Merge pull request #110 from dfinity/igor/certs

feat(BOUN-1401): Add `--cert-provider-file` CLI option

Author: blind-oracle

Cargo.lock

@@ -53,7 +53,7 @@ ic-agent = { version = "0.40.0", features = [
     "ring",
     "_internal_dynamic-routing",
 ] }
-ic-bn-lib = { git = "https://github.com/dfinity/ic-bn-lib", rev = "ec4a6b4abab2d94e09c4d5fee2d57d7bb1260835", features = [
+ic-bn-lib = { git = "https://github.com/dfinity/ic-bn-lib", rev = "23b3b0b76795c9b75eed96742c2185da0ce9ee2a", features = [
     "vector",
 ] }
 ic-http-certification = { version = "3.0.3", optional = true }

Cargo.toml

@@ -198,6 +198,11 @@ pub struct Ic {
 
 #[derive(Args)]
 pub struct Cert {
+    /// Read certificates from given files.
+    /// Each file should be PEM-encoded concatenated certificate chain with a private key.
+    #[clap(env, long, value_delimiter = ',')]
+    pub cert_provider_file: Vec<PathBuf>,
+
     /// Read certificates from given directories
     /// Each certificate should be a pair .pem + .key files with the same base name.
     #[clap(env, long, value_delimiter = ',')]

src/cli.rs

@@ -3,11 +3,11 @@ pub mod storage;
 
 use std::sync::{Arc, Mutex};
 
-use anyhow::{Error, anyhow};
+use anyhow::{Context, Error, anyhow};
 use async_trait::async_trait;
 use ic_bn_lib::{
     tasks::Run,
-    tls::{extract_sans_der, pem_convert_to_rustls},
+    tls::{extract_sans_der, pem_convert_to_rustls_single},
 };
 use rustls::sign::CertifiedKey;
 use tokio_util::sync::CancellationToken;
@@ -26,10 +26,11 @@ pub struct Cert<T: Clone + Send + Sync> {
 // Commonly used concrete type of the above for Rustls
 pub type CertKey = Cert<Arc<CertifiedKey>>;
 
-pub fn pem_convert_to_certkey(key: &[u8], certs: &[u8]) -> Result<CertKey, Error> {
-    let cert_key = pem_convert_to_rustls(key, certs)?;
+pub fn pem_convert_to_certkey(pem: &[u8]) -> Result<CertKey, Error> {
+    let cert_key = pem_convert_to_rustls_single(pem)
+        .context("unable to convert certificate chain and/or private key from PEM")?;
 
-    let san = extract_sans_der(cert_key.cert[0].as_ref())?;
+    let san = extract_sans_der(cert_key.cert[0].as_ref()).context("unable to extract SANs")?;
     if san.is_empty() {
         return Err(anyhow!(
             "no supported names found in SubjectAlternativeName extension"
@@ -44,7 +45,7 @@ pub fn pem_convert_to_certkey(key: &[u8], certs: &[u8]) -> Result<CertKey, Error
 
 fn parse_pem(pem: &[Pem]) -> Result<Vec<CertKey>, Error> {
     pem.iter()
-        .map(|x| pem_convert_to_certkey(&x.key, &x.cert))
+        .map(|x| pem_convert_to_certkey(&x.0))
         .collect::<Result<Vec<_>, _>>()
 }
 
@@ -316,29 +317,17 @@ pub mod test {
 
     #[test]
     fn test_pem_convert_to_certkey() -> Result<(), Error> {
-        let cert = pem_convert_to_certkey(KEY_1, CERT_1)?;
+        let cert = pem_convert_to_certkey(&[KEY_1, CERT_1].concat())?;
         assert_eq!(cert.san, vec!["novg"]);
-        let cert = pem_convert_to_certkey(KEY_2, CERT_2)?;
+        let cert = pem_convert_to_certkey(&[KEY_2, CERT_2].concat())?;
         assert_eq!(cert.san, vec!["3658153f27e0"]);
         Ok(())
     }
 
     #[tokio::test]
     async fn test_aggregator() -> Result<(), Error> {
-        let prov1 = TestProvider(
-            Pem {
-                key: KEY_1.to_vec(),
-                cert: CERT_1.to_vec(),
-            },
-            AtomicUsize::new(0),
-        );
-        let prov2 = TestProvider(
-            Pem {
-                key: KEY_2.to_vec(),
-                cert: CERT_2.to_vec(),
-            },
-            AtomicUsize::new(0),
-        );
+        let prov1 = TestProvider(Pem([KEY_1, CERT_1].concat().to_vec()), AtomicUsize::new(0));
+        let prov2 = TestProvider(Pem([KEY_2, CERT_2].concat().to_vec()), AtomicUsize::new(0));
 
         let storage = Arc::new(storage::StorageKey::new(
             None,

src/tls/cert/mod.rs

@@ -57,7 +57,7 @@ impl ProvidesCertificates for Provider {
                 v.path().to_string_lossy()
             ))?;
 
