crypto: Implement CertificateBuilder to generate certificates

The CertificateBuilder struct follows the builder pattern to add desired parameters incrementally before generating the certificate. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
keylime · Mar 26, 2024 · dcc6f92 · dcc6f92
1 parent aaff038
commit dcc6f92
Show file tree

Hide file tree

Showing 5 changed files with 651 additions and 176 deletions.
diff --git a/keylime-agent/src/error.rs b/keylime-agent/src/error.rs
@@ -89,6 +89,10 @@ pub(crate) enum Error {
     ListParser(#[from] keylime::list_parser::ListParsingError),
     #[error("Zip error: {0}")]
     Zip(#[from] zip::result::ZipError),
+    #[error("Certificate generation error")]
+    CertificateGeneration(
+        #[from] keylime::crypto::x509::CertificateBuilderError,
+    ),
     #[error("{0}")]
     Other(String),
 }

diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
@@ -55,7 +55,10 @@ use futures::{
     future::{ok, TryFutureExt},
     try_join,
 };
-use keylime::{crypto, ima::MeasurementList, list_parser::parse_list, tpm};
+use keylime::{
+    crypto, crypto::x509::CertificateBuilder, ima::MeasurementList,
+    list_parser::parse_list, tpm,
+};
 use log::*;
 use openssl::{
     pkey::{PKey, Private, Public},
@@ -586,16 +589,16 @@ async fn main() -> Result<()> {
     let mtls_cert;
     let ssl_context;
     if config.agent.enable_agent_mtls {
-        let contact_ips = vec![config.agent.contact_ip.clone()];
+        let contact_ips = vec![config.agent.contact_ip.as_str()];
         cert = match config.agent.server_cert.as_ref() {
             "" => {
                 debug!("The server_cert option was not set in the configuration file");
 
-                crypto::generate_x509(
-                    &nk_priv,
-                    &agent_uuid,
-                    Some(contact_ips),
-                )?
+                crypto::x509::CertificateBuilder::new()
+                    .private_key(&nk_priv)
+                    .common_name(&agent_uuid)
+                    .add_ips(contact_ips)
+                    .build()?
             }
             path => {
                 let cert_path = Path::new(&path);
@@ -607,11 +610,11 @@ async fn main() -> Result<()> {
                     crypto::load_x509_pem(cert_path)?
                 } else {
                     debug!("Generating new mTLS certificate");
-                    let cert = crypto::generate_x509(
-                        &nk_priv,
-                        &agent_uuid,
-                        Some(contact_ips),
-                    )?;
+                    let cert = crypto::x509::CertificateBuilder::new()
+                        .private_key(&nk_priv)
+                        .common_name(&agent_uuid)
+                        .add_ips(contact_ips)
+                        .build()?;
                     // Write the generated certificate
                     crypto::write_x509(&cert, cert_path)?;
                     cert

diff --git a/keylime-agent/src/registrar_agent.rs b/keylime-agent/src/registrar_agent.rs
@@ -204,6 +204,7 @@ pub(crate) async fn do_register_agent(
 mod tests {
     use super::*;
     use crate::crypto;
+    use keylime::crypto;
     use wiremock::matchers::{any, method};
     use wiremock::{Mock, MockServer, ResponseTemplate};
 
@@ -233,12 +234,12 @@ mod tests {
 
         let mock_data = [0u8; 1];
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
-        let cert = crypto::generate_x509(
-            &priv_key,
-            "uuid",
-            Some(vec!["1.2.3.4".to_string()]),
-        )
-        .unwrap(); //#[allow_ci]
+        let cert = crypto::x509::CertificateBuilder::new()
+            .private_key(&priv_key)
+            .common_name("uuid")
+            .add_ips(vec!["1.2.3.4"])
+            .build()
+            .unwrap(); //#[allow_ci]
         let response = do_register_agent(
             ip,
             port,
@@ -286,12 +287,12 @@ mod tests {
 
         let mock_data = [0u8; 1];
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
-        let cert = crypto::generate_x509(
-            &priv_key,
-            "uuid",
-            Some(vec!["1.2.3.4".to_string(), "1.2.3.5".to_string()]),
-        )
-        .unwrap(); //#[allow_ci]
+        let cert = crypto::x509::CertificateBuilder::new()
+            .private_key(&priv_key)
+            .common_name("uuid")
+            .add_ips(vec!["1.2.3.4", "1.2.3.5"])
+            .build()
+            .unwrap(); //#[allow_ci]
         let response = do_register_agent(
             ip,
             port,
@@ -335,7 +336,11 @@ mod tests {
 
         let mock_data = [0u8; 1];
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
-        let cert = crypto::generate_x509(&priv_key, "uuid", None).unwrap(); //#[allow_ci]
+        let cert = crypto::x509::CertificateBuilder::new()
+            .private_key(&priv_key)
+            .common_name("uuid")
+            .build()
+            .unwrap(); //#[allow_ci]
         let response = do_register_agent(
             ip,
             port,