2024-06-28 19:19:17 +02:00
|
|
|
use std::cmp::Ordering;
|
|
|
|
use std::path::{Path, PathBuf};
|
|
|
|
|
|
|
|
use foreign_types_shared::ForeignType;
|
|
|
|
use foreign_types_shared::ForeignTypeRef;
|
|
|
|
use libc::c_long;
|
2024-06-28 17:21:40 +02:00
|
|
|
use openssl::asn1::Asn1Time;
|
2024-06-27 18:55:09 +02:00
|
|
|
use openssl::bn::{BigNum, MsbOption};
|
|
|
|
use openssl::ec::EcGroup;
|
|
|
|
use openssl::hash::MessageDigest;
|
|
|
|
use openssl::nid::Nid;
|
2024-06-28 01:05:02 +02:00
|
|
|
use openssl::pkey::{PKey, Private};
|
2024-06-28 21:34:18 +02:00
|
|
|
use openssl::x509::extension::{
|
|
|
|
BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier,
|
|
|
|
};
|
2024-06-28 19:29:18 +02:00
|
|
|
use openssl::x509::{X509Crl, X509NameBuilder, X509};
|
|
|
|
use openssl_sys::{
|
|
|
|
X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
|
|
|
|
X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
|
|
|
|
};
|
2024-06-28 19:19:17 +02:00
|
|
|
|
|
|
|
use crate::app_config::AppConfig;
|
|
|
|
use crate::crypto::crl_extension::CRLDistributionPointExt;
|
|
|
|
|
|
|
|
#[derive(thiserror::Error, Debug)]
|
|
|
|
pub enum PKIError {
|
|
|
|
#[error("Certification Authority does not have a CRL")]
|
|
|
|
MissingCRL,
|
|
|
|
#[error("Certification Authority does not have a CRL next update time")]
|
|
|
|
MissingCRLNextUpdate,
|
|
|
|
#[error("Failed to initialize CRL! {0}")]
|
|
|
|
GenCRLError(&'static str),
|
|
|
|
}
|
2024-06-27 18:55:09 +02:00
|
|
|
|
2024-06-28 01:05:02 +02:00
|
|
|
/// Certificate and private key
|
2024-06-28 21:34:18 +02:00
|
|
|
pub struct CertData {
|
2024-06-28 17:21:40 +02:00
|
|
|
cert: X509,
|
|
|
|
key: PKey<Private>,
|
|
|
|
crl: Option<PathBuf>,
|
|
|
|
}
|
2024-06-27 18:55:09 +02:00
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
impl CertData {
|
2024-06-28 01:05:02 +02:00
|
|
|
/// Load root CA
|
|
|
|
fn load_root_ca() -> anyhow::Result<Self> {
|
2024-06-28 17:21:40 +02:00
|
|
|
Ok(Self {
|
|
|
|
cert: load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
|
|
|
|
key: load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
|
|
|
|
crl: Some(AppConfig::get().root_ca_crl_path()),
|
|
|
|
})
|
2024-06-28 01:05:02 +02:00
|
|
|
}
|
2024-06-28 19:43:33 +02:00
|
|
|
|
|
|
|
/// Load web CA
|
|
|
|
fn load_web_ca() -> anyhow::Result<Self> {
|
|
|
|
Ok(Self {
|
|
|
|
cert: load_certificate_from_file(AppConfig::get().web_ca_cert_path())?,
|
|
|
|
key: load_priv_key_from_file(AppConfig::get().web_ca_priv_key_path())?,
|
|
|
|
crl: Some(AppConfig::get().web_ca_crl_path()),
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Load devices CA
|
|
|
|
fn load_devices_ca() -> anyhow::Result<Self> {
|
|
|
|
Ok(Self {
|
|
|
|
