+internal openssl cert provider

Cargo.lock

@@ -26,6 +26,21 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "android-tzdata"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
+
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "anstream"
 version = "0.6.15"
@@ -124,18 +139,53 @@ dependencies = [
  "windows-targets",
 ]
 
+[[package]]
+name = "bitflags"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+
+[[package]]
+name = "bumpalo"
+version = "3.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+
 [[package]]
 name = "bytes"
 version = "1.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3"
 
+[[package]]
+name = "cc"
+version = "1.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f"
+dependencies = [
+ "shlex",
+]
+
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
+[[package]]
+name = "chrono"
+version = "0.4.38"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401"
+dependencies = [
+ "android-tzdata",
+ "iana-time-zone",
+ "js-sys",
+ "num-traits",
+ "wasm-bindgen",
+ "windows-targets",
+]
+
 [[package]]
 name = "clap"
 version = "4.5.20"
@@ -182,6 +232,12 @@ version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0"
 
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
 [[package]]
 name = "encoding"
 version = "0.2.33"
@@ -246,6 +302,21 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569"
 
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -353,18 +424,62 @@ version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
 
+[[package]]
+name = "iana-time-zone"
+version = "0.1.61"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
 
+[[package]]
+name = "js-sys"
+version = "0.3.72"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9"
+dependencies = [
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+
 [[package]]
 name = "libc"
 version = "0.2.161"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1"
 
+[[package]]
+name = "log"
+version = "0.4.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+
 [[package]]
 name = "memchr"
 version = "2.7.4"
@@ -392,6 +507,15 @@ dependencies = [
  "windows-sys",
 ]
 
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "object"
 version = "0.36.5"
@@ -401,17 +525,64 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "once_cell"
+version = "1.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775"
+
+[[package]]
+name = "openssl"
+version = "0.10.68"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.104"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
 [[package]]
 name = "peazyrsa"
 version = "0.1.0"
 dependencies = [
  "anyhow",
  "async-stream",
+ "chrono",
  "clap",
  "encoding",
  "futures",
  "futures-core",
  "futures-util",
+ "lazy_static",
+ "openssl",
  "regex",
  "tokio",
 ]
@@ -428,6 +599,12 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "pkg-config"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.88"
@@ -481,6 +658,12 @@ version = "0.1.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
 
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.2"
@@ -555,12 +738,82 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
 
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
 [[package]]
 name = "wasi"
 version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.95"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.95"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358"
+dependencies = [
+ "bumpalo",
+ "log",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.95"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.95"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.95"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d"
+
+[[package]]
+name = "windows-core"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
+dependencies = [
+ "windows-targets",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"

Cargo.toml

@@ -6,11 +6,14 @@ edition = "2021"
 [dependencies]
 anyhow = "1.0.90"
 async-stream = "0.3.6"
+chrono = "0.4.38"
 clap = { version = "4.5.20", features = ["derive"] }
 encoding = "0.2.33"
 futures = "0.3.31"
 futures-core = "0.3.31"
 futures-util = "0.3.31"
+lazy_static = "1.5.0"
+openssl = { version="0.10.68" }
 regex = "1.11.0"
 tokio = { version = "1.40.0", features = ["fs", "rt", "process", "macros", "io-util"] }
 

src/certs.rs

@@ -1,9 +1,9 @@
-use anyhow::{anyhow, Result};
+use anyhow::{anyhow, Context, Result};
 
 use std::{path::PathBuf, sync::Arc};
 
-use crate::common::{is_file_exist, read_file, write_file, AppConfig};
+use crate::common::{is_file_exist, read_file, write_file, AppConfig, OpenSSLProviderArg, VarsMap};
-use crate::crypto::ICryptoProvider;
+use crate::crypto::{ICryptoProvider, OpenSSLBinProvider, OpenSSLLibProvider};
 
 pub(crate) struct Certs<T>
 where
@@ -56,8 +56,8 @@ where
             return Ok(false);
         }
 
-        self.request().await?;
+        self.request().await.context("req error")?;
-        self.sign().await?;
+        self.sign().await.context("sign error")?;
 
         let (template_file, ca_file, cert_file, key_file) = (
             self.template_file.clone(),
@@ -87,3 +87,35 @@ where
         }
     }
 }
+
+pub async fn build_client_config(config: &AppConfig, vars: VarsMap) -> Result<()> {
+    let result_file: PathBuf;
+    let created: bool;
+
+    if let OpenSSLProviderArg::ExternalBin(_) = config.openssl {
+        let certs = Certs::new(config, OpenSSLBinProvider::from_cfg(config, vars));
+        created = certs
+            .build_client_config()
+            .await
+            .context("external openssl error")?;
+        result_file = certs.config_file;
+    } else {
+        let certs = Certs::new(config, OpenSSLLibProvider::from_cfg(config, vars));
+        created = certs
+            .build_client_config()
+            .await
+            .context("internal openssl error")?;
+        result_file = certs.config_file;
+    }
+
+    let result_file = result_file
+        .to_str()
+        .ok_or(anyhow!("result_file PathBuf to str convert error"))?;
+
+    if created {
+        println!("created: {result_file}");
+        Ok(())
+    } else {
+        Err(anyhow!("file exists: {result_file}"))
+    }
+}

src/common.rs

@@ -4,7 +4,9 @@ use clap::Parser;
 use encoding::{label::encoding_from_whatwg_label, EncoderTrap};
 use std::{
     collections::BTreeMap,
+    fmt::Display,
     path::{Path, PathBuf},
+    str::FromStr,
 };
 use tokio::{
     fs::{self, File},
@@ -15,6 +17,31 @@ use futures_core::stream::Stream;
 
 pub(crate) type VarsMap = BTreeMap<String, String>;
 
+#[derive(Debug, Clone, PartialEq)]
+pub enum OpenSSLProviderArg {
+    Internal,
+    ExternalBin(String),
+}
+
+impl FromStr for OpenSSLProviderArg {
+    type Err = anyhow::Error;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s.to_ascii_lowercase().as_str() {
+            "internal" => Ok(OpenSSLProviderArg::Internal),
+            x => Ok(OpenSSLProviderArg::ExternalBin(x.to_string())),
+        }
+    }
+}
+
+impl Display for OpenSSLProviderArg {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            OpenSSLProviderArg::ExternalBin(x) => write!(f, "{}", x),
+            _ => write!(f, "internal"),
+        }
+    }
+}
+
 #[derive(Parser)]
 #[command(author, version, about, long_about = None)]
 pub(crate) struct Args {
@@ -42,12 +69,12 @@ pub(crate) struct Args {
     pub(crate) config_dir: String,
 
     /// valid days
-    #[arg(long, default_value = "30650")]
+    #[arg(long, default_value = "3650")]
     pub(crate) days: u32,
 
-    /// openssl binary
+    /// openssl binary or (internal)
-    #[arg(long, default_value = "openssl")]
+    #[arg(long, short, default_value = "internal")]
-    pub(crate) openssl: String,
+    pub(crate) openssl: OpenSSLProviderArg,
 
     /// template file
     #[arg(long, default_value = "template.ovpn")]
@@ -64,7 +91,7 @@ pub(crate) struct AppConfig {
     pub(crate) openssl_cnf_env: String,
     pub(crate) ca_filename: String,
     pub(crate) default_email_domain: String,
-    pub(crate) openssl: String,
+    pub(crate) openssl: OpenSSLProviderArg,
     pub(crate) base_directory: String,
     pub(crate) email: String,
     pub(crate) name: String,
@@ -82,7 +109,7 @@ impl Default for AppConfig {
             openssl_cnf_env: "KEY_CONFIG".into(),
             ca_filename: "ca.crt".into(),
             default_email_domain: "example.com".into(),
-            openssl: "openssl".into(),
+            openssl: OpenSSLProviderArg::Internal,
             base_directory: ".".into(),
             email: "name@example.com".into(),
             name: "user".into(),

