RubyGems - itsi-server - Versions diffs - 0.1.19 → 0.1.20 - Mend

itsi-server 0.1.19 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

data/ext/itsi_acme/src/acme.rs ADDED Viewed

@@ -0,0 +1,354 @@
+use std::sync::Arc;
+use crate::https_helper::{https, HttpsRequestError, Method, Response};
+use crate::jose::{key_authorization_sha256, sign, sign_eab, JoseError};
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+use rcgen::{CustomExtension, Error as RcgenError, PKCS_ECDSA_P256_SHA256};
+use ring::error::{KeyRejected, Unspecified};
+use ring::rand::SystemRandom;
+use ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING};
+use rustls::{crypto::ring::sign::any_ecdsa_type, sign::CertifiedKey};
+use rustls::{
+    pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer},
+    ClientConfig,
+};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use thiserror::Error;
+pub const LETS_ENCRYPT_STAGING_DIRECTORY: &str =
+    "https://acme-staging-v02.api.letsencrypt.org/directory";
+pub const LETS_ENCRYPT_PRODUCTION_DIRECTORY: &str =
+    "https://acme-v02.api.letsencrypt.org/directory";
+pub const ACME_TLS_ALPN_NAME: &[u8] = b"acme-tls/1";
+#[derive(Debug)]
+pub struct Account {
+    pub key_pair: EcdsaKeyPair,
+    pub directory: Directory,
+    pub kid: String,
+}
+static ALG: &EcdsaSigningAlgorithm = &ECDSA_P256_SHA256_FIXED_SIGNING;
+impl Account {
+    pub fn generate_key_pair() -> Vec<u8> {
+        let rng = SystemRandom::new();
+        let pkcs8 = EcdsaKeyPair::generate_pkcs8(ALG, &rng).unwrap();
+        pkcs8.as_ref().to_vec()
+    }
+    pub async fn create<'a, S, I>(
+        client_config: &Arc<ClientConfig>,
+        directory: Directory,
+        contact: I,
+        eab: &Option<ExternalAccountKey>,
+    ) -> Result<Self, AcmeError>
+    where
+        S: AsRef<str> + 'a,
+        I: IntoIterator<Item = &'a S>,
+    {
+        let key_pair = Self::generate_key_pair();
+        Self::create_with_keypair(client_config, directory, contact, &key_pair, eab).await
+    }
+    pub async fn create_with_keypair<'a, S, I>(
+        client_config: &Arc<ClientConfig>,
+        directory: Directory,
+        contact: I,
+        key_pair: &[u8],
+        eab: &Option<ExternalAccountKey>,
+    ) -> Result<Self, AcmeError>
+    where
+        S: AsRef<str> + 'a,
+        I: IntoIterator<Item = &'a S>,
+    {
+        let key_pair = EcdsaKeyPair::from_pkcs8(ALG, key_pair, &SystemRandom::new())?;
+        let contact: Vec<&'a str> = contact.into_iter().map(AsRef::<str>::as_ref).collect();
+        let payload = if let Some(eab) = &eab.as_ref() {
+            let eab_body = sign_eab(&key_pair, &eab.key, &eab.kid, &directory.new_account)?;
+            json!({
+                "termsOfServiceAgreed": true,
+                "contact": contact,
+                "externalAccountBinding": eab_body,
+            })
+        } else {
+            json!({
+                "termsOfServiceAgreed": true,
+                "contact": contact,
+            })
+        }
+        .to_string();
+        let body = sign(
+            &key_pair,
+            None,
+            directory.nonce(client_config).await?,
+            &directory.new_account,
+            &payload,
+        )?;
+        let response = https(
+            client_config,
+            &directory.new_account,
+            Method::Post,
+            Some(body),
+        )
+        .await?;
+        let kid = get_header(&response, "Location")?;
+        Ok(Account {
+            key_pair,
+            kid,
+            directory,
+        })
+    }
+    async fn request(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+        payload: &str,
+    ) -> Result<(Option<String>, String), AcmeError> {
+        let body = sign(
+            &self.key_pair,
+            Some(&self.kid),
+            self.directory.nonce(client_config).await?,
+            url.as_ref(),
+            payload,
+        )?;
+        let response = https(client_config, url.as_ref(), Method::Post, Some(body)).await?;
+        let location = get_header(&response, "Location").ok();
+        let body = response.text().await.map_err(HttpsRequestError::from)?;
+        log::debug!("response: {:?}", body);
+        Ok((location, body))
+    }
+    pub async fn new_order(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        domains: Vec<String>,
+    ) -> Result<(String, Order), AcmeError> {
+        let domains: Vec<Identifier> = domains.into_iter().map(Identifier::Dns).collect();
+        let payload = format!("{{\"identifiers\":{}}}", serde_json::to_string(&domains)?);
+        let response = self
+            .request(client_config, &self.directory.new_order, &payload)
+            .await?;
+        let url = response.0.ok_or(AcmeError::MissingHeader("Location"))?;
+        let order = serde_json::from_str(&response.1)?;
+        Ok((url, order))
+    }
+    pub async fn auth(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+    ) -> Result<Auth, AcmeError> {
+        let payload = "".to_string();
+        let response = self.request(client_config, url, &payload).await?;
+        Ok(serde_json::from_str(&response.1)?)
+    }
+    pub async fn challenge(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+    ) -> Result<(), AcmeError> {
+        self.request(client_config, &url, "{}").await?;
+        Ok(())
+    }
+    pub async fn order(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+    ) -> Result<Order, AcmeError> {
+        let response = self.request(client_config, &url, "").await?;
