SSL certificate generation

Cargo.toml

@@ -9,6 +9,7 @@ members = [
     "chia-protocol/fuzz",
     "chia_py_streamable_macro",
     "chia_streamable_macro",
+    "chia-ssl",
     "chia-tools",
     "chia-traits",
     "chia-wallet",

chia-ssl/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "chia-ssl"
+version = "0.2.12"
+edition = "2021"
+license = "Apache-2.0"
+description = "Chia SSL X.509 certificate generator"
+authors = ["Brandon Haggstrom <[email protected]>"]
+homepage = "https://github.com/Chia-Network/chia_rs/chia-ssl/"
+repository = "https://github.com/Chia-Network/chia_rs/chia-ssl/"
+
+[dependencies]
+lazy_static = "1.4.0"
+rand = "0.8.5"
+rcgen = { version = "0.11.1", features = ["pem", "x509-parser"] }
+rsa = "0.9.2"
+rustls = "0.21.2"
+thiserror = "1.0.50"
+time = "0.3.22"

chia-ssl/chia_ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAhGgAwIBAgIUXIpxI5MoZQ65/vhc7DK/d5ymoMUwDQYJKoZIhvcNAQEL
+BQAwRDENMAsGA1UECgwEQ2hpYTEQMA4GA1UEAwwHQ2hpYSBDQTEhMB8GA1UECwwY
+T3JnYW5pYyBGYXJtaW5nIERpdmlzaW9uMB4XDTIxMDEyMzA4NTEwNloXDTMxMDEy
+MTA4NTEwNlowRDENMAsGA1UECgwEQ2hpYTEQMA4GA1UEAwwHQ2hpYSBDQTEhMB8G
+A1UECwwYT3JnYW5pYyBGYXJtaW5nIERpdmlzaW9uMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzz/L219Zjb5CIKnUkpd2julGC+j3E97KUiuOalCH9wdq
+gpJi9nBqLccwPCSFXFew6CNBIBM+CW2jT3UVwgzjdXJ7pgtu8gWj0NQ6NqSLiXV2
+WbpZovfrVh3x7Z4bjPgI3ouWjyehUfmK1GPIld4BfUSQtPlUJ53+XT32GRizUy+b
+0CcJ84jp1XvyZAMajYnclFRNNJSw9WXtTlMUu+Z1M4K7c4ZPwEqgEnCgRc0TCaXj
+180vo7mCHJQoDiNSCRATwfH+kWxOOK/nePkq2t4mPSFaX8xAS4yILISIOWYn7sNg
+dy9D6gGNFo2SZ0FR3x9hjUjYEV3cPqg3BmNE3DDynQIDAQABoxMwETAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAEugnFQjzHhS0eeCqUwOHmP3ww
+/rXPkKF+bJ6uiQgXZl+B5W3m3zaKimJeyatmuN+5ST1gUET+boMhbA/7grXAsRsk
+SFTHG0T9CWfPiuimVmGCzoxLGpWDMJcHZncpQZ72dcy3h7mjWS+U59uyRVHeiprE
+hvSyoNSYmfvh7vplRKS1wYeA119LL5fRXvOQNW6pSsts17auu38HWQGagSIAd1UP
+5zEvDS1HgvaU1E09hlHzlpdSdNkAx7si0DMzxKHUg9oXeRZedt6kcfyEmryd52Mj
+1r1R9mf4iMIUv1zc2sHVc1omxnCw9+7U4GMWLtL5OgyJyfNyoxk3tC+D3KNU
+-----END CERTIFICATE-----

chia-ssl/chia_ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPP8vbX1mNvkIg
+qdSSl3aO6UYL6PcT3spSK45qUIf3B2qCkmL2cGotxzA8JIVcV7DoI0EgEz4JbaNP
+dRXCDON1cnumC27yBaPQ1Do2pIuJdXZZulmi9+tWHfHtnhuM+Ajei5aPJ6FR+YrU
+Y8iV3gF9RJC0+VQnnf5dPfYZGLNTL5vQJwnziOnVe/JkAxqNidyUVE00lLD1Ze1O
+UxS75nUzgrtzhk/ASqAScKBFzRMJpePXzS+juYIclCgOI1IJEBPB8f6RbE44r+d4
++Sra3iY9IVpfzEBLjIgshIg5Zifuw2B3L0PqAY0WjZJnQVHfH2GNSNgRXdw+qDcG
+Y0TcMPKdAgMBAAECggEAa6lLgEl3HyAQACHZUNGoADOEdNlvyP26gpcn42i0SQqs
+NOpQyI67Sc6o6wVZ1g+j0ePGiCAW4RT4emVriSPi4Xc4bpiP6OAvKmOlXg96gUzo
+z1H0EKnTsifaLsMssr2C9gDzlKhUsF3+1biEUf5DLcz5k1nWcsIrikqO1pizR2mL
+nMuhW+kRwR6bY75pGlQ8JmqQ3BTS6YBMJ+BkZ8XOBcj9c8mvxTL4tVk4Wnc9dcd+
+dlkP1PkCM79WIF6pswW5ZDwGlU6pqk08qPzENjei/De6IBg8Lt4uJve79agV6Uxz
+Y4xfRCWMunlj4VJwUcAzGhyjcBB1ZJi9JDBvnFmaDQKBgQDrMoBJ+vDcS0+2GQtH
+k0GZ6wjhFttjqIVWFLmWgtvNO1K2+y6zwQjpFCAuAAUXXgfbVhIfFvp0HUxujjkE
+3zeCYOlS8o9ESyWoPdg8woWjkZcya/4mE2jlj1+GI4SfHMska0EHUd4aaDk1en2a
+vYKH27zD+yV+4IdyRsD0Bi93EwKBgQDhlHnODvf5QDVro+b3dsthkaP6F/s5oH/o
+eLD1jEIGAN9Yz10njyLPfzaeiNPm6LSsKVXlgCjxQIuHTU2n0BsFke4F1ib0jOK4
+o3NN4rfVRb5O9vP50THv4+VhB9806FwiB371JeOhmitCSwiYp0wZmV3WURF4e4Fr
+Cr3YlC+1jwKBgQC03BTCzvFAtbkKMp/13krn7VDaphT2wbQmybEdCGu1mhS1GNqE
+57/OW+eS9/jySyCHjdxJhAX8HDuWGE/Ia03oOFWzr0p0HcVLZqNNtdfGPEKkR18c
+MHjNbj7qi42EPUQJMWDEHDRK4jJ76UGFKI2jo1m46vueYVJGkhn2jHsbeQKBgDim
+/Ew20Col6QSmfhwKFpvjYsYtfaeEWns8zFxupCozz+PS+Dc2KGzqKwJ3pJgqOy29
+l9fybtXf+uq5DFan2hF1C80lclUaiNoMGqol1TtXr6rPNIi59AumNXY/7tuvu2vE
+bCsPH/L28ARPKdKEuYT4Umu/ol6aze7fHLymwrCbAoGAbm4vMLIy8wHYrAj5/een
+YthUYbQ+XWOrrI1dJoGiwCIXTL4iBSO1ZjkR6M7yg9Zxv0BuqA+2tZqImLXsqIq/
+g7Jtrn7LfogS3KOiVa3QAHoXegMrRf4S3DyP/GW8E27MMvqBEkdCDX53h07wvPng
+0NRspbyMaX43/tp8ZWkaZf0=
+-----END PRIVATE KEY-----

