WIP cert authorities

This commit is contained in:
Pierre HUBERT 2024-06-28 01:05:02 +02:00
parent e0801661eb
commit f4e2bb69b6
8 changed files with 232 additions and 25 deletions

View File

@ -66,6 +66,26 @@ version = "1.0.86"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da" checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
[[package]]
name = "asn1"
version = "0.16.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd"
dependencies = [
"asn1_derive",
]
[[package]]
name = "asn1_derive"
version = "0.16.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]] [[package]]
name = "bitflags" name = "bitflags"
version = "2.6.0" version = "2.6.0"
@ -83,6 +103,7 @@ name = "central_backend"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"asn1",
"clap", "clap",
"env_logger", "env_logger",
"lazy_static", "lazy_static",

View File

@ -10,4 +10,5 @@ lazy_static = "1.5.0"
clap = { version = "4.5.7", features = ["derive", "env"] } clap = { version = "4.5.7", features = ["derive", "env"] }
anyhow = "1.0.86" anyhow = "1.0.86"
thiserror = "1.0.61" thiserror = "1.0.61"
openssl = { version = "0.10.64" } openssl = { version = "0.10.64" }
asn1 = "0.16"

View File

@ -1,5 +1,5 @@
use std::path::{Path, PathBuf};
use clap::Parser; use clap::Parser;
use std::path::{Path, PathBuf};
/// Solar system central backend /// Solar system central backend
#[derive(Parser, Debug)] #[derive(Parser, Debug)]
@ -9,6 +9,14 @@ pub struct AppConfig {
#[arg(short, long, env, default_value = "0.0.0.0:8443")] #[arg(short, long, env, default_value = "0.0.0.0:8443")]
listen_address: String, listen_address: String,
/// The port the server will listen to (using HTTP, for unsecure connections)
#[arg(short, long, env, default_value = "0.0.0.0:8080")]
unsecure_listen_address: String,
/// Public server hostname (assuming that the ports used are the same for listen address)
#[arg(short('H'), long, env, default_value = "localhost")]
hostname: String,
/// Server storage path /// Server storage path
#[arg(short, long, env, default_value = "storage")] #[arg(short, long, env, default_value = "storage")]
storage: String, storage: String,
@ -26,6 +34,23 @@ impl AppConfig {
&ARGS &ARGS
} }
/// URL for unsecure connections
pub fn unsecure_origin(&self) -> String {
format!(
"http://{}:{}",
self.hostname,
self.unsecure_listen_address.split_once(':').unwrap().1
)
}
/// URL for secure connections
pub fn secure_origin(&self) -> String {
format!(
"https://{}:{}",
self.hostname,
self.listen_address.split_once(':').unwrap().1
)
}
/// Get storage path /// Get storage path
pub fn storage_path(&self) -> PathBuf { pub fn storage_path(&self) -> PathBuf {
@ -46,6 +71,26 @@ impl AppConfig {
pub fn root_ca_priv_key_path(&self) -> PathBuf { pub fn root_ca_priv_key_path(&self) -> PathBuf {
self.pki_path().join("root_ca.key") self.pki_path().join("root_ca.key")
} }
/// Get PKI web CA cert path
pub fn web_ca_cert_path(&self) -> PathBuf {
self.pki_path().join("web_ca.pem")
}
/// Get PKI web CA private key path
pub fn web_ca_priv_key_path(&self) -> PathBuf {
self.pki_path().join("web_ca.key")
}
/// Get PKI devices CA cert path
pub fn devices_ca_cert_path(&self) -> PathBuf {
self.pki_path().join("devices_ca.pem")
}
/// Get PKI devices CA private key path
pub fn devices_ca_priv_key_path(&self) -> PathBuf {
self.pki_path().join("devices_ca.key")
}
} }
#[cfg(test)] #[cfg(test)]
@ -57,4 +102,4 @@ mod test {
use clap::CommandFactory; use clap::CommandFactory;
AppConfig::command().debug_assert() AppConfig::command().debug_assert()
} }
} }

View File

@ -1,3 +1,3 @@
pub mod app_config; pub mod app_config;
pub mod pki; pub mod pki;
pub mod utils; pub mod utils;

