core
/
trifid
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 7 Releases Wiki Activity

trifid-pki changes and config work

This commit is contained in:
c0repwn3r 2023-03-28 13:10:11 -04:00
parent b291d47459
commit 05d452bc50
Signed by: core
GPG Key ID: FDBF740DADDCEECF
7 changed files with 57 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Cargo.lock generated
View File

@ -2427,6 +2427,7 @@ dependencies = [
"dirs 5.0.0", "dirs 5.0.0",
"flate2", "flate2",
"hex", "hex",
"ipnet",
"log", "log",
"reqwest", "reqwest",
"serde", "serde",
@ -2748,7 +2749,7 @@ dependencies = [
[[package]] [[package]]
name = "trifid-pki" name = "trifid-pki"
version = "0.1.5" version = "0.1.6"
dependencies = [ dependencies = [
"ed25519-dalek", "ed25519-dalek",
"hex", "hex",
@ -2757,6 +2758,7 @@ dependencies = [
"quick-protobuf", "quick-protobuf",
"rand", "rand",
"rand_core 0.6.4", "rand_core 0.6.4",
"serde",
"sha2", "sha2",
"x25519-dalek", "x25519-dalek",
] ]

4
tfclient/Cargo.toml
View File

@ -8,7 +8,7 @@ description = "An open-source reimplementation of a Defined Networking-compatibl
[dependencies] [dependencies]
clap = { version = "4.1.10", features = ["derive"] } clap = { version = "4.1.10", features = ["derive"] }
trifid-pki = { version = "0.1.5", path = "../trifid-pki" } trifid-pki = { version = "0.1.6", path = "../trifid-pki", features = ["serde_derive"] }
dirs = "5.0.0" dirs = "5.0.0"
log = "0.4.17" log = "0.4.17"
simple_logger = "4.1.0" simple_logger = "4.1.0"
@ -22,6 +22,8 @@ ctrlc = "3.2.5"
reqwest = { version = "0.11.16", features = ["blocking"] } reqwest = { version = "0.11.16", features = ["blocking"] }
base64 = "0.21.0" base64 = "0.21.0"
chrono = "0.4.24" chrono = "0.4.24"
ipnet = "2.7.1"
[build-dependencies] [build-dependencies]
serde = { version = "1.0.157", features = ["derive"] } serde = { version = "1.0.157", features = ["derive"] }

26
tfclient/src/apiworker.rs
View File

@ -3,6 +3,7 @@ use base64::Engine;
use chrono::Local; use chrono::Local;
use log::{error, info, warn}; use log::{error, info, warn};
use url::Url; use url::Url;
use trifid_pki::ca::NebulaCAPool;
use trifid_pki::cert::{serialize_ed25519_public, serialize_x25519_public}; use trifid_pki::cert::{serialize_ed25519_public, serialize_x25519_public};
use trifid_pki::ed25519_dalek::{SecretKey, SigningKey}; use trifid_pki::ed25519_dalek::{SecretKey, SigningKey};
use trifid_pki::rand_core::OsRng; use trifid_pki::rand_core::OsRng;
@ -106,15 +107,34 @@ pub fn apiworker_main(config: TFClientConfig, instance: String, url: String, _tr
}; };
info!("Enrolled with server. Host-ID {} config count {}", resp.data.host_id, resp.data.counter); info!("Enrolled with server. Host-ID {} config count {}", resp.data.host_id, resp.data.counter);
info!("NebulaCAPool {}, org {} {}", resp.data.trusted_keys, resp.data.organization.name, resp.data.organization.id); info!("KeyPool {}, org {} {}", resp.data.trusted_keys, resp.data.organization.name, resp.data.organization.id);
info!("Config: {}", resp.data.config); info!("Config: {}", resp.data.config);
// Decode the CAPool and config
let key_pool_pem = match base64::engine::general_purpose::STANDARD.decode(resp.data.trusted_keys) {
Ok(p) => p,
Err(e) => {
error!("error with enrollment: {}", e);
continue;
}
};
let config = match base64::engine::general_purpose::STANDARD.decode(resp.data.config) {
Ok(p) => p,
Err(e) => {
error!("error with enrollment: {}", e);
continue;
}
};
let config_str = String::from_utf8(config).unwrap();
cdata.host_id = Some(resp.data.host_id); cdata.host_id = Some(resp.data.host_id);
cdata.counter = resp.data.counter as i32; cdata.counter = resp.data.counter as i32;
cdata.ca_pool = Some(resp.data.trusted_keys); cdata.key_pool = Some(String::from_utf8(key_pool_pem).unwrap());
cdata.org_name = Some(resp.data.organization.name); cdata.org_name = Some(resp.data.organization.name);
cdata.org_id = Some(resp.data.organization.id); cdata.org_id = Some(resp.data.organization.id);
cdata.config = Some(resp.data.config); cdata.config = Some(config_str);
// Save vardata // Save vardata
match save_cdata(&instance, cdata) { match save_cdata(&instance, cdata) {