cert: load_certificate_from_file(AppConfig::get().devices_ca_cert_path())?,
|
|
|
|
key: load_priv_key_from_file(AppConfig::get().devices_ca_priv_key_path())?,
|
|
|
|
crl: Some(AppConfig::get().devices_ca_crl_path()),
|
|
|
|
})
|
|
|
|
}
|
2024-06-28 21:34:18 +02:00
|
|
|
|
|
|
|
/// Load server CA
|
|
|
|
pub fn load_server() -> anyhow::Result<Self> {
|
|
|
|
Ok(Self {
|
|
|
|
cert: load_certificate_from_file(AppConfig::get().server_cert_path())?,
|
|
|
|
key: load_priv_key_from_file(AppConfig::get().server_priv_key_path())?,
|
|
|
|
crl: None,
|
|
|
|
})
|
|
|
|
}
|
2024-06-28 01:05:02 +02:00
|
|
|
}
|
2024-06-27 18:55:09 +02:00
|
|
|
|
2024-06-28 01:05:02 +02:00
|
|
|
/// Generate private key
|
|
|
|
fn gen_private_key() -> anyhow::Result<PKey<Private>> {
|
2024-06-27 18:55:09 +02:00
|
|
|
let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
|
|
|
|
let group = EcGroup::from_curve_name(nid)?;
|
|
|
|
let key = openssl::ec::EcKey::generate(&group)?;
|
|
|
|
let key_pair = PKey::from_ec_key(key.clone())?;
|
|
|
|
|
2024-06-28 01:05:02 +02:00
|
|
|
Ok(key_pair)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Load private key from PEM file
|
|
|
|
fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
|
|
|
|
Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Load certificate from PEM file
|
|
|
|
fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
|
|
|
|
Ok(X509::from_pem(&std::fs::read(path)?)?)
|
|
|
|
}
|
|
|
|
|
2024-06-28 19:19:17 +02:00
|
|
|
/// Load CRL from PEM file
|
|
|
|
fn load_crl_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509Crl> {
|
|
|
|
Ok(X509Crl::from_pem(&std::fs::read(path)?)?)
|
|
|
|
}
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
#[derive(Default)]
|
|
|
|
struct GenCertificateReq<'a> {
|
|
|
|
cn: &'a str,
|
|
|
|
issuer: Option<&'a CertData>,
|
|
|
|
ca: bool,
|
2024-06-28 21:34:18 +02:00
|
|
|
web_server: bool,
|
|
|
|
subject_alternative_names: Vec<&'a str>,
|
2024-06-28 17:21:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/// Generate certificate
|
|
|
|
fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
|
2024-06-28 01:05:02 +02:00
|
|
|
// Generate root private key
|
|
|
|
let key_pair = gen_private_key()?;
|
|
|
|
|
2024-06-27 18:55:09 +02:00
|
|
|
let mut x509_name = X509NameBuilder::new()?;
|
|
|
|
x509_name.append_entry_by_text("C", "FR")?;
|
2024-06-28 17:21:40 +02:00
|
|
|
x509_name.append_entry_by_text("CN", req.cn)?;
|
2024-06-27 18:55:09 +02:00
|
|
|
let x509_name = x509_name.build();
|
|
|
|
|
|
|
|
let mut cert_builder = X509::builder()?;
|
|
|
|
cert_builder.set_version(2)?;
|
|
|
|
let serial_number = {
|
|
|
|
let mut serial = BigNum::new()?;
|
|
|
|
serial.rand(159, MsbOption::MAYBE_ZERO, false)?;
|
|
|
|
serial.to_asn1_integer()?
