Inicio Explorar Ayuda
Registro Iniciar sesión
zhouyuhuan
/
Cloudpods
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: 0d91f1698e
Ramas Etiquetas
Cloudpods
/
backend
/
vendor
/
github.com
/
pion
/
dtls
/
v2
/
certificate.go

certificate.go 4.5 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. package dtls
    2. 

  2. 

  3. import (
    4. 

  4. 	"bytes"
    5. 

  5. 	"crypto/tls"
    6. 

  6. 	"crypto/x509"
    7. 

  7. 	"fmt"
    8. 

  8. 	"strings"
    9. 

  9. )
    10. 

  10. 

  11. // ClientHelloInfo contains information from a ClientHello message in order to
    12. 

  12. // guide application logic in the GetCertificate.
    13. 

  13. type ClientHelloInfo struct {
    14. 

  14. 	// ServerName indicates the name of the server requested by the client
    15. 

  15. 	// in order to support virtual hosting. ServerName is only set if the
    16. 

  16. 	// client is using SNI (see RFC 4366, Section 3.1).
    17. 

  17. 	ServerName string
    18. 

  18. 

  19. 	// CipherSuites lists the CipherSuites supported by the client (e.g.
    20. 

  20. 	// TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256).
    21. 

  21. 	CipherSuites []CipherSuiteID
    22. 

  22. }
    23. 

  23. 

  24. // CertificateRequestInfo contains information from a server's
    25. 

  25. // CertificateRequest message, which is used to demand a certificate and proof
    26. 

  26. // of control from a client.
    27. 

  27. type CertificateRequestInfo struct {
    28. 

  28. 	// AcceptableCAs contains zero or more, DER-encoded, X.501
    29. 

  29. 	// Distinguished Names. These are the names of root or intermediate CAs
    30. 

  30. 	// that the server wishes the returned certificate to be signed by. An
    31. 

  31. 	// empty slice indicates that the server has no preference.
    32. 

  32. 	AcceptableCAs [][]byte
    33. 

  33. }
    34. 

  34. 

  35. // SupportsCertificate returns nil if the provided certificate is supported by
    36. 

  36. // the server that sent the CertificateRequest. Otherwise, it returns an error
    37. 

  37. // describing the reason for the incompatibility.
    38. 

  38. // NOTE: original src: https://github.com/golang/go/blob/29b9a328d268d53833d2cc063d1d8b4bf6852675/src/crypto/tls/common.go#L1273
    39. 

  39. func (cri *CertificateRequestInfo) SupportsCertificate(c *tls.Certificate) error {
    40. 

  40. 	if len(cri.AcceptableCAs) == 0 {
    41. 

  41. 		return nil
    42. 

  42. 	}
    43. 

  43. 

  44. 	for j, cert := range c.Certificate {
    45. 

  45. 		x509Cert := c.Leaf
    46. 

  46. 		// Parse the certificate if this isn't the leaf node, or if
    47. 

  47. 		// chain.Leaf was nil.
    48. 

  48. 		if j != 0 || x509Cert == nil {
    49. 

  49. 			var err error
    50. 

  50. 			if x509Cert, err = x509.ParseCertificate(cert); err != nil {
    51. 

  51. 				return fmt.Errorf("failed to parse certificate #%d in the chain: %w", j, err)
    52. 

  52. 			}
    53. 

  53. 		}
    54. 

  54. 

  55. 		for _, ca := range cri.AcceptableCAs {
    56. 

  56. 			if bytes.Equal(x509Cert.RawIssuer, ca) {
    57. 

  57. 				return nil
    58. 

  58. 			}
    59. 

  59. 		}
    60. 

  60. 	}
    61. 

  61. 	return errNotAcceptableCertificateChain
    62. 

  62. }
    63. 

  63. 

  64. func (c *handshakeConfig) setNameToCertificateLocked() {
    65. 

  65. 	nameToCertificate := make(map[string]*tls.Certificate)
    66. 

  66. 	for i := range c.localCertificates {
    67. 

  67. 		cert := &c.localCertificates[i]
    68. 

  68. 		x509Cert := cert.Leaf
    69. 

  69. 		if x509Cert == nil {
    70. 

  70. 			var parseErr error
    71. 

  71. 			x509Cert, parseErr = x509.ParseCertificate(cert.Certificate[0])
    72. 

