commit 4325f0ff509827fac554a1b56b4768e5f67ae663
author Amna <amna.snene@savoirfairelinux.com> Mon Jan 22 16:11:00 2024 -0500
committer Amna Snene <amna.snene@savoirfairelinux.com> Tue Feb 06 15:25:18 2024 -0500
tree 4b8e81706dd5ff1d0c0932df2e95171bbcabfe4f
parent ad16157b6c7299443a7b2ba919ca463eb08b5647

tools: add certification check

If the server disable the anonymous connection option, it accept a client only if the CA of the client matches the CA of the server.
Else (anonymous connection option enabled), the server accept any request.

Change-Id: I6ff6ec72d6f6452ce50fd8aa35896ff7117be6c0

tools/dnc/dnc.cpp

diff --git a/tools/dnc/dnc.cpp b/tools/dnc/dnc.cpp
index 37c8b22..88bf61d 100644
--- a/tools/dnc/dnc.cpp
+++ b/tools/dnc/dnc.cpp
@@ -59,12 +59,14 @@
          const std::string& turn_host,
          const std::string& turn_user,
          const std::string& turn_pass,
-         const std::string& turn_realm)
+         const std::string& turn_realm,
+         const bool anonymous)
     : logger(dht::log::getStdLogger())
     , ioContext(std::make_shared<asio::io_context>()),
-    iceFactory(std::make_shared<IceTransportFactory>(logger))
+    iceFactory(std::make_shared<IceTransportFactory>(logger)),
+    certStore(std::make_shared<tls::CertificateStore>(path / "certstore", logger)),
+    trustStore(std::make_shared<tls::TrustStore>(*certStore))
 {
-    auto certStore = std::make_shared<tls::CertificateStore>(path / "certstore", logger);
     ioContextRunner = std::thread([context = ioContext, logger = logger] {
         try {
             auto work = asio::make_work_guard(*context);
@@ -75,6 +77,9 @@
         }
     });
 
+    auto ca = identity.second->issuer;
+    trustStore->setCertificateStatus(ca->getId().toString(), tls::TrustStore::PermissionStatus::ALLOWED);
+
     auto config = connectionManagerConfig(path,
                                           identity,
                                           bootstrap,
@@ -90,10 +95,9 @@
     connectionManager = std::make_unique<ConnectionManager>(std::move(config));
 
     connectionManager->onDhtConnected(identity.first->getPublicKey());
-    connectionManager->onICERequest([this](const dht::Hash<32>&) { // handle ICE request
-        if (logger)
-            logger->debug("ICE request received");
-        return true;
+    connectionManager->onICERequest([this, identity, anonymous](const DeviceId& deviceId) {
+        auto cert = certStore->getCertificate(deviceId.toString());
+        return trustStore->isAllowed(*cert, anonymous);
     });
 
     std::mutex mtx;
@@ -177,7 +181,7 @@
          const std::string& turn_user,
          const std::string& turn_pass,
          const std::string& turn_realm)
-    : Dnc(path, identity, bootstrap,turn_host,turn_user,turn_pass, turn_realm)
+    : Dnc(path, identity, bootstrap,turn_host,turn_user,turn_pass, turn_realm, true)
 {
     std::condition_variable cv;
     auto name = fmt::format("nc://{:s}:{:d}", remote_host, remote_port);