[server] Read known client ids from secrets file

Remove explicit client id file
This commit is contained in:
Armin Friedl 2020-01-27 17:53:36 +01:00
parent 40905d647a
commit 9ae5a72fce
Signed by: armin
GPG key ID: 48C726EEE7FBCBC8
5 changed files with 47 additions and 9 deletions

1
Cargo.lock generated
View file

@ -100,6 +100,7 @@ version = "0.4.0"
dependencies = [ dependencies = [
"base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)", "base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
"env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
"quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)", "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
"seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)", "seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)",

View file

@ -8,6 +8,9 @@ release:
publish: publish:
podman pull clux/muslrust podman pull clux/muslrust
podman run -v .:/volume --rm -t clux/muslrust cargo build --release podman run -v .:/volume:Z --rm -t clux/muslrust cargo build --release
strip target/x86_64-unknown-linux-musl/release/coffer-server
strip target/x86_64-unknown-linux-musl/release/coffer-client
strip target/x86_64-unknown-linux-musl/release/coffer-companion
.PHONY: default release publish .PHONY: default release publish

View file

@ -21,6 +21,7 @@ serde = { version = "^1.0", features = ["derive"]}
serde_cbor = "^0.10" serde_cbor = "^0.10"
toml = "^0.5" toml = "^0.5"
base64 = "^0.11" base64 = "^0.11"
hex = "^0.4"
# Key management/Cryptography # Key management/Cryptography
sodiumoxide = "^0.2" sodiumoxide = "^0.2"
seckey = "^0.9" seckey = "^0.9"

View file

@ -8,6 +8,8 @@ use quick_error::quick_error;
use sodiumoxide::crypto::box_; use sodiumoxide::crypto::box_;
use sodiumoxide::crypto::sealedbox; use sodiumoxide::crypto::sealedbox;
use toml::Value as TomlValue;
use crate::certificate::{Certificate, CertificateError}; use crate::certificate::{Certificate, CertificateError};
quick_error! { quick_error! {
@ -18,6 +20,12 @@ quick_error! {
Certificate(err: CertificateError) { Certificate(err: CertificateError) {
from() from()
} }
HexDecodeError(err: hex::FromHexError) {
from()
}
IoError(err: std::io::Error) {
from()
}
Msg(err: &'static str) { Msg(err: &'static str) {
from(err) from(err)
display("{}", err) display("{}", err)
@ -50,6 +58,32 @@ impl Keyring {
} }
} }
pub fn add_known_keys_toml(&mut self, toml: &str) -> Result<(), KeyringError> {
// parse the string into a toml Table
let clients: toml::value::Table = match toml.parse::<TomlValue>().unwrap() {
TomlValue::Table(t) => t,
_ => panic!{"Invalid secrets file"}
};
for (_k, v) in clients {
let client = match v {
TomlValue::Table(client) => client,
_ => panic!{"Invalid secrets file"}
};
match client.get("id") {
Some(TomlValue::String(id)) => {
let id = id.to_owned();
self.add_known_key(&hex::decode(id)?)?;
},
_ => panic!{"Invalid id, only hex encoded ids supported"}
}
}
Ok(())
}
pub fn add_known_key(&mut self, key: &[u8]) -> Result<(), KeyringError> { pub fn add_known_key(&mut self, key: &[u8]) -> Result<(), KeyringError> {
let public_key = box_::PublicKey::from_slice(key) let public_key = box_::PublicKey::from_slice(key)
.ok_or(KeyringError::InvalidClientKey)?; .ok_or(KeyringError::InvalidClientKey)?;

View file

@ -33,9 +33,6 @@ struct Args {
/// Address, the coffer server should bind to /// Address, the coffer server should bind to
#[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")] #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
address: SocketAddr, address: SocketAddr,
#[structopt(long, parse(from_os_str))]
client: PathBuf
} }
#[tokio::main] #[tokio::main]
@ -45,20 +42,22 @@ async fn main() {
_print_banner(); _print_banner();
// create keyring from server certificate
let mut keyring = Keyring::new_from_path(&args.certificate); let mut keyring = Keyring::new_from_path(&args.certificate);
// read in client key
let mut client_key = Vec::new();
File::open(&args.client).unwrap().read_to_end(&mut client_key).unwrap();
keyring.add_known_key(&client_key).unwrap();
// decrypt secrets file and put into coffer // decrypt secrets file and put into coffer
let mut secrets_file = File::open(&args.secrets).unwrap(); let mut secrets_file = File::open(&args.secrets).unwrap();
let mut secrets_buf = Vec::new(); let mut secrets_buf = Vec::new();
secrets_file.read_to_end(&mut secrets_buf).unwrap(); secrets_file.read_to_end(&mut secrets_buf).unwrap();
let secrets_buf_clear = String::from_utf8(keyring.open(&secrets_buf).unwrap()).unwrap(); let secrets_buf_clear = String::from_utf8(keyring.open(&secrets_buf).unwrap()).unwrap();
// read known client ids from secrets file
keyring.add_known_keys_toml(&secrets_buf_clear).unwrap();
// read secrets from secrets file
let coffer = CofferMap::from_toml(&secrets_buf_clear); let coffer = CofferMap::from_toml(&secrets_buf_clear);
// start server
let server = Server::new(keyring, coffer); let server = Server::new(keyring, coffer);
server.run(args.address).await; server.run(args.address).await;
} }