Improve certificates issuance
This commit is contained in:
parent
716e524bf4
commit
8bac181552
@ -67,6 +67,11 @@ impl AppConfig {
|
|||||||
self.pki_path().join("root_ca.pem")
|
self.pki_path().join("root_ca.pem")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Get PKI root CA CRL path
|
||||||
|
pub fn root_ca_crl_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("root_ca.crl")
|
||||||
|
}
|
||||||
|
|
||||||
/// Get PKI root CA private key path
|
/// Get PKI root CA private key path
|
||||||
pub fn root_ca_priv_key_path(&self) -> PathBuf {
|
pub fn root_ca_priv_key_path(&self) -> PathBuf {
|
||||||
self.pki_path().join("root_ca.key")
|
self.pki_path().join("root_ca.key")
|
||||||
@ -77,6 +82,11 @@ impl AppConfig {
|
|||||||
self.pki_path().join("web_ca.pem")
|
self.pki_path().join("web_ca.pem")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Get PKI web CA CRL path
|
||||||
|
pub fn web_ca_crl_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("web_ca.crl")
|
||||||
|
}
|
||||||
|
|
||||||
/// Get PKI web CA private key path
|
/// Get PKI web CA private key path
|
||||||
pub fn web_ca_priv_key_path(&self) -> PathBuf {
|
pub fn web_ca_priv_key_path(&self) -> PathBuf {
|
||||||
self.pki_path().join("web_ca.key")
|
self.pki_path().join("web_ca.key")
|
||||||
@ -87,6 +97,11 @@ impl AppConfig {
|
|||||||
self.pki_path().join("devices_ca.pem")
|
self.pki_path().join("devices_ca.pem")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Get PKI devices CA CRL path
|
||||||
|
pub fn devices_ca_crl_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("devices_ca.crl")
|
||||||
|
}
|
||||||
|
|
||||||
/// Get PKI devices CA private key path
|
/// Get PKI devices CA private key path
|
||||||
pub fn devices_ca_priv_key_path(&self) -> PathBuf {
|
pub fn devices_ca_priv_key_path(&self) -> PathBuf {
|
||||||
self.pki_path().join("devices_ca.key")
|
self.pki_path().join("devices_ca.key")
|
||||||
|
43
central_backend/src/crypto/crl_extension.rs
Normal file
43
central_backend/src/crypto/crl_extension.rs
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
use asn1::Tag;
|
||||||
|
use openssl::asn1::{Asn1Object, Asn1OctetString};
|
||||||
|
use openssl::x509::X509Extension;
|
||||||
|
|
||||||
|
pub struct CRLDistributionPointExt {
|
||||||
|
pub url: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl CRLDistributionPointExt {
|
||||||
|
pub fn as_extension(&self) -> anyhow::Result<X509Extension> {
|
||||||
|
let crl_obj = Asn1Object::from_str("2.5.29.31")?;
|
||||||
|
|
||||||
|
let tag_a0 = Tag::from_bytes(&[0xa0]).unwrap().0;
|
||||||
|
let tag_86 = Tag::from_bytes(&[0x86]).unwrap().0;
|
||||||
|
|
||||||
|
let crl_bytes = asn1::write(|w| {
|
||||||
|
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
||||||
|
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
||||||
|
w.write_tlv(tag_a0, |w| {
|
||||||
|
w.push_slice(&asn1::write(|w| {
|
||||||
|
w.write_tlv(tag_a0, |w| {
|
||||||
|
w.push_slice(&asn1::write(|w| {
|
||||||
|
w.write_tlv(tag_86, |b| b.push_slice(self.url.as_bytes()))?;
|
||||||
|
Ok(())
|
||||||
|
})?)
|
||||||
|
})?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
})?)
|
||||||
|
})?;
|
||||||
|
Ok(())
|
||||||
|
}))?;
|
||||||
|
Ok(())
|
||||||
|
}))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
Ok(X509Extension::new_from_der(
|
||||||
|
crl_obj.as_ref(),
|
||||||
|
false,
|
||||||
|
Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
|
||||||
|
)?)
