use super::super::control_plane::TlsControlPlaneRuntime;
use super::super::planning::{IssuancePlan, RenewalPlan};
use super::TlsCertificateExecutor;
use crate::material::{CertificateMaterial, ManualCertificateBundle, TlsMaterialProtector};
use crate::{CertificateId, CertificateRecord, TlsInstant, TlsModelError};

/// [`TlsCertificateExecutor`] for deployments that never issue or renew
/// certificates themselves: certificate material only enters the system
/// through [`TlsCertificateExecutor::import_manual_certificate`].
#[derive(Clone, Debug)]
pub struct ManualImportTlsCertificateExecutor {
    /// Runtime that receives imported records (`import_certificate`) and owns
    /// the inventory consulted by `certificate_material`.
    control_plane: TlsControlPlaneRuntime,
    /// Protector handed to `into_encrypted_record` on import and used to
    /// `decrypt` stored material on read-back.
    protector: TlsMaterialProtector,
}

impl ManualImportTlsCertificateExecutor {
    /// Builds an executor that imports into `control_plane` and protects
    /// certificate material with `protector`.
    pub fn new(control_plane: TlsControlPlaneRuntime, protector: TlsMaterialProtector) -> Self {
        Self { control_plane, protector }
    }
}

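impl TlsCertificateExecutor for ManualImportTlsCertificateExecutor {
    /// Converts an operator-supplied bundle into a record through this
    /// executor's protector and imports it into the control plane.
    ///
    /// The bundle is consumed; the control plane only ever sees the record
    /// produced by `into_encrypted_record`, never the raw bundle.
    ///
    /// # Errors
    /// Propagates the error from `into_encrypted_record` or from
    /// `import_certificate` unchanged.
    fn import_manual_certificate(
        &self,
        bundle: ManualCertificateBundle,
    ) -> Result<(), TlsModelError> {
        let record = bundle.into_encrypted_record(&self.protector)?;
        self.control_plane.import_certificate(record)
    }

    /// Manual mode does not issue certificates.
    ///
    /// # Errors
    /// Always returns `ManualModeRequiresImportedCertificate`; the plan is
    /// not inspected.
    fn issue_certificate(
        &self,
        _plan: &IssuancePlan,
        _certificate_id: CertificateId,
        _issued_at: TlsInstant,
    ) -> Result<CertificateRecord, TlsModelError> {
        Err(TlsModelError::ManualModeRequiresImportedCertificate)
    }

    /// Manual mode does not renew certificates; a replacement must be
    /// imported instead.
    ///
    /// # Errors
    /// Always returns `ManualModeRequiresImportedCertificate`; the plan is
    /// not inspected.
    fn renew_certificate(
        &self,
        _plan: &RenewalPlan,
        _certificate_id: CertificateId,
        _replacement_certificate_id: CertificateId,
        _issued_at: TlsInstant,
    ) -> Result<CertificateRecord, TlsModelError> {
        Err(TlsModelError::ManualModeRequiresImportedCertificate)
    }

    /// Looks up `certificate_id` in the control plane inventory and returns
    /// its material decrypted by this executor's protector.
    ///
    /// # Errors
    /// - `UnknownCertificate` when the inventory has no record for the id.
    /// - `MissingCertificateMaterial` when the record exists but carries no
    ///   material.
    /// - Any error from `TlsMaterialProtector::decrypt`, passed through
    ///   unchanged (including `UnsupportedEncryptedMaterialKey`).
    fn certificate_material(
        &self,
        certificate_id: &CertificateId,
    ) -> Result<CertificateMaterial, TlsModelError> {
        // Only the stored material is cloned out of the inventory record; the
        // two lookup failures are kept distinct so a caller can tell "never
        // imported" from "record present but without a payload".
        let encrypted = self
            .control_plane
            .inventory()
            .record(certificate_id)
            .ok_or_else(|| TlsModelError::UnknownCertificate {
                certificate_id: certificate_id.to_string(),
            })?
            .material
            .clone()
            .ok_or_else(|| TlsModelError::MissingCertificateMaterial {
                certificate_id: certificate_id.to_string(),
            })?;
        // Decrypt errors are surfaced as-is; re-wrapping a variant into the
        // same variant adds nothing and would hide a future mapping bug.
        self.protector.decrypt(&encrypted)
    }

    /// Manual mode performs no challenge validation because it never issues.
    ///
    /// # Errors
    /// Always returns `ManualModeRequiresImportedCertificate`; the plan is
    /// not inspected.
    fn validate_issuance_plan(
        &self,
        _plan: &IssuancePlan,
    ) -> Result<super::ChallengeValidation, TlsModelError> {
        Err(TlsModelError::ManualModeRequiresImportedCertificate)
    }
}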