switch to onion v3 ids

oml/node/server.py

@@ -12,18 +12,20 @@ import socket
 import socketserver
 import time
 
-from Crypto.PublicKey import RSA
-from Crypto.Util.asn1 import DerSequence
-from OpenSSL.crypto import dump_privatekey, FILETYPE_ASN1
 from OpenSSL.SSL import (
-    Context, Connection, TLSv1_2_METHOD,
-    VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE
+    Connection,
+    Context,
+    TLSv1_2_METHOD,
+    VERIFY_CLIENT_ONCE,
+    VERIFY_FAIL_IF_NO_PEER_CERT,
+    VERIFY_PEER,
 )
 
 import db
 import settings
 import state
 import user
+import utils
 from changelog import changelog_size, changelog_path
 from websocket import trigger_event
 
@@ -34,16 +36,15 @@ import logging
 logger = logging.getLogger(__name__)
 
 
-def get_service_id(key):
-    '''
-    service_id is the first half of the sha1 of the rsa public key encoded in base32
-    '''
-    # compute sha1 of public key and encode first half in base32
-    pub_der = DerSequence()
-    pub_der.decode(dump_privatekey(FILETYPE_ASN1, key))
-    public_key = RSA.construct((pub_der._seq[1], pub_der._seq[2])).exportKey('DER')[22:]
-    service_id = base64.b32encode(hashlib.sha1(public_key).digest()[:10]).lower().decode()
-    return service_id
+def get_service_id(connection):
+    certs = connection.get_peer_cert_chain()
+    for cert in certs:
+        if cert.get_signature_algorithm().decode() == "ED25519":
+            pubkey = cert.get_pubkey()
+            public_key = pubkey.to_cryptography_key().public_bytes_raw()
+            service_id = utils.get_onion(public_key)
+            return service_id
+    raise Exception("connection with invalid certificate")
 
 class TLSTCPServer(socketserver.TCPServer):
 
@@ -55,7 +56,7 @@ class TLSTCPServer(socketserver.TCPServer):
         socketserver.TCPServer.__init__(self, server_address, HandlerClass)
         ctx = Context(TLSv1_2_METHOD)
         ctx.use_privatekey_file(settings.ssl_key_path)
-        ctx.use_certificate_file(settings.ssl_cert_path)
+        ctx.use_certificate_chain_file(settings.ssl_cert_path)
         # only allow clients with cert:
         ctx.set_verify(VERIFY_PEER | VERIFY_CLIENT_ONCE | VERIFY_FAIL_IF_NO_PEER_CERT, self._accept)
         #ctx.set_verify(VERIFY_PEER | VERIFY_CLIENT_ONCE, self._accept)
@@ -111,8 +112,7 @@ class Handler(http.server.SimpleHTTPRequestHandler):
         return self.do_GET()
 
     def do_GET(self):
-        #x509 = self.connection.get_peer_certificate()
-        #user_id = get_service_id(x509.get_pubkey()) if x509 else None
+        user_id = get_service_id(self.connection)
         import item.models
         parts = self.path.split('/')
         if len(parts) == 3 and parts[1] in ('get', 'preview'):
@@ -185,8 +185,7 @@ class Handler(http.server.SimpleHTTPRequestHandler):
         self.end_headers()
 
     def _changelog(self):
-        x509 = self.connection.get_peer_certificate()
-        user_id = get_service_id(x509.get_pubkey()) if x509 else None
+        user_id = get_service_id(self.connection)
         with db.session():
             u = user.models.User.get(user_id)
             if not u:
@@ -257,8 +256,7 @@ class Handler(http.server.SimpleHTTPRequestHandler):
 
             ping            responds public ip
         '''
-        x509 = self.connection.get_peer_certificate()
-        user_id = get_service_id(x509.get_pubkey()) if x509 else None
+        user_id = get_service_id(self.connection)
 
         content = {}
         try: