Merge pull request #175 from plgd-dev/feature/dtlsPeerCertificate

feature/dtls peer certificate

Author: jkralik

dtls/options.go

@@ -188,6 +188,9 @@ func (o OnNewClientConnOpt) apply(opts *serverOptions) {
 }
 
 // WithOnNewClientConn server's notify about new client connection.
+//
+// Note: Calling `dtlsConn.Close()` is forbidden, and `dtlsConn` should be treated as a
+// "read-only" parameter, mainly used to get the peer certificate from the underlining connection
 func WithOnNewClientConn(onNewClientConn OnNewClientConnFunc) OnNewClientConnOpt {
 	return OnNewClientConnOpt{
 		onNewClientConn: onNewClientConn,

dtls/server.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/pion/dtls/v2"
 	"github.com/plgd-dev/go-coap/v2/message"
 	"github.com/plgd-dev/go-coap/v2/net/blockwise"
 	kitSync "github.com/plgd-dev/kit/sync"
@@ -36,7 +37,11 @@ type GoPoolFunc = func(func()) error
 
 type BlockwiseFactoryFunc = func(getSendedRequest func(token message.Token) (blockwise.Message, bool)) *blockwise.BlockWise
 
-type OnNewClientConnFunc = func(cc *client.ClientConn)
+// OnNewClientConnFunc is the callback for new connections.
+//
+// Note: Calling `dtlsConn.Close()` is forbidden, and `dtlsConn` should be treated as a
+// "read-only" parameter, mainly used to get the peer certificate from the underlining connection
+type OnNewClientConnFunc = func(cc *client.ClientConn, dtlsConn *dtls.Conn)
 
 type GetMIDFunc = func() uint16
 
@@ -59,7 +64,7 @@ var defaultServerOptions = serverOptions{
 	blockwiseEnable:                true,
 	blockwiseSZX:                   blockwise.SZX1024,
 	blockwiseTransferTimeout:       time.Second * 5,
-	onNewClientConn:                func(cc *client.ClientConn) {},
+	onNewClientConn:                func(cc *client.ClientConn, dtlsConn *dtls.Conn) {},
 	heartBeat:                      time.Millisecond * 100,
 	transmissionNStart:             time.Second,
 	transmissionAcknowledgeTimeout: time.Second * 2,
@@ -210,7 +215,8 @@ func (s *Server) Serve(l Listener) error {
 			wg.Add(1)
 			cc := s.createClientConn(coapNet.NewConn(rw, coapNet.WithHeartBeat(s.heartBeat)))
 			if s.onNewClientConn != nil {
-				s.onNewClientConn(cc)
+				dtlsConn := rw.(*dtls.Conn)
+				s.onNewClientConn(cc, dtlsConn)
 			}
 			go func() {
 				defer wg.Done()

dtls/server_test.go

@@ -1,16 +1,24 @@
 package dtls_test
 
 import (
+	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"math/big"
 	"sync"
 	"testing"
 	"time"
 
 	piondtls "github.com/pion/dtls/v2"
 	"github.com/plgd-dev/go-coap/v2/dtls"
+	"github.com/plgd-dev/go-coap/v2/examples/dtls/pki"
+	"github.com/plgd-dev/go-coap/v2/message"
+	"github.com/plgd-dev/go-coap/v2/message/codes"
 	coapNet "github.com/plgd-dev/go-coap/v2/net"
 	"github.com/plgd-dev/go-coap/v2/udp/client"
+	"github.com/plgd-dev/go-coap/v2/udp/message/pool"
 	"github.com/stretchr/testify/require"
 )
 
