt.Sprintf("(not determined: %s)", err.Error())) - } - return fmt.Errorf("peer IDs don't match: expected %s, got %s", remote, peerID) + err = validateRemote(pubKey, remote) + if err != nil { + return err } keyCh <- pubKey return nil @@ -132,74 +137,37 @@ func PubKeyFromCertChain(chain []*x509.Certificate) (ic.PubKey, error) { if !found { return nil, errors.New("expected certificate to contain the key extension") } - var sk signedKey - if _, err := asn1.Unmarshal(keyExt.Value, &sk); err != nil { - return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err) - } - pubKey, err := ic.UnmarshalPublicKey(sk.PubKey) - if err != nil { - return nil, fmt.Errorf("unmarshalling public key failed: %s", err) - } + certKeyPub, err := x509.MarshalPKIXPublicKey(cert.PublicKey) if err != nil { return nil, err } - valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature) - if err != nil { - return nil, fmt.Errorf("signature verification failed: %s", err) - } - if !valid { - return nil, errors.New("signature invalid") - } - return pubKey, nil + return unmarshalExtenstionPublicKey(keyExt.Value, certKeyPub) } func keyToCertificate(sk ic.PrivKey) (*tls.Certificate, error) { - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + config, err := newCertificateConfig(sk) if err != nil { return nil, err } - keyBytes, err := ic.MarshalPublicKey(sk.GetPublic()) - if err != nil { - return nil, err - } - certKeyPub, err := x509.MarshalPKIXPublicKey(certKey.Public()) - if err != nil { - return nil, err - } - signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...)) - if err != nil { - return nil, err - } - value, err := asn1.Marshal(signedKey{ - PubKey: keyBytes, - Signature: signature, - }) - if err != nil { - return nil, err - } - - sn, err := rand.Int(rand.Reader, big.NewInt(1<<62)) - if err != nil { - return nil, err - } tmpl := &x509.Certificate{ - SerialNumber: sn, + SerialNumber: config.serialNumber, NotBefore: time.Time{}, NotAfter: time.Now().Add(certValidityPeriod), // after calling CreateCertificate, these will end up in Certificate.Extensions ExtraExtensions: []pkix.Extension{ - {Id: extensionID, Value: value}, + {Id: extensionID, Value: config.extensionValue}, }, } - certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, certKey.Public(), certKey) + certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, config.certKey.Public(), + config.certKey) if err != nil { return nil, err } return &tls.Certificate{ Certificate: [][]byte{certDER}, - PrivateKey: certKey, + PrivateKey: config.certKey, }, nil } diff --git a/go.mod b/go.mod index 8fa4f35..dd39746 100644 --- a/go.mod +++ b/go.mod @@ -4,6 +4,7 @@ go 1.14 require ( github.com/libp2p/go-libp2p-core v0.3.0 + github.com/libp2p/go-openssl v0.0.6 github.com/onsi/ginkgo v1.12.0 github.com/onsi/gomega v1.9.0 golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab diff --git a/go.sum b/go.sum index d5892b0..cc09687 100644 --- a/go.sum +++ b/go.sum @@ -1,8 +1,6 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII= -github.com/btcsuite/btcd v0.0.0-20190824003749-130ea5bddde3 h1:A/EVblehb75cUgXA5njHPn0kLAsykn6mJGz7rnmW5W0= -github.com/btcsuite/btcd v0.0.0-20190824003749-130ea5bddde3/go.mod h1:3J08xEfcugPacsc34/LKRU2yO7YmuT8yt28J8k2+rrI= github.com/btcsuite/btcd v0.20.1-beta h1:Ik4hyJqN8Jfyv3S4AGBOmyouMsYE3EdYODkMbQjwPGw= github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ= github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA= @@ -55,16 +53,13 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/libp2p/go-flow-metrics v0.0.2/go.mod h1:HeoSNUrOJVK1jEpDqVEiUOIXqhbnS27omG0uWU5slZs= github.com/libp2p/go-flow-metrics v0.0.3/go.mod h1:HeoSNUrOJVK1jEpDqVEiUOIXqhbnS27omG0uWU5slZs= -github.com/libp2p/go-libp2p-core