Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
467 Commits
12 Branches
27 Tags
2.1 MiB
Tree: 1afc6dc27e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1afc6dc27e'
${ noResults }
acmed/acmed/src/storage.rs

295 lines
7.9 KiB
Raw Normal View History

Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Change the template engine for TinyTemplate As discussed in the issue linked below, the template engine needed to be changed for various reasons. After a long search, it has been decided to use TinyTemplate since it is the best match so far. fixes #8
3 years ago
Move common items to a dedicated lib In a near future, ACMEd will be composed of several binaries which will use some common functions and structures.
5 years ago
Rewrite the crypto keys abstraction Until now, the crypto key abstraction used two different type: PublicKey and PrivateKey. Unfortunately, it does not work with ring and should therefore be rewrote with a single type: KeyPair.
5 years ago
Move common items to a dedicated lib In a near future, ACMEd will be composed of several binaries which will use some common functions and structures.
5 years ago
Add the file_name_format config directive
4 years ago
Add environment variables to hook templates
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Initial commit
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Change PathBuf to Path where it is possible
3 years ago
Initial commit
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Initial commit
5 years ago
Add the file_name_format config directive
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Add the file_name_format config directive
4 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Initial commit
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Change PathBuf to Path where it is possible
3 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Change PathBuf to Path where it is possible
3 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Initial commit
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Initial commit
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
5 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Initial commit
5 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Initial commit
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Initial commit
5 years ago
Add hooks before and after a file is created or edited It is considered a good practice to archive old certificates and private keys instead of simply dropping them away. Because ACMEd should not impose a way of doing things to system administrators, hooks are the way to go.
5 years ago
Create a dedicated FileManager struct The certificate struct was bloated with file management data which therefore required the certificate to be passed in every storage function. In order to clean this, a new FileManager struct has been created.
4 years ago
Indent with tabs instead of spaces https://adamtuttle.codes/blog/2021/tabs-vs-spaces-its-an-accessibility-issue/
1 year ago
Add hooks before and after a file is created or edited It is considered a good practice to archive old certificates and private keys instead of simply dropping them away. Because ACMEd should not impose a way of doing things to system administrators, hooks are the way to go.
5 years ago
  1. use crate::hooks::{self, FileStorageHookData, Hook, HookEnvData, HookType};
  2. use crate::logs::HasLogger;
  3. use crate::template::render_template;
  4. use acme_common::b64_encode;
  5. use acme_common::crypto::{KeyPair, X509Certificate};
  6. use acme_common::error::Error;
  7. use serde::Serialize;
  8. use std::collections::HashMap;
  9. use std::fmt;
  10. use std::fs::{File, OpenOptions};
  11. use std::io::{Read, Write};
  12. use std::path::{Path, PathBuf};
  14. #[cfg(target_family = "unix")]
  15. use std::os::unix::fs::OpenOptionsExt;
  17. #[derive(Clone, Debug)]
  18. pub struct FileManager {
  19. pub account_name: String,
  20. pub account_directory: String,
  21. pub crt_name: String,
  22. pub crt_name_format: String,
  23. pub crt_directory: String,
  24. pub crt_key_type: String,
  25. pub cert_file_mode: u32,
  26. pub cert_file_owner: Option<String>,
  27. pub cert_file_group: Option<String>,
  28. pub pk_file_mode: u32,
