Add some protections against the incorrect cert type being used

2020-08-10 10:48:00 -05:00 · 2020-08-10 10:48:00 -05:00 · 50d50f690b
parent ca05eff124
commit 50d50f690b
4 changed files with 18 additions and 7 deletions
--- a/ios/NebulaNetworkExtension/Site.swift
+++ b/ios/NebulaNetworkExtension/Site.swift
@ -362,11 +362,7 @@ struct IncomingSite: Codable {
        }
        
        proto.providerConfiguration = ["config": rawConfig]
-
-        //TODO: proto is a subclass and we should probably set some settings on the parents
-        //TODO: set these to meaningful values, or not at all
-        proto.serverAddress = "TODO"
-        proto.username = "TEST USERNAME"
+        proto.serverAddress = "Nebula"
        
        // Finish up the manager, this is what stores everything at the system level
        manager.protocolConfiguration = proto
--- a/lib/components/SiteItem.dart
+++ b/lib/components/SiteItem.dart
@ -28,7 +28,7 @@ class SiteItem extends StatelessWidget {
  Widget _buildContent(BuildContext context) {
    final border = BorderSide(color: Utils.configSectionBorder(context));
    var ip = "Error";
-    if (site.cert != null) {
+    if (site.cert != null && site.cert.cert.details.ips.length > 0) {
      ip = site.cert.cert.details.ips[0];
    }

--- a/lib/screens/siteConfig/CAListScreen.dart
+++ b/lib/screens/siteConfig/CAListScreen.dart
@ -99,12 +99,22 @@ class _CAListScreenState extends State<CAListScreen> {
    //TODO: show an error popup
    try {
      var rawCerts = await platform.invokeMethod("nebula.parseCerts", <String, String>{"certs": ca});
+      var ignored = 0;
+
      List<dynamic> certs = jsonDecode(rawCerts);
      certs.forEach((rawCert) {
        final info = CertificateInfo.fromJson(rawCert);
+        if (!info.cert.details.isCa) {
+          ignored++;
+          return;
+        }
        cas[info.cert.fingerprint] = info;
      });

+      if (ignored > 0) {
+        error = 'One or more certificates were ignored because they were not certificate authorities.';
+      }
+
      changed = true;
    } on PlatformException catch (err) {
      //TODO: fix this message
--- a/lib/screens/siteConfig/CertificateScreen.dart
+++ b/lib/screens/siteConfig/CertificateScreen.dart
@ -285,7 +285,12 @@ class _CertificateScreenState extends State<CertificateScreen> {
      var rawCerts = await platform.invokeMethod("nebula.parseCerts", <String, String>{"certs": rawCert});
      List<dynamic> certs = jsonDecode(rawCerts);
      if (certs.length > 0) {
-        cert = CertificateInfo.fromJson(certs.first);
+        var tryCert = CertificateInfo.fromJson(certs.first);
+        if (tryCert.cert.details.isCa) {
+          return callback('A certificate authority is not appropriate for a client certificate.');
+        }
+        //TODO: test that the pubkey matches the privkey
+        cert = tryCert;
      }
    } on PlatformException catch (err) {
      error = err.details ?? err.message;