Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-05-08 09:26:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

expire old SKPI hashes

Browse Source
This commit is contained in:
link2xt
2026-04-16 20:03:46 +02:00
parent 900cb7f7aa
commit 900d88c5eb
4 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/net/tls.rs
View File

@@ -7,6 +7,7 @@ use anyhow::Result;
use crate::net::session::SessionStream; use crate::net::session::SessionStream;
use crate::sql::Sql; use crate::sql::Sql;
use crate::tools::time;
use tokio_rustls::rustls; use tokio_rustls::rustls;
use tokio_rustls::rustls::client::ClientSessionStore; use tokio_rustls::rustls::client::ClientSessionStore;
@@ -164,9 +165,10 @@ pub async fn wrap_rustls<'a>(
.peer_certificates() .peer_certificates()
.and_then(|certs| certs.first()) .and_then(|certs| certs.first())
{ {
let now = time();
let parsed_certificate = ParsedCertificate::try_from(end_entity)?; let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
let spki = parsed_certificate.subject_public_key_info(); let spki = parsed_certificate.subject_public_key_info();
spki_hash_store.save_spki(hostname, &spki, sql).await?; spki_hash_store.save_spki(hostname, &spki, sql, now).await?;
} }
Ok(tls_stream) Ok(tls_stream)

5
src/net/tls/spki.rs
View File

@@ -77,14 +77,15 @@ impl SpkiHashStore {
hostname: &str, hostname: &str,
spki: &SubjectPublicKeyInfoDer<'_>, spki: &SubjectPublicKeyInfoDer<'_>,
sql: &Sql, sql: &Sql,
timestamp: i64,
) -> Result<()> { ) -> Result<()> {
let hash = spki_hash(spki); let hash = spki_hash(spki);
self.hash_store self.hash_store
.write() .write()
.insert(hostname.to_string(), hash.clone()); .insert(hostname.to_string(), hash.clone());
sql.execute( sql.execute(
"INSERT OR REPLACE INTO tls_spki (host, spki_hash) VALUES (?, ?)", "INSERT OR REPLACE INTO tls_spki (host, spki_hash, timestamp) VALUES (?, ?, ?)",
(hostname, hash), (hostname, hash, timestamp),
) )
.await?; .await?;
Ok(()) Ok(())

11
src/sql.rs
View File

@@ -874,6 +874,17 @@ pub async fn housekeeping(context: &Context) -> Result<()> {
.log_err(context) .log_err(context)
.ok(); .ok();
context
.sql
.execute(
"DELETE FROM tls_spki WHERE ? > timestamp + ?",
(time(), 30 * 24 * 60 * 60),
)
.await
.context("Failed to prune SPKI store")
.log_err(context)
.ok();
// Cleanup `imap` and `imap_sync` entries for deleted transports. // Cleanup `imap` and `imap_sync` entries for deleted transports.
// //
// Transports may be deleted directly or via sync messages, // Transports may be deleted directly or via sync messages,

3
src/sql/migrations.rs
View File

@@ -2365,7 +2365,8 @@ ALTER TABLE contacts ADD COLUMN name_normalized TEXT;
sql.execute_migration( sql.execute_migration(
"CREATE TABLE tls_spki ( "CREATE TABLE tls_spki (
host TEXT NOT NULL UNIQUE, host TEXT NOT NULL UNIQUE,
spki_hash TEXT NOT NULL -- base64 of SPKI SHA-256 hash spki_hash TEXT NOT NULL, -- base64 of SPKI SHA-256 hash
timestamp INTEGER NOT NULL -- timestamp of the last time we have seen this key
) STRICT", ) STRICT",
migration_version, migration_version,
) )