WIP cert authorities
This commit is contained in:
parent
e0801661eb
commit
f4e2bb69b6
21
central_backend/Cargo.lock
generated
21
central_backend/Cargo.lock
generated
@ -66,6 +66,26 @@ version = "1.0.86"
|
|||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
|
checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "asn1"
|
||||||
|
version = "0.16.2"
|
||||||
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
|
checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd"
|
||||||
|
dependencies = [
|
||||||
|
"asn1_derive",
|
||||||
|
]
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "asn1_derive"
|
||||||
|
version = "0.16.2"
|
||||||
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
|
checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987"
|
||||||
|
dependencies = [
|
||||||
|
"proc-macro2",
|
||||||
|
"quote",
|
||||||
|
"syn",
|
||||||
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "bitflags"
|
name = "bitflags"
|
||||||
version = "2.6.0"
|
version = "2.6.0"
|
||||||
@ -83,6 +103,7 @@ name = "central_backend"
|
|||||||
version = "0.1.0"
|
version = "0.1.0"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"anyhow",
|
"anyhow",
|
||||||
|
"asn1",
|
||||||
"clap",
|
"clap",
|
||||||
"env_logger",
|
"env_logger",
|
||||||
"lazy_static",
|
"lazy_static",
|
||||||
|
@ -11,3 +11,4 @@ clap = { version = "4.5.7", features = ["derive", "env"] }
|
|||||||
anyhow = "1.0.86"
|
anyhow = "1.0.86"
|
||||||
thiserror = "1.0.61"
|
thiserror = "1.0.61"
|
||||||
openssl = { version = "0.10.64" }
|
openssl = { version = "0.10.64" }
|
||||||
|
asn1 = "0.16"
|
@ -1,5 +1,5 @@
|
|||||||
use std::path::{Path, PathBuf};
|
|
||||||
use clap::Parser;
|
use clap::Parser;
|
||||||
|
use std::path::{Path, PathBuf};
|
||||||
|
|
||||||
/// Solar system central backend
|
/// Solar system central backend
|
||||||
#[derive(Parser, Debug)]
|
#[derive(Parser, Debug)]
|
||||||
@ -9,6 +9,14 @@ pub struct AppConfig {
|
|||||||
#[arg(short, long, env, default_value = "0.0.0.0:8443")]
|
#[arg(short, long, env, default_value = "0.0.0.0:8443")]
|
||||||
listen_address: String,
|
listen_address: String,
|
||||||
|
|
||||||
|
/// The port the server will listen to (using HTTP, for unsecure connections)
|
||||||
|
#[arg(short, long, env, default_value = "0.0.0.0:8080")]
|
||||||
|
unsecure_listen_address: String,
|
||||||
|
|
||||||
|
/// Public server hostname (assuming that the ports used are the same for listen address)
|
||||||
|
#[arg(short('H'), long, env, default_value = "localhost")]
|
||||||
|
hostname: String,
|
||||||
|
|
||||||
/// Server storage path
|
/// Server storage path
|
||||||
#[arg(short, long, env, default_value = "storage")]
|
#[arg(short, long, env, default_value = "storage")]
|
||||||
storage: String,
|
storage: String,
|
||||||
@ -26,6 +34,23 @@ impl AppConfig {
|
|||||||
&ARGS
|
&ARGS
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// URL for unsecure connections
|
||||||
|
pub fn unsecure_origin(&self) -> String {
|
||||||
|
format!(
|
||||||
|
"http://{}:{}",
|
||||||
|
self.hostname,
|
||||||
|
self.unsecure_listen_address.split_once(':').unwrap().1
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// URL for secure connections
|
||||||
|
pub fn secure_origin(&self) -> String {
|
||||||
|
format!(
|
||||||
|
"https://{}:{}",
|
||||||
|
self.hostname,
|
||||||
|
self.listen_address.split_once(':').unwrap().1
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
/// Get storage path
|
/// Get storage path
|
||||||
pub fn storage_path(&self) -> PathBuf {
|
pub fn storage_path(&self) -> PathBuf {
|
||||||
@ -46,6 +71,26 @@ impl AppConfig {
|
|||||||
pub fn root_ca_priv_key_path(&self) -> PathBuf {
|
pub fn root_ca_priv_key_path(&self) -> PathBuf {
|
||||||
self.pki_path().join("root_ca.key")
|
self.pki_path().join("root_ca.key")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Get PKI web CA cert path
