added support for self signed TLS certs

.gitignore

@@ -1 +1,3 @@
 /target
+secrets
+tmp

Cargo.lock

@@ -1578,7 +1578,9 @@ version = "0.23.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "822ee9188ac4ec04a2f0531e55d035fb2de73f18b41a63c70c2712503b6fb13c"
 dependencies = [
+ "log",
  "once_cell",
+ "ring",
  "rustls-pki-types",
  "rustls-webpki",
  "subtle",
@@ -1999,8 +2001,10 @@ dependencies = [
  "percent-encoding",
  "pin-project",
  "prost",
+ "rustls-pemfile",
  "socket2",
  "tokio",
+ "tokio-rustls",
  "tokio-stream",
  "tower 0.4.13",
  "tower-layer",

Cargo.toml

@@ -18,7 +18,7 @@ serde_yaml = "0.9.34"
 thiserror = "2.0.11"
 tokio = { version = "1.42.0", features = ["macros", "rt-multi-thread"] }
 tokio-stream = "0.1.17"
-tonic = "0.12"
+tonic = { version = "0.12", features = ["tls"] }
 uuid = { version = "1.11.0", features = ["v4"] }
 
 detee-shared = { git = "ssh://git@gitea.detee.cloud/testnet/proto", branch = "main" }

scripts/ca_cert.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIF/TCCA+WgAwIBAgIULPbWfncT/qhqcWgA+ryYqubND78wDQYJKoZIhvcNAQEL
+BQAwgY0xCzAJBgNVBAYTAlZHMRAwDgYDVQQIDAdUb3J0b2xhMRIwEAYDVQQHDAlS
+b2FkIFRvd24xEjAQBgNVBAoMCURlVEVFIEx0ZDENMAsGA1UECwwEV2ViMzETMBEG
+A1UEAwwKZGV0ZWUtcm9vdDEgMB4GCSqGSIb3DQEJARYRc3VwcG9ydEBkZXRlZS5s
+dGQwHhcNMjUwMzI3MTQ1OTQxWhcNMzUwMzI1MTQ1OTQxWjCBjTELMAkGA1UEBhMC
+VkcxEDAOBgNVBAgMB1RvcnRvbGExEjAQBgNVBAcMCVJvYWQgVG93bjESMBAGA1UE
+CgwJRGVURUUgTHRkMQ0wCwYDVQQLDARXZWIzMRMwEQYDVQQDDApkZXRlZS1yb290
+MSAwHgYJKoZIhvcNAQkBFhFzdXBwb3J0QGRldGVlLmx0ZDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAOtwb0JqT61l058FKkXWxYwxcn9mkIQ3JY5t67xL
+dM/eaSYcLCFvQQ8LZilhYUxEIkqF2+qloyhMgru5erHcn/xul7RnIPpj/ActPFEU
+5Snr4lHP6WJebDSFHmKkh4ogwFqMpq3SvAJ0/h1MxZu1hf369hCmyMvevjINX1kB
+VzZGMKUe3M1YOi62Vbhfd3JUkAMedrVmcZoeOE63Fz4NYs/UMbAQYBtEvPp3qYvM
+vLnDJlCrb9fAia4qFOnzqIa40LEcbDiG7Yxw9jvacb9+rKboaPkNWcZqyNl7CQYr
+yOlSPYa6ehoZ4WGrDzrZMOGp88i3Qkd55VxuivSouUS4bkmSS+QPkRHyOGovatfp
+7AmhgQmfozjovSR2Tk+kGD3VxsAPAQWYxJLYHUtjidBUFQnwjAWpU0gh/iydpb0Q
+q1yEUkijMhUP6uHCLrEb+GGrkGgKgFKfgKsbyKjhXe5ftFdBJnMv8jeTxvkca3Ff
+/Tu8DXq3GVj3UZzCqv9w1a1UJTLH5WkAKrGcFsJ1QwW7yLHXW47cIgKUEAkurpWA
+TXJv7faUGcHBhywSMVCXuBRRg5zk/bdK4KXKtPt9U0QHmnNRXfl2t+1jZKVDAfF2
+x3S0x87URL4IZhGgmfTPoIlpc8ktplPQoxKpdrbMj+6BvXTRmRZRH/LoroRWunba
+1g4BAgMBAAGjUzBRMB0GA1UdDgQWBBQRnZzDpOUYk0CeW0R2pALfN80JFzAfBgNV
+HSMEGDAWgBQRnZzDpOUYk0CeW0R2pALfN80JFzAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4ICAQBQBjchxrS2LDH2HNlSOsKwar8F30tkjYG/E00Y0qjn
+x3ciC0Zlo4M0odhAF8rGkLorEbm5JN/k8lI8oKTzne1YF7g05kt4JDlr6C8vmEL2
+KpLkWc+h42z8jjc1Othj6vhHdl+vOKP+W3f2idoImvAijd2JS0+E3XWI8cgMiwHQ
+lxdMqpwk/dwS1D0E4zvXH041VAXJmlE/ys4DTEq234IwEp41AW0z9Pd9EN7QEDaq
+qUaDVOsaYCAdFCWuEucB2v0NcBNDAJVlepH+uGaQ7UH0afADTscIdrSNcNtf87ad
+1U20wiO2ayBTL5s1dz/XyGc/f3QzCSniE2fILkNg31O0wijrfLUhGbxdx0fVfcXS
+jTabojeQkmRoMguW1H5LaKvPSK06gHxFpaPqhJ8XC9Z5xrtvtVI60kquNHX7Sjwd
+wU7s40J3z5+btYHH4mPdXGsSWXS4xqmKvktzLKBJKVSgjjvzLTKspAAAFsHpIjwN
+YxxQYQl+/hmppCsp/XHE5FbT0051nIxepdtJgWfT4Xo8SxtoQy9C8RzWjMiTiYxG
+IuYkATUex//jBRxABy99v6Kx1Wa2agx7aqnAuC1VinTXG+c1RasAoNWg0vgvnUXn
+4x9HmZYJ4J3PxZjWXdn7Bna7ZV6tmmbDMlp4zy2hNEGtOVlE/ffXRyz/vkLD88Bq
+QA==
+-----END CERTIFICATE-----

