From 70df290306f27f73b01e2ae973c7e920c8a4097f Mon Sep 17 00:00:00 2001 From: Rodolphe Breard Date: Mon, 24 Jun 2019 17:49:53 +0200 Subject: [PATCH] Rewrite the crypto keys abstraction Until now, the crypto key abstraction used two different type: PublicKey and PrivateKey. Unfortunately, it does not work with ring and should therefore be rewrote with a single type: KeyPair. --- acme_common/src/crypto.rs | 2 +- acme_common/src/crypto/openssl_certificate.rs | 37 +++----- acme_common/src/crypto/openssl_keys.rs | 89 +++++++------------ acmed/src/acme_proto.rs | 8 +- acmed/src/acme_proto/account.rs | 24 ++--- acmed/src/acme_proto/certificate.rs | 20 ++--- acmed/src/acme_proto/jws.rs | 20 ++--- acmed/src/acme_proto/jws/algorithms.rs | 12 +-- acmed/src/acme_proto/structs/authorization.rs | 14 +-- acmed/src/storage.rs | 39 +++----- tacd/src/openssl_server.rs | 6 +- 11 files changed, 103 insertions(+), 168 deletions(-) diff --git a/acme_common/src/crypto.rs b/acme_common/src/crypto.rs index 0b288e8..7ef5338 100644 --- a/acme_common/src/crypto.rs +++ b/acme_common/src/crypto.rs @@ -19,4 +19,4 @@ pub use openssl_hash::sha256; #[cfg(feature = "standalone")] pub use standalone_hash::sha256; -pub use openssl_keys::{gen_keypair, KeyType, PrivateKey, PublicKey}; +pub use openssl_keys::{gen_keypair, KeyPair, KeyType}; diff --git a/acme_common/src/crypto/openssl_certificate.rs b/acme_common/src/crypto/openssl_certificate.rs index 0b6d59c..fe75ee0 100644 --- a/acme_common/src/crypto/openssl_certificate.rs +++ b/acme_common/src/crypto/openssl_certificate.rs @@ -1,4 +1,4 @@ -use super::{gen_keypair, KeyType, PrivateKey, PublicKey}; +use super::{gen_keypair, KeyPair, KeyType}; use crate::b64_encode; use crate::error::Error; use openssl::asn1::Asn1Time; @@ -22,13 +22,9 @@ pub struct Csr { } impl Csr { - pub fn new( - pub_key: &PublicKey, - priv_key: &PrivateKey, - domains: &[String], - ) -> Result { + pub fn new(key_pair: &KeyPair, domains: &[String]) -> Result { let mut builder = X509ReqBuilder::new()?; - builder.set_pubkey(&pub_key.inner_key)?; + builder.set_pubkey(&key_pair.inner_key)?; let ctx = builder.x509v3_context(None); let mut san = SubjectAlternativeName::new(); for dns in domains.iter() { @@ -38,7 +34,7 @@ impl Csr { let mut ext_stack = Stack::new()?; ext_stack.push(san)?; builder.add_extensions(&ext_stack)?; - builder.sign(&priv_key.inner_key, MessageDigest::sha256())?; + builder.sign(&key_pair.inner_key, MessageDigest::sha256())?; Ok(Csr { inner_csr: builder.build(), }) @@ -62,17 +58,11 @@ impl X509Certificate { }) } - pub fn from_acme_ext(domain: &str, acme_ext: &str) -> Result<(PrivateKey, Self), Error> { - let (pub_key, priv_key) = gen_keypair(KeyType::EcdsaP256)?; - let inner_cert = gen_certificate(domain, &pub_key, &priv_key, acme_ext)?; + pub fn from_acme_ext(domain: &str, acme_ext: &str) -> Result<(KeyPair, Self), Error> { + let key_pair = gen_keypair(KeyType::EcdsaP256)?; + let inner_cert = gen_certificate(domain, &key_pair, acme_ext)?; let cert = X509Certificate { inner_cert }; - Ok((priv_key, cert)) - } - - pub fn public_key(&self) -> Result { - let raw_key = self.inner_cert.public_key()?.public_key_to_pem()?; - let pub_key = PublicKey::from_pem(&raw_key)?; - Ok(pub_key) + Ok((key_pair, cert)) } pub fn not_after(&self) -> Result { @@ -93,12 +83,7 @@ impl X509Certificate { } } -fn gen_certificate( - domain: &str, - public_key: &PublicKey, - private_key: &PrivateKey, - acme_ext: &str, -) -> Result { +fn gen_certificate(domain: &str, key_pair: &KeyPair, acme_ext: &str) -> Result { let mut x509_name = X509NameBuilder::new()?; x509_name.append_entry_by_text("O", APP_ORG)?; let ca_name = format!