Cleanup
This commit is contained in:
parent
d2814b5c33
commit
c788fc9f9e
@ -31,7 +31,7 @@ reduce = "0.1.2"
|
|||||||
serde_json = "1.0"
|
serde_json = "1.0"
|
||||||
|
|
||||||
rustls = "0.17"
|
rustls = "0.17"
|
||||||
tokio-rustls = { version = "0.13", features = ["dangerous_configuration"] }
|
tokio-rustls = "0.13"
|
||||||
hyper-rustls = { version = "0.20", default-features = false }
|
hyper-rustls = { version = "0.20", default-features = false }
|
||||||
webpki = "0.21"
|
webpki = "0.21"
|
||||||
|
|
||||||
|
35
genkeys.sh
35
genkeys.sh
@ -7,6 +7,8 @@ cd $(dirname $0)
|
|||||||
mkdir -p pki
|
mkdir -p pki
|
||||||
cd pki
|
cd pki
|
||||||
|
|
||||||
|
# Create a certificate authority that both the client side and the server side of
|
||||||
|
# the RPC protocol will use to authenticate the other side.
|
||||||
if [ ! -f garage-ca.key ]; then
|
if [ ! -f garage-ca.key ]; then
|
||||||
echo "Generating Garage CA keys..."
|
echo "Generating Garage CA keys..."
|
||||||
openssl genrsa -out garage-ca.key 4096
|
openssl genrsa -out garage-ca.key 4096
|
||||||
@ -14,6 +16,9 @@ if [ ! -f garage-ca.key ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Generate a certificate that can be used either as a server certificate
|
||||||
|
# or a client certificate. This is what the RPC client and server will use
|
||||||
|
# to prove that they are authenticated by the CA.
|
||||||
if [ ! -f garage.crt ]; then
|
if [ ! -f garage.crt ]; then
|
||||||
echo "Generating Garage agent keys..."
|
echo "Generating Garage agent keys..."
|
||||||
if [ ! -f garage.key ]; then
|
if [ ! -f garage.key ]; then
|
||||||
@ -46,3 +51,33 @@ EOF
|
|||||||
-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
|
-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
|
||||||
-out garage.crt -days 365
|
-out garage.crt -days 365
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Client-only certificate used for the CLI
|
||||||
|
if [ ! -f garage-client.crt ]; then
|
||||||
|
echo "Generating Garage client keys..."
|
||||||
|
if [ ! -f garage-client.key ]; then
|
||||||
|
openssl genrsa -out garage-client.key 4096
|
||||||
|
fi
|
||||||
|
openssl req -new -sha256 -key garage-client.key -subj "/C=FR/O=Garage" \
|
||||||
|
-out garage-client.csr
|
||||||
|
openssl req -in garage-client.csr -noout -text
|
||||||
|
openssl x509 -req -in garage-client.csr \
|
||||||
|
-extensions v3_req \
|
||||||
|
-extfile <(cat <<EOF
|
||||||
|
[req]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
req_extensions = v3_req
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[req_distinguished_name]
|
||||||
|
C = FR
|
||||||
|
O = Garage
|
||||||
|
|
||||||
|
[v3_req]
|
||||||
|
keyUsage = keyEncipherment, dataEncipherment
|
||||||
|
extendedKeyUsage = clientAuth
|
||||||
|
EOF
|
||||||
|
) \
|
||||||
|
-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
|
||||||
|
-out garage-client.crt -days 365
|
||||||
|
fi
|
||||||
|
@ -109,7 +109,6 @@ impl RpcClient {
|
|||||||
}
|
}
|
||||||
|
|
||||||
config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?;
|
config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?;
|
||||||
// config.dangerous().set_certificate_verifier(Arc::new(tls_util::NoHostnameCertVerifier));
|
|
||||||
|
|
||||||
let connector =
|
let connector =
|
||||||
tls_util::HttpsConnectorFixedDnsname::<HttpConnector>::new(config, "garage");
|
tls_util::HttpsConnectorFixedDnsname::<HttpConnector>::new(config, "garage");
|
||||||
@ -143,7 +142,7 @@ impl RpcClient {
|
|||||||
let resp = tokio::time::timeout(timeout, resp_fut)
|
let resp = tokio::time::timeout(timeout, resp_fut)
|
||||||
.await?
|
.await?
