Refactor Certificate management
@@ -2,12 +2,13 @@ use std::io::{Error, ErrorKind};
|
||||
use std::sync::Arc;
|
||||
use futures::{SinkExt, StreamExt};
|
||||
use tokio::net::TcpStream;
|
||||
use tokio_rustls::rustls::{ClientConfig, RootCertStore};
|
||||
use tokio_rustls::rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer, ServerName};
|
||||
use tokio_rustls::rustls::ClientConfig;
|
||||
use tokio_rustls::rustls::pki_types::ServerName;
|
||||
use tokio_rustls::TlsConnector;
|
||||
use tokio_util::codec::{Framed, LengthDelimitedCodec};
|
||||
use libbonknet::*;
|
||||
use libbonknet::servermsg::*;
|
||||
use libbonknet::cert::*;
|
||||
use uuid::Uuid;
|
||||
use tracing::{error, info};
|
||||
|
||||
@@ -94,22 +95,26 @@ async fn main() -> std::io::Result<()> {
|
||||
tracing::subscriber::set_global_default(subscriber).unwrap();
|
||||
// Server Name
|
||||
let my_name = "cicciopizza";
|
||||
// Root certs to verify the server is the right one
|
||||
let mut broker_root_cert_store = RootCertStore::empty();
|
||||
let broker_root_cert_der = load_cert("certs/broker_root_cert.pem").unwrap();
|
||||
broker_root_cert_store.add(broker_root_cert_der).unwrap();
|
||||
// Public CA that will be used to generate the Server certificate
|
||||
let root_server_cert = load_cert("certs/server_root_cert.pem").unwrap();
|
||||
// Guest CA
|
||||
let root_guestserver_cert = load_cert("certs/guestserver_root_cert.pem").unwrap();
|
||||
// Certificate used to do the first authentication
|
||||
let guestserver_cert = load_cert("certs/guestserver_cert.pem").unwrap();
|
||||
let guestserver_prkey = load_prkey("certs/guestserver_key.pem").unwrap();
|
||||
// Load Identity files
|
||||
let guestserver_ident = LeafCertPair::load_from_file("certs_pem/guestserver.pem").unwrap();
|
||||
let broker_root = BrokerRootCerts::load_from_file("certs_pem/broker_root_ca_cert.pem").unwrap();
|
||||
// // Root certs to verify the server is the right one
|
||||
// let mut broker_root_cert_store = RootCertStore::empty();
|
||||
// let broker_root_cert_der = load_cert("certs/broker_root_cert.pem").unwrap();
|
||||
// broker_root_cert_store.add(broker_root_cert_der).unwrap();
|
||||
// // Public CA that will be used to generate the Server certificate
|
||||
// let root_server_cert = load_cert("certs/server_root_cert.pem").unwrap();
|
||||
// // Guest CA
|
||||
// let root_guestserver_cert = load_cert("certs/guestserver_root_cert.pem").unwrap();
|
||||
// // Certificate used to do the first authentication
|
||||
// let guestserver_cert = load_cert("certs/guestserver_cert.pem").unwrap();
|
||||
// let guestserver_prkey = load_prkey("certs/guestserver_key.pem").unwrap();
|
||||
// Load TLS Config
|
||||
let guest_cert_chain = guestserver_ident.fullchain();
|
||||
let tlsconfig = ClientConfig::builder()
|
||||
.with_root_certificates(broker_root_cert_store.clone())
|
||||
.with_root_certificates(broker_root.to_rootcertstore())
|
||||
// .with_no_client_auth();
|
||||
.with_client_auth_cert(vec![guestserver_cert, root_guestserver_cert], guestserver_prkey.into())
|
||||
.with_client_auth_cert(guest_cert_chain, guestserver_ident.clone_key().into())
|
||||
.unwrap();
|
||||
let connector = TlsConnector::from(Arc::new(tlsconfig));
|
||||
let dnsname = ServerName::try_from("localhost").unwrap();
|
||||
@@ -121,24 +126,20 @@ async fn main() -> std::io::Result<()> {
|
||||
let msg = FromGuestServerMessage::Announce { name: my_name.into() };
|
||||
transport.send(rmp_serde::to_vec(&msg).unwrap().into()).await.unwrap();
|
||||
// TODO: Remove this two mutable option
|
||||
let mut myserver_cert: Option<CertificateDer> = None;
|
||||
let mut myserver_prkey: Option<PrivatePkcs8KeyDer> = None;
|
||||
let mut myserver_leaf: Option<LeafCertPair> = None;
|
||||
match transport.next().await {
|
||||
None => {
|
||||
panic!("None in the transport");
|
||||
}
|
||||
Some(item) => match item {
|
||||
Ok(buf) => {
|
||||
use libbonknet::servermsg::{okannounce_to_cert, ToGuestServerMessage};
|
||||
use libbonknet::servermsg::ToGuestServerMessage::*;
|
||||
let msg: ToGuestServerMessage = rmp_serde::from_slice(&buf).unwrap();
|
||||
info!("{:?}", msg);
|
||||
match msg {
|
||||
OkAnnounce { server_cert, server_prkey } => {
|
||||
OkAnnounce(payload) => {
|
||||
info!("Ok Announce");
|
||||
let (server_cert, server_prkey) = okannounce_to_cert(server_cert, server_prkey);
|
||||
myserver_cert = Some(server_cert);
|
||||
myserver_prkey = Some(server_prkey);
|
||||
myserver_leaf = Some(payload.parse());
|
||||
}
|
||||
FailedNameAlreadyOccupied => {
|
||||
error!("Failed Announce, name already occupied");
|
||||
@@ -152,10 +153,10 @@ async fn main() -> std::io::Result<()> {
|
||||
}
|
||||
}
|
||||
transport.close().await.unwrap();
|
||||
if let (Some(server_cert), Some(server_prkey)) = (myserver_cert, myserver_prkey) {
|
||||
if let Some(server_leaf) = myserver_leaf {
|
||||
let tlsconfig = Arc::new(ClientConfig::builder()
|
||||
.with_root_certificates(broker_root_cert_store)
|
||||
.with_client_auth_cert(vec![server_cert, root_server_cert], server_prkey.into())
|
||||
.with_root_certificates(broker_root.to_rootcertstore())
|
||||
.with_client_auth_cert(server_leaf.fullchain(), server_leaf.clone_key().into())
|
||||
.unwrap());
|
||||
let connector = TlsConnector::from(Arc::clone(&tlsconfig));
|
||||
let dnsname = ServerName::try_from("localhost").unwrap();
|
||||
|
||||
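Review bot: The new `OkAnnounce(payload)` arm sits directly after the retained `info!("{:?}", msg);`, so the whole announce reply — the same payload that `payload.parse()` turns into the `LeafCertPair` whose key `server_leaf.clone_key()` later feeds into `with_client_auth_cert` — is Debug-printed at info level, and unless the payload type in libbonknet has a redacting `Debug` impl (not visible here) the freshly issued private key ends up in the log. I would log only the variant, e.g. replace `info!("{:?}", msg);` with `info!("received broker reply");` and keep the existing `info!("Ok Announce");` in the arm, or give the payload type a `Debug` impl that elides key material. The `.unwrap()` on `rmp_serde::from_slice(&buf)` two lines above is untouched by this commit and still turns a malformed reply from the broker into a panic; a `match` that logs and returns `Err(Error::new(ErrorKind::InvalidData, "bad broker reply"))` would fit the `std::io::Result` signature of `main` and the `Error`/`ErrorKind` already imported. The enclosing `main` starts before and ends after this hunk.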
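--- /dev/null
+++ b/bonknet_server/src/main.rs
@@ -0,0 +1,29 @@
+use std::io::{Error, ErrorKind};
+use std::sync::Arc;
+use futures::{SinkExt, StreamExt};
+use tokio::net::TcpStream;
+use tokio_rustls::rustls::{ClientConfig, RootCertStore};
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer, ServerName};
+use tokio_rustls::TlsConnector;
+use tokio_util::codec::{Framed, LengthDelimitedCodec};
+use libbonknet::*;
+use libbonknet::servermsg::*;
+use uuid::Uuid;
+use tracing::{error, info};
+use libbonknet::cert::{BrokerRootCerts, LeafCertPair};
+
+
+#[tokio::main]
+async fn main() -> std::io::Result<()> {
+// Tracing Subscriber
+let subscriber = tracing_subscriber::FmtSubscriber::new();
+tracing::subscriber::set_global_default(subscriber).unwrap();
+// Server Name
+// TODO: from config
+let my_name = "cicciopizza";
+// Load Identity files
+let guestserver_ident = LeafCertPair::load_from_file("certs_pem/guestserver.pem").unwrap();
+let broker_root = BrokerRootCerts::load_from_file("certs_pem/broker_root_ca_cert.pem").unwrap();
+// TODO: ACTOR MODEL per gestione transport in maniera intelligente?
+Ok(())
+}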
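Review bot: The new `bonknet_server/src/main.rs` binds `my_name`, `guestserver_ident` and `broker_root` and then never uses them, and every non-glob import other than `BrokerRootCerts` and `LeafCertPair` (`Error`, `ErrorKind`, `Arc`, `SinkExt`, `StreamExt`, `TcpStream`, `ClientConfig`, `RootCertStore`, `CertificateDer`, `PrivatePkcs8KeyDer`, `ServerName`, `TlsConnector`, `Framed`, `LengthDelimitedCodec`, `Uuid`, `error`, `info`) is unreferenced, so `cargo clippy -- -D warnings` fails on this crate as committed. The two `.unwrap()` calls on `load_from_file` panic with a bare error on a missing or unreadable PEM; `.expect("certs_pem/guestserver.pem")` and `.expect("certs_pem/broker_root_ca_cert.pem")` would at least name the file, and both paths belong in the config that the `// TODO: from config` comment already anticipates for `my_name`. The last comment is in Italian while every other comment in the crate is English; I would rewrite it as `// TODO: actor model to manage the transport more intelligently?`. If `certs_pem/guestserver.pem` carries the guest private key (the sibling binary's `clone_key()` on the same type suggests it does), this stub should defer reading it until the code that needs it exists rather than loading key material into a process that only exits.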