Verify SPKI hash
index 04126017888120498d5dabc236bb75cdd8236e56..ce84af61c5cfb6fcafc871c25a499b8ad6a21826 100644 (file)
--- a/common.go
+++ b/common.go
@@ -1,5 +1,5 @@
 // mmc -- Mattermost client
-// Copyright (C) 2023 Sergey Matveev <stargrave@stargrave.org>
+// Copyright (C) 2023-2024 Sergey Matveev <stargrave@stargrave.org>
 //
 // This program is free software: you can redistribute it and/or modify
 // it under the terms of the GNU Affero General Public License as
 package mmc
 
 import (
+       "crypto/sha256"
+       "crypto/x509"
+       "encoding/hex"
+       "errors"
        "os"
        "strings"
        "time"
@@ -101,3 +105,38 @@ func GetUsers(c *model.Client4, debugFd *os.File) (map[string]*model.User, error
        }
        return users, nil
 }
+
+func GetEntrypoint() string {
+       s := os.Getenv("MMC_ENTRYPOINT")
+       if s == "" {
+               return "http://mm.invalid"
+       }
+       return s
+}
+
+func GetSPKIHash() string {
+       s := os.Getenv("MMC_SPKI")
+       if s == "" {
+               return "deadbeef"
+       }
+       return s
+}
+
+func NewVerifyPeerCertificate(hashExpected string) func(
+       rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+) error {
+       return func(
+               rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+       ) error {
+               cer, err := x509.ParseCertificate(rawCerts[0])
+               if err != nil {
+                       return err
+               }
+               spki := cer.RawSubjectPublicKeyInfo
+               hsh := sha256.Sum256(spki)
+               if hashExpected != hex.EncodeToString(hsh[:]) {
+                       return errors.New("server certificate's SPKI hash mismatch")
+               }
+               return nil
+       }
+}
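Review bot: The callback returned by NewVerifyPeerCertificate indexes `rawCerts[0]` without checking that the slice is non-empty, so an empty certificate list would panic inside the handshake instead of failing it with an error; add `if len(rawCerts) == 0 { return errors.New("server presented no certificates") }` before the ParseCertificate call. The hex comparison two lines below is case-sensitive, so an MMC_SPKI value written in upper-case hex never matches; `if !strings.EqualFold(hashExpected, hex.EncodeToString(hsh[:])) {` uses the already-imported strings package and accepts either case. None of the three new exported functions has a doc comment; NewVerifyPeerCertificate could carry `// NewVerifyPeerCertificate returns a tls.Config.VerifyPeerCertificate callback that accepts the presented leaf certificate only if the hex-encoded SHA-256 of its SubjectPublicKeyInfo equals hashExpected; verifiedChains is not consulted.` GetSPKIHash would also benefit from a comment noting that its "deadbeef" fallback is 8 hex digits and so can never equal a 64-digit SHA-256 digest, meaning an unset MMC_SPKI makes every connection fail the pin check rather than silently pass.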