removed some debug info about PGP signature validation, and added the ability to accept fingerprint instead of ID in the handshake

2024-12-27 00:19:25 -05:00 · 2019-09-21 19:00:52 +02:00 · 2019-09-21 19:00:52 +02:00 · ed864f9470
commit ed864f9470
parent 4fabf3deb1
4 changed files with 25 additions and 14 deletions
--- a/libretroshare/src/pqi/authssl.cc
+++ b/libretroshare/src/pqi/authssl.cc
@ -534,7 +534,7 @@ bool	AuthSSLimpl::validateOwnCertificate(X509 *x509, EVP_PKEY *pkey)
 	uint32_t diagnostic ;

 	/* standard authentication */
-	if (!AuthX509WithGPG(x509,diagnostic))
+	if (!AuthX509WithGPG(x509,true,diagnostic))
 	{
 		std::cerr << "Validate Own certificate ERROR: diagnostic = " << diagnostic << std::endl;
 		return false;
@ -970,7 +970,7 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/)
 }


-bool AuthSSLimpl::AuthX509WithGPG(X509 *x509, uint32_t& diagnostic)
+bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,bool verbose, uint32_t& diagnostic)
 {
 	RsPgpId issuer = RsX509Cert::getCertIssuer(*x509);
 	RsPeerDetails pd;
@ -1127,11 +1127,12 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509, uint32_t& diagnostic)
 			goto err;
 		}

-		RsInfo() << __PRETTY_FUNCTION__ << " Verified: " << sigtypestring
-		         << " signature of certificate sslId: "
-		         << RsX509Cert::getCertSslId(*x509)
-		         << ", Version " << std::hex << certificate_version << std::dec
-		         << " using PGP key " << pd.fpr << " " << pd.name << std::endl;
+        if(verbose)
+			std::cerr<< " Verified: " << sigtypestring
+			         << " signature of certificate sslId: "
+			         << RsX509Cert::getCertSslId(*x509)
+			         << ", Version " << std::hex << certificate_version << std::dec
+			         << " using PGP key " << pd.fpr << " " << pd.name << std::endl;
 	}

 	EVP_MD_CTX_destroy(ctx);
@ -1196,8 +1197,17 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)

 	RsPeerId sslId = RsX509Cert::getCertSslId(*x509Cert);
 	std::string sslCn = RsX509Cert::getCertIssuerString(*x509Cert);
+
 	RsPgpId pgpId(sslCn);

+    if(sslCn.length() == 40)
+	{
+		RsPgpFingerprint pgpFpr(sslCn);	// we also accept fingerprint format, so that in the future we can switch to fingerprints without backward compatibility issues
+
+		if(!pgpFpr.isNull())
+			pgpId = PGPHandler::pgpIdFromFingerprint(pgpFpr);	// in the future, we drop PGP ids and keep the fingerprint all along
+	}
+
    RsPeerDetails det;
    if(!rsPeers->getPeerDetails(sslId,det))
    {
@ -1249,7 +1259,7 @@ int AuthSSLimpl::VerifyX509Callback(int /*preverify_ok*/, X509_STORE_CTX* ctx)
 	}

 	uint32_t auth_diagnostic;
-	if(!isSslOnlyFriend && !AuthX509WithGPG(x509Cert, auth_diagnostic))
+	if(!isSslOnlyFriend && !AuthX509WithGPG(x509Cert,true, auth_diagnostic))
 	{
 		std::string errMsg = "Certificate was rejected because PGP "
 		                     "signature verification failed with diagnostic: "
@ -1334,7 +1344,7 @@ bool AuthSSLimpl::parseX509DetailsFromFile(
 	}

 	uint32_t diagnostic = 0;
-	if(!AuthX509WithGPG(x509, diagnostic))
+	if(!AuthX509WithGPG(x509,false, diagnostic))
 	{
 		RsErr() << __PRETTY_FUNCTION__ << " AuthX509WithGPG failed with "
 		        << "diagnostic: " << diagnostic << std::endl;
@ -1748,7 +1758,7 @@ bool AuthSSLimpl::loadList(std::list<RsItem*>& load)
                            X509 *peer = loadX509FromPEM(kit->value);
 			    /* authenticate it */
 				uint32_t diagnos ;
-			    if (AuthX509WithGPG(peer,diagnos))
+			    if (AuthX509WithGPG(peer,false,diagnos))
 			    {
 				LocalStoreCert(peer);
 			    }
--- a/libretroshare/src/pqi/authssl.h
+++ b/libretroshare/src/pqi/authssl.h
@ -140,10 +140,12 @@ public:
 	 * @param[in] x509 pointer ti the X509 certificate to check
 	 * @param[out] diagnostic one of RS_SSL_HANDSHAKE_DIAGNOSTIC_* diagnostic
 	 *	codes
+	 * @param[in] verbose if true, prints the authentication result to screen.
 	 * @return true if correctly signed, false otherwise
 	 */
 	virtual bool AuthX509WithGPG(
 	        X509* x509,
+            bool verbose,
 	        uint32_t& diagnostic = RS_DEFAULT_STORAGE_PARAM(uint32_t)
 	        ) = 0;

@ -233,7 +235,7 @@ public:
 	virtual X509* SignX509ReqWithGPG(X509_REQ *req, long days) override;

 	/// @see AuthSSL
-	bool AuthX509WithGPG(X509 *x509, uint32_t& auth_diagnostic) override;
+	bool AuthX509WithGPG(X509 *x509, bool verbose, uint32_t& auth_diagnostic) override;

 	/// @see AuthSSL
 	int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx) override;
--- a/libretroshare/src/pqi/pqissl.cc
+++ b/libretroshare/src/pqi/pqissl.cc
@ -1185,8 +1185,7 @@ int pqissl::Authorise_SSL_Connection()
 	bool isSslOnlyFriend = rsPeers->isSslOnlyFriend(certPeerId);

 	uint32_t authErrCode = 0;
-	if( !isSslOnlyFriend &&
-	        !AuthSSL::instance().AuthX509WithGPG(peercert, authErrCode) )
+	if( !isSslOnlyFriend && !AuthSSL::instance().AuthX509WithGPG(peercert,false, authErrCode) )
 	{
 		RsFatal() << __PRETTY_FUNCTION__ << " failure verifying peer "
 		          << "certificate signature. This should never happen at this "
--- a/libretroshare/src/pqi/pqissllistener.cc
+++ b/libretroshare/src/pqi/pqissllistener.cc
@ -790,7 +790,7 @@ int pqissllistener::completeConnection(int fd, IncomingSSLInfo& info)

 	uint32_t authErrCode = 0;
 	if( !isSslOnlyFriend &&
-	        !AuthSSL::instance().AuthX509WithGPG(peercert, authErrCode) )
+	        !AuthSSL::instance().AuthX509WithGPG(peercert,false, authErrCode) )
 	{
 		RsFatal() << __PRETTY_FUNCTION__ << " failure verifying peer "
 		          << "certificate signature. This should never happen at this "