("{} TLS-ALPN-01 Authority", APP_NAME); @@ -115,7 +100,7 @@ fn gen_certificate( builder.set_serial_number(&serial_number)?; builder.set_subject_name(&x509_name)?; builder.set_issuer_name(&x509_name)?; - builder.set_pubkey(&public_key.inner_key)?; + builder.set_pubkey(&key_pair.inner_key)?; let not_before = Asn1Time::days_from_now(0)?; builder.set_not_before(¬_before)?; let not_after = Asn1Time::days_from_now(CRT_NB_DAYS_VALIDITY)?; @@ -138,7 +123,7 @@ fn gen_certificate( builder .append_extension(acme_ext) .map_err(|_| Error::from(INVALID_EXT_MSG))?; - builder.sign(&private_key.inner_key, MessageDigest::sha256())?; + builder.sign(&key_pair.inner_key, MessageDigest::sha256())?; let cert = builder.build(); Ok(cert) } diff --git a/acme_common/src/crypto/openssl_keys.rs b/acme_common/src/crypto/openssl_keys.rs index 8268035..770628b 100644 --- a/acme_common/src/crypto/openssl_keys.rs +++ b/acme_common/src/crypto/openssl_keys.rs @@ -4,7 +4,7 @@ use openssl::bn::{BigNum, BigNumContext}; use openssl::ec::{EcGroup, EcKey}; use openssl::ecdsa::EcdsaSig; use openssl::nid::Nid; -use openssl::pkey::{Id, PKey, Private, Public}; +use openssl::pkey::{Id, PKey, Private}; use openssl::rsa::Rsa; use serde_json::json; use std::fmt; @@ -36,10 +36,10 @@ macro_rules! get_key_type { #[derive(Clone, Copy, Debug)] pub enum KeyType { - Rsa2048, - Rsa4096, EcdsaP256, EcdsaP384, + Rsa2048, + Rsa4096, } impl FromStr for KeyType { @@ -47,10 +47,10 @@ impl FromStr for KeyType { fn from_str(s: &str) -> Result { match s.to_lowercase().as_str() { - "rsa2048" => Ok(KeyType::Rsa2048), - "rsa4096" => Ok(KeyType::Rsa4096), "ecdsa_p256" => Ok(KeyType::EcdsaP256), "ecdsa_p384" => Ok(KeyType::EcdsaP384), + "rsa2048" => Ok(KeyType::Rsa2048), + "rsa4096" => Ok(KeyType::Rsa4096), _ => Err(format!("{}: unknown algorithm.", s).into()), } } @@ -59,56 +59,40 @@ impl FromStr for KeyType { impl fmt::Display for KeyType { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { let s = match self { - KeyType::Rsa2048 => "rsa2048", - KeyType::Rsa4096 => "rsa4096", KeyType::EcdsaP256 => "ecdsa-p256", KeyType::EcdsaP384 => "ecdsa-p384", + KeyType::Rsa2048 => "rsa2048", + KeyType::Rsa4096 => "rsa4096", }; write!(f, "{}", s) } } -pub struct PublicKey { - pub key_type: KeyType, - pub inner_key: PKey, -} - -impl PublicKey { - pub fn from_pem(pem_data: &[u8]) -> Result { - let inner_key = PKey::public_key_from_pem(pem_data)?; - let key_type = get_key_type!(inner_key); - Ok(PublicKey { - key_type, - inner_key, - }) - } - - pub fn to_pem(&self) -> Result, Error> { - self.inner_key.public_key_to_pem().map_err(Error::from) - } -} - -pub struct PrivateKey { +pub struct KeyPair { pub key_type: KeyType, pub inner_key: PKey, } -impl PrivateKey { +impl KeyPair { pub fn from_pem(pem_data: &[u8]) -> Result { let inner_key = PKey::private_key_from_pem(pem_data)?; let key_type = get_key_type!