crabka-security 0.3.3

TLS, SASL, SCRAM, OAuth, and Kerberos security utilities for Crabka
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535

//! Pure X.509 CA + leaf-cert generation for the operator's
//! clients-CA bootstrap. Reusable by inter-broker mTLS
//! and cert hot-reload tests.
//!
//! No async, no I/O — these helpers return PEM-encoded material
//! that callers persist to Kubernetes Secrets, files, or anywhere
//! else.

use std::net::IpAddr;

use rcgen::{
    BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa,
    Issuer, KeyPair, KeyUsagePurpose, PKCS_ECDSA_P256_SHA256, SanType,
};
use thiserror::Error;
use time::format_description::well_known::Rfc3339;
use time::{Duration, OffsetDateTime};

#[derive(Debug, Error)]
pub enum CaError {
    #[error("rcgen: {0}")]
    Rcgen(#[from] rcgen::Error),
    #[error("time math overflow")]
    TimeOverflow,
    #[error("time format: {0}")]
    TimeFormat(#[from] time::error::Format),
}

/// Self-signed clients-CA material.
#[derive(Debug, Clone)]
pub struct CaMaterial {
    pub cert_pem: String,
    pub key_pem: String,
}

/// A leaf cert issued by a clients-CA. `not_after` is RFC3339.
pub struct UserCert {
    pub cert_pem: String,
    pub key_pem: String,
    pub not_after: String,
}

/// SAN entry for a leaf cert. ECDSA leaf certs accept any mix of DNS
/// names and IP addresses; the broker-cert path uses a mix.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum SubjectAltName {
    Dns(String),
    Ip(IpAddr),
}

/// A broker leaf cert (server + client cert in one).
pub struct BrokerCert {
    pub cert_pem: String,
    pub key_pem: String,
    pub not_after: String,
}

fn validity_window(validity_days: u32) -> Result<(OffsetDateTime, OffsetDateTime), CaError> {
    let not_before = OffsetDateTime::now_utc();
    let not_after = not_before
        .checked_add(Duration::days(i64::from(validity_days)))
        .ok_or(CaError::TimeOverflow)?;
    Ok((not_before, not_after))
}

/// Generate a self-signed clients CA with `Subject = CN=<cn>, O=crabka`,
/// `BasicConstraints: CA:TRUE`, and `KeyUsage = keyCertSign|cRLSign`.
/// ECDSA P-256.
pub fn generate_clients_ca(cn: &str, validity_days: u32) -> Result<CaMaterial, CaError> {
    let key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;

    let mut params = CertificateParams::new(Vec::<String>::new())?;
    let (not_before, not_after) = validity_window(validity_days)?;
    params.not_before = not_before;
    params.not_after = not_after;

    let mut dn = DistinguishedName::new();
    dn.push(DnType::CommonName, cn);
    dn.push(DnType::OrganizationName, "crabka");
    params.distinguished_name = dn;

    params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    params.key_usages = vec![KeyUsagePurpose::KeyCertSign, KeyUsagePurpose::CrlSign];

    let cert = params.self_signed(&key)?;

    Ok(CaMaterial {
        cert_pem: cert.pem(),
        key_pem: key.serialize_pem(),
    })
}

/// Generate a self-signed cluster CA. Same shape as
/// [`generate_clients_ca`] (ECDSA P-256, CA:TRUE, KU keyCertSign +
/// cRLSign) but the subject DN carries `OU=cluster` so the cluster CA
/// and clients CA are trivially distinguishable in cert chains and
/// audit logs.
pub fn generate_cluster_ca(cn: &str, validity_days: u32) -> Result<CaMaterial, CaError> {
    let key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;

    let mut params = CertificateParams::new(Vec::<String>::new())?;
    let (not_before, not_after) = validity_window(validity_days)?;
    params.not_before = not_before;
    params.not_after = not_after;

    let mut dn = DistinguishedName::new();
    dn.push(DnType::CommonName, cn);
    dn.push(DnType::OrganizationName, "crabka");
    dn.push(DnType::OrganizationalUnitName, "cluster");
    params.distinguished_name = dn;

    params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    params.key_usages = vec![KeyUsagePurpose::KeyCertSign, KeyUsagePurpose::CrlSign];

    let cert = params.self_signed(&key)?;

    Ok(CaMaterial {
        cert_pem: cert.pem(),
        key_pem: key.serialize_pem(),
    })
}

