tools: add certification check
If the server disables the anonymous connection option, it accepts a client only if the client's certificate was issued by the same CA as the server's identity.
Otherwise (anonymous connection option enabled), the server accepts any request.
Change-Id: I6ff6ec72d6f6452ce50fd8aa35896ff7117be6c0
diff --git a/tools/dnc/dnc.cpp b/tools/dnc/dnc.cpp
index 37c8b22..88bf61d 100644
--- a/tools/dnc/dnc.cpp
+++ b/tools/dnc/dnc.cpp
@@ -59,12 +59,14 @@
const std::string& turn_host,
const std::string& turn_user,
const std::string& turn_pass,
- const std::string& turn_realm)
+ const std::string& turn_realm,
+ const bool anonymous)
: logger(dht::log::getStdLogger())
, ioContext(std::make_shared<asio::io_context>()),
- iceFactory(std::make_shared<IceTransportFactory>(logger))
+ iceFactory(std::make_shared<IceTransportFactory>(logger)),
+ certStore(std::make_shared<tls::CertificateStore>(path / "certstore", logger)),
+ trustStore(std::make_shared<tls::TrustStore>(*certStore))
{
- auto certStore = std::make_shared<tls::CertificateStore>(path / "certstore", logger);
ioContextRunner = std::thread([context = ioContext, logger = logger] {
try {
auto work = asio::make_work_guard(*context);
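Review bot: The new initializer `trustStore(std::make_shared<tls::TrustStore>(*certStore))` dereferences `certStore` during member initialization, so it is only safe if `certStore` is declared before `trustStore` in dnc.h; the header hunk in this commit adds `trustStore` after `ioContextRunner`, but the `certStore` declaration is not visible here, so please confirm the declaration order (or build with `-Wreorder`), since a wrong order means `*certStore` dereferences an empty shared_ptr before the constructor body runs. The removed local `certStore` on the old side shadowed the member of the same name, which presumably left the member empty before this change; worth a sentence in the commit message. Minor: top-level `const` on the by-value `anonymous` parameter has no effect and none of the neighbouring parameters use it, so `bool anonymous` is enough. The constructor body continues past the hunk.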
@@ -75,6 +77,9 @@
}
});
+ auto ca = identity.second->issuer;
+ trustStore->setCertificateStatus(ca->getId().toString(), tls::TrustStore::PermissionStatus::ALLOWED);
+
auto config = connectionManagerConfig(path,
identity,
bootstrap,
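Review bot: `identity.second->issuer` can be empty when the loaded certificate is self-signed or was loaded without its chain, and `ca->getId()` on the next line then dereferences a null pointer before any request is served; guard it, e.g. `if (!ca) throw std::runtime_error("identity has no issuer CA: cannot enforce the CA check");`, or log and continue only when `anonymous` is set. Marking the issuer ALLOWED is what makes the later `isAllowed` check mean "same CA as the server", so a missing issuer silently breaks the non-anonymous mode instead of failing loudly at startup. Whether `loadIdentity` populates `issuer` is not visible in this diff. The constructor body continues outside the hunk.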
@@ -90,10 +95,9 @@
connectionManager = std::make_unique<ConnectionManager>(std::move(config));
connectionManager->onDhtConnected(identity.first->getPublicKey());
- connectionManager->onICERequest([this](const dht::Hash<32>&) { // handle ICE request
- if (logger)
- logger->debug("ICE request received");
- return true;
+ connectionManager->onICERequest([this, identity, anonymous](const DeviceId& deviceId) {
+ auto cert = certStore->getCertificate(deviceId.toString());
+ return trustStore->isAllowed(*cert, anonymous);
});
std::mutex mtx;
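Review bot: `certStore->getCertificate(deviceId.toString())` is dereferenced unconditionally on the next line; if the peer's certificate is not yet in the store (nothing in this diff shows when the store is populated), `*cert` is a null dereference reachable by any remote peer that sends an ICE request, i.e. a remote crash instead of a rejection. The lambda should treat a missing certificate as an unknown peer: reject unless anonymous mode is on, and log the decision so an operator can see why a client was refused. The unused `identity` capture can be dropped at the same time. I cannot tell from here whether `getCertificate` returns a null `shared_ptr` or throws for an unknown id, so please confirm which and handle that case.
```cpp
connectionManager->onICERequest([this, anonymous](const DeviceId& deviceId) {
    auto cert = certStore->getCertificate(deviceId.toString());
    if (!cert) {
        // Unknown peer: only the anonymous mode lets it through.
        if (logger)
            logger->debug(anonymous ? "ICE request from unknown device accepted (anonymous mode)"
                                    : "ICE request from unknown device rejected");
        return anonymous;
    }
    return trustStore->isAllowed(*cert, anonymous);
});
```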
@@ -177,7 +181,7 @@
const std::string& turn_user,
const std::string& turn_pass,
const std::string& turn_realm)
- : Dnc(path, identity, bootstrap,turn_host,turn_user,turn_pass, turn_realm)
+ : Dnc(path, identity, bootstrap,turn_host,turn_user,turn_pass, turn_realm, true)
{
std::condition_variable cv;
auto name = fmt::format("nc://{:s}:{:d}", remote_host, remote_port);
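Review bot: The client constructor hard-codes `anonymous = true` on the new line, so a client's ConnectionManager will accept an ICE request from any device rather than only from devices signed by its CA; that is fine if the client never exposes a channel handler, but nothing here shows that, and a one-line comment would spare the next reader the question, e.g. `// client side: accept any incoming ICE request (no CA check)`. If the client is meant to be as strict as the server, it should take the same flag instead of a literal. The constructor body continues outside the hunk.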
diff --git a/tools/dnc/dnc.h b/tools/dnc/dnc.h
index b9545c1..77cfe9f 100644
--- a/tools/dnc/dnc.h
+++ b/tools/dnc/dnc.h
@@ -38,7 +38,8 @@
const std::string& turn_host,
const std::string& turn_user,
const std::string& turn_pass,
- const std::string& turn_realm);
+ const std::string& turn_realm,
+ const bool anonymous);
// Build a client
Dnc(const std::filesystem::path& path,
dht::crypto::Identity identity,
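Review bot: The new `anonymous` parameter is the only security knob on the server constructor and it is undocumented; the header already labels the next overload with `// Build a client`, so this one deserves a line stating the contract, e.g. `// anonymous: when false, incoming ICE requests are accepted only from devices whose certificate is signed by this identity's issuer CA; when true, any device is accepted`. Also, top-level `const` on a by-value parameter in a declaration is ignored by the compiler and the neighbouring parameters do not use it; `bool anonymous` reads cleaner.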
@@ -46,10 +47,10 @@
dht::InfoHash peer_id,
const std::string& remote_host,
int remote_port,
- const std::string& turn_host = "",
- const std::string& turn_user = "",
- const std::string& turn_pass = "",
- const std::string& turn_realm = "");
+ const std::string& turn_host,
+ const std::string& turn_user,
+ const std::string& turn_pass,
+ const std::string& turn_realm);
~Dnc();
void run();
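Review bot: Dropping the `= ""` defaults on the client constructor's four TURN parameters is an API break not mentioned in the commit message: any caller that relied on them no longer compiles (main.cpp in this commit passes all four, so it is unaffected). If the intent is consistency with the server overload, which has no defaults, or to force callers to make the TURN choice explicit, say so in the message; otherwise the defaults could stay.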
@@ -60,6 +61,7 @@
std::shared_ptr<IceTransportFactory> iceFactory;
std::shared_ptr<asio::io_context> ioContext;
std::thread ioContextRunner;
+ std::shared_ptr<tls::TrustStore> trustStore;
std::pair<std::string, std::string> parseName(const std::string_view name);
};
diff --git a/tools/dnc/dnc.yaml b/tools/dnc/dnc.yaml
index 6e092fa..a107615 100644
--- a/tools/dnc/dnc.yaml
+++ b/tools/dnc/dnc.yaml
@@ -6,4 +6,5 @@
turn_realm: "ring"
port: 22
ip: "127.0.0.1"
-CA: Home/.dhtnet # Change this to the path of the CA directory
+CA: HOME/.dhtnet # Change this to the path of the CA directory
+anonymous: false
\ No newline at end of file
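Review bot: `CA: HOME/.dhtnet` on the new line is still a literal relative path, the same problem as the `Home/.dhtnet` it replaces: unless the loader expands environment variables (not shown here), the CA directory resolves relative to the working directory and the identity load will fail or pick up a stray directory. Use `$HOME/.dhtnet` or an absolute path, and state in the comment which form the loader supports, e.g. `CA: /home/<user>/.dhtnet # absolute path to the CA directory (no variable expansion)`. `anonymous: false` as the shipped default is the right choice; a comment such as `# true disables the CA check and accepts any peer` would make the cost of flipping it obvious. The file also still lacks a trailing newline.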
diff --git a/tools/dnc/main.cpp b/tools/dnc/main.cpp
index 0ba8b57..363e05e 100644
--- a/tools/dnc/main.cpp
+++ b/tools/dnc/main.cpp
@@ -47,6 +47,7 @@
std::string turn_realm {};
std::string ca {};
std::string dnc_configuration {};
+ bool anonymous_cnx {false};
};
static const constexpr struct option long_options[]
@@ -63,6 +64,7 @@
{"turn_realm", required_argument, nullptr, 'r'},
{"CA", required_argument, nullptr, 'C'},
{"dnc_configuration", required_argument, nullptr, 'd'},
+ {"anonymous_cnx", no_argument, nullptr, 'a'},
{nullptr, 0, nullptr, 0}};
dhtnc_params
@@ -70,7 +72,7 @@
{
dhtnc_params params;
int opt;
- while ((opt = getopt_long(argc, argv, "hvlw:r:u:t:I:b:p:i:C:d:", long_options, nullptr)) != -1) {
+ while ((opt = getopt_long(argc, argv, "ahvlw:r:u:t:I:b:p:i:C:d:", long_options, nullptr)) != -1) {
switch (opt) {
case 'h':
params.help = true;
@@ -110,6 +112,10 @@
break;
case 'd':
params.dnc_configuration = optarg;
+ break;
+ case 'a':
+ params.anonymous_cnx = true;
+ break;
default:
std::cerr << "Invalid option" << std::endl;
exit(EXIT_FAILURE);
@@ -162,6 +168,9 @@
if (config["port"] && params.remote_port == 0) {
params.remote_port = config["port"].as<int>();
}
+ if (config["anonymous"] && !params.anonymous_cnx) {
+ params.anonymous_cnx = config["anonymous"].as<bool>();
+ }
}
}
return params;
@@ -202,16 +211,20 @@
" -u, --turn_user Specify the turn_user option with an argument.\n"
" -w, --turn_pass Specify the turn_pass option with an argument.\n"
" -r, --turn_realm Specify the turn_realm option with an argument.\n"
- " -C, --CA Specify the CA option with an argument.\n");
+ " -C, --CA Specify the CA option with an argument.\n"
+ " -d, --dnc_configuration Specify the dnc_configuration option with an argument.\n"
+ " -a, --anonymous_cnx Enable the anonymous mode.\n");
return EXIT_SUCCESS;
}
+
if (params.version) {
fmt::print("dnc v1.0\n");
return EXIT_SUCCESS;
}
+ auto identity = dhtnet::loadIdentity(params.path, params.ca);
+
fmt::print("dnc 1.0\n");
- auto identity = dhtnet::loadIdentity(params.path, params.ca);
fmt::print("Loaded identity: {} from {}\n", identity.second->getId(), params.path);
std::unique_ptr<dhtnet::Dnc> dhtnc;
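Review bot: The help line for `-a` on the new line says only `Enable the anonymous mode`, which does not tell an operator that the flag disables the CA check on incoming connections; make the consequence explicit, e.g. `" -a, --anonymous_cnx Accept ICE requests from any device (skips the CA check).\n"`. Since `anonymous` can also come from the YAML file, printing the effective mode next to the `Loaded identity` line (for example `fmt::print("Anonymous mode: {}\n", params.anonymous_cnx);`) would let a server operator confirm which mode is actually in effect. The surrounding function starts and ends outside the hunk.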
@@ -223,7 +236,8 @@
params.turn_host,
params.turn_user,
params.turn_pass,
- params.turn_realm);
+ params.turn_realm,
+ params.anonymous_cnx);
} else {
dhtnc = std::make_unique<dhtnet::Dnc>(params.path,
identity,