ic-bn-lib 0.1.19

Internet Computer Boundary Nodes shared modules
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307

#[cfg(feature = "acme")]
pub mod acme;
#[cfg(feature = "cert-providers")]
pub mod providers;
pub mod resolver;
pub mod sessions;
pub mod tickets;
pub mod verify;

use std::{fs::read, path::PathBuf, sync::Arc};

use anyhow::{Context, anyhow};
use fqdn::{FQDN, Fqdn};
use ic_bn_lib_common::types::{
    http::{ALPN_H1, ALPN_H2},
    tls::TlsOptions,
};
use prometheus::Registry;
use rustls::{
    ClientConfig, ServerConfig, SupportedProtocolVersion, TicketRotator,
    client::{ClientSessionMemoryCache, Resumption},
    compress::CompressionCache,
    crypto::ring,
    server::ResolvesServerCert,
    sign::CertifiedKey,
};
use rustls_platform_verifier::Verifier;
use std::net::{Ipv4Addr, Ipv6Addr};
use x509_parser::prelude::{FromDer, GeneralName, ParsedExtension, X509Certificate};

/// Generic error for now
/// TODO improve
#[derive(thiserror::Error, Debug)]
pub enum Error {
    #[error(transparent)]
    Generic(#[from] anyhow::Error),
}

/// Checks if given host matches any of domains.
/// If wildcard is true then also checks if host is a direct child of any of domains
pub fn sni_matches(host: &Fqdn, domains: &[FQDN], wildcard: bool) -> bool {
    domains
        .iter()
        .any(|x| x == host || (wildcard && Some(x.as_ref()) == host.parent()))
}

fn parse_general_name(name: &GeneralName<'_>) -> Result<Option<String>, Error> {
    let name = match name {
        GeneralName::DNSName(v) => (*v).to_string(),
        GeneralName::IPAddress(v) => match v.len() {
            4 => {
                let b: [u8; 4] = (*v).try_into().unwrap(); // We already checked that it's 4
                let ip = Ipv4Addr::from(b);
                ip.to_string()
            }

            16 => {
                let b: [u8; 16] = (*v).try_into().unwrap(); // We already checked that it's 16
                let ip = Ipv6Addr::from(b);
                ip.to_string()
            }

            _ => return Err(anyhow!("Invalid IP address length {}", v.len()).into()),
        },

        // Ignore other types
        _ => return Ok(None),
    };

    Ok(Some(name))
}

/// Extracts a list of SubjectAlternativeName from a single certificate in DER format, formatted as strings.
/// Skips everything except DNSName and IPAddress
pub fn extract_sans_der(cert: &[u8]) -> Result<Vec<String>, Error> {
    let cert = X509Certificate::from_der(cert)
        .context("unable to parse DER-encoded certificate")?
        .1;

    // Extract a list of SANs from the 1st certificate in the chain (the leaf one)
    extract_sans(&cert)
}

/// Parses the given PEM-encoded certificate (1st if there are more than one) & extracts its validity period.
pub fn extract_validity(mut pem: &[u8]) -> Result<(i64, i64), Error> {
    let certs = rustls_pemfile::certs(&mut pem)
        .collect::<Result<Vec<_>, _>>()
        .context("unable to read certificate")?;

    if certs.is_empty() {
        return Err(anyhow!("no certificates found").into());
    }

    extract_validity_der(&certs[0])
}

/// Parses the given DER-encoded certificate (1st if there are more than one) & extracts its validity period.
pub fn extract_validity_der(der: &[u8]) -> Result<(i64, i64), Error> {
    let cert = X509Certificate::from_der(der)
        .context("unable to parse DER-encoded certificate")?
        .1;

    Ok((
        cert.validity().not_before.timestamp(),
        cert.validity().not_after.timestamp(),
    ))
}

