trifid-pki changes and config work

This commit is contained in:
c0repwn3r 2023-03-28 13:10:11 -04:00
parent b291d47459
commit 05d452bc50
Signed by: core
GPG key ID: FDBF740DADDCEECF
7 changed files with 57 additions and 11 deletions

4
Cargo.lock generated
View file

@ -2427,6 +2427,7 @@ dependencies = [
"dirs 5.0.0",
"flate2",
"hex",
"ipnet",
"log",
"reqwest",
"serde",
@ -2748,7 +2749,7 @@ dependencies = [
[[package]]
name = "trifid-pki"
version = "0.1.5"
version = "0.1.6"
dependencies = [
"ed25519-dalek",
"hex",
@ -2757,6 +2758,7 @@ dependencies = [
"quick-protobuf",
"rand",
"rand_core 0.6.4",
"serde",
"sha2",
"x25519-dalek",
]

View file

@ -8,7 +8,7 @@ description = "An open-source reimplementation of a Defined Networking-compatibl
[dependencies]
clap = { version = "4.1.10", features = ["derive"] }
trifid-pki = { version = "0.1.5", path = "../trifid-pki" }
trifid-pki = { version = "0.1.6", path = "../trifid-pki", features = ["serde_derive"] }
dirs = "5.0.0"
log = "0.4.17"
simple_logger = "4.1.0"
@ -22,6 +22,8 @@ ctrlc = "3.2.5"
reqwest = { version = "0.11.16", features = ["blocking"] }
base64 = "0.21.0"
chrono = "0.4.24"
ipnet = "2.7.1"
[build-dependencies]
serde = { version = "1.0.157", features = ["derive"] }

View file

@ -3,6 +3,7 @@ use base64::Engine;
use chrono::Local;
use log::{error, info, warn};
use url::Url;
use trifid_pki::ca::NebulaCAPool;
use trifid_pki::cert::{serialize_ed25519_public, serialize_x25519_public};
use trifid_pki::ed25519_dalek::{SecretKey, SigningKey};
use trifid_pki::rand_core::OsRng;
@ -106,15 +107,34 @@ pub fn apiworker_main(config: TFClientConfig, instance: String, url: String, _tr
};
info!("Enrolled with server. Host-ID {} config count {}", resp.data.host_id, resp.data.counter);
info!("NebulaCAPool {}, org {} {}", resp.data.trusted_keys, resp.data.organization.name, resp.data.organization.id);
info!("KeyPool {}, org {} {}", resp.data.trusted_keys, resp.data.organization.name, resp.data.organization.id);
info!("Config: {}", resp.data.config);
// Decode the CAPool and config
let key_pool_pem = match base64::engine::general_purpose::STANDARD.decode(resp.data.trusted_keys) {
Ok(p) => p,
Err(e) => {
error!("error with enrollment: {}", e);
continue;
}
};
let config = match base64::engine::general_purpose::STANDARD.decode(resp.data.config) {
Ok(p) => p,
Err(e) => {
error!("error with enrollment: {}", e);
continue;
}
};
let config_str = String::from_utf8(config).unwrap();
cdata.host_id = Some(resp.data.host_id);
cdata.counter = resp.data.counter as i32;
cdata.ca_pool = Some(resp.data.trusted_keys);
cdata.key_pool = Some(String::from_utf8(key_pool_pem).unwrap());
cdata.org_name = Some(resp.data.organization.name);
cdata.org_id = Some(resp.data.organization.id);
cdata.config = Some(resp.data.config);
cdata.config = Some(config_str);
// Save vardata
match save_cdata(&instance, cdata) {