@@ -29,7 +37,7 @@ func TestServer_CleanUpConns(t *testing.T) {
 
 	var checkCloseWg sync.WaitGroup
 	defer checkCloseWg.Wait()
-	sd := dtls.NewServer(dtls.WithOnNewClientConn(func(cc *client.ClientConn) {
+	sd := dtls.NewServer(dtls.WithOnNewClientConn(func(cc *client.ClientConn, dtlsConn *piondtls.Conn) {
 		checkCloseWg.Add(1)
 		cc.AddOnClose(func() {
 			checkCloseWg.Done()
@@ -57,3 +65,98 @@ func TestServer_CleanUpConns(t *testing.T) {
 	err = cc.Ping(ctx)
 	require.NoError(t, err)
 }
+
+func createDTLSConfig(ctx context.Context) (serverConfig *piondtls.Config, clientConfig *piondtls.Config, clientSerial *big.Int, err error) {
+	// root cert
+	ca, rootBytes, _, caPriv, err := pki.GenerateCA()
+	if err != nil {
+		return
+	}
+	// server cert
+	certBytes, keyBytes, err := pki.GenerateCertificate(ca, caPriv, "server@test.com")
+	if err != nil {
+		return
+	}
+	certificate, err := pki.LoadKeyAndCertificate(keyBytes, certBytes)
+	if err != nil {
+		return
+	}
+	// cert pool
+	certPool, err := pki.LoadCertPool(rootBytes)
+	if err != nil {
+		return
+	}
+
+	serverConfig = &piondtls.Config{
+		Certificates:         []tls.Certificate{*certificate},
+		ExtendedMasterSecret: piondtls.RequireExtendedMasterSecret,
+		ClientCAs:            certPool,
+		ClientAuth:           piondtls.RequireAndVerifyClientCert,
+		ConnectContextMaker: func() (context.Context, func()) {
+			return context.WithTimeout(ctx, 30*time.Second)
+		},
+	}
+
+	// client cert
+	certBytes, keyBytes, err = pki.GenerateCertificate(ca, caPriv, "client@test.com")
+	if err != nil {
+		return
+	}
+	certificate, err = pki.LoadKeyAndCertificate(keyBytes, certBytes)
+	if err != nil {
+		return
+	}
+	clientInfo, err := x509.ParseCertificate(certificate.Certificate[0])
+	if err != nil {
+		return
+	}
+	clientSerial = clientInfo.SerialNumber
+
+	clientConfig = &piondtls.Config{
+		Certificates:         []tls.Certificate{*certificate},
+		ExtendedMasterSecret: piondtls.RequireExtendedMasterSecret,
+		RootCAs:              certPool,
+		InsecureSkipVerify:   true,
+	}
+
+	return
+}
+
+func TestServer_SetContextValueWithPKI(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*3600)
+	defer cancel()
+	serverCgf, clientCgf, clientSerial, err := createDTLSConfig(ctx)
+	require.NoError(t, err)
+
+	ld, err := coapNet.NewDTLSListener("udp4", "", serverCgf)
+	require.NoError(t, err)
+	defer ld.Close()
+
+	onNewConn := func(cc *client.ClientConn, dtlsConn *piondtls.Conn) {
+		// set connection context certificate
+		clientCert, err := x509.ParseCertificate(dtlsConn.ConnectionState().PeerCertificates[0])
+		require.NoError(t, err)
+		cc.Session().SetContextValue("client-cert", clientCert)
+	}
+	handle := func(w *client.ResponseWriter, r *pool.Message) {
+		// get certificate from connection context
+		clientCert := r.Context().Value("client-cert").(*x509.Certificate)
+		require.Equal(t, clientCert.SerialNumber, clientSerial)
+		require.NotNil(t, clientCert)
+		w.SetResponse(codes.Content, message.TextPlain, bytes.NewReader([]byte("done")))
+	}
+
+	sd := dtls.NewServer(dtls.WithHandlerFunc(handle), dtls.WithOnNewClientConn(onNewConn))
+	defer sd.Stop()
+	go func() {
+		err := sd.Serve(ld)
+		require.NoError(t, err)
+	}()
+
+	cc, err := dtls.Dial(ld.Addr().String(), clientCgf)
+	require.NoError(t, err)
+	defer cc.Close()
+
+	_, err = cc.Get(ctx, "/")
+	require.NoError(t, err)
+}

dtls/session.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"sync"
+	"sync/atomic"
 
 	coapNet "github.com/plgd-dev/go-coap/v2/net"
 	"github.com/plgd-dev/go-coap/v2/udp/client"
@@ -22,7 +23,7 @@ type Session struct {
 	onClose []EventFunc
 
 	cancel context.CancelFunc
-	ctx    context.Context
+	ctx    atomic.Value
 }
 
 func NewSession(
@@ -32,17 +33,18 @@ func NewSession(
 	closeSocket bool,
 ) *Session {
 	ctx, cancel := context.WithCancel(ctx)
-	return &Session{
-		ctx:            ctx,
+	s := &Session{
 		cancel:         cancel,
 		connection:     connection,
 		maxMessageSize: maxMessageSize,
 		closeSocket:    closeSocket,
 	}
+	s.ctx.Store(&ctx)
+	return s
 }
 
