Finish up support for certfp

Author: Half-Shot

src/bridge/AdminRoomHandler.ts

@@ -28,6 +28,7 @@ import { getBridgeVersion } from "matrix-appservice-bridge";
 import { Provisioner } from "../provisioning/Provisioner";
 import { IrcProvisioningError } from "../provisioning/Schema";
 import { validateChannelName } from "../models/IrcRoom";
+import { X509Certificate, createPrivateKey } from "node:crypto";
 
 const log = logging("AdminRoomHandler");
 
@@ -61,6 +62,33 @@ export function parseCommandFromEvent(event: { content?: { body?: unknown }}, pr
     return { cmd, args };
 }
 
+
+
+export function getKeyPairFromString(keypairString: string) {
+    const keyStart = keypairString.indexOf('-----BEGIN PRIVATE KEY-----');
+    const keyEnd = keypairString.indexOf('-----END PRIVATE KEY-----');
+    const certStart = keypairString.indexOf('-----BEGIN CERTIFICATE-----');
+    const certEnd = keypairString.indexOf('-----END CERTIFICATE-----');
+    if (certStart === -1) {
+        throw Error('Missing BEGIN CERTIFICATE');
+    }
+    if (certEnd === -1) {
+        throw Error('Missing END CERTIFICATE');
+    }
+    if (keyStart === -1) {
+        throw Error('Missing BEGIN PRIVATE KEY');
+    }
+    if (keyEnd === -1) {
+        throw Error('Missing END PRIVATE KEY');
+    }
+    const certStr = keypairString.slice(certStart, certEnd + '-----END CERTIFICATE-----'.length);
+    const privateKeyStr = keypairString.slice(keyStart, keyEnd + '-----END CERTIFICATE-----'.length);
+    const privateKey = createPrivateKey(privateKeyStr);
+    const cert = new X509Certificate(certStr);
+    return { cert, privateKey };
+
+}
+
 // This is just a length to avoid silly long usernames
 const SANE_USERNAME_LENGTH = 64;
 
@@ -75,6 +103,8 @@ const SANE_USERNAME_LENGTH = 64;
 // (0x00 to 0x1F, plus DEL (0x7F)), as they are most likely mistakes.
 const SASL_USERNAME_INVALID_CHARS_PATTERN = /[\x00-\x20\x7F]+/; // eslint-disable-line
 
+const CERT_FP_TIMEOUT_MS = 90 * 1000;
+
 interface Command {
     example: string;
     summary: string;
@@ -87,6 +117,10 @@ interface Heading {
 
 const COMMANDS: {[command: string]: Command|Heading} = {
     'Actions': { heading: true },
+    "certfp": {
+        example: `!certfp [irc.example.net]`,
+        summary: `Store a certificate for authenticating with the remote network`,
+    },
     "cmd": {
         example: `!cmd [irc.example.net] COMMAND [arg0 [arg1 [...]]]`,
         summary: "Issue a raw IRC command. These will not produce a reply." +
@@ -166,19 +200,28 @@ class ServerRequiredError extends Error {
 const USER_FEATURES = ["mentions"];
 export class AdminRoomHandler {
     private readonly botUser: MatrixUser;
+    private readonly roomIdsExpectingCertFp = new Map<string, (certificate: string) => void>();
     constructor(private ircBridge: IrcBridge, private matrixHandler: MatrixHandler) {
         this.botUser = new MatrixUser(ircBridge.appServiceUserId, undefined, false);
     }
 
     public async onAdminMessage(req: BridgeRequest, event: MatrixSimpleMessage, adminRoom: MatrixRoom) {
         req.log.info("Handling admin command from %s", event.sender);
+
+        const certFpFunction = this.roomIdsExpectingCertFp.get(adminRoom.roomId);
+        if (certFpFunction) {
+            this.roomIdsExpectingCertFp.delete(adminRoom.roomId);
+            certFpFunction(event.content.body);
+            return;
+        }
+
         const parseResult = parseCommandFromEvent(event);
         let response: MatrixAction|void;
         if (parseResult) {
             const { cmd, args } = parseResult;
 
             try {
-                response = await this.handleCommand(cmd, args, req, event);
+                response = await this.handleCommand(cmd, args, req, event, adminRoom);
             }
             catch (err) {
                 if (err instanceof ServerRequiredError) {
@@ -203,7 +246,9 @@ export class AdminRoomHandler {
         }
     }
 