scripts/ca_cert.srl

@@ -0,0 +1 @@
+449CCB0DA49A05BA82A5F123866D4822A64AAAC5

scripts/create_certs.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"
+
+mkdir -p secrets
+mkdir -p tmp
+chmod 700 secrets
+
+[[ -f "secrets/ca_key.pem" ]] || {
+  openssl genrsa -out secrets/ca_key.pem 4096
+  chmod 400 secrets/ca_key.pem
+}
+
+[[ -f "ca_cert.pem" ]] || {
+  openssl req -x509 -new -nodes \
+    -key secrets/ca_key.pem -sha256 \
+    -days 3650 -out ca_cert.pem
+}
+
+[[ -f "secrets/staging_key.pem" ]] || {
+  openssl genrsa -out secrets/staging_key.pem 2048
+  chmod 400 secrets/staging_key.pem 
+}
+
+[[ -f "tmp/staging_csr.pem" ]] || {
+  openssl req -new -key secrets/staging_key.pem \
+    -out tmp/staging_csr.pem -config staging_brain.cnf
+}
+
+[[ -f "staging_cert.pem" ]] || {
+  openssl x509 -req -in tmp/staging_csr.pem -CA ca_cert.pem -CAkey secrets/ca_key.pem \
+    -CAcreateserial -out staging_cert.pem -days 825 -sha256 \
+    -extfile staging_brain.cnf -extensions req_ext
+}
+
+[[ -f "secrets/testnet_key.pem" ]] || {
+  openssl genrsa -out secrets/testnet_key.pem 4096
+  chmod 400 secrets/testnet_key.pem 
+}
+
+[[ -f "tmp/testnet_csr.pem" ]] || {
+  openssl req -new -key secrets/testnet_key.pem \
+    -out tmp/testnet_csr.pem -config testnet_brain.cnf
+}
+
+[[ -f "testnet_cert.pem" ]] || {
+  openssl x509 -req -in tmp/testnet_csr.pem -CA ca_cert.pem -CAkey secrets/ca_key.pem \
+    -CAcreateserial -out testnet_cert.pem -days 825 -sha256 \
+    -extfile testnet_brain.cnf -extensions req_ext
+}

