Improve certificates issuance

central_backend/src/crypto/crl_extension.rs

@@ -0,0 +1,43 @@
+use asn1::Tag;
+use openssl::asn1::{Asn1Object, Asn1OctetString};
+use openssl::x509::X509Extension;
+
+pub struct CRLDistributionPointExt {
+    pub url: String,
+}
+
+impl CRLDistributionPointExt {
+    pub fn as_extension(&self) -> anyhow::Result<X509Extension> {
+        let crl_obj = Asn1Object::from_str("2.5.29.31")?;
+
+        let tag_a0 = Tag::from_bytes(&[0xa0]).unwrap().0;
+        let tag_86 = Tag::from_bytes(&[0x86]).unwrap().0;
+
+        let crl_bytes = asn1::write(|w| {
+            w.write_element(&asn1::SequenceWriter::new(&|w| {
+                w.write_element(&asn1::SequenceWriter::new(&|w| {
+                    w.write_tlv(tag_a0, |w| {
+                        w.push_slice(&asn1::write(|w| {
+                            w.write_tlv(tag_a0, |w| {
+                                w.push_slice(&asn1::write(|w| {
+                                    w.write_tlv(tag_86, |b| b.push_slice(self.url.as_bytes()))?;
+                                    Ok(())
+                                })?)
+                            })?;
+
+                            Ok(())
+                        })?)
+                    })?;
+                    Ok(())
+                }))?;
+                Ok(())
+            }))
+        })?;
+
+        Ok(X509Extension::new_from_der(
+            crl_obj.as_ref(),
+            false,
+            Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
+        )?)
+    }
+}

central_backend/src/crypto/mod.rs

@@ -0,0 +1,2 @@
+pub mod crl_extension;
+pub mod pki;