|
|
|
|
};
|
|
|
|
cert_builder.set_serial_number(&serial_number)?;
|
|
|
|
cert_builder.set_subject_name(&x509_name)?;
|
2024-06-28 17:21:40 +02:00
|
|
|
|
|
|
|
match req.issuer {
|
2024-06-28 01:05:02 +02:00
|
|
|
// Self-signed certificate
|
|
|
|
None => cert_builder.set_issuer_name(&x509_name)?,
|
|
|
|
// Certificate signed by another CA
|
2024-06-28 21:34:18 +02:00
|
|
|
Some(i) => cert_builder.set_issuer_name(i.cert.subject_name())?,
|
2024-06-28 01:05:02 +02:00
|
|
|
}
|
2024-06-28 17:21:40 +02:00
|
|
|
|
2024-06-27 18:55:09 +02:00
|
|
|
cert_builder.set_pubkey(&key_pair)?;
|
2024-06-28 17:21:40 +02:00
|
|
|
|
2024-06-27 18:55:09 +02:00
|
|
|
let not_before = Asn1Time::days_from_now(0)?;
|
|
|
|
cert_builder.set_not_before(¬_before)?;
|
2024-06-28 17:21:40 +02:00
|
|
|
|
2024-06-27 18:55:09 +02:00
|
|
|
let not_after = Asn1Time::days_from_now(365 * 30)?;
|
|
|
|
cert_builder.set_not_after(¬_after)?;
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
// Specify CRL URL
|
|
|
|
if let Some(issuer) = req.issuer {
|
|
|
|
if let Some(crl) = &issuer.crl {
|
|
|
|
let crl_url = format!(
|
|
|
|
"{}/crl/{}",
|
|
|
|
AppConfig::get().unsecure_origin(),
|
|
|
|
crl.file_name().unwrap().to_string_lossy()
|
|
|
|
);
|
|
|
|
|
|
|
|
cert_builder
|
|
|
|
.append_extension(CRLDistributionPointExt { url: crl_url }.as_extension()?)?;
|
|
|
|
}
|
2024-06-28 01:05:02 +02:00
|
|
|
}
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
// If cert is a CA or not
|
|
|
|
if req.ca {
|
|
|
|
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
|
|
|
|
}
|
2024-06-28 01:05:02 +02:00
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
// Key usage
|
|
|
|
let mut key_usage = KeyUsage::new();
|
2024-06-28 21:34:18 +02:00
|
|
|
let mut eku = None;
|
2024-06-28 17:21:40 +02:00
|
|
|
if req.ca {
|
|
|
|
key_usage.key_cert_sign().crl_sign();
|
|
|
|
}
|
2024-06-28 21:34:18 +02:00
|
|
|
if req.web_server {
|
|
|
|
key_usage.digital_signature().key_encipherment();
|
|
|
|
eku = Some(
|
|
|
|
ExtendedKeyUsage::new()
|
|
|
|
.server_auth()
|
|
|
|
.client_auth()
|
|
|
|
.build()?,
|
|
|
|
);
|
|
|
|
}
|
2024-06-28 17:21:40 +02:00
|
|
|
cert_builder.append_extension(key_usage.critical().build()?)?;
|
2024-06-27 18:55:09 +02:00
|
|
|
|
2024-06-28 21:34:18 +02:00
|
|
|
if let Some(eku) = eku {
|
|
|
|
cert_builder.append_extension(eku)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Subject alternative names
|
|
|
|
if !req.subject_alternative_names.is_empty() {
|
|
|
|
let mut ext = SubjectAlternativeName::new();
|
|
|
|
for subj in req.subject_alternative_names {
|
|
|
|
ext.dns(subj);
|
|
|
|
}
|
|
|
|
cert_builder.append_extension(ext.build(&cert_builder.x509v3_context(None, None))?)?;
|
|
|
|
}
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
// Subject key identifier
|
2024-06-27 18:55:09 +02:00
|
|
|
let subject_key_identifier =
|
|
|
|
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
|
|
|
|
cert_builder.append_extension(subject_key_identifier)?;
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
// Sign certificate
|
2024-06-28 01:05:02 +02:00
|
|
|
cert_builder.sign(
|
2024-06-28 17:21:40 +02:00
|
|
|
match req.issuer {
|
2024-06-28 01:05:02 +02:00
|
|
|
None => &key_pair,
|
2024-06-28 17:21:40 +02:00
|
|
|
Some(i) => &i.key,
