feat: enable TLS cert verification extensions (#425)

Author: fortuna

transport/tls/stream_dialer.go

@@ -84,16 +84,25 @@ func normalizeHost(host string) string {
 	return strings.ToLower(host)
 }
 
-// ClientConfig encodes the parameters for a TLS client connection.
+// ClientConfig holds configuration parameters used for establishing a TLS client connection.
 type ClientConfig struct {
-	// The host name for the Server Name Indication (SNI).
+	// ServerName specifies the hostname sent for Server Name Indication (SNI).
+	// This is often the same as the dialed hostname but can be overridden using [WithSNI].
 	ServerName string
-	// The hostname to use for certificate validation.
-	CertificateName string
-	// The protocol id list for protocol negotiation (ALPN).
+
+	// NextProtos lists the application-layer protocols (e.g., "h2", "http/1.1")
+	// supported by the client for Application-Layer Protocol Negotiation (ALPN).
+	// See [WithALPN].
 	NextProtos []string
-	// The cache for sessin resumption.
+
+	// SessionCache enables TLS session resumption by providing a cache for session tickets.
+	// If nil, session resumption is disabled. See [WithSessionCache].
 	SessionCache tls.ClientSessionCache
+
+	// CertVerifier specifies a custom verifier for the peer's certificate chain.
+	// If nil, [StandardCertVerifier] is used by default, validating against the dialed
+	// server name. See [WithCertVerifier].
+	CertVerifier CertVerifier
 }
 
 // toStdConfig creates a [tls.Config] based on the configured parameters.
@@ -106,33 +115,25 @@ func (cfg *ClientConfig) toStdConfig() *tls.Config {
 		// replacing. This will not disable VerifyConnection.
 		InsecureSkipVerify: true,
 		VerifyConnection: func(cs tls.ConnectionState) error {
-			// This replicates the logic in the standard library verification:
-			// https://cs.opensource.google/go/go/+/master:src/crypto/tls/handshake_client.go;l=982;drc=b5f87b5407916c4049a3158cc944cebfd7a883a9
-			// And the documentation example:
-			// https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
-			opts := x509.VerifyOptions{
-				DNSName:       cfg.CertificateName,
-				Intermediates: x509.NewCertPool(),
-			}
-			for _, cert := range cs.PeerCertificates[1:] {
-				opts.Intermediates.AddCert(cert)
-			}
-			_, err := cs.PeerCertificates[0].Verify(opts)
-			return err
+			return cfg.CertVerifier.VerifyCertificate(&CertVerificationContext{
+				PeerCertificates: cs.PeerCertificates,
+			})
 		},
 	}
 }
 
-// ClientOption allows configuring the parameters to be used for a client TLS connection.
-type ClientOption func(serverName string, config *ClientConfig)
-
 // WrapConn wraps a [transport.StreamConn] in a TLS connection.
 func WrapConn(ctx context.Context, conn transport.StreamConn, serverName string, options ...ClientOption) (transport.StreamConn, error) {
-	cfg := ClientConfig{ServerName: serverName, CertificateName: serverName}
+	cfg := ClientConfig{ServerName: serverName}
 	normName := normalizeHost(serverName)
 	for _, option := range options {
 		option(normName, &cfg)
 	}
+	if cfg.CertVerifier == nil {
+		// If CertVerifier is not provided, use the default verification logic,
+		// which validates the peer certificate against the provided serverName.
+		cfg.CertVerifier = &StandardCertVerifier{CertificateName: serverName}
+	}
 	tlsConn := tls.Client(conn, cfg.toStdConfig())
 	err := tlsConn.HandshakeContext(ctx)
 	if err != nil {
@@ -181,10 +182,60 @@ func WithSessionCache(sessionCache tls.ClientSessionCache) ClientOption {
 	}
 }
 
-// WithCertificateName sets the hostname to be used for the certificate cerification.
-// If absent, defaults to the dialed hostname.
-func WithCertificateName(hostname string) ClientOption {
+// WithCertVerifier sets the verifier to be used for the certificate verification.
+func WithCertVerifier(verifier CertVerifier) ClientOption {
 	return func(_ string, config *ClientConfig) {
-		config.CertificateName = hostname
+		config.CertVerifier = verifier
 	}
 }
+
+// CertVerificationContext provides connection-time context for the certificate verification.
+type CertVerificationContext struct {
+	// PeerCertificates are the parsed certificates sent by the peer, in the
+	// order in which they were sent. The first element is the leaf certificate
+	// that the connection is verified against.
+	//
+	// On the client side, it can't be empty. On the server side, it can be
+	// empty if Config.ClientAuth is not RequireAnyClientCert or
+	// RequireAndVerifyClientCert.
+	//
+	// PeerCertificates and its contents should not be modified.
+	PeerCertificates []*x509.Certificate
+}
+
+// CertVerifier verifies peer certificates for TLS connections.
+type CertVerifier interface {
+	// VerifyCertificate verified a peer certificate given the context.
+	VerifyCertificate(info *CertVerificationContext) error
+}
+
+// StandardCertVerifier implements [CertVerifier] using standard TLS certificate chain verification.
+type StandardCertVerifier struct {
+	// CertificateName specifies the expected DNS name (or IP address) against which
+	// the peer's leaf certificate is verified.
+	CertificateName string
+	// Roots contains the set of trusted root certificate authorities.
+	// If nil, the host's default root CAs are used for certificate chain validation.
+	Roots *x509.CertPool
+}
+
+// VerifyCertificate implements [CertVerifier].
+func (v *StandardCertVerifier) VerifyCertificate(certContext *CertVerificationContext) error {
+	// This replicates the logic in the standard library verification:
+	// https://cs.opensource.google/go/go/+/master:src/crypto/tls/handshake_client.go;l=982;drc=b5f87b5407916c4049a3158cc944cebfd7a883a9
+	// And the documentation example:
+	// https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
+	opts := x509.VerifyOptions{
+		DNSName:       v.CertificateName,
+		Roots:         v.Roots,
+		Intermediates: x509.NewCertPool(),
+	}
+	for _, cert := range certContext.PeerCertificates[1:] {
+		opts.Intermediates.AddCert(cert)
+	}
+	_, err := certContext.PeerCertificates[0].Verify(opts)
+	return err
+}
+
+// ClientOption allows configuring the parameters to be used for a client TLS connection.
+type ClientOption func(serverName string, config *ClientConfig)

