diff --git a/Cargo.lock b/Cargo.lock index 1b565dd..1bfbd2d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -26,6 +26,21 @@ dependencies = [ "memchr", ] +[[package]] +name = "android-tzdata" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0" + +[[package]] +name = "android_system_properties" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311" +dependencies = [ + "libc", +] + [[package]] name = "anstream" version = "0.6.15" @@ -124,18 +139,53 @@ dependencies = [ "windows-targets", ] +[[package]] +name = "bitflags" +version = "2.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" + +[[package]] +name = "bumpalo" +version = "3.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c" + [[package]] name = "bytes" version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3" +[[package]] +name = "cc" +version = "1.1.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" +dependencies = [ + "shlex", +] + [[package]] name = "cfg-if" version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +[[package]] +name = "chrono" +version = "0.4.38" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401" +dependencies = [ + "android-tzdata", + "iana-time-zone", + "js-sys", + "num-traits", + "wasm-bindgen", + "windows-targets", +] + [[package]] name = "clap" version = "4.5.20" @@ -182,6 +232,12 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" +[[package]] +name = "core-foundation-sys" +version = "0.8.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" + [[package]] name = "encoding" version = "0.2.33" @@ -246,6 +302,21 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "futures" version = "0.3.31" @@ -353,18 +424,62 @@ version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" +[[package]] +name = "iana-time-zone" +version = "0.1.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220" +dependencies = [ + "android_system_properties", + "core-foundation-sys", + "iana-time-zone-haiku", + "js-sys", + "wasm-bindgen", + "windows-core", +] + +[[package]] +name = "iana-time-zone-haiku" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f" +dependencies = [ + "cc", +] + [[package]] name = "is_terminal_polyfill" version = "1.70.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" +[[package]] +name = "js-sys" +version = "0.3.72" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" +dependencies = [ + "wasm-bindgen", +] + +[[package]] +name = "lazy_static" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" + [[package]] name = "libc" version = "0.2.161" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" +[[package]] +name = "log" +version = "0.4.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" + [[package]] name = "memchr" version = "2.7.4" @@ -392,6 +507,15 @@ dependencies = [ "windows-sys", ] +[[package]] +name = "num-traits" +version = "0.2.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" +dependencies = [ + "autocfg", +] + [[package]] name = "object" version = "0.36.5" @@ -401,17 +525,64 @@ dependencies = [ "memchr", ] +[[package]] +name = "once_cell" +version = "1.20.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" + +[[package]] +name = "openssl" +version = "0.10.68" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "openssl-sys" +version = "0.9.104" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "peazyrsa" version = "0.1.0" dependencies = [ "anyhow", "async-stream", + "chrono", "clap", "encoding", "futures", "futures-core", "futures-util", + "lazy_static", + "openssl", "regex", "tokio", ] @@ -428,6 +599,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkg-config" +version = "0.3.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" + [[package]] name = "proc-macro2" version = "1.0.88" @@ -481,6 +658,12 @@ version = "0.1.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + [[package]] name = "signal-hook-registry" version = "1.4.2" @@ -555,12 +738,82 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +[[package]] +name = "wasm-bindgen" +version = "0.2.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" +dependencies = [ + "cfg-if", + "once_cell", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-backend", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.95" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" + +[[package]] +name = "windows-core" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" +dependencies = [ + "windows-targets", +] + [[package]] name = "windows-sys" version = "0.52.0" diff --git a/Cargo.toml b/Cargo.toml index 92a03b4..c12bf73 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -6,11 +6,14 @@ edition = "2021" [dependencies] anyhow = "1.0.90" async-stream = "0.3.6" +chrono = "0.4.38" clap = { version = "4.5.20", features = ["derive"] } encoding = "0.2.33" futures = "0.3.31" futures-core = "0.3.31" futures-util = "0.3.31" +lazy_static = "1.5.0" +openssl = { version="0.10.68" } regex = "1.11.0" tokio = { version = "1.40.0", features = ["fs", "rt", "process", "macros", "io-util"] } diff --git a/src/certs.rs b/src/certs.rs index 7408c80..35fd385 100644 --- a/src/certs.rs +++ b/src/certs.rs @@ -1,9 +1,9 @@ -use anyhow::{anyhow, Result}; +use anyhow::{anyhow, Context, Result}; use std::{path::PathBuf, sync::Arc}; -use crate::common::{is_file_exist, read_file, write_file, AppConfig}; -use crate::crypto::ICryptoProvider; +use crate::common::{is_file_exist, read_file, write_file, AppConfig, OpenSSLProviderArg, VarsMap}; +use crate::crypto::{ICryptoProvider, OpenSSLBinProvider, OpenSSLLibProvider}; pub(crate) struct Certs where @@ -56,8 +56,8 @@ where return Ok(false); } - self.request().await?; - self.sign().await?; + self.request().await.context("req error")?; + self.sign().await.context("sign error")?; let (template_file, ca_file, cert_file, key_file) = ( self.template_file.clone(), @@ -87,3 +87,35 @@ where } } } + +pub async fn build_client_config(config: &AppConfig, vars: VarsMap) -> Result<()> { + let result_file: PathBuf; + let created: bool; + + if let OpenSSLProviderArg::ExternalBin(_) = config.openssl { + let certs = Certs::new(config, OpenSSLBinProvider::from_cfg(config, vars)); + created = certs + .build_client_config() + .await + .context("external openssl error")?; + result_file = certs.config_file; + } else { + let certs = Certs::new(config, OpenSSLLibProvider::from_cfg(config, vars)); + created = certs + .build_client_config() + .await + .context("internal openssl error")?; + result_file = certs.config_file; + } + + let result_file = result_file + .to_str() + .ok_or(anyhow!("result_file PathBuf to str convert error"))?; + + if created { + println!("created: {result_file}"); + Ok(()) + } else { + Err(anyhow!("file exists: {result_file}")) + } +} diff --git a/src/common.rs b/src/common.rs index 93949f4..0165c18 100644 --- a/src/common.rs +++ b/src/common.rs @@ -4,7 +4,9 @@ use clap::Parser; use encoding::{label::encoding_from_whatwg_label, EncoderTrap}; use std::{ collections::BTreeMap, + fmt::Display, path::{Path, PathBuf}, + str::FromStr, }; use tokio::{ fs::{self, File}, @@ -15,6 +17,31 @@ use futures_core::stream::Stream; pub(crate) type VarsMap = BTreeMap; +#[derive(Debug, Clone, PartialEq)] +pub enum OpenSSLProviderArg { + Internal, + ExternalBin(String), +} + +impl FromStr for OpenSSLProviderArg { + type Err = anyhow::Error; + fn from_str(s: &str) -> Result { + match s.to_ascii_lowercase().as_str() { + "internal" => Ok(OpenSSLProviderArg::Internal), + x => Ok(OpenSSLProviderArg::ExternalBin(x.to_string())), + } + } +} + +impl Display for OpenSSLProviderArg { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + OpenSSLProviderArg::ExternalBin(x) => write!(f, "{}", x), + _ => write!(f, "internal"), + } + } +} + #[derive(Parser)] #[command(author, version, about, long_about = None)] pub(crate) struct Args { @@ -42,12 +69,12 @@ pub(crate) struct Args { pub(crate) config_dir: String, /// valid days - #[arg(long, default_value = "30650")] + #[arg(long, default_value = "3650")] pub(crate) days: u32, - /// openssl binary - #[arg(long, default_value = "openssl")] - pub(crate) openssl: String, + /// openssl binary or (internal) + #[arg(long, short, default_value = "internal")] + pub(crate) openssl: OpenSSLProviderArg, /// template file #[arg(long, default_value = "template.ovpn")] @@ -64,7 +91,7 @@ pub(crate) struct AppConfig { pub(crate) openssl_cnf_env: String, pub(crate) ca_filename: String, pub(crate) default_email_domain: String, - pub(crate) openssl: String, + pub(crate) openssl: OpenSSLProviderArg, pub(crate) base_directory: String, pub(crate) email: String, pub(crate) name: String, @@ -82,7 +109,7 @@ impl Default for AppConfig { openssl_cnf_env: "KEY_CONFIG".into(), ca_filename: "ca.crt".into(), default_email_domain: "example.com".into(), - openssl: "openssl".into(), + openssl: OpenSSLProviderArg::Internal, base_directory: ".".into(), email: "name@example.com".into(), name: "user".into(), diff --git a/src/crypto.rs b/src/crypto.rs index ae4ff31..380dd68 100644 --- a/src/crypto.rs +++ b/src/crypto.rs @@ -1,146 +1,444 @@ -use anyhow::{anyhow, Result}; -use std::path::PathBuf; - -use tokio::process::Command; - -use crate::common::{is_file_exist, AppConfig, VarsMap}; - -pub(crate) trait ICryptoProvider { - async fn request(&self) -> Result<()>; - async fn sign(&self) -> Result<()>; -} - -pub(crate) fn make_certs_provider(cfg: &AppConfig, vars: VarsMap) -> impl ICryptoProvider { - OpenSSLProvider::from_cfg(cfg, vars) -} - -pub(crate) struct OpenSSLProvider { - vars: VarsMap, - base_dir: PathBuf, - openssl_cnf: PathBuf, - openssl: String, - ca_file: PathBuf, - req_file: PathBuf, - key_file: PathBuf, - cert_file: PathBuf, - req_days: u32, -} - -impl OpenSSLProvider { - async fn is_ca_exists(&self) -> bool { - is_file_exist(&self.ca_file).await - } - - async fn is_cert_exists(&self) -> bool { - is_file_exist(&self.cert_file).await - } - - async fn is_req_exists(&self) -> bool { - is_file_exist(&self.req_file).await - } - - pub(crate) fn from_cfg(cfg: &AppConfig, vars: VarsMap) -> Self { - let base_dir = PathBuf::from(&cfg.base_directory); - let keys_dir = base_dir.clone().join(cfg.keys_subdir.clone()); - let name = cfg.name.clone(); - let mut vars = vars; - - vars.insert("KEY_CN".into(), name.clone()); - vars.insert("KEY_NAME".into(), name.clone()); - vars.insert("KEY_EMAIL".into(), cfg.email.clone()); - - let ca_file = keys_dir.join(cfg.ca_filename.clone()); - let req_file = keys_dir.join(format!("{}.csr", &name)); - let key_file = keys_dir.join(format!("{}.key", &name)); - let cert_file = keys_dir.join(format!("{}.crt", &name)); - let openssl_cnf = base_dir.clone().join( - std::env::var(cfg.openssl_cnf_env.clone()).unwrap_or(cfg.openssl_default_cnf.clone()), - ); - - Self { - vars, - base_dir, - openssl_cnf, - openssl: cfg.openssl.clone(), - ca_file, - req_file, - key_file, - cert_file, - req_days: cfg.req_days, - } - } -} - -impl ICryptoProvider for OpenSSLProvider { - async fn request(&self) -> Result<()> { - if self.is_req_exists().await { - return Ok(()); - } - - if !self.is_ca_exists().await { - return Err(anyhow!( - "ca file not found: {}", - &self.ca_file.to_str().unwrap() - )); - } - - let status = Command::new(&self.openssl) - .args([ - "req", - "-nodes", - "-new", - "-keyout", - self.key_file.to_str().unwrap(), - "-out", - self.req_file.to_str().unwrap(), - "-config", - self.openssl_cnf.to_str().unwrap(), - "-batch", - ]) - .current_dir(&self.base_dir) - .envs(&self.vars) - .status() - .await?; - - match status.success() { - true => Ok(()), - false => Err(anyhow!("openssl req execution failed")), - } - } - - async fn sign(&self) -> Result<()> { - if self.is_cert_exists().await { - return Ok(()); - } - - if !self.is_ca_exists().await { - return Err(anyhow!( - "ca file not found: {}", - &self.ca_file.to_str().unwrap() - )); - } - - let status = Command::new(&self.openssl) - .args([ - "ca", - "-days", - format!("{}", self.req_days).as_str(), - "-out", - self.cert_file.to_str().unwrap(), - "-in", - self.req_file.to_str().unwrap(), - "-config", - self.openssl_cnf.to_str().unwrap(), - "-batch", - ]) - .current_dir(&self.base_dir) - .envs(&self.vars) - .status() - .await?; - - match status.success() { - true => Ok(()), - false => Err(anyhow!("ssl ca execution failed")), - } - } -} +use anyhow::{anyhow, Context, Result}; +use openssl::{ + asn1::Asn1Time, + conf::{Conf, ConfMethod}, + hash::MessageDigest, + pkey::{PKey, Private}, + rsa::Rsa, + stack::Stack, + x509::{ + extension::{ExtendedKeyUsage, KeyUsage, SubjectAlternativeName}, + X509Name, X509NameBuilder, X509Req, X509ReqBuilder, X509, + }, +}; +use std::path::PathBuf; + +use tokio::{fs, process::Command}; + +use crate::common::{is_file_exist, read_file, AppConfig, VarsMap}; + +use lazy_static::lazy_static; +use std::collections::HashMap; + +use chrono::{Datelike, Days, Timelike, Utc}; + +lazy_static! { + static ref KEYMAP: HashMap<&'static str, &'static str> = { + let mut m = HashMap::new(); + m.insert("C", "KEY_COUNTRY"); + m.insert("ST", "KEY_PROVINCE"); + m.insert("O", "KEY_ORG"); + m.insert("OU", "KEY_OU"); + m.insert("CN", "KEY_CN"); + m.insert("name", "KEY_NAME"); + m + }; +} + +fn get_time_str_x509(days: u32) -> Result { + let dt = Utc::now(); + let dt = dt + .checked_add_days(Days::new(days as u64)) + .ok_or(anyhow!("failed to add days")) + .context("checked_add_days")?; + + let year = dt.year() % 10000; + let month = dt.month() % 13; + let day = dt.day() % 32; + let hour = dt.hour() % 25; + let minute = dt.minute() % 60; + let second = dt.second() % 60; + let s = format!("{year:04}{month:02}{day:02}{hour:02}{minute:02}{second:02}Z"); + Ok(s) +} + +pub(crate) trait ICryptoProvider { + async fn request(&self) -> Result<()>; + async fn sign(&self) -> Result<()>; +} + +pub(crate) struct OpenSSLBinProvider { + vars: VarsMap, + base_dir: PathBuf, + openssl_cnf: PathBuf, + openssl: String, + ca_file: PathBuf, + req_file: PathBuf, + key_file: PathBuf, + cert_file: PathBuf, + req_days: u32, +} + +impl OpenSSLBinProvider { + async fn is_ca_exists(&self) -> bool { + is_file_exist(&self.ca_file).await + } + + async fn is_cert_exists(&self) -> bool { + is_file_exist(&self.cert_file).await + } + + async fn is_req_exists(&self) -> bool { + is_file_exist(&self.req_file).await + } + + pub(crate) fn from_cfg(cfg: &AppConfig, vars: VarsMap) -> Self { + let base_dir = PathBuf::from(&cfg.base_directory); + let keys_dir = base_dir.clone().join(cfg.keys_subdir.clone()); + let name = cfg.name.clone(); + let mut vars = vars; + + vars.insert("KEY_CN".into(), name.clone()); + vars.insert("KEY_NAME".into(), name.clone()); + vars.insert("KEY_EMAIL".into(), cfg.email.clone()); + + let ca_file = keys_dir.join(cfg.ca_filename.clone()); + let req_file = keys_dir.join(format!("{}.csr", &name)); + let key_file = keys_dir.join(format!("{}.key", &name)); + let cert_file = keys_dir.join(format!("{}.crt", &name)); + let openssl_cnf = base_dir.clone().join( + std::env::var(cfg.openssl_cnf_env.clone()).unwrap_or(cfg.openssl_default_cnf.clone()), + ); + + Self { + vars, + base_dir, + openssl_cnf, + openssl: cfg.openssl.to_string(), + ca_file, + req_file, + key_file, + cert_file, + req_days: cfg.req_days, + } + } +} + +impl ICryptoProvider for OpenSSLBinProvider { + async fn request(&self) -> Result<()> { + if self.is_req_exists().await { + return Ok(()); + } + + if !self.is_ca_exists().await { + return Err(anyhow!( + "ca file not found: {}", + &self.ca_file.to_str().unwrap() + )); + } + + let status = Command::new(&self.openssl) + .args([ + "req", + "-nodes", + "-new", + "-keyout", + self.key_file.to_str().unwrap(), + "-out", + self.req_file.to_str().unwrap(), + "-config", + self.openssl_cnf.to_str().unwrap(), + "-batch", + ]) + .current_dir(&self.base_dir) + .envs(&self.vars) + .status() + .await?; + + match status.success() { + true => Ok(()), + false => Err(anyhow!("openssl req execution failed")), + } + } + + async fn sign(&self) -> Result<()> { + if self.is_cert_exists().await { + return Ok(()); + } + + if !self.is_ca_exists().await { + return Err(anyhow!( + "ca file not found: {}", + &self.ca_file.to_str().unwrap() + )); + } + + let status = Command::new(&self.openssl) + .args([ + "ca", + "-days", + format!("{}", self.req_days).as_str(), + "-out", + self.cert_file.to_str().unwrap(), + "-in", + self.req_file.to_str().unwrap(), + "-config", + self.openssl_cnf.to_str().unwrap(), + "-batch", + ]) + .current_dir(&self.base_dir) + .envs(&self.vars) + .status() + .await?; + + match status.success() { + true => Ok(()), + false => Err(anyhow!("ssl ca execution failed")), + } + } +} + +pub(crate) struct OpenSSLLibProvider { + vars: VarsMap, + #[allow(unused)] + base_dir: PathBuf, + #[allow(unused)] + openssl_cnf: PathBuf, + ca_file: PathBuf, + ca_key_file: PathBuf, + req_file: PathBuf, + key_file: PathBuf, + cert_file: PathBuf, + req_days: u32, + key_size: u32, + encoding: String, +} + +impl OpenSSLLibProvider { + async fn is_ca_exists(&self) -> bool { + is_file_exist(&self.ca_file).await + } + + async fn is_cert_exists(&self) -> bool { + is_file_exist(&self.cert_file).await + } + + async fn is_req_exists(&self) -> bool { + is_file_exist(&self.req_file).await + } + + pub(crate) fn from_cfg(cfg: &AppConfig, vars: VarsMap) -> Self { + let base_dir = PathBuf::from(&cfg.base_directory); + let keys_dir = base_dir.clone().join(cfg.keys_subdir.clone()); + let name = cfg.name.clone(); + let mut vars = vars; + + vars.insert("KEY_CN".into(), name.clone()); + vars.insert("KEY_NAME".into(), name.clone()); + vars.insert("KEY_EMAIL".into(), cfg.email.clone()); + + let ca_file = keys_dir.join(cfg.ca_filename.clone()); + let ca_key_file = ca_file.with_extension("key"); + let req_file = keys_dir.join(format!("{}.csr", &name)); + let key_file = keys_dir.join(format!("{}.key", &name)); + let cert_file = keys_dir.join(format!("{}.crt", &name)); + let openssl_cnf = base_dir.clone().join( + std::env::var(cfg.openssl_cnf_env.clone()).unwrap_or(cfg.openssl_default_cnf.clone()), + ); + + let default_key_size = "2048".to_string(); + let key_size_s = vars.get("KEY_SIZE").unwrap_or(&default_key_size); + let key_size: u32 = key_size_s.parse().unwrap(); + + let encoding = cfg.encoding.clone(); + + Self { + vars, + base_dir, + openssl_cnf, + ca_file, + ca_key_file, + req_file, + key_file, + cert_file, + req_days: cfg.req_days, + key_size, + encoding, + } + } + + fn generate_key_pair(&self) -> Result<(Rsa, PKey)> { + let rsa = Rsa::generate(self.key_size)?; + let pkey = PKey::from_rsa(rsa.clone())?; + Ok((rsa, pkey)) + } + + async fn get_ca_cert(&self) -> Result { + let text = read_file(self.ca_file.clone(), &self.encoding).await?; + Ok(X509::from_pem(text.as_bytes())?) + } + + async fn get_ca_key(&self) -> Result> { + let text = read_file(self.ca_key_file.clone(), &self.encoding).await?; + Ok(Rsa::private_key_from_pem(text.as_bytes())?) + } + + async fn get_key(&self) -> Result<(Rsa, PKey)> { + let text = read_file(self.key_file.clone(), &self.encoding).await?; + let rsa = Rsa::private_key_from_pem(text.as_bytes())?; + let pkey = PKey::from_rsa(rsa.clone())?; + Ok((rsa, pkey)) + } + + async fn get_req(&self) -> Result { + let text = read_file(self.req_file.clone(), &self.encoding).await?; + Ok(X509Req::from_pem(text.as_bytes())?) + } + + async fn ensure_key(&self) -> Result<(Rsa, PKey)> { + if is_file_exist(&self.key_file).await { + self.get_key().await + } else { + let (rsa, pkey) = self.generate_key_pair()?; + let key_data = pkey.private_key_to_pem_pkcs8()?; + tokio::fs::write(self.key_file.as_path(), key_data).await?; + Ok((rsa, pkey)) + } + } + + fn build_x509_name(&self) -> Result { + let mut name_builder = + X509NameBuilder::new().context("Failed to create X509 name builder")?; + for (&key, &var) in KEYMAP.iter() { + let value = self + .vars + .get(var) + .ok_or(anyhow!("variable not set: {}", var))?; + name_builder.append_entry_by_text(key, value).unwrap(); + } + Ok(name_builder.build()) + } +} + +impl ICryptoProvider for OpenSSLLibProvider { + async fn request(&self) -> Result<()> { + if self.is_req_exists().await { + return Ok(()); + } + + if !self.is_ca_exists().await { + return Err(anyhow!( + "ca file not found: {}", + &self.ca_file.to_str().unwrap() + )); + } + + let (_, pkey) = self.ensure_key().await?; + + let name = self.build_x509_name()?; + let key_usage = KeyUsage::new() + .key_agreement() + .digital_signature() + .build()?; + let key_extended_ext = ExtendedKeyUsage::new().client_auth().build()?; + let mut st = Stack::new()?; + st.push(key_usage).context("push key usage")?; + st.push(key_extended_ext).context("push key_extended_ext")?; + + let conf = Conf::new(ConfMethod::default()).context("conf new")?; + + // Create certificate signing request (CSR) + let mut csr_builder = X509ReqBuilder::new()?; + csr_builder.set_pubkey(&pkey).context("set pubkey")?; + csr_builder.set_version(2).context("set version")?; + + let context = csr_builder.x509v3_context(Some(&conf)); + let mut san_extension = SubjectAlternativeName::new(); + san_extension.dns(self.vars.get("KEY_NAME").unwrap()); + let san_ext = san_extension.build(&context).context("build san")?; + st.push(san_ext).context("push san")?; + + csr_builder + .set_subject_name(&name) + .context("set subject name")?; + csr_builder.add_extensions(&st)?; + csr_builder.sign(&pkey, MessageDigest::sha512())?; + let csr = csr_builder.build(); + let pem = csr.to_pem()?; + fs::write(self.req_file.as_path(), pem).await?; + + Ok(()) + } + + async fn sign(&self) -> Result<()> { + if self.is_cert_exists().await { + return Ok(()); + } + + if !self.is_ca_exists().await { + return Err(anyhow!( + "ca file not found: {}", + &self.ca_file.to_str().unwrap() + )); + } + + if !self.is_req_exists().await { + return Err(anyhow!( + "csr file not found: {}", + &self.req_file.to_str().unwrap() + )); + } + + let ca_key = self.get_ca_key().await?; + let ca_cert = self.get_ca_cert().await?; + let ca_pkey = PKey::from_rsa(ca_key.clone())?; + + let req = self.get_req().await?; + let pub_key = req.public_key()?; + let subject_name = req.subject_name(); + + let key_usage = KeyUsage::new() + .key_agreement() + .digital_signature() + .build() + .context("new key_usage")?; + let key_extended_ext = ExtendedKeyUsage::new() + .client_auth() + .build() + .context("new key_extended_ext")?; + + let mut builder = openssl::x509::X509Builder::new().context("new builder")?; + let not_before = Asn1Time::days_from_now(0).context("days_from_now 0")?; + let na_s = get_time_str_x509(self.req_days).context("na_s get_time_str_x509")?; + let not_after = Asn1Time::from_str_x509(&na_s) + .context(format!("not_after from_str_x509: {}", &na_s))?; + builder.set_version(2).context("set version")?; + builder + .set_not_before(¬_before) + .context("set not_before")?; + builder.set_not_after(¬_after).context("set not_after")?; + builder + .set_issuer_name(ca_cert.issuer_name()) + .context("set_issuer_name")?; + builder.set_pubkey(&pub_key).context("set_pubkey")?; + builder + .set_subject_name(subject_name) + .context("set_subject_name")?; + + let context = builder.x509v3_context(Some(&ca_cert), None); + let mut san_extension = SubjectAlternativeName::new(); + san_extension.dns(self.vars.get("KEY_NAME").unwrap()); + let san_ext = san_extension.build(&context).context("build san")?; + builder + .append_extension(san_ext) + .context("append san ext")?; + builder + .append_extension(key_usage) + .context("append key_usage ext")?; + builder + .append_extension(key_extended_ext) + .context("append key_extended_ext ext")?; + + builder + .sign(&ca_pkey, MessageDigest::sha512()) + .context("builder.sign")?; + let cert = builder.build(); + + let pem = cert.to_pem().context("cert.to_pem()")?; + fs::write(self.cert_file.as_path(), pem) + .await + .context("fs::write")?; + + Ok(()) + } +} diff --git a/src/main.rs b/src/main.rs index d5b2608..9d621b2 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,9 +6,8 @@ mod common; mod crypto; mod vars; -use crate::certs::Certs; +use crate::certs::build_client_config; use crate::common::{AppConfig, Args}; -use crate::crypto::make_certs_provider; use crate::vars::VarsFile; #[tokio::main(flavor = "current_thread")] @@ -21,16 +20,6 @@ async fn main() -> Result<()> { println!("found vars: {}", vars.filepath.to_str().expect("fff")); println!("loaded: {:#?}", &vars.vars); - let provider = make_certs_provider(&config, vars.vars.unwrap()); - let certs = Certs::new(&config, provider); - let created = certs.build_client_config().await?; - - let result_file = certs.config_file.to_str().unwrap(); - - if created { - println!("created: {result_file}"); - Ok(()) - } else { - Err(anyhow!("file exists: {result_file}")) - } + let vars = vars.vars.ok_or(anyhow!("no vars loaded"))?; + build_client_config(&config, vars).await }