0
0
Fork 0
mirror of https://github.com/matrix-construct/construct synced 2025-01-13 16:33:53 +01:00

ircd:Ⓜ️ Remove tls fingerprint related.

This commit is contained in:
Jason Volk 2019-09-30 19:30:09 -07:00
parent 06d8e4f5cf
commit 9c49e8bdb5
3 changed files with 0 additions and 367 deletions

View file

@ -40,7 +40,6 @@ namespace ircd::m
/// verify_keys Object, Public keys of the homeserver for verifying digital signatures.
/// old_verify_keys Object, The public keys that the server used to use and when it stopped using them.
/// signatures Object, Digital signatures for this object signed using the verify_keys.
/// tls_fingerprints Array of Objects, Hashes of X.509 TLS certificates used by this this server encoded as Unpadded Base64.
/// valid_until_ts Integer, POSIX timestamp when the list of valid keys should be refreshed.
///
struct ircd::m::keys
@ -49,7 +48,6 @@ struct ircd::m::keys
json::property<name::old_verify_keys, json::object>,
json::property<name::server_name, json::string>,
json::property<name::signatures, json::object>,
json::property<name::tls_fingerprints, json::array>,
json::property<name::valid_until_ts, time_t>,
json::property<name::verify_keys, json::object>
>

View file

@ -21,14 +21,6 @@ ircd::m::pretty_oneline(std::ostream &s,
<< " (" << json::get<"valid_until_ts"_>(keys) << ")"
<< ' ';
for(const json::object &fp : json::get<"tls_fingerprints"_>(keys))
{
s << "tls[ ";
for(const auto &[digest, fingerprint] : fp)
s << digest << ' ';
s << "] ";
}
for(const auto &[domain, signature_] : json::get<"signatures"_>(keys))
{
s << "sig[ " << domain << ' ';
@ -63,12 +55,6 @@ ircd::m::pretty(std::ostream &s,
<< " (" << json::get<"valid_until_ts"_>(keys) << ")"
<< '\n';
for(const json::object &fp : json::get<"tls_fingerprints"_>(keys))
for(const auto &[digest, fingerprint] : fp)
s << std::setw(16) << std::right << "[fingerprint] "
<< digest << ' ' << unquote(fingerprint)
<< '\n';
for(const auto &[domain, signature_] : json::get<"signatures"_>(keys))
for(const auto &[key_id, signature] : json::object(signature_))
s << std::setw(16) << std::right << "[signature] "
@ -666,353 +652,3 @@ catch(...)
std::current_exception()
};
}
///////////////////////////////////////////////////////////////////////////////
//
// m/self.h
//
//
// self::init
//
void
IRCD_MODULE_EXPORT
ircd::m::self::init::keys()
{
tls_certificate();
federation_ed25519();
}
namespace ircd::m::self
{
extern conf::item<std::string> tls_key_dir;
}
decltype(ircd::m::self::tls_key_dir)
ircd::m::self::tls_key_dir
{
{ "name", "ircd.keys.tls_key_dir" },
{ "default", fs::cwd() }
};
void
IRCD_MODULE_EXPORT
ircd::m::self::init::tls_certificate()
{
if(empty(self::origin))
throw error
{
"The m::self::origin must be set to init my ed25519 key."
};
const std::string private_key_path_parts[]
{
std::string{tls_key_dir},
self::origin + ".crt.key",
};
const std::string public_key_path_parts[]
{
std::string{tls_key_dir},
self::origin + ".crt.key.pub",
};
const std::string dhparam_path_parts[]
{
std::string{tls_key_dir},
self::origin + ".crt.dh",
};
const std::string certificate_path_parts[]
{
std::string{tls_key_dir},
self::origin + ".crt",
};
const std::string private_key_file
{
fs::path_string(private_key_path_parts)
};
const std::string public_key_file
{
fs::path_string(public_key_path_parts)
};
const std::string cert_file
{
fs::path_string(certificate_path_parts)
};
if(!fs::exists(private_key_file) && !ircd::write_avoid)
{
log::warning
{
"Failed to find certificate private key @ `%s'; creating...",
private_key_file
};
openssl::genrsa(private_key_file, public_key_file);
}
const json::object config{};
if(!fs::exists(cert_file) && !ircd::write_avoid)
{
const json::object &certificate
{
config.get("certificate")
};
const json::object &self_
{
certificate.get(self::origin)
};
std::string subject
{
self_.get("subject")
};
if(empty(subject))
subject = json::strung{json::members
{
{ "CN", self::origin }
}};
log::warning
{
"Failed to find SSL certificate @ `%s'; creating for '%s'...",
cert_file,
self::origin
};
const unique_buffer<mutable_buffer> buf
{
1_MiB
};
const json::strung opts{json::members
{
