mirror of
https://github.com/chirpstack/chirpstack.git
synced 2025-02-07 11:10:15 +00:00
Use PKCS#8 fallback for all private keys reads.
This fallback was already implemented for reading the private key when generating MQTT client-certificates, but it was not used when reading a private key for connecting to the MQTT broker. While it is recommended to use PKCS#8 private-keys, this will perform an auto conversion for RSA PKCS#1 and EC P256 SEC1 private-keys to PKCS#8.
This commit is contained in:
Orne Brocaar
parent
2c06edd6ff
commit
a66f085782
@ -8,6 +8,7 @@ use tokio::fs;
|
|||||||
use uuid::Uuid;
|
use uuid::Uuid;
|
||||||
|
|
||||||
use crate::config;
|
use crate::config;
|
||||||
|
use crate::helpers::tls::private_key_to_pkcs8;
|
||||||
use lrwn::EUI64;
|
use lrwn::EUI64;
|
||||||
|
|
||||||
fn gen_client_cert(id: &str, not_before: SystemTime, not_after: SystemTime) -> Result<Certificate> {
|
fn gen_client_cert(id: &str, not_before: SystemTime, not_after: SystemTime) -> Result<Certificate> {
|
||||||
@ -92,31 +93,3 @@ pub async fn client_cert_for_application_id(
|
|||||||
app_cert.serialize_private_key_pem(),
|
app_cert.serialize_private_key_pem(),
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
|
|
||||||
fn private_key_to_pkcs8(pem: &str) -> Result<String> {
|
|
||||||
if pem.contains("RSA PRIVATE KEY") {
|
|
||||||
use rsa::{
|
|
||||||
pkcs1::DecodeRsaPrivateKey,
|
|
||||||
pkcs8::{EncodePrivateKey, LineEnding},
|
|
||||||
RsaPrivateKey,
|
|
||||||
};
|
|
||||||
|
|
||||||
let pkey = RsaPrivateKey::from_pkcs1_pem(pem).context("Read RSA PKCS#1")?;
|
|
||||||
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
|
|
||||||
Ok(pkcs8_pem.as_str().to_owned())
|
|
||||||
} else if pem.contains("EC PRIVATE KEY") {
|
|
||||||
use elliptic_curve::{
|
|
||||||
pkcs8::{EncodePrivateKey, LineEnding},
|
|
||||||
SecretKey,
|
|
||||||
};
|
|
||||||
|
|
||||||
// We assume it is a P256 based secret-key, which is the most popular curve.
|
|
||||||
// Attempting to decode it as P256 is still better than just failing to read it.
|
|
||||||
let pkey: SecretKey<p256::NistP256> =
|
|
||||||
SecretKey::from_sec1_pem(pem).context("Read EC SEC1")?;
|
|
||||||
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
|
|
||||||
Ok(pkcs8_pem.as_str().to_owned())
|
|
||||||
} else {
|
|
||||||
Ok(pem.to_string())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|||||||
@ -148,7 +148,10 @@ impl<'a> MqttBackend<'a> {
|
|||||||
} else {
|
} else {
|
||||||
rustls::ClientConfig::builder()
|
rustls::ClientConfig::builder()
|
||||||
.with_root_certificates(root_certs.clone())
|
.with_root_certificates(root_certs.clone())
|
||||||
.with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
|
.with_client_auth_cert(
|
||||||
|
load_cert(&conf.tls_cert).await?,
|
||||||
|
load_key(&conf.tls_key).await?,
|
||||||
|
)?
|
||||||
};
|
};
|
||||||
|
|
||||||
mqtt_opts.set_transport(Transport::tls_with_config(client_conf.into()));
|
mqtt_opts.set_transport(Transport::tls_with_config(client_conf.into()));
|
||||||
|
|||||||
@ -3,6 +3,7 @@ use std::io::BufReader;
|
|||||||
|
|
||||||
use anyhow::{Context, Result};
|
use anyhow::{Context, Result};
|
||||||
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
||||||
|
use tokio::fs;
|
||||||
|
|
||||||
// Return root certificates, optionally with the provided ca_file appended.
|
// Return root certificates, optionally with the provided ca_file appended.