8
tfclient/src/config.rs
View File

@ -1,7 +1,11 @@
use std::collections::HashMap;
use std::error::Error; use std::error::Error;
use std::fs; use std::fs;
use std::net::{Ipv4Addr, SocketAddrV4};
use ipnet::Ipv4Net;
use log::{debug, info}; use log::{debug, info};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use trifid_pki::ca::NebulaCAPool;
use crate::dirs::{get_cdata_dir, get_cdata_file, get_config_dir, get_config_file, get_data_dir}; use crate::dirs::{get_cdata_dir, get_cdata_file, get_config_dir, get_config_file, get_data_dir};
pub const DEFAULT_PORT: u16 = 8157; pub const DEFAULT_PORT: u16 = 8157;
@ -19,7 +23,7 @@ pub struct TFClientData {
pub ed_privkey: Option<[u8; 32]>, pub ed_privkey: Option<[u8; 32]>,
pub dh_privkey: Option<[u8; 32]>, pub dh_privkey: Option<[u8; 32]>,
pub counter: i32, pub counter: i32,
pub ca_pool: Option<String>, pub key_pool: Option<String>,
pub org_id: Option<String>, pub org_id: Option<String>,
pub org_name: Option<String>, pub org_name: Option<String>,
pub config: Option<String> pub config: Option<String>
@ -57,7 +61,7 @@ pub fn create_cdata(instance: &str) -> Result<(), Box<dyn Error>> {
info!("Creating data directory..."); info!("Creating data directory...");
fs::create_dir_all(get_cdata_dir(instance).ok_or("Unable to load data dir")?)?; fs::create_dir_all(get_cdata_dir(instance).ok_or("Unable to load data dir")?)?;
info!("Copying default data file to config directory..."); info!("Copying default data file to config directory...");
let config = TFClientData { host_id: None, ed_privkey: None, dh_privkey: None, counter: 0, ca_pool: None, org_id: None, org_name: None, config: None }; let config = TFClientData { host_id: None, ed_privkey: None, dh_privkey: None, counter: 0, key_pool: None, org_id: None, org_name: None, config: None };
let config_str = toml::to_string(&config)?; let config_str = toml::to_string(&config)?;
fs::write(get_cdata_file(instance).ok_or("Unable to load data dir")?, config_str)?; fs::write(get_cdata_file(instance).ok_or("Unable to load data dir")?, config_str)?;
Ok(()) Ok(())

9
trifid-pki/Cargo.toml
View File

@ -1,6 +1,6 @@
[package] [package]
name = "trifid-pki" name = "trifid-pki"
version = "0.1.5" version = "0.1.6"
edition = "2021" edition = "2021"
description = "A rust implementation of the Nebula PKI system" description = "A rust implementation of the Nebula PKI system"
license = "AGPL-3.0-or-later" license = "AGPL-3.0-or-later"
@ -19,4 +19,9 @@ quick-protobuf = "0.8.1"
hex = "0.4.3" hex = "0.4.3"
sha2 = "0.10.6" sha2 = "0.10.6"
rand_core = "0.6.4" rand_core = "0.6.4"
rand = "0.8.5" rand = "0.8.5"
serde = { version = "1", features = ["derive"], optional = true }
[features]
default = []
serde_derive = ["serde", "ipnet/serde"]