{ "private_key_pem_path", private_key_file },
{ "public_key_pem_path", public_key_file },
{ "subject", subject },
}};
const auto cert
{
openssl::genX509_rsa(buf, opts)
};
fs::overwrite(cert_file, cert);
}
const auto cert_pem
{
fs::read(cert_file)
};
const unique_buffer<mutable_buffer> der_buf
{
8_KiB
};
const auto cert_der
{
openssl::cert2d(der_buf, cert_pem)
};
const fixed_buffer<const_buffer, crh::sha256::digest_size> hash
{
sha256{cert_der}
};
m::self::tls_cert_der_sha256_b64 =
{
b64encode_unpadded(hash)
};
log::info
{
m::log, "Certificate `%s' :PEM %zu bytes; DER %zu bytes; sha256b64 %s",
cert_file,
cert_pem.size(),
ircd::size(cert_der),
m::self::tls_cert_der_sha256_b64
};
const unique_buffer<mutable_buffer> print_buf
{
8_KiB
};
log::info
{
m::log, "Certificate `%s' :%s",
cert_file,
openssl::print_subject(print_buf, cert_pem)
};
}
//
// federation_ed25519
//
namespace ircd::m::self
{
extern conf::item<std::string> ed25519_key_dir;
}
decltype(ircd::m::self::ed25519_key_dir)
ircd::m::self::ed25519_key_dir
{
{ "name", "ircd.keys.ed25519_key_dir" },
{ "default", fs::cwd() }
};
void
IRCD_MODULE_EXPORT
ircd::m::self::init::federation_ed25519()
{
if(empty(m::self::origin))
throw error
{
"The m::self::origin must be set to init my ed25519 key."
};
const std::string path_parts[]
{
std::string{ed25519_key_dir},
m::self::origin + ".ed25519",
};
const std::string sk_file
{
ircd::string(fs::PATH_MAX_LEN, [&](const mutable_buffer &buf)
{
return fs::path(buf, path_parts);
})
};
if(fs::exists(sk_file) || ircd::write_avoid)
log::info
{
m::log, "Using ed25519 secret key @ `%s'", sk_file
};
else
log::notice
{
m::log, "Creating ed25519 secret key @ `%s'", sk_file
};
m::self::secret_key = ed25519::sk
{
sk_file, &m::self::public_key
};
m::self::public_key_b64 = b64encode_unpadded(m::self::public_key);
const fixed_buffer<const_buffer, sha256::digest_size> hash
{
sha256{m::self::public_key}
};
const auto public_key_hash_b58
{
b58encode(hash)
};
static const auto trunc_size{8};
m::self::public_key_id = fmt::snstringf
{
32, "ed25519:%s", trunc(public_key_hash_b58, trunc_size)
};
log::info
{
m::log, "Current key is '%s' and the public key is: %s",
m::self::public_key_id,
m::self::public_key_b64
};
}
//
// create_my_key
//
namespace ircd::m::self
{
extern m::hookfn<m::vm::eval &> create_my_key_hook;
}
decltype(ircd::m::self::create_my_key_hook)
ircd::m::self::create_my_key_hook
{
{
{ "_site", "vm.effect" },
{ "room_id", m::my_node.room_id() },
{ "type", "m.room.create" },
},
[](const m::event &, m::vm::eval &)
{
create_my_key();
}
};
void
IRCD_MODULE_EXPORT
ircd::m::self::create_my_key()
{
const json::members verify_keys_
{{
string_view{m::self::public_key_id},
{
{ "key", m::self::public_key_b64 }
}
}};
const json::members tlsfps
{
{ "sha256", m::self::tls_cert_der_sha256_b64 }
};
const json::value tlsfp[1]
{
{ tlsfps }
};
m::keys my_key;
json::get<"server_name"_>(my_key) = my_host();
json::get<"old_verify_keys"_>(my_key) = "{}";
//TODO: conf
json::get<"valid_until_ts"_>(my_key) =
ircd::time<milliseconds>() + milliseconds(1000UL * 60 * 60 * 24 * 180).count();
const json::strung verify_keys{verify_keys_}; // must be on stack until my_keys serialized.
json::get<"verify_keys"_>(my_key) = verify_keys;
const json::strung tls_fingerprints{json::value{tlsfp, 1}}; // must be on stack until my_keys serialized.
json::get<"tls_fingerprints"_>(my_key) = tls_fingerprints;
const json::strung presig
{
my_key
};
const ed25519::sig sig
{
m::self::secret_key.sign(const_buffer{presig})
};
char signature[256];
const json::strung signatures{json::members
{
{ my_host(),
{
{ string_view{m::self::public_key_id}, b64encode_unpadded(signature, sig) }
}}
}};
json::get<"signatures"_>(my_key) = signatures;
keys::cache::set(json::strung{my_key});
}

View file

@ -5892,7 +5892,6 @@ console_cmd__key(opt &out, const string_view &line)
out << "origin: " << m::my_host() << std::endl;
out << "public key ID: " << m::self::public_key_id << std::endl;
out << "public key base64: " << m::self::public_key_b64 << std::endl;
out << "TLS cert sha256 base64: " << m::self::tls_cert_der_sha256_b64 << std::endl;
return true;
}