|
||||||
pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore> {
|
pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore> {
|
||||||
@ -23,10 +24,12 @@ pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore>
|
|||||||
Ok(roots)
|
Ok(roots)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
|
pub async fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
|
||||||
let f = File::open(cert_file).context("Open TLS certificate")?;
|
let cert_s = fs::read_to_string(cert_file)
|
||||||
let mut reader = BufReader::new(f);
|
.await
|
||||||
let certs = rustls_pemfile::certs(&mut reader);
|
.context("Read TLS certificate")?;
|
||||||
|
let mut cert_b = cert_s.as_bytes();
|
||||||
|
let certs = rustls_pemfile::certs(&mut cert_b);
|
||||||
let mut out = Vec::new();
|
let mut out = Vec::new();
|
||||||
for cert in certs {
|
for cert in certs {
|
||||||
out.push(cert?.into_owned());
|
out.push(cert?.into_owned());
|
||||||
@ -34,10 +37,13 @@ pub fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
|
|||||||
Ok(out)
|
Ok(out)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
|
pub async fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
|
||||||
let f = File::open(key_file).context("Open private key")?;
|
let key_s = fs::read_to_string(key_file)
|
||||||
let mut reader = BufReader::new(f);
|
.await
|
||||||
let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader);
|
.context("Read private key")?;
|
||||||
|
let key_s = private_key_to_pkcs8(&key_s)?;
|
||||||
|
let mut key_b = key_s.as_bytes();
|
||||||
|
let mut keys = rustls_pemfile::pkcs8_private_keys(&mut key_b);
|
||||||
if let Some(key) = keys.next() {
|
if let Some(key) = keys.next() {
|
||||||
match key {
|
match key {
|
||||||
Ok(v) => return Ok(PrivateKeyDer::Pkcs8(v.clone_key())),
|
Ok(v) => return Ok(PrivateKeyDer::Pkcs8(v.clone_key())),
|
||||||
@ -49,3 +55,31 @@ pub fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
|
|||||||
|
|
||||||
Err(anyhow!("No private key found"))
|
Err(anyhow!("No private key found"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn private_key_to_pkcs8(pem: &str) -> Result<String> {
|
||||||
|
if pem.contains("RSA PRIVATE KEY") {
|
||||||
|
use rsa::{
|
||||||
|
pkcs1::DecodeRsaPrivateKey,
|
||||||
|
pkcs8::{EncodePrivateKey, LineEnding},
|
||||||
|
RsaPrivateKey,
|
||||||
|
};
|
||||||
|
|
||||||
|
let pkey = RsaPrivateKey::from_pkcs1_pem(pem).context("Read RSA PKCS#1")?;
|
||||||
|
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
|
||||||
|
Ok(pkcs8_pem.as_str().to_owned())
|
||||||
|
} else if pem.contains("EC PRIVATE KEY") {
|
||||||
|
use elliptic_curve::{
|
||||||
|
pkcs8::{EncodePrivateKey, LineEnding},
|
||||||
|
SecretKey,
|
||||||
|
};
|
||||||
|
|
||||||
|
// We assume it is a P256 based secret-key, which is the most popular curve.
|
||||||
|
// Attempting to decode it as P256 is still better than just failing to read it.
|
||||||
|
let pkey: SecretKey<p256::NistP256> =
|
||||||
|
SecretKey::from_sec1_pem(pem).context("Read EC SEC1")?;
|
||||||
|
let pkcs8_pem = pkey.to_pkcs8_pem(LineEnding::default())?;
|
||||||
|
Ok(pkcs8_pem.as_str().to_owned())
|
||||||
|
} else {
|
||||||
|
Ok(pem.to_string())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@ -115,7 +115,10 @@ impl<'a> Integration<'a> {
|
|||||||
} else {
|
} else {
|
||||||
rustls::ClientConfig::builder()
|
rustls::ClientConfig::builder()
|
||||||
.with_root_certificates(root_certs.clone())
|
.with_root_certificates(root_certs.clone())
|
||||||
.with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
|
.with_client_auth_cert(
|
||||||
|
load_cert(&conf.tls_cert).await?,
|
||||||
|
load_key(&conf.tls_key).await?,
|
||||||
|
)?
|
||||||
};
|
};
|
||||||
|
|
||||||
mqtt_opts.set_transport(Transport::tls_with_config(client_conf.into()));
|
mqtt_opts.set_transport(Transport::tls_with_config(client_conf.into()));
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user