+        Ok(serde_json::from_str(&response.1)?)
+    }
+    pub async fn finalize(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+        csr: Vec<u8>,
+    ) -> Result<Order, AcmeError> {
+        let payload = format!("{{\"csr\":\"{}\"}}", URL_SAFE_NO_PAD.encode(csr),);
+        let response = self.request(client_config, &url, &payload).await?;
+        Ok(serde_json::from_str(&response.1)?)
+    }
+    pub async fn certificate(
+        &self,
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+    ) -> Result<String, AcmeError> {
+        Ok(self.request(client_config, &url, "").await?.1)
+    }
+    pub fn tls_alpn_01<'a>(
+        &self,
+        challenges: &'a [Challenge],
+        domain: String,
+    ) -> Result<(&'a Challenge, CertifiedKey), AcmeError> {
+        let challenge = challenges
+            .iter()
+            .find(|c| c.typ == ChallengeType::TlsAlpn01);
+        let challenge = match challenge {
+            Some(challenge) => challenge,
+            None => return Err(AcmeError::NoTlsAlpn01Challenge),
+        };
+        let mut params = rcgen::CertificateParams::new(vec![domain])?;
+        let key_auth = key_authorization_sha256(&self.key_pair, &challenge.token)?;
+        params.custom_extensions = vec![CustomExtension::new_acme_identifier(key_auth.as_ref())];
+        let key_pair = rcgen::KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
+        let cert = params.self_signed(&key_pair)?;
+        let pk_bytes = key_pair.serialize_der();
+        let pk_der: PrivatePkcs8KeyDer = pk_bytes.into();
+        let pk_der: PrivateKeyDer = pk_der.into();
+        let pk = any_ecdsa_type(&pk_der).unwrap();
+        let certified_key = CertifiedKey::new(vec![cert.der().clone()], pk);
+        Ok((challenge, certified_key))
+    }
+}
+#[derive(Debug, Clone, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct Directory {
+    pub new_nonce: String,
+    pub new_account: String,
+    pub new_order: String,
+}
+impl Directory {
+    pub async fn discover(
+        client_config: &Arc<ClientConfig>,
+        url: impl AsRef<str>,
+    ) -> Result<Self, AcmeError> {
+        let response = https(client_config, url, Method::Get, None).await?;
+        let body = response.bytes().await.map_err(HttpsRequestError::from)?;
+        Ok(serde_json::from_slice(&body)?)
+    }
+    pub async fn nonce(&self, client_config: &Arc<ClientConfig>) -> Result<String, AcmeError> {
+        let response = &https(client_config, &self.new_nonce.as_str(), Method::Head, None).await?;
+        get_header(response, "replay-nonce")
+    }
+}
+/// See RFC 8555 section 7.3.4 for more information.
+pub struct ExternalAccountKey {
+    pub kid: String,
+    pub key: ring::hmac::Key,
+}
+impl ExternalAccountKey {
+    pub fn new(kid: String, key: &[u8]) -> Self {
+        Self {
+            kid,
+            key: ring::hmac::Key::new(ring::hmac::HMAC_SHA256, key),
+        }
+    }
+}
+#[derive(Debug, Deserialize, Eq, PartialEq)]
+pub enum ChallengeType {
+    #[serde(rename = "http-01")]
+    Http01,
+    #[serde(rename = "dns-01")]
+    Dns01,
+    #[serde(rename = "tls-alpn-01")]
+    TlsAlpn01,
+}
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct Order {
+    #[serde(flatten)]
+    pub status: OrderStatus,
+    pub authorizations: Vec<String>,
+    pub finalize: String,
+    pub error: Option<Problem>,
+}
+#[derive(Debug, Deserialize, Clone, PartialEq, Eq)]
+#[serde(tag = "status", rename_all = "camelCase")]
+pub enum OrderStatus {
+    Pending,
+    Ready,
+    Valid { certificate: String },
+    Invalid,
+    Processing,
+}
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct Auth {
+    pub status: AuthStatus,
+    pub identifier: Identifier,
+    pub challenges: Vec<Challenge>,
+}
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub enum AuthStatus {
+    Pending,
+    Valid,
+    Invalid,
+    Revoked,
+    Expired,
+    Deactivated,
+}
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(tag = "type", content = "value", rename_all = "camelCase")]
+pub enum Identifier {
+    Dns(String),
+}
+#[derive(Debug, Deserialize)]
+pub struct Challenge {
+    #[serde(rename = "type")]
+    pub typ: ChallengeType,
+    pub url: String,
+    pub token: String,
+    pub error: Option<Problem>,
+}
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct Problem {
+    #[serde(rename = "type")]
+    pub typ: Option<String>,
+    pub detail: Option<String>,
+}
+#[derive(Error, Debug)]
+pub enum AcmeError {
+    #[error("io error: {0}")]
+    Io(#[from] std::io::Error),
+    #[error("certificate generation error: {0}")]
+    Rcgen(#[from] RcgenError),
+    #[error("JOSE error: {0}")]
+    Jose(#[from] JoseError),
+    #[error("JSON error: {0}")]
+    Json(#[from] serde_json::Error),
+    #[error("http request error: {0}")]
+    HttpRequest(#[from] HttpsRequestError),
+    #[error("invalid key pair: {0}")]
+    KeyRejected(#[from] KeyRejected),
+    #[error("crypto error: {0}")]
+    Crypto(#[from] Unspecified),
+    #[error("acme service response is missing {0} header")]
+    MissingHeader(&'static str),
+    #[error("no tls-alpn-01 challenge found")]
+    NoTlsAlpn01Challenge,
+}
+fn get_header(response: &Response, header: &'static str) -> Result<String, AcmeError> {
+    let h = response
+        .headers()
+        .get_all(header)
+        .iter()
+        .next_back()
+        .and_then(|v| v.to_str().ok())
+        .map(|s| s.to_string());
+    match h {
+        None => Err(AcmeError::MissingHeader(header)),
+        Some(value) => Ok(value),
+    }
+}