central_backend/src/crypto/pki.rs

@@ -0,0 +1,204 @@
+use crate::app_config::AppConfig;
+use crate::crypto::crl_extension::CRLDistributionPointExt;
+use openssl::asn1::Asn1Time;
+use openssl::bn::{BigNum, MsbOption};
+use openssl::ec::EcGroup;
+use openssl::hash::MessageDigest;
+use openssl::nid::Nid;
+use openssl::pkey::{PKey, Private};
+use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
+use openssl::x509::{X509NameBuilder, X509};
+use std::path::{Path, PathBuf};
+
+/// Certificate and private key
+struct CertData {
+    cert: X509,
+    key: PKey<Private>,
+    crl: Option<PathBuf>,
+}
+
+impl CertData {
+    /// Load root CA
+    fn load_root_ca() -> anyhow::Result<Self> {
+        Ok(Self {
+            cert: load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
+            key: load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
+            crl: Some(AppConfig::get().root_ca_crl_path()),
+        })
+    }
+}
+
+/// Generate private key
+fn gen_private_key() -> anyhow::Result<PKey<Private>> {
+    let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
+    let group = EcGroup::from_curve_name(nid)?;
+    let key = openssl::ec::EcKey::generate(&group)?;
+    let key_pair = PKey::from_ec_key(key.clone())?;
+
+    Ok(key_pair)
+}
+
+/// Load private key from PEM file
+fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
+    Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
+}
+
+/// Load certificate from PEM file
+fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
+    Ok(X509::from_pem(&std::fs::read(path)?)?)
+}
+
+#[derive(Default)]
+struct GenCertificateReq<'a> {
+    cn: &'a str,
+    issuer: Option<&'a CertData>,
+    ca: bool,
+}
+
+/// Generate certificate
+fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
+    // Generate root private key
+    let key_pair = gen_private_key()?;
+
+    let mut x509_name = X509NameBuilder::new()?;
+    x509_name.append_entry_by_text("C", "FR")?;
+    x509_name.append_entry_by_text("CN", req.cn)?;
+    let x509_name = x509_name.build();
+
+    let mut cert_builder = X509::builder()?;
+    cert_builder.set_version(2)?;
+    let serial_number = {
+        let mut serial = BigNum::new()?;
+        serial.rand(159, MsbOption::MAYBE_ZERO, false)?;
+        serial.to_asn1_integer()?
+    };
+    cert_builder.set_serial_number(&serial_number)?;
+    cert_builder.set_subject_name(&x509_name)?;
+
+    match req.issuer {
+        // Self-signed certificate
+        None => cert_builder.set_issuer_name(&x509_name)?,
+        // Certificate signed by another CA
+        Some(i) => cert_builder.set_issuer_name(i.cert.issuer_name())?,
+    }
+
+    cert_builder.set_pubkey(&key_pair)?;
+
+    let not_before = Asn1Time::days_from_now(0)?;
+    cert_builder.set_not_before(&not_before)?;
+
+    let not_after = Asn1Time::days_from_now(365 * 30)?;
+    cert_builder.set_not_after(&not_after)?;
+
+    // Specify CRL URL
+    if let Some(issuer) = req.issuer {
+        if let Some(crl) = &issuer.crl {
+            let crl_url = format!(
+                "{}/crl/{}",
+                AppConfig::get().unsecure_origin(),
+                crl.file_name().unwrap().to_string_lossy()
+            );
+
+            cert_builder
+                .append_extension(CRLDistributionPointExt { url: crl_url }.as_extension()?)?;
+        }
+    }
+
+    // If cert is a CA or not
+    if req.ca {
+        cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
+    }
+
+    // Key usage
+    let mut key_usage = KeyUsage::new();
+    if req.ca {
+        key_usage.key_cert_sign().crl_sign();
+    }
+    cert_builder.append_extension(key_usage.critical().build()?)?;
+
+    // Subject key identifier
+    let subject_key_identifier =
+        SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
+    cert_builder.append_extension(subject_key_identifier)?;
+
+    // Sign certificate
+    cert_builder.sign(
+        match req.issuer {
+            None => &key_pair,
+            Some(i) => &i.key,
+        },
+        MessageDigest::sha256(),
+    )?;
+    let cert = cert_builder.build();
+
+    Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
+}
+
+/// Initialize Root CA, if required
+pub fn initialize_root_ca() -> anyhow::Result<()> {
+    if AppConfig::get().root_ca_cert_path().exists()
+        && AppConfig::get().root_ca_priv_key_path().exists()
+    {
+        return Ok(());
+    }
+
+    log::info!("Generating root ca...");
+
+    let (key, cert) = gen_certificate(GenCertificateReq {
+        cn: "SolarEnergy Root CA",
+        issuer: None,
+        ca: true,
+    })?;
+
+    // Serialize generated web CA
+    std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
+    std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
+
+    Ok(())
+}
+
+/// Initialize web CA, if required
+pub fn initialize_web_ca() -> anyhow::Result<()> {
+    if AppConfig::get().web_ca_cert_path().exists()
+        && AppConfig::get().web_ca_priv_key_path().exists()
+    {
+        return Ok(());
+    }
+
+    log::info!("Generating web ca...");
+
+    let (key, cert) = gen_certificate(GenCertificateReq {
+        cn: "SolarEnergy Web CA",
+        issuer: Some(&CertData::load_root_ca()?),
+        ca: true,
+    })?;
+
+    // Serialize generated web CA
+    std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
+    std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
+
+    Ok(())
+}
+
+/// Initialize devices CA, if required
+pub fn initialize_devices_ca() -> anyhow::Result<()> {
+    if AppConfig::get().devices_ca_cert_path().exists()
+        && AppConfig::get().devices_ca_priv_key_path().exists()
+    {
+        return Ok(());
+    }
+
+    log::info!("Generating devices ca...");
+
+    let (key, cert) = gen_certificate(GenCertificateReq {
+        cn: "SolarEnergy Devices CA",
+        issuer: Some(&CertData::load_root_ca()?),
+        ca: true,
+    })?;
+
+    // Serialize generated devices CA
+    std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
+    std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
+
+    Ok(())
+}