2022-05-03 14:50:40 +00:00
|
|
|
package server
|
|
|
|
|
|
|
|
import (
|
2022-06-10 15:32:15 +00:00
|
|
|
"bytes"
|
2022-05-10 09:34:53 +00:00
|
|
|
"crypto/ecdsa"
|
2022-08-06 13:26:16 +00:00
|
|
|
"crypto/sha256"
|
2022-05-03 14:50:40 +00:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2022-08-06 13:26:16 +00:00
|
|
|
"encoding/asn1"
|
2022-05-03 14:50:40 +00:00
|
|
|
"fmt"
|
2022-06-10 15:32:15 +00:00
|
|
|
"io/ioutil"
|
2022-08-06 13:26:16 +00:00
|
|
|
"math/big"
|
2022-05-03 14:50:40 +00:00
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
)
|
|
|
|
|
2022-06-10 15:32:15 +00:00
|
|
|
type PairingClient struct {
|
2022-05-03 14:50:40 +00:00
|
|
|
*http.Client
|
2022-07-05 05:40:43 +00:00
|
|
|
PayloadManager
|
2022-05-03 14:50:40 +00:00
|
|
|
|
2022-07-05 05:40:43 +00:00
|
|
|
baseAddress *url.URL
|
|
|
|
certPEM []byte
|
|
|
|
privateKey *ecdsa.PrivateKey
|
|
|
|
serverMode Mode
|
2022-08-06 13:26:16 +00:00
|
|
|
serverCert *x509.Certificate
|
2022-05-03 14:50:40 +00:00
|
|
|
}
|
|
|
|
|
2022-07-01 15:37:53 +00:00
|
|
|
func NewPairingClient(c *ConnectionParams, config *PairingPayloadManagerConfig) (*PairingClient, error) {
|
2022-05-03 14:50:40 +00:00
|
|
|
u, certPem, err := c.Generate()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
rootCAs, err := x509.SystemCertPool()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if ok := rootCAs.AppendCertsFromPEM(certPem); !ok {
|
|
|
|
return nil, fmt.Errorf("failed to append certPem to rootCAs")
|
|
|
|
}
|
|
|
|
|
|
|
|
tr := &http.Transport{
|
|
|
|
TLSClientConfig: &tls.Config{
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
InsecureSkipVerify: false, // MUST BE FALSE
|
|
|
|
RootCAs: rootCAs,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2022-07-01 15:37:53 +00:00
|
|
|
pm, err := NewPairingPayloadManager(c.privateKey, config)
|
2022-06-10 15:32:15 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return &PairingClient{
|
2022-07-01 15:37:53 +00:00
|
|
|
Client: &http.Client{Transport: tr},
|
|
|
|
baseAddress: u,
|
|
|
|
certPEM: certPem,
|
|
|
|
privateKey: c.privateKey,
|
|
|
|
serverMode: c.serverMode,
|
|
|
|
PayloadManager: pm,
|
2022-05-03 14:50:40 +00:00
|
|
|
}, nil
|
|
|
|
}
|
2022-06-10 15:32:15 +00:00
|
|
|
|
|
|
|
func (c *PairingClient) PairAccount() error {
|
|
|
|
switch c.serverMode {
|
|
|
|
case Receiving:
|
|
|
|
return c.sendAccountData()
|
|
|
|
case Sending:
|
|
|
|
return c.receiveAccountData()
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unrecognised server mode '%d'", c.serverMode)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *PairingClient) sendAccountData() error {
|
|
|
|
c.baseAddress.Path = pairingReceive
|
2022-07-01 15:37:53 +00:00
|
|
|
_, err := c.Post(c.baseAddress.String(), "application/octet-stream", bytes.NewBuffer(c.PayloadManager.ToSend()))
|
2022-06-10 15:32:15 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *PairingClient) receiveAccountData() error {
|
|
|
|
c.baseAddress.Path = pairingSend
|
|
|
|
resp, err := c.Get(c.baseAddress.String())
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-06-10 23:03:16 +00:00
|
|
|
payload, err := ioutil.ReadAll(resp.Body)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-06-10 15:32:15 +00:00
|
|
|
|
2022-07-01 15:37:53 +00:00
|
|
|
return c.PayloadManager.Receive(payload)
|
2022-06-10 15:32:15 +00:00
|
|
|
}
|
2022-08-06 13:26:16 +00:00
|
|
|
|
|
|
|
func verifyCertSig(cert *x509.Certificate) (bool, error) {
|
|
|
|
var esig struct {
|
|
|
|
R, S *big.Int
|
|
|
|
}
|
|
|
|
if _, err := asn1.Unmarshal(cert.Signature, &esig); err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
hash := sha256.New()
|
|
|
|
hash.Write(cert.RawTBSCertificate)
|
|
|
|
|
|
|
|
verified := ecdsa.Verify(cert.PublicKey.(*ecdsa.PublicKey), hash.Sum(nil), esig.R, esig.S)
|
|
|
|
return verified, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *PairingClient) getServerCert() error {
|
|
|
|
conf := &tls.Config{
|
|
|
|
InsecureSkipVerify: true, // Only skip verify to get the server's TLS cert. DO NOT skip for any other reason.
|
|
|
|
}
|
|
|
|
|
|
|
|
conn, err := tls.Dial("tcp", c.baseAddress.Host, conf)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
|
|
certs := conn.ConnectionState().PeerCertificates
|
|
|
|
if len(certs) != 1 {
|
|
|
|
return fmt.Errorf("expected 1 TLS certificate, received '%d'", len(certs))
|
|
|
|
}
|
|
|
|
|
|
|
|
certKey, ok := certs[0].PublicKey.(*ecdsa.PublicKey)
|
|
|
|
if !ok {
|
|
|
|
return fmt.Errorf("unexpected public key type, expected ecdsa.PublicKey")
|
|
|
|
}
|
|
|
|
|
|
|
|
if certKey.Equal(c.privateKey) {
|
|
|
|
return fmt.Errorf("server certificate MUST match the given public key")
|
|
|
|
}
|
|
|
|
|
|
|
|
verified, err := verifyCertSig(certs[0])
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if !verified {
|
|
|
|
return fmt.Errorf("server certificate signature MUST verify")
|
|
|
|
}
|
|
|
|
|
|
|
|
c.serverCert = certs[0]
|
|
|
|
return nil
|
|
|
|
}
|