View File

@ -10,4 +10,6 @@ fn main() {
// Initialize PKI // Initialize PKI
pki::initialize_root_ca().expect("Failed to initialize Root CA!"); pki::initialize_root_ca().expect("Failed to initialize Root CA!");
pki::initialize_web_ca().expect("Failed to initialize web CA!");
pki::initialize_devices_ca().expect("Failed to initialize devices CA!");
} }

View File

@ -1,31 +1,71 @@
use openssl::asn1::Asn1Time; use crate::app_config::AppConfig;
use asn1::{
parse_single, Asn1Readable, Asn1Writable, Implicit, OctetStringEncoded, ParseResult,
SimpleAsn1Readable, SimpleAsn1Writable, Tag, WriteBuf, WriteResult, Writer,
};
use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1OctetStringRef, Asn1Time};
use openssl::bn::{BigNum, MsbOption}; use openssl::bn::{BigNum, MsbOption};
use openssl::ec::EcGroup; use openssl::ec::EcGroup;
use openssl::hash::MessageDigest; use openssl::hash::MessageDigest;
use openssl::nid::Nid; use openssl::nid::Nid;
use openssl::pkey::PKey; use openssl::pkey::{PKey, Private};
use openssl::x509;
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier}; use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
use openssl::x509::{X509, X509NameBuilder}; use openssl::x509::{X509Extension, X509NameBuilder, X509};
use crate::app_config::AppConfig; use std::path::Path;
/// Initialize Root CA, if required /// Certificate and private key
pub fn initialize_root_ca() -> anyhow::Result<()> { struct CertAndKey(X509, PKey<Private>);
if AppConfig::get().root_ca_cert_path().exists()
&& AppConfig::get().root_ca_priv_key_path().exists() { impl CertAndKey {
return Ok(()); /// Load root CA
fn load_root_ca() -> anyhow::Result<Self> {
Ok(Self(
load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
))
} }
}
log::info!("Generating root ca..."); /// Generate private key
fn gen_private_key() -> anyhow::Result<PKey<Private>> {
// Generate root private key
let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
let group = EcGroup::from_curve_name(nid)?; let group = EcGroup::from_curve_name(nid)?;
let key = openssl::ec::EcKey::generate(&group)?; let key = openssl::ec::EcKey::generate(&group)?;
let key_pair = PKey::from_ec_key(key.clone())?; let key_pair = PKey::from_ec_key(key.clone())?;
Ok(key_pair)
}
/// Load private key from PEM file
fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
}
/// Load certificate from PEM file
fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
Ok(X509::from_pem(&std::fs::read(path)?)?)
}
struct CustomOctetStringEncoded<T>(OctetStringEncoded<T>);
impl<T: Asn1Writable> SimpleAsn1Writable for CustomOctetStringEncoded<T> {
const TAG: Tag = Tag::primitive(0x86);
fn write_data(&self, dest: &mut WriteBuf) -> WriteResult {
self.0.write(&mut Writer::new(dest))
}
}
/// Generate intermediate or root CA
fn gen_intermediate_or_root_ca(
cn: &str,
issuer: Option<&CertAndKey>,
) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
// Generate root private key
let key_pair = gen_private_key()?;
let mut x509_name = X509NameBuilder::new()?; let mut x509_name = X509NameBuilder::new()?;
x509_name.append_entry_by_text("C", "FR")?; x509_name.append_entry_by_text("C", "FR")?;
x509_name.append_entry_by_text("CN", "SolarEnergy Root CA")?; x509_name.append_entry_by_text("CN", cn)?;
let x509_name = x509_name.build(); let x509_name = x509_name.build();
let mut cert_builder = X509::builder()?; let mut cert_builder = X509::builder()?;
@ -37,14 +77,50 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
}; };
cert_builder.set_serial_number(&serial_number)?; cert_builder.set_serial_number(&serial_number)?;
cert_builder.set_subject_name(&x509_name)?; cert_builder.set_subject_name(&x509_name)?;
cert_builder.set_issuer_name(&x509_name)?; match issuer {
// Self-signed certificate
None => cert_builder.set_issuer_name(&x509_name)?,