src/crypto.rs

@@ -1,146 +1,444 @@
-use anyhow::{anyhow, Result};
+use anyhow::{anyhow, Context, Result};
-use std::path::PathBuf;
+use openssl::{
-
+    asn1::Asn1Time,
-use tokio::process::Command;
+    conf::{Conf, ConfMethod},
-
+    hash::MessageDigest,
-use crate::common::{is_file_exist, AppConfig, VarsMap};
+    pkey::{PKey, Private},
-
+    rsa::Rsa,
-pub(crate) trait ICryptoProvider {
+    stack::Stack,
-    async fn request(&self) -> Result<()>;
+    x509::{
-    async fn sign(&self) -> Result<()>;
+        extension::{ExtendedKeyUsage, KeyUsage, SubjectAlternativeName},
-}
+        X509Name, X509NameBuilder, X509Req, X509ReqBuilder, X509,
-
+    },
-pub(crate) fn make_certs_provider(cfg: &AppConfig, vars: VarsMap) -> impl ICryptoProvider {
+};
-    OpenSSLProvider::from_cfg(cfg, vars)
+use std::path::PathBuf;
-}
+
-
+use tokio::{fs, process::Command};
-pub(crate) struct OpenSSLProvider {
+
-    vars: VarsMap,
+use crate::common::{is_file_exist, read_file, AppConfig, VarsMap};
-    base_dir: PathBuf,
+
-    openssl_cnf: PathBuf,
+use lazy_static::lazy_static;
-    openssl: String,
+use std::collections::HashMap;
-    ca_file: PathBuf,
+
-    req_file: PathBuf,
+use chrono::{Datelike, Days, Timelike, Utc};
-    key_file: PathBuf,
+
-    cert_file: PathBuf,
+lazy_static! {
-    req_days: u32,
+    static ref KEYMAP: HashMap<&'static str, &'static str> = {
-}
+        let mut m = HashMap::new();
-
+        m.insert("C", "KEY_COUNTRY");
-impl OpenSSLProvider {
+        m.insert("ST", "KEY_PROVINCE");
-    async fn is_ca_exists(&self) -> bool {
+        m.insert("O", "KEY_ORG");
-        is_file_exist(&self.ca_file).await
+        m.insert("OU", "KEY_OU");
-    }
+        m.insert("CN", "KEY_CN");
-
+        m.insert("name", "KEY_NAME");
-    async fn is_cert_exists(&self) -> bool {
+        m
-        is_file_exist(&self.cert_file).await
+    };
-    }
+}
-
+
-    async fn is_req_exists(&self) -> bool {
+fn get_time_str_x509(days: u32) -> Result<String> {
-        is_file_exist(&self.req_file).await
+    let dt = Utc::now();
-    }
+    let dt = dt
-
+        .checked_add_days(Days::new(days as u64))
-    pub(crate) fn from_cfg(cfg: &AppConfig, vars: VarsMap) -> Self {
+        .ok_or(anyhow!("failed to add days"))
-        let base_dir = PathBuf::from(&cfg.base_directory);
+        .context("checked_add_days")?;
-        let keys_dir = base_dir.clone().join(cfg.keys_subdir.clone());
+
-        let name = cfg.name.clone();
+    let year = dt.year() % 10000;
-        let mut vars = vars;
+    let month = dt.month() % 13;
-
+    let day = dt.day() % 32;
-        vars.insert("KEY_CN".into(), name.clone());
+    let hour = dt.hour() % 25;
-        vars.insert("KEY_NAME".into(), name.clone());
+    let minute = dt.minute() % 60;
-        vars.insert("KEY_EMAIL".into(), cfg.email.clone());
+    let second = dt.second() % 60;
-
+    let s = format!("{year:04}{month:02}{day:02}{hour:02}{minute:02}{second:02}Z");
-        let ca_file = keys_dir.join(cfg.ca_filename.clone());
+    Ok(s)
-        let req_file = keys_dir.join(format!("{}.csr", &name));
+}
-        let key_file = keys_dir.join(format!("{}.key", &name));
+
-        let cert_file = keys_dir.join(format!("{}.crt", &name));
+pub(crate) trait ICryptoProvider {
-        let openssl_cnf = base_dir.clone().join(
+    async fn request(&self) -> Result<()>;
-            std::env::var(cfg.openssl_cnf_env.clone()).unwrap_or(cfg.openssl_default_cnf.clone()),
+    async fn sign(&self) -> Result<()>;
-        );
+}
-
+
-        Self {
+pub(crate) struct OpenSSLBinProvider {
-            vars,
+    vars: VarsMap,
-            base_dir,
+    base_dir: PathBuf,
-            openssl_cnf,
+    openssl_cnf: PathBuf,
-            openssl: cfg.openssl.clone(),
+    openssl: String,
-            ca_file,
+    ca_file: PathBuf,
-            req_file,
+    req_file: PathBuf,
-            key_file,
+    key_file: PathBuf,
