Skip to content

Commit

Permalink
feat!: renaming of TLS configuration parameters (#1503)
Browse files Browse the repository at this point in the history 
* feat!: renaming of TLS configuration parameters

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* chore: fix typo

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* fix: setting proper default value in default config file

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* fix: using default values for verify_name_on_connect

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* chore: fix default config

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* chore: updating error strings

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* chore: updating error strings

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

* style: make cargo fmt happy

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>

---------

Signed-off-by: Gabriele Baldoni <gabriele.baldoni@gmail.com>
  • Loading branch information
@gabrik
gabrik authored Oct 4, 2024
1 parent 82869fb commit 7e32e72
Show file tree
Hide file tree
Showing 14 changed files with 235 additions and 239 deletions.
25 changes: 13 additions & 12 deletions DEFAULT_CONFIG.json5
View file
Original file line number Diff line number Diff line change
Expand Up @@ -431,20 +431,21 @@
/// or the client's keys and certificates, depending on the node's mode. If not specified
/// on router mode then the default WebPKI certificates are used instead.
root_ca_certificate: null,
/// Path to the TLS server private key
server_private_key: null,
/// Path to the TLS server public certificate
server_certificate: null,
/// Client authentication, if true enables mTLS (mutual authentication)
client_auth: false,
/// Path to the TLS client private key
client_private_key: null,
/// Path to the TLS client public certificate
client_certificate: null,
// Whether or not to use server name verification, if set to false zenoh will disregard the common names of the certificates when verifying servers.
/// Path to the TLS listening side private key
listen_private_key: null,
/// Path to the TLS listening side public certificate
listen_certificate: null,
/// Enables mTLS (mutual authentication), client authentication
enable_mtls: false,
/// Path to the TLS connecting side private key
connect_private_key: null,
/// Path to the TLS connecting side certificate
connect_certificate: null,
// Whether or not to verify the matching between hostname/dns and certificate when connecting,
// if set to false zenoh will disregard the common names of the certificates when verifying servers.
// This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your
// ca to verify that the server at baz.com is actually baz.com, let this be true (default).
server_name_verification: null,
verify_name_on_connect: true,
},
},
/// Shared memory configuration.
Expand Down
20 changes: 10 additions & 10 deletions commons/zenoh-config/src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -463,23 +463,23 @@ validated_struct::validator! {
pub tls: #[derive(Default)]
TLSConf {
root_ca_certificate: Option<String>,
server_private_key: Option<String>,
server_certificate: Option<String>,
client_auth: Option<bool>,
client_private_key: Option<String>,
client_certificate: Option<String>,
server_name_verification: Option<bool>,
listen_private_key: Option<String>,
listen_certificate: Option<String>,
enable_mtls: Option<bool>,
connect_private_key: Option<String>,
connect_certificate: Option<String>,
verify_name_on_connect: Option<bool>,
// Skip serializing field because they contain secrets
#[serde(skip_serializing)]
root_ca_certificate_base64: Option<SecretValue>,
#[serde(skip_serializing)]
server_private_key_base64: Option<SecretValue>,
listen_private_key_base64: Option<SecretValue>,
#[serde(skip_serializing)]
server_certificate_base64: Option<SecretValue>,
listen_certificate_base64: Option<SecretValue>,
#[serde(skip_serializing)]
client_private_key_base64 : Option<SecretValue>,
connect_private_key_base64 : Option<SecretValue>,
#[serde(skip_serializing)]
client_certificate_base64 : Option<SecretValue>,
connect_certificate_base64 : Option<SecretValue>,
},
pub unixpipe: #[derive(Default)]
UnixPipeConf {
Expand Down
30 changes: 15 additions & 15 deletions io/zenoh-links/zenoh-link-quic/src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -92,24 +92,24 @@ pub mod config {
pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw";
pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64";

pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file";
pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw";
pub const TLS_SERVER_PRIVATE_KEY_BASE64: &str = "server_private_key_base64";
pub const TLS_LISTEN_PRIVATE_KEY_FILE: &str = "listen_private_key_file";
pub const TLS_LISTEN_PRIVATE_KEY_RAW: &str = "listen_private_key_raw";
pub const TLS_LISTEN_PRIVATE_KEY_BASE64: &str = "listen_private_key_base64";