/// Re-sign a cluster CA cert reusing an existing key (same-key renewal).
///
/// Generates a fresh self-signed cert with the SAME subject DN (`CN=<cn>,
/// O=crabka, OU=cluster`), `CA:TRUE`, `KU keyCertSign|cRLSign`, and a new
/// `validityDays` window, but keyed by `key_pem` rather than a freshly
/// generated key. Because the public key (SPKI) and subject DN are identical to
/// the cert this replaces, leaf certs issued under the old cert still chain to
/// the renewed one — the renewal is non-disruptive. Returns the cert PEM only;
/// the caller already holds the key.
pub fn renew_cluster_ca(key_pem: &str, cn: &str, validity_days: u32) -> Result<String, CaError> {
    renew_ca(key_pem, cn, validity_days, true)
}

/// Re-sign a clients CA cert reusing an existing key (same-key renewal).
/// Like [`renew_cluster_ca`] but with the clients-CA subject DN (no
/// `OU=cluster`).
pub fn renew_clients_ca(key_pem: &str, cn: &str, validity_days: u32) -> Result<String, CaError> {
    renew_ca(key_pem, cn, validity_days, false)
}

fn renew_ca(key_pem: &str, cn: &str, validity_days: u32, cluster: bool) -> Result<String, CaError> {
    let key = KeyPair::from_pem(key_pem)?;

    let mut params = CertificateParams::new(Vec::<String>::new())?;
    let (not_before, not_after) = validity_window(validity_days)?;
    params.not_before = not_before;
    params.not_after = not_after;

    let mut dn = DistinguishedName::new();
    dn.push(DnType::CommonName, cn);
    dn.push(DnType::OrganizationName, "crabka");
    if cluster {
        dn.push(DnType::OrganizationalUnitName, "cluster");
    }
    params.distinguished_name = dn;

    params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    params.key_usages = vec![KeyUsagePurpose::KeyCertSign, KeyUsagePurpose::CrlSign];

    let cert = params.self_signed(&key)?;
    Ok(cert.pem())
}

/// Sign a broker leaf cert: server cert + client cert in one
/// (EKU = serverAuth + clientAuth, KU = digitalSignature +
/// keyEncipherment). SANs accept a mix of DNS names and IPs. ECDSA
/// P-256.
///
/// Merges `base_sans` and `extra_sans` (e.g. external advertised addresses
/// for `NodePort` or `LoadBalancer` listeners) into a single SAN list;
/// duplicates are silently dropped.
pub fn issue_broker_cert(
    ca_cert_pem: &str,
    ca_key_pem: &str,
    cn: &str,
    base_sans: &[SubjectAltName],
    extra_sans: &[SubjectAltName],
    validity_days: u32,
) -> Result<BrokerCert, CaError> {
    let mut all_sans: Vec<SubjectAltName> = base_sans.to_vec();
    for s in extra_sans {
        if !all_sans.contains(s) {
            all_sans.push(s.clone());
        }
    }

    let ca_key = KeyPair::from_pem(ca_key_pem)?;
    let ca_issuer = Issuer::from_ca_cert_pem(ca_cert_pem, ca_key)?;

    let leaf_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;

    let mut params = CertificateParams::new(Vec::<String>::new())?;
    let (not_before, not_after) = validity_window(validity_days)?;
    params.not_before = not_before;
    params.not_after = not_after;

    let mut dn = DistinguishedName::new();
    dn.push(DnType::CommonName, cn);
    params.distinguished_name = dn;

    params.is_ca = IsCa::NoCa;
    params.key_usages = vec![
        KeyUsagePurpose::DigitalSignature,
        KeyUsagePurpose::KeyEncipherment,
    ];
    params.extended_key_usages = vec![
        ExtendedKeyUsagePurpose::ServerAuth,
        ExtendedKeyUsagePurpose::ClientAuth,
    ];
    params.subject_alt_names = all_sans
        .iter()
        .map(|s| match s {
            SubjectAltName::Dns(d) => SanType::DnsName(d.parse().expect("valid Ia5String")),
            SubjectAltName::Ip(ip) => SanType::IpAddress(*ip),
        })
        .collect();

    let leaf = params.signed_by(&leaf_key, &ca_issuer)?;
    let not_after_str = not_after.format(&Rfc3339)?;

    Ok(BrokerCert {
        cert_pem: leaf.pem(),
        key_pem: leaf_key.serialize_pem(),
        not_after: not_after_str,
    })
}