/// Extracts a list of SubjectAlternativeName from a single certificate, formatted as strings.
/// Skips everything except DNSName and IPAddress
pub fn extract_sans(cert: &X509Certificate) -> Result<Vec<String>, Error> {
    for ext in cert.extensions() {
        if let ParsedExtension::SubjectAlternativeName(san) = ext.parsed_extension() {
            let names = san
                .general_names
                .iter()
                .map(parse_general_name)
                .collect::<Result<Vec<_>, _>>()?
                .into_iter()
                .flatten()
                .collect::<Vec<_>>();

            return Ok(names);
        }
    }

    Err(anyhow!("SubjectAlternativeName extension not found").into())
}

/// Converts raw PEM certificate chain & private key to a CertifiedKey ready to be consumed by Rustls.
/// This reads the first private key and ignores any others.
pub fn pem_convert_to_rustls(key: &[u8], certs: &[u8]) -> Result<CertifiedKey, Error> {
    let (key, certs) = (key.to_vec(), certs.to_vec());
    #[allow(clippy::tuple_array_conversions)] // Clippy being stupid here
    let pem = [key, certs].concat();

    pem_convert_to_rustls_single(&pem)
}

/// Converts raw concatenated PEM certificate chain & private key to a CertifiedKey ready to be consumed by Rustls.
/// This reads the first private key and ignores any others.
pub fn pem_convert_to_rustls_single(pem: &[u8]) -> Result<CertifiedKey, Error> {
    let pem = pem.to_vec();

    let key = rustls_pemfile::private_key(&mut pem.as_ref())
        .context("unable to read private key")?
        .ok_or_else(|| anyhow!("no private key found"))?;

    // Load the cert chain
    let certs = rustls_pemfile::certs(&mut pem.as_ref())
        .collect::<Result<Vec<_>, _>>()
        .context("unable to read certificate chain")?;

    if certs.is_empty() {
        return Err(anyhow!("no certificates found").into());
    }

    // Parse private key
    let key = ring::sign::any_supported_type(&key).context("unable to parse private key")?;

    Ok(CertifiedKey::new(certs, key))
}

/// Loads raw concatenated PEM certificate chain & private key and converts to a CertifiedKey ready to be consumed by Rustls.
/// This reads the first private key and ignores any others.
pub fn pem_load_rustls(key: PathBuf, certs: PathBuf) -> Result<CertifiedKey, Error> {
    let key = read(key).context("unable to read private key")?;
    let certs = read(certs).context("unable to read certificate chain")?;
    pem_convert_to_rustls(&key, &certs)
}

/// Loads raw PEM certificate chain & private key and converts to a CertifiedKey ready to be consumed by Rustls.
/// This reads the first private key and ignores any others.
pub fn pem_load_rustls_single(pem: PathBuf) -> Result<CertifiedKey, Error> {
    let pem = read(pem).context("unable to read PEM file")?;
    pem_convert_to_rustls_single(&pem)
}

/// Creates Rustls server config.
/// Must be run in Tokio environment since it spawns a task to record metrics
pub fn prepare_server_config(
    opts: TlsOptions,
    resolver: Arc<dyn ResolvesServerCert>,
    registry: &Registry,
) -> ServerConfig {
    let mut cfg = ServerConfig::builder_with_protocol_versions(&opts.tls_versions)
        .with_no_client_auth()
        .with_cert_resolver(resolver);

    // Create custom session storage to allow effective TLS session resumption
    let session_storage = Arc::new(sessions::Storage::new(
        opts.sessions_count,
        opts.sessions_tti,
        registry,
    ));
    let session_storage_metrics = session_storage.clone();
    // Spawn metrics runner
    tokio::spawn(async move { session_storage_metrics.metrics_runner().await });
    cfg.session_storage = session_storage;

    // Enable ticketer to encrypt/decrypt TLS tickets.
    // TicketSwitcher rotates the inner ticketers every `ticket_lifetime`
    // while keeping the previous one available for decryption of tickets
    // issued earlier than `ticket_lifetime` ago.
    let ticketer = tickets::WithMetrics(
        TicketRotator::new(opts.ticket_lifetime.as_secs() as u32, move || {
            Ok(Box::new(tickets::Ticketer::new()))
        })
        .unwrap(),
        tickets::Metrics::new(registry),
    );
    cfg.ticketer = Arc::new(ticketer);