(inner_key); - Ok(PrivateKey { + Ok(KeyPair { key_type, inner_key, }) } - pub fn to_pem(&self) -> Result, Error> { + pub fn private_key_to_pem(&self) -> Result, Error> { self.inner_key .private_key_to_pem_pkcs8() .map_err(Error::from) } + pub fn public_key_to_pem(&self) -> Result, Error> { + self.inner_key.public_key_to_pem().map_err(Error::from) + } + pub fn sign(&self, data: &[u8]) -> Result, Error> { match self.key_type { KeyType::Rsa2048 | KeyType::Rsa4096 => { @@ -177,45 +161,32 @@ impl PrivateKey { } } -fn gen_rsa_pair(nb_bits: u32) -> Result<(PKey, PKey), Error> { - let priv_key = Rsa::generate(nb_bits).unwrap(); - let pub_key = Rsa::from_public_components( - priv_key.n().to_owned().unwrap(), - priv_key.e().to_owned().unwrap(), - ) - .unwrap(); - Ok(( - PKey::from_rsa(pub_key).unwrap(), - PKey::from_rsa(priv_key).unwrap(), - )) +fn gen_rsa_pair(nb_bits: u32) -> Result, Error> { + // TODO: check if map_err is required + let priv_key = Rsa::generate(nb_bits).map_err(|_| Error::from(""))?; + let pk = PKey::from_rsa(priv_key).map_err(|_| Error::from(""))?; + Ok(pk) } -fn gen_ec_pair(nid: Nid) -> Result<(PKey, PKey), Error> { - let group = EcGroup::from_curve_name(nid).unwrap(); - let ec_priv_key = EcKey::generate(&group).unwrap(); - let public_key_point = ec_priv_key.public_key(); - let ec_pub_key = EcKey::from_public_key(&group, public_key_point).unwrap(); - Ok(( - PKey::from_ec_key(ec_pub_key).unwrap(), - PKey::from_ec_key(ec_priv_key).unwrap(), - )) +fn gen_ec_pair(nid: Nid) -> Result, Error> { + // TODO: check if map_err is required + let group = EcGroup::from_curve_name(nid).map_err(|_| Error::from(""))?; + let ec_priv_key = EcKey::generate(&group).map_err(|_| Error::from(""))?; + let pk = PKey::from_ec_key(ec_priv_key).map_err(|_| Error::from(""))?; + Ok(pk) } -pub fn gen_keypair(key_type: KeyType) -> Result<(PublicKey, PrivateKey), Error> { - let (pub_key, priv_key) = match key_type { +pub fn gen_keypair(key_type: KeyType) -> Result { + let priv_key = match key_type { KeyType::Rsa2048 => gen_rsa_pair(2048), KeyType::Rsa4096 => gen_rsa_pair(4096), KeyType::EcdsaP256 => gen_ec_pair(Nid::X9_62_PRIME256V1), KeyType::EcdsaP384 => gen_ec_pair(Nid::SECP384R1), } .map_err(|_| Error::from(format!("Unable to generate a {} key pair.", key_type)))?; - let pub_key = PublicKey { - key_type, - inner_key: pub_key, - }; - let priv_key = PrivateKey { + let key_pair = KeyPair { key_type, inner_key: priv_key, }; - Ok((pub_key, priv_key)) + Ok(key_pair) } diff --git a/acmed/src/acme_proto.rs b/acmed/src/acme_proto.rs index d0aeb2c..d5bff80 100644 --- a/acmed/src/acme_proto.rs +++ b/acmed/src/acme_proto.rs @@ -58,7 +58,7 @@ impl PartialEq for Challenge { macro_rules! set_data_builder { ($account: ident, $data: expr, $url: expr) => { - |n: &str| encode_kid(&$account.priv_key, &$account.account_url, $data, &$url, n) + |n: &str| encode_kid(&$account.key_pair, &$account.account_url, $data, &$url, n) }; } macro_rules! set_empty_data_builder { @@ -124,7 +124,7 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result< let current_challenge = cert.get_domain_challenge(&auth.identifier.value)?; for challenge in auth.challenges.iter() { if current_challenge == *challenge { - let proof = challenge.get_proof(&account.priv_key)?; + let proof = challenge.get_proof(&account.key_pair)?; let file_name = challenge.get_file_name(); let domain = auth.identifier.value.to_owned(); @@ -178,10 +178,10 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result< )?; // 11. Finalize the order by sending the CSR - let (pub_key, priv_key) = certificate::get_key_pair(cert)?; + let key_pair = certificate::get_key_pair(cert)?; let domains: Vec = cert.domains.iter().map(|e| e.dns.to_owned()).collect(); let csr = json!