|
||||||
|
pub fn web_ca_cert_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("web_ca.pem")
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Get PKI web CA private key path
|
||||||
|
pub fn web_ca_priv_key_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("web_ca.key")
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Get PKI devices CA cert path
|
||||||
|
pub fn devices_ca_cert_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("devices_ca.pem")
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Get PKI devices CA private key path
|
||||||
|
pub fn devices_ca_priv_key_path(&self) -> PathBuf {
|
||||||
|
self.pki_path().join("devices_ca.key")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
|
@ -10,4 +10,6 @@ fn main() {
|
|||||||
|
|
||||||
// Initialize PKI
|
// Initialize PKI
|
||||||
pki::initialize_root_ca().expect("Failed to initialize Root CA!");
|
pki::initialize_root_ca().expect("Failed to initialize Root CA!");
|
||||||
|
pki::initialize_web_ca().expect("Failed to initialize web CA!");
|
||||||
|
pki::initialize_devices_ca().expect("Failed to initialize devices CA!");
|
||||||
}
|
}
|
||||||
|
@ -1,31 +1,71 @@
|
|||||||
use openssl::asn1::Asn1Time;
|
use crate::app_config::AppConfig;
|
||||||
|
use asn1::{
|
||||||
|
parse_single, Asn1Readable, Asn1Writable, Implicit, OctetStringEncoded, ParseResult,
|
||||||
|
SimpleAsn1Readable, SimpleAsn1Writable, Tag, WriteBuf, WriteResult, Writer,
|
||||||
|
};
|
||||||
|
use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1OctetStringRef, Asn1Time};
|
||||||
use openssl::bn::{BigNum, MsbOption};
|
use openssl::bn::{BigNum, MsbOption};
|
||||||
use openssl::ec::EcGroup;
|
use openssl::ec::EcGroup;
|
||||||
use openssl::hash::MessageDigest;
|
use openssl::hash::MessageDigest;
|
||||||
use openssl::nid::Nid;
|
use openssl::nid::Nid;
|
||||||
use openssl::pkey::PKey;
|
use openssl::pkey::{PKey, Private};
|
||||||
|
use openssl::x509;
|
||||||
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
||||||
use openssl::x509::{X509, X509NameBuilder};
|
use openssl::x509::{X509Extension, X509NameBuilder, X509};
|
||||||
use crate::app_config::AppConfig;
|
use std::path::Path;
|
||||||
|
|
||||||
/// Initialize Root CA, if required
|
/// Certificate and private key
|
||||||
pub fn initialize_root_ca() -> anyhow::Result<()> {
|
struct CertAndKey(X509, PKey<Private>);
|
||||||
if AppConfig::get().root_ca_cert_path().exists()
|
|
||||||
&& AppConfig::get().root_ca_priv_key_path().exists() {
|
impl CertAndKey {
|
||||||
return Ok(());
|
/// Load root CA
|
||||||
|
fn load_root_ca() -> anyhow::Result<Self> {
|
||||||
|
Ok(Self(
|
||||||
|
load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
|
||||||
|
load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
|
||||||
|
))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
log::info!("Generating root ca...");
|
/// Generate private key
|
||||||
|
fn gen_private_key() -> anyhow::Result<PKey<Private>> {
|
||||||
// Generate root private key
|
|
||||||
let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
|
let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
|
||||||
let group = EcGroup::from_curve_name(nid)?;
|
let group = EcGroup::from_curve_name(nid)?;
|
||||||
let key = openssl::ec::EcKey::generate(&group)?;
|
let key = openssl::ec::EcKey::generate(&group)?;
|
||||||
let key_pair = PKey::from_ec_key(key.clone())?;
|
let key_pair = PKey::from_ec_key(key.clone())?;
|
||||||
|
|
||||||
|
Ok(key_pair)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Load private key from PEM file
|
||||||
|
fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
|
||||||
|
Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Load certificate from PEM file
|
||||||
|
fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
|
||||||
|
Ok(X509::from_pem(&std::fs::read(path)?)?)
