Msg forums are now signed by ssl certs

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@2178 b45a01b8-16f6-495d-af2f-9b41ad6348cc

libretroshare/src/pqi/authssl.cc

@@ -193,7 +193,7 @@ X509_REQ *GenerateX509Req(
 
 	if (!X509_REQ_set_pubkey(req,pkey)) 
 	{
-		fprintf(stderr,"GenerateX509Req() Couldn't Set PUBKEY Version!\n");
+                fprintf(stderr,"GenerateX509Req() Couldn't Set PUBKEY !\n");
 		return 0;
 	}
 
@@ -889,21 +889,24 @@ std::string AuthSSL::getOwnLocation()
 bool AuthSSL::LoadDetailsFromStringCert(std::string pem, RsPeerDetails &pd)
 {
 #ifdef AUTHSSL_DEBUG
-        std::cerr << "AuthSSL::LoadIdsFromStringCert() ";
-	std::cerr << std::endl;
-        std::cerr << "AuthSSL::LoadIdsFromStringCert() Cleaning up Certificate First!";
-	std::cerr << std::endl;
+        std::cerr << "AuthSSL::LoadIdsFromStringCert() " << std::endl;
 #endif
 
-	std::string cleancert = cleanUpCertificate(pem);
-
-	X509 *x509 = loadX509FromPEM(cleancert);
-	if (!x509)
+        X509 *x509 = loadX509FromPEM(pem);
+        if (!x509) {
+                #ifdef AUTHSSL_DEBUG
+                std::cerr << "AuthSSL::LoadIdsFromStringCert() certificate not loadable (maybe malformed)" << std::endl;
+                #endif
                 return false;
+        }
 
         if (!ValidateCertificate(x509, pd.id)) {
             return false;
         } else {
+            #ifdef AUTHSSL_DEBUG
+            std::cerr << "AuthSSL::LoadIdsFromStringCert() certificate validated." << std::endl;
+            #endif
+
             pd.gpg_id = getX509CNString(x509->cert_info->issuer);
             pd.location = getX509LocString(x509->cert_info->subject);
             return true;
@@ -1148,18 +1151,44 @@ bool AuthSSL::SignDataBin(const void *data, const uint32_t len,
 }
 
 #define AUTHSSL_DEBUG2
+bool AuthSSL::VerifyOtherSignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen, std::string sslCert) {
+        X509 *x509 = loadX509FromPEM(sslCert);
+        std::string sslId;
+        if (!ValidateCertificate(x509, sslId)) {
+            std::cerr << "AuthSSL::VerifyOtherSignBin() failed to validate certificate." << std::endl;
+            return false;
+        } else {
+            sslcert *cert = new sslcert(x509, sslId);
+            return VerifySignBin(data, len, sign, signlen, cert);
+        }
+        return false;
+}
+
+bool AuthSSL::VerifyOwnSignBin(const void *data, const uint32_t len,
+                        unsigned char *sign, unsigned int signlen) {
+    return VerifySignBin(data, len, sign, signlen, mOwnCert);
+}
 
 bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
-                       	unsigned char *sign, unsigned int signlen)
+                        unsigned char *sign, unsigned int signlen, sslcert* peer)
 {
+
 	RsStackMutex stack(sslMtx);   /***** STACK LOCK MUTEX *****/
 
 	/* find the peer */
 #ifdef AUTHSSL_DEBUG2
-	std::cerr << "In AuthSSL::VerifySignBin" << std::endl ;
+        std::cerr << "In AuthSSL::VerifySignBin" << std::endl;
 #endif
 	
-        sslcert *peer = mOwnCert;
+        //std::cerr << "Cert info : " << getX509Info(X509 *cert) << std::endl;
+
+        /* cert->cert_info->key->pkey is NULL until we call SSL_CTX_use_certificate(),
+         * so we do it here then...  */
+        SSL_CTX *newSslctx = SSL_CTX_new(TLSv1_method());
+        SSL_CTX_set_cipher_list(newSslctx, "DEFAULT");
+        SSL_CTX_use_certificate(newSslctx, peer->certificate);
+
 
         EVP_PKEY *peerkey = peer->certificate->cert_info->key->pkey;
 
@@ -1178,6 +1207,7 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
 		std::cerr << "EVP_VerifyInit Failure!" << std::endl;
 
 		EVP_MD_CTX_destroy(mdctx);
+                X509_free(peer->certificate);
                 return false;
 	}
 