chia-ssl/src/ca.rs

@@ -0,0 +1,16 @@
+use lazy_static::lazy_static;
+use rcgen::{Certificate, CertificateParams, KeyPair};
+
+pub const CHIA_CA_KEY: &str = include_str!("../chia_ca.key");
+pub const CHIA_CA_CRT: &str = include_str!("../chia_ca.crt");
+
+lazy_static! {
+    pub static ref CHIA_CA: Certificate = load_ca_cert();
+}
+
+fn load_ca_cert() -> Certificate {
+    let key_pair = KeyPair::from_pem(CHIA_CA_KEY).expect("could not load CA keypair");
+    let params = CertificateParams::from_ca_cert_pem(CHIA_CA_CRT, key_pair)
+        .expect("could not create CA params");
+    Certificate::from_params(params).expect("could not create certificate")
+}

chia-ssl/src/error.rs

@@ -0,0 +1,19 @@
+use rcgen::RcgenError;
+use time::error::ComponentRange;
+
+pub type Result<T> = std::result::Result<T, Error>;
+
+#[derive(thiserror::Error, Debug, PartialEq, Eq)]
+pub enum Error {
+    #[error("{0}")]
+    KeyGen(#[from] rsa::Error),
+
+    #[error("{0}")]
+    Pkcs8(#[from] rsa::pkcs8::Error),
+
+    #[error("{0}")]
+    CertGen(#[from] RcgenError),
+
+    #[error("{0}")]
+    DateRange(#[from] ComponentRange),
+}

chia-ssl/src/lib.rs

@@ -0,0 +1,52 @@
+use rcgen::{Certificate, CertificateParams, DistinguishedName, DnType, KeyPair, SanType};
+use rsa::{
+    pkcs8::{EncodePrivateKey, LineEnding},
+    RsaPrivateKey,
+};
+use time::{Date, Duration, Month, OffsetDateTime, PrimitiveDateTime, Time};
+
+mod ca;
+mod error;
+
+pub use ca::*;
+pub use error::*;
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub struct ChiaCertificate {
+    pub cert_pem: String,
+    pub key_pem: String,
+}
+
+impl ChiaCertificate {
+    pub fn generate() -> Result<ChiaCertificate> {
+        let mut rng = rand::thread_rng();
+
+        let key = RsaPrivateKey::new(&mut rng, 2048)?;
+        let key_pem = key.to_pkcs8_pem(LineEnding::default())?.to_string();
+
+        let mut params = CertificateParams::default();
+
+        params.alg = &rcgen::PKCS_RSA_SHA256;
+        params.key_pair = Some(KeyPair::from_pem(&key_pem)?);
+
+        let mut subject = DistinguishedName::new();
+        subject.push(DnType::CommonName, "Chia");
+        subject.push(DnType::OrganizationName, "Chia");
+        subject.push(DnType::OrganizationalUnitName, "Organic Farming Division");
+        params.distinguished_name = subject;
+
+        params.subject_alt_names = vec![SanType::DnsName("chia.net".to_string())];
+
+        params.not_before = OffsetDateTime::now_utc() - Duration::DAY;
+        params.not_after = PrimitiveDateTime::new(
+            Date::from_calendar_date(2100, Month::August, 2)?,
+            Time::MIDNIGHT,
+        )
+        .assume_utc();
+
+        let cert = Certificate::from_params(params)?;
+        let cert_pem = cert.serialize_pem_with_signer(&CHIA_CA)?;
+
+        Ok(ChiaCertificate { cert_pem, key_pem })
+    }
+}