pierre/SolarEnergy
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases 3 Wiki Activity

Can issue certificate for devices

Browse Source
This commit is contained in:
Pierre HUBERT
2024-07-01 22:24:03 +02:00
parent 9ba4aa5194
commit e64a444bd0
6 changed files with 181 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
central_backend/src/crypto/pki.rs
View File

@ -13,7 +13,7 @@ use openssl::pkey::{PKey, Private};
use openssl::x509::extension::{
BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier,
};
use openssl::x509::{X509Crl, X509NameBuilder, X509};
use openssl::x509::{X509Crl, X509Name, X509NameBuilder, X509Req, X509};
use openssl_sys::{
X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
@ -102,25 +102,30 @@ fn load_crl_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509Crl> {
Ok(X509Crl::from_pem(&std::fs::read(path)?)?)
}
#[allow(clippy::upper_case_acronyms)]
enum GenCertificatSubjectReq<'a> {
Subject { cn: &'a str },
CSR { csr: &'a X509Req },
}
impl<'a> Default for GenCertificatSubjectReq<'a> {
fn default() -> Self {
Self::Subject { cn: "" }
}
}
#[derive(Default)]
struct GenCertificateReq<'a> {
cn: &'a str,
issuer: Option<&'a CertData>,
ca: bool,
web_server: bool,
subject_alternative_names: Vec<&'a str>,
pub sub: GenCertificatSubjectReq<'a>,
pub issuer: Option<&'a CertData>,
pub ca: bool,
pub web_server: bool,
pub web_client: bool,
pub subject_alternative_names: Vec<&'a str>,
}
/// Generate certificate
fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
// Generate root private key
let key_pair = gen_private_key()?;
let mut x509_name = X509NameBuilder::new()?;
x509_name.append_entry_by_text("C", "FR")?;
x509_name.append_entry_by_text("CN", req.cn)?;
let x509_name = x509_name.build();
fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Option<Vec<u8>>, Vec<u8>)> {
let mut cert_builder = X509::builder()?;
cert_builder.set_version(2)?;
let serial_number = {
@ -129,6 +134,18 @@ fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)>
serial.to_asn1_integer()?
};
cert_builder.set_serial_number(&serial_number)?;
// Process subject
let x509_name = match req.sub {
GenCertificatSubjectReq::Subject { cn } => {
let mut x509_name = X509NameBuilder::new()?;
x509_name.append_entry_by_text("C", "FR")?;
x509_name.append_entry_by_text("CN", cn)?;
x509_name.build()
}
GenCertificatSubjectReq::CSR { csr } => X509Name::from_der(&csr.subject_name().to_der()?)?,
};
cert_builder.set_subject_name(&x509_name)?;
match req.issuer {
@ -138,8 +155,6 @@ fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)>
Some(i) => cert_builder.set_issuer_name(i.cert.subject_name())?,
}
cert_builder.set_pubkey(&key_pair)?;
let not_before = Asn1Time::days_from_now(0)?;
cert_builder.set_not_before(&not_before)?;
@ -182,6 +197,11 @@ fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)>
.build()?,
);
}
if req.web_client {
key_usage.digital_signature().key_encipherment();
eku = Some(ExtendedKeyUsage::new().client_auth().build()?);
}
cert_builder.append_extension(key_usage.critical().build()?)?;
if let Some(eku) = eku {
@ -202,17 +222,42 @@ fn gen_certificate(req: GenCertificateReq) -> anyhow::Result<(Vec<u8>, Vec<u8>)>
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
cert_builder.append_extension(subject_key_identifier)?;
// Sign certificate
cert_builder.sign(
match req.issuer {
None => &key_pair,
Some(i) => &i.key,
},
MessageDigest::sha256(),
)?;
let cert = cert_builder.build();
// Public key
match req.sub {
// Private key known
GenCertificatSubjectReq::Subject { .. } => {
let key_pair = gen_private_key()?;
cert_builder.set_pubkey(&key_pair)?;
Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
// Sign certificate
cert_builder.sign(
match req.issuer {
None => &key_pair,
Some(i) => &i.key,
},
MessageDigest::sha256(),
)?;
let cert = cert_builder.build();
Ok((Some(key_pair.private_key_to_pem_pkcs8()?), cert.to_pem()?))
}
// Private key unknown
GenCertificatSubjectReq::CSR { csr } => {
let pub_key = csr.public_key()?;
cert_builder.set_pubkey(pub_key.as_ref())?;
// Sign certificate
cert_builder.sign(
&req.issuer
.expect("Cannot issue certificate for CSR if issuer is not specified!")
.key,
MessageDigest::sha256(),
)?;
let cert = cert_builder.build();
Ok((None, cert.to_pem()?))
}
}
}
/// Initialize Root CA, if required
@ -226,14 +271,16 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
log::info!("Generating root ca...");
let (key, cert) = gen_certificate(GenCertificateReq {
cn: "SolarEnergy Root CA",
sub: GenCertificatSubjectReq::Subject {
cn: "SolarEnergy Root CA",
},
issuer: None,
ca: true,
..Default::default()
})?;
// Serialize generated web CA
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key.unwrap())?;
std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
Ok(())
@ -250,14 +297,16 @@ pub fn initialize_web_ca() -> anyhow::Result<()> {
log::info!("Generating web ca...");
let (key, cert) = gen_certificate(GenCertificateReq {
cn: "SolarEnergy Web CA",
sub: GenCertificatSubjectReq::Subject {
cn: "SolarEnergy Web CA",
},
issuer: Some(&CertData::load_root_ca()?),
ca: true,
..Default::default()
})?;
// Serialize generated web CA
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key.unwrap())?;
std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
Ok(())
@ -274,14 +323,16 @@ pub fn initialize_devices_ca() -> anyhow::Result<()> {
log::info!("Generating devices ca...");
let (key, cert) = gen_certificate(GenCertificateReq {
cn: "SolarEnergy Devices CA",
sub: GenCertificatSubjectReq::Subject {
cn: "SolarEnergy Devices CA",
},
issuer: Some(&CertData::load_root_ca()?),
ca: true,
..Default::default()
})?;
// Serialize generated devices CA
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key.unwrap())?;
std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
Ok(())
@ -298,14 +349,16 @@ pub fn initialize_server_ca() -> anyhow::Result<()> {
log::info!("Generating server certificate...");
let (key, cert) = gen_certificate(GenCertificateReq {
cn: &AppConfig::get().hostname,
sub: GenCertificatSubjectReq::Subject {
cn: AppConfig::get().hostname.as_str(),
},
issuer: Some(&CertData::load_web_ca()?),
web_server: true,
subject_alternative_names: vec![AppConfig::get().hostname.as_str()],
..Default::default()
})?;
std::fs::write(AppConfig::get().server_priv_key_path(), key)?;
std::fs::write(AppConfig::get().server_priv_key_path(), key.unwrap())?;
std::fs::write(AppConfig::get().server_cert_path(), cert)?;
Ok(())
@ -386,3 +439,15 @@ pub fn refresh_crls() -> anyhow::Result<()> {
refresh_crl(&CertData::load_devices_ca()?)?;
Ok(())
}
/// Generate a certificate for a device
pub fn gen_certificate_for_device(csr: &X509Req) -> anyhow::Result<String> {
let (_, cert) = gen_certificate(GenCertificateReq {
sub: GenCertificatSubjectReq::CSR { csr },
issuer: Some(&CertData::load_devices_ca()?),
web_client: true,
..Default::default()
})?;
Ok(String::from_utf8(cert)?)
}