commented self signed certificate

.gitignore

@@ -1,3 +1,4 @@
+.idea
 target
 Cargo.lock
 client_instance

src/client.rs

@@ -1,7 +1,7 @@
 use std::sync::Arc;
 
 use crate::{
-    cert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
+    racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
     RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
 };
 use rustls::{

src/lib.rs

@@ -1,4 +1,4 @@
-mod cert;
+mod racert;
 mod client;
 mod config;
 mod error;
@@ -8,6 +8,7 @@ mod server;
 mod utils;
 
 pub mod prelude;
+//mod sscert;
 
 pub use crate::config::RaTlsConfig;
 

src/racert.rs

@@ -58,7 +58,7 @@ impl RaTlsCertificateBuilder {
 
         distinguished_name.push(rcgen::DnType::CommonName, self.common_name.clone());
         distinguished_name.push(rcgen::DnType::CountryName, "US");
-        distinguished_name.push(rcgen::DnType::OrganizationName, "Aggregion");
+        distinguished_name.push(rcgen::DnType::OrganizationName, "DeTEE");
 
         let mut params = CertificateParams::default();
         let key_pair = KeyPair::generate(params.alg)?;
@@ -129,6 +129,7 @@ impl RaTlsCertificate for rustls::Certificate {
         if let Ok(Some(report)) = x509.get_extension_unique(&report_oid) {
             let quote = SGXQuote::from_slice(report.value)?;
 
+            // ECDSA quote verification using SGX DCAP driver
             quote.verify()?;
 
             let public_key = x509.public_key().parsed()?;

src/server.rs

@@ -2,7 +2,7 @@ use rustls::{server::{ClientCertVerified, ClientCertVerifier, ResolvesServerCert
 use std::{sync::Arc, time::SystemTime};
 
 use crate::{
-    cert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
+    racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
     RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
 };
 

src/sscert.rs

@@ -0,0 +1,67 @@
+use rustls::{server::{ClientCertVerified, ClientCertVerifier, ResolvesServerCert}, sign::CertifiedKey, Certificate, Error, ServerConfig, DistinguishedNames};
+use std::{sync::Arc, time::SystemTime};
+
+use crate::{
+    racert::{CertificateBuilder, RaTlsCertificate, RaTlsCertificateBuilder},
+    RaTlsConfig, RaTlsConfigBuilder, RaTlsError,
+};
+
+pub struct RaTlsClientCertVerifier {
+    config: RaTlsConfig,
+}
+
+impl RaTlsClientCertVerifier {
+    pub fn new(config: RaTlsConfig) -> Self {
+        Self { config }
+    }
+}
+
+impl ClientCertVerifier for RaTlsClientCertVerifier {
+    fn verify_client_cert(
+        &self,
+        end_entity: &Certificate,
+        _intermediates: &[Certificate],
+        _now: SystemTime,
+    ) -> Result<ClientCertVerified, Error> {
+        end_entity.verify_quote(&self.config).map_err(|e| {
+            println!("{:?}", e);
+            rustls::Error::General(e.to_string())
+        })?;
+
+        Ok(ClientCertVerified::assertion())
+    }
+
+    fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
+        Some(DistinguishedNames::new())
+    }
+}
+
+pub struct RaTlsServerCertResolver {
+    cert: Arc<CertifiedKey>,
+}
+
+impl RaTlsServerCertResolver {
+    pub fn new() -> Result<Self, RaTlsError> {
+        let builder = RaTlsCertificateBuilder::new().with_common_name("Client".to_string());
+        let cert = builder.build().map(Arc::new)?;
+        Ok(Self { cert })
+    }
+}
+
+impl ResolvesServerCert for RaTlsServerCertResolver {
+    fn resolve(
+        &self,
+        _client_hello: rustls::server::ClientHello,
+    ) -> Option<std::sync::Arc<CertifiedKey>> {
+        Some(self.cert.clone())
+    }
+}
+
+impl RaTlsConfigBuilder<ServerConfig> for ServerConfig {
+    fn from_ratls_config(config: RaTlsConfig) -> Result<Self, RaTlsError> {
+        Ok(Self::builder()
+            .with_safe_defaults()
+            .with_client_cert_verifier(Arc::new(RaTlsClientCertVerifier::new(config)))
+            .with_cert_resolver(Arc::new(RaTlsServerCertResolver::new()?)))
+    }
+}