From 230933ee0e4bce6ddf25e0816fff0bd30e3c8864 Mon Sep 17 00:00:00 2001
From: tjp <tjp@ctrl-c.club>
Date: Fri, 5 Jan 2024 12:19:40 -0700
Subject: TOFU certificate validation

---
 tls.go | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 tls.go

(limited to 'tls.go')

diff --git a/tls.go b/tls.go
new file mode 100644
index 0000000..22a248e
--- /dev/null
+++ b/tls.go
@@ -0,0 +1,47 @@
+package main
+
+import (
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/hex"
+	"errors"
+)
+
+func tlsConfig() *tls.Config {
+	return &tls.Config{
+		InsecureSkipVerify: true,
+		VerifyConnection:   tofuVerify,
+	}
+}
+
+var tofuStore map[string]string
+
+var ErrTOFUViolation = errors.New("certificate for this domain has changed")
+
+func tofuVerify(connState tls.ConnectionState) error {
+	certhash, err := hashCert(connState.PeerCertificates[0])
+	if err != nil {
+		return err
+	}
+
+	expected, ok := tofuStore[connState.ServerName]
+	if !ok {
+		tofuStore[connState.ServerName] = certhash
+		return saveTofuStore(tofuStore)
+	}
+
+	if certhash != expected {
+		return ErrTOFUViolation
+	}
+	return nil
+}
+
+func hashCert(cert *x509.Certificate) (string, error) {
+	pubkeybytes, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
+	if err != nil {
+		return "", err
+	}
+	hash := sha256.Sum256(pubkeybytes)
+	return hex.EncodeToString(hash[:]), nil
+}
-- 
cgit v1.2.3