scripts/staging_brain.cnf

@@ -0,0 +1,20 @@
+[ req ]
+default_bits       = 2048
+prompt             = no
+default_md         = sha256
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+
+[ req_distinguished_name ]
+C  = VG
+ST = Tortola
+L  = Road Town
+O  = DeTEE Ltd
+OU = Web3
+CN = staging-brain
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = staging-brain

scripts/staging_cert.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5jCCAs6gAwIBAgIURJzLDaSaBbqCpfEjhm1IIqZKqsMwDQYJKoZIhvcNAQEL
+BQAwgY0xCzAJBgNVBAYTAlZHMRAwDgYDVQQIDAdUb3J0b2xhMRIwEAYDVQQHDAlS
+b2FkIFRvd24xEjAQBgNVBAoMCURlVEVFIEx0ZDENMAsGA1UECwwEV2ViMzETMBEG
+A1UEAwwKZGV0ZWUtcm9vdDEgMB4GCSqGSIb3DQEJARYRc3VwcG9ydEBkZXRlZS5s
+dGQwHhcNMjUwMzI4MTQxMzIwWhcNMjcwNzAxMTQxMzIwWjBuMQswCQYDVQQGEwJW
+RzEQMA4GA1UECAwHVG9ydG9sYTESMBAGA1UEBwwJUm9hZCBUb3duMRIwEAYDVQQK
+DAlEZVRFRSBMdGQxDTALBgNVBAsMBFdlYjMxFjAUBgNVBAMMDXN0YWdpbmctYnJh
+aW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcXmOZ1GYsOghZzzS1
+c4139hs1VwB5kK4z2JLXR15SHc1dyDfQO1FBMDMUD/jfROVgTFx3l7X/MGv0hoeA
+h4QsyiDaHcba/WqFJ59rWDNIz5GvI4bDw8OctNrNMrhUtNYtfC9gTkk3N4c06TDE
+8ga9cTuPDw+fCKghvK7TJVF7UDZYaqjf4Et4zo+ahefkeJF8NUD+HTUbZcg5Ebuz
+me4/8b/zORMtXXmRUzcOCZTY5TnQfdGKtO+aYcUEuJusWPvjq3+8duprIElKn3sH
+e8Ju7qrJpX+NurJHEonbtzWspIgJP8/4GO4oetHN/ppXrHtE5qqG6qvS+Fna71DQ
+HGORAgMBAAGjXDBaMBgGA1UdEQQRMA+CDXN0YWdpbmctYnJhaW4wHQYDVR0OBBYE
+FP7OXu7YjWhacQVz7Xi9HqixkcoeMB8GA1UdIwQYMBaAFBGdnMOk5RiTQJ5bRHak
+At83zQkXMA0GCSqGSIb3DQEBCwUAA4ICAQBIQ/EboY0ZVf1VTWtBZKXIWFANDlGc
+vFgejlxeruXGsiJpeQCsAXP6ZMSgVTapSBzTCURbV64vwhlSMJGFzV8m8XFYw6/o
+7mn0VCJjM2309A9uKs/Vk8dhG+BAMUT+bgQW+yyO/agpi5I1ChEVHHNyVI5JVxAR
+wAmKHVKccGnW5Ji9OVFCt14IXWqPo3cE/Y+IaFG9OJYENa3JNRLfXMDoxHpiQ6I3
+v2/YcN2E0m1WwrMgsUpRE8hroLQWCghgzMGjJn0YQ6yTGeh6ibRkIg9yaXLxHygq
+sauPn+JFhY7V/AP0V212ksEfEPHciZPaNriK3y2m2SDVYpXRVHHqWhQxb5yc+B6A
+QWdu45pP1gVM6SGnJDuIrtihg9hUXVB22Uoea6kOGhdlS5m9fv1KRH1ScF7Onbzd
+TjxPLoEzvj6/cNu7XEixjQOSmcs68PX8t+Jp8I2gMCQ++ZzQ7oyS5xzwKcDYcjPm
+2rud5px7H8zwNdP+cNFifSYNHs4ltgXmTDKOhvntGWXjNsq3Olw2tvbLIPQETRQc
+T5BTDMcNPNeXquzer/OJZOkJrZeG5RvbVeQ8AfdldMUNoX9fhSOtIY1L99wculHU
+XqC2NVpZxXDUwR8GKQuLGuOkMQmCdTLd1svJh5Deih4IddII1LP6qP2Izo3CUgDV
+LuxVyvp8squzVg==
+-----END CERTIFICATE-----

