Merge branch 'xx-4413/received-cert' into 'release'

Add GetServerCert for getting certificate of server from web hosts See merge request !58

Merge branch 'xx-4413/received-cert' into 'release'
62f4ec17 · Jake Taylor · 6a0b2aac · a942768a · 62f4ec17 · 62f4ec17
Commit 62f4ec17 authored Dec 21, 2022 by Jake Taylor
--- a/connect/comms.go
+++ b/connect/comms.go
@@ -465,7 +465,7 @@ func parseTlsPacket(r io.Reader) (*tlshacks.ClientHelloInfo, bool) {
 // not be usable until this has been called at least once, unblocking the
 // listenHTTP func in ServeWithWeb.  Future calls will be handled by the
 // startUpdateCertificate thread.
-func (c *ProtoComms) ServeHttps(cert, key []byte) error {
+func (c *ProtoComms) ServeHttps(keyPair tls.Certificate) error {
 	if c.mux == nil {
 		return errors.New("mux does not exist; is https enabled?")
 	}
@@ -477,16 +477,17 @@ func (c *ProtoComms) ServeHttps(cert, key []byte) error {
 	httpL := c.mux.Match(c.matchWebTls)

 	grpcServer := c.grpcServer
-	keyPair, err := tls.X509KeyPair(
-		cert, key)
-	if err != nil {
-		return errors.WithMessage(err, "cert & key could not be parsed to valid tls certificate")
-	}
-
-	parsedLeafCert, err := x509.ParseCertificate(keyPair.Certificate[0])
+	var parsedLeafCert *x509.Certificate
+	var err error
+	if keyPair.Leaf == nil {
+		parsedLeafCert, err = x509.ParseCertificate(keyPair.Certificate[0])
 		if err != nil {
 			jww.FATAL.Panicf("Failed to load TLS certificate: %+v", err)
 		}
+	} else {
+		parsedLeafCert = keyPair.Leaf
+	}
+
 	c.httpsX509 = parsedLeafCert

 	listenHTTPS := func(l net.Listener) {

--- a/connect/connection.go
+++ b/connect/connection.go
 package connect

 import (
+	"crypto/x509"
 	"git.xx.network/elixxir/grpc-web-go-client/grpcweb"
 	jww "github.com/spf13/jwalterweatherman"
 	"google.golang.org/grpc"
@@ -51,6 +52,8 @@ type Connection interface {
 	Close() error

 	IsOnline() (time.Duration, bool)
+
+	GetServerCert() (*x509.Certificate, error)
 	clientConnHelpers
 }


--- a/connect/connection_test.go
+++ b/connect/connection_test.go
@@ -2,6 +2,7 @@ package connect

 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"gitlab.com/xx_network/comms/connect/token"
 	pb "gitlab.com/xx_network/comms/messages"
@@ -174,7 +175,11 @@ func TestWebConnection_TLS(t *testing.T) {
 			pb.RegisterGenericServer(pc.grpcServer, &TestGenericServer{resp: expectedResponse})

 			pc.ServeWithWeb()
-			err = pc.ServeHttps(httpsCertBytes, httpsKeyBytes)
+			tlsKeypair, err := tls.X509KeyPair(httpsCertBytes, httpsKeyBytes)
+			if err != nil {
+				t.Fatal(err)
+			}
+			err = pc.ServeHttps(tlsKeypair)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -209,6 +214,11 @@ func TestWebConnection_TLS(t *testing.T) {
 				t.Errorf("Did not receive expected payload")
 			}

+			_, err = h.GetServerCert()
+			if err != nil {
+				t.Errorf("Did not receive cert: %+v", err)
+			}
+
 			pc.Shutdown()
 			h.disconnect()
 			grpcHost.disconnect()
@@ -261,7 +271,11 @@ func TestServeWeb_Matchers(t *testing.T) {
 			hostParams := GetDefaultHostParams()
 			hostParams.ConnectionType = ct
 			pc.ServeWithWeb()
-			err = pc.ServeHttps(httpsCertBytes, httpsKeyBytes)
+			tlsKeypair, err := tls.X509KeyPair(httpsCertBytes, httpsKeyBytes)
+			if err != nil {
+				t.Fatal(err)
+			}
+			err = pc.ServeHttps(tlsKeypair)
 			if err != nil {
 				t.Fatal(err)
 			}