-            cert_file,
+    cert_file: PathBuf,
-            req_days: cfg.req_days,
+    req_days: u32,
-        }
+}
-    }
+
-}
+impl OpenSSLBinProvider {
-
+    async fn is_ca_exists(&self) -> bool {
-impl ICryptoProvider for OpenSSLProvider {
+        is_file_exist(&self.ca_file).await
-    async fn request(&self) -> Result<()> {
+    }
-        if self.is_req_exists().await {
+
-            return Ok(());
+    async fn is_cert_exists(&self) -> bool {
-        }
+        is_file_exist(&self.cert_file).await
-
+    }
-        if !self.is_ca_exists().await {
+
-            return Err(anyhow!(
+    async fn is_req_exists(&self) -> bool {
-                "ca file not found: {}",
+        is_file_exist(&self.req_file).await
-                &self.ca_file.to_str().unwrap()
+    }
-            ));
+
-        }
+    pub(crate) fn from_cfg(cfg: &AppConfig, vars: VarsMap) -> Self {
-
+        let base_dir = PathBuf::from(&cfg.base_directory);
-        let status = Command::new(&self.openssl)
+        let keys_dir = base_dir.clone().join(cfg.keys_subdir.clone());
-            .args([
+        let name = cfg.name.clone();
-                "req",
+        let mut vars = vars;
-                "-nodes",
+
-                "-new",
+        vars.insert("KEY_CN".into(), name.clone());
-                "-keyout",
+        vars.insert("KEY_NAME".into(), name.clone());
-                self.key_file.to_str().unwrap(),
+        vars.insert("KEY_EMAIL".into(), cfg.email.clone());
-                "-out",
+
-                self.req_file.to_str().unwrap(),
+        let ca_file = keys_dir.join(cfg.ca_filename.clone());
-                "-config",
+        let req_file = keys_dir.join(format!("{}.csr", &name));
-                self.openssl_cnf.to_str().unwrap(),
+        let key_file = keys_dir.join(format!("{}.key", &name));
-                "-batch",
+        let cert_file = keys_dir.join(format!("{}.crt", &name));
-            ])
+        let openssl_cnf = base_dir.clone().join(
-            .current_dir(&self.base_dir)
+            std::env::var(cfg.openssl_cnf_env.clone()).unwrap_or(cfg.openssl_default_cnf.clone()),
-            .envs(&self.vars)
+        );
-            .status()
+
-            .await?;
+        Self {
-
+            vars,
-        match status.success() {
+            base_dir,
-            true => Ok(()),
+            openssl_cnf,
-            false => Err(anyhow!("openssl req execution failed")),
+            openssl: cfg.openssl.to_string(),
-        }
+            ca_file,
-    }
+            req_file,
-
+            key_file,
-    async fn sign(&self) -> Result<()> {
+            cert_file,
-        if self.is_cert_exists().await {
+            req_days: cfg.req_days,
-            return Ok(());
+        }
-        }
+    }
-
+}
-        if !self.is_ca_exists().await {
+
-            return Err(anyhow!(
+impl ICryptoProvider for OpenSSLBinProvider {
-                "ca file not found: {}",
+    async fn request(&self) -> Result<()> {
-                &self.ca_file.to_str().unwrap()
+        if self.is_req_exists().await {
-            ));
+            return Ok(());
-        }
+        }
-
+
-        let status = Command::new(&self.openssl)
+        if !self.is_ca_exists().await {
-            .args([
+            return Err(anyhow!(
-                "ca",
+                "ca file not found: {}",
-                "-days",
+                &self.ca_file.to_str().unwrap()
-                format!("{}", self.req_days).as_str(),
+            ));
-                "-out",
+        }
-                self.cert_file.to_str().unwrap(),
+
-                "-in",
+        let status = Command::new(&self.openssl)
-                self.req_file.to_str().unwrap(),
+            .args([
-                "-config",
+                "req",
-                self.openssl_cnf.to_str().unwrap(),
+                "-nodes",
-                "-batch",