 func (s *Session) Done() <-chan struct{} {
-	return s.ctx.Done()
+	return s.Context().Done()
 }
 
 func (s *Session) AddOnClose(f EventFunc) {
@@ -75,7 +77,14 @@ func (s *Session) Close() error {
 }
 
 func (s *Session) Context() context.Context {
-	return s.ctx
+	return *s.ctx.Load().(*context.Context)
+}
+
+func (s *Session) SetContextValue(key interface{}, val interface{}) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+	ctx := context.WithValue(s.Context(), key, val)
+	s.ctx.Store(&ctx)
 }
 
 func (s *Session) WriteMessage(req *pool.Message) error {
@@ -109,7 +118,7 @@ func (s *Session) Run(cc *client.ClientConn) (err error) {
 	m := make([]byte, s.maxMessageSize)
 	for {
 		readBuf := m
-		readLen, err := s.connection.ReadWithContext(s.ctx, readBuf)
+		readLen, err := s.connection.ReadWithContext(s.Context(), readBuf)
 		if err != nil {
 			return err
 		}

examples/dtls/pki/cert_gen.go

@@ -0,0 +1,119 @@
+package pki
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"io"
+	"math/big"
+	"net"
+	"time"
+)
+
+var (
+	algo      = elliptic.P256()
+	notBefore = time.Now()
+	notAfter  = notBefore.Add(time.Hour)
+	subject   = pkix.Name{
+		Country:      []string{"BR"},
+		Province:     []string{"Parana"},
+		Locality:     []string{"Curitiba"},
+		Organization: []string{"Test"},
+		CommonName:   "test.com",
+	}
+)
+
+func sequentialBytes(n int) io.Reader {
+	sequence := make([]byte, n)
+	for i := 0; i < n; i++ {
+		sequence[i] = byte(i)
+	}
+	return bytes.NewReader(sequence)
+}
+
+// GenerateCA creates a deterministic certificate authority (for test purposes only)
+func GenerateCA() (ca *x509.Certificate, cert, key []byte, priv *ecdsa.PrivateKey, err error) {
+	priv, err = ecdsa.GenerateKey(algo, sequentialBytes(64))
+	if err != nil {
+		return
+	}
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(sequentialBytes(128), serialNumberLimit)
+
+	ca = &x509.Certificate{
+		NotBefore:    notBefore,
+		NotAfter:     notAfter,
+		SerialNumber: serialNumber,
+
+		Subject:        subject,
+		EmailAddresses: []string{"ca@test.com"},
+		IPAddresses:    []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+
+		IsCA:                  true,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &priv.PublicKey, priv)
+	if err != nil {
+		return
+	}
+	cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return
+	}
+	key = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privBytes})
+
+	return
+}
+
+// GenerateCertificate creates a certificate
+func GenerateCertificate(ca *x509.Certificate, caPriv *ecdsa.PrivateKey, email string) (cert, key []byte, err error) {
+	priv, err := ecdsa.GenerateKey(algo, rand.Reader)
+	if err != nil {
+		return
+	}
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return
+	}
+
+	template := x509.Certificate{
+		NotBefore:    notBefore,
+		NotAfter:     notAfter,
+		SerialNumber: serialNumber,
+
+		Subject:        subject,
+		EmailAddresses: []string{email},
+		IPAddresses:    []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, ca, &priv.PublicKey, caPriv)
+	if err != nil {
+		return
+	}
+
+	cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return
+	}
+	key = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privBytes})
+
+	return
+}

examples/dtls/pki/cert_gen_test.go

@@ -0,0 +1,19 @@
+package pki
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateCA(t *testing.T) {
+	ca, cert, key, caPriv, err := GenerateCA()
+	require.NoError(t, err)
+	require.Contains(t, string(cert), "-----BEGIN CERTIFICATE-----")
+	require.Contains(t, string(key), "-----BEGIN EC PRIVATE KEY-----")
+
+	cert, key, err = GenerateCertificate(ca, caPriv, "cert@test.com")
+	require.NoError(t, err)
+	require.Contains(t, string(cert), "-----BEGIN CERTIFICATE-----")
+	require.Contains(t, string(key), "-----BEGIN EC PRIVATE KEY-----")
+}