WIP cert authorities

central_backend/Cargo.lock

@@ -66,6 +66,26 @@ version = "1.0.86"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
 
+[[package]]
+name = "asn1"
+version = "0.16.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd"
+dependencies = [
+ "asn1_derive",
+]
+
+[[package]]
+name = "asn1_derive"
+version = "0.16.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "bitflags"
 version = "2.6.0"
@@ -83,6 +103,7 @@ name = "central_backend"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "asn1",
  "clap",
  "env_logger",
  "lazy_static",

central_backend/Cargo.toml

@@ -11,3 +11,4 @@ clap = { version = "4.5.7", features = ["derive", "env"] }
 anyhow = "1.0.86"
 thiserror = "1.0.61"
 openssl = { version = "0.10.64" }
+asn1 = "0.16"

central_backend/src/app_config.rs

@@ -1,5 +1,5 @@
-use std::path::{Path, PathBuf};
 use clap::Parser;
+use std::path::{Path, PathBuf};
 
 /// Solar system central backend
 #[derive(Parser, Debug)]
@@ -9,6 +9,14 @@ pub struct AppConfig {
     #[arg(short, long, env, default_value = "0.0.0.0:8443")]
     listen_address: String,
 
+    /// The port the server will listen to (using HTTP, for unsecure connections)
+    #[arg(short, long, env, default_value = "0.0.0.0:8080")]
+    unsecure_listen_address: String,
+
+    /// Public server hostname (assuming that the ports used are the same for listen address)
+    #[arg(short('H'), long, env, default_value = "localhost")]
+    hostname: String,
+
     /// Server storage path
     #[arg(short, long, env, default_value = "storage")]
     storage: String,
@@ -26,6 +34,23 @@ impl AppConfig {
         &ARGS
     }
 
+    /// URL for unsecure connections
+    pub fn unsecure_origin(&self) -> String {
+        format!(
+            "http://{}:{}",
+            self.hostname,
+            self.unsecure_listen_address.split_once(':').unwrap().1
+        )
+    }
+
+    /// URL for secure connections
+    pub fn secure_origin(&self) -> String {
+        format!(
+            "https://{}:{}",
+            self.hostname,
+            self.listen_address.split_once(':').unwrap().1
+        )
+    }
 
     /// Get storage path
     pub fn storage_path(&self) -> PathBuf {
@@ -46,6 +71,26 @@ impl AppConfig {
     pub fn root_ca_priv_key_path(&self) -> PathBuf {
         self.pki_path().join("root_ca.key")
     }
+
+    /// Get PKI web CA cert path
+    pub fn web_ca_cert_path(&self) -> PathBuf {
+        self.pki_path().join("web_ca.pem")
+    }
+
+    /// Get PKI web CA private key path
+    pub fn web_ca_priv_key_path(&self) -> PathBuf {
+        self.pki_path().join("web_ca.key")
+    }
+
+    /// Get PKI devices CA cert path
+    pub fn devices_ca_cert_path(&self) -> PathBuf {
+        self.pki_path().join("devices_ca.pem")
+    }
+
+    /// Get PKI devices CA private key path
+    pub fn devices_ca_priv_key_path(&self) -> PathBuf {
+        self.pki_path().join("devices_ca.key")
+    }
 }
 
 #[cfg(test)]

central_backend/src/main.rs

@@ -10,4 +10,6 @@ fn main() {
 
     // Initialize PKI
     pki::initialize_root_ca().expect("Failed to initialize Root CA!");
+    pki::initialize_web_ca().expect("Failed to initialize web CA!");
+    pki::initialize_devices_ca().expect("Failed to initialize devices CA!");
 }

central_backend/src/pki.rs

@@ -1,31 +1,71 @@
-use openssl::asn1::Asn1Time;
+use crate::app_config::AppConfig;
+use asn1::{
+    parse_single, Asn1Readable, Asn1Writable, Implicit, OctetStringEncoded, ParseResult,
+    SimpleAsn1Readable, SimpleAsn1Writable, Tag, WriteBuf, WriteResult, Writer,
+};
+use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1OctetStringRef, Asn1Time};
 use openssl::bn::{BigNum, MsbOption};
 use openssl::ec::EcGroup;
 use openssl::hash::MessageDigest;
 use openssl::nid::Nid;
-use openssl::pkey::PKey;
+use openssl::pkey::{PKey, Private};
+use openssl::x509;
 use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
-use openssl::x509::{X509, X509NameBuilder};
+use openssl::x509::{X509Extension, X509NameBuilder, X509};
-use crate::app_config::AppConfig;
+use std::path::Path;
 
-/// Initialize Root CA, if required
+/// Certificate and private key
-pub fn initialize_root_ca() -> anyhow::Result<()> {
+struct CertAndKey(X509, PKey<Private>);
-    if AppConfig::get().root_ca_cert_path().exists()
+
-        && AppConfig::get().root_ca_priv_key_path().exists() {
+impl CertAndKey {
-        return Ok(());
+    /// Load root CA
+    fn load_root_ca() -> anyhow::Result<Self> {
+        Ok(Self(
+            load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
+            load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
+        ))
+    }
 }
 
-    log::info!("Generating root ca...");
+/// Generate private key
-
+fn gen_private_key() -> anyhow::Result<PKey<Private>> {
-    // Generate root private key
     let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
     let group = EcGroup::from_curve_name(nid)?;
     let key = openssl::ec::EcKey::generate(&group)?;
     let key_pair = PKey::from_ec_key(key.clone())?;
 
