Implement gemini cert store

This commit is contained in:
Brian Picciano 2023-07-27 16:09:44 +02:00
parent 4c1f843048
commit 795817f99d
6 changed files with 177 additions and 7 deletions

View File

@ -1,6 +1,7 @@
pub mod acme; pub mod acme;
pub mod checker; pub mod checker;
mod config; mod config;
pub mod gemini;
pub mod manager; pub mod manager;
mod name; mod name;
mod settings; mod settings;

View File

@ -106,8 +106,8 @@ impl Manager for ManagerImpl {
) -> util::BoxFuture<'mgr, Result<(), unexpected::Error>> { ) -> util::BoxFuture<'mgr, Result<(), unexpected::Error>> {
Box::pin(async move { Box::pin(async move {
// if there's an existing cert, and its expiry (determined by the soonest value of // if there's an existing cert, and its expiry (determined by the soonest value of
// not_after amongst its parts) is later than 30 days from now, then we consider it to be // not_after amongst its parts) is later than 30 days from now, then we consider it to
// synced. // be synced.
if let Ok((_, cert)) = self.store.get_certificate(domain.as_str()) { if let Ok((_, cert)) = self.store.get_certificate(domain.as_str()) {
let thirty_days = openssl::asn1::Asn1Time::days_from_now(30) let thirty_days = openssl::asn1::Asn1Time::days_from_now(30)
.expect("parsed thirty days from now as Asn1Time"); .expect("parsed thirty days from now as Asn1Time");

101
src/domain/gemini.rs Normal file
View File

@ -0,0 +1,101 @@
use crate::domain::tls::{Certificate, PrivateKey};
use crate::error::unexpected::{self, Mappable};
use crate::{domain, util};
use serde::{Deserialize, Serialize};
use std::{fs, path, sync};
#[derive(Debug, Serialize, Deserialize)]
struct StoredPKeyCert {
private_key: PrivateKey,
cert: Certificate,
}
pub struct FSStore {
cert_dir_path: path::PathBuf,
}
impl FSStore {
pub fn new(dir_path: &path::Path) -> unexpected::Result<Self> {
let cert_dir_path = dir_path.join("certificates");
fs::create_dir_all(&cert_dir_path)
.map_unexpected_while(|| format!("creating dir {}", cert_dir_path.display()))?;
Ok(Self { cert_dir_path })
}
fn pkey_cert_path(&self, domain: &domain::Name) -> path::PathBuf {
let mut domain = domain.as_str().to_string();
domain.push_str(".json");
self.cert_dir_path.join(domain)
}
fn get_certificate(
&self,
domain: &domain::Name,
) -> unexpected::Result<(PrivateKey, Certificate)> {
let path = self.pkey_cert_path(domain);
let file = match util::open_file(path.as_path())
.map_unexpected_while(|| format!("opening file {}", path.display()))?
{
Some(file) => file,
None => {
let pkey = PrivateKey::new();
let cert = Certificate::new_self_signed(&pkey, domain)
.or_unexpected_while("creating self-signed cert")?;
let file = fs::File::create(path.as_path())
.map_unexpected_while(|| format!("creating file {}", path.display()))?;
let stored = StoredPKeyCert {
private_key: pkey,
cert,
};
serde_json::to_writer(file, &stored).or_unexpected_while("writing cert to file")?;
return Ok((stored.private_key, stored.cert));
}
};
let stored: StoredPKeyCert =
serde_json::from_reader(file).or_unexpected_while("parsing json")?;
Ok((stored.private_key, stored.cert))
}
}
impl rustls::server::ResolvesServerCert for FSStore {
fn resolve(
&self,
client_hello: rustls::server::ClientHello<'_>,
) -> Option<sync::Arc<rustls::sign::CertifiedKey>> {
let domain = client_hello.server_name()?;
let res: unexpected::Result<Option<sync::Arc<rustls::sign::CertifiedKey>>> = (|| {
let domain: domain::Name = domain
.parse()
.map_unexpected_while(|| format!("parsing domain {domain}"))?;
let (pkey, cert) = self
.get_certificate(&domain)
.or_unexpected_while("fetching pkey/cert")?;
let pkey = rustls::sign::any_supported_type(&pkey.into()).or_unexpected()?;
Ok(Some(sync::Arc::new(rustls::sign::CertifiedKey {
cert: vec![cert.into()],
key: pkey,
ocsp: None,
sct_list: None,
})))
})();
res.unwrap_or_else(|err| {
log::error!("Unexpected error getting cert for domain {domain}: {err}");
None
})
}
}