|
2024-06-28 01:05:02 +02:00
|
|
|
},
|
|
|
|
MessageDigest::sha256(),
|
|
|
|
)?;
|
2024-06-27 18:55:09 +02:00
|
|
|
let cert = cert_builder.build();
|
|
|
|
|
2024-06-28 01:05:02 +02:00
|
|
|
Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Initialize Root CA, if required
|
|
|
|
pub fn initialize_root_ca() -> anyhow::Result<()> {
|
|
|
|
if AppConfig::get().root_ca_cert_path().exists()
|
|
|
|
&& AppConfig::get().root_ca_priv_key_path().exists()
|
|
|
|
{
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
|
|
|
|
log::info!("Generating root ca...");
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
|
|
|
cn: "SolarEnergy Root CA",
|
|
|
|
issuer: None,
|
|
|
|
ca: true,
|
2024-06-28 21:34:18 +02:00
|
|
|
..Default::default()
|
2024-06-28 17:21:40 +02:00
|
|
|
})?;
|
2024-06-28 01:05:02 +02:00
|
|
|
|
|
|
|
// Serialize generated web CA
|
|
|
|
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
|
|
|
|
std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Initialize web CA, if required
|
|
|
|
pub fn initialize_web_ca() -> anyhow::Result<()> {
|
|
|
|
if AppConfig::get().web_ca_cert_path().exists()
|
|
|
|
&& AppConfig::get().web_ca_priv_key_path().exists()
|
|
|
|
{
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
|
|
|
|
log::info!("Generating web ca...");
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
|
|
|
cn: "SolarEnergy Web CA",
|
|
|
|
issuer: Some(&CertData::load_root_ca()?),
|
|
|
|
ca: true,
|
2024-06-28 21:34:18 +02:00
|
|
|
..Default::default()
|
2024-06-28 17:21:40 +02:00
|
|
|
})?;
|
2024-06-28 01:05:02 +02:00
|
|
|
|
|
|
|
// Serialize generated web CA
|
|
|
|
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
|
|
|
|
std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Initialize devices CA, if required
|
|
|
|
pub fn initialize_devices_ca() -> anyhow::Result<()> {
|
|
|
|
if AppConfig::get().devices_ca_cert_path().exists()
|
|
|
|
&& AppConfig::get().devices_ca_priv_key_path().exists()
|
|
|
|
{
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
|
|
|
|
log::info!("Generating devices ca...");
|
|
|
|
|
2024-06-28 17:21:40 +02:00
|
|
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
|
|
|
cn: "SolarEnergy Devices CA",
|
|
|
|
issuer: Some(&CertData::load_root_ca()?),
|
|
|
|
ca: true,
|
2024-06-28 21:34:18 +02:00
|
|
|
..Default::default()
|
2024-06-28 17:21:40 +02:00
|
|
|
})?;
|
2024-06-28 01:05:02 +02:00
|
|
|
|
|
|
|
// Serialize generated devices CA
|
|
|
|
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
|
|
|
|
std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
|
2024-06-27 18:55:09 +02:00
|
|
|
|
|
|
|
Ok(())
|
2024-06-28 01:05:02 +02:00
|
|
|
}
|
2024-06-28 19:19:17 +02:00
|
|
|
|
2024-06-28 21:34:18 +02:00
|
|
|
/// Initialize server certificate, if required
|
|
|
|
pub fn initialize_server_ca() -> anyhow::Result<()> {
|
|
|
|
if AppConfig::get().server_cert_path().exists()
|
|
|
|
&& AppConfig::get().server_priv_key_path().exists()
|
|
|
|
{
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
|
|
|
|
log::info!("Generating server certificate...");
|
|
|
|
|
|
|
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
|
|
|
cn: &AppConfig::get().hostname,
|
|
|
|
issuer: Some(&CertData::load_web_ca()?),
|
|
|
|
web_server: true,
|
|
|
|
