Verify SPKI hash
index 3e631db52b215564d7993a6995dee0649e392022..ce84af61c5cfb6fcafc871c25a499b8ad6a21826 100644 (file)
--- a/common.go
+++ b/common.go
 package mmc
 
 import (
+       "crypto/sha256"
+       "crypto/x509"
+       "encoding/hex"
+       "errors"
        "os"
        "strings"
        "time"
@@ -105,7 +109,34 @@ func GetUsers(c *model.Client4, debugFd *os.File) (map[string]*model.User, error
 func GetEntrypoint() string {
        s := os.Getenv("MMC_ENTRYPOINT")
        if s == "" {
-               return "mm.invalid"
+               return "http://mm.invalid"
        }
        return s
 }
+
+func GetSPKIHash() string {
+       s := os.Getenv("MMC_SPKI")
+       if s == "" {
+               return "deadbeef"
+       }
+       return s
+}
+
+func NewVerifyPeerCertificate(hashExpected string) func(
+       rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+) error {
+       return func(
+               rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+       ) error {
+               cer, err := x509.ParseCertificate(rawCerts[0])
+               if err != nil {
+                       return err
+               }
+               spki := cer.RawSubjectPublicKeyInfo
+               hsh := sha256.Sum256(spki)
+               if hashExpected != hex.EncodeToString(hsh[:]) {
+                       return errors.New("server certificate's SPKI hash mismatch")
+               }
+               return nil
+       }
+}
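Review bot: `rawCerts[0]` in `cer, err := x509.ParseCertificate(rawCerts[0])` indexes the slice without a length check, so an empty certificate list reaching this callback panics the client instead of failing the handshake with an error; add `if len(rawCerts) == 0 { return errors.New("no server certificate presented") }` before the parse. The comparison `hashExpected != hex.EncodeToString(hsh[:])` is case-sensitive while hex.EncodeToString emits lowercase, so an MMC_SPKI value supplied in upper case never matches; normalising with `strings.ToLower(hashExpected)` (strings is already imported above) lets the pin accept both spellings, and a mismatch still fails closed either way. GetSPKIHash and NewVerifyPeerCertificate are exported without doc comments; a line such as `// NewVerifyPeerCertificate returns a tls.Config.VerifyPeerCertificate callback that accepts only a leaf certificate whose SHA-256 SPKI hash equals hashExpected (lowercase hex).` would state the contract. The hard-coded "deadbeef" default in GetSPKIHash cannot equal any real hash, so the pin rejects every server when MMC_SPKI is unset; that intent is worth a comment on the return so a reader does not mistake it for a test fixture.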