add support for openssl

conn.go

@@ -1,15 +1,20 @@
 package libp2ptls
 
 import (
-	"crypto/tls"
+	"net"
 
 	ci "github.com/libp2p/go-libp2p-core/crypto"
 	"github.com/libp2p/go-libp2p-core/peer"
 	"github.com/libp2p/go-libp2p-core/sec"
 )
 
+type handshakeConn interface {
+	net.Conn
+	Handshake() error
+}
+
 type conn struct {
-	*tls.Conn
+	net.Conn
 
 	localPeer peer.ID
 	privKey   ci.PrivKey

crypto.go

@@ -1,16 +1,15 @@
+// +build !openssl
+
 package libp2ptls
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"errors"
 	"fmt"
-	"math/big"
+	"net"
 	"time"
 
 	"golang.org/x/sys/cpu"
@@ -19,20 +18,10 @@ import (
 	"github.com/libp2p/go-libp2p-core/peer"
 )
 
-const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years
-const certificatePrefix = "libp2p-tls-handshake:"
-const alpn string = "libp2p"
-
-var extensionID = getPrefixedExtensionID([]int{1, 1})
-
-type signedKey struct {
-	PubKey    []byte
-	Signature []byte
-}
-
 // Identity is used to secure connections
 type Identity struct {
-	config tls.Config
+	config     tls.Config
+	privateKey ic.PrivKey
 }
 
 // NewIdentity creates a new identity
@@ -57,6 +46,25 @@ func NewIdentity(privKey ic.PrivKey) (*Identity, error) {
 	}, nil
 }
 
+func newIdentity(sk ic.PrivKey) (identity, error) {
+	return NewIdentity(sk)
+}
+
+// CreateServerConn creates server connection to do the tls handshake.
+func (i *Identity) CreateServerConn(insecure net.Conn) (handshakeConn, <-chan ic.PubKey, error) {
+	config, keyCh := i.ConfigForAny()
+	conn := tls.Server(insecure, config)
+	return conn, keyCh, nil
+}
+
+// CreateClientConn creates client connection to do the tls handshake.
+func (i *Identity) CreateClientConn(insecure net.Conn, remote peer.ID) (handshakeConn,
+	<-chan ic.PubKey, error) {
+	config, keyCh := i.ConfigForPeer(remote)
+	conn := tls.Client(insecure, config)
+	return conn, keyCh, nil
+}
+
 // ConfigForAny is a short-hand for ConfigForPeer("").
 func (i *Identity) ConfigForAny() (*tls.Config, <-chan ic.PubKey) {
 	return i.ConfigForPeer("")
@@ -92,12 +100,9 @@ func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, <-chan ic.PubKey)
 		if err != nil {
 			return err
 		}
-		if remote != "" && !remote.MatchesPublicKey(pubKey) {
-			peerID, err := peer.IDFromPublicKey(pubKey)
-			if err != nil {
-				peerID = peer.ID(fmt.Sprintf("(not determined: %s)", err.Error()))
-			}
-			return fmt.Errorf("peer IDs don't match: expected %s, got %s", remote, peerID)
+		err = validateRemote(pubKey, remote)
+		if err != nil {
+			return err
 		}
 		keyCh <- pubKey
 		return nil
@@ -132,74 +137,37 @@ func PubKeyFromCertChain(chain []*x509.Certificate) (ic.PubKey, error) {
 	if !found {
 		return nil, errors.New("expected certificate to contain the key extension")
 	}
-	var sk signedKey
-	if _, err := asn1.Unmarshal(keyExt.Value, &sk); err != nil {
-		return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err)
-	}
-	pubKey, err := ic.UnmarshalPublicKey(sk.PubKey)
-	if err != nil {
-		return nil, fmt.Errorf("unmarshalling public key failed: %s", err)
-	}
+
 	certKeyPub, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
 	if err != nil {
 		return nil, err
 	}
-	valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature)
-	if err != nil {
-		return nil, fmt.Errorf("signature verification failed: %s", err)
-	}
-	if !valid {
-		return nil, errors.New("signature invalid")
-	}
-	return pubKey, nil
+	return unmarshalExtenstionPublicKey(keyExt.Value, certKeyPub)
 }
 
 func keyToCertificate(sk ic.PrivKey) (*tls.Certificate, error) {
-	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	config, err := newCertificateConfig(sk)
 	if err != nil {
 		return nil, err
 	}
 
