Add transport.dtlsRemoteCert

versatica · May 10, 2016 · 85e698b · 85e698b
1 parent ab72651
commit 85e698b
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 10 deletions.
diff --git a/lib/Transport.js b/lib/Transport.js
@@ -33,6 +33,7 @@ class Transport extends EventEmitter
 		//   - .type
 		//   - .protocol
 		//   - .tcpType
+		// - .iceState
 		// - .iceSelectedTuple
 		//   - .local
 		//     - .ip
@@ -42,7 +43,6 @@ class Transport extends EventEmitter
 		//     - .ip
 		//     - .port
 		//     - .protocol
-		// - .iceState
 		// - .dtlsLocalParameters
 		//   - .role
 		//   - .fingerprints
@@ -52,6 +52,7 @@ class Transport extends EventEmitter
 		//     - .sha-384
 		//     - .sha-512
 		// - .dtlsState
+		// - .dtlsRemoteCert
 		this._data = data;
 
 		// Channel instance
@@ -90,6 +91,8 @@ class Transport extends EventEmitter
 				case 'dtlsstatechange':
 				{
 					this._data.dtlsState = data.dtlsState;
+					if (data.dtlsState === 'connected')
+						this._data.dtlsRemoteCert = data.dtlsRemoteCert;
 					// Emit it to the app
 					this.emit(event, data.dtlsState);
 					break;
@@ -121,14 +124,14 @@ class Transport extends EventEmitter
 		return this._data.iceLocalCandidates;
 	}
 
-	get iceSelectedTuple()
+	get iceState()
 	{
-		return this._data.iceSelectedTuple;
+		return this._data.iceState;
 	}
 
-	get iceState()
+	get iceSelectedTuple()
 	{
-		return this._data.iceState;
+		return this._data.iceSelectedTuple;
 	}
 
 	get dtlsLocalParameters()
@@ -141,6 +144,11 @@ class Transport extends EventEmitter
 		return this._data.dtlsState;
 	}
 
+	get dtlsRemoteCert()
+	{
+		return this._data.dtlsRemoteCert;
+	}
+
 	/**
 	 * Close the Transport
 	 */

diff --git a/worker/include/RTC/DtlsTransport.h b/worker/include/RTC/DtlsTransport.h
@@ -73,7 +73,7 @@ namespace RTC
 			// DTLS has completed negotiation of a secure connection (including DTLS-SRTP
 			// and remote fingerprint verification). Outgoing media can now flow through.
 			// NOTE: The caller MUST NOT call any method during this callback.
-			virtual void onDtlsConnected(DtlsTransport* dtlsTransport, RTC::SrtpSession::Profile srtp_profile, uint8_t* srtp_local_key, size_t srtp_local_key_len, uint8_t* srtp_remote_key, size_t srtp_remote_key_len) = 0;
+			virtual void onDtlsConnected(DtlsTransport* dtlsTransport, RTC::SrtpSession::Profile srtp_profile, uint8_t* srtp_local_key, size_t srtp_local_key_len, uint8_t* srtp_remote_key, size_t srtp_remote_key_len, std::string& remoteCert) = 0;
 			// The DTLS connection has been closed as the result of an error (such as a
 			// DTLS alert or a failure to validate the remote fingerprint).
 			// NOTE: The caller MUST NOT call Close() during this callback.
@@ -159,6 +159,7 @@ namespace RTC
 		Fingerprint remoteFingerprint = { FingerprintAlgorithm::NONE, "" };
 		bool handshakeDone = false;
 		bool handshakeDoneNow = false;
+		std::string remoteCert;
 	};
 
 	/* Inline static methods. */

diff --git a/worker/include/RTC/Transport.h b/worker/include/RTC/Transport.h
@@ -95,7 +95,7 @@ namespace RTC
 	/* Pure virtual methods inherited from RTC::DtlsTransport::Listener. */
 	public:
 		virtual void onDtlsConnecting(DtlsTransport* dtlsTransport) override;
-		virtual void onDtlsConnected(DtlsTransport* dtlsTransport, RTC::SrtpSession::Profile srtp_profile, uint8_t* srtp_local_key, size_t srtp_local_key_len, uint8_t* srtp_remote_key, size_t srtp_remote_key_len) override;
+		virtual void onDtlsConnected(DtlsTransport* dtlsTransport, RTC::SrtpSession::Profile srtp_profile, uint8_t* srtp_local_key, size_t srtp_local_key_len, uint8_t* srtp_remote_key, size_t srtp_remote_key_len, std::string& remoteCert) override;
 		virtual void onDtlsFailed(DtlsTransport* dtlsTransport) override;
 		virtual void onDtlsClosed(DtlsTransport* dtlsTransport) override;
 		virtual void onOutgoingDtlsData(RTC::DtlsTransport* dtlsTransport, const uint8_t* data, size_t len) override;

diff --git a/worker/src/RTC/DtlsTransport.cpp b/worker/src/RTC/DtlsTransport.cpp
@@ -999,12 +999,15 @@ namespace RTC
 				MS_ABORT("unknown algorithm");
 		}
 
