From f15fe48fa9653e5e9951bf8d4ebff52e8708b517 Mon Sep 17 00:00:00 2001 From: John Knox Date: Fri, 30 Nov 2018 06:18:15 -0800 Subject: [PATCH] Clean on-device sonar dir between certificate exchanges Summary: During certificate exchange, the mobile device creates a public/private key pair, and then requests a certificate from flipper to match it's public key. Flipper responds with the cert and it's written to the sonar dir along side the key pair files. If certificate exchange happens again for any reason, the mobile device will regenerate the key pair and request a new cert. If for any reason that cert never arrives, then the device is in a state where it has the new key pair, but the old certificate that doesn't match its new credentials. This would never work, but it means you get a strange SSL error because you're using inconsistent files. To improve error messaging, I'm making the client wipe all files before starting the certificate exchange step, so you should never get key/cert mismatches. Now the device can tell it doesn't have all the necessary files and won't even attempt to connect until it does. Reviewed By: passy Differential Revision: D13256369 fbshipit-source-id: 28f3cb5ba5938c17f01294683ba86c418f651376 --- xplat/Flipper/ConnectionContextStore.cpp | 21 ++++++++++++++------- xplat/Flipper/ConnectionContextStore.h | 13 +++++++++---- 2 files changed, 23 insertions(+), 11 deletions(-) diff --git a/xplat/Flipper/ConnectionContextStore.cpp b/xplat/Flipper/ConnectionContextStore.cpp index 0b14c375c..f6d32fffc 100644 --- a/xplat/Flipper/ConnectionContextStore.cpp +++ b/xplat/Flipper/ConnectionContextStore.cpp @@ -1,13 +1,13 @@ -/* - * Copyright (c) Facebook, Inc. - * - * This source code is licensed under the MIT license found in the LICENSE - * file in the root directory of this source tree. +/** + * Copyright (c) Facebook, Inc. and its affiliates. * + * This source code is licensed under the MIT license found in the LICENSE + * file in the root directory of this source tree. */ #include "ConnectionContextStore.h" #include #include +#include #include #include #include "CertificateUtils.h" @@ -43,7 +43,7 @@ bool ConnectionContextStore::hasRequiredFiles() { } std::string ConnectionContextStore::createCertificateSigningRequest() { - ensureFlipperDirExists(); + resetFlipperDir(); bool success = generateCertSigningRequest( deviceData_.appId.c_str(), absoluteFilePath(CSR_FILE_NAME).c_str(), @@ -100,13 +100,20 @@ std::string ConnectionContextStore::getCertificateDirectoryPath() { return absoluteFilePath(""); } -bool ConnectionContextStore::ensureFlipperDirExists() { +bool ConnectionContextStore::resetFlipperDir() { std::string dirPath = absoluteFilePath(""); struct stat info; if (stat(dirPath.c_str(), &info) != 0) { int ret = mkdir(dirPath.c_str(), S_IRUSR | S_IWUSR | S_IXUSR); return ret == 0; } else if (info.st_mode & S_IFDIR) { + for (auto file : {CSR_FILE_NAME, + FLIPPER_CA_FILE_NAME, + CLIENT_CERT_FILE_NAME, + PRIVATE_KEY_FILE, + CONNECTION_CONFIG_FILE}) { + std::remove(absoluteFilePath(file).c_str()); + } return true; } else { log("ERROR: Flipper path exists but is not a directory: " + dirPath); diff --git a/xplat/Flipper/ConnectionContextStore.h b/xplat/Flipper/ConnectionContextStore.h index 07870147d..9e850272c 100644 --- a/xplat/Flipper/ConnectionContextStore.h +++ b/xplat/Flipper/ConnectionContextStore.h @@ -1,3 +1,9 @@ +/** + * Copyright (c) Facebook, Inc. and its affiliates. + * + * This source code is licensed under the MIT license found in the LICENSE + * file in the root directory of this source tree. + */ #pragma once #include @@ -21,13 +27,12 @@ public: std::string getDeviceId(); void storeConnectionConfig(folly::dynamic& config); -private: + private: DeviceData deviceData_; std::string absoluteFilePath(const char* filename); - bool ensureFlipperDirExists(); - + bool resetFlipperDir(); }; } // namespace flipper -} //namespace facebook +} // namespace facebook