scripts/testnet_brain.cnf

@@ -0,0 +1,20 @@
+[ req ]
+default_bits       = 4096
+prompt             = no
+default_md         = sha256
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+
+[ req_distinguished_name ]
+C  = VG
+ST = Tortola
+L  = Road Town
+O  = DeTEE Ltd
+OU = Web3
+CN = testnet-brain
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = testnet-brain

scripts/testnet_cert.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF5jCCA86gAwIBAgIURJzLDaSaBbqCpfEjhm1IIqZKqsUwDQYJKoZIhvcNAQEL
+BQAwgY0xCzAJBgNVBAYTAlZHMRAwDgYDVQQIDAdUb3J0b2xhMRIwEAYDVQQHDAlS
+b2FkIFRvd24xEjAQBgNVBAoMCURlVEVFIEx0ZDENMAsGA1UECwwEV2ViMzETMBEG
+A1UEAwwKZGV0ZWUtcm9vdDEgMB4GCSqGSIb3DQEJARYRc3VwcG9ydEBkZXRlZS5s
+dGQwHhcNMjUwMzI4MTQxNDE1WhcNMjcwNzAxMTQxNDE1WjBuMQswCQYDVQQGEwJW
+RzEQMA4GA1UECAwHVG9ydG9sYTESMBAGA1UEBwwJUm9hZCBUb3duMRIwEAYDVQQK
+DAlEZVRFRSBMdGQxDTALBgNVBAsMBFdlYjMxFjAUBgNVBAMMDXRlc3RuZXQtYnJh
+aW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwbfN9iq/Zl97etbqW
+q1DR8WOupTK94r1pZ2cGAyozED2JuQVdslaLU8Jt9QZUlhLYYVf/vXanPmgxh+NA
+VxvLPUjI/RZ84qGi58Uii3YCEQm6AwW0M21HPRQyctBqFc2KvxBBsCNg/G0wLpEI
+qdEP9mHP1k/hlW6nxKsM/jAgeIuEGWH83sqkZnzRb6jVjQw9yPYvY/4UzSX13fdD
+J+ML9H+0qfYgYkpv0Y9LjEwJEOM7tZY5y9LcOBb/CAKgBjb1MWqJuKhTen9ZryGi
+snmqXRMgOygTMiUUKV/cy4SUnlKymUDUxt5sSbV+2f/lzamYzjXreycR+6m4ol4n
+Xz8IfLROEDp0lk07r33fj1z9Z4huH7J9L1eOQpViDNI762hrZzz8my1VyOfyyhOr
+wbg2GtIaM5pnakeWFXRw/+NGQEy2quSDBrHsWliEN2F/pDiDByZhaotNxNTN56Jq
+mmOyOv4HjPgmK5iSmUp+Dpf8CWT+PPec9UqRQfV/6gUeRD68VvRsPD5UmQ+wl/3Y
+DLq0y2GkGmzGOFk2LN916Tl4gynlj1EDtsiXFyHGvJk05ZjjNy/QDJG4BlQIR1yV
+a7uHVCi4GOhE5CUS2XVLZ+kQC/IAiXM2Cw8z9W0JPv4p/CnH8riWacCY22kIz9oH
+Rn7x31YKRsrULjgRMA57up/ycwIDAQABo1wwWjAYBgNVHREEETAPgg10ZXN0bmV0