View File

@ -1,3 +1,7 @@
use crate::domain;
use crate::domain::tls::PrivateKey;
use crate::error::unexpected::{self, Mappable};
use std::convert::{From, TryFrom}; use std::convert::{From, TryFrom};
use std::fmt; use std::fmt;
use std::str::FromStr; use std::str::FromStr;
@ -8,6 +12,66 @@ use serde_with::{DeserializeFromStr, SerializeDisplay};
/// DER-encoded X.509, like rustls::Certificate. /// DER-encoded X.509, like rustls::Certificate.
pub struct Certificate(Vec<u8>); pub struct Certificate(Vec<u8>);
impl Certificate {
pub fn new_self_signed(
pkey: &PrivateKey,
domain: &domain::Name,
) -> unexpected::Result<Certificate> {
use openssl::asn1::*;
use openssl::pkey::*;
use openssl::x509::extension::SubjectAlternativeName;
use openssl::x509::*;
let name = {
let mut builder = X509Name::builder().expect("initializing x509 name builder");
builder
.append_entry_by_text("CN", domain.as_str())
.or_unexpected_while("adding CN")?;
builder.build()
};
let mut builder = X509::builder().expect("initializing x509 builder");
builder
.set_subject_name(&name)
.or_unexpected_while("setting subject name")?;
// 9999/07/23
let not_after = Asn1Time::from_unix(253388296800).expect("initializing not_after");
builder
.set_not_after(not_after.as_ref())
.or_unexpected_while("setting not_after")?;
// Add domain as SAN
let san_extension = {
let mut san = SubjectAlternativeName::new();
san.dns(domain.as_str());
san.build(&builder.x509v3_context(None, None))
.or_unexpected_while("building SAN")?
};
builder
.append_extension(san_extension)
.or_unexpected_while("appending SAN")?;
let pkey: PKey<Private> = pkey.try_into().or_unexpected_while("converting PKey")?;
builder
.set_pubkey(pkey.as_ref())
.or_unexpected_while("setting pubkey")?;
builder
.sign(pkey.as_ref(), openssl::hash::MessageDigest::sha256())
.or_unexpected_while("signing with private key")?;
let cert = builder.build();
Ok(cert
.as_ref()
.try_into()
.or_unexpected_while("converting to cert")?)
}
}
impl FromStr for Certificate { impl FromStr for Certificate {
type Err = pem::PemError; type Err = pem::PemError;

View File

@ -11,9 +11,9 @@ pub struct PrivateKey(Vec<u8>);
impl PrivateKey { impl PrivateKey {
#[allow(clippy::new_without_default)] #[allow(clippy::new_without_default)]
pub fn new() -> PrivateKey { pub fn new() -> PrivateKey {
acme2::gen_rsa_private_key(4096) let rsa = openssl::rsa::Rsa::generate(4096).expect("generating RSA");
.expect("RSA private key generated") let key = openssl::pkey::PKey::from_rsa(rsa).expect("creating private key from RSA");
.as_ref() key.as_ref()
.try_into() .try_into()
.expect("RSA private key converted to internal representation") .expect("RSA private key converted to internal representation")
} }

View File

@ -4,7 +4,7 @@ use clap::Parser;
use futures::stream::StreamExt; use futures::stream::StreamExt;
use signal_hook_tokio::Signals; use signal_hook_tokio::Signals;
use std::path; use std::{path, sync};
#[derive(Parser, Debug)] #[derive(Parser, Debug)]
#[command(version)] #[command(version)]
@ -128,6 +128,10 @@ async fn main() {
None None
}; };
let domain_gemini_store =
domani::domain::gemini::FSStore::new(&config.domain.store_dir_path.join("gemini"))
.unwrap_or_else(|e| panic!("domain gemini store initialization failed: {e}"));
let mut task_stack = domani::task_stack::TaskStack::new(); let mut task_stack = domani::task_stack::TaskStack::new();
let domain_manager = domani::domain::manager::ManagerImpl::new( let domain_manager = domani::domain::manager::ManagerImpl::new(
@ -147,7 +151,7 @@ async fn main() {
let _ = domani::service::gemini::Service::new( let _ = domani::service::gemini::Service::new(
&mut task_stack, &mut task_stack,
domain_manager.clone(), sync::Arc::new(domain_gemini_store),
config.service, config.service,
); );