+		// Compare the remote fingerprint with the value given via signaling.
+
 		ret = X509_digest(certificate, hash_function, binary_fingerprint, &size);
-		X509_free(certificate);
 		if (ret == 0)
 		{
 			MS_ERROR("X509_digest() failed");
 
+			X509_free(certificate);
+
 			return false;
 		}
 
@@ -1019,11 +1022,48 @@ namespace RTC
 		{
 			MS_WARN("fingerprint in the remote certificate (%s) does not match the announced one (%s)", hex_fingerprint, this->remoteFingerprint.value.c_str());
 
+			X509_free(certificate);
+
 			return false;
 		}
 
 		MS_DEBUG("valid remote fingerprint");
 
+		// Get the remote certificate in PEM format.
+
+		BIO* bio = BIO_new(BIO_s_mem());
+		// Ensure the underlying BUF_MEM structure is also freed.
+		BIO_set_close(bio, BIO_CLOSE);
+
+		ret = PEM_write_bio_X509(bio, certificate);
+		if (ret != 1)
+		{
+			LOG_OPENSSL_ERROR("PEM_write_bio_X509() failed");
+
+			X509_free(certificate);
+			BIO_free(bio);
+
+			return false;
+		}
+
+		BUF_MEM* mem;
+
+		BIO_get_mem_ptr(bio, &mem);
+		if (!mem || !mem->data || !mem->length)
+		{
+			LOG_OPENSSL_ERROR("BIO_get_mem_ptr() failed");
+
+			X509_free(certificate);
+			BIO_free(bio);
+
+			return false;
+		}
+
+		this->remoteCert = std::string(mem->data, mem->length);
+
+		X509_free(certificate);
+		BIO_free(bio);
+
 		return true;
 	}
 
@@ -1072,7 +1112,7 @@ namespace RTC
 
 		// Set state and notify the listener.
 		this->state = DtlsState::CONNECTED;
-		this->listener->onDtlsConnected(this, srtp_profile, srtp_local_master_key, MS_SRTP_MASTER_LENGTH, srtp_remote_master_key, MS_SRTP_MASTER_LENGTH);
+		this->listener->onDtlsConnected(this, srtp_profile, srtp_local_master_key, MS_SRTP_MASTER_LENGTH, srtp_remote_master_key, MS_SRTP_MASTER_LENGTH, this->remoteCert);
 	}
 
 	inline

diff --git a/worker/src/RTC/Transport.cpp b/worker/src/RTC/Transport.cpp
@@ -989,12 +989,13 @@ namespace RTC
 		this->notifier->Emit(this->transportId, "dtlsstatechange", event_data);
 	}
 
-	void Transport::onDtlsConnected(RTC::DtlsTransport* dtlsTransport, RTC::SrtpSession::Profile srtp_profile, uint8_t* srtp_local_key, size_t srtp_local_key_len, uint8_t* srtp_remote_key, size_t srtp_remote_key_len)
+	void Transport::onDtlsConnected(RTC::DtlsTransport* dtlsTransport, RTC::SrtpSession::Profile srtp_profile, uint8_t* srtp_local_key, size_t srtp_local_key_len, uint8_t* srtp_remote_key, size_t srtp_remote_key_len, std::string& remoteCert)
 	{
 		MS_TRACE();
 
 		static const Json::StaticString k_dtlsState("dtlsState");
 		static const Json::StaticString v_connected("connected");
+		static const Json::StaticString k_dtlsRemoteCert("dtlsRemoteCert");
 
 		Json::Value event_data(Json::objectValue);
 
@@ -1037,6 +1038,7 @@ namespace RTC
 
 		// Notify.
 		event_data[k_dtlsState] = v_connected;
+		event_data[k_dtlsRemoteCert] = remoteCert;
 		this->notifier->Emit(this->transportId, "dtlsstatechange", event_data);
 	}