  29. pub pk_file_owner: Option<String>,
  30. pub pk_file_group: Option<String>,
  31. pub hooks: Vec<Hook>,
  32. pub env: HashMap<String, String>,
  33. }
  35. impl HasLogger for FileManager {
  36. fn warn(&self, msg: &str) {
  37. log::warn!("{}: {}", self, msg);
  38. }
  40. fn info(&self, msg: &str) {
  41. log::info!("{}: {}", self, msg);
  42. }
  44. fn debug(&self, msg: &str) {
  45. log::debug!("{}: {}", self, msg);
  46. }
  48. fn trace(&self, msg: &str) {
  49. log::trace!("{}: {}", self, msg);
  50. }
  51. }
  53. impl fmt::Display for FileManager {
  54. fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
  55. let s = if !self.crt_name.is_empty() {
  56. format!("certificate \"{}_{}\"", self.crt_name, self.crt_key_type)
  57. } else {
  58. format!("account \"{}\"", self.account_name)
  59. };
  60. write!(f, "{}", s)
  61. }
  62. }
  64. #[derive(Clone)]
  65. enum FileType {
  66. Account,
  67. PrivateKey,
  68. Certificate,
  69. }
  71. impl fmt::Display for FileType {
  72. fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
  73. let s = match self {
  74. FileType::Account => "account",
  75. FileType::PrivateKey => "pk",
  76. FileType::Certificate => "crt",
  77. };
  78. write!(f, "{}", s)
  79. }
  80. }
  82. #[derive(Clone, Serialize)]
  83. pub struct CertFileFormat {
  84. pub ext: String,
  85. pub file_type: String,
  86. pub key_type: String,
  87. pub name: String,
  88. }
  90. fn get_file_full_path(
  91. fm: &FileManager,
  92. file_type: FileType,
  93. ) -> Result<(String, String, PathBuf), Error> {
  94. let base_path = match file_type {
  95. FileType::Account => &fm.account_directory,
  96. FileType::PrivateKey => &fm.crt_directory,
  97. FileType::Certificate => &fm.crt_directory,
  98. };
  99. let file_name = match file_type {
  100. FileType::Account => format!(
  101. "{account}.{file_type}.{ext}",
  102. account = b64_encode(&fm.account_name),
  103. file_type = file_type,
  104. ext = "bin"
  105. ),
  106. FileType::PrivateKey | FileType::Certificate => {
  107. let fmt_data = CertFileFormat {
  108. key_type: fm.crt_key_type.to_string(),
  109. ext: "pem".into(),
  110. file_type: file_type.to_string(),
  111. name: fm.crt_name.to_owned(),
  112. };
  113. render_template(&fm.crt_name_format, &fmt_data)?
  114. }
  115. };
  116. let mut path = PathBuf::from(&base_path);
  117. path.push(&file_name);
  118. Ok((base_path.to_string(), file_name, path))
  119. }
  121. fn get_file_path(fm: &FileManager, file_type: FileType) -> Result<PathBuf, Error> {
  122. let (_, _, path) = get_file_full_path(fm, file_type)?;
  123. Ok(path)
  124. }
  126. fn read_file(fm: &FileManager, path: &Path) -> Result<Vec<u8>, Error> {
  127. fm.trace(&format!("reading file {:?}", path));
  128. let mut file =
  129. File::open(path).map_err(|e| Error::from(e).prefix(&path.display().to_string()))?;
  130. let mut contents = vec![];
  131. file.read_to_end(&mut contents)?;
  132. Ok(contents)
  133. }
  135. #[cfg(unix)]
  136. fn set_owner(fm: &FileManager, path: &Path, file_type: FileType) -> Result<(), Error> {
  137. let (uid, gid) = match file_type {
  138. FileType::Certificate => (fm.cert_file_owner.to_owned(), fm.cert_file_group.to_owned()),
  139. FileType::PrivateKey => (fm.pk_file_owner.to_owned(), fm.pk_file_group.to_owned()),
  140. FileType::Account => {
  141. // The account file does not need to be accessible to users other different from the current one.
  142. return Ok(());
  143. }
  144. };
  145. let uid = match uid {
  146. Some(u) => {
  147. if u.bytes().all(|b| b.is_ascii_digit()) {
  148. let raw_uid = u
  149. .parse::<u32>()
  150. .map_err(|_| Error::from("unable to parse the UID"))?;
  151. let nix_uid = nix::unistd::Uid::from_raw(raw_uid);
  152. Some(nix_uid)
  153. } else {
  154. let user = nix::unistd::User::from_name(&u)?;
  155. user.map(|u| u.uid)
  156. }
  157. }
  158. None => None,
  159. };
  160. let gid = match gid {
  161. Some(g) => {
  162. if g.bytes().all(|b| b.is_ascii_digit()) {
  163. let raw_gid = g
  164. .parse::<u32>()
  165. .map_err(|_| Error::from("unable to parse the GID"))?;
  166. let nix_gid = nix::unistd::Gid::from_raw(raw_gid);
  167. Some(nix_gid)
  168. } else {
