Verify CN of client certificates with Basic Station backend (#129)

Author: faemittens

internal/backend/basicstation/backend.go

@@ -251,6 +251,16 @@ func (b *Backend) handleRouterInfo(r *http.Request, c *websocket.Conn) {
 		URI:    fmt.Sprintf("%s://%s/gateway/%s", b.scheme, r.Host, lorawan.EUI64(req.Router)),
 	}
 
+	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+		var cn lorawan.EUI64
+
+		if err := cn.UnmarshalText([]byte(r.TLS.PeerCertificates[0].Subject.CommonName)); err != nil || cn != lorawan.EUI64(req.Router) {
+			resp.URI = ""
+			resp.Error = fmt.Sprintf("certificate CommonName %s does not match router %s",
+				r.TLS.PeerCertificates[0].Subject.CommonName, lorawan.EUI64(req.Router))
+		}
+	}
+
 	c.SetWriteDeadline(time.Now().Add(b.writeTimeout))
 	if err := c.WriteJSON(resp); err != nil {
 		log.WithError(err).Error("backend/basicstation: websocket send message error")
@@ -278,6 +288,18 @@ func (b *Backend) handleGateway(r *http.Request, c *websocket.Conn) {
 		return
 	}
 
+	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+		var cn lorawan.EUI64
+		if err := cn.UnmarshalText([]byte(r.TLS.PeerCertificates[0].Subject.CommonName)); err != nil || cn != gatewayID {
+			log.WithFields(log.Fields{
+				"gateway_id": gatewayID,
+				"common_name": r.TLS.PeerCertificates[0].Subject.CommonName,
+			}).Error("backend/basicstation: CommonName verification failed")
+			return
+		}
+	}
+
+
 	// make sure we're not overwriting an existing connection
 	_, err := b.gateways.get(gatewayID)
 	if err == nil {