Conditional export for certificates

2020-01-19 11:31:33 +01:00 · 2020-01-19 11:31:33 +01:00 · aa1c835186
commit aa1c835186
parent d2a113e5a4
15 changed files with 103 additions and 81 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -131,6 +131,7 @@ dependencies = [
 "coffer-common 0.1.0",
 "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "futures 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
 "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
@ -343,6 +344,11 @@ dependencies = [
 "libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "hex"
 version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "humantime"
 version = "1.3.0"
@ -957,6 +963,7 @@ dependencies = [
 "checksum half 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9ff54597ea139063f4225f1ec47011b03c9de4a486957ff3fc506881dac951d0"
 "checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
 "checksum hermit-abi 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)" = "307c3c9f937f38e3534b1d6447ecf090cafcc9744e4a6360e8b037b2cf5af120"
 "checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e"
 "checksum humantime 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
 "checksum iovec 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "b2b3ea6ff95e175473f8ffe6a7eb7c00d054240321b84c57051175fe3c1e075e"
 "checksum itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "501266b7edd0174f8530248f87f99c88fbe60ca4ef3dd486835b8d8d53136f7f"
--- a/Design.org
+++ b/Design.org
@ -42,3 +42,27 @@
  - All server requests are sealed by the server's public and client's private
    key. No tampered requests can be sent or communication data collected except
    the private keys are compromised.
 * Coffer YAML
 ** Secrets Definition  
   Encrypted with: SK of coffer-companion, PK of coffer-server
   #+BEGIN_SRC yaml
     # Names for ids (public keys) of clients
     [clients]
     file = "AAAA-AAAA-AAAA-AAAA"
     bin = "FFFF-FFFF-FFFF-FFFF"
     # Secrets for a named client (defined in clients)
     [file]
     secretkey = "secret value"
     secretkey2 = "secret value2"
   #+END_SRC
 ** Secret Response
   file client executes GET to server
   #+BEGIN_SRC yaml
     secretkey = "secret value"
     secretkey2 = "secret value2"
   #+END_SRC
--- a/TODO.org
+++ b/TODO.org
@ -19,12 +19,9 @@
 ** TODO Secure Communication
 * Coffer Companion
 ** TODO Add Subcommands
-   - [X] Generate master key
+   - [X] Generate certificate 
-   - [ ] Generate client key
+   - [ ] Seal secrets with certificate
-   - [X] Encrypt secrets with master key
+   - [ ] Open secrets with certificate
   - [ ] Decrypt secrets with master key
   - [ ] Encrypt key request with client key
   - [ ] Decrypt key request with client key
   - [ ] Generate trampolin sh from dockerfile
 * Docker
 ** TODO Create Dockerfile for server
--- a/coffer-client/src/main.rs
+++ b/coffer-client/src/main.rs
@ -1,12 +1,13 @@
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use std::net::SocketAddr;
 use env_logger;
 use structopt::StructOpt;
 use std::fs::File;
 use std::error::Error;
 use std::net::TcpStream;
 use std::net::ToSocketAddrs;
 use std::path::PathBuf;
 use std::io::BufRead;
 use std::io::BufReader;
@ -14,16 +15,12 @@ use std::io::Write;
 #[derive(StructOpt, Debug)]
 struct Args {
-    /// The port secsrv is listening on
+    /// Address of the coffer server
-    #[structopt(short, long, env = "SECSRV_PORT", default_value = "9187")]
+    #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
-    port: u16,
+    server_address: SocketAddr,
-    /// The address secsrv binds to
+    /// Path to the request file sent to the server
-    #[structopt(short, long, env = "SECSRV_HOST", default_value = "127.0.0.1")]
+    #[structopt(parse(from_os_str), env = "COFFER_REQUEST", hide_env_values = true)]
    host: String,
    /// Path to the keys file
    #[structopt(parse(from_os_str), env = "SECSRV_SECRETS", hide_env_values = true)]
    secrets: PathBuf,
    /// The subcommand spawned by coffer-client
@ -38,8 +35,7 @@ fn main() -> Result<(), Box<dyn Error>> {
    let args = Args::from_args();
    info!{"Connecting to coffer server"}
-    let mut addr = (&*args.host, args.port).to_socket_addrs()?;
+    let stream: TcpStream = TcpStream::connect(args.server_address)?;
    let stream: TcpStream = TcpStream::connect(addr.next().unwrap())?;
    info!{"Parsing key requests"}
    let keys = parse_from_path(&args.secrets)?;
--- a/coffer-common/Cargo.toml
+++ b/coffer-common/Cargo.toml
@ -6,6 +6,11 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
 # Make certificates exportable
 # Otherwise secret keys are not accessible other than via the Certificate API
 export = []
 [dependencies]
 # Base tools
 log = "^0.4"
--- a/coffer-common/src/certificate.rs
+++ b/coffer-common/src/certificate.rs
@ -76,6 +76,7 @@ impl Certificate {
        Ok(Certificate{inner})
    }
    #[cfg(feature = "export")]
    pub fn to_cbor(&self) -> Result<Vec<u8>, CertificateError> {
        let inner_cert = &*self.inner.read();
        let cbor = serde_cbor::to_vec(inner_cert)?;
--- a/coffer-common/src/coffer.rs
+++ b/coffer-common/src/coffer.rs
@ -12,7 +12,7 @@ quick_error! {
    pub enum CofferError {
        Msg(err: &'static str) {
            from(err)
-                display("{}", err)
+            display("{}", err)
        }
        Other(err: Box<dyn std::error::Error>) {
            cause(&**err)
@ -42,7 +42,7 @@ pub trait Coffer {
    /// Put `value` at `path`. Errors if there is already a value at `path`.