|
||||||
.map_err(|e| {
|
.map_err(|e| {
|
||||||
eprintln!("RPC client error: {}", e);
|
eprintln!("RPC HTTP client error when connecting to {}: {}", to_addr, e);
|
||||||
e
|
e
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
|
@ -7,7 +7,6 @@ use core::future::Future;
|
|||||||
use futures_util::future::*;
|
use futures_util::future::*;
|
||||||
use tokio::io::{AsyncRead, AsyncWrite};
|
use tokio::io::{AsyncRead, AsyncWrite};
|
||||||
use rustls::internal::pemfile;
|
use rustls::internal::pemfile;
|
||||||
use rustls::*;
|
|
||||||
use hyper::client::HttpConnector;
|
use hyper::client::HttpConnector;
|
||||||
use hyper::client::connect::Connection;
|
use hyper::client::connect::Connection;
|
||||||
use hyper::service::Service;
|
use hyper::service::Service;
|
||||||
@ -60,63 +59,6 @@ pub fn load_private_key(filename: &str) -> Result<rustls::PrivateKey, Error> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// ---- AWFUL COPYPASTA FROM rustls/verifier.rs
|
|
||||||
// ---- USED TO ALLOW TO VERIFY SERVER CERTIFICATE VALIDITY IN CHAIN
|
|
||||||
// ---- BUT DISREGARD HOSTNAME PARAMETER
|
|
||||||
|
|
||||||
pub struct NoHostnameCertVerifier;
|
|
||||||
|
|
||||||
type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
|
|
||||||
static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[
|
|
||||||
&webpki::ECDSA_P256_SHA256,
|
|
||||||
&webpki::ECDSA_P256_SHA384,
|
|
||||||
&webpki::ECDSA_P384_SHA256,
|
|
||||||
&webpki::ECDSA_P384_SHA384,
|
|
||||||
&webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
|
|
||||||
&webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
|
|
||||||
&webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
|
|
||||||
&webpki::RSA_PKCS1_2048_8192_SHA256,
|
|
||||||
&webpki::RSA_PKCS1_2048_8192_SHA384,
|
|
||||||
&webpki::RSA_PKCS1_2048_8192_SHA512,
|
|
||||||
&webpki::RSA_PKCS1_3072_8192_SHA384
|
|
||||||
];
|
|
||||||
|
|
||||||
impl rustls::ServerCertVerifier for NoHostnameCertVerifier {
|
|
||||||
fn verify_server_cert(&self,
|
|
||||||
roots: &RootCertStore,
|
|
||||||
presented_certs: &[Certificate],
|
|
||||||
_dns_name: webpki::DNSNameRef,
|
|
||||||
_ocsp_response: &[u8]) -> Result<rustls::ServerCertVerified, TLSError> {
|
|
||||||
|
|
||||||
if presented_certs.is_empty() {
|
|
||||||
return Err(TLSError::NoCertificatesPresented);
|
|
||||||
}
|
|
||||||
|
|
||||||
let cert = webpki::EndEntityCert::from(&presented_certs[0].0)
|
|
||||||
.map_err(TLSError::WebPKIError)?;
|
|
||||||
|
|
||||||
let chain = presented_certs.iter()
|
|
||||||
.skip(1)
|
|
||||||
.map(|cert| cert.0.as_ref())
|
|
||||||
.collect::<Vec<_>>();
|
|
||||||
|
|
||||||
let trustroots: Vec<webpki::TrustAnchor> = roots.roots
|
|
||||||
.iter()
|
|
||||||
.map(|x| x.to_trust_anchor())
|
|
||||||
.collect();
|
|
||||||
|
|
||||||
let now = webpki::Time::try_from(std::time::SystemTime::now())
|
|
||||||
.map_err( |_ | TLSError::FailedToGetCurrentTime)?;
|
|
||||||
|
|
||||||
cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS,
|
|
||||||
&webpki::TLSServerTrustAnchors(&trustroots), &chain, now)
|
|
||||||
.map_err(TLSError::WebPKIError)?;
|
|
||||||
|
|
||||||
Ok(rustls::ServerCertVerified::assertion())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
// ---- AWFUL COPYPASTA FROM HYPER-RUSTLS connector.rs
|
// ---- AWFUL COPYPASTA FROM HYPER-RUSTLS connector.rs
|
||||||
// ---- ALWAYS USE `garage` AS HOSTNAME FOR TLS VERIFICATION
|
// ---- ALWAYS USE `garage` AS HOSTNAME FOR TLS VERIFICATION
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user