387 lines
12 KiB
Rust
Raw Normal View History

2024-06-28 19:19:17 +02:00
use std::cmp::Ordering;
use std::path::{Path, PathBuf};
use foreign_types_shared::ForeignType;
use foreign_types_shared::ForeignTypeRef;
use libc::c_long;
2024-06-28 17:21:40 +02:00
use openssl::asn1::Asn1Time;
2024-06-27 18:55:09 +02:00
use openssl::bn::{BigNum, MsbOption};
use openssl::ec::EcGroup;
use openssl::hash::MessageDigest;
use openssl::nid::Nid;
2024-06-28 01:05:02 +02:00
use openssl::pkey::{PKey, Private};
2024-06-28 21:34:18 +02:00
use openssl::x509::extension::{
BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier,
};
2024-06-28 19:29:18 +02:00
use openssl::x509::{X509Crl, X509NameBuilder, X509};
use openssl_sys::{
X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
};
2024-06-28 19:19:17 +02:00
use crate::app_config::AppConfig;
use crate::crypto::crl_extension::CRLDistributionPointExt;
#[derive(thiserror::Error, Debug)]
pub enum PKIError {
#[error("Certification Authority does not have a CRL")]
MissingCRL,
#[error("Certification Authority does not have a CRL next update time")]
MissingCRLNextUpdate,
#[error("Failed to initialize CRL! {0}")]
GenCRLError(&'static str),
}
2024-06-27 18:55:09 +02:00
2024-06-28 01:05:02 +02:00
/// Certificate and private key
2024-06-28 21:34:18 +02:00
pub struct CertData {
2024-06-28 17:21:40 +02:00
cert: X509,
key: PKey<Private>,
crl: Option<PathBuf>,
}
2024-06-27 18:55:09 +02:00
2024-06-28 17:21:40 +02:00
impl CertData {
2024-06-28 01:05:02 +02:00
/// Load root CA
fn load_root_ca() -> anyhow::Result<Self> {
2024-06-28 17:21:40 +02:00
Ok(Self {
cert: load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
key: load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
crl: Some(AppConfig::get().root_ca_crl_path()),
})
2024-06-28 01:05:02 +02:00
}
2024-06-28 19:43:33 +02:00
/// Load web CA
fn load_web_ca() -> anyhow::Result<Self> {
Ok(Self {
cert: load_certificate_from_file(AppConfig::get().web_ca_cert_path())?,
key: load_priv_key_from_file(AppConfig::get().web_ca_priv_key_path())?,
crl: Some(AppConfig::get().web_ca_crl_path()),
})
}
/// Load devices CA
fn load_devices_ca() -> anyhow::Result<Self> {
Ok(Self {
cert: load_certificate_from_file(AppConfig::get().devices_ca_cert_path())?,
key: load_priv_key_from_file(AppConfig::get().devices_ca_priv_key_path())?,
crl: Some(AppConfig::get().devices_ca_crl_path()),
})
}
2024-06-28 21:34:18 +02:00
/// Load server CA
pub fn load_server() -> anyhow::Result<Self> {
Ok(Self {
cert: load_certificate_from_file(AppConfig::get().server_cert_path())?,
key: load_priv_key_from_file(AppConfig::get().server_priv_key_path())?,
crl: None,
})
}
2024-06-28 01:05:02 +02:00
}
2024-06-27 18:55:09 +02:00
2024-06-28 01:05:02 +02:00
/// Generate private key
fn gen_private_key() -> anyhow::Result<PKey<Private>> {
2024-06-27 18:55:09 +02:00
let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
let group = EcGroup::from_curve_name(nid)?;
let key = openssl::ec::EcKey::generate(&group)?;
let key_pair = PKey::from_ec_key(key.clone())?;
2024-06-28 01:05:02 +02:00
Ok(key_pair)
}
/// Load private key from PEM file
fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
}
/// Load certificate from PEM file
fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
Ok(X509::from_pem(&std::fs::read(path)?)?)
}
2024-06-28 19:19:17 +02:00
/// Load CRL from PEM file
fn load_crl_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509Crl> {
Ok(X509Crl::from_pem(&std::fs::read(path)?)?)
}
2024-06-28 17:21:40 +02:00
#[derive(Default)]
struct GenCertificateReq<'a> {
cn: &'a str,
issuer: Option<&'a CertData>,
ca: bool,
2024-06-28 21:34:18 +02:00
web_server: bool,
subject_alternative_names: Vec<&'a str>,
2024-06-28 17:21:40 +02:00
}
/// Generate certificate
fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
2024-06-28 01:05:02 +02:00
// Generate root private key
let key_pair = gen_private_key()?;
2024-06-27 18:55:09 +02:00
let mut x509_name = X509NameBuilder::new()?;
x509_name.append_entry_by_text("C", "FR")?;
2024-06-28 17:21:40 +02:00
x509_name.append_entry_by_text("CN", req.cn)?;
2024-06-27 18:55:09 +02:00
let x509_name = x509_name.build();
let mut cert_builder = X509::builder()?;
cert_builder.set_version(2)?;
let serial_number = {
let mut serial = BigNum::new()?;
serial.rand(159, MsbOption::MAYBE_ZERO, false)?;
serial.to_asn1_integer()?