    fn put(&mut self, path: CofferPath, value: CofferValue) -> CofferResult<()>;
-    /// Push `value` to `path`. Replaces existing values silently.
+    /// Push `value` to `path`. Replaces existing values.
    fn push(&mut self, path: CofferPath, value: CofferValue);
    /// Retrieve `value` at path. Errors if there is no `value` at path.
--- a/coffer-companion/Cargo.toml
+++ b/coffer-companion/Cargo.toml
@ -19,4 +19,4 @@ serde = { version = "1.0", features = ["derive"]}
 serde_cbor = "0.10.2"
 serde_yaml = "0.8"
-coffer-common = { path = "../coffer-common" }
+coffer-common = { path = "../coffer-common", features = ["export"]}
--- a/coffer-companion/src/encrypt.rs
+++ b/coffer-companion/src/encrypt.rs
@ -0,0 +1,14 @@
 use coffer_common::certificate::Certificate;
 use std::path::PathBuf;
 use std::fs::File;
 use std::io::Write;
 use serde::Deserialize;
 use serde_yaml;
 pub fn encrypt_yaml(yaml:PathBuf, out: PathBuf, certificate: PathBuf) {
    let cert = Certificate::new_from_cbor(certificate).unwrap();
    let  
 }
--- a/coffer-companion/src/generate.rs
+++ b/coffer-companion/src/generate.rs
@ -12,6 +12,6 @@ pub fn generate_key(out: PathBuf) {
    let mut writer = File::create(&out)
        .expect(&format!{"Could not create out file {}", &out.display()});
-    writer.write_all(&cert);
+    writer.write_all(&cert).unwrap();
 }
--- a/coffer-companion/src/main.rs
+++ b/coffer-companion/src/main.rs
@ -6,7 +6,7 @@ mod encrypt;
 #[derive(StructOpt, Debug)]
 enum Args {
-    Generate {
+    Certificate {
        #[structopt(short, long, parse(from_os_str))]
        out: PathBuf
    },
@ -16,7 +16,7 @@ enum Args {
        #[structopt(short, long, parse(from_os_str))]
        out: PathBuf,
        #[structopt(short, long, parse(from_os_str))]
-        masterkey: PathBuf,
+        certificate: PathBuf,
    }
 }
@ -24,7 +24,7 @@ fn main() {
    let args: Args = Args::from_args();
    match args {
-        Args::Generate {out} => generate::generate_key(out),
+        Args::Certificate {out} => generate::generate_key(out),
-        Args::Encrypt {yaml, out, masterkey} => {}
+        Args::Encrypt {yaml, out, certificate} => {}
    }
 }
--- a/coffer-server/Cargo.toml
+++ b/coffer-server/Cargo.toml
@ -14,6 +14,7 @@ lazy_static = "^1.4"
 # Key management/Cryptography 
 sodiumoxide = "^0.2"
 hex = "^0.4"
 # Communication
 tokio = { version="^0.2.9", features = ["full"]}
 serde = { version = "^1.0", features = ["derive"]}
--- a/coffer-server/src/command_parser.rs
+++ b/coffer-server/src/command_parser.rs
@ -1,36 +0,0 @@
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use tokio::io::AsyncRead;
 use quick_error::quick_error;
 quick_error! {
    #[derive(Debug)]
    pub enum CommandParserError {
        Msg(err: &'static str) {
            from(err)
                display("{}", err)
        }
        Other(err: Box<dyn std::error::Error>) {
            cause(&**err)
        }
    }
 }
 enum Command {
    None
 }
 struct CommandParser<T>
 where T: AsyncRead {
    reader: T
 }
 impl Stream for CommandParser {
    type Item = Command;
    fn poll_next(self: Pin<&mut Self>, _cx: &mut Context) -> Poll<Option<Self::Item>> {
        Poll::Ready(Some(Command::None))
    }
 }
--- a/coffer-server/src/main.rs
+++ b/coffer-server/src/main.rs
@ -23,12 +23,12 @@ struct Args {
    #[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_CERTIFICATE", hide_env_values = true)]
    certificate: Option<PathBuf>,
-    /// Path to an initial secrets file. Will be deleted after processing.