    // Enable certificate compression cache.
    // See https://datatracker.ietf.org/doc/rfc8879/ for details
    cfg.cert_compression_cache = Arc::new(CompressionCache::new(8192));

    // Enable ALPN
    cfg.alpn_protocols = vec![ALPN_H2.to_vec(), ALPN_H1.to_vec()];
    cfg.alpn_protocols.extend_from_slice(&opts.additional_alpn);

    cfg
}

pub fn prepare_client_config(tls_versions: &[&'static SupportedProtocolVersion]) -> ClientConfig {
    let cfg = ClientConfig::builder_with_protocol_versions(tls_versions);

    let crypto_provider = rustls::crypto::CryptoProvider::get_default()
        .unwrap()
        .clone();

    // Use a custom certificate verifier from rustls project that is presumably secure.
    let verifier = Verifier::new_with_extra_roots(
        webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned(),
        crypto_provider,
    )
    .unwrap();

    let mut cfg = cfg
        .dangerous() // Nothing really dangerous here
        .with_custom_certificate_verifier(Arc::new(verifier))
        .with_no_client_auth();

    // Session resumption
    let store = ClientSessionMemoryCache::new(2048);
    cfg.resumption = Resumption::store(Arc::new(store));
    cfg.alpn_protocols = vec![ALPN_H2.to_vec(), ALPN_H1.to_vec()];

    cfg
}

#[cfg(test)]
mod test {
    use fqdn::fqdn;

    use crate::tests::{TEST_CERT_1, TEST_KEY_1};

    use super::*;

    #[test]
    fn test_sni_matches() {
        let domains = vec![fqdn!("foo1.bar"), fqdn!("foo2.bar"), fqdn!("foo3.bar")];

        // Check direct
        assert!(sni_matches(&fqdn!("foo1.bar"), &domains, false));
        assert!(sni_matches(&fqdn!("foo2.bar"), &domains, false));
        assert!(sni_matches(&fqdn!("foo3.bar"), &domains, false));
        assert!(!sni_matches(&fqdn!("foo4.bar"), &domains, false));

        // Check wildcard
        assert!(sni_matches(&fqdn!("foo1.bar"), &domains, true));
        assert!(sni_matches(&fqdn!("baz.foo1.bar"), &domains, true));
        assert!(sni_matches(&fqdn!("bza.foo1.bar"), &domains, true));
        assert!(sni_matches(&fqdn!("baz.foo2.bar"), &domains, true));
        assert!(sni_matches(&fqdn!("bza.foo2.bar"), &domains, true));

        // Make sure deeper subdomains are not matched
        assert!(!sni_matches(&fqdn!("baz.baz.foo1.bar"), &domains, true));
    }

    #[test]
    fn test_pem_convert_to_rustls_single() {
        let pem = [TEST_KEY_1, TEST_CERT_1].concat();
        let res = pem_convert_to_rustls_single(pem.as_bytes()).unwrap();
        assert!(res.cert.len() == 1);
    }

    #[test]
    fn test_pem_convert_to_rustls() {
        let res = pem_convert_to_rustls(TEST_KEY_1.as_bytes(), TEST_CERT_1.as_bytes()).unwrap();
        assert!(res.cert.len() == 1);
    }

    #[test]
    fn test_prepare_client_config() {
        // rustls 0.23+ requires a process-level CryptoProvider to be installed
        let _ = rustls::crypto::ring::default_provider().install_default();
        prepare_client_config(&[&rustls::version::TLS13, &rustls::version::TLS12]);
    }

    #[test]
    fn test_extract_validity() {
        let (from, to) = extract_validity(TEST_CERT_1.as_bytes()).unwrap();
        assert_eq!(from, 1673300396);
        assert_eq!(to, 1988660396);
    }
}