data/ext/itsi_acme/src/axum.rs ADDED Viewed

@@ -0,0 +1,86 @@
+use crate::{AcmeAccept, AcmeAcceptor};
+use rustls::ServerConfig;
+use std::future::Future;
+use std::io;
+use std::io::ErrorKind;
+use std::pin::Pin;
+use std::sync::Arc;
+use std::task::{Context, Poll};
+use tokio::io::{AsyncRead, AsyncWrite};
+use tokio_rustls::Accept;
+#[derive(Clone)]
+pub struct AxumAcceptor {
+    acme_acceptor: AcmeAcceptor,
+    config: Arc<ServerConfig>,
+}
+impl AxumAcceptor {
+    pub fn new(acme_acceptor: AcmeAcceptor, config: Arc<ServerConfig>) -> Self {
+        Self {
+            acme_acceptor,
+            config,
+        }
+    }
+}
+impl<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static>
+    axum_server::accept::Accept<I, S> for AxumAcceptor
+{
+    type Stream = tokio_rustls::server::TlsStream<I>;
+    type Service = S;
+    type Future = AxumAccept<I, S>;
+    fn accept(&self, stream: I, service: S) -> Self::Future {
+        let acme_accept = self.acme_acceptor.accept(stream);
+        Self::Future {
+            config: self.config.clone(),
+            acme_accept,
+            tls_accept: None,
+            service: Some(service),
+        }
+    }
+}
+pub struct AxumAccept<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static> {
+    config: Arc<ServerConfig>,
+    acme_accept: AcmeAccept<I>,
+    tls_accept: Option<Accept<I>>,
+    service: Option<S>,
+}
+impl<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static> Unpin
+    for AxumAccept<I, S>
+{
+}
+impl<I: AsyncRead + AsyncWrite + Unpin + Send + 'static, S: Send + 'static> Future
+    for AxumAccept<I, S>
+{
+    type Output = io::Result<(tokio_rustls::server::TlsStream<I>, S)>;
+    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
+        loop {
+            if let Some(tls_accept) = &mut self.tls_accept {
+                return match Pin::new(&mut *tls_accept).poll(cx) {
+                    Poll::Ready(Ok(tls)) => Poll::Ready(Ok((tls, self.service.take().unwrap()))),
+                    Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
+                    Poll::Pending => Poll::Pending,
+                };
+            }
+            return match Pin::new(&mut self.acme_accept).poll(cx) {
+                Poll::Ready(Ok(Some(start_handshake))) => {
+                    let config = self.config.clone();
+                    self.tls_accept = Some(start_handshake.into_stream(config));
+                    continue;
+                }
+                Poll::Ready(Ok(None)) => Poll::Ready(Err(io::Error::new(
+                    ErrorKind::Other,
+                    "TLS-ALPN-01 validation request",
+                ))),
+                Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
+                Poll::Pending => Poll::Pending,
+            };
+        }
+    }
+}