+    Ok(key_pair)
+}
+
+/// Load private key from PEM file
+fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
+    Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
+}
+
+/// Load certificate from PEM file
+fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
+    Ok(X509::from_pem(&std::fs::read(path)?)?)
+}
+
+struct CustomOctetStringEncoded<T>(OctetStringEncoded<T>);
+impl<T: Asn1Writable> SimpleAsn1Writable for CustomOctetStringEncoded<T> {
+    const TAG: Tag = Tag::primitive(0x86);
+    fn write_data(&self, dest: &mut WriteBuf) -> WriteResult {
+        self.0.write(&mut Writer::new(dest))
+    }
+}
+
+/// Generate intermediate or root CA
+fn gen_intermediate_or_root_ca(
+    cn: &str,
+    issuer: Option<&CertAndKey>,
+) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
+    // Generate root private key
+    let key_pair = gen_private_key()?;
+
     let mut x509_name = X509NameBuilder::new()?;
     x509_name.append_entry_by_text("C", "FR")?;
-    x509_name.append_entry_by_text("CN", "SolarEnergy Root CA")?;
+    x509_name.append_entry_by_text("CN", cn)?;
     let x509_name = x509_name.build();
 
     let mut cert_builder = X509::builder()?;
@@ -37,14 +77,50 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
     };
     cert_builder.set_serial_number(&serial_number)?;
     cert_builder.set_subject_name(&x509_name)?;
-    cert_builder.set_issuer_name(&x509_name)?;
+    match issuer {
+        // Self-signed certificate
+        None => cert_builder.set_issuer_name(&x509_name)?,
+        // Certificate signed by another CA
+        Some(i) => cert_builder.set_issuer_name(i.0.issuer_name())?,
+    }
     cert_builder.set_pubkey(&key_pair)?;
     let not_before = Asn1Time::days_from_now(0)?;
     cert_builder.set_not_before(&not_before)?;
     let not_after = Asn1Time::days_from_now(365 * 30)?;
     cert_builder.set_not_after(&not_after)?;
 
+    if let Some(issuer) = issuer {
+        let crl_url = format!(
+            "{}/crl/{}.crl",
+            AppConfig::get().unsecure_origin(),
+            "FIXME_TODO"
+        );
+
+        let crl_obj = Asn1Object::from_str("2.5.29.31")?;
+
+        let content: Implicit<CustomOctetStringEncoded<&[u8]>, 0xa0> = asn1::Implicit::new(
+            CustomOctetStringEncoded(OctetStringEncoded::new(crl_url.as_bytes())),
+        );
+
+        let crl_bytes = asn1::write(|w| {
+            w.write_element(&asn1::SequenceWriter::new(&|w| {
+                w.write_element(&asn1::SequenceWriter::new(&|w| {
+                    w.write_implicit_element(&content, 0xa0)?;
+                    Ok(())
+                }))?;
+                Ok(())
+            }))
+        })?;
+
+        cert_builder.append_extension(X509Extension::new_from_der(
+            crl_obj.as_ref(),
+            false,
+            Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
+        )?)?;
+    }
+
     cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
+
     cert_builder.append_extension(
         KeyUsage::new()
             .critical()
@@ -55,14 +131,76 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
 
     let subject_key_identifier =
         SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
+
     cert_builder.append_extension(subject_key_identifier)?;
 
-    cert_builder.sign(&key_pair, MessageDigest::sha256())?;
+    cert_builder.sign(
+        match issuer {
+            None => &key_pair,
+            Some(i) => &i.1,
+        },
+        MessageDigest::sha256(),
+    )?;
     let cert = cert_builder.build();
 
-    // Serialize generated root CA
+    Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
-    std::fs::write(AppConfig::get().root_ca_priv_key_path(), key.private_key_to_pem()?)?;
+}
-    std::fs::write(AppConfig::get().root_ca_cert_path(), cert.to_pem()?)?;
+
+/// Initialize Root CA, if required
+pub fn initialize_root_ca() -> anyhow::Result<()> {
+    if AppConfig::get().root_ca_cert_path().exists()
+        && AppConfig::get().root_ca_priv_key_path().exists()
+    {
+        return Ok(());
+    }
+
+    log::info!("Generating root ca...");
+
+    let (key, cert) = gen_intermediate_or_root_ca("SolarEnergy Root CA", None)?;
+
+    // Serialize generated web CA
+    std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
+    std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
+
+    Ok(())
+}
+
+/// Initialize web CA, if required
+pub fn initialize_web_ca() -> anyhow::Result<()> {
+    if AppConfig::get().web_ca_cert_path().exists()
+        && AppConfig::get().web_ca_priv_key_path().exists()
+    {
+        return Ok(());
+    }
+
+    log::info!("Generating web ca...");
+
+    let (key, cert) =
+        gen_intermediate_or_root_ca("SolarEnergy Web CA", Some(&CertAndKey::load_root_ca()?))?;
+
+    // Serialize generated web CA
+    std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
+    std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
+
+    Ok(())
+}
+
+/// Initialize devices CA, if required
+pub fn initialize_devices_ca() -> anyhow::Result<()> {
+    if AppConfig::get().devices_ca_cert_path().exists()
+        && AppConfig::get().devices_ca_priv_key_path().exists()
+    {
+        return Ok(());
+    }
+
+    log::info!("Generating devices ca...");
+
+    let (key, cert) =
+        gen_intermediate_or_root_ca("SolarEnergy Devices CA", Some(&CertAndKey::load_root_ca()?))?;
+
+    // Serialize generated devices CA
+    std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
+    std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
 
     Ok(())
 }