|
||||||
|
}
|
||||||
|
|
||||||
|
struct CustomOctetStringEncoded<T>(OctetStringEncoded<T>);
|
||||||
|
impl<T: Asn1Writable> SimpleAsn1Writable for CustomOctetStringEncoded<T> {
|
||||||
|
const TAG: Tag = Tag::primitive(0x86);
|
||||||
|
fn write_data(&self, dest: &mut WriteBuf) -> WriteResult {
|
||||||
|
self.0.write(&mut Writer::new(dest))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Generate intermediate or root CA
|
||||||
|
fn gen_intermediate_or_root_ca(
|
||||||
|
cn: &str,
|
||||||
|
issuer: Option<&CertAndKey>,
|
||||||
|
) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
|
||||||
|
// Generate root private key
|
||||||
|
let key_pair = gen_private_key()?;
|
||||||
|
|
||||||
let mut x509_name = X509NameBuilder::new()?;
|
let mut x509_name = X509NameBuilder::new()?;
|
||||||
x509_name.append_entry_by_text("C", "FR")?;
|
x509_name.append_entry_by_text("C", "FR")?;
|
||||||
x509_name.append_entry_by_text("CN", "SolarEnergy Root CA")?;
|
x509_name.append_entry_by_text("CN", cn)?;
|
||||||
let x509_name = x509_name.build();
|
let x509_name = x509_name.build();
|
||||||
|
|
||||||
let mut cert_builder = X509::builder()?;
|
let mut cert_builder = X509::builder()?;
|
||||||
@ -37,14 +77,50 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
|
|||||||
};
|
};
|
||||||
cert_builder.set_serial_number(&serial_number)?;
|
cert_builder.set_serial_number(&serial_number)?;
|
||||||
cert_builder.set_subject_name(&x509_name)?;
|
cert_builder.set_subject_name(&x509_name)?;
|
||||||
cert_builder.set_issuer_name(&x509_name)?;
|
match issuer {
|
||||||
|
// Self-signed certificate
|
||||||
|
None => cert_builder.set_issuer_name(&x509_name)?,
|
||||||
|
// Certificate signed by another CA
|
||||||
|
Some(i) => cert_builder.set_issuer_name(i.0.issuer_name())?,
|
||||||
|
}
|
||||||
cert_builder.set_pubkey(&key_pair)?;
|
cert_builder.set_pubkey(&key_pair)?;
|
||||||
let not_before = Asn1Time::days_from_now(0)?;
|
let not_before = Asn1Time::days_from_now(0)?;
|
||||||
cert_builder.set_not_before(¬_before)?;
|
cert_builder.set_not_before(¬_before)?;
|
||||||
let not_after = Asn1Time::days_from_now(365 * 30)?;
|
let not_after = Asn1Time::days_from_now(365 * 30)?;
|
||||||
cert_builder.set_not_after(¬_after)?;
|
cert_builder.set_not_after(¬_after)?;
|
||||||
|
|
||||||
|
if let Some(issuer) = issuer {
|
||||||
|
let crl_url = format!(
|
||||||
|
"{}/crl/{}.crl",
|
||||||
|
AppConfig::get().unsecure_origin(),
|
||||||
|
"FIXME_TODO"
|
||||||
|
);
|
||||||
|
|
||||||
|
let crl_obj = Asn1Object::from_str("2.5.29.31")?;
|
||||||
|
|
||||||
|
let content: Implicit<CustomOctetStringEncoded<&[u8]>, 0xa0> = asn1::Implicit::new(
|
||||||
|
CustomOctetStringEncoded(OctetStringEncoded::new(crl_url.as_bytes())),
|
||||||
|
);
|
||||||
|
|
||||||
|
let crl_bytes = asn1::write(|w| {
|
||||||
|
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
||||||
|
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
||||||
|
w.write_implicit_element(&content, 0xa0)?;
|
||||||
|
Ok(())
|
||||||
|
}))?;
|
||||||
|
Ok(())
|
||||||
|
}))
|
||||||
|
})?;
|
||||||
|
|
||||||
|
cert_builder.append_extension(X509Extension::new_from_der(
|
||||||
|
crl_obj.as_ref(),
|
||||||
|
false,
|
||||||
|
Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
|
||||||
|
)?)?;
|
||||||
|
}
|
||||||
|
|
||||||
