diff --git a/src/main/java/org/openautonomousconnection/protocol/packets/v1_0_0/beta/AuthPacket.java b/src/main/java/org/openautonomousconnection/protocol/packets/v1_0_0/beta/AuthPacket.java
index e2a5d2d..6c9d3ee 100644
--- a/src/main/java/org/openautonomousconnection/protocol/packets/v1_0_0/beta/AuthPacket.java
+++ b/src/main/java/org/openautonomousconnection/protocol/packets/v1_0_0/beta/AuthPacket.java
@@ -13,7 +13,6 @@ import org.openautonomousconnection.protocol.side.server.CustomConnectedClient;
 import org.openautonomousconnection.protocol.side.server.events.S_CustomClientConnectedEvent;
 import org.openautonomousconnection.protocol.versions.ProtocolVersion;
 import org.openautonomousconnection.protocol.versions.v1_0_0.beta.INSResponseStatus;
-import org.openautonomousconnection.protocol.versions.v1_0_0.beta.TOFUFeedback;
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
@@ -140,10 +139,10 @@ public final class AuthPacket extends OACPacket {
 try {
 if (!protocolBridge.isVersionSupported(serverVersion)) {
 setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
- if (protocolBridge.getProtocolClient() != null
- && protocolBridge.getProtocolClient().getClientINSConnection() != null) {
+ if (protocolBridge.getProtocolClient() != null && protocolBridge.getProtocolClient().getClientINSConnection() != null) {
 protocolBridge.getProtocolClient().getClientINSConnection().disconnect();
 }
+ return;
 }
@@ -152,15 +151,9 @@ public final class AuthPacket extends OACPacket {
 String caPrefix = objectInputStream.readUTF();
 String caPem = objectInputStream.readUTF();
- if (!caPrefix.matches("^[a-zA-Z0-9_-]+$")) {
- setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
- return;
- }
-
 if (caPem.equalsIgnoreCase("N/A")) {
 setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
 } else {
-
 byte[] caBytes = caPem.getBytes(java.nio.charset.StandardCharsets.UTF_8);
 java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256");
 String fp = java.util.HexFormat.of().formatHex(md.digest(caBytes));
@@ -176,24 +169,20 @@ public final class AuthPacket extends OACPacket {
 if (fpFile.exists()) {
 String existing = FileUtils.readFileFull(fpFile).trim();
- TOFUFeedback feedback = protocolBridge.getProtocolClient().insFingerprintChanged(existing, fp);
- if (feedback == TOFUFeedback.DISCONNECT) {
+ if (!protocolBridge.getProtocolClient().trustNewINSFingerprint(existing, fp)) {
 setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
 protocolBridge.getProtocolClient().getClientINSConnection().disconnect();
 return;
- }
- if (feedback == TOFUFeedback.TRUST) {
+ } else {
 FileUtils.writeFile(fpFile, fp + System.lineSeparator());
 allowWritePem = true;
 }
 } else {
- TOFUFeedback feedback = protocolBridge.getProtocolClient().trustINS(fp);
- if (feedback == TOFUFeedback.DISCONNECT) {
+ if (protocolBridge.getProtocolClient().trustINS(fp)) {
 setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
 protocolBridge.getProtocolClient().getClientINSConnection().disconnect();
 return;
- }
- if (feedback == TOFUFeedback.TRUST) {
+ } else {
 FileUtils.writeFile(fpFile, fp + System.lineSeparator());
 allowWritePem = true;
 }
diff --git a/src/main/java/org/openautonomousconnection/protocol/side/client/ProtocolClient.java b/src/main/java/org/openautonomousconnection/protocol/side/client/ProtocolClient.java
index a5fd567..e543927 100644
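Review bot: The removed `caPrefix` check was the only validation of a value read straight off the stream at the top of this hunk, and nothing on the new side replaces it; if `caPrefix` still feeds the fingerprint file path (`fpFile`, used in the next hunk — its construction lies outside the visible hunks), a peer-supplied prefix containing characters outside `[a-zA-Z0-9_-]`, such as path separators, now reaches the filesystem unchecked. Unless the prefix is validated earlier in the method, I would keep the guard: `if (!caPrefix.matches("^[a-zA-Z0-9_-]+$")) { setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED); return; }`. The enclosing method starts before and ends after this hunk.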
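Review bot: In the first-use branch, `if (protocolBridge.getProtocolClient().trustINS(fp))` now fails authentication and disconnects exactly when the client answers `true`, which the new Javadoc on `trustINS` defines as "allow the connection", while a `false` answer falls into the `else` that writes the fingerprint file and sets `allowWritePem` — the old mapping (DISCONNECT → disconnect, TRUST → write) has been inverted, so an explicitly distrusted CA gets pinned. The sibling branch above negates `trustNewINSFingerprint(...)`, and this one should match: `if (!protocolBridge.getProtocolClient().trustINS(fp)) {`. Separately, as far as the hunk shows, `trustNewINSFingerprint(existing, fp)` is called whenever a fingerprint file exists, with no comparison of `existing` and `fp` first, which contradicts the method's Javadoc ("does not match"); if that is not handled elsewhere, `if (!existing.equals(fp) && !protocolBridge.getProtocolClient().trustNewINSFingerprint(existing, fp)) {` would make the callback fire only on an actual change. The enclosing method starts before and ends after this hunk.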
--- a/src/main/java/org/openautonomousconnection/protocol/side/client/ProtocolClient.java
+++ b/src/main/java/org/openautonomousconnection/protocol/side/client/ProtocolClient.java
@@ -16,7 +16,6 @@ import org.openautonomousconnection.protocol.versions.ProtocolVersion;
 import org.openautonomousconnection.protocol.versions.v1_0_0.beta.INSRecord;
 import org.openautonomousconnection.protocol.versions.v1_0_0.beta.INSRecordType;
 import org.openautonomousconnection.protocol.versions.v1_0_0.beta.INSResponseStatus;
-import org.openautonomousconnection.protocol.versions.v1_0_0.beta.TOFUFeedback;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -325,9 +324,22 @@ public abstract class ProtocolClient extends EventListener {
 public void onQuerySent(String tln, String name, String sub, INSRecordType type) { }
- public abstract TOFUFeedback trustINS(String caFingerprint);
+ /**
+ * Called when no stored INS fingerprint exists yet (trust-on-first-use).
+ *
+ * @param caFingerprint received fingerprint of the INS CA certificate
+ * @return {@code true} to allow the connection; {@code false} to reject it
+ */
+ public abstract boolean trustINS(String caFingerprint);
- public abstract TOFUFeedback insFingerprintChanged(String oldCAFingerprint, String newCAFingerprint);
+ /**
+ * Called when a stored INS fingerprint does not match the received one.
+ *
+ * @param oldCAFingerprint previously stored fingerprint
+ * @param newCAFingerprint received fingerprint of the INS CA certificate
+ * @return {@code true} to accept the new fingerprint; {@code false} to reject it
+ */
+ public abstract boolean trustNewINSFingerprint(String oldCAFingerprint, String newCAFingerprint);
 public static final class ClientCertificateFolderStructure {
 public final File certificatesFolder;
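Review bot: The new Javadoc on `trustINS` and `trustNewINSFingerprint` states the return contract but not the consequence of each answer, which is what an implementer of a trust-on-first-use callback most needs: in AuthPacket the accepting answer causes the fingerprint to be written to the fingerprint file and handed back as the stored value on later connections, and the rejecting answer sets RESPONSE_AUTH_FAILED and disconnects the INS connection. I would add a sentence to each, e.g. `Accepting persists the fingerprint for future comparisons; rejecting closes the INS connection and fails authentication.` The `@param` entries could also state the format — from AuthPacket it is the hex-encoded SHA-256 digest of the received CA PEM bytes — so implementations know what they are displaying or comparing. Both methods are abstract, and the class body continues outside the hunk.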
diff --git a/src/main/java/org/openautonomousconnection/protocol/versions/v1_0_0/beta/TOFUFeedback.java b/src/main/java/org/openautonomousconnection/protocol/versions/v1_0_0/beta/TOFUFeedback.java
deleted file mode 100644
index e23c54f..0000000
--- a/src/main/java/org/openautonomousconnection/protocol/versions/v1_0_0/beta/TOFUFeedback.java
+++ /dev/null
@@ -1,7 +0,0 @@
-package org.openautonomousconnection.protocol.versions.v1_0_0.beta;
-
-public enum TOFUFeedback {
-
- TRUST, DISCONNECT
-
-}