|
||||||
|
}
|
||||||
|
}
|
2
central_backend/src/crypto/mod.rs
Normal file
2
central_backend/src/crypto/mod.rs
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
pub mod crl_extension;
|
||||||
|
pub mod pki;
|
@ -1,29 +1,30 @@
|
|||||||
use crate::app_config::AppConfig;
|
use crate::app_config::AppConfig;
|
||||||
use asn1::{
|
use crate::crypto::crl_extension::CRLDistributionPointExt;
|
||||||
parse_single, Asn1Readable, Asn1Writable, Explicit, Implicit, OctetStringEncoded, ParseResult,
|
use openssl::asn1::Asn1Time;
|
||||||
SimpleAsn1Readable, SimpleAsn1Writable, Tag, WriteBuf, WriteResult, Writer,
|
|
||||||
};
|
|
||||||
use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1OctetStringRef, Asn1Time};
|
|
||||||
use openssl::bn::{BigNum, MsbOption};
|
use openssl::bn::{BigNum, MsbOption};
|
||||||
use openssl::ec::EcGroup;
|
use openssl::ec::EcGroup;
|
||||||
use openssl::hash::MessageDigest;
|
use openssl::hash::MessageDigest;
|
||||||
use openssl::nid::Nid;
|
use openssl::nid::Nid;
|
||||||
use openssl::pkey::{PKey, Private};
|
use openssl::pkey::{PKey, Private};
|
||||||
use openssl::x509;
|
|
||||||
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
||||||
use openssl::x509::{X509Extension, X509NameBuilder, X509};
|
use openssl::x509::{X509NameBuilder, X509};
|
||||||
use std::path::Path;
|
use std::path::{Path, PathBuf};
|
||||||
|
|
||||||
/// Certificate and private key
|
/// Certificate and private key
|
||||||
struct CertAndKey(X509, PKey<Private>);
|
struct CertData {
|
||||||
|
cert: X509,
|
||||||
|
key: PKey<Private>,
|
||||||
|
crl: Option<PathBuf>,
|
||||||
|
}
|
||||||
|
|
||||||
impl CertAndKey {
|
impl CertData {
|
||||||
/// Load root CA
|
/// Load root CA
|
||||||
fn load_root_ca() -> anyhow::Result<Self> {
|
fn load_root_ca() -> anyhow::Result<Self> {
|
||||||
Ok(Self(
|
Ok(Self {
|
||||||
load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
|
cert: load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
|
||||||
load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
|
key: load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
|
||||||
))
|
crl: Some(AppConfig::get().root_ca_crl_path()),
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -47,17 +48,21 @@ fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
|
|||||||
Ok(X509::from_pem(&std::fs::read(path)?)?)
|
Ok(X509::from_pem(&std::fs::read(path)?)?)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Generate intermediate or root CA
|
#[derive(Default)]
|
||||||
fn gen_intermediate_or_root_ca(
|
struct GenCertificateReq<'a> {
|
||||||
cn: &str,
|
cn: &'a str,
|
||||||
issuer: Option<&CertAndKey>,
|
issuer: Option<&'a CertData>,
|
||||||
) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
|
ca: bool,
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Generate certificate
|
||||||
|
fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
|
||||||
// Generate root private key
|
// Generate root private key
|
||||||
let key_pair = gen_private_key()?;
|