/// Sign a leaf client cert with `Subject = CN=<cn>` (bare RDN —
/// matches Strimzi, avoids RFC 2253 vs 4514 ordering ambiguity).
/// `ExtendedKeyUsage = clientAuth`, `KeyUsage = digitalSignature|keyEncipherment`.
/// ECDSA P-256.
pub fn issue_user_cert(
    ca_cert_pem: &str,
    ca_key_pem: &str,
    cn: &str,
    validity_days: u32,
) -> Result<UserCert, CaError> {
    let ca_key = KeyPair::from_pem(ca_key_pem)?;
    let ca_issuer = Issuer::from_ca_cert_pem(ca_cert_pem, ca_key)?;

    let leaf_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;

    let mut params = CertificateParams::new(Vec::<String>::new())?;
    let (not_before, not_after) = validity_window(validity_days)?;
    params.not_before = not_before;
    params.not_after = not_after;

    let mut dn = DistinguishedName::new();
    dn.push(DnType::CommonName, cn);
    params.distinguished_name = dn;

    params.is_ca = IsCa::NoCa;
    params.key_usages = vec![
        KeyUsagePurpose::DigitalSignature,
        KeyUsagePurpose::KeyEncipherment,
    ];
    params.extended_key_usages = vec![ExtendedKeyUsagePurpose::ClientAuth];

    let leaf = params.signed_by(&leaf_key, &ca_issuer)?;
    let not_after_str = not_after.format(&Rfc3339)?;

    Ok(UserCert {
        cert_pem: leaf.pem(),
        key_pem: leaf_key.serialize_pem(),
        not_after: not_after_str,
    })
}

#[cfg(test)]
mod tests {
    use super::*;
    use assert2::assert;
    use rustls::pki_types::CertificateDer;
    use rustls::pki_types::pem::PemObject;
    use x509_parser::prelude::FromDer;
    use x509_parser::prelude::X509Certificate;

    fn pem_to_der(pem: &str) -> CertificateDer<'static> {
        CertificateDer::pem_slice_iter(pem.as_bytes())
            .next()
            .expect("at least one PEM cert")
            .expect("valid PEM cert")
    }

    #[test]
    fn generate_clients_ca_round_trips() {
        let validity_days: u32 = 365;
        let ca = generate_clients_ca("root", validity_days).expect("generate CA");

        assert!(ca.cert_pem.contains("BEGIN CERTIFICATE"));
        assert!(ca.key_pem.contains("BEGIN PRIVATE KEY"));

        let der = pem_to_der(&ca.cert_pem);
        let (_, cert) = X509Certificate::from_der(der.as_ref()).expect("parse CA DER");

        let subject = cert.subject().to_string();
        assert!(subject.contains("CN=root"), "subject was {subject}");
        assert!(subject.contains("O=crabka"), "subject was {subject}");

        let bc = cert
            .basic_constraints()
            .expect("basic constraints parse")
            .expect("basic constraints present");
        assert!(bc.value.ca, "CA bit must be true on clients CA");

        let validity = cert.validity();
        let span = validity.not_after.timestamp() - validity.not_before.timestamp();
        let expected = i64::from(validity_days) * 86_400;
        let tolerance: i64 = 60;
        assert!(
            (span - expected).abs() <= tolerance,
            "validity span {span}s expected ~{expected}s"
        );
    }

    #[test]
    fn issue_user_cert_signed_by_ca_and_bare_cn() {
        let ca = generate_clients_ca("root", 365).expect("generate CA");
        let user = issue_user_cert(&ca.cert_pem, &ca.key_pem, "alice", 365).expect("issue leaf");

        let leaf_der = pem_to_der(&user.cert_pem);
        let (_, leaf) = X509Certificate::from_der(leaf_der.as_ref()).expect("parse leaf DER");
        assert!(leaf.subject().to_string() == "CN=alice");

        let ca_der = pem_to_der(&ca.cert_pem);
        let (_, ca_x509) = X509Certificate::from_der(ca_der.as_ref()).expect("parse CA DER");

        leaf.verify_signature(Some(ca_x509.public_key()))
            .expect("leaf signature must verify against CA pubkey");
    }

    #[test]
    fn issue_user_cert_dn_matches_extract_principal() {
        let ca = generate_clients_ca("root", 365).expect("generate CA");
        let user = issue_user_cert(&ca.cert_pem, &ca.key_pem, "alice", 365).expect("issue leaf");

        let der = pem_to_der(&user.cert_pem);
        let dn = crate::extract_principal_from_cert(der.as_ref()).expect("extract principal");
        assert!(dn == "CN=alice");
    }