  169. let grp = nix::unistd::Group::from_name(&g)?;
  170. grp.map(|g| g.gid)
  171. }
  172. }
  173. None => None,
  174. };
  175. match uid {
  176. Some(u) => fm.trace(&format!("{:?}: setting the uid to {}", path, u.as_raw())),
  177. None => fm.trace(&format!("{:?}: uid unchanged", path)),
  178. };
  179. match gid {
  180. Some(g) => fm.trace(&format!("{:?}: setting the gid to {}", path, g.as_raw())),
  181. None => fm.trace(&format!("{:?}: gid unchanged", path)),
  182. };
  183. match nix::unistd::chown(path, uid, gid) {
  184. Ok(_) => Ok(()),
  185. Err(e) => Err(format!("{}", e).into()),
  186. }
  187. }
  189. fn write_file(fm: &FileManager, file_type: FileType, data: &[u8]) -> Result<(), Error> {
  190. let (file_directory, file_name, path) = get_file_full_path(fm, file_type.clone())?;
  191. let mut hook_data = FileStorageHookData {
  192. file_name,
  193. file_directory,
  194. file_path: path.to_owned(),
  195. env: HashMap::new(),
  196. };
  197. hook_data.set_env(&fm.env);
  198. let is_new = !path.is_file();
  200. if is_new {
  201. hooks::call(fm, &fm.hooks, &hook_data, HookType::FilePreCreate)?;
  202. } else {
  203. hooks::call(fm, &fm.hooks, &hook_data, HookType::FilePreEdit)?;
  204. }
  206. fm.trace(&format!("writing file {:?}", path));
  207. let mut file = if cfg!(unix) {
  208. let mut options = OpenOptions::new();
  209. options.mode(match &file_type {
  210. FileType::Certificate => fm.cert_file_mode,
  211. FileType::PrivateKey => fm.pk_file_mode,
  212. FileType::Account => crate::DEFAULT_ACCOUNT_FILE_MODE,
  213. });
  214. options
  215. .write(true)
  216. .create(true)
  217. .open(&path)
  218. .map_err(|e| Error::from(e).prefix(&path.display().to_string()))?
  219. } else {
  220. File::create(&path).map_err(|e| Error::from(e).prefix(&path.display().to_string()))?
  221. };
  222. file.write_all(data)
  223. .map_err(|e| Error::from(e).prefix(&path.display().to_string()))?;
  224. if cfg!(unix) {
  225. set_owner(fm, &path, file_type).map_err(|e| e.prefix(&path.display().to_string()))?;
  226. }
  228. if is_new {
  229. hooks::call(fm, &fm.hooks, &hook_data, HookType::FilePostCreate)?;
  230. } else {
  231. hooks::call(fm, &fm.hooks, &hook_data, HookType::FilePostEdit)?;
  232. }
  233. Ok(())
  234. }
  236. pub fn get_account_data(fm: &FileManager) -> Result<Vec<u8>, Error> {
  237. let path = get_file_path(fm, FileType::Account)?;
  238. read_file(fm, &path)
  239. }
  241. pub fn set_account_data(fm: &FileManager, data: &[u8]) -> Result<(), Error> {
  242. write_file(fm, FileType::Account, data)
  243. }
  245. pub fn get_keypair(fm: &FileManager) -> Result<KeyPair, Error> {
  246. let path = get_file_path(fm, FileType::PrivateKey)?;
  247. let raw_key = read_file(fm, &path)?;
  248. let key = KeyPair::from_pem(&raw_key)?;
  249. Ok(key)
  250. }
  252. pub fn set_keypair(fm: &FileManager, key_pair: &KeyPair) -> Result<(), Error> {
  253. let data = key_pair.private_key_to_pem()?;
  254. write_file(fm, FileType::PrivateKey, &data)
  255. }
  257. pub fn get_certificate(fm: &FileManager) -> Result<X509Certificate, Error> {
  258. let path = get_file_path(fm, FileType::Certificate)?;
  259. let raw_crt = read_file(fm, &path)?;
  260. let crt = X509Certificate::from_pem(&raw_crt)?;
  261. Ok(crt)
  262. }
  264. pub fn write_certificate(fm: &FileManager, data: &[u8]) -> Result<(), Error> {
  265. write_file(fm, FileType::Certificate, data)
  266. }
  268. fn check_files(fm: &FileManager, file_types: &[FileType]) -> bool {
  269. for t in file_types.iter().cloned() {
  270. let path = match get_file_path(fm, t) {
  271. Ok(p) => p,
  272. Err(_) => {
  273. return false;
  274. }
  275. };
  276. fm.trace(&format!(
  277. "testing file path: {}",
  278. path.to_str().unwrap_or_default()
  279. ));
  280. if !path.is_file() {
  281. return false;
  282. }
  283. }
  284. true
  285. }
  287. pub fn account_files_exists(fm: &FileManager) -> bool {
  288. let file_types = vec![FileType::Account];
  289. check_files(fm, &file_types)
  290. }
  292. pub fn certificate_files_exists(fm: &FileManager) -> bool {
  293. let file_types = vec![FileType::PrivateKey, FileType::Certificate];
  294. check_files(fm, &file_types)
  295. }