Conditional export for certificates

This commit is contained in:
Armin Friedl 2020-01-19 11:31:33 +01:00
parent d2a113e5a4
commit aa1c835186
Signed by: armin
GPG key ID: 48C726EEE7FBCBC8
15 changed files with 103 additions and 81 deletions

7
Cargo.lock generated
View file

@ -131,6 +131,7 @@ dependencies = [
"coffer-common 0.1.0",
"env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
"futures 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
"quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
@ -343,6 +344,11 @@ dependencies = [
"libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "hex"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "humantime"
version = "1.3.0"
@ -957,6 +963,7 @@ dependencies = [
"checksum half 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9ff54597ea139063f4225f1ec47011b03c9de4a486957ff3fc506881dac951d0"
"checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
"checksum hermit-abi 0.1.3 (registry+https://github.com/rust-lang/crates.io-index)" = "307c3c9f937f38e3534b1d6447ecf090cafcc9744e4a6360e8b037b2cf5af120"
"checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e"
"checksum humantime 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
"checksum iovec 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "b2b3ea6ff95e175473f8ffe6a7eb7c00d054240321b84c57051175fe3c1e075e"
"checksum itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "501266b7edd0174f8530248f87f99c88fbe60ca4ef3dd486835b8d8d53136f7f"

View file

@ -42,3 +42,27 @@
- All server requests are sealed by the server's public and client's private
key. No tampered requests can be sent or communication data collected except
the private keys are compromised.
* Coffer YAML
** Secrets Definition
Encrypted with: SK of coffer-companion, PK of coffer-server
#+BEGIN_SRC yaml
# Names for ids (public keys) of clients
[clients]
file = "AAAA-AAAA-AAAA-AAAA"
bin = "FFFF-FFFF-FFFF-FFFF"
# Secrets for a named client (defined in clients)
[file]
secretkey = "secret value"
secretkey2 = "secret value2"
#+END_SRC
** Secret Response
file client executes GET to server
#+BEGIN_SRC yaml
secretkey = "secret value"
secretkey2 = "secret value2"
#+END_SRC

View file

@ -19,12 +19,9 @@
** TODO Secure Communication
* Coffer Companion
** TODO Add Subcommands
- [X] Generate master key
- [ ] Generate client key
- [X] Encrypt secrets with master key
- [ ] Decrypt secrets with master key
- [ ] Encrypt key request with client key
- [ ] Decrypt key request with client key
- [X] Generate certificate
- [ ] Seal secrets with certificate
- [ ] Open secrets with certificate
- [ ] Generate trampolin sh from dockerfile
* Docker
** TODO Create Dockerfile for server

View file

@ -1,12 +1,13 @@
#[allow(unused_imports)]
use log::{debug, error, info, trace, warn};
use std::net::SocketAddr;
use env_logger;
use structopt::StructOpt;
use std::fs::File;
use std::error::Error;
use std::net::TcpStream;
use std::net::ToSocketAddrs;
use std::path::PathBuf;
use std::io::BufRead;
use std::io::BufReader;
@ -14,16 +15,12 @@ use std::io::Write;
#[derive(StructOpt, Debug)]
struct Args {
/// The port secsrv is listening on
#[structopt(short, long, env = "SECSRV_PORT", default_value = "9187")]
port: u16,
/// Address of the coffer server
#[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
server_address: SocketAddr,
/// The address secsrv binds to
#[structopt(short, long, env = "SECSRV_HOST", default_value = "127.0.0.1")]
host: String,
/// Path to the keys file
#[structopt(parse(from_os_str), env = "SECSRV_SECRETS", hide_env_values = true)]
/// Path to the request file sent to the server
#[structopt(parse(from_os_str), env = "COFFER_REQUEST", hide_env_values = true)]
secrets: PathBuf,
/// The subcommand spawned by coffer-client
@ -38,8 +35,7 @@ fn main() -> Result<(), Box<dyn Error>> {
let args = Args::from_args();
info!{"Connecting to coffer server"}
let mut addr = (&*args.host, args.port).to_socket_addrs()?;
let stream: TcpStream = TcpStream::connect(addr.next().unwrap())?;
let stream: TcpStream = TcpStream::connect(args.server_address)?;
info!{"Parsing key requests"}
let keys = parse_from_path(&args.secrets)?;

