-rw-r--r-- | src/http_auth.erl | 20 | ||||
-rw-r--r-- | src/plop_httputil.erl | 12 | ||||
-rw-r--r-- | src/sign.erl | 23 |
3 files changed, 23 insertions, 32 deletions
diff --git a/src/http_auth.erl b/src/http_auth.erl index a187e05..16d7dfa 100644 --- a/src/http_auth.erl +++ b/src/http_auth.erl @@ -17,24 +17,10 @@ init_key_table() -> read_key_table(). read_key_table() -> - PublickeyDir = application:get_env(plop, publickey_path, none), - ServersACL = application:get_env(plop, allowed_servers, []), - ClientsACL = application:get_env(plop, allowed_clients, []), - Keys = sets:from_list( - lists:flatmap(fun ({_, Keys}) -> - case Keys of - noauth -> - []; - _ when is_list(Keys) -> - Keys - end - end, ServersACL ++ ClientsACL)), lists:foreach( - fun (KeyName) -> - Key = sign:read_keyfile_ec(PublickeyDir ++ "/" ++ - KeyName ++ ".pem"), - true = ets:insert(?KEY_TABLE, {KeyName, Key}) - end, sets:to_list(Keys)), + fun ({KeyName, Der}) -> + true = ets:insert(?KEY_TABLE, {KeyName, sign:pem_entry_decode({'SubjectPublicKeyInfo', Der, []})}) + end, application:get_env(plop, apikeys, [])), case application:get_env(plop, own_key, none) of {_OwnKeyName, OwnKeyFile} -> OwnKey = sign:read_keyfile_ec(OwnKeyFile), diff --git a/src/plop_httputil.erl b/src/plop_httputil.erl index 37e25c1..af4a5d1 100644 --- a/src/plop_httputil.erl +++ b/src/plop_httputil.erl 
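Review bot: Nothing in the new `read_key_table/0` limits `?KEY_TABLE` to keys that an ACL names: every `apikeys` entry is inserted, whereas the removed code loaded only the names found in `allowed_servers` and `allowed_clients`. If any check outside this hunk treats presence in the key table as sufficient, a key that no ACL references would be accepted, so it is worth confirming that the ACLs are still consulted when a request is authenticated. I would also add a comment above the `lists:foreach`, e.g. `%% apikeys :: [{KeyName, Der}], Der = DER-encoded SubjectPublicKeyInfo`, because a malformed entry fails with a function_clause or decode error that does not name the offending key. The body of `read_key_table/0` continues past the hunk.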
@@ -59,15 +59,25 @@ verify_fun(Cert, valid_peer, UserState) -> {valid, UserState} end. +read_and_verify_cacertfile(Filename) -> + {ok, PemBin} = file:read_file(Filename), + [KeyPem] = public_key:pem_decode(PemBin), + {'Certificate', Der, _} = KeyPem, + CalculatedHash = crypto:hash(sha256, Der), + CorrectHash = application:get_env(catlfish, https_cacert_fingerprint, none), + CorrectHash = CalculatedHash, + Der. + request(DebugTag, URL, Headers, RequestBody) -> Starttime = os:timestamp(), ParsedURL = hackney_url:parse_url(URL), CACertFile = application:get_env(catlfish, https_cacertfile, none), + CACert = read_and_verify_cacertfile(CACertFile), #hackney_url{path = Path, host = Host} = ParsedURL, lager:debug("~s: sending http request to ~p", [DebugTag, URL]), case hackney:connect(ParsedURL, - [{ssl_options, [{cacertfile, CACertFile}, + [{ssl_options, [{cacerts, [CACert]}, {verify, verify_peer}, {verify_fun, {fun verify_fun/3, [{check_hostname, Host}]}} diff --git a/src/sign.erl b/src/sign.erl index b656f8e..99b83e6 100644 --- a/src/sign.erl +++ b/src/sign.erl @@ -9,7 +9,7 @@ %% API. -export([start_link/0, stop/0]). -export([sign_sct/1, sign_sth/1, get_pubkey/0, get_logid/0, verify_sth/2]). --export([read_keyfile_ec/1]). +-export([read_keyfile_ec/1, pem_entry_decode/1]). %% API for tests. -export([read_keyfile_rsa/2]). %% gen_server callbacks. @@ -37,6 +37,9 @@ start_link() -> stop() -> call(?MODULE, stop). +get_log_public_key() -> + Der = application:get_env(plop, log_public_key, none), + pem_entry_decode({'SubjectPublicKeyInfo', Der, []}). init([]) -> %% Read RSA keypair. @@ -44,9 +47,8 @@ init([]) -> %% LogID = crypto:hash(sha256, %% public_key:der_encode('RSAPublicKey', Public_key)), %% Read EC keypair. - PubKeyfile = application:get_env(plop, log_public_key, none), - Public_key = read_keyfile_ec(PubKeyfile), - LogID = read_keyfile_ec_logid(PubKeyfile), + Public_key = get_log_public_key(), + LogID = get_logid(), case application:get_env(plop, hsm) of {ok, Args} -> 
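Review bot: The pin check in `read_and_verify_cacertfile/1` fails closed, but only through bare matches, so an unset `https_cacert_fingerprint` (default `none`), an unset `https_cacertfile`, a file with more than one PEM entry and a genuine fingerprint mismatch all surface as an undifferentiated `badmatch` inside `request/4`. A tagged error for the mismatch would let an operator tell a misconfiguration from a replaced certificate, and a comment should state that the configured value is compared as the raw SHA-256 digest of the DER, which is what the code implies. The file is also read and hashed on every `request/4` call, which could be hoisted if request volume matters. `request/4` continues past the hunk.

```erlang
read_and_verify_cacertfile(Filename) ->
    %% … unchanged: read file, decode the single 'Certificate' entry, hash Der …
    %% https_cacert_fingerprint is compared as the raw SHA-256 digest of the DER.
    case application:get_env(catlfish, https_cacert_fingerprint, none) of
        CalculatedHash ->
            Der;
        _Other ->
            error({cacert_fingerprint_mismatch, Filename})
    end.
```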
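Review bot: `get_log_public_key/0` and `get_logid/0` (last hunk) both read `log_public_key` with a default of `none` and use the value unchecked, although the setting now has to hold DER bytes rather than a file path. `crypto:hash/2` accepts iodata, so in `get_logid/0` a path string left over from an older configuration would hash without error and give a wrong log ID; `init/1` calls `get_log_public_key()` first and the DER decode would probably reject such a value, but `get_logid/0` is exported and does not depend on that. Fetching the value in one shared helper with `{ok, Der} = application:get_env(plop, log_public_key)` followed by `true = is_binary(Der)` would make both callers fail the same way. A comment on that helper saying the value is the DER-encoded SubjectPublicKeyInfo would document the changed setting, and the blank line before `init/1` is missing.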
@@ -84,12 +86,6 @@ read_keyfile_ec(KeyFile) -> [KeyPem] = filter_pem_types(public_key:pem_decode(PemBin), ['ECPrivateKey', 'SubjectPublicKeyInfo']), decode_key(KeyPem). -read_keyfile_ec_logid(KeyFile) -> - lager:debug("reading file ~p", [KeyFile]), - {ok, PemBin} = file:read_file(KeyFile), - [{'SubjectPublicKeyInfo', Der, _}] = filter_pem_types(public_key:pem_decode(PemBin), ['SubjectPublicKeyInfo']), - crypto:hash(sha256, Der). - pem_entry_decode({'SubjectPublicKeyInfo', Der, _}) -> SPKI = public_key:der_decode('SubjectPublicKeyInfo', Der), {Octets, Algorithm} = plop_compat:unpack_spki(SPKI), @@ -182,13 +178,12 @@ get_pubkey() -> call(?MODULE, {get, pubkey}). get_logid() -> - PubKeyfile = application:get_env(plop, log_public_key, none), - read_keyfile_ec_logid(PubKeyfile). + Der = application:get_env(plop, log_public_key, none), + crypto:hash(sha256, Der). verify_sth(STH, Signature) -> lager:debug("verifying ~p: ~p", [STH, Signature]), - PubKeyfile = application:get_env(plop, log_public_key, none), - PublicKey = read_keyfile_ec(PubKeyfile), + PublicKey = get_log_public_key(), public_key:verify(STH, sha256, Signature, PublicKey). encode_ec_signature(RawSignature, SignatureLength) -> |