9
trifid-pki/src/ca.rs
View File

@ -7,9 +7,13 @@ use std::time::SystemTime;
use ed25519_dalek::VerifyingKey; use ed25519_dalek::VerifyingKey;
use crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate}; use crate::cert::{deserialize_nebula_certificate_from_pem, NebulaCertificate};
#[cfg(feature = "serde_derive")]
use serde::{Serialize, Deserialize};
/// A pool of trusted CA certificates, and certificates that should be blocked. /// A pool of trusted CA certificates, and certificates that should be blocked.
/// This is equivalent to the `pki` section in a typical Nebula config.yml. /// This is equivalent to the `pki` section in a typical Nebula config.yml.
#[derive(Default)] #[derive(Default, Clone)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub struct NebulaCAPool { pub struct NebulaCAPool {
/// The list of CA root certificates that should be trusted. /// The list of CA root certificates that should be trusted.
pub cas: HashMap<String, NebulaCertificate>, pub cas: HashMap<String, NebulaCertificate>,
@ -102,8 +106,9 @@ impl NebulaCAPool {
} }
} }
#[derive(Debug)]
/// A list of errors that can happen when working with a CA Pool /// A list of errors that can happen when working with a CA Pool
#[derive(Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum CaPoolError { pub enum CaPoolError {
/// Tried to add a non-CA cert to the CA pool /// Tried to add a non-CA cert to the CA pool
NotACA, NotACA,

8
trifid-pki/src/cert.rs
View File

@ -15,6 +15,9 @@ use crate::ca::NebulaCAPool;
use crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails}; use crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};
use sha2::Digest; use sha2::Digest;
#[cfg(feature = "serde_derive")]
use serde::{Serialize, Deserialize};
/// The length, in bytes, of public keys /// The length, in bytes, of public keys
pub const PUBLIC_KEY_LENGTH: i32 = 32; pub const PUBLIC_KEY_LENGTH: i32 = 32;
@ -31,6 +34,7 @@ pub const ED25519_PUBLIC_KEY_BANNER: &str = "NEBULA ED25519 PUBLIC KEY";
/// A Nebula PKI certificate /// A Nebula PKI certificate
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub struct NebulaCertificate { pub struct NebulaCertificate {
/// The signed data of this certificate /// The signed data of this certificate
pub details: NebulaCertificateDetails, pub details: NebulaCertificateDetails,
@ -40,6 +44,7 @@ pub struct NebulaCertificate {
/// The signed details contained in a Nebula PKI certificate /// The signed details contained in a Nebula PKI certificate
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub struct NebulaCertificateDetails { pub struct NebulaCertificateDetails {
/// The name of the identity this certificate was issued for /// The name of the identity this certificate was issued for
pub name: String, pub name: String,
@ -63,6 +68,7 @@ pub struct NebulaCertificateDetails {
/// A list of errors that can occur parsing certificates /// A list of errors that can occur parsing certificates
#[derive(Debug)] #[derive(Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum CertificateError { pub enum CertificateError {
/// Attempted to deserialize a certificate from an empty byte array /// Attempted to deserialize a certificate from an empty byte array
EmptyByteArray, EmptyByteArray,
@ -186,6 +192,7 @@ pub fn deserialize_nebula_certificate(bytes: &[u8]) -> Result<NebulaCertificate,
/// A list of errors that can occur parsing keys /// A list of errors that can occur parsing keys
#[derive(Debug)] #[derive(Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum KeyError { pub enum KeyError {
/// Keys should have their associated PEM tags but this had the wrong one /// Keys should have their associated PEM tags but this had the wrong one
WrongPemTag, WrongPemTag,
@ -520,6 +527,7 @@ impl NebulaCertificate {
/// A list of possible errors that can happen validating a certificate /// A list of possible errors that can happen validating a certificate
#[derive(Eq, PartialEq, Debug)] #[derive(Eq, PartialEq, Debug)]
#[cfg_attr(feature = "serde_derive", derive(Serialize, Deserialize))]
pub enum CertificateValidity { pub enum CertificateValidity {
/// There are no issues with this certificate /// There are no issues with this certificate
Ok, Ok,