let key_pair = gen_private_key()?;
|
||||||
|
|
||||||
let mut x509_name = X509NameBuilder::new()?;
|
let mut x509_name = X509NameBuilder::new()?;
|
||||||
x509_name.append_entry_by_text("C", "FR")?;
|
x509_name.append_entry_by_text("C", "FR")?;
|
||||||
x509_name.append_entry_by_text("CN", cn)?;
|
x509_name.append_entry_by_text("CN", req.cn)?;
|
||||||
let x509_name = x509_name.build();
|
let x509_name = x509_name.build();
|
||||||
|
|
||||||
let mut cert_builder = X509::builder()?;
|
let mut cert_builder = X509::builder()?;
|
||||||
@ -69,77 +74,58 @@ fn gen_intermediate_or_root_ca(
|
|||||||
};
|
};
|
||||||
cert_builder.set_serial_number(&serial_number)?;
|
cert_builder.set_serial_number(&serial_number)?;
|
||||||
cert_builder.set_subject_name(&x509_name)?;
|
cert_builder.set_subject_name(&x509_name)?;
|
||||||
match issuer {
|
|
||||||
|
match req.issuer {
|
||||||
// Self-signed certificate
|
// Self-signed certificate
|
||||||
None => cert_builder.set_issuer_name(&x509_name)?,
|
None => cert_builder.set_issuer_name(&x509_name)?,
|
||||||
// Certificate signed by another CA
|
// Certificate signed by another CA
|
||||||
Some(i) => cert_builder.set_issuer_name(i.0.issuer_name())?,
|
Some(i) => cert_builder.set_issuer_name(i.cert.issuer_name())?,
|
||||||
}
|
}
|
||||||
|
|
||||||
cert_builder.set_pubkey(&key_pair)?;
|
cert_builder.set_pubkey(&key_pair)?;
|
||||||
|
|
||||||
let not_before = Asn1Time::days_from_now(0)?;
|
let not_before = Asn1Time::days_from_now(0)?;
|
||||||
cert_builder.set_not_before(¬_before)?;
|
cert_builder.set_not_before(¬_before)?;
|
||||||
|
|
||||||
let not_after = Asn1Time::days_from_now(365 * 30)?;
|
let not_after = Asn1Time::days_from_now(365 * 30)?;
|
||||||
cert_builder.set_not_after(¬_after)?;
|
cert_builder.set_not_after(¬_after)?;
|
||||||
|
|
||||||
if let Some(issuer) = issuer {
|
// Specify CRL URL
|
||||||
|
if let Some(issuer) = req.issuer {
|
||||||
|
if let Some(crl) = &issuer.crl {
|
||||||
let crl_url = format!(
|
let crl_url = format!(
|
||||||
"{}/crl/{}.crl",
|
"{}/crl/{}",
|
||||||
AppConfig::get().unsecure_origin(),
|
AppConfig::get().unsecure_origin(),
|
||||||
"FIXME_TODO"
|
crl.file_name().unwrap().to_string_lossy()
|
||||||
);
|
);
|
||||||
|
|
||||||
let crl_obj = Asn1Object::from_str("2.5.29.31")?;
|
cert_builder
|
||||||
|
.append_extension(CRLDistributionPointExt { url: crl_url }.as_extension()?)?;
|
||||||
let TAG_A0 = Tag::from_bytes(&[0xa0]).unwrap().0;
|
}
|
||||||
let TAG_86 = Tag::from_bytes(&[0x86]).unwrap().0;
|
|
||||||
|
|
||||||
let crl_bytes = asn1::write(|w| {
|
|
||||||
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
|
||||||
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
|
||||||
w.write_tlv(TAG_A0, |w| {
|
|
||||||
w.push_slice(&asn1::write(|w| {
|
|
||||||
w.write_tlv(TAG_A0, |w| {
|
|
||||||
w.push_slice(&asn1::write(|w| {
|
|
||||||
w.write_tlv(TAG_86, |b| b.push_slice(crl_url.as_bytes()))?;
|
|
||||||
Ok(())
|
|
||||||
})?)
|
|
||||||
})?;
|
|
||||||
|
|
||||||
Ok(())
|
|
||||||
})?)
