// mmc -- Mattermost client
-// Copyright (C) 2023 Sergey Matveev <stargrave@stargrave.org>
+// Copyright (C) 2023-2024 Sergey Matveev <stargrave@stargrave.org>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
package mmc
import (
+ "crypto/sha256"
+ "crypto/x509"
+ "encoding/hex"
+ "errors"
"os"
"strings"
"time"
}
return users, nil
}
+
+func GetEntrypoint() string {
+ s := os.Getenv("MMC_ENTRYPOINT")
+ if s == "" {
+ return "http://mm.invalid"
+ }
+ return s
+}
+
+func GetSPKIHash() string {
+ s := os.Getenv("MMC_SPKI")
+ if s == "" {
+ return "deadbeef"
+ }
+ return s
+}
+
+func NewVerifyPeerCertificate(hashExpected string) func(
+ rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+) error {
+ return func(
+ rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+ ) error {
+ cer, err := x509.ParseCertificate(rawCerts[0])
+ if err != nil {
+ return err
+ }
+ spki := cer.RawSubjectPublicKeyInfo
+ hsh := sha256.Sum256(spki)
+ if hashExpected != hex.EncodeToString(hsh[:]) {
+ return errors.New("server certificate's SPKI hash mismatch")
+ }
+ return nil
+ }
+}
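Review bot: The closure returned by `NewVerifyPeerCertificate` indexes `rawCerts[0]` without checking the slice length, so a handshake that reaches the callback with no certificate would panic instead of returning an error; a guard such as `if len(rawCerts) == 0 { return errors.New("no server certificate presented") }` keeps that failure on the error path. The pin check is a case-sensitive string comparison against lowercase hex output, so an `MMC_SPKI` value written in uppercase is rejected as a mismatch; `!strings.EqualFold(hashExpected, hex.EncodeToString(hsh[:]))` avoids that, and `strings` is already imported. `GetSPKIHash` falls back to `"deadbeef"`, which fails closed because it can never equal a SHA-256 digest, but the user only sees the generic mismatch error; a comment on the fallback, or a distinct error when the variable is unset, would make the misconfiguration obvious. The code that installs this callback in a `tls.Config` is outside the hunk; if it disables chain verification, this pin is presumably the only server authentication, which deserves a doc comment on the function.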