subject_alternative_names: vec![AppConfig::get().hostname.as_str()],
|
|
|
|
..Default::default()
|
|
|
|
})?;
|
|
|
|
|
|
|
|
std::fs::write(AppConfig::get().server_priv_key_path(), key)?;
|
|
|
|
std::fs::write(AppConfig::get().server_cert_path(), cert)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Initialize or refresh a CRL
|
2024-06-28 19:19:17 +02:00
|
|
|
fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
|
|
|
|
let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
|
|
|
|
|
2024-06-28 19:29:18 +02:00
|
|
|
let old_crl = if crl_path.exists() {
|
2024-06-28 19:19:17 +02:00
|
|
|
let crl = load_crl_from_file(crl_path)?;
|
|
|
|
|
|
|
|
// Check if revocation is un-needed
|
|
|
|
let next_update = crl.next_update().ok_or(PKIError::MissingCRLNextUpdate)?;
|
2024-06-28 19:39:07 +02:00
|
|
|
if next_update.compare(Asn1Time::days_from_now(0)?.as_ref())? == Ordering::Greater {
|
2024-06-28 19:19:17 +02:00
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
|
2024-06-28 19:29:18 +02:00
|
|
|
Some(crl)
|
2024-06-28 19:19:17 +02:00
|
|
|
} else {
|
|
|
|
None
|
|
|
|
};
|
|
|
|
|
|
|
|
log::info!("Generating a new CRL...");
|
|
|
|
|
|
|
|
// based on https://github.com/openssl/openssl/blob/master/crypto/x509/x509_vfy.c
|
|
|
|
unsafe {
|
|
|
|
let crl = openssl_sys::X509_CRL_new();
|
|
|
|
if crl.is_null() {
|
|
|
|
return Err(PKIError::GenCRLError("Could not construct CRL!").into());
|
|
|
|
}
|
|
|
|
|
|
|
|
const X509_CRL_VERSION_2: c_long = 1;
|
|
|
|
if X509_CRL_set_version(crl, X509_CRL_VERSION_2) == 0 {
|
|
|
|
return Err(PKIError::GenCRLError("X509_CRL_set_version").into());
|
|
|
|
}
|
2024-06-28 19:43:33 +02:00
|
|
|
if X509_CRL_set_issuer_name(crl, d.cert.subject_name().as_ptr()) == 0 {
|
2024-06-28 19:19:17 +02:00
|
|
|
return Err(PKIError::GenCRLError("X509_CRL_set_issuer_name").into());
|
|
|
|
}
|
|
|
|
|
|
|
|
let last_update = Asn1Time::days_from_now(0)?;
|
|
|
|
if X509_CRL_set1_lastUpdate(crl, last_update.as_ptr()) == 0 {
|
|
|
|
return Err(PKIError::GenCRLError("X509_CRL_set1_lastUpdate").into());
|
|
|
|
}
|
|
|
|
|
|
|
|
let next_update = Asn1Time::days_from_now(10)?;
|
|
|
|
if X509_CRL_set1_nextUpdate(crl, next_update.as_ptr()) == 0 {
|
|
|
|
return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
|
|
|
|
}
|
|
|
|
|
2024-06-28 19:29:18 +02:00
|
|
|
// Add old entries
|
|
|
|
if let Some(old_crl) = old_crl {
|
|
|
|
if let Some(entries) = old_crl.get_revoked() {
|
|
|
|
for entry in entries {
|
|
|
|
if X509_CRL_add0_revoked(crl, X509_REVOKED_dup(entry.as_ptr())) == 0 {
|
|
|
|
return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
let md = MessageDigest::sha256();
|
|
|
|
if X509_CRL_sign(crl, d.key.as_ptr(), md.as_ptr()) == 0 {
|
|
|
|
return Err(PKIError::GenCRLError("X509_CRL_sign").into());
|
|
|
|
}
|
|
|
|
|
|
|
|
let crl = X509Crl::from_ptr(crl);
|
|
|
|
std::fs::write(crl_path, crl.to_pem()?)?;
|
2024-06-28 19:19:17 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2024-06-28 19:43:33 +02:00
|
|
|
/// Refresh revocation lists
|
|
|
|
pub fn refresh_crls() -> anyhow::Result<()> {
|
|
|
|
refresh_crl(&CertData::load_root_ca()?)?;
|
|
|
|
refresh_crl(&CertData::load_web_ca()?)?;
|
|
|
|
refresh_crl(&CertData::load_devices_ca()?)?;
|
|
|
|
Ok(())
|
2024-06-28 19:19:17 +02:00
|
|
|
}
|