From f9c5bcc4f5cf1bc5eef3b3578f70f181799979ff Mon Sep 17 00:00:00 2001
From: Joseph Hirschfeld
Date: Wed, 12 Dec 2018 14:19:50 -0500
Subject: [PATCH] Use standard hostname for certs

---
 crypto.go | 18 ++++++++++++++++--
 transport.go | 3 ++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/crypto.go b/crypto.go
index 1a6812a..8e70127 100644
--- a/crypto.go
+++ b/crypto.go
@@ -14,6 +14,8 @@ import (
 peer "github.com/libp2p/go-libp2p-peer"
 )
 
+const PEER_HOSTNAME = "tls.libp2p"
+
 // Identity is used to secure connections
 type Identity struct {
 *tls.Config
@@ -30,7 +32,12 @@ func NewIdentity(privKey ic.PrivKey) (*Identity, error) {
 
 // ConfigForPeer creates a new tls.Config that verifies the peers certificate chain.
 // It should be used to create a new tls.Config before dialing.
-func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
+// It also returns a pointer to the remote public key which points to the valid remote public
+// key after the remote connects
+func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, *ic.PubKey) {
+
+ var remotePubKey *ic.PubKey = nil
+
 // We need to check the peer ID in the VerifyPeerCertificate callback.
 // The tls.Config it is also used for listening, and we might also have concurrent dials.
 // Clone it so we can check for the specific peer ID we're dialing here.
@@ -53,9 +60,15 @@ func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
 if !remote.MatchesPublicKey(pubKey) {
 return errors.New("peer IDs don't match")
 }
+
+ remotePubKey = &pubKey
+
 return nil
 }
- return conf
+
+ conf.ServerName = PEER_HOSTNAME
+
+ return conf, remotePubKey
 }
 
 // KeyFromChain takes a chain of x509.Certificates and returns the peer's public key.
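Review bot: `PEER_HOSTNAME` on the added line in the `@@ -14,6` hunk is an exported identifier in ALL_CAPS with no doc comment, which goes against Go naming convention. A MixedCaps name, `PeerHostname` (or `peerHostname` if nothing outside the package reads it), with a comment such as `// PeerHostname is the fixed name placed in every certificate's DNSNames and used as ServerName when dialing.` would match the rest of the file. The same constant is referenced later in ConfigForPeer and in keyToCertificate, so a rename has to touch those hunks too.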
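Review bot: The `*ic.PubKey` returned by the new ConfigForPeer signature in the `@@ -30,7` hunk is always nil: `remotePubKey` is a plain local, `return conf, remotePubKey` in the `@@ -53,9` hunk runs before any handshake, and the later `remotePubKey = &pubKey` inside the VerifyPeerCertificate callback only rebinds that local, which the caller can no longer observe. To give the caller a pointer that is filled in by the handshake, allocate it up front and write through it: `remotePubKey := new(ic.PubKey)` in place of the `var ... = nil` line, `*remotePubKey = pubKey` in the callback, and `return conf, remotePubKey` unchanged. The new doc comment should then state that the pointee stays nil until a successful handshake and must only be read once the handshake has returned. Independently of that, `var remotePubKey *ic.PubKey = nil` can drop the explicit `= nil`, since a pointer's zero value is already nil.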
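Review bot: `conf.ServerName = PEER_HOSTNAME` in the `@@ -53,9` hunk is not explained, and whether crypto/tls will actually match that name against the certificate depends on settings of the cloned config that are outside this hunk (in particular InsecureSkipVerify, which I cannot see here). If verification is skipped, the field only selects the SNI value sent to the peer, the DNSNames entry added in keyToCertificate is never checked, and the `remote.MatchesPublicKey(pubKey)` comparison above remains the sole authentication of the remote side. A comment on the assignment such as `// ServerName only selects the SNI sent to the peer; the peer is authenticated by the peer-ID check in VerifyPeerCertificate, not by this name.` would make that contract explicit, adjusted to whatever the config actually does.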
@@ -102,6 +115,7 @@ func keyToCertificate(sk ic.PrivKey) (interface{}, *x509.Certificate, error) {
 return nil, nil, err
 }
 tmpl := &x509.Certificate{
+ DNSNames: []string{PEER_HOSTNAME},
 SerialNumber: sn,
 NotBefore: time.Now().Add(-24 * time.Hour),
 NotAfter: time.Now().Add(certValidityPeriod),
diff --git a/transport.go b/transport.go
index 5a75296..6ab67d3 100644
--- a/transport.go
+++ b/transport.go
@@ -48,7 +48,8 @@ func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (cs.Co
 
 // SecureOutbound runs the TLS handshake as a client.
 func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (cs.Conn, error) {
- cl := tls.Client(insecure, t.identity.ConfigForPeer(p))
+ config, _ := t.identity.ConfigForPeer(p)
+ cl := tls.Client(insecure, config)
 return t.handshake(ctx, insecure, cl)
 }
 
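Review bot: `config, _ := t.identity.ConfigForPeer(p)` in the transport.go hunk discards the second return value that this commit introduces, with no comment saying why, so the remote key that ConfigForPeer now tries to hand back is never consumed on the outbound path. If the key is not needed in SecureOutbound, a one-line comment on the assignment stating where the remote key is obtained instead would stop a later reader from treating the blank identifier as an oversight; if it is needed, it should be kept in a local and passed on to handshake rather than dropped. Note that with the current ConfigForPeer body the discarded pointer would be nil anyway, so nothing here exercises the new return value.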