Added key-pair + certificate generation.

Signed-off-by: MikeCamel <[email protected]>
enarx-archive · Oct 1, 2020 · 53f73e5 · 53f73e5
1 parent 21570d4
commit 53f73e5
Show file tree

Hide file tree

Showing 3 changed files with 126 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "enarx-wasmldr"
 version = "0.1.0"
-authors = ["Stefan Junker <[email protected]>", "Daiki Ueno <[email protected]>"]
+authors = ["Stefan Junker <[email protected]>", "Daiki Ueno <[email protected]>", "Mike Bursell <[email protected]>"]
 edition = "2018"
 license = "Apache-2.0"
 homepage = "https://github.com/enarx/enarx-wasmldr"
@@ -36,6 +36,8 @@ serde = { version = "1.0", features = ["derive"] }
 serde_yaml = "0.8"
 cfg-if = "0.1"
 
+openssl = { version = "0.10", features = ["vendored"] }
+
 [build-dependencies]
 wat = "1.0"
 

diff --git a/src/main.rs b/src/main.rs
@@ -36,20 +36,32 @@ mod workload;
 use cfg_if::cfg_if;
 use log::info;
 
+use openssl::asn1::Asn1Time;
+use openssl::hash::MessageDigest;
+use openssl::pkey::PKey;
+use openssl::rsa::Rsa;
 use std::fs::File;
 use std::io::Read;
 #[cfg(unix)]
 use std::os::unix::io::FromRawFd;
 
 #[cfg(unix)]
 const FD: std::os::unix::io::RawFd = 3;
+/// Source of the key to use for TLS
+pub const KEY_SOURCE: &str = "generate";
 
 fn main() {
     let _ = env_logger::try_init_from_env(env_logger::Env::default());
 
     let mut args = std::env::args().skip(1);
     let vars = std::env::vars();
 
+    //TODO - need to pass this in (e.g. as args).  Use sensible defaults for now
+    //let listen_address: &str = &args[0];
+    let _listen_address: &str = "127.0.0.1";
+    //NOTE - these are currently unused
+    let (_public_key, _private_key, _server_cert) = get_credentials_bytes(_listen_address);
+
     let mut reader = if let Some(path) = args.next() {
         File::open(&path).expect("Unable to open file")
     } else {
@@ -71,3 +83,49 @@ fn main() {
 
     info!("got result: {:#?}", result);
 }
+
+fn get_credentials_bytes(listen_addr: &str) -> (Vec<u8>, Vec<u8>, Vec<u8>) {
+    let (public_key, private_key, cert) = match KEY_SOURCE {
+        "generate" => (generate_credentials(&listen_addr)),
+        //no match!
+        _ => panic!("No match for credentials source"),
+    };
+    (public_key, private_key, cert)
+}
+
+//TODO - this is vital code, and needs to be carefully audited!
+fn generate_credentials(listen_addr: &str) -> (Vec<u8>, Vec<u8>, Vec<u8>) {
+    let key = Rsa::generate(2048).unwrap();
+    let pkey = PKey::from_rsa(key.clone()).unwrap();
+
+    println!(
+        "Should create a certificate for {}, but using hard-coded 127.0.0.1 instead",
+        &listen_addr
+    );
+
+    let mut x509_name = openssl::x509::X509NameBuilder::new().unwrap();
+    x509_name.append_entry_by_text("C", "GB").unwrap();
+    x509_name.append_entry_by_text("O", "enarx-test").unwrap();
+    //FIXME - problems when client parses some addresses need investigation
+    x509_name.append_entry_by_text("CN", &listen_addr).unwrap();
+    let x509_name = x509_name.build();
+
+    let mut x509_builder = openssl::x509::X509::builder().unwrap();
+    if let Err(e) = x509_builder.set_not_before(&Asn1Time::days_from_now(0).unwrap()) {
+        panic!("Problem creating cert {}", e)
+    }
+    if let Err(e) = x509_builder.set_not_after(&Asn1Time::days_from_now(7).unwrap()) {
+        panic!("Problem creating cert {}", e)
+    }
+
+    x509_builder.set_subject_name(&x509_name).unwrap();
+    x509_builder.set_pubkey(&pkey).unwrap();
+    x509_builder.sign(&pkey, MessageDigest::sha256()).unwrap();
+    let certificate = x509_builder.build();
+
+    (
+        key.public_key_to_pem().unwrap(),
+        key.private_key_to_pem().unwrap(),
+        certificate.to_pem().unwrap(),
+    )
+}