Verify SPKI hash

[mmc.git] / common.go

diff --git a/common.go b/common.go
index f4d6a9d74b6da787780a6c75fafc0e091ce1e758..ce84af61c5cfb6fcafc871c25a499b8ad6a21826 100644 (file)
--- a/common.go
+++ b/common.go
@@ -17,6 +17,10 @@
 package mmc
 
 import (
+       "crypto/sha256"
+       "crypto/x509"
+       "encoding/hex"
+       "errors"
        "os"
        "strings"
        "time"
@@ -109,3 +113,30 @@ func GetEntrypoint() string {
        }
        return s
 }
+
+func GetSPKIHash() string {
+       s := os.Getenv("MMC_SPKI")
+       if s == "" {
+               return "deadbeef"
+       }
+       return s
+}
+
+func NewVerifyPeerCertificate(hashExpected string) func(
+       rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+) error {
+       return func(
+               rawCerts [][]byte, verifiedChains [][]*x509.Certificate,
+       ) error {
+               cer, err := x509.ParseCertificate(rawCerts[0])
+               if err != nil {
+                       return err
+               }
+               spki := cer.RawSubjectPublicKeyInfo
+               hsh := sha256.Sum256(spki)
+               if hashExpected != hex.EncodeToString(hsh[:]) {
+                       return errors.New("server certificate's SPKI hash mismatch")
+               }
+               return nil
+       }
+}