pub const TLS_SERVER_CERTIFICATE_FILE: &str = "server_certificate_file";
pub const TLS_SERVER_CERTIFICATE_RAW: &str = "server_certificate_raw";
pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "server_certificate_base64";
pub const TLS_LISTEN_CERTIFICATE_FILE: &str = "listen_certificate_file";
pub const TLS_LISTEN_CERTIFICATE_RAW: &str = "listen_certificate_raw";
pub const TLS_LISTEN_CERTIFICATE_BASE64: &str = "listen_certificate_base64";

pub const TLS_CLIENT_PRIVATE_KEY_FILE: &str = "client_private_key_file";
pub const TLS_CLIENT_PRIVATE_KEY_RAW: &str = "client_private_key_raw";
pub const TLS_CLIENT_PRIVATE_KEY_BASE64: &str = "client_private_key_base64";
pub const TLS_CONNECT_PRIVATE_KEY_FILE: &str = "connect_private_key_file";
pub const TLS_CONNECT_PRIVATE_KEY_RAW: &str = "connect_private_key_raw";
pub const TLS_CONNECT_PRIVATE_KEY_BASE64: &str = "connect_private_key_base64";

pub const TLS_CLIENT_CERTIFICATE_FILE: &str = "client_certificate_file";
pub const TLS_CLIENT_CERTIFICATE_RAW: &str = "client_certificate_raw";
pub const TLS_CLIENT_CERTIFICATE_BASE64: &str = "client_certificate_base64";
pub const TLS_CONNECT_CERTIFICATE_FILE: &str = "connect_certificate_file";
pub const TLS_CONNECT_CERTIFICATE_RAW: &str = "connect_certificate_raw";
pub const TLS_CONNECT_CERTIFICATE_BASE64: &str = "connect_certificate_base64";

pub const TLS_CLIENT_AUTH: &str = "client_auth";
pub const TLS_ENABLE_MTLS: &str = "enable_mtls";

pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification";
pub const TLS_SERVER_NAME_VERIFICATION_DEFAULT: &str = "true";
pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect";
pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true;
}
91 changes: 44 additions & 47 deletions io/zenoh-links/zenoh-link-quic/src/utils.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,83 +62,84 @@ impl ConfigurationInspector<ZenohConfig> for TlsConfigurator {
_ => {}
}

match (c.server_private_key(), c.server_private_key_base64()) {
match (c.listen_private_key(), c.listen_private_key_base64()) {
(Some(_), Some(_)) => {
bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!")
bail!("Only one between 'listen_private_key' and 'listen_private_key_base64' can be present!")
}
(Some(server_private_key), None) => {
ps.push((TLS_SERVER_PRIVATE_KEY_FILE, server_private_key));
ps.push((TLS_LISTEN_PRIVATE_KEY_FILE, server_private_key));
}
(None, Some(server_private_key)) => {
ps.push((
TLS_SERVER_PRIVATE_KEY_BASE64,
TLS_LISTEN_PRIVATE_KEY_BASE64,
server_private_key.expose_secret(),
));
}
_ => {}
}

match (c.server_certificate(), c.server_certificate_base64()) {
match (c.listen_certificate(), c.listen_certificate_base64()) {
(Some(_), Some(_)) => {
bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!")
bail!("Only one between 'listen_certificate' and 'listen_certificate_base64' can be present!")
}
(Some(server_certificate), None) => {
ps.push((TLS_SERVER_CERTIFICATE_FILE, server_certificate));
ps.push((TLS_LISTEN_CERTIFICATE_FILE, server_certificate));
}
(None, Some(server_certificate)) => {
ps.push((
TLS_SERVER_CERTIFICATE_BASE64,
TLS_LISTEN_CERTIFICATE_BASE64,
server_certificate.expose_secret(),
));
}
_ => {}
}

if let Some(client_auth) = c.client_auth() {
if let Some(client_auth) = c.enable_mtls() {
match client_auth {
true => ps.push((TLS_CLIENT_AUTH, "true")),
false => ps.push((TLS_CLIENT_AUTH, "false")),
true => ps.push((TLS_ENABLE_MTLS, "true")),
false => ps.push((TLS_ENABLE_MTLS, "false")),
};
}

