Changes for use in QUIC #7

Closed
wants to merge 2 commits into from
Closed
18 changes: 16 additions & 2 deletions crypto.go
Expand Up @@ -14,6 +14,8 @@ import (
peer "github.com/libp2p/go-libp2p-peer"
)

const PEER_HOSTNAME = "tls.libp2p"

// Identity is used to secure connections
type Identity struct {
*tls.Config
Expand All @@ -30,7 +32,12 @@ func NewIdentity(privKey ic.PrivKey) (*Identity, error) {

// ConfigForPeer creates a new tls.Config that verifies the peers certificate chain.
// It should be used to create a new tls.Config before dialing.
func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
// It also returns a pointer to the remote public key which points to the valid remote public
// key after the remote connects
func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, *ic.PubKey) {

var remotePubKey ic.PubKey = nil

// We need to check the peer ID in the VerifyPeerCertificate callback.
// The tls.Config it is also used for listening, and we might also have concurrent dials.
// Clone it so we can check for the specific peer ID we're dialing here.
Expand All @@ -53,9 +60,15 @@ func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
if !remote.MatchesPublicKey(pubKey) {
return errors.New("peer IDs don't match")
}

remotePubKey = pubKey

return nil
}
return conf

conf.ServerName = PEER_HOSTNAME

return conf, &remotePubKey
}

// KeyFromChain takes a chain of x509.Certificates and returns the peer's public key.
Expand Down Expand Up @@ -102,6 +115,7 @@ func keyToCertificate(sk ic.PrivKey) (interface{}, *x509.Certificate, error) {
return nil, nil, err
}
tmpl := &x509.Certificate{
DNSNames: []string{PEER_HOSTNAME},
SerialNumber: sn,
NotBefore: time.Now().Add(-24 * time.Hour),
NotAfter: time.Now().Add(certValidityPeriod),
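Review bot: The `*ic.PubKey` returned on L66 points at a local that the VerifyPeerCertificate closure assigns on L58 during the handshake, so it reads nil until verification has run, and if a caller reuses the returned conf for more than one connection each handshake overwrites the same variable with no synchronization. The doc comment on L44-L45 should state that contract, e.g. `// The returned *ic.PubKey is nil until this connection's VerifyPeerCertificate has run; do not share the config between connections, since every handshake writes the same variable.` Recent crypto/tls releases document that VerifyPeerCertificate is not invoked on resumed connections, so if resumption is ever enabled on this config the pointer would stay nil and the caller would need to fall back to the connection state; worth confirming against the Go version in use. As a style point, `var remotePubKey ic.PubKey = nil` on L48 already is the zero value (`var remotePubKey ic.PubKey`), and `PEER_HOSTNAME` on L34 would be `peerHostname` under Go's MixedCaps convention. The body of ConfigForPeer between L52 and L54 lies outside the hunks.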
3 changes: 2 additions & 1 deletion transport.go
Expand Up @@ -48,7 +48,8 @@ func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (cs.Co

// SecureOutbound runs the TLS handshake as a client.
func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (cs.Conn, error) {
cl := tls.Client(insecure, t.identity.ConfigForPeer(p))
config, _ := t.identity.ConfigForPeer(p)
cl := tls.Client(insecure, config)
return t.handshake(ctx, insecure, cl)
}

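Review bot: The second return value of ConfigForPeer is discarded with `_` on L86 without a comment saying why this path can do without the remote key; a blank-identifier discard deserves a justification so the next reader does not assume the peer check was dropped. Presumably `t.handshake` recovers the remote key from the connection state, but that code is outside the hunk, so the comment should name where the key actually comes from, e.g. `config, _ := t.identity.ConfigForPeer(p) // remote key is taken from the handshake's connection state, not from this pointer`. If the handshake does rely on this pointer elsewhere, keep the value and read it only after the handshake has completed, since it is nil until VerifyPeerCertificate runs.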