WIP cert authorities
This commit is contained in:
parent
e0801661eb
commit
f4e2bb69b6
21
central_backend/Cargo.lock
generated
21
central_backend/Cargo.lock
generated
@ -66,6 +66,26 @@ version = "1.0.86"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
|
||||
|
||||
[[package]]
|
||||
name = "asn1"
|
||||
version = "0.16.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd"
|
||||
dependencies = [
|
||||
"asn1_derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "asn1_derive"
|
||||
version = "0.16.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bitflags"
|
||||
version = "2.6.0"
|
||||
@ -83,6 +103,7 @@ name = "central_backend"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"asn1",
|
||||
"clap",
|
||||
"env_logger",
|
||||
"lazy_static",
|
||||
|
@ -11,3 +11,4 @@ clap = { version = "4.5.7", features = ["derive", "env"] }
|
||||
anyhow = "1.0.86"
|
||||
thiserror = "1.0.61"
|
||||
openssl = { version = "0.10.64" }
|
||||
asn1 = "0.16"
|
@ -1,5 +1,5 @@
|
||||
use std::path::{Path, PathBuf};
|
||||
use clap::Parser;
|
||||
use std::path::{Path, PathBuf};
|
||||
|
||||
/// Solar system central backend
|
||||
#[derive(Parser, Debug)]
|
||||
@ -9,6 +9,14 @@ pub struct AppConfig {
|
||||
#[arg(short, long, env, default_value = "0.0.0.0:8443")]
|
||||
listen_address: String,
|
||||
|
||||
/// The port the server will listen to (using HTTP, for unsecure connections)
|
||||
#[arg(short, long, env, default_value = "0.0.0.0:8080")]
|
||||
unsecure_listen_address: String,
|
||||
|
||||
/// Public server hostname (assuming that the ports used are the same for listen address)
|
||||
#[arg(short('H'), long, env, default_value = "localhost")]
|
||||
hostname: String,
|
||||
|
||||
/// Server storage path
|
||||
#[arg(short, long, env, default_value = "storage")]
|
||||
storage: String,
|
||||
@ -26,6 +34,23 @@ impl AppConfig {
|
||||
&ARGS
|
||||
}
|
||||
|
||||
/// URL for unsecure connections
|
||||
pub fn unsecure_origin(&self) -> String {
|
||||
format!(
|
||||
"http://{}:{}",
|
||||
self.hostname,
|
||||
self.unsecure_listen_address.split_once(':').unwrap().1
|
||||
)
|
||||
}
|
||||
|
||||
/// URL for secure connections
|
||||
pub fn secure_origin(&self) -> String {
|
||||
format!(
|
||||
"https://{}:{}",
|
||||
self.hostname,
|
||||
self.listen_address.split_once(':').unwrap().1
|
||||
)
|
||||
}
|
||||
|
||||
/// Get storage path
|
||||
pub fn storage_path(&self) -> PathBuf {
|
||||
@ -46,6 +71,26 @@ impl AppConfig {
|
||||
pub fn root_ca_priv_key_path(&self) -> PathBuf {
|
||||
self.pki_path().join("root_ca.key")
|
||||
}
|
||||
|
||||
/// Get PKI web CA cert path
|
||||
pub fn web_ca_cert_path(&self) -> PathBuf {
|
||||
self.pki_path().join("web_ca.pem")
|
||||
}
|
||||
|
||||
/// Get PKI web CA private key path
|
||||
pub fn web_ca_priv_key_path(&self) -> PathBuf {
|
||||
self.pki_path().join("web_ca.key")
|
||||
}
|
||||
|
||||
/// Get PKI devices CA cert path
|
||||
pub fn devices_ca_cert_path(&self) -> PathBuf {
|
||||
self.pki_path().join("devices_ca.pem")
|
||||
}
|
||||
|
||||
/// Get PKI devices CA private key path
|
||||
pub fn devices_ca_priv_key_path(&self) -> PathBuf {
|
||||
self.pki_path().join("devices_ca.key")
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
|
@ -10,4 +10,6 @@ fn main() {
|
||||
|
||||
// Initialize PKI
|
||||
pki::initialize_root_ca().expect("Failed to initialize Root CA!");
|
||||
pki::initialize_web_ca().expect("Failed to initialize web CA!");
|
||||
pki::initialize_devices_ca().expect("Failed to initialize devices CA!");
|
||||
}
|
||||
|
@ -1,31 +1,71 @@
|
||||
use openssl::asn1::Asn1Time;
|
||||
use crate::app_config::AppConfig;
|
||||
use asn1::{
|
||||
parse_single, Asn1Readable, Asn1Writable, Implicit, OctetStringEncoded, ParseResult,
|
||||
SimpleAsn1Readable, SimpleAsn1Writable, Tag, WriteBuf, WriteResult, Writer,