-    private async handleCommand(cmd: string, args: string[], req: BridgeRequest, event: MatrixSimpleMessage) {
+    private async handleCommand(
+        cmd: string, args: string[], req: BridgeRequest, event: MatrixSimpleMessage, adminRoom: MatrixRoom
+    ) {
         const userPermission = this.getUserPermission(event.sender);
         const requiredPermission = (COMMANDS[cmd] as Command|undefined)?.requiresPermission;
         if (requiredPermission && requiredPermission > userPermission) {
@@ -216,6 +261,8 @@ export class AdminRoomHandler {
                 return new MatrixAction(ActionType.Notice, "You have been marked as active by the bridge");
             case "join":
                 return await this.handleJoin(req, args, event.sender);
+            case "certfp":
+                return await this.handleCertfp(req, args, event.sender, adminRoom);
             case "cmd":
                 return await this.handleCmd(req, args, event.sender);
             case "whois":
@@ -252,6 +299,106 @@ export class AdminRoomHandler {
         }
     }
 
+    private async getOrCreateClientConfig(userId: string, server: IrcServer) {
+        const store = this.ircBridge.getStore();
+        const config = await store.getIrcClientConfig(userId, server.domain);
+        if (config) {
+            return config;
+        }
+        return IrcClientConfig.newConfig(
+            new MatrixUser(userId), server.domain
+        );
+    }
+
+    private async handleCertfp(
+        req: BridgeRequest, args: string[], sender: string, adminRoom: MatrixRoom): Promise<MatrixAction> {
+        const server = this.extractServerFromArgs(args);
+        req.log.info(`${sender} is attempting to store a cert for ${server.domain}`);
+        await this.ircBridge.sendMatrixAction(
+            adminRoom, this.botUser, new MatrixAction(
+                ActionType.Notice, `Please enter your certificate and private key (without formatting) for ${server.getReadableName()}.`
+            )
+        );
+        let certfp: string;
+        try {
+            certfp = await new Promise<string>((res, reject) => {
+                this.roomIdsExpectingCertFp.set(adminRoom.roomId, res)
+                setTimeout(() => {
+                    reject(new Error('Timeout'));
+                }, CERT_FP_TIMEOUT_MS);
+            });
+        }
+        catch (ex) {
+            return new MatrixAction(
+                ActionType.Notice, 'Timed out waiting for certificate',
+            );
+        }
+        finally {
+            this.roomIdsExpectingCertFp.delete(adminRoom.roomId);
+        }
+        let privateKey, cert;
+        try {
+            const pair = getKeyPairFromString(certfp);
+            privateKey = pair.privateKey;
+            cert = pair.cert;
+        }
+        catch (ex) {
+            return new MatrixAction(
+                ActionType.Notice, `Could not parse keypair: ${ex.message}`,
+            );
+        }
+        if (!cert.checkPrivateKey(privateKey)) {
+            return new MatrixAction(
+                ActionType.Notice, 'Public cert does not belong to private key.',
+            );
+        }
+        const now = new Date();
+        try {
+            const validFrom = new Date(cert.validFrom);
+            const validTo = new Date(cert.validTo);
+
+            if (isNaN(validFrom.getTime())) {
+                return new MatrixAction(
+                    ActionType.Notice, 'Certificate validFrom was invalid.',
+                );
+            }
+            if (isNaN(validTo.getTime())) {
+                return new MatrixAction(
+                    ActionType.Notice, 'Certificate validFrom was invalid.',
+                );
+            }
+
+            if (validFrom > now) {
+                return new MatrixAction(
+                    ActionType.Notice, 'Certificate is not valid yet.',
+                );
+            }
+            if (now > validTo) {
+                return new MatrixAction(
+                    ActionType.Notice, 'Certificate has expired.',
+                );
+            }
+        }
+        catch (ex) {
+            return new MatrixAction(
+                ActionType.Notice, 'Could not parse validFrom / validTo dates.',
+            );
+        }
+
+        const clientConfig = await this.getOrCreateClientConfig(sender, server);
+        clientConfig.setCertificate({
+            cert: cert.toString(),
+            key: privateKey.export({type: 'pkcs8', format: 'pem'}).toString(),
+        });
+        await this.ircBridge.getStore().storeIrcClientConfig(clientConfig);
+
+
+        return new MatrixAction(
+            ActionType.Notice,
+            `Successfully stored certificate for ${server.domain}. Use !reconnect to use this cert.`
+        );
+    }
+
     private async handlePlumb(args: string[], sender: string) {
         const [matrixRoomId, serverDomain, ircChannel] = args;
         const server = serverDomain && this.ircBridge.getServer(serverDomain);
@@ -557,12 +704,7 @@ export class AdminRoomHandler {
                 );
             }
             else {
-                let config = await store.getIrcClientConfig(userId, server.domain);
-                if (!config) {
-                    config = IrcClientConfig.newConfig(
-                        new MatrixUser(userId), server.domain
-                    );
-                }
+                const config = await this.getOrCreateClientConfig(userId, server);
                 config.setUsername(username);
                 await this.ircBridge.getStore().storeIrcClientConfig(config);
                 notice = new MatrixAction(