match (c.client_private_key(), c.client_private_key_base64()) {
match (c.connect_private_key(), c.connect_private_key_base64()) {
(Some(_), Some(_)) => {
bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!")
bail!("Only one between 'connect_private_key' and 'connect_private_key_base64' can be present!")
}
(Some(client_private_key), None) => {
ps.push((TLS_CLIENT_PRIVATE_KEY_FILE, client_private_key));
ps.push((TLS_CONNECT_PRIVATE_KEY_FILE, client_private_key));
}
(None, Some(client_private_key)) => {
ps.push((
TLS_CLIENT_PRIVATE_KEY_BASE64,
TLS_CONNECT_PRIVATE_KEY_BASE64,
client_private_key.expose_secret(),
));
}
_ => {}
}

match (c.client_certificate(), c.client_certificate_base64()) {
match (c.connect_certificate(), c.connect_certificate_base64()) {
(Some(_), Some(_)) => {
bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!")
bail!("Only one between 'connect_certificate' and 'connect_certificate_base64' can be present!")
}
(Some(client_certificate), None) => {
ps.push((TLS_CLIENT_CERTIFICATE_FILE, client_certificate));
ps.push((TLS_CONNECT_CERTIFICATE_FILE, client_certificate));
}
(None, Some(client_certificate)) => {
ps.push((
TLS_CLIENT_CERTIFICATE_BASE64,
TLS_CONNECT_CERTIFICATE_BASE64,
client_certificate.expose_secret(),
));
}
_ => {}
}

if let Some(server_name_verification) = c.server_name_verification() {
match server_name_verification {
true => ps.push((TLS_SERVER_NAME_VERIFICATION, "true")),
false => ps.push((TLS_SERVER_NAME_VERIFICATION, "false")),
};
}
match c
.verify_name_on_connect()
.unwrap_or(TLS_VERIFY_NAME_ON_CONNECT_DEFAULT)
{
true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")),
false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")),
};

Ok(parameters::from_iter(ps.drain(..)))
}
Expand All @@ -150,10 +151,10 @@ pub(crate) struct TlsServerConfig {

impl TlsServerConfig {
pub async fn new(config: &Config<'_>) -> ZResult<TlsServerConfig> {
let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) {
let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) {
Some(s) => s
.parse()
.map_err(|_| zerror!("Unknown client auth argument: {}", s))?,
.map_err(|_| zerror!("Unknown enable mTLS argument: {}", s))?,
None => false,
};
let tls_server_private_key = TlsServerConfig::load_tls_private_key(config).await?;
Expand Down Expand Up @@ -200,11 +201,7 @@ impl TlsServerConfig {

let sc = if tls_server_client_auth {
let root_cert_store = load_trust_anchors(config)?.map_or_else(
|| {
Err(zerror!(
"Missing root certificates while client authentication is enabled."
))
},
|| Err(zerror!("Missing root certificates while mTLS is enabled.")),
Ok,
)?;
let client_auth = WebPkiClientVerifier::builder(root_cert_store.into()).build()?;
Expand All @@ -224,19 +221,19 @@ impl TlsServerConfig {
async fn load_tls_private_key(config: &Config<'_>) -> ZResult<Vec<u8>> {
load_tls_key(
config,
TLS_SERVER_PRIVATE_KEY_RAW,
TLS_SERVER_PRIVATE_KEY_FILE,
TLS_SERVER_PRIVATE_KEY_BASE64,
TLS_LISTEN_PRIVATE_KEY_RAW,
TLS_LISTEN_PRIVATE_KEY_FILE,
TLS_LISTEN_PRIVATE_KEY_BASE64,
)
.await
}

async fn load_tls_certificate(config: &Config<'_>) -> ZResult<Vec<u8>> {
load_tls_certificate(
config,
TLS_SERVER_CERTIFICATE_RAW,
TLS_SERVER_CERTIFICATE_FILE,
TLS_SERVER_CERTIFICATE_BASE64,
TLS_LISTEN_CERTIFICATE_RAW,
TLS_LISTEN_CERTIFICATE_FILE,
TLS_LISTEN_CERTIFICATE_BASE64,
)
.await
}
Expand All @@ -248,14 +245,14 @@ pub(crate) struct TlsClientConfig {