({ - "csr": Csr::new(&pub_key, &priv_key, domains.as_slice())?.to_der_base64()?, + "csr": Csr::new(&key_pair, domains.as_slice())?.to_der_base64()?, }); let csr = csr.to_string(); let data_builder = set_data_builder!(account, csr.as_bytes(), order.finalize); diff --git a/acmed/src/acme_proto/account.rs b/acmed/src/acme_proto/account.rs index 009daff..113156a 100644 --- a/acmed/src/acme_proto/account.rs +++ b/acmed/src/acme_proto/account.rs @@ -4,13 +4,12 @@ use crate::acme_proto::jws::encode_jwk; use crate::acme_proto::structs::{Account, AccountResponse, Directory}; use crate::certificate::Certificate; use crate::storage; -use acme_common::crypto::{PrivateKey, PublicKey}; +use acme_common::crypto::KeyPair; use acme_common::error::Error; use std::str::FromStr; pub struct AccountManager { - pub pub_key: PublicKey, - pub priv_key: PrivateKey, + pub key_pair: KeyPair, pub account_url: String, pub orders_url: String, } @@ -23,25 +22,21 @@ impl AccountManager { root_certs: &[String], ) -> Result<(Self, String), Error> { // TODO: store the key id (account url) - let (pub_key, priv_key) = if storage::account_files_exists(cert) { + let key_pair = if storage::account_files_exists(cert) { // TODO: check if the keys are suitable for the specified signature algorithm // and, if not, initiate a key rollover. - ( - storage::get_account_pub_key(cert)?, - storage::get_account_priv_key(cert)?, - ) + storage::get_account_keypair(cert)? } else { // TODO: allow to change the signature algo let sign_alg = SignatureAlgorithm::from_str(crate::DEFAULT_JWS_SIGN_ALGO)?; - let (pub_key, priv_key) = sign_alg.gen_key_pair()?; - storage::set_account_priv_key(cert, &priv_key)?; - storage::set_account_pub_key(cert, &pub_key)?; - (pub_key, priv_key) + let key_pair = sign_alg.gen_key_pair()?; + storage::set_account_keypair(cert, &key_pair)?; + key_pair }; let account = Account::new(cert); let account = serde_json::to_string(&account)?; let data_builder = - |n: &str| encode_jwk(&priv_key, account.as_bytes(), &directory.new_account, n); + |n: &str| encode_jwk(&key_pair, account.as_bytes(), &directory.new_account, n); let (acc_rep, account_url, nonce): (AccountResponse, String, String) = http::get_obj_loc( cert, root_certs, @@ -50,8 +45,7 @@ impl AccountManager { &nonce, )?; let ac = AccountManager { - pub_key, - priv_key, + key_pair, account_url, orders_url: acc_rep.orders.unwrap_or_default(), }; diff --git a/acmed/src/acme_proto/certificate.rs b/acmed/src/acme_proto/certificate.rs index fdb358d..c057bff 100644 --- a/acmed/src/acme_proto/certificate.rs +++ b/acmed/src/acme_proto/certificate.rs @@ -1,30 +1,28 @@ use crate::certificate::{Algorithm, Certificate}; use crate::storage; -use acme_common::crypto::{gen_keypair, KeyType, PrivateKey, PublicKey}; +use acme_common::crypto::{gen_keypair, KeyPair, KeyType}; use acme_common::error::Error; -fn gen_key_pair(cert: &Certificate) -> Result<(PublicKey, PrivateKey), Error> { +fn gen_key_pair(cert: &Certificate) -> Result { let key_type = match cert.algo { Algorithm::Rsa2048 => KeyType::Rsa2048, Algorithm::Rsa4096 => KeyType::Rsa4096, Algorithm::EcdsaP256 => KeyType::EcdsaP256, Algorithm::EcdsaP384 => KeyType::EcdsaP384, }; - let (pub_key, priv_key) = gen_keypair(key_type)?; - storage::set_priv_key(cert, &priv_key)?; - Ok((pub_key, priv_key)) + let key_pair = gen_keypair(key_type)?; + storage::set_keypair(cert, &key_pair)?; + Ok(key_pair) } -fn read_key_pair(cert: &Certificate) -> Result<(PublicKey, PrivateKey), Error> { - let pub_key = storage::get_pub_key(cert)?; - let priv_key = storage::get_priv_key(cert)?; - Ok((pub_key, priv_key)) +fn read_key_pair(cert: &Certificate) -> Result { + storage::get_keypair(cert) } -pub fn get_key_pair(cert: &Certificate) -> Result<(PublicKey, PrivateKey), Error> { +pub fn get_key_pair(cert: &Certificate) -> Result { if cert.kp_reuse { match read_key_pair(cert) { - Ok((priv_key, pub_key)) => Ok((priv_key, pub_key)), + Ok(key_pair) => Ok(key_pair), Err(_) => gen_key_pair(cert), } } else { diff --git a/acmed/src/acme_proto/jws.rs b/acmed/src/acme_proto/jws.rs index 0b3ef3d..057473a 100644 --- a/acmed/src/acme_proto/jws.rs +++ b/acmed/src/acme_proto/jws.rs @@ -1,6 +1,6 @@ use crate::acme_proto::jws::algorithms::{EdDsaVariant, SignatureAlgorithm}; use acme_common::b64_encode; -use acme_common::crypto::{sha256, PrivateKey}; +use acme_common::crypto::{sha256, KeyPair}; use acme_common::error::Error; use serde::Serialize; @@ -30,12 +30,12 @@ struct JwsProtectedHeaderKid { url: String, } -fn get_data(private_key: &PrivateKey, protected: &str, payload: &[u8]) -> Result { +fn get_data(key_pair: &KeyPair, protected: &str, payload: &[u8]) -> Result { let protected = b64_encode(protected); let payload = b64_encode(payload); let signing_input = format!("{}.{}", protected, payload); let fingerprint = sha256(signing_input.as_bytes()); - let signature = private_key.sign(&fingerprint)?; + let signature = key_pair.sign(&fingerprint)?; let signature = b64_encode(&signature); let data = JwsData { protected, @@ -47,30 +47,30 @@ fn get_data(private_key: &PrivateKey, protected: &str, payload: &[u8]) -> Result } pub fn encode_jwk( - private_key: &PrivateKey, + key_pair: &KeyPair, payload: &[u8], url: &str, nonce: &str, ) -> Result { - let sign_alg = SignatureAlgorithm::from_pkey(private_key)?; + let sign_alg = SignatureAlgorithm::from_pkey(key_pair)?; let protected = JwsProtectedHeaderJwk { alg: sign_alg.to_string(), - jwk: sign_alg.get_jwk(private_key)?, + jwk: sign_alg.get_jwk(key_pair)?, nonce: nonce.into(), url: url.into(), }; let protected = serde_json::to_string(&protected)?; - get_data(private_key, &protected, payload) + get_data(key_pair, &protected, payload) } pub fn encode_kid( - private_key: &PrivateKey, + key_pair: &KeyPair, key_id: &str, payload: &[u8], url: &str, nonce: &str, ) -> Result { - let sign_alg = SignatureAlgorithm::from_pkey(private_key)?; + let sign_alg = SignatureAlgorithm::from_pkey(key_pair)?; let protected = JwsProtectedHeaderKid { alg: sign_alg.to_string(), kid: key_id.to_string(), @@ -78,7 +78,7 @@ pub fn encode_kid( url: url.into(), }; let protected = serde_json::to_string(&protected)?; - get_data(private_key, &protected, payload) + get_data(key_pair, &protected, payload) } #[cfg(test)] diff --git a/acmed/src/acme_proto/jws/algorithms.rs b/acmed/src/acme_proto/jws/algorithms.rs index c8039f3..6f7c471 100644 --- a/acmed/src/acme_proto/jws/algorithms.rs +++ b/acmed/src/acme_proto/jws/algorithms.rs @@ -1,5 +1,5 @@ use super::jwk::{EdDsaEd25519Jwk, Es256Jwk, Jwk}; -use acme_common::crypto::{gen_keypair, KeyType, PrivateKey, PublicKey}; +use acme_common::crypto::{gen_keypair, KeyPair, KeyType}; use acme_common::error::Error; use std::fmt; use std::str::FromStr; @@ -47,20 +47,20 @@ impl FromStr for SignatureAlgorithm { } impl SignatureAlgorithm { - pub fn from_pkey(private_key: &PrivateKey) -> Result { - match private_key.key_type { + pub fn from_pkey(key_pair: &KeyPair) -> Result { + match key_pair.key_type { KeyType::EcdsaP256 => Ok(SignatureAlgorithm::Es256), t => Err(format!("{}: unsupported key type", t).into()), } } - pub fn get_jwk(&self, private_key: &PrivateKey) -> Result { - let (x, y) = private_key.get_nist_ec_coordinates()?; + pub fn get_jwk(&self, key_pair: &KeyPair) -> Result { + let (x, y) = key_pair.get_nist_ec_coordinates()?; let jwk = Jwk::Es256(Es256Jwk::new(&x, &y)); Ok(jwk) } - pub fn gen_key_pair(&self) -> Result<(PublicKey, PrivateKey), Error> { + pub fn gen_key_pair(&self) -> Result { match self { SignatureAlgorithm::Es256 => gen_keypair(KeyType::EcdsaP256), SignatureAlgorithm::EdDsa(EdDsaVariant::Ed25519) => Err("Not implemented".into()), diff --git a/acmed/src/acme_proto/structs/authorization.rs b/acmed/src/acme_proto/structs/authorization.rs index 5ef1a94..656129d 100644 --- a/acmed/src/acme_proto/structs/authorization.rs +++ b/acmed/src/acme_proto/structs/authorization.rs @@ -1,6 +1,6 @@ use crate::acme_proto::structs::{ApiError, HttpApiError, Identifier}; use acme_common::b64_encode; -use acme_common::crypto::{sha256, PrivateKey}; +use acme_common::crypto::{sha256, KeyPair}; use acme_common::error::Error; use serde::Deserialize; use std::fmt; @@ -92,18 +92,18 @@ impl Challenge { } } - pub fn get_proof(&self, private_key: &PrivateKey) -> Result { + pub fn get_proof(&self, key_pair: &KeyPair) -> Result { match self { - Challenge::Http01(tc) => tc.key_authorization(private_key), + Challenge::Http01(tc) => tc.key_authorization(key_pair), Challenge::Dns01(tc) => { - let ka = tc.key_authorization(private_key)?; + let ka = tc.key_authorization(key_pair)?; let a = sha256(ka.as_bytes()); let a = b64_encode(&a); Ok(a) } Challenge::TlsAlpn01(tc) => { let acme_ext_name = format!("{}.{}", ACME_OID, ID_PE_ACME_ID); - let ka = tc.key_authorization(private_key)?; + let ka = tc.key_authorization(key_pair)?; let proof = sha256(ka.as_bytes()); let proof_str = proof .iter() @@ -154,8 +154,8 @@ pub struct TokenChallenge { } impl TokenChallenge { - fn key_authorization(&self, private_key: &PrivateKey) -> Result { - let thumbprint = private_key.get_jwk_thumbprint()?; + fn key_authorization(&self, key_pair: &KeyPair) -> Result { + let thumbprint = key_pair.get_jwk_thumbprint()?; let thumbprint = sha256(thumbprint.as_bytes()); let thumbprint = b64_encode(&thumbprint); let auth = format!("{}.