This commit is contained in:
Alex Auvolat 2020-04-12 19:18:31 +02:00
parent d2814b5c33
commit c788fc9f9e
4 changed files with 37 additions and 61 deletions

View file

@ -31,7 +31,7 @@ reduce = "0.1.2"
serde_json = "1.0" serde_json = "1.0"
rustls = "0.17" rustls = "0.17"
tokio-rustls = { version = "0.13", features = ["dangerous_configuration"] } tokio-rustls = "0.13"
hyper-rustls = { version = "0.20", default-features = false } hyper-rustls = { version = "0.20", default-features = false }
webpki = "0.21" webpki = "0.21"

View file

@ -7,6 +7,8 @@ cd $(dirname $0)
mkdir -p pki mkdir -p pki
cd pki cd pki
# Create a certificate authority that both the client side and the server side of
# the RPC protocol will use to authenticate the other side.
if [ ! -f garage-ca.key ]; then if [ ! -f garage-ca.key ]; then
echo "Generating Garage CA keys..." echo "Generating Garage CA keys..."
openssl genrsa -out garage-ca.key 4096 openssl genrsa -out garage-ca.key 4096
@ -14,6 +16,9 @@ if [ ! -f garage-ca.key ]; then
fi fi
# Generate a certificate that can be used either as a server certificate
# or a client certificate. This is what the RPC client and server will use
# to prove that they are authenticated by the CA.
if [ ! -f garage.crt ]; then if [ ! -f garage.crt ]; then
echo "Generating Garage agent keys..." echo "Generating Garage agent keys..."
if [ ! -f garage.key ]; then if [ ! -f garage.key ]; then
@ -46,3 +51,33 @@ EOF
-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \ -CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
-out garage.crt -days 365 -out garage.crt -days 365
fi fi
# Client-only certificate used for the CLI
if [ ! -f garage-client.crt ]; then
echo "Generating Garage client keys..."
if [ ! -f garage-client.key ]; then
openssl genrsa -out garage-client.key 4096
fi
openssl req -new -sha256 -key garage-client.key -subj "/C=FR/O=Garage" \
-out garage-client.csr
openssl req -in garage-client.csr -noout -text
openssl x509 -req -in garage-client.csr \
-extensions v3_req \
-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
O = Garage
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
EOF
) \
-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
-out garage-client.crt -days 365
fi

View file

@ -109,7 +109,6 @@ impl RpcClient {
} }
config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?; config.set_single_client_cert([&node_certs[..], &ca_certs[..]].concat(), node_key)?;
// config.dangerous().set_certificate_verifier(Arc::new(tls_util::NoHostnameCertVerifier));
let connector = let connector =
tls_util::HttpsConnectorFixedDnsname::<HttpConnector>::new(config, "garage"); tls_util::HttpsConnectorFixedDnsname::<HttpConnector>::new(config, "garage");
@ -143,7 +142,7 @@ impl RpcClient {
let resp = tokio::time::timeout(timeout, resp_fut) let resp = tokio::time::timeout(timeout, resp_fut)
.await? .await?
.map_err(|e| { .map_err(|e| {
eprintln!("RPC client error: {}", e); eprintln!("RPC HTTP client error when connecting to {}: {}", to_addr, e);
e e
})?; })?;

View file

@ -7,7 +7,6 @@ use core::future::Future;
use futures_util::future::*; use futures_util::future::*;
use tokio::io::{AsyncRead, AsyncWrite}; use tokio::io::{AsyncRead, AsyncWrite};
use rustls::internal::pemfile; use rustls::internal::pemfile;
use rustls::*;
use hyper::client::HttpConnector; use hyper::client::HttpConnector;
use hyper::client::connect::Connection; use hyper::client::connect::Connection;
use hyper::service::Service; use hyper::service::Service;
@ -60,63 +59,6 @@ pub fn load_private_key(filename: &str) -> Result<rustls::PrivateKey, Error> {
} }
// ---- AWFUL COPYPASTA FROM rustls/verifier.rs
// ---- USED TO ALLOW TO VERIFY SERVER CERTIFICATE VALIDITY IN CHAIN
// ---- BUT DISREGARD HOSTNAME PARAMETER
pub struct NoHostnameCertVerifier;
type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[
&webpki::ECDSA_P256_SHA256,
&webpki::ECDSA_P256_SHA384,
&webpki::ECDSA_P384_SHA256,
&webpki::ECDSA_P384_SHA384,
&webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
&webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
&webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
&webpki::RSA_PKCS1_2048_8192_SHA256,
&webpki::RSA_PKCS1_2048_8192_SHA384,
&webpki::RSA_PKCS1_2048_8192_SHA512,
&webpki::RSA_PKCS1_3072_8192_SHA384
];
impl rustls::ServerCertVerifier for NoHostnameCertVerifier {
fn verify_server_cert(&self,
roots: &RootCertStore,
presented_certs: &[Certificate],
_dns_name: webpki::DNSNameRef,
_ocsp_response: &[u8]) -> Result<rustls::ServerCertVerified, TLSError> {
if presented_certs.is_empty() {
return Err(TLSError::NoCertificatesPresented);
}
let cert = webpki::EndEntityCert::from(&presented_certs[0].0)
.map_err(TLSError::WebPKIError)?;
let chain = presented_certs.iter()
.skip(1)
.map(|cert| cert.0.as_ref())
.collect::<Vec<_>>();
let trustroots: Vec<webpki::TrustAnchor> = roots.roots
.iter()
.map(|x| x.to_trust_anchor())
.collect();
let now = webpki::Time::try_from(std::time::SystemTime::now())
.map_err( |_ | TLSError::FailedToGetCurrentTime)?;
cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS,
&webpki::TLSServerTrustAnchors(&trustroots), &chain, now)
.map_err(TLSError::WebPKIError)?;
Ok(rustls::ServerCertVerified::assertion())
}
}
// ---- AWFUL COPYPASTA FROM HYPER-RUSTLS connector.rs // ---- AWFUL COPYPASTA FROM HYPER-RUSTLS connector.rs
// ---- ALWAYS USE `garage` AS HOSTNAME FOR TLS VERIFICATION // ---- ALWAYS USE `garage` AS HOSTNAME FOR TLS VERIFICATION