Feat/peer certificates

client.go

@@ -5,6 +5,7 @@ package coap
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"net"
@@ -322,6 +323,11 @@ func (co *ClientConn) RemoteAddr() net.Addr {
 	return co.commander.RemoteAddr()
 }
 
+// PeerCertificates implements the networkSession.PeerCertificates method.
+func (co *ClientConn) PeerCertificates() []*x509.Certificate {
+	return co.commander.PeerCertificates()
+}
+
 func (co *ClientConn) Exchange(m Message) (Message, error) {
 	return co.commander.ExchangeWithContext(context.Background(), m)
 }

clientcommander.go

@@ -3,6 +3,7 @@ package coap
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"io"
 	"io/ioutil"
 	"net"
@@ -88,6 +89,11 @@ func (cc *ClientCommander) RemoteAddr() net.Addr {
 	return cc.networkSession.RemoteAddr()
 }
 
+// PeerCertificates implements the networkSession.PeerCertificates method.
+func (cc *ClientCommander) PeerCertificates() []*x509.Certificate {
+	return cc.networkSession.PeerCertificates()
+}
+
 // Equal compare two ClientCommanders
 func (cc *ClientCommander) Equal(cc1 *ClientCommander) bool {
 	return cc.RemoteAddr().String() == cc1.RemoteAddr().String() && cc.LocalAddr().String() == cc1.LocalAddr().String()

dtls_test.go

@@ -1,7 +1,10 @@
 package coap
 
 import (
+	"context"
+	"crypto"
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
@@ -11,9 +14,11 @@ import (
 	"fmt"
 	"math/big"
 	"os"
+	"sync"
 	"testing"
 	"time"
 
+	coapNet "github.com/go-ocf/go-coap/net"
 	dtls "github.com/pion/dtls/v2"
 	"github.com/stretchr/testify/require"
 )
@@ -77,8 +82,8 @@ func pemBlockForKey(priv interface{}) *pem.Block {
 	}
 }
 
-func generateRSACertsPEM(t *testing.T) ([]byte, []byte) {
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+func generateCertsPEM(t *testing.T, generateKeyFunc func() (crypto.PrivateKey, error)) ([]byte, []byte) {
+	priv, err := generateKeyFunc()
 	if err != nil {
 		require.NoError(t, err)
 	}
@@ -99,6 +104,18 @@ func generateRSACertsPEM(t *testing.T) ([]byte, []byte) {
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}), pem.EncodeToMemory(pemBlockForKey(priv))
 }
 
+func generateRSACertsPEM(t *testing.T) ([]byte, []byte) {
+	return generateCertsPEM(t, func() (crypto.PrivateKey, error) {
+		return rsa.GenerateKey(rand.Reader, 2048)
+	})
+}
+
+func generateECDSACertsPEM(t *testing.T) ([]byte, []byte) {
+	return generateCertsPEM(t, func() (crypto.PrivateKey, error) {
+		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	})
+}
+
 func TestRSACerts(t *testing.T) {
 	cert, key := generateRSACertsPEM(t)
 	c, err := tls.X509KeyPair(cert, key)
@@ -120,3 +137,50 @@ func TestRSACerts(t *testing.T) {
 	err = s.ListenAndServe()
 	require.Error(t, err)
 }
+
+func TestECDSACerts_PeerCertificate(t *testing.T) {
+	cert, key := generateECDSACertsPEM(t)
+	c, err := tls.X509KeyPair(cert, key)
+	require.NoError(t, err)
+
+	config := dtls.Config{
+		Certificates:       []tls.Certificate{c},
+		CipherSuites:       []dtls.CipherSuiteID{dtls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8},
+		InsecureSkipVerify: true,
+		ClientAuth:         dtls.RequireAnyClientCert,
+		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			return nil
+		},
+	}
+	l, err := coapNet.NewDTLSListener("udp", ":", &config, time.Millisecond*100)
+	require.NoError(t, err)
+
+	s := &Server{
+		Net:       "udp-dtls",
+		Listener:  l,
+		KeepAlive: MustMakeKeepAlive(time.Second),
+	}
+	s.Handler = HandlerFunc(func(w ResponseWriter, r *Request) {
+		certs := r.Client.PeerCertificates()
+		require.NotEmpty(t, certs)
+		err := s.Shutdown()
+		require.NoError(t, err)
+	})
+	var wg sync.WaitGroup
+	wg.Add(1)
+	defer wg.Wait()
+	go func() {
+		defer wg.Done()
+		s.ActivateAndServe()
+	}()
+
+	conn, err := DialDTLS("udp-dtls", l.Addr().String(), &config)
+	require.NoError(t, err)
+	certs := conn.PeerCertificates()
+	require.NotEmpty(t, certs)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Millisecond*100)
+	defer cancel()
+	_, err = conn.GetWithContext(ctx, "/")
+	require.Error(t, err)
+	conn.Close()
+}

net/conn.go

@@ -34,6 +34,11 @@ func (c *Conn) LocalAddr() net.Addr {
 	return c.connection.LocalAddr()
 }
 
