ExternalVendorCode/chirpstack
1
0
Fork 0
mirror of https://github.com/chirpstack/chirpstack.git synced 2025-01-31 07:55:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Use PKCS#8 fallback for all private keys reads.

Browse Source 
This fallback was already implemented for reading the private key when
generating MQTT client-certificates, but it was not used when reading a
private key for connecting to the MQTT broker.

While it is recommended to use PKCS#8 private-keys, this will perform an
auto conversion for RSA PKCS#1 and EC P256 SEC1 private-keys to PKCS#8.
This commit is contained in:
Orne Brocaar 2024-03-27 10:25:22 +00:00
parent 2c06edd6ff
commit a66f085782
4 changed files with 51 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
chirpstack/src/certificate.rs
View File

@ -8,6 +8,7 @@ use tokio::fs;
use uuid::Uuid;
use crate::config;
use crate::helpers::tls::private_key_to_pkcs8;
use lrwn::EUI64;
fn gen_client_cert(id: &str, not_before: SystemTime, not_after: SystemTime) -> Result<Certificate> {
@ -92,31 +93,3 @@ pub async fn client_cert_for_application_id(
app_cert.serialize_private_key_pem(),
))
}
fn private_key_to_pkcs8(pem: &str) -> Result<String> {
if pem.contains("RSA PRIVATE KEY") {
use rsa::{
pkcs1::DecodeRsaPrivateKey,
pkcs8::{EncodePrivateKey, LineEnding},
RsaPrivateKey,
};
let pkey = RsaPrivateKey::from_pkcs1_pem(pem).context("Read RSA PKCS#1")?;
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
Ok(pkcs8_pem.as_str().to_owned())
} else if pem.contains("EC PRIVATE KEY") {
use elliptic_curve::{
pkcs8::{EncodePrivateKey, LineEnding},
SecretKey,
};
// We assume it is a P256 based secret-key, which is the most popular curve.
// Attempting to decode it as P256 is still better than just failing to read it.
let pkey: SecretKey<p256::NistP256> =
SecretKey::from_sec1_pem(pem).context("Read EC SEC1")?;
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
Ok(pkcs8_pem.as_str().to_owned())
} else {
Ok(pem.to_string())
}
}

5
chirpstack/src/gateway/backend/mqtt.rs
View File

@ -148,7 +148,10 @@ impl<'a> MqttBackend<'a> {
} else {
rustls::ClientConfig::builder()
.with_root_certificates(root_certs.clone())
.with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
.with_client_auth_cert(
load_cert(&conf.tls_cert).await?,
load_key(&conf.tls_key).await?,
)?
};
mqtt_opts.set_transport(Transport::tls_with_config(client_conf.into()));

50
chirpstack/src/helpers/tls.rs
View File

@ -3,6 +3,7 @@ use std::io::BufReader;
use anyhow::{Context, Result};
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
use tokio::fs;
// Return root certificates, optionally with the provided ca_file appended.
pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore> {
@ -23,10 +24,12 @@ pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore>
Ok(roots)
}
pub fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
let f = File::open(cert_file).context("Open TLS certificate")?;
let mut reader = BufReader::new(f);
let certs = rustls_pemfile::certs(&mut reader);
pub async fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
let cert_s = fs::read_to_string(cert_file)
.await
.context("Read TLS certificate")?;
let mut cert_b = cert_s.as_bytes();
let certs = rustls_pemfile::certs(&mut cert_b);
let mut out = Vec::new();
for cert in certs {
out.push(cert?.into_owned());
@ -34,10 +37,13 @@ pub fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
Ok(out)
}
pub fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
let f = File::open(key_file).context("Open private key")?;
let mut reader = BufReader::new(f);
let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader);
pub async fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
let key_s = fs::read_to_string(key_file)
.await
.context("Read private key")?;
let key_s = private_key_to_pkcs8(&key_s)?;
let mut key_b = key_s.as_bytes();
let mut keys = rustls_pemfile::pkcs8_private_keys(&mut key_b);
if let Some(key) = keys.next() {
match key {
Ok(v) => return Ok(PrivateKeyDer::Pkcs8(v.clone_key())),
@ -49,3 +55,31 @@ pub fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
Err(anyhow!("No private key found"))
}
pub fn private_key_to_pkcs8(pem: &str) -> Result<String> {
if pem.contains("RSA PRIVATE KEY") {
use rsa::{
pkcs1::DecodeRsaPrivateKey,
pkcs8::{EncodePrivateKey, LineEnding},
RsaPrivateKey,
};
let pkey = RsaPrivateKey::from_pkcs1_pem(pem).context("Read RSA PKCS#1")?;
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
Ok(pkcs8_pem.as_str().to_owned())
} else if pem.contains("EC PRIVATE KEY") {
use elliptic_curve::{
pkcs8::{EncodePrivateKey, LineEnding},
SecretKey,
};
// We assume it is a P256 based secret-key, which is the most popular curve.
// Attempting to decode it as P256 is still better than just failing to read it.
let pkey: SecretKey<p256::NistP256> =
SecretKey::from_sec1_pem(pem).context("Read EC SEC1")?;
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
Ok(pkcs8_pem.as_str().to_owned())
} else {
Ok(pem.to_string())
}
}

5
chirpstack/src/integration/mqtt.rs
View File

@ -115,7 +115,10 @@ impl<'a> Integration<'a> {
} else {
rustls::ClientConfig::builder()
.with_root_certificates(root_certs.clone())
.with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
.with_client_auth_cert(
load_cert(&conf.tls_cert).await?,
load_key(&conf.tls_key).await?,
)?
};
mqtt_opts.set_transport(Transport::tls_with_config(client_conf.into()));