    #[test]
    fn extended_key_usage_is_client_auth_on_leaf() {
        let ca = generate_clients_ca("root", 365).expect("generate CA");
        let user = issue_user_cert(&ca.cert_pem, &ca.key_pem, "alice", 365).expect("issue leaf");

        let der = pem_to_der(&user.cert_pem);
        let (_, leaf) = X509Certificate::from_der(der.as_ref()).expect("parse leaf DER");
        let eku = leaf
            .extended_key_usage()
            .expect("EKU parse")
            .expect("EKU present");
        assert!(eku.value.client_auth, "client_auth must be set on leaf EKU");
    }

    #[test]
    fn each_generate_is_unique() {
        let a = generate_clients_ca("x", 365).expect("generate CA a");
        let b = generate_clients_ca("x", 365).expect("generate CA b");
        assert!(
            a.cert_pem != b.cert_pem,
            "each CA must have unique serial/key"
        );
        assert!(a.key_pem != b.key_pem, "each CA must have a unique key");
    }

    #[test]
    fn generate_cluster_ca_carries_ou_cluster() {
        let ca = generate_cluster_ca("c1", 365).expect("generate cluster CA");
        let der = pem_to_der(&ca.cert_pem);
        let (_, cert) = X509Certificate::from_der(der.as_ref()).expect("parse cluster CA DER");
        let subject = cert.subject().to_string();
        assert!(subject.contains("CN=c1"), "subject was {subject}");
        assert!(subject.contains("O=crabka"), "subject was {subject}");
        assert!(subject.contains("OU=cluster"), "subject was {subject}");
        let bc = cert
            .basic_constraints()
            .expect("BC parse")
            .expect("BC present");
        assert!(bc.value.ca, "CA bit must be true on cluster CA");
    }

    #[test]
    fn clients_ca_does_not_carry_ou_cluster() {
        let ca = generate_clients_ca("root", 365).expect("generate clients CA");
        let der = pem_to_der(&ca.cert_pem);
        let (_, cert) = X509Certificate::from_der(der.as_ref()).expect("parse");
        let subject = cert.subject().to_string();
        assert!(
            !subject.contains("OU=cluster"),
            "clients CA must not carry OU=cluster; subject={subject}"
        );
    }

    #[test]
    fn issue_broker_cert_has_server_and_client_auth_eku() {
        use std::net::Ipv4Addr;
        let ca = generate_cluster_ca("c1", 365).expect("CA");
        let sans = vec![
            SubjectAltName::Dns("c1-broker-0.c1-broker.default.svc.cluster.local".into()),
            SubjectAltName::Dns("c1-broker-0".into()),
            SubjectAltName::Ip(IpAddr::V4(Ipv4Addr::LOCALHOST)),
        ];
        let b = issue_broker_cert(&ca.cert_pem, &ca.key_pem, "c1-broker-0", &sans, &[], 365)
            .expect("issue broker cert");

        let der = pem_to_der(&b.cert_pem);
        let (_, leaf) = X509Certificate::from_der(der.as_ref()).expect("parse leaf");

        let eku = leaf
            .extended_key_usage()
            .expect("EKU parse")
            .expect("EKU present");
        assert!(eku.value.server_auth, "broker leaf must carry serverAuth");
        assert!(eku.value.client_auth, "broker leaf must carry clientAuth");

        let san_ext = leaf
            .subject_alternative_name()
            .expect("SAN parse")
            .expect("SAN present");
        let general_names: Vec<_> = san_ext.value.general_names.iter().collect();
        assert!(general_names.iter().any(|gn| matches!(
            gn,
            x509_parser::extensions::GeneralName::DNSName(s) if *s == "c1-broker-0"
        )));
        assert!(
            general_names
                .iter()
                .any(|gn| matches!(gn, x509_parser::extensions::GeneralName::IPAddress(_)))
        );
    }

    fn spki_der(cert_pem: &str) -> Vec<u8> {
        let der = pem_to_der(cert_pem);
        let (_, cert) = X509Certificate::from_der(der.as_ref()).expect("parse");
        cert.public_key().raw.to_vec()
    }