+// Connection returns the network connection. The Conn returned is shared by all invocations of Connection, so do not modify it.
+func (c *Conn) Connection() net.Conn {
+	return c.connection
+}
+
 // RemoteAddr returns the remote network address. The Addr returned is shared by all invocations of RemoteAddr, so do not modify it.
 func (c *Conn) RemoteAddr() net.Addr {
 	return c.connection.RemoteAddr()

networksession.go

@@ -2,6 +2,7 @@ package coap
 
 import (
 	"context"
+	"crypto/x509"
 	"net"
 )
 
@@ -12,6 +13,9 @@ type networkSession interface {
 	LocalAddr() net.Addr
 	// RemoteAddr returns the net.Addr of the client that sent the current request.
 	RemoteAddr() net.Addr
+	// PeerCertificates returns the certificate chain presented by the remote
+	// peer of the current request.
+	PeerCertificates() []*x509.Certificate
 	// WriteContextMsg writes a reply back to the client.
 	WriteMsgWithContext(ctx context.Context, resp Message) error
 	// Close closes the connection.

request.go

@@ -1,6 +1,8 @@
 package coap
 
-import "context"
+import (
+	"context"
+)
 
 type Request struct {
 	Msg      Message

sessiondtls.go

@@ -3,16 +3,19 @@ package coap
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net"
 
 	"github.com/go-ocf/go-coap/codes"
 	coapNet "github.com/go-ocf/go-coap/net"
+	dtls "github.com/pion/dtls/v2"
 )
 
 type sessionDTLS struct {
 	*sessionBase
-	connection *coapNet.Conn
+	connection       *coapNet.Conn
+	peerCertificates []*x509.Certificate
 }
 
 // newSessionDTLS create new session for DTLS connection
@@ -31,8 +34,20 @@ func newSessionDTLS(connection *coapNet.Conn, srv *Server) (networkSession, erro
 	}
 
 	s := sessionDTLS{
-		connection:  connection,
 		sessionBase: newBaseSession(BlockWiseTransfer, BlockWiseTransferSzx, srv),
+		connection:  connection,
+	}
+
+	dtlsConn := connection.Connection().(*dtls.Conn)
+	cert := dtlsConn.RemoteCertificate()
+	if len(cert) > 0 {
+		flatCerts := bytes.Join(cert, nil)
+		peerCertificates, err := x509.ParseCertificates(flatCerts)
+		if err != nil {
+			return nil, err
+		}
+
+		s.peerCertificates = peerCertificates
 	}
 
 	return &s, nil
@@ -48,6 +63,11 @@ func (s *sessionDTLS) RemoteAddr() net.Addr {
 	return s.connection.RemoteAddr()
 }
 
+// PeerCertificates implements the networkSession.PeerCertificates method.
+func (s *sessionDTLS) PeerCertificates() []*x509.Certificate {
+	return s.peerCertificates
+}
+
 // BlockWiseTransferEnabled
 func (s *sessionDTLS) blockWiseEnabled() bool {
 	return s.blockWiseTransfer

sessiontcp.go

@@ -3,6 +3,7 @@ package coap
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"sync/atomic"
@@ -55,6 +56,11 @@ func (s *sessionTCP) RemoteAddr() net.Addr {
 	return s.connection.RemoteAddr()
 }
 
+// PeerCertificates implements the networkSession.PeerCertificates method.
+func (s *sessionTCP) PeerCertificates() []*x509.Certificate {
+	return nil
+}
+
 func (s *sessionTCP) blockWiseEnabled() bool {
 	return s.blockWiseTransfer /*&& atomic.LoadUint32(&s.peerBlockWiseTransfer) != 0*/
 }

sessionudp.go

@@ -3,6 +3,7 @@ package coap
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net"
 
@@ -57,6 +58,11 @@ func (s *sessionUDP) RemoteAddr() net.Addr {
 	return s.sessionUDPData.RemoteAddr()
 }
 
+// PeerCertificates implements the networkSession.PeerCertificates method.
+func (s *sessionUDP) PeerCertificates() []*x509.Certificate {
+	return nil
+}
+
 // BlockWiseTransferEnabled
 func (s *sessionUDP) blockWiseEnabled() bool {
 	return s.blockWiseTransfer