  72. 			if parseErr != nil {
    73. 

  73. 				continue
    74. 

  74. 			}
    75. 

  75. 		}
    76. 

  76. 		if len(x509Cert.Subject.CommonName) > 0 {
    77. 

  77. 			nameToCertificate[strings.ToLower(x509Cert.Subject.CommonName)] = cert
    78. 

  78. 		}
    79. 

  79. 		for _, san := range x509Cert.DNSNames {
    80. 

  80. 			nameToCertificate[strings.ToLower(san)] = cert
    81. 

  81. 		}
    82. 

  82. 	}
    83. 

  83. 	c.nameToCertificate = nameToCertificate
    84. 

  84. }
    85. 

  85. 

  86. func (c *handshakeConfig) getCertificate(clientHelloInfo *ClientHelloInfo) (*tls.Certificate, error) {
    87. 

  87. 	c.mu.Lock()
    88. 

  88. 	defer c.mu.Unlock()
    89. 

  89. 

  90. 	if c.localGetCertificate != nil &&
    91. 

  91. 		(len(c.localCertificates) == 0 || len(clientHelloInfo.ServerName) > 0) {
    92. 

  92. 		cert, err := c.localGetCertificate(clientHelloInfo)
    93. 

  93. 		if cert != nil || err != nil {
    94. 

  94. 			return cert, err
    95. 

  95. 		}
    96. 

  96. 	}
    97. 

  97. 

  98. 	if c.nameToCertificate == nil {
    99. 

  99. 		c.setNameToCertificateLocked()
    100. 

  100. 	}
    101. 

  101. 

  102. 	if len(c.localCertificates) == 0 {
    103. 

  103. 		return nil, errNoCertificates
    104. 

  104. 	}
    105. 

  105. 

  106. 	if len(c.localCertificates) == 1 {
    107. 

  107. 		// There's only one choice, so no point doing any work.
    108. 

  108. 		return &c.localCertificates[0], nil
    109. 

  109. 	}
    110. 

  110. 

  111. 	if len(clientHelloInfo.ServerName) == 0 {
    112. 

  112. 		return &c.localCertificates[0], nil
    113. 

  113. 	}
    114. 

  114. 

  115. 	name := strings.TrimRight(strings.ToLower(clientHelloInfo.ServerName), ".")
    116. 

  116. 

  117. 	if cert, ok := c.nameToCertificate[name]; ok {
    118. 

  118. 		return cert, nil
    119. 

  119. 	}
    120. 

  120. 

  121. 	// try replacing labels in the name with wildcards until we get a
    122. 

  122. 	// match.
    123. 

  123. 	labels := strings.Split(name, ".")
    124. 

  124. 	for i := range labels {
    125. 

  125. 		labels[i] = "*"
    126. 

  126. 		candidate := strings.Join(labels, ".")
    127. 

  127. 		if cert, ok := c.nameToCertificate[candidate]; ok {
    128. 

  128. 			return cert, nil
    129. 

  129. 		}
    130. 

  130. 	}
    131. 

  131. 

  132. 	// If nothing matches, return the first certificate.
    133. 

  133. 	return &c.localCertificates[0], nil
    134. 

  134. }
    135. 

  135. 

  136. // NOTE: original src: https://github.com/golang/go/blob/29b9a328d268d53833d2cc063d1d8b4bf6852675/src/crypto/tls/handshake_client.go#L974
    137. 

  137. func (c *handshakeConfig) getClientCertificate(cri *CertificateRequestInfo) (*tls.Certificate, error) {
    138. 

  138. 	c.mu.Lock()
    139. 

  139. 	defer c.mu.Unlock()
    140. 

  140. 	if c.localGetClientCertificate != nil {
    141. 

  141. 		return c.localGetClientCertificate(cri)
    142. 

  142. 	}
    143. 

  143. 

  144. 	for i := range c.localCertificates {
    145. 

  145. 		chain := c.localCertificates[i]
    146. 

  146. 		if err := cri.SupportsCertificate(&chain); err != nil {
    147. 

  147. 			continue
    148. 

  148. 		}
    149. 

  149. 		return &chain, nil
    150. 

  150. 	}
    151. 

  151. 

  152. 	// No acceptable certificate found. Don't send a certificate.
    153. 

  153. 	return new(tls.Certificate), nil
    154. 

  154. }
    155.