+                "-new",
-            ])
+                "-keyout",
-            .current_dir(&self.base_dir)
+                self.key_file.to_str().unwrap(),
-            .envs(&self.vars)
+                "-out",
-            .status()
+                self.req_file.to_str().unwrap(),
-            .await?;
+                "-config",
-
+                self.openssl_cnf.to_str().unwrap(),
-        match status.success() {
+                "-batch",
-            true => Ok(()),
+            ])
-            false => Err(anyhow!("ssl ca execution failed")),
+            .current_dir(&self.base_dir)
-        }
+            .envs(&self.vars)
-    }
+            .status()
-}
+            .await?;
+
+        match status.success() {
+            true => Ok(()),
+            false => Err(anyhow!("openssl req execution failed")),
+        }
+    }
+
+    async fn sign(&self) -> Result<()> {
+        if self.is_cert_exists().await {
+            return Ok(());
+        }
+
+        if !self.is_ca_exists().await {
+            return Err(anyhow!(
+                "ca file not found: {}",
+                &self.ca_file.to_str().unwrap()
+            ));
+        }
+
+        let status = Command::new(&self.openssl)
+            .args([
+                "ca",
+                "-days",
+                format!("{}", self.req_days).as_str(),
+                "-out",
+                self.cert_file.to_str().unwrap(),
+                "-in",
+                self.req_file.to_str().unwrap(),
+                "-config",
+                self.openssl_cnf.to_str().unwrap(),
+                "-batch",
+            ])
+            .current_dir(&self.base_dir)
+            .envs(&self.vars)
+            .status()
+            .await?;
+
+        match status.success() {
+            true => Ok(()),
+            false => Err(anyhow!("ssl ca execution failed")),
+        }
+    }
+}
+
+pub(crate) struct OpenSSLLibProvider {
+    vars: VarsMap,
+    #[allow(unused)]
+    base_dir: PathBuf,
+    #[allow(unused)]
+    openssl_cnf: PathBuf,
+    ca_file: PathBuf,
+    ca_key_file: PathBuf,
+    req_file: PathBuf,
+    key_file: PathBuf,
+    cert_file: PathBuf,
+    req_days: u32,
+    key_size: u32,
+    encoding: String,
+}
+
+impl OpenSSLLibProvider {
+    async fn is_ca_exists(&self) -> bool {
+        is_file_exist(&self.ca_file).await
+    }
+
+    async fn is_cert_exists(&self) -> bool {
+        is_file_exist(&self.cert_file).await
+    }
+
+    async fn is_req_exists(&self) -> bool {
+        is_file_exist(&self.req_file).await
+    }
+
+    pub(crate) fn from_cfg(cfg: &AppConfig, vars: VarsMap) -> Self {
+        let base_dir = PathBuf::from(&cfg.base_directory);
+        let keys_dir = base_dir.clone().join(cfg.keys_subdir.clone());
+        let name = cfg.name.clone();
+        let mut vars = vars;
+
+        vars.insert("KEY_CN".into(), name.clone());
+        vars.insert("KEY_NAME".into(), name.clone());
+        vars.insert("KEY_EMAIL".into(), cfg.email.clone());
+
+        let ca_file = keys_dir.join(cfg.ca_filename.clone());
+        let ca_key_file = ca_file.with_extension("key");
+        let req_file = keys_dir.join(format!("{}.csr", &name));
+        let key_file = keys_dir.join(format!("{}.key", &name));
+        let cert_file = keys_dir.join(format!("{}.crt", &name));
+        let openssl_cnf = base_dir.clone().join(
+            std::env::var(cfg.openssl_cnf_env.clone()).unwrap_or(cfg.openssl_default_cnf.clone()),
+        );
+
+        let default_key_size = "2048".to_string();
+        let key_size_s = vars.get("KEY_SIZE").unwrap_or(&default_key_size);
+        let key_size: u32 = key_size_s.parse().unwrap();
+
+        let encoding = cfg.encoding.clone();
+
+        Self {
+            vars,
+            base_dir,
+            openssl_cnf,
+            ca_file,
+            ca_key_file,
+            req_file,
+            key_file,
+            cert_file,