+    /// Path to secrets file. Will be deleted after processing.
    /// Must be sealed by the public key of the server certificate
    #[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_SECRETS", hide_env_values = true)]
    secrets: Option<PathBuf>,
-    /// Address the coffer server should bind to
+    /// Address, the coffer server should bind to
    #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
    address: SocketAddr,
 }
--- a/coffer-server/src/protocol.rs
+++ b/coffer-server/src/protocol.rs
@ -2,11 +2,12 @@
 use log::{debug, error, info, trace, warn};
 use std::sync::Arc;
-use std::convert::TryInto;
+use std::convert::{TryFrom, TryInto};
 use std::convert::TryFrom;
 use std::net::Shutdown;
-use tokio::prelude::*;
+use tokio::io::{AsyncRead,
                AsyncReadExt,
                AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::sync::RwLock;
@ -14,10 +15,11 @@ use serde_cbor;
 use quick_error::quick_error;
-use coffer_common::coffer::Coffer;
+use coffer_common::coffer::{CofferValue,
-use coffer_common::coffer::CofferValue;
+                            CofferPath,
-use coffer_common::coffer::CofferPath;
+                            Coffer};
 use coffer_common::keyring::Keyring;
 use hex;
 quick_error! {
    #[derive(Debug)]
@ -68,13 +70,13 @@ where C: Coffer
        keyring: Arc<RwLock<Keyring>>
    ) -> Protocol<C>
    {
        let state = State::Start;
        let client = None;
        Protocol {stream, coffer, keyring, client, state}
    }
-    pub async fn run(mut self) {
+    pub async fn run(mut self)
    {
        while self.state != State::End
        {
            debug!{"In state: {:?}", self.state}
@ -85,7 +87,8 @@ where C: Coffer
        self.stream.shutdown(Shutdown::Both).unwrap();
    }
-    async fn event(&mut self) -> Request {
+    async fn event(&mut self) -> Request
    {
        let (mut reader, _writer) = self.stream.split();
        // TODO restrict msg_size more, otherwise bad client could bring server
@ -163,7 +166,8 @@ where C: Coffer
        Some(message)
    }
-    async fn transit(&mut self, event: Request) {
+    async fn transit(&mut self, event: Request)
    {
        match (&self.state, event) {
            (State::Start, Request::Hello(pk)) => {
                debug!{"Reading public key"}
@ -176,11 +180,14 @@ where C: Coffer
            (State::Link, Request::Get(req)) => {
                debug!{"Writing response"}
-                let req = serde_cbor::from_slice(
+                let mut req: CofferPath =
-                    &self.keyring.read().await
+                    serde_cbor::from_slice(
-                        .open(&req)
+                        &self.keyring.read().await
-                        .unwrap()
+                            .open(&req)
-                ).unwrap();
+                            .unwrap()
                    ).unwrap();
                req.0.insert(0, hex::encode(self.client.as_ref().unwrap()));
                let res = self.coffer.read().await
                    .get(req)
@ -203,13 +210,18 @@ where C: Coffer
            (State::Link, Request::Put(put)) => {
                debug!{"Putting secrets"}
-                let put: Vec<(CofferPath, CofferValue)> =
+                let mut put: Vec<(CofferPath, CofferValue)> =
                    serde_cbor::from_slice(
                        &self.keyring.read().await
                            .open(&put)
                            .unwrap()
                    ).unwrap();
                let key_string = hex::encode(self.client.as_ref().unwrap());
                put.iter_mut().map( |(cp, _cv)| &mut cp.0)
                    .for_each(|cp| cp.insert(0, key_string.clone()));
                for (coffer_path, coffer_value) in put {
                    self.coffer.write().await
                        .put(coffer_path, coffer_value)
@ -227,7 +239,8 @@ where C: Coffer
        }
    }
-    async fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8> {
+    async fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8>
    {
        trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data}
        // TODO magic number