src/datastore/postgres/PgDataStore.ts

@@ -30,7 +30,7 @@ import {
 import { DataStore, RoomOrigin, ChannelMappings, UserFeatures } from "../DataStore";
 import { MatrixDirectoryVisibility } from "../../bridge/IrcHandler";
 import { IrcRoom } from "../../models/IrcRoom";
-import { IrcClientConfig } from "../../models/IrcClientConfig";
+import { IrcClientConfig, IrcClientConfigSeralized } from "../../models/IrcClientConfig";
 import { IrcServer, IrcServerConfig } from "../../irc/IrcServer";
 
 import { getLogger } from "../../logging";
@@ -504,7 +504,12 @@ export class PgDataStore implements DataStore, ProvisioningStore {
     }
 
     public async getIrcClientConfig(userId: string, domain: string): Promise<IrcClientConfig | null> {
-        const res = await this.pgPool.query(
+        const res = await this.pgPool.query<{
+            config: IrcClientConfigSeralized,
+            password: string,
+            cert: string,
+            key: string,
+        }>(
             "SELECT config, password, cert, key FROM client_config WHERE user_id = $1 and domain = $2",
             [
                 userId,
@@ -528,17 +533,15 @@ export class PgDataStore implements DataStore, ProvisioningStore {
             cert: row.cert,
             key: row.key,
         };
-        // TODO: Testing
-        if (row.cert && row.key && this.cryptoStore) {
-            // NOT fatal, but really worrying.
+        const cryptoStore = this.cryptoStore;
+        if (row.key && cryptoStore) {
             try {
-                config.certificate = {
-                    cert: this.cryptoStore.decrypt(row.cert),
-                    key:  this.cryptoStore.decrypt(row.key)
-                };
+                const keyParts = row.key.split(',').map(v => cryptoStore.decrypt(v));
+                config.certificate.key = `-----BEGIN PRIVATE KEY-----\n${keyParts.join('')}-----END PRIVATE KEY-----\n`;
+                console.log(keyParts);
             }
             catch (ex) {
-                log.warn(`Failed to decrypt certificate for ${userId} ${domain}`, ex);
+                log.warn(`Failed to decrypt TLS key for ${userId} ${domain}`, ex);
             }
         }
         return new IrcClientConfig(userId, domain, config);
@@ -553,23 +556,36 @@ export class PgDataStore implements DataStore, ProvisioningStore {
         // We need to make sure we have a matrix user in the store.
         await this.pgPool.query("INSERT INTO matrix_users VALUES ($1, NULL) ON CONFLICT DO NOTHING", [userId]);
         let password = config.getPassword();
-        const cert: {cert?: string, key?: string} = { };
+        const keypair: {cert?: string, key?: string} = { };
 