-            certs.push(Pem { cert, key });
+            certs.push(Pem([cert, key].concat()));
         }
 
         debug!(
@@ -73,27 +73,31 @@ impl ProvidesCertificates for Provider {
 #[cfg(test)]
 mod test {
     use super::*;
-    use crate::tls::cert::test::{CERT_1, KEY_1};
+    use crate::tls::cert::test::{CERT_1, CERT_2, KEY_1, KEY_2};
 
     #[tokio::test]
     async fn test() -> Result<(), Error> {
         let dir = tempfile::tempdir()?;
 
-        let keyfile = dir.path().join("foobar.key");
-        std::fs::write(keyfile, KEY_1)?;
+        let keyfile1 = dir.path().join("foobar1.key");
+        std::fs::write(keyfile1, KEY_1)?;
+        let certfile1 = dir.path().join("foobar1.pem");
+        std::fs::write(certfile1, CERT_1)?;
 
-        let certfile = dir.path().join("foobar.pem");
-        std::fs::write(certfile, CERT_1)?;
+        let keyfile2 = dir.path().join("foobar2.key");
+        std::fs::write(keyfile2, KEY_2)?;
+        let certfile2 = dir.path().join("foobar2.pem");
+        std::fs::write(certfile2, CERT_2)?;
 
         // Some junk to be ignored
         std::fs::write(dir.path().join("foobar.baz"), b"foobar")?;
 
         let prov = Provider::new(dir.path().to_path_buf());
         let certs = prov.get_certificates().await?;
 
-        assert_eq!(certs.len(), 1);
-        assert_eq!(certs[0].key, KEY_1);
-        assert_eq!(certs[0].cert, CERT_1);
+        assert_eq!(certs.len(), 2);
+        assert_eq!(certs[0].0, [CERT_1, KEY_1].concat());
+        assert_eq!(certs[1].0, [CERT_2, KEY_2].concat());
 
         Ok(())
     }

src/tls/cert/providers/dir.rs

@@ -0,0 +1,50 @@
+use std::path::PathBuf;
+
+use anyhow::{Context, Error};
+use async_trait::async_trait;
+
+use super::Pem;
+use crate::tls::cert::providers::ProvidesCertificates;
+
+/// Loads the certificate chain & private key from provided PEM-encoded file
+#[derive(derive_new::new)]
+pub struct Provider {
+    path: PathBuf,
+}
+
+impl std::fmt::Debug for Provider {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "FileProvider({})", self.path.to_str().unwrap_or(""))
+    }
+}
+
+#[async_trait]
+impl ProvidesCertificates for Provider {
+    async fn get_certificates(&self) -> Result<Vec<Pem>, Error> {
+        let pem = std::fs::read(&self.path).context("unable to read the PEM file")?;
+        Ok(vec![Pem(pem)])
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use crate::tls::cert::test::{CERT_1, KEY_1};
+
+    #[tokio::test]
+    async fn test() -> Result<(), Error> {
+        let dir = tempfile::tempdir()?;
+
+        let pemfile = dir.path().join("foobar.pem");
+        let pem = [KEY_1, CERT_1].concat();
+        std::fs::write(&pemfile, &pem)?;
+
+        let prov = Provider::new(pemfile);
+        let certs = prov.get_certificates().await?;
+
+        assert_eq!(certs.len(), 1);
+        assert_eq!(certs[0].0, pem);
+
+        Ok(())
+    }
+}

src/tls/cert/providers/file.rs

@@ -210,10 +210,7 @@ impl ProvidesCertificates for CertificatesImporter {
             .as_ref()
             .clone()
             .into_iter()
-            .map(|x| Pem {
-                cert: x.pair.1,
-                key: x.pair.0,
-            })
+            .map(|x| Pem([x.pair.0, x.pair.1].concat()))
             .collect::<Vec<_>>();
 
         Ok(certs)

src/tls/cert/providers/issuer/mod.rs

@@ -1,7 +1,9 @@
 pub mod dir;
+pub mod file;
 pub mod issuer;
 
 pub use dir::Provider as Dir;
+pub use file::Provider as File;
 pub use issuer::CertificatesImporter as Issuer;
 
 use async_trait::async_trait;
@@ -12,10 +14,7 @@ use std::sync::Arc;
 use crate::{cli::Cli, routing::domain::ProvidesCustomDomains};
 
 #[derive(Clone, Debug, Eq, PartialEq)]
-pub struct Pem {
-    pub cert: Vec<u8>,
-    pub key: Vec<u8>,
-}
+pub struct Pem(pub Vec<u8>);
 
 // Trait that the certificate providers should implement
 // It should return a vector of PEM-encoded cert-keys pairs

src/tls/cert/providers/mod.rs

@@ -126,6 +126,11 @@ pub async fn setup(
 
     let mut cert_providers: Vec<Arc<dyn ProvidesCertificates>> = vec![];
 
+    // Create File providers
+    for v in &cli.cert.cert_provider_file {
+        cert_providers.push(Arc::new(providers::File::new(v.clone())));
+    }
+
     // Create Dir providers
     for v in &cli.cert.cert_provider_dir {
         cert_providers.push(Arc::new(providers::Dir::new(v.clone())));