@@ -1186,6 +1216,7 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
 		std::cerr << "EVP_VerifyUpdate Failure!" << std::endl;
 
 		EVP_MD_CTX_destroy(mdctx);
+                X509_free(peer->certificate);
 		return false;
 	}
 
@@ -1195,6 +1226,7 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
 		std::cerr << "AuthSSL::VerifySignBin: signlen=" << signlen << ", sign=" << (void*)sign << "!!" << std::endl ;
 #endif
 		EVP_MD_CTX_destroy(mdctx);
+                X509_free(peer->certificate);
 		return false ;
 	}
 
@@ -1203,10 +1235,12 @@ bool AuthSSL::VerifySignBin(const void *data, const uint32_t len,
 		std::cerr << "EVP_VerifyFinal Failure!" << std::endl;
 
 		EVP_MD_CTX_destroy(mdctx);
+                X509_free(peer->certificate);
 		return false;
 	}
 
 	EVP_MD_CTX_destroy(mdctx);
+        X509_free(peer->certificate);
 	return true;
 }
 
@@ -1947,7 +1981,6 @@ bool AuthSSL::AuthX509(X509 *x509)
         int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF;
         ASN1_BIT_STRING *signature = x509->signature;
         X509_CINF *data = x509->cert_info;
-        EVP_PKEY *pkey = NULL;
         const EVP_MD *type = EVP_sha1();
 
         EVP_MD_CTX ctx;

libretroshare/src/pqi/authssl.h

@@ -139,7 +139,9 @@ virtual bool 	SignData(std::string input, std::string &sign);
 virtual bool 	SignData(const void *data, const uint32_t len, std::string &sign);
 virtual bool 	SignDataBin(std::string, unsigned char*, unsigned int*);
 virtual bool    SignDataBin(const void*, uint32_t, unsigned char*, unsigned int*);
-virtual bool    VerifySignBin(const void*, uint32_t, unsigned char*, unsigned int);
+virtual bool    VerifySignBin(const void*, uint32_t, unsigned char*, unsigned int, sslcert* cert);
+virtual bool    VerifyOwnSignBin(const void*, uint32_t, unsigned char*, unsigned int);
+virtual bool    VerifyOtherSignBin(const void*, uint32_t, unsigned char*, unsigned int, std::string sslCert);
 
 // return : false if encrypt failed
 bool     encrypt(void *&out, int &outlen, const void *in, int inlen, std::string peerId);

libretroshare/src/serialiser/rstlvbase.h

@@ -133,6 +133,7 @@ const uint16_t TLV_TYPE_STR_GENID     = 0x005a;
 const uint16_t TLV_TYPE_STR_GPGID     = 0x005b;
 const uint16_t TLV_TYPE_STR_LOCATION  = 0x005c;
 const uint16_t TLV_TYPE_STR_CERT_GPG  = 0x005d;
+const uint16_t TLV_TYPE_STR_CERT_SSL  = 0x005e;
 
 /* Wide Chars (4 bytes per char) for internationalisation */
 const uint16_t TLV_TYPE_WSTR_PEERID   = 0x0060;

libretroshare/src/serialiser/rstlvkeys.cc

@@ -371,6 +371,7 @@ uint32_t RsTlvKeySignature::TlvSize()
 
 	s += GetTlvStringSize(keyId); 
 	s += signData.TlvSize();
+        s += GetTlvStringSize(sslCert);
 
 	return s;
 
@@ -394,6 +395,7 @@ bool  RsTlvKeySignature::SetTlv(void *data, uint32_t size, uint32_t *offset) /*
 
 	ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId);  
 	ok &= signData.SetTlv(data, tlvend, offset);  
+        ok &= SetTlvString(data, tlvend, offset, TLV_TYPE_STR_CERT_SSL, sslCert);
 
 	return ok;
 
@@ -425,6 +427,7 @@ bool  RsTlvKeySignature::GetTlv(void *data, uint32_t size, uint32_t *offset) /*
 
 	ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_KEYID, keyId);
 	ok &= signData.GetTlv(data, tlvend, offset);  
+        ok &= GetTlvString(data, tlvend, offset, TLV_TYPE_STR_CERT_SSL, sslCert);
    
 	/***************************************************************************
 	 * NB: extra components could be added (for future expansion of the type).

libretroshare/src/serialiser/rstlvkeys.h

@@ -95,6 +95,7 @@ virtual std::ostream &print(std::ostream &out, uint16_t indent);
 
 	std::string keyId;		// Mandatory :
         RsTlvBinaryData signData; 	// Mandatory :
+        std::string sslCert;               // Mandatory :
 };
 