|
|
||||||
})?;
|
|
||||||
Ok(())
|
|
||||||
}))?;
|
|
||||||
Ok(())
|
|
||||||
}))
|
|
||||||
})?;
|
|
||||||
|
|
||||||
cert_builder.append_extension(X509Extension::new_from_der(
|
|
||||||
crl_obj.as_ref(),
|
|
||||||
false,
|
|
||||||
Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
|
|
||||||
)?)?;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If cert is a CA or not
|
||||||
|
if req.ca {
|
||||||
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
|
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
|
||||||
|
}
|
||||||
|
|
||||||
cert_builder.append_extension(
|
// Key usage
|
||||||
KeyUsage::new()
|
let mut key_usage = KeyUsage::new();
|
||||||
.critical()
|
if req.ca {
|
||||||
.key_cert_sign()
|
key_usage.key_cert_sign().crl_sign();
|
||||||
.crl_sign()
|
}
|
||||||
.build()?,
|
cert_builder.append_extension(key_usage.critical().build()?)?;
|
||||||
)?;
|
|
||||||
|
|
||||||
|
// Subject key identifier
|
||||||
let subject_key_identifier =
|
let subject_key_identifier =
|
||||||
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
|
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
|
||||||
|
|
||||||
cert_builder.append_extension(subject_key_identifier)?;
|
cert_builder.append_extension(subject_key_identifier)?;
|
||||||
|
|
||||||
|
// Sign certificate
|
||||||
cert_builder.sign(
|
cert_builder.sign(
|
||||||
match issuer {
|
match req.issuer {
|
||||||
None => &key_pair,
|
None => &key_pair,
|
||||||
Some(i) => &i.1,
|
Some(i) => &i.key,
|
||||||
},
|
},
|
||||||
MessageDigest::sha256(),
|
MessageDigest::sha256(),
|
||||||
)?;
|
)?;
|
||||||
@ -158,7 +144,11 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
|
|||||||
|
|
||||||
log::info!("Generating root ca...");
|
log::info!("Generating root ca...");
|
||||||
|
|
||||||
let (key, cert) = gen_intermediate_or_root_ca("SolarEnergy Root CA", None)?;
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
||||||
|
cn: "SolarEnergy Root CA",
|
||||||
|
issuer: None,
|
||||||
|
ca: true,
|
||||||
|
})?;
|
||||||
|
|
||||||
// Serialize generated web CA
|
// Serialize generated web CA
|
||||||
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
|
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
|
||||||
@ -177,8 +167,11 @@ pub fn initialize_web_ca() -> anyhow::Result<()> {
|
|||||||
|
|
||||||
log::info!("Generating web ca...");
|
log::info!("Generating web ca...");
|
||||||
|
|
||||||
let (key, cert) =
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
||||||
gen_intermediate_or_root_ca("SolarEnergy Web CA", Some(&CertAndKey::load_root_ca()?))?;
|
cn: "SolarEnergy Web CA",
|
||||||
|
issuer: Some(&CertData::load_root_ca()?),
|
||||||
|
ca: true,
|
||||||
|
})?;
|
||||||
|
|
||||||
// Serialize generated web CA
|
// Serialize generated web CA
|
||||||
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
|
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
|
||||||
@ -197,8 +190,11 @@ pub fn initialize_devices_ca() -> anyhow::Result<()> {
|
|||||||
|
|
||||||
log::info!("Generating devices ca...");
|
log::info!("Generating devices ca...");
|
||||||
|
|
||||||
let (key, cert) =
|
let (key, cert) = gen_certificate(GenCertificateReq {
|
||||||
gen_intermediate_or_root_ca("SolarEnergy Devices CA", Some(&CertAndKey::load_root_ca()?))?;
|
cn: "SolarEnergy Devices CA",
|
||||||
|
issuer: Some(&CertData::load_root_ca()?),
|
||||||
|
ca: true,
|
||||||
|
})?;
|
||||||
|
|
||||||
// Serialize generated devices CA
|
// Serialize generated devices CA
|
||||||
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
|
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
|
@ -1,3 +1,3 @@
|
|||||||
pub mod app_config;
|
pub mod app_config;
|
||||||
pub mod pki;
|
pub mod crypto;
|
||||||
pub mod utils;
|
pub mod utils;
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
use central_backend::app_config::AppConfig;
|
use central_backend::app_config::AppConfig;
|
||||||
use central_backend::pki;
|
use central_backend::crypto::pki;
|
||||||
use central_backend::utils::files_utils::create_directory_if_missing;
|
use central_backend::utils::files_utils::create_directory_if_missing;
|
||||||
|
|
||||||
fn main() {
|
fn main() {
|
||||||
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
||||||
|
|
||||||
// Initialize storage
|
// Initialize storage
|
||||||
create_directory_if_missing(&AppConfig::get().pki_path()).unwrap();
|
create_directory_if_missing(AppConfig::get().pki_path()).unwrap();
|
||||||
|
|
||||||
// Initialize PKI
|
// Initialize PKI
|
||||||
pki::initialize_root_ca().expect("Failed to initialize Root CA!");
|
pki::initialize_root_ca().expect("Failed to initialize Root CA!");
|
||||||
|
Loading…
Reference in New Issue
Block a user