View file

@ -6,6 +6,11 @@ edition = "2018"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[features]
# Make certificates exportable
# Otherwise secret keys are not accessible other than via the Certificate API
export = []
[dependencies]
# Base tools
log = "^0.4"

View file

@ -76,6 +76,7 @@ impl Certificate {
Ok(Certificate{inner})
}
#[cfg(feature = "export")]
pub fn to_cbor(&self) -> Result<Vec<u8>, CertificateError> {
let inner_cert = &*self.inner.read();
let cbor = serde_cbor::to_vec(inner_cert)?;

View file

@ -42,7 +42,7 @@ pub trait Coffer {
/// Put `value` at `path`. Errors if there is already a value at `path`.
fn put(&mut self, path: CofferPath, value: CofferValue) -> CofferResult<()>;
/// Push `value` to `path`. Replaces existing values silently.
/// Push `value` to `path`. Replaces existing values.
fn push(&mut self, path: CofferPath, value: CofferValue);
/// Retrieve `value` at path. Errors if there is no `value` at path.

View file

@ -19,4 +19,4 @@ serde = { version = "1.0", features = ["derive"]}
serde_cbor = "0.10.2"
serde_yaml = "0.8"
coffer-common = { path = "../coffer-common" }
coffer-common = { path = "../coffer-common", features = ["export"]}

View file

@ -0,0 +1,14 @@
use coffer_common::certificate::Certificate;
use std::path::PathBuf;
use std::fs::File;
use std::io::Write;
use serde::Deserialize;
use serde_yaml;
pub fn encrypt_yaml(yaml:PathBuf, out: PathBuf, certificate: PathBuf) {
let cert = Certificate::new_from_cbor(certificate).unwrap();
let
}

View file

@ -12,6 +12,6 @@ pub fn generate_key(out: PathBuf) {
let mut writer = File::create(&out)
.expect(&format!{"Could not create out file {}", &out.display()});
writer.write_all(&cert);
writer.write_all(&cert).unwrap();
}

View file

@ -6,7 +6,7 @@ mod encrypt;
#[derive(StructOpt, Debug)]
enum Args {
Generate {
Certificate {
#[structopt(short, long, parse(from_os_str))]
out: PathBuf
},
@ -16,7 +16,7 @@ enum Args {
#[structopt(short, long, parse(from_os_str))]
out: PathBuf,
#[structopt(short, long, parse(from_os_str))]
masterkey: PathBuf,
certificate: PathBuf,
}
}
@ -24,7 +24,7 @@ fn main() {
let args: Args = Args::from_args();
match args {
Args::Generate {out} => generate::generate_key(out),
Args::Encrypt {yaml, out, masterkey} => {}
Args::Certificate {out} => generate::generate_key(out),
Args::Encrypt {yaml, out, certificate} => {}
}
}

View file

@ -14,6 +14,7 @@ lazy_static = "^1.4"
# Key management/Cryptography
sodiumoxide = "^0.2"
hex = "^0.4"
# Communication
tokio = { version="^0.2.9", features = ["full"]}
serde = { version = "^1.0", features = ["derive"]}

View file

@ -1,36 +0,0 @@
#[allow(unused_imports)]
use log::{debug, error, info, trace, warn};
use tokio::io::AsyncRead;
use quick_error::quick_error;
quick_error! {
#[derive(Debug)]
pub enum CommandParserError {
Msg(err: &'static str) {
from(err)
display("{}", err)
}
Other(err: Box<dyn std::error::Error>) {
cause(&**err)
}
}
}
enum Command {
None
}
struct CommandParser<T>
where T: AsyncRead {
reader: T
}
impl Stream for CommandParser {
type Item = Command;
fn poll_next(self: Pin<&mut Self>, _cx: &mut Context) -> Poll<Option<Self::Item>> {
Poll::Ready(Some(Command::None))
}
}