+            req_days: cfg.req_days,
+            key_size,
+            encoding,
+        }
+    }
+
+    fn generate_key_pair(&self) -> Result<(Rsa<Private>, PKey<Private>)> {
+        let rsa = Rsa::generate(self.key_size)?;
+        let pkey = PKey::from_rsa(rsa.clone())?;
+        Ok((rsa, pkey))
+    }
+
+    async fn get_ca_cert(&self) -> Result<X509> {
+        let text = read_file(self.ca_file.clone(), &self.encoding).await?;
+        Ok(X509::from_pem(text.as_bytes())?)
+    }
+
+    async fn get_ca_key(&self) -> Result<Rsa<Private>> {
+        let text = read_file(self.ca_key_file.clone(), &self.encoding).await?;
+        Ok(Rsa::private_key_from_pem(text.as_bytes())?)
+    }
+
+    async fn get_key(&self) -> Result<(Rsa<Private>, PKey<Private>)> {
+        let text = read_file(self.key_file.clone(), &self.encoding).await?;
+        let rsa = Rsa::private_key_from_pem(text.as_bytes())?;
+        let pkey = PKey::from_rsa(rsa.clone())?;
+        Ok((rsa, pkey))
+    }
+
+    async fn get_req(&self) -> Result<X509Req> {
+        let text = read_file(self.req_file.clone(), &self.encoding).await?;
+        Ok(X509Req::from_pem(text.as_bytes())?)
+    }
+
+    async fn ensure_key(&self) -> Result<(Rsa<Private>, PKey<Private>)> {
+        if is_file_exist(&self.key_file).await {
+            self.get_key().await
+        } else {
+            let (rsa, pkey) = self.generate_key_pair()?;
+            let key_data = pkey.private_key_to_pem_pkcs8()?;
+            tokio::fs::write(self.key_file.as_path(), key_data).await?;
+            Ok((rsa, pkey))
+        }
+    }
+
+    fn build_x509_name(&self) -> Result<X509Name> {
+        let mut name_builder =
+            X509NameBuilder::new().context("Failed to create X509 name builder")?;
+        for (&key, &var) in KEYMAP.iter() {
+            let value = self
+                .vars
+                .get(var)
+                .ok_or(anyhow!("variable not set: {}", var))?;
+            name_builder.append_entry_by_text(key, value).unwrap();
+        }
+        Ok(name_builder.build())
+    }
+}
+
+impl ICryptoProvider for OpenSSLLibProvider {
+    async fn request(&self) -> Result<()> {
+        if self.is_req_exists().await {
+            return Ok(());
+        }
+
+        if !self.is_ca_exists().await {
+            return Err(anyhow!(
+                "ca file not found: {}",
+                &self.ca_file.to_str().unwrap()
+            ));
+        }
+
+        let (_, pkey) = self.ensure_key().await?;
+
+        let name = self.build_x509_name()?;
+        let key_usage = KeyUsage::new()
+            .key_agreement()
+            .digital_signature()
+            .build()?;
+        let key_extended_ext = ExtendedKeyUsage::new().client_auth().build()?;
+        let mut st = Stack::new()?;
+        st.push(key_usage).context("push key usage")?;
+        st.push(key_extended_ext).context("push key_extended_ext")?;
+
+        let conf = Conf::new(ConfMethod::default()).context("conf new")?;
+
+        // Create certificate signing request (CSR)
+        let mut csr_builder = X509ReqBuilder::new()?;
+        csr_builder.set_pubkey(&pkey).context("set pubkey")?;
+        csr_builder.set_version(2).context("set version")?;
+
+        let context = csr_builder.x509v3_context(Some(&conf));
+        let mut san_extension = SubjectAlternativeName::new();
+        san_extension.dns(self.vars.get("KEY_NAME").unwrap());
+        let san_ext = san_extension.build(&context).context("build san")?;
+        st.push(san_ext).context("push san")?;
+
+        csr_builder
+            .set_subject_name(&name)
+            .context("set subject name")?;
+        csr_builder.add_extensions(&st)?;
+        csr_builder.sign(&pkey, MessageDigest::sha512())?;
+        let csr = csr_builder.build();
+        let pem = csr.to_pem()?;
+        fs::write(self.req_file.as_path(), pem).await?;
+
+        Ok(())
+    }
+