};
cert_builder.set_serial_number(&serial_number)?;
cert_builder.set_subject_name(&x509_name)?;
2024-06-28 17:21:40 +02:00
match req.issuer {
2024-06-28 01:05:02 +02:00
// Self-signed certificate
None => cert_builder.set_issuer_name(&x509_name)?,
// Certificate signed by another CA
2024-06-28 21:34:18 +02:00
Some(i) => cert_builder.set_issuer_name(i.cert.subject_name())?,
2024-06-28 01:05:02 +02:00
}
2024-06-28 17:21:40 +02:00
2024-06-27 18:55:09 +02:00
cert_builder.set_pubkey(&key_pair)?;
2024-06-28 17:21:40 +02:00
2024-06-27 18:55:09 +02:00
let not_before = Asn1Time::days_from_now(0)?;
cert_builder.set_not_before(&not_before)?;
2024-06-28 17:21:40 +02:00
2024-06-27 18:55:09 +02:00
let not_after = Asn1Time::days_from_now(365 * 30)?;
cert_builder.set_not_after(&not_after)?;
2024-06-28 17:21:40 +02:00
// Specify CRL URL
if let Some(issuer) = req.issuer {
if let Some(crl) = &issuer.crl {
let crl_url = format!(
"{}/crl/{}",
AppConfig::get().unsecure_origin(),
crl.file_name().unwrap().to_string_lossy()
);
cert_builder
.append_extension(CRLDistributionPointExt { url: crl_url }.as_extension()?)?;
}
2024-06-28 01:05:02 +02:00
}
2024-06-28 17:21:40 +02:00
// If cert is a CA or not
if req.ca {
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
}
2024-06-28 01:05:02 +02:00
2024-06-28 17:21:40 +02:00
// Key usage
let mut key_usage = KeyUsage::new();
2024-06-28 21:34:18 +02:00
let mut eku = None;
2024-06-28 17:21:40 +02:00
if req.ca {
key_usage.key_cert_sign().crl_sign();
}
2024-06-28 21:34:18 +02:00
if req.web_server {
key_usage.digital_signature().key_encipherment();
eku = Some(
ExtendedKeyUsage::new()
.server_auth()
.client_auth()
.build()?,
);
}
2024-06-28 17:21:40 +02:00
cert_builder.append_extension(key_usage.critical().build()?)?;
2024-06-27 18:55:09 +02:00
2024-06-28 21:34:18 +02:00
if let Some(eku) = eku {
cert_builder.append_extension(eku)?;
}
// Subject alternative names
if !req.subject_alternative_names.is_empty() {
let mut ext = SubjectAlternativeName::new();
for subj in req.subject_alternative_names {
ext.dns(subj);
}
cert_builder.append_extension(ext.build(&cert_builder.x509v3_context(None, None))?)?;
}
2024-06-28 17:21:40 +02:00
// Subject key identifier
2024-06-27 18:55:09 +02:00
let subject_key_identifier =
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
cert_builder.append_extension(subject_key_identifier)?;
2024-06-28 17:21:40 +02:00
// Sign certificate
2024-06-28 01:05:02 +02:00
cert_builder.sign(
2024-06-28 17:21:40 +02:00
match req.issuer {
2024-06-28 01:05:02 +02:00
None => &key_pair,
2024-06-28 17:21:40 +02:00
Some(i) => &i.key,
2024-06-28 01:05:02 +02:00
},
MessageDigest::sha256(),
)?;
2024-06-27 18:55:09 +02:00
let cert = cert_builder.build();
2024-06-28 01:05:02 +02:00
Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
}
/// Initialize Root CA, if required
pub fn initialize_root_ca() -> anyhow::Result<()> {
if AppConfig::get().root_ca_cert_path().exists()
&& AppConfig::get().root_ca_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating root ca...");
2024-06-28 17:21:40 +02:00
let (key, cert) = gen_certificate(GenCertificateReq {
cn: "SolarEnergy Root CA",
issuer: None,
ca: true,
2024-06-28 21:34:18 +02:00
..Default::default()
2024-06-28 17:21:40 +02:00
})?;
2024-06-28 01:05:02 +02:00
// Serialize generated web CA
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
Ok(())
}
/// Initialize web CA, if required
pub fn initialize_web_ca() -> anyhow::Result<()> {
if AppConfig::get().web_ca_cert_path().exists()
&& AppConfig::get().web_ca_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating web ca...");
2024-06-28 17:21:40 +02:00
let (key, cert) = gen_certificate(GenCertificateReq {
cn: "SolarEnergy Web CA",
issuer: Some(&CertData::load_root_ca()?),
ca: true,
2024-06-28 21:34:18 +02:00
..Default::default()
2024-06-28 17:21:40 +02:00
})?;