View file

@ -1,7 +1,11 @@
use std::collections::HashMap;
use std::error::Error;
use std::fs;
use std::net::{Ipv4Addr, SocketAddrV4};
use ipnet::Ipv4Net;
use log::{debug, info};
use serde::{Deserialize, Serialize};
use trifid_pki::ca::NebulaCAPool;
use crate::dirs::{get_cdata_dir, get_cdata_file, get_config_dir, get_config_file, get_data_dir};
pub const DEFAULT_PORT: u16 = 8157;
@ -19,7 +23,7 @@ pub struct TFClientData {
pub ed_privkey: Option<[u8; 32]>,
pub dh_privkey: Option<[u8; 32]>,
pub counter: i32,
pub ca_pool: Option<String>,
pub key_pool: Option<String>,
pub org_id: Option<String>,
pub org_name: Option<String>,
pub config: Option<String>
@ -57,7 +61,7 @@ pub fn create_cdata(instance: &str) -> Result<(), Box<dyn Error>> {
info!("Creating data directory...");
fs::create_dir_all(get_cdata_dir(instance).ok_or("Unable to load data dir")?)?;
info!("Copying default data file to config directory...");
let config = TFClientData { host_id: None, ed_privkey: None, dh_privkey: None, counter: 0, ca_pool: None, org_id: None, org_name: None, config: None };
let config = TFClientData { host_id: None, ed_privkey: None, dh_privkey: None, counter: 0, key_pool: None, org_id: None, org_name: None, config: None };
let config_str = toml::to_string(&config)?;
fs::write(get_cdata_file(instance).ok_or("Unable to load data dir")?, config_str)?;
Ok(())

View file

@ -1,6 +1,6 @@
[package]
name = "trifid-pki"
version = "0.1.5"
version = "0.1.6"
edition = "2021"
description = "A rust implementation of the Nebula PKI system"
license = "AGPL-3.0-or-later"
@ -19,4 +19,9 @@ quick-protobuf = "0.8.1"
hex = "0.4.3"
sha2 = "0.10.6"
rand_core = "0.6.4"
rand = "0.8.5"
rand = "0.8.5"
serde = { version = "1", features = ["derive"], optional = true }
[features]
default = []
serde_derive = ["serde", "ipnet/serde"]

View file

@ -7,9 +7,13 @@ use std::time::SystemTime;
use ed25519_dalek::VerifyingKey;
use crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate};
#[cfg(feature = "serde_derive")]
use serde::{Serialize, Deserialize};
/// A pool of trusted CA certificates, and certificates that should be blocked.
/// This is equivalent to the `pki` section in a typical Nebula config.yml.
#[derive(Default)]
#[derive(Default, Clone)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub struct NebulaCAPool {
/// The list of CA root certificates that should be trusted.
pub cas: HashMap<String, NebulaCertificate>,
@ -102,8 +106,9 @@ impl NebulaCAPool {
}
}
#[derive(Debug)]
/// A list of errors that can happen when working with a CA Pool
#[derive(Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum CaPoolError {
/// Tried to add a non-CA cert to the CA pool
NotACA,

View file

@ -15,6 +15,9 @@ use crate::ca::NebulaCAPool;
use crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};
use sha2::Digest;
#[cfg(feature = "serde_derive")]
use serde::{Serialize, Deserialize};
/// The length, in bytes, of public keys
pub const PUBLIC_KEY_LENGTH: i32 = 32;
@ -31,6 +34,7 @@ pub const ED25519_PUBLIC_KEY_BANNER: &str = "NEBULA ED25519 PUBLIC KEY";
/// A Nebula PKI certificate
#[derive(Debug, Clone)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub struct NebulaCertificate {
/// The signed data of this certificate
pub details: NebulaCertificateDetails,
@ -40,6 +44,7 @@ pub struct NebulaCertificate {
/// The signed details contained in a Nebula PKI certificate
#[derive(Debug, Clone)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub struct NebulaCertificateDetails {
/// The name of the identity this certificate was issued for
pub name: String,
@ -63,6 +68,7 @@ pub struct NebulaCertificateDetails {
/// A list of errors that can occur parsing certificates
#[derive(Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum CertificateError {
/// Attempted to deserialize a certificate from an empty byte array
EmptyByteArray,
@ -186,6 +192,7 @@ pub fn deserialize_nebula_certificate(bytes: &[u8]) -> Result<NebulaCertificate,
/// A list of errors that can occur parsing keys
#[derive(Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum KeyError {
/// Keys should have their associated PEM tags but this had the wrong one
WrongPemTag,
@ -520,6 +527,7 @@ impl NebulaCertificate {
/// A list of possible errors that can happen validating a certificate
#[derive(Eq, PartialEq, Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum CertificateValidity {
/// There are no issues with this certificate
Ok,