{}", self.token, thumbprint); diff --git a/acmed/src/storage.rs b/acmed/src/storage.rs index 00dbc27..2f17de8 100644 --- a/acmed/src/storage.rs +++ b/acmed/src/storage.rs @@ -2,7 +2,7 @@ use crate::certificate::Certificate; use crate::config::HookType; use crate::hooks::{self, FileStorageHookData, HookEnvData}; use acme_common::b64_encode; -use acme_common::crypto::{PrivateKey, PublicKey, X509Certificate}; +use acme_common::crypto::{KeyPair, X509Certificate}; use acme_common::error::Error; use std::collections::HashMap; use std::fmt; @@ -174,46 +174,33 @@ fn write_file(cert: &Certificate, file_type: FileType, data: &[u8]) -> Result<() Ok(()) } -pub fn get_account_priv_key(cert: &Certificate) -> Result { +pub fn get_account_keypair(cert: &Certificate) -> Result { let path = get_file_path(cert, FileType::AccountPrivateKey)?; let raw_key = read_file(cert, &path)?; - let key = PrivateKey::from_pem(&raw_key)?; + let key = KeyPair::from_pem(&raw_key)?; Ok(key) } -pub fn set_account_priv_key(cert: &Certificate, key: &PrivateKey) -> Result<(), Error> { - let data = key.to_pem()?; - write_file(cert, FileType::AccountPrivateKey, &data) -} - -pub fn get_account_pub_key(cert: &Certificate) -> Result { - let path = get_file_path(cert, FileType::AccountPublicKey)?; - let raw_key = read_file(cert, &path)?; - let key = PublicKey::from_pem(&raw_key)?; - Ok(key) -} - -pub fn set_account_pub_key(cert: &Certificate, key: &PublicKey) -> Result<(), Error> { - let data = key.to_pem()?; - write_file(cert, FileType::AccountPublicKey, &data) +pub fn set_account_keypair(cert: &Certificate, key_pair: &KeyPair) -> Result<(), Error> { + let pem_pub_key = key_pair.private_key_to_pem()?; + let pem_priv_key = key_pair.public_key_to_pem()?; + write_file(cert, FileType::AccountPublicKey, &pem_priv_key)?; + write_file(cert, FileType::AccountPrivateKey, &pem_pub_key)?; + Ok(()) } -pub fn get_priv_key(cert: &Certificate) -> Result { +pub fn get_keypair(cert: &Certificate) -> Result { let path = get_file_path(cert, FileType::PrivateKey)?; let raw_key = read_file(cert, &path)?; - let key = PrivateKey::from_pem(&raw_key)?; + let key = KeyPair::from_pem(&raw_key)?; Ok(key) } -pub fn set_priv_key(cert: &Certificate, key: &PrivateKey) -> Result<(), Error> { - let data = key.to_pem()?; +pub fn set_keypair(cert: &Certificate, key_pair: &KeyPair) -> Result<(), Error> { + let data = key_pair.private_key_to_pem()?; write_file(cert, FileType::PrivateKey, &data) } -pub fn get_pub_key(cert: &Certificate) -> Result { - get_certificate(cert)?.public_key() -} - pub fn get_certificate(cert: &Certificate) -> Result { let path = get_file_path(cert, FileType::Certificate)?; let raw_crt = read_file(cert, &path)?; diff --git a/tacd/src/openssl_server.rs b/tacd/src/openssl_server.rs index 33d945b..68e2452 100644 --- a/tacd/src/openssl_server.rs +++ b/tacd/src/openssl_server.rs @@ -1,4 +1,4 @@ -use acme_common::crypto::{PrivateKey, X509Certificate}; +use acme_common::crypto::{KeyPair, X509Certificate}; use acme_common::error::Error; use log::debug; use openssl::ssl::{self, AlpnError, SslAcceptor, SslMethod}; @@ -32,14 +32,14 @@ macro_rules! listen_and_accept { pub fn start( listen_addr: &str, certificate: &X509Certificate, - private_key: &PrivateKey, + key_pair: &KeyPair, ) -> Result<(), Error> { let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; acceptor.set_alpn_select_callback(|_, client| { debug!("ALPN negociation"); ssl::select_next_proto(crate::ALPN_ACME_PROTO_NAME, client).ok_or(ALPN_ERROR) }); - acceptor.set_private_key(&private_key.inner_key)?; + acceptor.set_private_key(&key_pair.inner_key)?; acceptor.set_certificate(&certificate.inner_cert)?; acceptor.check_private_key()?; let acceptor = Arc::new(acceptor.build());