-	keyBytes, err := ic.MarshalPublicKey(sk.GetPublic())
-	if err != nil {
-		return nil, err
-	}
-	certKeyPub, err := x509.MarshalPKIXPublicKey(certKey.Public())
-	if err != nil {
-		return nil, err
-	}
-	signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...))
-	if err != nil {
-		return nil, err
-	}
-	value, err := asn1.Marshal(signedKey{
-		PubKey:    keyBytes,
-		Signature: signature,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
-	if err != nil {
-		return nil, err
-	}
 	tmpl := &x509.Certificate{
-		SerialNumber: sn,
+		SerialNumber: config.serialNumber,
 		NotBefore:    time.Time{},
 		NotAfter:     time.Now().Add(certValidityPeriod),
 		// after calling CreateCertificate, these will end up in Certificate.Extensions
 		ExtraExtensions: []pkix.Extension{
-			{Id: extensionID, Value: value},
+			{Id: extensionID, Value: config.extensionValue},
 		},
 	}
-	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, certKey.Public(), certKey)
+	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, config.certKey.Public(),
+		config.certKey)
 	if err != nil {
 		return nil, err
 	}
 	return &tls.Certificate{
 		Certificate: [][]byte{certDER},
-		PrivateKey:  certKey,
+		PrivateKey:  config.certKey,
 	}, nil
 }
 

go.mod

@@ -4,6 +4,7 @@ go 1.14
 
 require (
 	github.com/libp2p/go-libp2p-core v0.3.0
+	github.com/libp2p/go-openssl v0.0.6
 	github.com/onsi/ginkgo v1.12.0
 	github.com/onsi/gomega v1.9.0
 	golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab

go.sum

@@ -1,8 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
-github.com/btcsuite/btcd v0.0.0-20190824003749-130ea5bddde3 h1:A/EVblehb75cUgXA5njHPn0kLAsykn6mJGz7rnmW5W0=
-github.com/btcsuite/btcd v0.0.0-20190824003749-130ea5bddde3/go.mod h1:3J08xEfcugPacsc34/LKRU2yO7YmuT8yt28J8k2+rrI=
 github.com/btcsuite/btcd v0.20.1-beta h1:Ik4hyJqN8Jfyv3S4AGBOmyouMsYE3EdYODkMbQjwPGw=
 github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
 github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f/go.mod h1:TdznJufoqS23FtqVCzL0ZqgP5MqXbb4fg/WgDys70nA=
@@ -55,16 +53,13 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/libp2p/go-flow-metrics v0.0.2/go.mod h1:HeoSNUrOJVK1jEpDqVEiUOIXqhbnS27omG0uWU5slZs=
 github.com/libp2p/go-flow-metrics v0.0.3/go.mod h1:HeoSNUrOJVK1jEpDqVEiUOIXqhbnS27omG0uWU5slZs=
-github.com/libp2p/go-libp2p-core v0.2.5 h1:iP1PIiIrlRrGbE1fYq2918yBc5NlCH3pFuIPSWU9hds=
-github.com/libp2p/go-libp2p-core v0.2.5/go.mod h1:6+5zJmKhsf7yHn1RbmYDu08qDUpIUxGdqHuEZckmZOA=
 github.com/libp2p/go-libp2p-core v0.3.0 h1:F7PqduvrztDtFsAa/bcheQ3azmNo+Nq7m8hQY5GiUW8=
 github.com/libp2p/go-libp2p-core v0.3.0/go.mod h1:ACp3DmS3/N64c2jDzcV429ukDpicbL6+TrrxANBjPGw=
-github.com/libp2p/go-openssl v0.0.3 h1:wjlG7HvQkt4Fq4cfH33Ivpwp0omaElYEi9z26qaIkIk=
-github.com/libp2p/go-openssl v0.0.3/go.mod h1:unDrJpgy3oFr+rqXsarWifmJuNnJR4chtO1HmaZjggc=
 github.com/libp2p/go-openssl v0.0.4 h1:d27YZvLoTyMhIN4njrkr8zMDOM4lfpHIp6A+TK9fovg=
 github.com/libp2p/go-openssl v0.0.4/go.mod h1:unDrJpgy3oFr+rqXsarWifmJuNnJR4chtO1HmaZjggc=
+github.com/libp2p/go-openssl v0.0.6 h1:BFqTHVDt6V60Y7xU9f89FwljvFl/CEqZYO1vlfa2DCE=
+github.com/libp2p/go-openssl v0.0.6/go.mod h1:unDrJpgy3oFr+rqXsarWifmJuNnJR4chtO1HmaZjggc=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -84,8 +79,6 @@ github.com/mr-tron/base58 v1.1.3 h1:v+sk57XuaCKGXpWtVBX8YJzO7hMGx4Aajh4TQbdEFdc=
 github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/multiformats/go-base32 v0.0.3 h1:tw5+NhuwaOjJCC5Pp82QuXbrmLzWg7uxlMFp8Nq/kkI=
 github.com/multiformats/go-base32 v0.0.3/go.mod h1:pLiuGC8y0QR3Ue4Zug5UzK9LjgbkL8NSQj0zQ5Nz/AA=
-github.com/multiformats/go-multiaddr v0.1.1 h1:rVAztJYMhCQ7vEFr8FvxW3mS+HF2eY/oPbOMeS0ZDnE=
-github.com/multiformats/go-multiaddr v0.1.1/go.mod h1:aMKBKNEYmzmDmxfX88/vz+J5IU55txyt0p4aiWVohjo=
 github.com/multiformats/go-multiaddr v0.2.0 h1:lR52sFwcTCuQb6bTfnXF6zA2XfyYvyd+5a9qECv/J90=
 github.com/multiformats/go-multiaddr v0.2.0/go.mod h1:0nO36NvPpyV4QzvTLi/lafl2y95ncPj0vFwVF6k6wJ4=
 github.com/multiformats/go-multibase v0.0.1 h1:PN9/v21eLywrFWdFNsFKaU04kLJzuYzmrJR+ubhT9qA=
@@ -101,18 +94,12 @@ github.com/multiformats/go-varint v0.0.1/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXS
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.3 h1:OoxbjfXVZyod1fmWYhI7SEyaD8B00ynP3T+D5GiyHOY=
-github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
 github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
 github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1 h1:K0jcRCwNQM3vFGh1ppMtDh/+7ApJrjldlX8fA0jDTLQ=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
-github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -129,16 +116,13 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/x-cray/logrus-prefixed-formatter v0.5.2/go.mod h1:2duySbKsL6M18s5GU7VPsoEPHyzalCE06qoARUCeBBE=
-go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=