View file

@ -23,12 +23,12 @@ struct Args {
#[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_CERTIFICATE", hide_env_values = true)]
certificate: Option<PathBuf>,
/// Path to an initial secrets file. Will be deleted after processing.
/// Path to secrets file. Will be deleted after processing.
/// Must be sealed by the public key of the server certificate
#[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_SECRETS", hide_env_values = true)]
secrets: Option<PathBuf>,
/// Address the coffer server should bind to
/// Address, the coffer server should bind to
#[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
address: SocketAddr,
}

View file

@ -2,11 +2,12 @@
use log::{debug, error, info, trace, warn};
use std::sync::Arc;
use std::convert::TryInto;
use std::convert::TryFrom;
use std::convert::{TryFrom, TryInto};
use std::net::Shutdown;
use tokio::prelude::*;
use tokio::io::{AsyncRead,
AsyncReadExt,
AsyncWriteExt};
use tokio::net::TcpStream;
use tokio::sync::RwLock;
@ -14,10 +15,11 @@ use serde_cbor;
use quick_error::quick_error;
use coffer_common::coffer::Coffer;
use coffer_common::coffer::CofferValue;
use coffer_common::coffer::CofferPath;
use coffer_common::coffer::{CofferValue,
CofferPath,
Coffer};
use coffer_common::keyring::Keyring;
use hex;
quick_error! {
#[derive(Debug)]
@ -68,13 +70,13 @@ where C: Coffer
keyring: Arc<RwLock<Keyring>>
) -> Protocol<C>
{
let state = State::Start;
let client = None;
Protocol {stream, coffer, keyring, client, state}
}
pub async fn run(mut self) {
pub async fn run(mut self)
{
while self.state != State::End
{
debug!{"In state: {:?}", self.state}
@ -85,7 +87,8 @@ where C: Coffer
self.stream.shutdown(Shutdown::Both).unwrap();
}
async fn event(&mut self) -> Request {
async fn event(&mut self) -> Request
{
let (mut reader, _writer) = self.stream.split();
// TODO restrict msg_size more, otherwise bad client could bring server
@ -163,7 +166,8 @@ where C: Coffer
Some(message)
}
async fn transit(&mut self, event: Request) {
async fn transit(&mut self, event: Request)
{
match (&self.state, event) {
(State::Start, Request::Hello(pk)) => {
debug!{"Reading public key"}
@ -176,12 +180,15 @@ where C: Coffer
(State::Link, Request::Get(req)) => {
debug!{"Writing response"}
let req = serde_cbor::from_slice(
let mut req: CofferPath =
serde_cbor::from_slice(
&self.keyring.read().await
.open(&req)
.unwrap()
).unwrap();
req.0.insert(0, hex::encode(self.client.as_ref().unwrap()));
let res = self.coffer.read().await
.get(req)
.unwrap();
@ -203,13 +210,18 @@ where C: Coffer
(State::Link, Request::Put(put)) => {
debug!{"Putting secrets"}
let put: Vec<(CofferPath, CofferValue)> =
let mut put: Vec<(CofferPath, CofferValue)> =
serde_cbor::from_slice(
&self.keyring.read().await
.open(&put)
.unwrap()
).unwrap();
let key_string = hex::encode(self.client.as_ref().unwrap());
put.iter_mut().map( |(cp, _cv)| &mut cp.0)
.for_each(|cp| cp.insert(0, key_string.clone()));
for (coffer_path, coffer_value) in put {
self.coffer.write().await
.put(coffer_path, coffer_value)
@ -227,7 +239,8 @@ where C: Coffer
}
}
async fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8> {
async fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8>
{
trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data}
// TODO magic number