 

libretroshare/src/services/p3distrib.cc

@@ -1729,10 +1729,11 @@ std::string	p3GroupDistrib::publishMsg(RsDistribMsg *msg, bool personalSign)
 	{
 		unsigned int siglen = EVP_PKEY_size(publishKey);
         	unsigned char sigbuf[siglen];
-                if (AuthGPG::getAuthGPG()->SignDataBin(data, size, sigbuf, &siglen))
+                if (AuthSSL::getAuthSSL()->SignDataBin(data, size, sigbuf, &siglen))
 		{
 			signedMsg->personalSignature.signData.setBinData(sigbuf, siglen);
-                        signedMsg->personalSignature.keyId = AuthGPG::getAuthGPG()->getGPGOwnId();
+                        signedMsg->personalSignature.keyId = AuthSSL::getAuthSSL()->OwnId();
+                        signedMsg->personalSignature.sslCert = AuthSSL::getAuthSSL()->SaveOwnCertificateToString();
 		}
 	}
 
@@ -2446,49 +2447,44 @@ bool 	p3GroupDistrib::locked_validateDistribSignedMsg(
 
 
 	/* now verify Personal signature */
-#ifdef DISTRIB_DEBUG
-	std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Personal Signature";
-	std::cerr << std::endl;
-#endif
-
-        if (AuthGPG::getAuthGPG()->isGPGValid(newMsg->personalSignature.keyId))
+        if (signOk == 1 && ((info.grpFlags & RS_DISTRIB_AUTHEN_MASK) & RS_DISTRIB_AUTHEN_REQ))
 	{
-#ifdef DISTRIB_DEBUG
-		std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Peer Known";
-		std::cerr << std::endl;
-#endif
+            #ifdef DISTRIB_DEBUG
+            std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Personal Signature. sslCert : " << newMsg->personalSignature.sslCert << std::endl;
+            #endif
+
+            //check the sslCert
+            RsPeerDetails pd;
+            if (!AuthSSL::getAuthSSL()->LoadDetailsFromStringCert(newMsg->personalSignature.sslCert, pd)) {
+                #ifdef DISTRIB_DEBUG
+                    std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - ssl cert not valid" << std::endl;
+                #endif
+                signOk = 0;
+            } else if (pd.id != newMsg->personalSignature.keyId) {
+                #ifdef DISTRIB_DEBUG
+                    std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - ssl cert id does not match the personal signature key id" << std::endl;
+                #endif
+                signOk = 0;
+            } else {
                 unsigned int personalsiglen =
                                 newMsg->personalSignature.signData.bin_len;
                 unsigned char *personalsigbuf = (unsigned char *)
                                 newMsg->personalSignature.signData.bin_data;
-
-#ifdef TEMPORARILY SUSPENDED
-			// csoler:
-			//  I'm suspending this because it prevents messages to be displayed. I guess there is a signature
-			//  problem, such as the msg is signed by the SSL key and authed by the PGP one, or something like this.
-			//
-		if (!mAuthMgr->VerifySignBin(
-			newMsg->personalSignature.keyId,
+                bool sslSign = AuthSSL::getAuthSSL()->VerifyOtherSignBin(
                         newMsg->packet.bin_data, newMsg->packet.bin_len,
-			personalsigbuf, personalsiglen))
-		{
-#ifdef DISTRIB_DEBUG
-			std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() VerifySign Failed";
-			std::cerr << std::endl;
-#endif
+                        personalsigbuf, personalsiglen, newMsg->personalSignature.sslCert);
+                if (sslSign) {
+                    #ifdef DISTRIB_DEBUG
+                    std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Success for ssl signature." << std::endl;
+                    #endif
+                    signOk = 1;
+                } else {
+                    #ifdef DISTRIB_DEBUG
+                    std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail for ssl signature." << std::endl;
+                    #endif
                     signOk = 0;
                 }
-#endif
             }
-	else if ((info.grpFlags & RS_DISTRIB_AUTHEN_MASK)
-					& RS_DISTRIB_AUTHEN_REQ)
-	{
-#ifdef DISTRIB_DEBUG
-			std::cerr << "p3GroupDistrib::locked_validateDistribSignedMsg() Fail - No Personal Sign on AUTH grp";
-			std::cerr << std::endl;
-#endif
-		/* must know the signer */
-		signOk = 0;
 	}
 
 	if (signOk == 1)