From 50d50f690b7fc1b5225b815a91ceeb34502c232a Mon Sep 17 00:00:00 2001
From: Nate Brown
Date: Mon, 10 Aug 2020 10:48:00 -0500
Subject: [PATCH] Add some protections against the incorrect cert type being used
---
ios/NebulaNetworkExtension/Site.swift | 6 +-----
lib/components/SiteItem.dart | 2 +-
lib/screens/siteConfig/CAListScreen.dart | 10 ++++++++++
lib/screens/siteConfig/CertificateScreen.dart | 7 ++++++-
4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/ios/NebulaNetworkExtension/Site.swift b/ios/NebulaNetworkExtension/Site.swift
index 8adfcb8..815533b 100644
--- a/ios/NebulaNetworkExtension/Site.swift
+++ b/ios/NebulaNetworkExtension/Site.swift
@@ -362,11 +362,7 @@ struct IncomingSite: Codable {
}
proto.providerConfiguration = ["config": rawConfig]
-
- //TODO: proto is a subclass and we should probably set some settings on the parents
- //TODO: set these to meaningful values, or not at all
- proto.serverAddress = "TODO"
- proto.username = "TEST USERNAME"
+ proto.serverAddress = "Nebula"
// Finish up the manager, this is what stores everything at the system level
manager.protocolConfiguration = proto
diff --git a/lib/components/SiteItem.dart b/lib/components/SiteItem.dart
index 60150a6..8048e0f 100644
--- a/lib/components/SiteItem.dart
+++ b/lib/components/SiteItem.dart
@@ -28,7 +28,7 @@ class SiteItem extends StatelessWidget {
Widget _buildContent(BuildContext context) {
final border = BorderSide(color: Utils.configSectionBorder(context));
var ip = "Error";
- if (site.cert != null) {
+ if (site.cert != null && site.cert.cert.details.ips.length > 0) {
ip = site.cert.cert.details.ips[0];
}
diff --git a/lib/screens/siteConfig/CAListScreen.dart b/lib/screens/siteConfig/CAListScreen.dart
index 37762ec..9b236de 100644
--- a/lib/screens/siteConfig/CAListScreen.dart
+++ b/lib/screens/siteConfig/CAListScreen.dart
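Review bot: The new guard on the `if` in `_buildContent` spells the emptiness test as `ips.length > 0`, where Dart idiom is `isNotEmpty`: `if (site.cert != null && site.cert.cert.details.ips.isNotEmpty) {`. With the guard in place, a certificate that parsed but carries no IPs now falls through to the same `"Error"` placeholder that is shown when no certificate is loaded at all, so the two states are indistinguishable in the site list; a distinct fallback such as `var ip = "No IP";` assigned inside an `else` for the loaded-but-empty case would make the difference visible. `_buildContent` continues past the end of the hunk.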
@@ -99,12 +99,22 @@ class _CAListScreenState extends State {
//TODO: show an error popup
try {
var rawCerts = await platform.invokeMethod("nebula.parseCerts", {"certs": ca});
+ var ignored = 0;
+
List certs = jsonDecode(rawCerts);
certs.forEach((rawCert) {
final info = CertificateInfo.fromJson(rawCert);
+ if (!info.cert.details.isCa) {
+ ignored++;
+ return;
+ }
cas[info.cert.fingerprint] = info;
});
+ if (ignored > 0) {
+ error = 'One or more certificates were ignored because they were not certificate authorities.';
+ }
+
changed = true;
} on PlatformException catch (err) {
//TODO: fix this message
diff --git a/lib/screens/siteConfig/CertificateScreen.dart b/lib/screens/siteConfig/CertificateScreen.dart
index 9ef3403..1e19767 100644
--- a/lib/screens/siteConfig/CertificateScreen.dart
+++ b/lib/screens/siteConfig/CertificateScreen.dart
@@ -285,7 +285,12 @@ class _CertificateScreenState extends State {
var rawCerts = await platform.invokeMethod("nebula.parseCerts", {"certs": rawCert});
List certs = jsonDecode(rawCerts);
if (certs.length > 0) {
- cert = CertificateInfo.fromJson(certs.first);
+ var tryCert = CertificateInfo.fromJson(certs.first);
+ if (tryCert.cert.details.isCa) {
+ return callback('A certificate authority is not appropriate for a client certificate.');
+ }
+ //TODO: test that the pubkey matches the privkey
+ cert = tryCert;
}
} on PlatformException catch (err) {
error = err.details ?? err.message;
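Review bot: `changed = true` at the bottom of the try block is still set unconditionally, so pasting a blob that contains only non-CA certificates marks the site as modified even though `cas` did not change, and the message assigned to `error` drops the count that `ignored` already tracks. I would count what was actually added, only flag `changed` when that count is positive, and put the count in the message; the `forEach` closure also becomes a plain `for` loop, which is what Effective Dart recommends over a closure with `return` used as `continue`. Separately, `isCa` is the only property checked here: if `nebula.parseCerts` only parses, as its name suggests, an expired CA or one whose self-signature does not verify still lands in `cas`, so it is worth confirming what the platform side validates and rejecting those here if it does not. The enclosing method starts before and ends after this hunk.
```dart
      var ignored = 0;
      var added = 0;

      List certs = jsonDecode(rawCerts);
      for (final rawCert in certs) {
        final info = CertificateInfo.fromJson(rawCert);
        if (!info.cert.details.isCa) {
          ignored++;
          continue;
        }
        cas[info.cert.fingerprint] = info;
        added++;
      }

      if (ignored > 0) {
        error = '$ignored certificate(s) were ignored because they were not certificate authorities.';
      }

      if (added > 0) {
        changed = true;
      }
      // … unchanged: PlatformException handler …
```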
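Review bot: The new CA rejection inside the `certs.length > 0` branch reports through `return callback(...)`, while the `PlatformException` path two lines below reports through `error = ...`, and nothing in the hunk shows that both reach the user the same way; unless `callback` is known to display the string, `error = 'A certificate authority is not appropriate for a client certificate.';` followed by the existing flow keeps one channel for every failure. A pasted blob holding more than one certificate still silently uses `certs.first`, unlike CAListScreen in this same commit which at least reports ignored entries, so `if (certs.length > 1) { error = 'Only the first certificate was used.'; }` (or a rejection) would close that gap. The `//TODO: test that the pubkey matches the privkey` line leaves the most consequential check open: a certificate whose public key does not match the stored private key is accepted here and presumably only fails later when the tunnel is brought up, so if `nebula.parseCerts` cannot report this, a dedicated platform check before `cert = tryCert;` is worth adding. Prefer `certs.isNotEmpty` over `certs.length > 0`. The enclosing method starts before and ends after this hunk.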