From f4e2bb69b6dcd717d91d82beaef229b1ef939d4e Mon Sep 17 00:00:00 2001 From: Pierre HUBERT Date: Fri, 28 Jun 2024 01:05:02 +0200 Subject: [PATCH] WIP cert authorities --- central_backend/Cargo.lock | 21 +++ central_backend/Cargo.toml | 3 +- central_backend/src/app_config.rs | 49 ++++++- central_backend/src/lib.rs | 2 +- central_backend/src/main.rs | 2 + central_backend/src/pki.rs | 176 ++++++++++++++++++++--- central_backend/src/utils/files_utils.rs | 2 +- central_backend/src/utils/mod.rs | 2 +- 8 files changed, 232 insertions(+), 25 deletions(-) diff --git a/central_backend/Cargo.lock b/central_backend/Cargo.lock index db3c3ee..9c35800 100644 --- a/central_backend/Cargo.lock +++ b/central_backend/Cargo.lock @@ -66,6 +66,26 @@ version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da" +[[package]] +name = "asn1" +version = "0.16.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd" +dependencies = [ + "asn1_derive", +] + +[[package]] +name = "asn1_derive" +version = "0.16.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "bitflags" version = "2.6.0" @@ -83,6 +103,7 @@ name = "central_backend" version = "0.1.0" dependencies = [ "anyhow", + "asn1", "clap", "env_logger", "lazy_static", diff --git a/central_backend/Cargo.toml b/central_backend/Cargo.toml index d664cff..d3646fe 100644 --- a/central_backend/Cargo.toml +++ b/central_backend/Cargo.toml @@ -10,4 +10,5 @@ lazy_static = "1.5.0" clap = { version = "4.5.7", features = ["derive", "env"] } anyhow = "1.0.86" thiserror = "1.0.61" -openssl = { version = "0.10.64" } \ No newline at end of file +openssl = { version = "0.10.64" } +asn1 = "0.16" \ No newline at end of file diff --git a/central_backend/src/app_config.rs b/central_backend/src/app_config.rs index ed66295..5fc3c53 100644 --- a/central_backend/src/app_config.rs +++ b/central_backend/src/app_config.rs @@ -1,5 +1,5 @@ -use std::path::{Path, PathBuf}; use clap::Parser; +use std::path::{Path, PathBuf}; /// Solar system central backend #[derive(Parser, Debug)] @@ -9,6 +9,14 @@ pub struct AppConfig { #[arg(short, long, env, default_value = "0.0.0.0:8443")] listen_address: String, + /// The port the server will listen to (using HTTP, for unsecure connections) + #[arg(short, long, env, default_value = "0.0.0.0:8080")] + unsecure_listen_address: String, + + /// Public server hostname (assuming that the ports used are the same for listen address) + #[arg(short('H'), long, env, default_value = "localhost")] + hostname: String, + /// Server storage path #[arg(short, long, env, default_value = "storage")] storage: String, @@ -26,6 +34,23 @@ impl AppConfig { &ARGS } + /// URL for unsecure connections + pub fn unsecure_origin(&self) -> String { + format!( + "http://{}:{}", + self.hostname, + self.unsecure_listen_address.split_once(':').unwrap().1 + ) + } + + /// URL for secure connections + pub fn secure_origin(&self) -> String { + format!( + "https://{}:{}", + self.hostname, + self.listen_address.split_once(':').unwrap().1 + ) + } /// Get storage path pub fn storage_path(&self) -> PathBuf { @@ -46,6 +71,26 @@ impl AppConfig { pub fn root_ca_priv_key_path(&self) -> PathBuf { self.pki_path().join("root_ca.key") } + + /// Get PKI web CA cert path + pub fn web_ca_cert_path(&self) -> PathBuf { + self.pki_path().join("web_ca.pem") + } + + /// Get PKI web CA private key path + pub fn web_ca_priv_key_path(&self) -> PathBuf { + self.pki_path().join("web_ca.key") + } + + /// Get PKI devices CA cert path + pub fn devices_ca_cert_path(&self) -> PathBuf { + self.pki_path().join("devices_ca.pem") + } + + /// Get PKI devices CA private key path + pub fn devices_ca_priv_key_path(&self) -> PathBuf { + self.pki_path().join("devices_ca.key") + } } #[cfg(test)] @@ -57,4 +102,4 @@ mod test { use clap::CommandFactory; AppConfig::command().debug_assert() } -} \ No newline at end of file +} diff --git a/central_backend/src/lib.rs b/central_backend/src/lib.rs index 452d557..bb4e167 100644 --- a/central_backend/src/lib.rs +++ b/central_backend/src/lib.rs @@ -1,3 +1,3 @@ pub mod app_config; pub mod pki; -pub mod utils; \ No newline at end of file +pub mod utils; diff --git a/central_backend/src/main.rs b/central_backend/src/main.rs index d3b0322..a4a03e9 100644 --- a/central_backend/src/main.rs +++ b/central_backend/src/main.rs @@ -10,4 +10,6 @@ fn main() { // Initialize PKI pki::initialize_root_ca().expect("Failed to initialize Root CA!"); + pki::initialize_web_ca().expect("Failed to initialize web CA!"); + pki::initialize_devices_ca().expect("Failed to initialize devices CA!"); } diff --git a/central_backend/src/pki.rs b/central_backend/src/pki.rs index c8d7dab..b92418c 100644 --- a/central_backend/src/pki.rs +++ b/central_backend/src/pki.rs @@ -1,31 +1,71 @@ -use openssl::asn1::Asn1Time; +use crate::app_config::AppConfig; +use asn1::{ + parse_single, Asn1Readable, Asn1Writable, Implicit, OctetStringEncoded, ParseResult, + SimpleAsn1Readable, SimpleAsn1Writable, Tag, WriteBuf, WriteResult, Writer, +}; +use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1OctetStringRef, Asn1Time}; use openssl::bn::{BigNum, MsbOption}; use openssl::ec::EcGroup; use openssl::hash::MessageDigest; use openssl::nid::Nid; -use openssl::pkey::PKey; +use openssl::pkey::{PKey, Private}; +use openssl::x509; use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier}; -use openssl::x509::{X509, X509NameBuilder}; -use crate::app_config::AppConfig; +use openssl::x509::{X509Extension, X509NameBuilder, X509}; +use std::path::Path; -/// Initialize Root CA, if required -pub fn initialize_root_ca() -> anyhow::Result<()> { - if AppConfig::get().root_ca_cert_path().exists() - && AppConfig::get().root_ca_priv_key_path().exists() { - return Ok(()); +/// Certificate and private key +struct CertAndKey(X509, PKey); + +impl CertAndKey { + /// Load root CA + fn load_root_ca() -> anyhow::Result { + Ok(Self( + load_certificate_from_file(AppConfig::get().root_ca_cert_path())?, + load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?, + )) } +} - log::info!("Generating root ca..."); - - // Generate root private key +/// Generate private key +fn gen_private_key() -> anyhow::Result> { let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve let group = EcGroup::from_curve_name(nid)?; let key = openssl::ec::EcKey::generate(&group)?; let key_pair = PKey::from_ec_key(key.clone())?; + Ok(key_pair) +} + +/// Load private key from PEM file +fn load_priv_key_from_file>(path: P) -> anyhow::Result> { + Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?) +} + +/// Load certificate from PEM file +fn load_certificate_from_file>(path: P) -> anyhow::Result { + Ok(X509::from_pem(&std::fs::read(path)?)?) +} + +struct CustomOctetStringEncoded(OctetStringEncoded); +impl SimpleAsn1Writable for CustomOctetStringEncoded { + const TAG: Tag = Tag::primitive(0x86); + fn write_data(&self, dest: &mut WriteBuf) -> WriteResult { + self.0.write(&mut Writer::new(dest)) + } +} + +/// Generate intermediate or root CA +fn gen_intermediate_or_root_ca( + cn: &str, + issuer: Option<&CertAndKey>, +) -> anyhow::Result<(Vec, Vec)> { + // Generate root private key + let key_pair = gen_private_key()?; + let mut x509_name = X509NameBuilder::new()?; x509_name.append_entry_by_text("C", "FR")?; - x509_name.append_entry_by_text("CN", "SolarEnergy Root CA")?; + x509_name.append_entry_by_text("CN", cn)?; let x509_name = x509_name.build(); let mut cert_builder = X509::builder()?; @@ -37,14 +77,50 @@ pub fn initialize_root_ca() -> anyhow::Result<()> { }; cert_builder.set_serial_number(&serial_number)?; cert_builder.set_subject_name(&x509_name)?; - cert_builder.set_issuer_name(&x509_name)?; + match issuer { + // Self-signed certificate + None => cert_builder.set_issuer_name(&x509_name)?, + // Certificate signed by another CA + Some(i) => cert_builder.set_issuer_name(i.0.issuer_name())?, + } cert_builder.set_pubkey(&key_pair)?; let not_before = Asn1Time::days_from_now(0)?; cert_builder.set_not_before(¬_before)?; let not_after = Asn1Time::days_from_now(365 * 30)?; cert_builder.set_not_after(¬_after)?; + if let Some(issuer) = issuer { + let crl_url = format!