impl TlsClientConfig {
pub async fn new(config: &Config<'_>) -> ZResult<TlsClientConfig> {
let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) {
let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) {
Some(s) => s
.parse()
.map_err(|_| zerror!("Unknown client auth argument: {}", s))?,
.map_err(|_| zerror!("Unknown enable mTLS argument: {}", s))?,
None => false,
};

let tls_server_name_verification: bool = match config.get(TLS_SERVER_NAME_VERIFICATION) {
let tls_server_name_verification: bool = match config.get(TLS_VERIFY_NAME_ON_CONNECT) {
Some(s) => {
let s: bool = s
.parse()
Expand Down Expand Up @@ -360,19 +357,19 @@ impl TlsClientConfig {
async fn load_tls_private_key(config: &Config<'_>) -> ZResult<Vec<u8>> {
load_tls_key(
config,
TLS_CLIENT_PRIVATE_KEY_RAW,
TLS_CLIENT_PRIVATE_KEY_FILE,
TLS_CLIENT_PRIVATE_KEY_BASE64,
TLS_CONNECT_PRIVATE_KEY_RAW,
TLS_CONNECT_PRIVATE_KEY_FILE,
TLS_CONNECT_PRIVATE_KEY_BASE64,
)
.await
}

async fn load_tls_certificate(config: &Config<'_>) -> ZResult<Vec<u8>> {
load_tls_certificate(
config,
TLS_CLIENT_CERTIFICATE_RAW,
TLS_CLIENT_CERTIFICATE_FILE,
TLS_CLIENT_CERTIFICATE_BASE64,
TLS_CONNECT_CERTIFICATE_RAW,
TLS_CONNECT_CERTIFICATE_FILE,
TLS_CONNECT_CERTIFICATE_BASE64,
)
.await
}
Expand Down
29 changes: 15 additions & 14 deletions io/zenoh-links/zenoh-link-tls/src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,23 +88,24 @@ pub mod config {
pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw";
pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64";

pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file";
pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw";
pub const TLS_SERVER_PRIVATE_KEY_BASE_64: &str = "server_private_key_base64";
pub const TLS_LISTEN_PRIVATE_KEY_FILE: &str = "listen_private_key_file";
pub const TLS_LISTEN_PRIVATE_KEY_RAW: &str = "listen_private_key_raw";
pub const TLS_LISTEN_PRIVATE_KEY_BASE_64: &str = "listen_private_key_base64";

pub const TLS_SERVER_CERTIFICATE_FILE: &str = "server_certificate_file";
pub const TLS_SERVER_CERTIFICATE_RAW: &str = "server_certificate_raw";
pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "server_certificate_base64";
pub const TLS_LISTEN_CERTIFICATE_FILE: &str = "listen_certificate_file";
pub const TLS_LISTEN_CERTIFICATE_RAW: &str = "listen_certificate_raw";
pub const TLS_LISTEN_CERTIFICATE_BASE64: &str = "listen_certificate_base64";

pub const TLS_CLIENT_PRIVATE_KEY_FILE: &str = "client_private_key_file";
pub const TLS_CLIENT_PRIVATE_KEY_RAW: &str = "client_private_key_raw";
pub const TLS_CLIENT_PRIVATE_KEY_BASE64: &str = "client_private_key_base64";
pub const TLS_CONNECT_PRIVATE_KEY_FILE: &str = "connect_private_key_file";
pub const TLS_CONNECT_PRIVATE_KEY_RAW: &str = "connect_private_key_raw";
pub const TLS_CONNECT_PRIVATE_KEY_BASE64: &str = "connect_private_key_base64";

pub const TLS_CLIENT_CERTIFICATE_FILE: &str = "client_certificate_file";
pub const TLS_CLIENT_CERTIFICATE_RAW: &str = "client_certificate_raw";
pub const TLS_CLIENT_CERTIFICATE_BASE64: &str = "client_certificate_base64";
pub const TLS_CONNECT_CERTIFICATE_FILE: &str = "connect_certificate_file";
pub const TLS_CONNECT_CERTIFICATE_RAW: &str = "connect_certificate_raw";
pub const TLS_CONNECT_CERTIFICATE_BASE64: &str = "connect_certificate_base64";

pub const TLS_CLIENT_AUTH: &str = "client_auth";
pub const TLS_ENABLE_MTLS: &str = "enable_mtls";

pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification";
pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect";
pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true;
}
Loading

0 comments on commit 7e32e72

Please sign in to comment.