qcp 0.8.3

Secure remote file copy utility which uses the QUIC protocol over UDP
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

//! X509 certificate management helper
// (c) 2024 Ross Younger

use std::{borrow::Borrow, sync::Arc};

use anyhow::Result;
use quinn::rustls::sign::{CertifiedKey as RustlsCertifiedKey, SigningKey as RustlsSigningKey};
use rcgen::{CertifiedKey as RcgenCertifiedKey, KeyPair as RcgenKeyPair, PublicKeyData};
use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};

use crate::protocol::{
    DataTag as _, TaggedData,
    compat::Feature,
    control::{Compatibility, CredentialsType},
};

/// In-memory representation of TLS credentials
#[allow(missing_debug_implementations)]
pub struct Credentials {
    /// A keypair with self-signed X509 certificate
    pub keypair: RcgenCertifiedKey<RcgenKeyPair>,
    /// The hostname to which this applies (for convenience)
    pub hostname: String,
}

impl Credentials {
    /// Generates a self-certified keypair
    pub fn generate() -> Result<Self> {
        let hostname = gethostname::gethostname()
            .into_string()
            .unwrap_or("unknown.host.invalid".to_string());
        tracing::trace!("Creating certificate with hostname {hostname}");
        Ok(Self {
            keypair: rcgen::generate_simple_self_signed([hostname.clone()])?,
            hostname,
        })
    }
    /// Extracts the certificate in DER format
    #[must_use]
    pub fn certificate(&self) -> &CertificateDer<'static> {
        self.keypair.cert.der()
    }

    /// Extracts the private key in DER format
    #[must_use]
    pub fn private_key_der(&self) -> PrivateKeyDer<'static> {
        rustls_pki_types::PrivateKeyDer::Pkcs8(self.keypair.signing_key.serialize_der().into())
    }

    /// Returns the raw public key as a `CertifiedKey` in RFC7250 format
    /// (i.e., with the SPKI inside a `CertificateDer`),
    /// suitable for use with `AlwaysResolvesClientRawPublicKeys` etc.
    pub fn as_raw_public_key(&self) -> Result<RustlsCertifiedKey> {
        let spki = self.keypair.signing_key.subject_public_key_info();
        let public_key_cert = CertificateDer::from(spki);
        let kp_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
            self.keypair.signing_key.serialized_der(),
        ));
        let signing_key: Arc<dyn RustlsSigningKey> =
            rustls::crypto::ring::sign::any_supported_type(&kp_der)?;

        Ok(RustlsCertifiedKey::new(vec![public_key_cert], signing_key))
    }

    /// Determines the credentials type to use for the control channel,
    /// based on the chosen compatibility mode.
    /// * If the compatibility mode supports it, uses RFC7250 raw public keys.
    /// * Otherwise, uses the self-signed X509 certificate.
    #[must_use]
    pub fn type_tag_for(
        compat: Compatibility,
        configured_type: Option<CredentialsType>,
    ) -> CredentialsType {
        match configured_type {
            // in a config struct, 'invalid' means unset i.e. default to automatic
            None | Some(CredentialsType::Any) => (),
            Some(other) => return other,
        }
        if compat.supports(Feature::CMSG_SMSG_2) {
            tracing::trace!("selected creds type: Rfc7250");
            CredentialsType::RawPublicKey
        } else {
            tracing::trace!("selected creds type: X509");
            CredentialsType::X509
        }
    }

    /// Converts to a TaggedData suitable for sending over the control channel
    /// * If the compatibility mode supports it, uses RFC7250 raw public keys.
    /// * Otherwise, uses the self-signed X509 certificate.
    pub fn to_tagged_data(
        &self,
        compat: Compatibility,
        configured_type: Option<CredentialsType>,
    ) -> Result<TaggedData<CredentialsType>> {
        let tag = Self::type_tag_for(compat, configured_type);
        let res = match tag {
            CredentialsType::Any => unreachable!(),
            CredentialsType::X509 => {
                // Compat level 1 supports this
                tag.with_bytes(self.certificate())
            }
            CredentialsType::RawPublicKey => {
                // Compat level 3 needed to support this
                anyhow::ensure!(
                    compat.supports(Feature::CMSG_SMSG_2),
                    "RawPublicKey credentials configured, but not supported by remote",
                );
                let key = self.as_raw_public_key()?;
                let borrowed: &rustls::sign::CertifiedKey = key.borrow();
                tag.with_bytes(&borrowed.cert[0])
            }
        };
        Ok(res)
    }
}

#[cfg(test)]
#[cfg_attr(coverage_nightly, coverage(off))]
mod tests {
    use pretty_assertions::assert_eq;

    use crate::{
        protocol::control::{Compatibility, CredentialsType},
        util::Credentials,
    };
    #[test]
    fn generate_works() {
        let _ = super::Credentials::generate().unwrap();
    }

    #[test]
    fn type_tag_cases() {
        assert_eq!(
            Credentials::type_tag_for(Compatibility::Level(3), Some(CredentialsType::RawPublicKey)),
            CredentialsType::RawPublicKey
        );
        assert_eq!(
            Credentials::type_tag_for(Compatibility::Level(3), Some(CredentialsType::X509)),
            CredentialsType::X509
        );

        let c = Credentials::generate().unwrap();
        let e = c
            .to_tagged_data(Compatibility::Level(1), Some(CredentialsType::RawPublicKey))
            .unwrap_err();
        assert_eq!(
            e.to_string(),
            "RawPublicKey credentials configured, but not supported by remote"
        );
    }
}