func (v *basicTLSVerifier) hasPinned(certs []*x509.Certificate) error {
savedHash := v.shaSum
if len(savedHash) == 0 {
return nil
}
if digest := digests.Sha256(certs[0].Raw); !bytes.Equal(digest, savedHash) {
return fmt.Errorf("tls: server certificate does not match expected hash (got: %x, want: %x)", digest, savedHash)
}
return nil
}
// Matches returns true if this pin matches the given certificate
func (v *CertificatePin) Matches(cert *x509.Certificate) bool {
r := cert.Raw
var dig []byte
switch v.FingerprintType {
case "SHA1":
dig = digests.Sha1(r)
case "SHA256":
dig = digests.Sha256(r)
case "SHA3-256":
dig = digests.Sha3_256(r)
default:
return false
}
return bytes.Equal(dig, v.Fingerprint)
}
func (u *gtkUI) certificateFailedToVerifyDisplayDialog(a *account, certs []*x509.Certificate, c chan<- bool, tp, extra string) {
doInUIThread(func() {
builder := newBuilder("CertificateDialog")
var md gtki.Dialog
var message gtki.Label
var issuedToCN, issuedToO, snis, issuedToOU, serial gtki.Label
var issuedByCN, issuedByO, issuedByOU gtki.Label
var issuedOn, expiresOn gtki.Label
var sha1Fingerprint, sha256Fingerprint, sha3_256Fingerprint gtki.Label
builder.getItems(
"dialog", &md,
"message", &message,
"issuedToCnValue", &issuedToCN,
"issuedToOValue", &issuedToO,
"issuedToOUValue", &issuedToOU,
"snisValue", &snis,
"SNValue", &serial,
"issuedByCnValue", &issuedByCN,
"issuedByOValue", &issuedByO,
"issuedByOUValue", &issuedByOU,
"issuedOnValue", &issuedOn,
"expiresOnValue", &expiresOn,
"sha1FingerprintValue", &sha1Fingerprint,
"sha256FingerprintValue", &sha256Fingerprint,
"sha3_256FingerprintValue", &sha3_256Fingerprint,
)
issuedToCN.SetLabel(certs[0].Subject.CommonName)
issuedToO.SetLabel(strings.Join(certs[0].Subject.Organization, ", "))
issuedToOU.SetLabel(strings.Join(certs[0].Subject.OrganizationalUnit, ", "))
serial.SetLabel(certs[0].SerialNumber.String())
ss := certs[0].DNSNames[:]
sort.Strings(ss)
snis.SetLabel(strings.Join(ss, ", "))
issuedByCN.SetLabel(certs[0].Issuer.CommonName)
issuedByO.SetLabel(strings.Join(certs[0].Issuer.Organization, ", "))
issuedByOU.SetLabel(strings.Join(certs[0].Issuer.OrganizationalUnit, ", "))
issuedOn.SetLabel(certs[0].NotBefore.Format(time.RFC822))
expiresOn.SetLabel(certs[0].NotAfter.Format(time.RFC822))
sha1Fingerprint.SetLabel(displayChunked(digests.Sha1(certs[0].Raw)))
sha256Fingerprint.SetLabel(displayChunked(digests.Sha256(certs[0].Raw)))
sha3_256Fingerprint.SetLabel(displayChunked(digests.Sha3_256(certs[0].Raw)))
accountName := "this account"
if a != nil {
accountName = a.session.GetConfig().Account
}
md.SetTitle(strings.Replace(md.GetTitle(), "ACCOUNT_NAME", accountName, -1))
switch tp {
case "verify":
message.SetLabel(fmt.Sprintf("We couldn't verify the certificate for the connection to account %s. This can happen if the server you are connecting to doesn't use the traditional certificate hierarchies. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName))
case "hostname":
message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct, but the names for it doesn't match. We need a certificate for the name %s, but this wasn't provided. This can happen if the server is configured incorrectly or there are other reasons the proper name couldn't be used. This is very common for corporate Google accounts. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName, extra))
case "pinning":
message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct - but you have a pinning policy that requires us to ask whether you would like to continue connecting using this certificate, save it for the future, or stop connecting.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName))
}
md.SetTransientFor(u.window)
md.ShowAll()
switch gtki.ResponseType(md.Run()) {
case gtki.RESPONSE_OK:
c <- true
case gtki.RESPONSE_ACCEPT:
if a != nil {
a.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw))
u.SaveConfig()
}
c <- true
case gtki.RESPONSE_CANCEL:
if a != nil {
a.session.SetWantToBeOnline(false)
}
c <- false
default:
a.session.SetWantToBeOnline(false)
c <- false
}
md.Destroy()
})
}