identity.go

@@ -0,0 +1,126 @@
+package libp2ptls
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+	"math/big"
+	"net"
+	"time"
+
+	ic "github.com/libp2p/go-libp2p-core/crypto"
+	"github.com/libp2p/go-libp2p-core/peer"
+)
+
+const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years
+const certificatePrefix = "libp2p-tls-handshake:"
+const alpn string = "libp2p"
+
+var extensionID = getPrefixedExtensionID([]int{1, 1})
+
+// getExtensionString returns libp2p's object id in string format.
+func getExtensionString(inputs []int) string {
+	out := ""
+	for i, input := range inputs {
+		out += fmt.Sprintf("%d", input)
+		if i != len(inputs)-1 {
+			out += "."
+		}
+	}
+	return out
+}
+
+func validateRemote(pubKey ic.PubKey, remote peer.ID) error {
+	if remote != "" && !remote.MatchesPublicKey(pubKey) {
+		peerID, err := peer.IDFromPublicKey(pubKey)
+		if err != nil {
+			peerID = peer.ID(fmt.Sprintf("(not determined: %s)", err.Error()))
+		}
+		return fmt.Errorf("peer IDs don't match: expected %s, got %s", remote, peerID)
+	}
+	return nil
+}
+
+func unmarshalExtenstionPublicKey(value []byte, certKeyPub []byte) (ic.PubKey, error) {
+	var sk signedKey
+	if _, err := asn1.Unmarshal(value, &sk); err != nil {
+		return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err)
+	}
+	pubKey, err := ic.UnmarshalPublicKey(sk.PubKey)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling public key failed: %s", err)
+	}
+	valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature)
+	if err != nil {
+		return nil, fmt.Errorf("signature verification failed: %s", err)
+	}
+	if !valid {
+		return nil, errors.New("signature invalid")
+	}
+	return pubKey, nil
+}
+
+type signedKey struct {
+	PubKey    []byte
+	Signature []byte
+}
+
+// certificateConfig contains config to create certificate.
+type certificateConfig struct {
+	// Certificate Private and Public key pair.
+	certKey *ecdsa.PrivateKey
+	// Custom Extenstion value. It contains public key and signature.
+	extensionValue []byte
+	// Certificate's serial number.
+	serialNumber *big.Int
+}
+
+// newCertificateConfig returns certificateConfig.
+func newCertificateConfig(sk ic.PrivKey) (*certificateConfig, error) {
+	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	keyBytes, err := ic.MarshalPublicKey(sk.GetPublic())
+	if err != nil {
+		return nil, err
+	}
+	certKeyPub, err := x509.MarshalPKIXPublicKey(certKey.Public())
+	if err != nil {
+		return nil, err
+	}
+	signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...))
+	if err != nil {
+		return nil, err
+	}
+	value, err := asn1.Marshal(signedKey{
+		PubKey:    keyBytes,
+		Signature: signature,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+	if err != nil {
+		return nil, err
+	}
+	return &certificateConfig{
+		serialNumber:   sn,
+		extensionValue: value,
+		certKey:        certKey,
+	}, nil
+}
+
+// identity is used to secure connection.
+type identity interface {
+	// CreateServerConn creates server connection to do the tls handshake.
+	CreateServerConn(insecure net.Conn) (handshakeConn, <-chan ic.PubKey, error)
+	// CreateClientConn creates client connection to do the tls handshake.
+	CreateClientConn(insecure net.Conn, remote peer.ID) (handshakeConn, <-chan ic.PubKey, error)
+}