+LWJyYWluMB0GA1UdDgQWBBSsKdb7/zgpiNza73tRZc+Iw83f3zAfBgNVHSMEGDAW
+gBQRnZzDpOUYk0CeW0R2pALfN80JFzANBgkqhkiG9w0BAQsFAAOCAgEAeDG2X2Lk
+wgbwSrx3fzRVP2KIho7C3rBVX/6p4eisl4s50pHXF9UAHwc2BXY4r+gl1TisF24y
+hWTD9OfYW+q4d7+gcF5smQVeSmwIPSZgIRRaz4YI7p5grICw9+7Qh6IgLw+WsEUw
+URCll5a81CdpITmrKxy4O+MScBY4+M4PZziqaZw60cdjC6hFikrndox91hEYvNdc
+EQXoivYjfB9TO55gwzKHdmBHGzI1hPlTJMdBn4l0QixkJeIk2TBCWWhp15tgrNTC
+HdawZ0cTwVH1CkeXr4jdi1afvX7cGbHPufjKW2KeyasLNaUagVH13NdYTe9et4Nf
+rY3byqXICj9UMZuuMc7GJv07hRJ4DNyZMWtRr0duqAo3frGzJk4C4v25nU9msfCY
+YjqM0KWOlrVPpnH7e8eMLFKZgrD6rV1a+cqvtjGSwNhbOZJ3xCPe/m+zeIOPkgDH
+hDKoOagHVyBS+9ryIeEYmipxg7yjpbFUmI9Z8FE+teZdA0iBRjyikqzgtten7ZP8
+uJiSAEbqn0l1O/qAyI6SlD/nsCX513KRk6kvFEWSud2vePsSQ9gtwjKCw3E4/OdL
+AWUEOWQlCHVQioyrVc2WwRtO6o+prb+Nk/TTp9Gyp1fQjqMquESIsNoUvhrMOwXf
+nIUh6pszMpdBlOnyry4RUK3I0sgM5TACZ1Y=
+-----END CERTIFICATE-----

src/main.rs

@@ -13,7 +13,9 @@ use grpc::BrainGeneraClilMock;
 use grpc::BrainVmCliMock;
 use grpc::BrainVmDaemonMock;
 use std::sync::Arc;
+use tonic::transport::Identity;
 use tonic::transport::Server;
+use tonic::transport::ServerTlsConfig;
 
 #[tokio::main]
 async fn main() {
@@ -43,7 +45,14 @@ async fn main() {
 
     let general_service_server = BrainGeneralCliServer::new(BrainGeneraClilMock::new(data.clone()));
 
+    let cert = std::fs::read_to_string("/etc/detee/brain-mock/brain-crt.pem").unwrap();
+    let key = std::fs::read_to_string("/etc/detee/brain-mock/brain-key.pem").unwrap();
+
+    let identity = Identity::from_pem(cert, key);
+
     Server::builder()
+        .tls_config(ServerTlsConfig::new().identity(identity))
+        .unwrap()
         .add_service(snp_daemon_server)
         .add_service(snp_cli_server)
         .add_service(sgx_cli_server)