wip: implemented crypto reloader as a separate object from the proxy itself
1 parent
3c6e4e5
commit 5576389
Showing
13 changed files
with
468 additions
and
56 deletions.
@@ -1,5 +1,5 @@ | ||
use crate::{ | ||
certs::CryptoSource, | ||
crypto::CryptoSource, | ||
error::*, | ||
log::*, | ||
name_exp::{ByteName, ServerName}, | ||
|
This file was deleted.
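--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,91 @@
+use async_trait::async_trait;
+use rustc_hash::FxHashSet as HashSet;
+use rustls::{
+sign::{any_supported_type, CertifiedKey},
+Certificate, OwnedTrustAnchor, PrivateKey,
+};
+use std::io;
+use x509_parser::prelude::*;
+
+#[async_trait]
+// Trait to read certs and keys anywhere from KVS, file, sqlite, etc.
+pub trait CryptoSource {
+type Error;
+
+/// read crypto materials from source
+async fn read(&self) -> Result<CertsAndKeys, Self::Error>;
+
+/// Returns true when mutual tls is enabled
+fn is_mutual_tls(&self) -> bool;
+}
+
+/// Certificates and private keys in rustls loaded from files
+#[derive(Debug, PartialEq, Eq, Clone)]
+pub struct CertsAndKeys {
+pub certs: Vec<Certificate>,
+pub cert_keys: Vec<PrivateKey>,
+pub client_ca_certs: Option<Vec<Certificate>>,
+}
+
+impl CertsAndKeys {
+pub fn parse_server_certs_and_keys(&self) -> Result<CertifiedKey, anyhow::Error> {
+// for (server_name_bytes_exp, certs_and_keys) in self.inner.iter() {
+let signing_key = self
+.cert_keys
+.iter()
+.find_map(|k| {
+if let Ok(sk) = any_supported_type(k) {
+Some(sk)
+} else {
+None
+}
+})
+.ok_or_else(|| {
+io::Error::new(
+io::ErrorKind::InvalidInput,
+"Unable to find a valid certificate and key",
+)
+})?;
+Ok(CertifiedKey::new(self.certs.clone(), signing_key))
+}
+
+pub fn parse_client_ca_certs(&self) -> Result<(Vec<OwnedTrustAnchor>, HashSet<Vec<u8>>), anyhow::Error> {
+let certs = self.client_ca_certs.as_ref().ok_or(anyhow::anyhow!("No client cert"))?;
+
+let owned_trust_anchors: Vec<_> = certs
+.iter()
+.map(|v| {
+// let trust_anchor = tokio_rustls::webpki::TrustAnchor::try_from_cert_der(&v.0).unwrap();
+let trust_anchor = webpki::TrustAnchor::try_from_cert_der(&v.0).unwrap();
+rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+trust_anchor.subject,
+trust_anchor.spki,
+trust_anchor.name_constraints,
+)
+})
+.collect();
+
+// TODO: SKID is not used currently
+let subject_key_identifiers: HashSet<_> = certs
+.iter()
+.filter_map(|v| {
+// retrieve ca key id (subject key id)
+let cert = parse_x509_certificate(&v.0).unwrap().1;
+let subject_key_ids = cert
+.iter_extensions()
+.filter_map(|ext| match ext.parsed_extension() {
+ParsedExtension::SubjectKeyIdentifier(skid) => Some(skid),
+_ => None,
+})
+.collect::<Vec<_>>();
+if !subject_key_ids.is_empty() {
+Some(subject_key_ids[0].0.to_owned())
+} else {
+None
+}
+})
+.collect();
+
+Ok((owned_trust_anchors, subject_key_identifiers))
+}
+}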
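Review bot: `webpki::TrustAnchor::try_from_cert_der(&v.0).unwrap()` and `parse_x509_certificate(&v.0).unwrap().1` in parse_client_ca_certs turn a single malformed client-CA certificate into a panic, even though the function already returns `anyhow::Error`. Since the commit wires this type into a hot reloader (build_cert_reloader in the new mod.rs), a bad DER blob appearing in the watched certificate source would abort the proxy on the next reload instead of being rejected with an error an operator can see in the logs. Propagating through `collect::<Result<Vec<_>, _>>()?` keeps the signature unchanged; for the SKID pass, which the TODO marks as unused, `.ok()?` inside the `filter_map` at least degrades to skipping that entry rather than crashing. A smaller point in parse_server_certs_and_keys: the `if let Ok(sk) … else { None }` closure is just `any_supported_type(k).ok()`, and the first parseable key is accepted without being checked against the leaf certificate's public key, so a mismatched cert/key pair only surfaces at handshake time.
```rust
let owned_trust_anchors = certs
    .iter()
    .map(|v| {
        let trust_anchor = webpki::TrustAnchor::try_from_cert_der(&v.0)
            .map_err(|e| anyhow::anyhow!("invalid client CA certificate: {:?}", e))?;
        Ok(rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
            trust_anchor.subject,
            trust_anchor.spki,
            trust_anchor.name_constraints,
        ))
    })
    .collect::<Result<Vec<_>, anyhow::Error>>()?;

// … unchanged: SKID pass, except the parse line below …
let cert = parse_x509_certificate(&v.0).ok()?.1;
```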
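--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,36 @@
+mod certs;
+mod service;
+
+use crate::{
+backend::BackendAppManager,
+constants::{CERTS_WATCH_DELAY_SECS, LOAD_CERTS_ONLY_WHEN_UPDATED},
+error::RpxyResult,
+};
+use hot_reload::{ReloaderReceiver, ReloaderService};
+use service::CryptoReloader;
+use std::sync::Arc;
+
+pub use certs::{CertsAndKeys, CryptoSource};
+pub use service::ServerCryptoBase;
+
+/// Result type inner of certificate reloader service
+type ReloaderServiceResultInner<T> = (
+ReloaderService<CryptoReloader<T>, ServerCryptoBase>,
+ReloaderReceiver<ServerCryptoBase>,
+);
+/// Build certificate reloader service
+pub(crate) async fn build_cert_reloader<T>(
+app_manager: &Arc<BackendAppManager<T>>,
+) -> RpxyResult<ReloaderServiceResultInner<T>>
+where
+T: CryptoSource + Clone + Send + Sync + 'static,
+{
+let (cert_reloader_service, cert_reloader_rx) = ReloaderService::<
+service::CryptoReloader<T>,
+service::ServerCryptoBase,
+>::new(
+app_manager, CERTS_WATCH_DELAY_SECS, !LOAD_CERTS_ONLY_WHEN_UPDATED
+)
+.await?;
+Ok((cert_reloader_service, cert_reloader_rx))
+}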
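Review bot: The third argument on the `app_manager, CERTS_WATCH_DELAY_SECS, !LOAD_CERTS_ONLY_WHEN_UPDATED` line is a negated boolean constant passed positionally, so a reader of this file cannot tell what `true` means for `ReloaderService::new` or why the polarity is flipped; a comment such as `// negated: ReloaderService's flag is "reload even when unchanged" — confirm against hot_reload` would make the intent explicit. The `service::` prefixes inside the turbofish are redundant because `CryptoReloader` and `ServerCryptoBase` are already imported above, and the destructure-then-re-tuple is a no-op, so the body reduces to `Ok(ReloaderService::<CryptoReloader<T>, ServerCryptoBase>::new(app_manager, CERTS_WATCH_DELAY_SECS, !LOAD_CERTS_ONLY_WHEN_UPDATED).await?)`. The doc comment on build_cert_reloader could also say what the two returned halves are for (the service to run and the receiver callers observe), since the type alias name alone does not convey that.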