v0.2.5 h1:iP1PIiIrlRrGbE1fYq2918yBc5NlCH3pFuIPSWU9hds= -github.com/libp2p/go-libp2p-core v0.2.5/go.mod h1:6+5zJmKhsf7yHn1RbmYDu08qDUpIUxGdqHuEZckmZOA= github.com/libp2p/go-libp2p-core v0.3.0 h1:F7PqduvrztDtFsAa/bcheQ3azmNo+Nq7m8hQY5GiUW8= github.com/libp2p/go-libp2p-core v0.3.0/go.mod h1:ACp3DmS3/N64c2jDzcV429ukDpicbL6+TrrxANBjPGw= -github.com/libp2p/go-openssl v0.0.3 h1:wjlG7HvQkt4Fq4cfH33Ivpwp0omaElYEi9z26qaIkIk= -github.com/libp2p/go-openssl v0.0.3/go.mod h1:unDrJpgy3oFr+rqXsarWifmJuNnJR4chtO1HmaZjggc= github.com/libp2p/go-openssl v0.0.4 h1:d27YZvLoTyMhIN4njrkr8zMDOM4lfpHIp6A+TK9fovg= github.com/libp2p/go-openssl v0.0.4/go.mod h1:unDrJpgy3oFr+rqXsarWifmJuNnJR4chtO1HmaZjggc= +github.com/libp2p/go-openssl v0.0.6 h1:BFqTHVDt6V60Y7xU9f89FwljvFl/CEqZYO1vlfa2DCE= +github.com/libp2p/go-openssl v0.0.6/go.mod h1:unDrJpgy3oFr+rqXsarWifmJuNnJR4chtO1HmaZjggc= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= @@ -84,8 +79,6 @@ github.com/mr-tron/base58 v1.1.3 h1:v+sk57XuaCKGXpWtVBX8YJzO7hMGx4Aajh4TQbdEFdc= github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc= github.com/multiformats/go-base32 v0.0.3 h1:tw5+NhuwaOjJCC5Pp82QuXbrmLzWg7uxlMFp8Nq/kkI= github.com/multiformats/go-base32 v0.0.3/go.mod h1:pLiuGC8y0QR3Ue4Zug5UzK9LjgbkL8NSQj0zQ5Nz/AA= -github.com/multiformats/go-multiaddr v0.1.1 h1:rVAztJYMhCQ7vEFr8FvxW3mS+HF2eY/oPbOMeS0ZDnE= -github.com/multiformats/go-multiaddr v0.1.1/go.mod h1:aMKBKNEYmzmDmxfX88/vz+J5IU55txyt0p4aiWVohjo= github.com/multiformats/go-multiaddr v0.2.0 h1:lR52sFwcTCuQb6bTfnXF6zA2XfyYvyd+5a9qECv/J90= github.com/multiformats/go-multiaddr v0.2.0/go.mod h1:0nO36NvPpyV4QzvTLi/lafl2y95ncPj0vFwVF6k6wJ4= github.com/multiformats/go-multibase v0.0.1 h1:PN9/v21eLywrFWdFNsFKaU04kLJzuYzmrJR+ubhT9qA= @@ -101,18 +94,12 @@ github.com/multiformats/go-varint v0.0.1/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXS github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.3 h1:OoxbjfXVZyod1fmWYhI7SEyaD8B00ynP3T+D5GiyHOY= -github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU= github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1 h1:K0jcRCwNQM3vFGh1ppMtDh/+7ApJrjldlX8fA0jDTLQ= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34= -github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg= github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= @@ -129,7 +116,6 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/x-cray/logrus-prefixed-formatter v0.5.2/go.mod h1:2duySbKsL6M18s5GU7VPsoEPHyzalCE06qoARUCeBBE= -go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= @@ -137,8 +123,6 @@ golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= diff --git a/identity.go b/identity.go new file mode 100644 index 0000000..a2e016b --- /dev/null +++ b/identity.go @@ -0,0 +1,126 @@ +package libp2ptls + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "encoding/asn1" + "errors" + "fmt" + "math/big" + "net" + "time" + + ic "github.com/libp2p/go-libp2p-core/crypto" + "github.com/libp2p/go-libp2p-core/peer" +) + +const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years +const certificatePrefix = "libp2p-tls-handshake:" +const alpn string = "libp2p" + +var extensionID = getPrefixedExtensionID([]int{1, 1}) + +// getExtensionString returns libp2p's object id in string format. +func getExtensionString(inputs []int) string { + out := "" + for i, input := range inputs { + out += fmt.Sprintf("%d", input) + if i != len(inputs)-1 { + out += "." + } + } + return out +} + +func validateRemote(pubKey ic.PubKey, remote peer.ID) error { + if remote != "" && !remote.MatchesPublicKey(pubKey) { + peerID, err := peer.IDFromPublicKey(pubKey) + if err != nil { + peerID = peer.ID(fmt.Sprintf("(not