         // This implies without a cryptostore these will be stored plain.
         if (password && this.cryptoStore) {
             password = this.cryptoStore.encrypt(password);
         }
+
+
         if (config.certificate && this.cryptoStore) {
-            cert.cert = this.cryptoStore.encrypt(config.certificate.cert);
-            cert.key = this.cryptoStore.encrypt(config.certificate.key);
+            keypair.cert = config.certificate.cert;
+            const cryptoParts = [];
+            let key = config.certificate.key;
+            // We can't store these as our encryption system doesn't support spaces.
+            key = key.replace('-----BEGIN PRIVATE KEY-----\n', '').replace('-----END PRIVATE KEY-----\n', '');
+            while (key.length > 0) {
+                const part = key.slice(0, 64);
+                console.log(part);
+                cryptoParts.push(this.cryptoStore.encrypt(part));
+                key = key.slice(64);
+            }
+            keypair.key = cryptoParts.join(',');
+            console.log(cryptoParts);
         }
         const parameters = {
             user_id: userId,
             domain: config.getDomain(),
             // either use the decrypted password, or whatever is stored already.
             password,
-            cert: cert?.cert,
-            key: cert?.key,
+            cert: keypair.cert,
+            key: keypair.key,
             config: JSON.stringify(config.serialize(true)),
         };
         const statement = PgDataStore.BuildUpsertStatement(

src/irc/ConnectionInstance.ts

@@ -422,8 +422,6 @@ export class ConnectionInstance {
             saslType = "EXTERNAL";
         }
 
-        console.log("secure:", secure, saslType);
-
         const connectionOpts: IrcClientOpts = {
             userName: opts.username,
             realName: opts.realname,
@@ -439,12 +437,15 @@ export class ConnectionInstance {
             retryCount: 0,
             family: (server.getIpv6Prefix() || server.getIpv6Only() ? 6 : null) as 6|null,
             bustRfc3484: true,
-            sasl: opts.password ? server.useSasl() : false,
+            sasl: saslType ? server.useSasl() : false,
             saslType: saslType,
             secure: secure,
             encodingFallback: opts.encodingFallback,
+            debug: true,
         };
 
+        console.log(connectionOpts);
+
 
         // Returns: A promise which resolves to a ConnectionInstance
         const retryConnection = async () => {

src/models/IrcClientConfig.ts

@@ -16,13 +16,15 @@ limitations under the License.
 
 import { MatrixUser } from "matrix-appservice-bridge";
 
+export interface IrcClientCertKeypair {
+    cert: string;
+    key: string;
+}
+
 export interface IrcClientConfigSeralized {
     username?: string;
     password?: string;
-    certificate?: {
-        key: string;
-        cert: string;
-    };
+    certificate?: IrcClientCertKeypair;
     nick?: string;
     ipv6?: string;
 }
@@ -70,11 +72,11 @@ export class IrcClientConfig {
         return this.config.password;
     }
 
-    public setCertificate(certificate: {cert: string, key: string}) {
-        this.config.certificate = certificate;
+    public setCertificate(keypair: IrcClientCertKeypair) {
+        this.config.certificate = keypair;
     }
 
-    public get certificate(): {cert: string, key: string}|undefined {
+    public get certificate(): IrcClientCertKeypair|undefined {
         return this.config.certificate;
     }
 
@@ -94,10 +96,11 @@ export class IrcClientConfig {
         return this.config.ipv6;
     }
 
-    public serialize(removePassword = false) {
+    public serialize(removePassword = false): IrcClientConfigSeralized {
         if (removePassword) {
-            const clone = JSON.parse(JSON.stringify(this.config));
+            const clone: IrcClientConfigSeralized = JSON.parse(JSON.stringify(this.config));
             delete clone.password;
+            delete clone.certificate;
             return clone;
         }
         return this.config;