( + "{}/crl/{}.crl", + AppConfig::get().unsecure_origin(), + "FIXME_TODO" + ); + + let crl_obj = Asn1Object::from_str("2.5.29.31")?; + + let content: Implicit, 0xa0> = asn1::Implicit::new( + CustomOctetStringEncoded(OctetStringEncoded::new(crl_url.as_bytes())), + ); + + let crl_bytes = asn1::write(|w| { + w.write_element(&asn1::SequenceWriter::new(&|w| { + w.write_element(&asn1::SequenceWriter::new(&|w| { + w.write_implicit_element(&content, 0xa0)?; + Ok(()) + }))?; + Ok(()) + })) + })?; + + cert_builder.append_extension(X509Extension::new_from_der( + crl_obj.as_ref(), + false, + Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(), + )?)?; + } + cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?; + cert_builder.append_extension( KeyUsage::new() .critical() @@ -55,14 +131,76 @@ pub fn initialize_root_ca() -> anyhow::Result<()> { let subject_key_identifier = SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?; + cert_builder.append_extension(subject_key_identifier)?; - cert_builder.sign(&key_pair, MessageDigest::sha256())?; + cert_builder.sign( + match issuer { + None => &key_pair, + Some(i) => &i.1, + }, + MessageDigest::sha256(), + )?; let cert = cert_builder.build(); - // Serialize generated root CA - std::fs::write(AppConfig::get().root_ca_priv_key_path(), key.private_key_to_pem()?)?; - std::fs::write(AppConfig::get().root_ca_cert_path(), cert.to_pem()?)?; + Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?)) +} + +/// Initialize Root CA, if required +pub fn initialize_root_ca() -> anyhow::Result<()> { + if AppConfig::get().root_ca_cert_path().exists() + && AppConfig::get().root_ca_priv_key_path().exists() + { + return Ok(()); + } + + log::info!("Generating root ca..."); + + let (key, cert) = gen_intermediate_or_root_ca("SolarEnergy Root CA", None)?; + + // Serialize generated web CA + std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?; + std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?; Ok(()) -} \ No newline at end of file +} + +/// Initialize web CA, if required +pub fn initialize_web_ca() -> anyhow::Result<()> { + if AppConfig::get().web_ca_cert_path().exists() + && AppConfig::get().web_ca_priv_key_path().exists() + { + return Ok(()); + } + + log::info!("Generating web ca..."); + + let (key, cert) = + gen_intermediate_or_root_ca("SolarEnergy Web CA", Some(&CertAndKey::load_root_ca()?))?; + + // Serialize generated web CA + std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?; + std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?; + + Ok(()) +} + +/// Initialize devices CA, if required +pub fn initialize_devices_ca() -> anyhow::Result<()> { + if AppConfig::get().devices_ca_cert_path().exists() + && AppConfig::get().devices_ca_priv_key_path().exists() + { + return Ok(()); + } + + log::info!("Generating devices ca..."); + + let (key, cert) = + gen_intermediate_or_root_ca("SolarEnergy Devices CA", Some(&CertAndKey::load_root_ca()?))?; + + // Serialize generated devices CA + std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?; + std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?; + + Ok(()) +} diff --git a/central_backend/src/utils/files_utils.rs b/central_backend/src/utils/files_utils.rs index cabc25f..4eaa780 100644 --- a/central_backend/src/utils/files_utils.rs +++ b/central_backend/src/utils/files_utils.rs @@ -7,4 +7,4 @@ pub fn create_directory_if_missing>(path: P) -> anyhow::Result<() std::fs::create_dir_all(path)?; } Ok(()) -} \ No newline at end of file +} diff --git a/central_backend/src/utils/mod.rs b/central_backend/src/utils/mod.rs index 1582910..b68ecd0 100644 --- a/central_backend/src/utils/mod.rs +++ b/central_backend/src/utils/mod.rs @@ -1 +1 @@ -pub mod files_utils; \ No newline at end of file +pub mod files_utils;