general/detee-sgx
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

commented self signed certificate

Browse Source
This commit is contained in:
Valentyn Faychuk 2024-08-19 16:31:25 +02:00
parent b77605fc6f
commit 682d8ddd6e
Signed by: valy
GPG Key ID: F1AB995E20FEADC5
6 changed files with 75 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
.idea
target
Cargo.lock
client_instance

2
src/client.rs
View File

@ -1,7 +1,7 @@
use std::sync::Arc;
use crate::{
cert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
};
use rustls::{

3
src/lib.rs
View File

@ -1,4 +1,4 @@
mod cert;
mod racert;
mod client;
mod config;
mod error;
@ -8,6 +8,7 @@ mod server;
mod utils;
pub mod prelude;
//mod sscert;
pub use crate::config::RaTlsConfig;

5
src/cert.rs → src/racert.rs
View File

@ -58,7 +58,7 @@ impl RaTlsCertificateBuilder {
distinguished_name.push(rcgen::DnType::CommonName, self.common_name.clone());
distinguished_name.push(rcgen::DnType::CountryName, "US");
distinguished_name.push(rcgen::DnType::OrganizationName, "Aggregion");
distinguished_name.push(rcgen::DnType::OrganizationName, "DeTEE");
let mut params = CertificateParams::default();
let key_pair = KeyPair::generate(params.alg)?;
@ -129,6 +129,7 @@ impl RaTlsCertificate for rustls::Certificate {
if let Ok(Some(report)) = x509.get_extension_unique(&report_oid) {
let quote = SGXQuote::from_slice(report.value)?;
// ECDSA quote verification using SGX DCAP driver
quote.verify()?;
let public_key = x509.public_key().parsed()?;
@ -150,4 +151,4 @@ impl RaTlsCertificate for rustls::Certificate {
Err("Not found quote extension".into())
}
}
}
}

2
src/server.rs
View File

@ -2,7 +2,7 @@ use rustls::{server::{ClientCertVerified, ClientCertVerifier, ResolvesServerCert
use std::{sync::Arc, time::SystemTime};
use crate::{
cert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
};

67
src/sscert.rs Normal file
View File

@ -0,0 +1,67 @@
use rustls::{server::{ClientCertVerified, ClientCertVerifier, ResolvesServerCert}, sign::CertifiedKey, Certificate, Error, ServerConfig, DistinguishedNames};
use std::{sync::Arc, time::SystemTime};
use crate::{
racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
};
pub struct RaTlsClientCertVerifier {
config: RaTlsConfig,
}
impl RaTlsClientCertVerifier {
pub fn new(config: RaTlsConfig) -> Self {
Self { config }
}
}
impl ClientCertVerifier for RaTlsClientCertVerifier {
fn verify_client_cert(
&self,
end_entity: &Certificate,
_intermediates: &[Certificate],
_now: SystemTime,
) -> Result<ClientCertVerified, Error> {
end_entity.verify_quote(&self.config).map_err(|e| {
println!("{:?}", e);
rustls::Error::General(e.to_string())
})?;
Ok(ClientCertVerified::assertion())
}
fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
Some(DistinguishedNames::new())
}
}
pub struct RaTlsServerCertResolver {
cert: Arc<CertifiedKey>,
}
impl RaTlsServerCertResolver {
pub fn new() -> Result<Self, RaTlsError> {
let builder = RaTlsCertificateBuilder::new().with_common_name("Client".to_string());
let cert = builder.build().map(Arc::new)?;
Ok(Self { cert })
}
}
impl ResolvesServerCert for RaTlsServerCertResolver {
fn resolve(
&self,
_client_hello: rustls::server::ClientHello,
) -> Option<std::sync::Arc<CertifiedKey>> {
Some(self.cert.clone())
}
}
impl RaTlsConfigBuilder<ServerConfig> for ServerConfig {
fn from_ratls_config(config: RaTlsConfig) -> Result<Self, RaTlsError> {
Ok(Self::builder()
.with_safe_defaults()
.with_client_cert_verifier(Arc::new(RaTlsClientCertVerifier::new(config)))
.with_cert_resolver(Arc::new(RaTlsServerCertResolver::new()?)))
}
}