|
||||
};
|
||||
use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1OctetStringRef, Asn1Time};
|
||||
use openssl::bn::{BigNum, MsbOption};
|
||||
use openssl::ec::EcGroup;
|
||||
use openssl::hash::MessageDigest;
|
||||
use openssl::nid::Nid;
|
||||
use openssl::pkey::PKey;
|
||||
use openssl::pkey::{PKey, Private};
|
||||
use openssl::x509;
|
||||
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
||||
use openssl::x509::{X509, X509NameBuilder};
|
||||
use crate::app_config::AppConfig;
|
||||
use openssl::x509::{X509Extension, X509NameBuilder, X509};
|
||||
use std::path::Path;
|
||||
|
||||
/// Initialize Root CA, if required
|
||||
pub fn initialize_root_ca() -> anyhow::Result<()> {
|
||||
if AppConfig::get().root_ca_cert_path().exists()
|
||||
&& AppConfig::get().root_ca_priv_key_path().exists() {
|
||||
return Ok(());
|
||||
/// Certificate and private key
|
||||
struct CertAndKey(X509, PKey<Private>);
|
||||
|
||||
impl CertAndKey {
|
||||
/// Load root CA
|
||||
fn load_root_ca() -> anyhow::Result<Self> {
|
||||
Ok(Self(
|
||||
load_certificate_from_file(AppConfig::get().root_ca_cert_path())?,
|
||||
load_priv_key_from_file(AppConfig::get().root_ca_priv_key_path())?,
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
log::info!("Generating root ca...");
|
||||
|
||||
// Generate root private key
|
||||
/// Generate private key
|
||||
fn gen_private_key() -> anyhow::Result<PKey<Private>> {
|
||||
let nid = Nid::X9_62_PRIME256V1; // NIST P-256 curve
|
||||
let group = EcGroup::from_curve_name(nid)?;
|
||||
let key = openssl::ec::EcKey::generate(&group)?;
|
||||
let key_pair = PKey::from_ec_key(key.clone())?;
|
||||
|
||||
Ok(key_pair)
|
||||
}
|
||||
|
||||
/// Load private key from PEM file
|
||||
fn load_priv_key_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<PKey<Private>> {
|
||||
Ok(PKey::private_key_from_pem(&std::fs::read(path)?)?)
|
||||
}
|
||||
|
||||
/// Load certificate from PEM file
|
||||
fn load_certificate_from_file<P: AsRef<Path>>(path: P) -> anyhow::Result<X509> {
|
||||
Ok(X509::from_pem(&std::fs::read(path)?)?)
|
||||
}
|
||||
|
||||
struct CustomOctetStringEncoded<T>(OctetStringEncoded<T>);
|
||||
impl<T: Asn1Writable> SimpleAsn1Writable for CustomOctetStringEncoded<T> {
|
||||
const TAG: Tag = Tag::primitive(0x86);
|
||||
fn write_data(&self, dest: &mut WriteBuf) -> WriteResult {
|
||||
self.0.write(&mut Writer::new(dest))
|
||||
}
|
||||
}
|
||||
|
||||
/// Generate intermediate or root CA
|
||||
fn gen_intermediate_or_root_ca(
|
||||
cn: &str,
|
||||
issuer: Option<&CertAndKey>,
|
||||
) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
|
||||
// Generate root private key
|
||||
let key_pair = gen_private_key()?;
|
||||
|
||||
let mut x509_name = X509NameBuilder::new()?;
|
||||
x509_name.append_entry_by_text("C", "FR")?;
|
||||
x509_name.append_entry_by_text("CN", "SolarEnergy Root CA")?;
|
||||
x509_name.append_entry_by_text("CN", cn)?;
|
||||
let x509_name = x509_name.build();
|
||||
|
||||
let mut cert_builder = X509::builder()?;
|
||||
@ -37,14 +77,50 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
|
||||
};
|
||||
cert_builder.set_serial_number(&serial_number)?;
|
||||
cert_builder.set_subject_name(&x509_name)?;
|
||||
cert_builder.set_issuer_name(&x509_name)?;
|
||||
match issuer {
|
||||
// Self-signed certificate
|
||||
None => cert_builder.set_issuer_name(&x509_name)?,
|
||||
// Certificate signed by another CA
|
||||
Some(i) => cert_builder.set_issuer_name(i.0.issuer_name())?,
|
||||
}
|
||||
cert_builder.set_pubkey(&key_pair)?;
|
||||
let not_before = Asn1Time::days_from_now(0)?;
|
||||
cert_builder.set_not_before(¬_before)?;
|
||||
let not_after = Asn1Time::days_from_now(365 * 30)?;
|
||||
cert_builder.set_not_after(¬_after)?;
|
||||
|
||||
if let Some(issuer) = issuer {
|
||||