transport/tls/stream_dialer_test.go

@@ -16,8 +16,15 @@ package tls
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"net"
 	"testing"
+	"time"
 
 	"github.com/Jigsaw-Code/outline-sdk/transport"
 	"github.com/stretchr/testify/require"
@@ -77,7 +84,7 @@ func TestIP(t *testing.T) {
 }
 
 func TestIPOverride(t *testing.T) {
-	sd, err := NewStreamDialer(&transport.TCPDialer{}, WithCertificateName("8.8.8.8"))
+	sd, err := NewStreamDialer(&transport.TCPDialer{}, WithCertVerifier(&StandardCertVerifier{CertificateName: "8.8.8.8"}))
 	require.NoError(t, err)
 	conn, err := sd.DialStream(context.Background(), "dns.google:443")
 	require.NoError(t, err)
@@ -101,7 +108,7 @@ func TestNoSNI(t *testing.T) {
 }
 
 func TestAllCustom(t *testing.T) {
-	sd, err := NewStreamDialer(&transport.TCPDialer{}, WithSNI("decoy.android.com"), WithCertificateName("www.youtube.com"))
+	sd, err := NewStreamDialer(&transport.TCPDialer{}, WithSNI("decoy.android.com"), WithCertVerifier(&StandardCertVerifier{CertificateName: "www.youtube.com"}))
 	require.NoError(t, err)
 	conn, err := sd.DialStream(context.Background(), "www.google.com:443")
 	require.NoError(t, err)
@@ -176,3 +183,80 @@ func (c countedStreamConn) Close() error {
 	c.counter.activeConns--
 	return c.StreamConn.Close()
 }
+
+// Helper function to create a self-signed certificate (Root CA)
+func createRootCA(t *testing.T) (*x509.Certificate, *ecdsa.PrivateKey) {
+	t.Helper()
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(1),
+		Subject:               pkix.Name{Organization: []string{"Test Root CA"}},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
+	require.NoError(t, err)
+
+	cert, err := x509.ParseCertificate(certDER)
+	require.NoError(t, err)
+
+	return cert, privKey
+}
+
+// Helper function to create a leaf certificate signed by a parent
+func createLeafCert(t *testing.T, dnsNames []string, ipAddresses []net.IP, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
+	t.Helper()
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(2),
+		Subject:               pkix.Name{CommonName: dnsNames[0]}, // Use first DNS name as CN
+		DNSNames:              dnsNames,
+		IPAddresses:           ipAddresses,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // Server cert
+		BasicConstraintsValid: true,
+		IsCA:                  false,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, parentCert, &privKey.PublicKey, parentKey)
+	require.NoError(t, err)
+
+	cert, err := x509.ParseCertificate(certDER)
+	require.NoError(t, err)
+
+	return cert, privKey
+}
+
+func TestGeneratedCert_Valid(t *testing.T) {
+	// 1. Generate Certs
+	rootCA, rootKey := createRootCA(t)
+	leafCert, _ := createLeafCert(t, []string{"test.local"}, nil, rootCA, rootKey, time.Now().Add(-1*time.Hour), time.Now().Add(1*time.Hour))
+
+	// 2. Setup Root Pool for Client
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCA)
+
+	verificationContext := &CertVerificationContext{PeerCertificates: []*x509.Certificate{leafCert}}
+
+	sysVerifier := &StandardCertVerifier{CertificateName: "test.local"}
+	require.Error(t, sysVerifier.VerifyCertificate(verificationContext))
+
+	customVerifier := &StandardCertVerifier{CertificateName: "test.local", Roots: rootPool}
+	require.NoError(t, customVerifier.VerifyCertificate(verificationContext))
+
+	wrongDomainVerifier := &StandardCertVerifier{CertificateName: "other.local", Roots: rootPool}
+	var hostErr x509.HostnameError
+	require.ErrorAs(t, wrongDomainVerifier.VerifyCertificate(verificationContext), &hostErr)
+	require.Equal(t, "other.local", hostErr.Host)
+	require.Equal(t, leafCert, hostErr.Certificate)
+}