determined: %s)", err.Error())) + } + return fmt.Errorf("peer IDs don't match: expected %s, got %s", remote, peerID) + } + return nil +} + +func unmarshalExtenstionPublicKey(value []byte, certKeyPub []byte) (ic.PubKey, error) { + var sk signedKey + if _, err := asn1.Unmarshal(value, &sk); err != nil { + return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err) + } + pubKey, err := ic.UnmarshalPublicKey(sk.PubKey) + if err != nil { + return nil, fmt.Errorf("unmarshalling public key failed: %s", err) + } + valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature) + if err != nil { + return nil, fmt.Errorf("signature verification failed: %s", err) + } + if !valid { + return nil, errors.New("signature invalid") + } + return pubKey, nil +} + +type signedKey struct { + PubKey []byte + Signature []byte +} + +// certificateConfig contains config to create certificate. +type certificateConfig struct { + // Certificate Private and Public key pair. + certKey *ecdsa.PrivateKey + // Custom Extenstion value. It contains public key and signature. + extensionValue []byte + // Certificate's serial number. + serialNumber *big.Int +} + +// newCertificateConfig returns certificateConfig. +func newCertificateConfig(sk ic.PrivKey) (*certificateConfig, error) { + certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return nil, err + } + + keyBytes, err := ic.MarshalPublicKey(sk.GetPublic()) + if err != nil { + return nil, err + } + certKeyPub, err := x509.MarshalPKIXPublicKey(certKey.Public()) + if err != nil { + return nil, err + } + signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...)) + if err != nil { + return nil, err + } + value, err := asn1.Marshal(signedKey{ + PubKey: keyBytes, + Signature: signature, + }) + if err != nil { + return nil, err + } + + sn, err := rand.Int(rand.Reader, big.NewInt(1<<62)) + if err != nil { + return nil, err + } + return &certificateConfig{ + serialNumber: sn, + extensionValue: value, + certKey: certKey, + }, nil +} + +// identity is used to secure connection. +type identity interface { + // CreateServerConn creates server connection to do the tls handshake. + CreateServerConn(insecure net.Conn) (handshakeConn, <-chan ic.PubKey, error) + // CreateClientConn creates client connection to do the tls handshake. + CreateClientConn(insecure net.Conn, remote peer.ID) (handshakeConn, <-chan ic.PubKey, error) +} diff --git a/openssl.go b/openssl.go new file mode 100644 index 0000000..d7b3669 --- /dev/null +++ b/openssl.go @@ -0,0 +1,185 @@ +// +build openssl + +package libp2ptls + +import ( + "crypto/x509" + "encoding/pem" + "errors" + "fmt" + "net" + "time" + + ic "github.com/libp2p/go-libp2p-core/crypto" + "github.com/libp2p/go-libp2p-core/peer" + "github.com/libp2p/go-openssl" +) + +// libp2pNID is the NID for the libp2p-tls oid. +var libp2pNID openssl.NID = openssl.CreateObjectIdentifier(getExtensionString(extensionID), + "libp2p-tls", + "Object Identifier for libp2p-tls") + +// openSSLIdentity is used to +type openSSLIdentity struct { + certificate *openssl.Certificate + privateKey openssl.PrivateKey +} + +// newOpenSSLIdentity create openSSLIdentity. +func newOpenSSLIdentity(sk ic.PrivKey) (*openSSLIdentity, error) { + cert, privKey, err := createOpenSSLCertificate(sk) + if err != nil { + return nil, err + } + return &openSSLIdentity{ + certificate: cert, + privateKey: privKey, + }, nil +} + +func newIdentity(sk ic.PrivKey) (identity, error) { + return newOpenSSLIdentity(sk) +} + +// CreateServerConn creates server connection to do the tls handshake. +func (o *openSSLIdentity) CreateServerConn(insecure net.Conn) (handshakeConn, + <-chan ic.PubKey, error) { + opensslCtx, keyCh, err := o.createOpenSSLCtx("") + if