API keys are now provided in config fileconfig-api-key

Also added CA cert verification for internal TLS connections.

3 files changed, 23 insertions, 32 deletions

diff --git a/src/http_auth.erl b/src/http_auth.erl
index a187e05..16d7dfa 100644
--- a/src/http_auth.erl
+++ b/src/http_auth.erl
@@ -17,24 +17,10 @@ init_key_table() ->
     read_key_table().
 
 read_key_table() ->
-    PublickeyDir = application:get_env(plop, publickey_path, none),
-    ServersACL = application:get_env(plop, allowed_servers, []),
-    ClientsACL = application:get_env(plop, allowed_clients, []),
-    Keys = sets:from_list(
-             lists:flatmap(fun ({_, Keys}) ->
-                                   case Keys of
-                                       noauth ->
-                                           [];
-                                       _ when is_list(Keys) ->
-                                           Keys
-                                   end
-                           end, ServersACL ++ ClientsACL)),
     lists:foreach(
-      fun (KeyName) ->
-              Key = sign:read_keyfile_ec(PublickeyDir ++ "/" ++
-                                             KeyName ++ ".pem"),
-              true = ets:insert(?KEY_TABLE, {KeyName, Key})
-      end, sets:to_list(Keys)),
+      fun ({KeyName, Der}) ->
+              true = ets:insert(?KEY_TABLE, {KeyName, sign:pem_entry_decode({'SubjectPublicKeyInfo', Der, []})})
+      end, application:get_env(plop, apikeys, [])),
     case application:get_env(plop, own_key, none) of
         {_OwnKeyName, OwnKeyFile} ->
             OwnKey = sign:read_keyfile_ec(OwnKeyFile),
diff --git a/src/plop_httputil.erl b/src/plop_httputil.erl
index 37e25c1..af4a5d1 100644
--- a/src/plop_httputil.erl
+++ b/src/plop_httputil.erl
@@ -59,15 +59,25 @@ verify_fun(Cert, valid_peer, UserState) ->
             {valid, UserState}
     end.
 
+read_and_verify_cacertfile(Filename) ->
+    {ok, PemBin} = file:read_file(Filename),
+    [KeyPem] = public_key:pem_decode(PemBin),
+    {'Certificate', Der, _} = KeyPem,
+    CalculatedHash = crypto:hash(sha256, Der),
+    CorrectHash = application:get_env(catlfish, https_cacert_fingerprint, none),
+    CorrectHash = CalculatedHash,
+    Der.
+
 request(DebugTag, URL, Headers, RequestBody) ->
     Starttime = os:timestamp(),
     ParsedURL = hackney_url:parse_url(URL),
     CACertFile = application:get_env(catlfish, https_cacertfile, none),
+    CACert = read_and_verify_cacertfile(CACertFile),
     #hackney_url{path = Path, host = Host} = ParsedURL,
     lager:debug("~s: sending http request to ~p",
                 [DebugTag, URL]),
     case hackney:connect(ParsedURL,
-                         [{ssl_options, [{cacertfile, CACertFile},
+                         [{ssl_options, [{cacerts, [CACert]},
                                          {verify, verify_peer},
                                          {verify_fun, {fun verify_fun/3,
                                                        [{check_hostname, Host}]}}
diff --git a/src/sign.erl b/src/sign.erl
index 2c55429..492279f 100644
--- a/src/sign.erl
+++ b/src/sign.erl
@@ -9,7 +9,7 @@
 %% API.
 -export([start_link/0, stop/0]).
 -export([sign_sct/1, sign_sth/1, get_pubkey/0, get_logid/0, verify_sth/2]).
--export([read_keyfile_ec/1]).
+-export([read_keyfile_ec/1, pem_entry_decode/1]).
 %% API for tests.
 -export([read_keyfile_rsa/2]).
 %% gen_server callbacks.
@@ -37,6 +37,9 @@ start_link() ->
 stop() ->
     call(?MODULE, stop).
 
+get_log_public_key() ->
+    Der = application:get_env(plop, log_public_key, none),
+    pem_entry_decode({'SubjectPublicKeyInfo', Der, []}).
 
 init([]) ->
     %% Read RSA keypair.
@@ -44,9 +47,8 @@ init([]) ->
     %% LogID = crypto:hash(sha256,
     %%                     public_key:der_encode('RSAPublicKey', Public_key)),
     %% Read EC keypair.
-    PubKeyfile = application:get_env(plop, log_public_key, none),
-    Public_key = read_keyfile_ec(PubKeyfile),
-    LogID = read_keyfile_ec_logid(PubKeyfile),
+    Public_key = get_log_public_key(),
+    LogID = get_logid(),
 
     case application:get_env(plop, hsm) of
         {ok, Args} ->
@@ -84,12 +86,6 @@ read_keyfile_ec(KeyFile) ->
     [KeyPem] = filter_pem_types(public_key:pem_decode(PemBin), ['ECPrivateKey', 'SubjectPublicKeyInfo']),
     decode_key(KeyPem).
 
-read_keyfile_ec_logid(KeyFile) ->
-    lager:debug("reading file ~p", [KeyFile]),
-    {ok, PemBin} = file:read_file(KeyFile),
-    [{'SubjectPublicKeyInfo', Der, _}] = filter_pem_types(public_key:pem_decode(PemBin), ['SubjectPublicKeyInfo']),
-    crypto:hash(sha256, Der).
-
 pem_entry_decode({'SubjectPublicKeyInfo', Der, _}) ->
     SPKI = public_key:der_decode('SubjectPublicKeyInfo', Der),
     {Octets, Algorithm} = plop_compat:unpack_spki(SPKI),
@@ -182,13 +178,12 @@ get_pubkey() ->
     call(?MODULE, {get, pubkey}).
 
 get_logid() ->
-    PubKeyfile = application:get_env(plop, log_public_key, none),
-    read_keyfile_ec_logid(PubKeyfile).
+    Der = application:get_env(plop, log_public_key, none),
+    crypto:hash(sha256, Der).
 
 verify_sth(STH, Signature) ->
     lager:debug("verifying ~p: ~p", [STH, Signature]),
-    PubKeyfile = application:get_env(plop, log_public_key, none),
-    PublicKey = read_keyfile_ec(PubKeyfile),
+    PublicKey = get_log_public_key(),
     public_key:verify(STH, sha256, Signature, PublicKey).
 
 encode_ec_signature(RawSignature, SignatureLength) ->