From 682d8ddd6eb032b38f746af08461c3d9b64aa632 Mon Sep 17 00:00:00 2001
From: Valentyn Faychuk
Date: Mon, 19 Aug 2024 16:31:25 +0200
Subject: [PATCH] commented self signed certificate
---
 .gitignore | 1 +
 src/client.rs | 2 +-
 src/lib.rs | 3 +-
 src/{cert.rs => racert.rs} | 5 +--
 src/server.rs | 2 +-
 src/sscert.rs | 67 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 75 insertions(+), 5 deletions(-)
 rename src/{cert.rs => racert.rs} (98%)
 create mode 100644 src/sscert.rs
diff --git a/.gitignore b/.gitignore
index 53a7646..ecd78e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.idea
 target
 Cargo.lock
 client_instance
diff --git a/src/client.rs b/src/client.rs
index db16013..aabfda4 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 use crate::{
- cert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
+ racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
 RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
 };
 use rustls::{
diff --git a/src/lib.rs b/src/lib.rs
index b869f32..d34889d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,4 +1,4 @@
-mod cert;
+mod racert;
 mod client;
 mod config;
 mod error;
@@ -8,6 +8,7 @@ mod server;
 mod utils;
 pub mod prelude;
+//mod sscert;
 pub use crate::config::RaTlsConfig;
diff --git a/src/cert.rs b/src/racert.rs
similarity index 98%
rename from src/cert.rs
rename to src/racert.rs
index 861ec52..d3a2023 100644
--- a/src/cert.rs
+++ b/src/racert.rs
@@ -58,7 +58,7 @@ impl RaTlsCertificateBuilder {
 distinguished_name.push(rcgen::DnType::CommonName, self.common_name.clone());
 distinguished_name.push(rcgen::DnType::CountryName, "US");
- distinguished_name.push(rcgen::DnType::OrganizationName, "Aggregion");
+ distinguished_name.push(rcgen::DnType::OrganizationName, "DeTEE");
 let mut params = CertificateParams::default();
 let key_pair = KeyPair::generate(params.alg)?;
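Review bot: The commented-out `//mod sscert;` in the second lib.rs hunk leaves src/sscert.rs outside the module tree, so the new file is never compiled or type-checked and will silently rot while the commit title is the only record of why it is disabled. If the module is meant to be optional, gate it rather than comment it out, e.g. `#[cfg(feature = "FEATURE_NAME_PLACEHOLDER")] mod sscert;` with the feature declared in Cargo.toml; otherwise drop the line and add the file in the commit that actually wires it in. At minimum a comment stating what blocks enabling it, e.g. `// TODO: self-signed (non-RA) certificate path, not yet wired in`, would make the intent recoverable for the next reader.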
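Review bot: In the racert.rs hunk the organization name is still a literal buried in the DN-building code (`"DeTEE"`, next to the equally hard-coded `"US"`), while the common name is configurable through `self.common_name`; since this identity is stamped into every certificate the library issues, it is worth naming it once, e.g. `const ORGANIZATION_NAME: &str = "DeTEE";` at module level and `distinguished_name.push(rcgen::DnType::OrganizationName, ORGANIZATION_NAME);` here, or a builder setter parallel to the common-name one. The enclosing build method starts and ends outside the hunk.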
@@ -129,6 +129,7 @@ impl RaTlsCertificate for rustls::Certificate {
 if let Ok(Some(report)) = x509.get_extension_unique(&report_oid) {
 let quote = SGXQuote::from_slice(report.value)?;
+ // ECDSA quote verification using SGX DCAP driver
 quote.verify()?;
 let public_key = x509.public_key().parsed()?;
@@ -150,4 +151,4 @@ impl RaTlsCertificate for rustls::Certificate {
 Err("Not found quote extension".into())
 }
 }
-}
+}
\ No newline at end of file
diff --git a/src/server.rs b/src/server.rs
index f0f07a4..03a370c 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -2,7 +2,7 @@ use rustls::{server::{ClientCertVerified, ClientCertVerifier, ResolvesServerCert
 use std::{sync::Arc, time::SystemTime};
 use crate::{
- cert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
+ racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
 RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
 };
diff --git a/src/sscert.rs b/src/sscert.rs
new file mode 100644
index 0000000..03a370c
--- /dev/null
+++ b/src/sscert.rs
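Review bot: The new comment above `quote.verify()?;` names the mechanism (ECDSA quote, DCAP) but not the property this verifier relies on, which is what a reader auditing the trust path needs; suggest `// Verify the DCAP (ECDSA) quote's signature chain; any failure rejects the certificate.` and, if the lines after the hunk tie the quote's report data to the `public_key` parsed on the next line, a second comment there saying so, since that binding is what makes the quote belong to this certificate. The enclosing function starts and ends outside the hunk. Separately, the surrounding `if let Ok(Some(report))` guard folds an `Err` from `get_extension_unique` — which, as far as I can tell, x509-parser returns when the extension appears more than once — into the same "Not found quote extension" result, so a certificate carrying two quote extensions is reported as carrying none; propagating that error with `?` would keep the diagnostics honest. The third racert.rs hunk also drops the file's trailing newline (`\ No newline at end of file`), which is worth restoring.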
@@ -0,0 +1,67 @@
+use rustls::{server::{ClientCertVerified, ClientCertVerifier, ResolvesServerCert}, sign::CertifiedKey, Certificate, Error, ServerConfig, DistinguishedNames};
+use std::{sync::Arc, time::SystemTime};
+
+use crate::{
+ racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
+ RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
+};
+
+pub struct RaTlsClientCertVerifier {
+ config: RaTlsConfig,
+}
+
+impl RaTlsClientCertVerifier {
+ pub fn new(config: RaTlsConfig) -> Self {
+ Self { config }
+ }
+}
+
+impl ClientCertVerifier for RaTlsClientCertVerifier {
+ fn verify_client_cert(
+ &self,
+ end_entity: &Certificate,
+ _intermediates: &[Certificate],
+ _now: SystemTime,
+ ) -> Result {
+ end_entity.verify_quote(&self.config).map_err(|e| {
+ println!("{:?}", e);
+ rustls::Error::General(e.to_string())
+ })?;
+
+ Ok(ClientCertVerified::assertion())
+ }
+
+ fn client_auth_root_subjects(&self) -> Option {
+ Some(DistinguishedNames::new())
+ }
+}
+
+pub struct RaTlsServerCertResolver {
+ cert: Arc,
+}
+
+impl RaTlsServerCertResolver {
+ pub fn new() -> Result {
+ let builder = RaTlsCertificateBuilder::new().with_common_name("Client".to_string());
+ let cert = builder.build().map(Arc::new)?;
+ Ok(Self { cert })
+ }
+}
+
+impl ResolvesServerCert for RaTlsServerCertResolver {
+ fn resolve(
+ &self,
+ _client_hello: rustls::server::ClientHello,
+ ) -> Option> {
+ Some(self.cert.clone())
+ }
+}
+
+impl RaTlsConfigBuilder for ServerConfig {
+ fn from_ratls_config(config: RaTlsConfig) -> Result {
+ Ok(Self::builder()
+ .with_safe_defaults()
+ .with_client_cert_verifier(Arc::new(RaTlsClientCertVerifier::new(config)))
+ .with_cert_resolver(Arc::new(RaTlsServerCertResolver::new()?)))
+ }
+}
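Review bot: src/sscert.rs is a byte-for-byte copy of the new src/server.rs (both `index` lines end in blob 03a370c), so it carries a second `impl RaTlsConfigBuilder for ServerConfig` and would fail with a conflicting-implementation error the moment `mod sscert;` is uncommented; a self-signed variant needs its own types or a feature-gated branch inside server.rs, not a duplicate file whose name promises behaviour it does not contain. Inside the copied code, `RaTlsServerCertResolver::new` builds the server certificate with `.with_common_name("Client".to_string())`, which reads like a copy-paste from the client side and should probably be `"Server"` or a caller-supplied name. `verify_client_cert` prints the rejection reason with `println!("{:?}", e)` from library code; drop it, or rely on the error already carried back in `rustls::Error::General(e.to_string())`, since stdout is not where an operator will look for failed-handshake diagnostics. The verifier also ignores `_now` and `_intermediates`, so only the embedded quote is checked and the certificate's validity period and chain never are; if that is the intended RA-TLS trust model, a doc comment on `RaTlsClientCertVerifier` should state it explicitly.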