err := opensslCtx.UsePrivateKey(o.privateKey); err != nil { + return nil, nil, err + } + conn, err := openssl.Server(insecure, opensslCtx) + if err != nil { + return nil, nil, err + } + return conn, keyCh, nil +} + +// CreateClientConn creates client connection to do the tls handshake. +func (o *openSSLIdentity) CreateClientConn(insecure net.Conn, remote peer.ID) (handshakeConn, + <-chan ic.PubKey, error) { + opensslCtx, keyCh, err := o.createOpenSSLCtx(remote) + + conn, err := openssl.Client(insecure, opensslCtx) + if err != nil { + return nil, nil, err + } + return conn, keyCh, nil +} + +func (o *openSSLIdentity) createOpenSSLCtx(remote peer.ID) (*openssl.Ctx, + <-chan ic.PubKey, error) { + keyCh := make(chan ic.PubKey, 4) + opensslCtx, err := openssl.NewCtxWithVersion(openssl.TLSv1_2) + if err != nil { + return nil, nil, err + } + + // Add the certificate. + if err := opensslCtx.UseCertificate(o.certificate); err != nil { + return nil, nil, err + } + + // Enable two way tls. + opensslCtx.SetVerifyMode(openssl.VerifyPeer) + + opensslCtx.SetVerifyCallback(func(a bool, store *openssl.CertificateStoreCtx) bool { + cert := store.GetCurrentCert() + pubKey, err := pubKeyFromOpenSSLCertificate(cert) + if err != nil { + return false + } + err = validateRemote(pubKey, remote) + if err != nil { + return false + } + keyCh <- pubKey + return true + }) + + if err = opensslCtx.SetNextProtos([]string{alpn}); err != nil { + return nil, nil, err + } + + if err := opensslCtx.UsePrivateKey(o.privateKey); err != nil { + return nil, nil, err + } + return opensslCtx, keyCh, nil +} + +// pubKeyFromOpenSSLCertificate extracts the public key from the custom extension. +func pubKeyFromOpenSSLCertificate(cert *openssl.Certificate) (ic.PubKey, error) { + extValue := cert.GetExtensionValue(libp2pNID) + if len(extValue) == 0 { + return nil, errors.New("unable to find extension value") + } + + pubKey, err := cert.PublicKey() + if err != nil { + return nil, err + } + certKeyPub, err := pubKey.MarshalPKIXPublicKeyDER() + if err != nil { + return nil, err + } + return unmarshalExtenstionPublicKey(extValue, certKeyPub) +} + +// createOpenSSLCertificate creates openssl certificate and returns the certificate and it's +// private key. +func createOpenSSLCertificate(sk ic.PrivKey) (*openssl.Certificate, openssl.PrivateKey, error) { + config, err := newCertificateConfig(sk) + if err != nil { + return nil, nil, err + } + info := &openssl.CertificateInfo{ + Issued: time.Since(time.Time{}), + Expires: time.Since(time.Now().Add(certValidityPeriod)), + Serial: config.serialNumber, + Country: "US", + CommonName: "libp2p", + Organization: "libp2p", + } + + // Create the public key in pem format. + encodedPublicKey, err := x509.MarshalPKIXPublicKey(config.certKey.Public()) + if err != nil { + return nil, nil, err + } + + pemPublicKey := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: encodedPublicKey}) + pubKey, err := openssl.LoadPublicKeyFromPEM(pemPublicKey) + if err != nil { + return nil, nil, err + } + + // Create a certificate with the given public key, + certificate, err := openssl.NewCertificate(info, pubKey) + if err != nil { + return nil, nil, err + } + + // Add the custom extension. + config.extensionValue = append(config.extensionValue, 0) + fmt.Println(len(config.extensionValue)) + err = certificate.AddCustomExtension(openssl.NID(libp2pNID), config.extensionValue) + if err != nil { + return nil, nil, err + } + encodedPrivateKey, err := x509.MarshalPKCS8PrivateKey(config.certKey) + if err != nil { + return nil, nil, err + } + pemPrivateKey := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: encodedPrivateKey}) + privKey, err := openssl.LoadPrivateKeyFromPEM(pemPrivateKey) + if err != nil { + return nil, nil, err + } + + // Self sign the certificate. + if err = certificate.Sign(privKey, openssl.EVP_SHA512); err != nil { + return nil, nil, err + } + return certificate, privKey, nil +} diff --git a/transport.go b/transport.go index 214853c..7ae87e0 100644 --- a/transport.go +++ b/transport.go @@ -2,7 +2,6 @@ package libp2ptls import ( "context" - "crypto/tls" "errors" "net" "os" @@ -24,7 +23,7 @@ const ID = "/tls/1.0.0" // Transport constructs secure communication sessions for a peer. type Transport struct { - identity *Identity + identity identity localPeer peer.ID privKey ci.PrivKey @@ -41,11 +40,11 @@ func New(key ci.PrivKey) (*Transport, error) { privKey: key, } - identity, err := NewIdentity(key) + i, err := newIdentity(key) if err != nil { return nil, err } - t.identity = identity + t.identity = i return t, nil } @@ -53,8 +52,11 @@ var _ sec.SecureTransport = &Transport{} // SecureInbound runs the TLS handshake as a server. func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (sec.SecureConn, error) { - config, keyCh := t.identity.ConfigForAny() - cs, err := t.handshake(ctx, tls.Server(insecure, config), keyCh) + conn, keyCh, err := t.identity.CreateServerConn(insecure) + if err != nil { + return nil, err + } + cs, err := t.handshake(ctx, conn, keyCh) if err != nil { insecure.Close() } @@ -69,8 +71,11 @@ func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (sec.S // If the handshake fails, the server will close the connection. The client will // notice this after 1 RTT when calling Read. func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error) { - config, keyCh := t.identity.ConfigForPeer(p) - cs, err := t.handshake(ctx, tls.Client(insecure, config), keyCh) + conn, keyCh, err := t.identity.CreateClientConn(insecure, p) + if err != nil { + return nil, err + } + cs, err := t.handshake(ctx, conn, keyCh) if err != nil { insecure.Close() } @@ -79,7 +84,7 @@ func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p pee func (t *Transport) handshake( ctx context.Context, - tlsConn *tls.Conn, + tlsConn handshakeConn, keyCh <-chan ci.PubKey, ) (sec.SecureConn, error) { // There's no way to pass a context to tls.Conn.Handshake(). @@ -139,7 +144,7 @@ func (t *Transport) handshake( return conn, nil } -func (t *Transport) setupConn(tlsConn *tls.Conn, remotePubKey ci.PubKey) (sec.SecureConn, error) { +func (t *Transport) setupConn(tlsConn net.Conn, remotePubKey ci.PubKey) (sec.SecureConn, error) { remotePeerID, err := peer.IDFromPublicKey(remotePubKey) if err != nil { return nil, err diff --git a/transport_test.go b/transport_test.go index 2b5be8f..c9dd10b 100644 --- a/transport_test.go +++ b/transport_test.go @@ -378,9 +378,13 @@ var _ = Describe("Transport", func() { It(fmt.Sprintf("fails if the client presents an invalid cert: %s", t.name), func() { serverTransport, err := New(serverKey) Expect(err).ToNot(HaveOccurred()) - clientTransport, err := New(clientKey) + i, err := NewIdentity(clientKey) + Expect(err).ToNot(HaveOccurred()) + clientTransport := &Transport{ + identity: i, + } Expect(err).ToNot(HaveOccurred()) - t.apply(clientTransport.identity) + t.apply(i) clientInsecureConn, serverInsecureConn := connect() @@ -406,9 +410,13 @@ var _ = Describe("Transport", func() { }) It(fmt.Sprintf("fails if the server presents an invalid cert: %s", t.name), func() { - serverTransport, err := New(serverKey) + i, err := NewIdentity(serverKey) + Expect(err).ToNot(HaveOccurred()) + serverTransport := &Transport{ + identity: i, + } Expect(err).ToNot(HaveOccurred()) - t.apply(serverTransport.identity) + t.apply(i) clientTransport, err := New(clientKey) Expect(err).ToNot(HaveOccurred())