--- a/connect/grpcConn.go
+++ b/connect/grpcConn.go
 package connect

 import (
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"git.xx.network/elixxir/grpc-web-go-client/grpcweb"
@@ -40,6 +41,11 @@ func (gc *grpcConn) IsWeb() bool {
 	return false
 }

+// GetServerCert returns an error on grpc hosts
+func (gc *grpcConn) GetServerCert() (*x509.Certificate, error) {
+	return nil, errors.New("GetServerCert not implemented for GRPC hosts")
+}
+
 // connectGrpcHelper creates a connection while not under a write lock.
 // undefined behavior if the caller has not taken the write lock
 func (gc *grpcConn) connectGrpcHelper() (err error) {

--- a/connect/host.go
+++ b/connect/host.go
@@ -11,6 +11,7 @@ package connect

 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"github.com/pkg/errors"
 	jww "github.com/spf13/jwalterweatherman"
@@ -215,6 +216,13 @@ func (h *Host) IsWeb() bool {
 	return h.connection.IsWeb()
 }

+// GetServerCert returns the tls certificate from the server for web hosts
+// Note that this will return an error when used on grpc hosts, and will not
+// have a certificate ready until something has been sent over the connection.
+func (h *Host) GetServerCert() (*x509.Certificate, error) {
+	return h.connection.GetServerCert()
+}
+
 // SetMetricsTesting sets the host metrics to an arbitrary value. Used for testing
 // purposes only
 func (h *Host) SetMetricsTesting(m *Metric, face interface{}) {

--- a/connect/webConn.go
+++ b/connect/webConn.go
@@ -2,6 +2,7 @@ package connect

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/http/httptrace"
@@ -66,6 +67,11 @@ func (wc *webConn) IsWeb() bool {
 	return true
 }

+// GetServerCert returns the server tls certificate stored by the web connection
+func (wc *webConn) GetServerCert() (*x509.Certificate, error) {
+	return wc.connection.GetReceivedCertificate()
+}
+
 // connectWebHelper initializes the grpcweb ClientConn object
 // Note that until the downstream repo is fixed, this doesn't actually
 // establish a connection past creating the http object.

--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module gitlab.com/xx_network/comms
 go 1.19

 require (
-	git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221215181401-0b8a26d47532
+	git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221220161254-68bee4d4a516
 	github.com/golang/protobuf v1.5.2
 	github.com/improbable-eng/grpc-web v0.15.0
 	github.com/pkg/errors v0.9.1

--- a/go.sum
+++ b/go.sum
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221215181401-0b8a26d47532 h1:EH4TFLgXGgofV2MsUOgNDmn3X+qfhbQ2RV6zOYRaSdU=
-git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221215181401-0b8a26d47532/go.mod h1:uFKw2wmgtlYMdiIm08dM0Vj4XvX9ZKVCj71c8O7SAPo=
+git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221220131901-1a7cdcec1831 h1:PQuiXn5EDCJ20q90KSPefHJwiNWGmvuvluNF2vAWcDw=
+git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221220131901-1a7cdcec1831/go.mod h1:uFKw2wmgtlYMdiIm08dM0Vj4XvX9ZKVCj71c8O7SAPo=
+git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221220161254-68bee4d4a516 h1:Z1AimDI/+3ZZGcmkQaprDKiDn8oGmha7yyPvkDzIuMI=
+git.xx.network/elixxir/grpc-web-go-client v0.0.0-20221220161254-68bee4d4a516/go.mod h1:uFKw2wmgtlYMdiIm08dM0Vj4XvX9ZKVCj71c8O7SAPo=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=