2024-06-28 01:05:02 +02:00
// Serialize generated web CA
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
Ok(())
}
/// Initialize devices CA, if required
pub fn initialize_devices_ca() -> anyhow::Result<()> {
if AppConfig::get().devices_ca_cert_path().exists()
&& AppConfig::get().devices_ca_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating devices ca...");
2024-06-28 17:21:40 +02:00
let (key, cert) = gen_certificate(GenCertificateReq {
cn: "SolarEnergy Devices CA",
issuer: Some(&CertData::load_root_ca()?),
ca: true,
2024-06-28 21:34:18 +02:00
..Default::default()
2024-06-28 17:21:40 +02:00
})?;
2024-06-28 01:05:02 +02:00
// Serialize generated devices CA
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
2024-06-27 18:55:09 +02:00
Ok(())
2024-06-28 01:05:02 +02:00
}
2024-06-28 19:19:17 +02:00
2024-06-28 21:34:18 +02:00
/// Initialize server certificate, if required
pub fn initialize_server_ca() -> anyhow::Result<()> {
if AppConfig::get().server_cert_path().exists()
&& AppConfig::get().server_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating server certificate...");
let (key, cert) = gen_certificate(GenCertificateReq {
cn: &AppConfig::get().hostname,
issuer: Some(&CertData::load_web_ca()?),
web_server: true,
subject_alternative_names: vec![AppConfig::get().hostname.as_str()],
..Default::default()
})?;
std::fs::write(AppConfig::get().server_priv_key_path(), key)?;
std::fs::write(AppConfig::get().server_cert_path(), cert)?;
Ok(())
}
/// Initialize or refresh a CRL
2024-06-28 19:19:17 +02:00
fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
2024-06-28 19:29:18 +02:00
let old_crl = if crl_path.exists() {
2024-06-28 19:19:17 +02:00
let crl = load_crl_from_file(crl_path)?;
// Check if revocation is un-needed
let next_update = crl.next_update().ok_or(PKIError::MissingCRLNextUpdate)?;
2024-06-28 19:39:07 +02:00
if next_update.compare(Asn1Time::days_from_now(0)?.as_ref())? == Ordering::Greater {
2024-06-28 19:19:17 +02:00
return Ok(());
}
2024-06-28 19:29:18 +02:00
Some(crl)
2024-06-28 19:19:17 +02:00
} else {
None
};
log::info!("Generating a new CRL...");
// based on https://github.com/openssl/openssl/blob/master/crypto/x509/x509_vfy.c
unsafe {
let crl = openssl_sys::X509_CRL_new();
if crl.is_null() {
return Err(PKIError::GenCRLError("Could not construct CRL!").into());
}
const X509_CRL_VERSION_2: c_long = 1;
if X509_CRL_set_version(crl, X509_CRL_VERSION_2) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_set_version").into());
}
2024-06-28 19:43:33 +02:00
if X509_CRL_set_issuer_name(crl, d.cert.subject_name().as_ptr()) == 0 {
2024-06-28 19:19:17 +02:00
return Err(PKIError::GenCRLError("X509_CRL_set_issuer_name").into());
}
let last_update = Asn1Time::days_from_now(0)?;
if X509_CRL_set1_lastUpdate(crl, last_update.as_ptr()) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_set1_lastUpdate").into());
}
let next_update = Asn1Time::days_from_now(10)?;
if X509_CRL_set1_nextUpdate(crl, next_update.as_ptr()) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
}
2024-06-28 19:29:18 +02:00
// Add old entries
if let Some(old_crl) = old_crl {
if let Some(entries) = old_crl.get_revoked() {
for entry in entries {
if X509_CRL_add0_revoked(crl, X509_REVOKED_dup(entry.as_ptr())) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
}
}
}
}
let md = MessageDigest::sha256();
if X509_CRL_sign(crl, d.key.as_ptr(), md.as_ptr()) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_sign").into());
}
let crl = X509Crl::from_ptr(crl);
std::fs::write(crl_path, crl.to_pem()?)?;
2024-06-28 19:19:17 +02:00
}
Ok(())
}
2024-06-28 19:43:33 +02:00
/// Refresh revocation lists
pub fn refresh_crls() -> anyhow::Result<()> {
refresh_crl(&CertData::load_root_ca()?)?;
refresh_crl(&CertData::load_web_ca()?)?;
refresh_crl(&CertData::load_devices_ca()?)?;
Ok(())
2024-06-28 19:19:17 +02:00
}