+    async fn sign(&self) -> Result<()> {
+        if self.is_cert_exists().await {
+            return Ok(());
+        }
+
+        if !self.is_ca_exists().await {
+            return Err(anyhow!(
+                "ca file not found: {}",
+                &self.ca_file.to_str().unwrap()
+            ));
+        }
+
+        if !self.is_req_exists().await {
+            return Err(anyhow!(
+                "csr file not found: {}",
+                &self.req_file.to_str().unwrap()
+            ));
+        }
+
+        let ca_key = self.get_ca_key().await?;
+        let ca_cert = self.get_ca_cert().await?;
+        let ca_pkey = PKey::from_rsa(ca_key.clone())?;
+
+        let req = self.get_req().await?;
+        let pub_key = req.public_key()?;
+        let subject_name = req.subject_name();
+
+        let key_usage = KeyUsage::new()
+            .key_agreement()
+            .digital_signature()
+            .build()
+            .context("new key_usage")?;
+        let key_extended_ext = ExtendedKeyUsage::new()
+            .client_auth()
+            .build()
+            .context("new key_extended_ext")?;
+
+        let mut builder = openssl::x509::X509Builder::new().context("new builder")?;
+        let not_before = Asn1Time::days_from_now(0).context("days_from_now 0")?;
+        let na_s = get_time_str_x509(self.req_days).context("na_s get_time_str_x509")?;
+        let not_after = Asn1Time::from_str_x509(&na_s)
+            .context(format!("not_after from_str_x509: {}", &na_s))?;
+        builder.set_version(2).context("set version")?;
+        builder
+            .set_not_before(&not_before)
+            .context("set not_before")?;
+        builder.set_not_after(&not_after).context("set not_after")?;
+        builder
+            .set_issuer_name(ca_cert.issuer_name())
+            .context("set_issuer_name")?;
+        builder.set_pubkey(&pub_key).context("set_pubkey")?;
+        builder
+            .set_subject_name(subject_name)
+            .context("set_subject_name")?;
+
+        let context = builder.x509v3_context(Some(&ca_cert), None);
+        let mut san_extension = SubjectAlternativeName::new();
+        san_extension.dns(self.vars.get("KEY_NAME").unwrap());
+        let san_ext = san_extension.build(&context).context("build san")?;
+        builder
+            .append_extension(san_ext)
+            .context("append san ext")?;
+        builder
+            .append_extension(key_usage)
+            .context("append key_usage ext")?;
+        builder
+            .append_extension(key_extended_ext)
+            .context("append key_extended_ext ext")?;
+
+        builder
+            .sign(&ca_pkey, MessageDigest::sha512())
+            .context("builder.sign")?;
+        let cert = builder.build();
+
+        let pem = cert.to_pem().context("cert.to_pem()")?;
+        fs::write(self.cert_file.as_path(), pem)
+            .await
+            .context("fs::write")?;
+
+        Ok(())
+    }
+}

src/main.rs

@@ -6,9 +6,8 @@ mod common;
 mod crypto;
 mod vars;
 
-use crate::certs::Certs;
+use crate::certs::build_client_config;
 use crate::common::{AppConfig, Args};
-use crate::crypto::make_certs_provider;
 use crate::vars::VarsFile;
 
 #[tokio::main(flavor = "current_thread")]
@@ -21,16 +20,6 @@ async fn main() -> Result<()> {
     println!("found vars: {}", vars.filepath.to_str().expect("fff"));
     println!("loaded: {:#?}", &vars.vars);
 
-    let provider = make_certs_provider(&config, vars.vars.unwrap());
+    let vars = vars.vars.ok_or(anyhow!("no vars loaded"))?;
-    let certs = Certs::new(&config, provider);
+    build_client_config(&config, vars).await
-    let created = certs.build_client_config().await?;
-
-    let result_file = certs.config_file.to_str().unwrap();
-
-    if created {
-        println!("created: {result_file}");
-        Ok(())
-    } else {
-        Err(anyhow!("file exists: {result_file}"))
-    }
 }