data/ext/itsi_acme/src/cache.rs ADDED Viewed

@@ -0,0 +1,39 @@
+use std::fmt::Debug;
+use async_trait::async_trait;
+pub trait Cache: CertCache + AccountCache {}
+impl<T> Cache for T where T: CertCache + AccountCache {}
+#[async_trait]
+pub trait CertCache: Send + Sync {
+    type EC: Debug;
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC>;
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC>;
+}
+#[async_trait]
+pub trait AccountCache: Send + Sync {
+    type EA: Debug;
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA>;
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA>;
+}

data/ext/itsi_acme/src/caches/boxed.rs ADDED Viewed

@@ -0,0 +1,80 @@
+use crate::{AccountCache, CertCache};
+use async_trait::async_trait;
+use std::fmt::Debug;
+pub struct BoxedErrCache<T: Send + Sync> {
+    inner: T,
+}
+impl<T: Send + Sync> BoxedErrCache<T> {
+    pub fn new(inner: T) -> Self {
+        Self { inner }
+    }
+    pub fn into_inner(self) -> T {
+        self.inner
+    }
+}
+fn box_err(e: impl Debug + 'static) -> Box<dyn Debug> {
+    Box::new(e)
+}
+#[async_trait]
+impl<T: CertCache> CertCache for BoxedErrCache<T>
+where
+    <T as CertCache>::EC: 'static,
+{
+    type EC = Box<dyn Debug>;
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        self.inner
+            .load_cert(domains, directory_url)
+            .await
+            .map_err(box_err)
+    }
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        self.inner
+            .store_cert(domains, directory_url, cert)
+            .await
+            .map_err(box_err)
+    }
+}
+#[async_trait]
+impl<T: AccountCache> AccountCache for BoxedErrCache<T>
+where
+    <T as AccountCache>::EA: 'static,
+{
+    type EA = Box<dyn Debug>;
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.inner
+            .load_account(contact, directory_url)
+            .await
+            .map_err(box_err)
+    }
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        self.inner
+            .store_account(contact, directory_url, account)
+            .await
+            .map_err(box_err)
+    }
+}

data/ext/itsi_acme/src/caches/composite.rs ADDED Viewed

@@ -0,0 +1,69 @@
+use crate::{AccountCache, CertCache};
+use async_trait::async_trait;
+pub struct CompositeCache<C: CertCache + Send + Sync, A: AccountCache + Send + Sync> {
+    pub cert_cache: C,
+    pub account_cache: A,
+}
+impl<C: CertCache + Send + Sync, A: AccountCache + Send + Sync> CompositeCache<C, A> {
+    pub fn new(cert_cache: C, account_cache: A) -> Self {
+        Self {
+            cert_cache,
+            account_cache,
+        }
+    }
+    pub fn into_inner(self) -> (C, A) {
+        (self.cert_cache, self.account_cache)
+    }
+}
+#[async_trait]
+impl<C: CertCache + Send + Sync, A: AccountCache + Send + Sync> CertCache for CompositeCache<C, A> {
+    type EC = C::EC;
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        self.cert_cache.load_cert(domains, directory_url).await
+    }
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        self.cert_cache
+            .store_cert(domains, directory_url, cert)
+            .await
+    }
+}
+#[async_trait]
+impl<C: CertCache + Send + Sync, A: AccountCache + Send + Sync> AccountCache
+    for CompositeCache<C, A>
+{
+    type EA = A::EA;
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        self.account_cache
+            .load_account(contact, directory_url)
+            .await
+    }
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        self.account_cache
+            .store_account(contact, directory_url, account)
+            .await
+    }
+}