    #[test]
    fn renew_cluster_ca_reuses_key_and_preserves_subject() {
        let orig = generate_cluster_ca("c1-cluster-ca", 30).expect("CA");
        let renewed_pem = renew_cluster_ca(&orig.key_pem, "c1-cluster-ca", 365).expect("renew");

        // Same public key (same SPKI) — the renewal reuses the key.
        assert!(
            spki_der(&orig.cert_pem) == spki_der(&renewed_pem),
            "renewed cert must carry the same public key"
        );

        // Same subject DN, including OU=cluster.
        let der = pem_to_der(&renewed_pem);
        let (_, cert) = X509Certificate::from_der(der.as_ref()).expect("parse renewed");
        let subject = cert.subject().to_string();
        assert!(subject.contains("CN=c1-cluster-ca"), "subject={subject}");
        assert!(subject.contains("O=crabka"), "subject={subject}");
        assert!(subject.contains("OU=cluster"), "subject={subject}");
        assert!(
            cert.basic_constraints()
                .expect("BC")
                .expect("BC present")
                .value
                .ca,
            "renewed cert must still be a CA"
        );
    }

    #[test]
    fn renew_cluster_ca_extends_validity() {
        let orig = generate_cluster_ca("c1-cluster-ca", 30).expect("CA");
        let renewed_pem = renew_cluster_ca(&orig.key_pem, "c1-cluster-ca", 365).expect("renew");

        let span = |pem: &str| {
            let der = pem_to_der(pem);
            let (_, c) = X509Certificate::from_der(der.as_ref()).expect("parse");
            c.validity().not_after.timestamp() - c.validity().not_before.timestamp()
        };
        assert!(
            span(&renewed_pem) > span(&orig.cert_pem),
            "renewed validity window must be longer"
        );
    }

    #[test]
    fn leaf_under_old_cert_verifies_against_renewed_cert() {
        // A leaf issued by the ORIGINAL cluster CA must verify against the
        // RENEWED cert's public key — this is what makes same-key renewal
        // non-disruptive (existing broker leafs keep chaining).
        let orig = generate_cluster_ca("c1-cluster-ca", 30).expect("CA");
        let sans = vec![SubjectAltName::Dns("c1-broker-0".into())];
        let leaf = issue_broker_cert(&orig.cert_pem, &orig.key_pem, "c1-broker-0", &sans, &[], 30)
            .expect("leaf");
        let renewed_pem = renew_cluster_ca(&orig.key_pem, "c1-cluster-ca", 365).expect("renew");

        let leaf_der = pem_to_der(&leaf.cert_pem);
        let (_, leaf_x509) = X509Certificate::from_der(leaf_der.as_ref()).expect("parse leaf");
        let renewed_der = pem_to_der(&renewed_pem);
        let (_, renewed_ca) =
            X509Certificate::from_der(renewed_der.as_ref()).expect("parse renewed");

        leaf_x509
            .verify_signature(Some(renewed_ca.public_key()))
            .expect("leaf must verify against the renewed CA public key");
    }

    #[test]
    fn renew_clients_ca_has_no_ou_cluster() {
        let orig = generate_clients_ca("c1-clients-ca", 30).expect("CA");
        let renewed_pem = renew_clients_ca(&orig.key_pem, "c1-clients-ca", 365).expect("renew");
        assert!(spki_der(&orig.cert_pem) == spki_der(&renewed_pem));
        let der = pem_to_der(&renewed_pem);
        let (_, cert) = X509Certificate::from_der(der.as_ref()).expect("parse");
        assert!(
            !cert.subject().to_string().contains("OU=cluster"),
            "clients CA must not carry OU=cluster"
        );
    }

    #[test]
    fn issue_broker_cert_chains_to_cluster_ca() {
        let ca = generate_cluster_ca("c1", 365).expect("CA");
        let sans = vec![SubjectAltName::Dns("c1-broker-0".into())];
        let b = issue_broker_cert(&ca.cert_pem, &ca.key_pem, "c1-broker-0", &sans, &[], 365)
            .expect("leaf");

        let leaf_der = pem_to_der(&b.cert_pem);
        let (_, leaf) = X509Certificate::from_der(leaf_der.as_ref()).expect("parse leaf");
        let ca_der = pem_to_der(&ca.cert_pem);
        let (_, ca_x509) = X509Certificate::from_der(ca_der.as_ref()).expect("parse CA");

        leaf.verify_signature(Some(ca_x509.public_key()))
            .expect("leaf signature must verify against cluster CA pubkey");
    }
}