// Certificate signed by another CA
Some(i) => cert_builder.set_issuer_name(i.0.issuer_name())?,
}
cert_builder.set_pubkey(&key_pair)?; cert_builder.set_pubkey(&key_pair)?;
let not_before = Asn1Time::days_from_now(0)?; let not_before = Asn1Time::days_from_now(0)?;
cert_builder.set_not_before(&not_before)?; cert_builder.set_not_before(&not_before)?;
let not_after = Asn1Time::days_from_now(365 * 30)?; let not_after = Asn1Time::days_from_now(365 * 30)?;
cert_builder.set_not_after(&not_after)?; cert_builder.set_not_after(&not_after)?;
if let Some(issuer) = issuer {
let crl_url = format!(
"{}/crl/{}.crl",
AppConfig::get().unsecure_origin(),
"FIXME_TODO"
);
let crl_obj = Asn1Object::from_str("2.5.29.31")?;
let content: Implicit<CustomOctetStringEncoded<&[u8]>, 0xa0> = asn1::Implicit::new(
CustomOctetStringEncoded(OctetStringEncoded::new(crl_url.as_bytes())),
);
let crl_bytes = asn1::write(|w| {
w.write_element(&asn1::SequenceWriter::new(&|w| {
w.write_element(&asn1::SequenceWriter::new(&|w| {
w.write_implicit_element(&content, 0xa0)?;
Ok(())
}))?;
Ok(())
}))
})?;
cert_builder.append_extension(X509Extension::new_from_der(
crl_obj.as_ref(),
false,
Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
)?)?;
}
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?; cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
cert_builder.append_extension( cert_builder.append_extension(
KeyUsage::new() KeyUsage::new()
.critical() .critical()
@ -55,14 +131,76 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
let subject_key_identifier = let subject_key_identifier =
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?; SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
cert_builder.append_extension(subject_key_identifier)?; cert_builder.append_extension(subject_key_identifier)?;
cert_builder.sign(&key_pair, MessageDigest::sha256())?; cert_builder.sign(
match issuer {
None => &key_pair,
Some(i) => &i.1,
},
MessageDigest::sha256(),
)?;
let cert = cert_builder.build(); let cert = cert_builder.build();
// Serialize generated root CA Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key.private_key_to_pem()?)?; }
std::fs::write(AppConfig::get().root_ca_cert_path(), cert.to_pem()?)?;
/// Initialize Root CA, if required
pub fn initialize_root_ca() -> anyhow::Result<()> {
if AppConfig::get().root_ca_cert_path().exists()
&& AppConfig::get().root_ca_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating root ca...");
let (key, cert) = gen_intermediate_or_root_ca("SolarEnergy Root CA", None)?;
// Serialize generated web CA
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
Ok(()) Ok(())
} }
/// Initialize web CA, if required
pub fn initialize_web_ca() -> anyhow::Result<()> {
if AppConfig::get().web_ca_cert_path().exists()
&& AppConfig::get().web_ca_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating web ca...");
let (key, cert) =
gen_intermediate_or_root_ca("SolarEnergy Web CA", Some(&CertAndKey::load_root_ca()?))?;
// Serialize generated web CA
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
Ok(())
}
/// Initialize devices CA, if required
pub fn initialize_devices_ca() -> anyhow::Result<()> {
if AppConfig::get().devices_ca_cert_path().exists()
&& AppConfig::get().devices_ca_priv_key_path().exists()
{
return Ok(());
}
log::info!("Generating devices ca...");
let (key, cert) =
gen_intermediate_or_root_ca("SolarEnergy Devices CA", Some(&CertAndKey::load_root_ca()?))?;
// Serialize generated devices CA
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
Ok(())
}

View File

@ -7,4 +7,4 @@ pub fn create_directory_if_missing<P: AsRef<Path>>(path: P) -> anyhow::Result<()
std::fs::create_dir_all(path)?; std::fs::create_dir_all(path)?;
} }
Ok(()) Ok(())
} }

View File

@ -1 +1 @@
pub mod files_utils; pub mod files_utils;