Use standard hostname for certs
Ichbinjoe committed Dec 12, 2018
1 parent a1e7e95 commit f9c5bcc
Showing 2 changed files with 18 additions and 3 deletions.
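--- a/crypto.go
+++ b/crypto.go
@@ -14,6 +14,8 @@ import (
 peer "github.com/libp2p/go-libp2p-peer"
 )
 
+const PEER_HOSTNAME = "tls.libp2p"
+
 // Identity is used to secure connections
 type Identity struct {
 *tls.Config
@@ -30,7 +32,12 @@ func NewIdentity(privKey ic.PrivKey) (*Identity, error) {
 
 // ConfigForPeer creates a new tls.Config that verifies the peers certificate chain.
 // It should be used to create a new tls.Config before dialing.
-func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
+// It also returns a pointer to the remote public key which points to the valid remote public
+// key after the remote connects
+func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, *ic.PubKey) {
+
+var remotePubKey *ic.PubKey = nil
+
 // We need to check the peer ID in the VerifyPeerCertificate callback.
 // The tls.Config it is also used for listening, and we might also have concurrent dials.
 // Clone it so we can check for the specific peer ID we're dialing here.
@@ -53,9 +60,15 @@ func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
 if !remote.MatchesPublicKey(pubKey) {
 return errors.New("peer IDs don't match")
 }
+
+remotePubKey = &pubKey
+
 return nil
 }
-return conf
+
+conf.ServerName = PEER_HOSTNAME
+
+return conf, remotePubKey
 }
 
 // KeyFromChain takes a chain of x509.Certificates and returns the peer's public key.
@@ -102,6 +115,7 @@ func keyToCertificate(sk ic.PrivKey) (interface{}, *x509.Certificate, error) {
 return nil, nil, err
 }
 tmpl := &x509.Certificate{
+DNSNames: []string{PEER_HOSTNAME},
 SerialNumber: sn,
 NotBefore: time.Now().Add(-24 * time.Hour),
 NotAfter: time.Now().Add(certValidityPeriod),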
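Review bot: The second return value of ConfigForPeer is always nil and never becomes the verified key, contrary to the new doc comment: `return conf, remotePubKey` copies the pointer value at return time (nil), and the later `remotePubKey = &pubKey` inside VerifyPeerCertificate only rebinds the local variable, which no caller can observe. Allocate the slot up front and write through it instead, `remotePubKey := new(ic.PubKey)` at the top and `*remotePubKey = pubKey` in the callback, and state in the comment that the pointee is only valid once the handshake has completed, since reading it earlier yields the zero value. The hunks also cut through ConfigForPeer, so the Clone and KeyFromChain prelude between them is not visible here. As a caveat worth a comment next to `conf.ServerName = PEER_HOSTNAME`: with a fixed hostname shared by every peer the name check (if verification is enabled, which the visible lines do not show) binds nothing, and the `MatchesPublicKey` check remains the only authentication of the remote; the name is also sent as SNI in clear. Style: `var remotePubKey *ic.PubKey = nil` is idiomatically `var remotePubKey *ic.PubKey`, and Go constants use MixedCaps (`peerHostname`) rather than `PEER_HOSTNAME`.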
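--- a/transport.go
+++ b/transport.go
@@ -48,7 +48,8 @@ func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (cs.Co
 
 // SecureOutbound runs the TLS handshake as a client.
 func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (cs.Conn, error) {
-cl := tls.Client(insecure, t.identity.ConfigForPeer(p))
+config, _ := t.identity.ConfigForPeer(p)
+cl := tls.Client(insecure, config)
 return t.handshake(ctx, insecure, cl)
 }
 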
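Review bot: The verified remote key that ConfigForPeer now returns is discarded with `_` at the only call site, so the new return value has no consumer and the peer identity attached to the resulting connection still comes from wherever t.handshake (outside this hunk) derives it. If that is intentional for this commit, say so, `config, _ := t.identity.ConfigForPeer(p) // verified key is re-derived in handshake`; if the intent is to carry the key from the VerifyPeerCertificate check into the returned cs.Conn, it needs to be threaded into handshake rather than dropped, and note that the pointer is only meaningful after the handshake returns. SecureOutbound is fully contained in the hunk.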

0 comments on commit f9c5bcc

Please sign in to comment.