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
|
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
|
||||||
|
|
||||||
cert_builder.append_extension(
|
cert_builder.append_extension(
|
||||||
KeyUsage::new()
|
KeyUsage::new()
|
||||||
.critical()
|
.critical()
|
||||||
@ -55,14 +131,76 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
|
|||||||
|
|
||||||
let subject_key_identifier =
|
let subject_key_identifier =
|
||||||
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
|
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
|
||||||
|
|
||||||
cert_builder.append_extension(subject_key_identifier)?;
|
cert_builder.append_extension(subject_key_identifier)?;
|
||||||
|
|
||||||
cert_builder.sign(&key_pair, MessageDigest::sha256())?;
|
cert_builder.sign(
|
||||||
|
match issuer {
|
||||||
|
None => &key_pair,
|
||||||
|
Some(i) => &i.1,
|
||||||
|
},
|
||||||
|
MessageDigest::sha256(),
|
||||||
|
)?;
|
||||||
let cert = cert_builder.build();
|
let cert = cert_builder.build();
|
||||||
|
|
||||||
// Serialize generated root CA
|
Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
|
||||||
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key.private_key_to_pem()?)?;
|
}
|
||||||
std::fs::write(AppConfig::get().root_ca_cert_path(), cert.to_pem()?)?;
|
|
||||||
|
/// Initialize Root CA, if required
|
||||||
|
pub fn initialize_root_ca() -> anyhow::Result<()> {
|
||||||
|
if AppConfig::get().root_ca_cert_path().exists()
|
||||||
|
&& AppConfig::get().root_ca_priv_key_path().exists()
|
||||||
|
{
|
||||||
|
return Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
log::info!("Generating root ca...");
|
||||||
|
|
||||||
|
let (key, cert) = gen_intermediate_or_root_ca("SolarEnergy Root CA", None)?;
|
||||||
|
|
||||||
|
// Serialize generated web CA
|
||||||
|
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
|
||||||
|
std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Initialize web CA, if required
|
||||||
|
pub fn initialize_web_ca() -> anyhow::Result<()> {
|
||||||
|
if AppConfig::get().web_ca_cert_path().exists()
|
||||||
|
&& AppConfig::get().web_ca_priv_key_path().exists()
|
||||||
|
{
|
||||||
|
return Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
log::info!("Generating web ca...");
|
||||||
|
|
||||||
|
let (key, cert) =
|
||||||
|
gen_intermediate_or_root_ca("SolarEnergy Web CA", Some(&CertAndKey::load_root_ca()?))?;
|
||||||
|
|
||||||
|
// Serialize generated web CA
|
||||||
|
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
|
||||||
|
std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Initialize devices CA, if required
|
||||||
|
pub fn initialize_devices_ca() -> anyhow::Result<()> {
|
||||||
|
if AppConfig::get().devices_ca_cert_path().exists()
|
||||||
|
&& AppConfig::get().devices_ca_priv_key_path().exists()
|
||||||
|
{
|
||||||
|
return Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
log::info!("Generating devices ca...");
|
||||||
|
|
||||||
|
let (key, cert) =
|
||||||
|
gen_intermediate_or_root_ca("SolarEnergy Devices CA", Some(&CertAndKey::load_root_ca()?))?;
|
||||||
|
|
||||||
|
// Serialize generated devices CA
|
||||||
|
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
|
||||||
|
std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
Loading…
Reference in New Issue
Block a user