added support for self signed TLS certificates

2025-03-28 17:47:20 +02:00 · 2025-03-28 17:47:20 +02:00 · c3b62a397d
commit c3b62a397d
parent e4f2cf2be3
7 changed files with 38 additions and 11 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1561,7 +1561,9 @@ version = "0.23.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f287924602bf649d949c63dc8ac8b235fa5387d394020705b80c4eb597ce5b8"
 dependencies = [
+ "log",
 "once_cell",
+ "ring",
 "rustls-pki-types",
 "rustls-webpki",
 "subtle",
@ -2009,8 +2011,10 @@ dependencies = [
 "percent-encoding",
 "pin-project",
 "prost",
+ "rustls-pemfile",
 "socket2",
 "tokio",
+ "tokio-rustls",
 "tokio-stream",
 "tower 0.4.13",
 "tower-layer",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -8,7 +8,7 @@ env_logger = "0.11.6"
 prost = "0.13.4"
 prost-types = "0.13.4"
 tokio = { version = "1.43.0", features = ["macros", "rt-multi-thread", "fs"] }
-tonic = "0.12.3"
+tonic = { version = "0.12", features = ["tls"] }
 reqwest = { version = "0.12.12", features = ["blocking"] }
 flate2 = "1.0.35"
 tar = "0.4.43"
--- a/scripts/install_daemon.sh
+++ b/scripts/install_daemon.sh
@ -21,6 +21,7 @@ wget -q --show-progress -O /usr/local/bin/detee-sgx-daemon https://registry.dete
 wget -q --show-progress -O /etc/systemd/system/detee-sgx-daemon.service https://registry.detee.ltd/sgx/daemon/detee-sgx-daemon.service
 wget -q --show-progress -O /etc/detee/app_daemon/sample_config.yaml https://registry.detee.ltd/sgx/daemon/sample_config.yaml
 chmod +x /usr/local/bin/detee-sgx-daemon
+wget -q --show-progress -O /etc/detee/root_ca.pem https://registry.detee.ltd/root_ca.pem

 echo "Take a look at /etc/detee/app_daemon/sample_config.yaml"
 echo "Modify config based on your setup and save it to /etc/detee/app_daemon/config.yaml"
@ -29,4 +30,4 @@ read my_var

 echo "Starting detee-sgx-daemon..."
 systemctl daemon-reload
-systemctl start detee-sgx-daemon.service
+systemctl start detee-sgx-daemon.service
--- a/src/config.rs
+++ b/src/config.rs
@ -6,7 +6,7 @@ use crate::global::IP_INFO;

 #[derive(Debug, Clone, Deserialize)]
 pub struct HostConfig {
-    pub brain_url: String,
+    pub network: String,
    #[serde(default = "retrieve_node_ip")]
    pub host_ip_address: String,
    pub operator_wallet: String,
--- a/src/global.rs
+++ b/src/global.rs
@ -6,6 +6,9 @@ use std::fs::File;
 use std::io::{Read, Write};
 use std::sync::LazyLock;

+pub const DETEE_ROOT_CA: &str = "/etc/detee/root_ca.pem";
+pub const BRAIN_STAGING: (&str, &str) = ("https://159.65.58.38:31337", "staging-brain");
+pub const BRAIN_TESTING: (&str, &str) = ("https://164.92.249.180:31337", "testing-brain");
 pub const PACKAGE_ARCHIVE_POSTFIX: &str = "-enclave_package.tar.gz";
 pub const PACKAGE_ARCHIVE_DIR_PATH: &str = "./enclave_archives";
 pub const PACKAGE_DIR_PATH: &str = "./enclaves";
--- a/src/grpc.rs
+++ b/src/grpc.rs
@ -9,22 +9,41 @@ use tokio::task::JoinSet;
 use tokio_stream::wrappers::ReceiverStream;
 use tokio_stream::StreamExt;
 use tonic::metadata::AsciiMetadataValue;
-use tonic::transport::Channel;
+use tonic::transport::{Certificate, Channel, ClientTlsConfig};
 use tonic::Request;

-use crate::global::IP_INFO;
-use crate::global::PUBLIC_KEY;
+use crate::global::{IP_INFO, PUBLIC_KEY, BRAIN_STAGING, BRAIN_TESTING, DETEE_ROOT_CA};

 pub struct ConnectionData {
-    pub brain_url: String,
+    pub network: String,
    pub brain_msg_tx: Sender<BrainMessageApp>,
    pub daemon_msg_rx: Receiver<DaemonMessageApp>,
    pub daemon_msg_tx: Sender<DaemonMessageApp>,
    pub app_contracts_uuid: Vec<String>,
 }

+pub async fn client(network: &str) -> Result<BrainAppDaemonClient<Channel>> {
+    let (brain_url, brain_san) = match network {
+        "staging" => BRAIN_STAGING,
+        "testnet" => BRAIN_TESTING,
+        _ => {
+            return Err(anyhow::anyhow!(
+                "The only networks currently supported are staging and testnet."
+            ))
+        }
+    };
+    let pem = std::fs::read_to_string(DETEE_ROOT_CA)?;
+    let ca = Certificate::from_pem(pem);
+
+    let tls = ClientTlsConfig::new().ca_certificate(ca).domain_name(brain_san);
+
+    let channel = Channel::from_shared(brain_url.to_string())?.tls_config(tls)?.connect().await?;
+
+    Ok(BrainAppDaemonClient::new(channel))
+}
+
 pub async fn register_node(config: &crate::HostConfig) -> Result<Vec<AppContract>> {
-    let mut client = BrainAppDaemonClient::connect(config.brain_url.clone()).await?;
+    let mut client = client(&config.network).await?;

    log::debug!("registering node with brain");

@ -71,7 +90,7 @@ pub async fn register_node(config: &crate::HostConfig) -> Result<Vec<AppContract
 }

 pub async fn connect_and_run(conn_data: ConnectionData) -> Result<()> {
-    let client = BrainAppDaemonClient::connect(conn_data.brain_url).await?;
+    let client = client(&conn_data.network).await?;

    let mut streaming_tasks = JoinSet::new();

--- a/src/main.rs
+++ b/src/main.rs
@ -197,7 +197,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
        let (daemon_msg_tx, daemon_msg_rx) = tokio::sync::mpsc::channel(6);

        let mut app_handler = AppHandler::new(brain_msg_rx, daemon_msg_tx.clone());
-        let brain_url = app_handler.host_config.brain_url.clone();
+        let network = app_handler.host_config.network.clone();

        let mut contracts = vec![];
        match grpc::register_node(&app_handler.host_config).await {
@ -215,7 +215,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {

        log::info!("Connecting to brain...");
        if let Err(e) = grpc::connect_and_run(grpc::ConnectionData {
-            brain_url,
+            network,
            brain_msg_tx,
            daemon_msg_rx,
            daemon_msg_tx,