let crl_url = format!(
|
||||
"{}/crl/{}.crl",
|
||||
AppConfig::get().unsecure_origin(),
|
||||
"FIXME_TODO"
|
||||
);
|
||||
|
||||
let crl_obj = Asn1Object::from_str("2.5.29.31")?;
|
||||
|
||||
let content: Implicit<CustomOctetStringEncoded<&[u8]>, 0xa0> = asn1::Implicit::new(
|
||||
CustomOctetStringEncoded(OctetStringEncoded::new(crl_url.as_bytes())),
|
||||
);
|
||||
|
||||
let crl_bytes = asn1::write(|w| {
|
||||
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
||||
w.write_element(&asn1::SequenceWriter::new(&|w| {
|
||||
w.write_implicit_element(&content, 0xa0)?;
|
||||
Ok(())
|
||||
}))?;
|
||||
Ok(())
|
||||
}))
|
||||
})?;
|
||||
|
||||
cert_builder.append_extension(X509Extension::new_from_der(
|
||||
crl_obj.as_ref(),
|
||||
false,
|
||||
Asn1OctetString::new_from_bytes(&crl_bytes)?.as_ref(),
|
||||
)?)?;
|
||||
}
|
||||
|
||||
cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
|
||||
|
||||
cert_builder.append_extension(
|
||||
KeyUsage::new()
|
||||
.critical()
|
||||
@ -55,14 +131,76 @@ pub fn initialize_root_ca() -> anyhow::Result<()> {
|
||||
|
||||
let subject_key_identifier =
|
||||
SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
|
||||
|
||||
cert_builder.append_extension(subject_key_identifier)?;
|
||||
|
||||
cert_builder.sign(&key_pair, MessageDigest::sha256())?;
|
||||
cert_builder.sign(
|
||||
match issuer {
|
||||
None => &key_pair,
|
||||
Some(i) => &i.1,
|
||||
},
|
||||
MessageDigest::sha256(),
|
||||
)?;
|
||||
let cert = cert_builder.build();
|
||||
|
||||
// Serialize generated root CA
|
||||
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key.private_key_to_pem()?)?;
|
||||
std::fs::write(AppConfig::get().root_ca_cert_path(), cert.to_pem()?)?;
|
||||
Ok((key_pair.private_key_to_pem_pkcs8()?, cert.to_pem()?))
|
||||
}
|
||||
|
||||
/// Initialize Root CA, if required
|
||||
pub fn initialize_root_ca() -> anyhow::Result<()> {
|
||||
if AppConfig::get().root_ca_cert_path().exists()
|
||||
&& AppConfig::get().root_ca_priv_key_path().exists()
|
||||
{
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
log::info!("Generating root ca...");
|
||||
|
||||
let (key, cert) = gen_intermediate_or_root_ca("SolarEnergy Root CA", None)?;
|
||||
|
||||
// Serialize generated web CA
|
||||
std::fs::write(AppConfig::get().root_ca_priv_key_path(), key)?;
|
||||
std::fs::write(AppConfig::get().root_ca_cert_path(), cert)?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Initialize web CA, if required
|
||||
pub fn initialize_web_ca() -> anyhow::Result<()> {
|
||||
if AppConfig::get().web_ca_cert_path().exists()
|
||||
&& AppConfig::get().web_ca_priv_key_path().exists()
|
||||
{
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
log::info!("Generating web ca...");
|
||||
|
||||
let (key, cert) =
|
||||
gen_intermediate_or_root_ca("SolarEnergy Web CA", Some(&CertAndKey::load_root_ca()?))?;
|
||||
|
||||
// Serialize generated web CA
|
||||
std::fs::write(AppConfig::get().web_ca_priv_key_path(), key)?;
|
||||
std::fs::write(AppConfig::get().web_ca_cert_path(), cert)?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Initialize devices CA, if required
|
||||
pub fn initialize_devices_ca() -> anyhow::Result<()> {
|
||||
if AppConfig::get().devices_ca_cert_path().exists()
|
||||
&& AppConfig::get().devices_ca_priv_key_path().exists()
|
||||
{
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
log::info!("Generating devices ca...");
|
||||
|
||||
let (key, cert) =
|
||||
gen_intermediate_or_root_ca("SolarEnergy Devices CA", Some(&CertAndKey::load_root_ca()?))?;
|
||||
|
||||
// Serialize generated devices CA
|
||||
std::fs::write(AppConfig::get().devices_ca_priv_key_path(), key)?;
|
||||
std::fs::write(AppConfig::get().devices_ca_cert_path(), cert)?;
|
||||
|
||||
Ok(())
|
||||
}
|
Loading…
Reference in New Issue
Block a user