Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

. #3249

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
+88 −438
Draft

. #3249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
afd3e65
.
rumenov Dec 19, 2024
179f6ff
.
rumenov Dec 19, 2024
5920abe
.
rumenov Dec 19, 2024
12e675d
.
rumenov Dec 19, 2024
bac01fe
.
rumenov Dec 19, 2024
bdd5dea
.
rumenov Dec 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 2 additions & 8 deletions rs/crypto/src/tls/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use super::*;
use ic_crypto_internal_logmon::metrics::{MetricsDomain, MetricsResult, MetricsScope};
use ic_crypto_tls_interfaces::{SomeOrAllNodes, TlsConfig, TlsConfigError, TlsPublicKeyCert};
use ic_crypto_tls_interfaces::{TlsConfig, TlsConfigError, TlsPublicKeyCert};
use ic_logger::{debug, new_logger};
use ic_types::registry::RegistryClientError;
use ic_types::{NodeId, RegistryVersion};
Expand All @@ -15,7 +15,6 @@ where
{
fn server_config(
&self,
allowed_clients: SomeOrAllNodes,
registry_version: RegistryVersion,
) -> Result<::rustls::ServerConfig, TlsConfigError> {
let log_id = get_log_id(&self.logger);
Expand All @@ -27,14 +26,12 @@ where
debug!(logger;
crypto.description => "start",
crypto.registry_version => registry_version.get(),
crypto.allowed_tls_clients => format!("{:?}", allowed_clients),
);
let start_time = self.metrics.now();
let result = rustls::server_handshake::server_config(
&self.vault,
self.node_id,
Arc::clone(&self.registry_client),
allowed_clients,
registry_version,
);
self.metrics.observe_duration_seconds(
Expand Down Expand Up @@ -65,7 +62,6 @@ where
debug!(logger;
crypto.description => "start",
crypto.registry_version => registry_version.get(),
crypto.allowed_tls_clients => "all clients allowed",
);
let start_time = self.metrics.now();
let result = rustls::server_handshake::server_config_without_client_auth(
Expand All @@ -91,7 +87,7 @@ where

fn client_config(
&self,
server: NodeId,
_server: NodeId,
registry_version: RegistryVersion,
) -> Result<::rustls::ClientConfig, TlsConfigError> {
let log_id = get_log_id(&self.logger);
Expand All @@ -103,14 +99,12 @@ where
debug!(logger;
crypto.description => "start",
crypto.registry_version => registry_version.get(),
crypto.tls_server => format!("{}", server),
);
let start_time = self.metrics.now();
let result = rustls::client_handshake::client_config(
&self.vault,
self.node_id,
Arc::clone(&self.registry_client),
server,
registry_version,
);
self.metrics.observe_duration_seconds(
Expand Down
9 changes: 2 additions & 7 deletions rs/crypto/src/tls/rustls/client_handshake.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use crate::tls::rustls::node_cert_verifier::NodeServerCertVerifier;
use crate::tls::tls_cert_from_registry;
use ic_crypto_internal_csp::key_id::KeyId;
use ic_crypto_internal_csp::vault::api::CspVault;
use ic_crypto_tls_interfaces::{SomeOrAllNodes, TlsConfigError};
use ic_crypto_tls_interfaces::TlsConfigError;
use ic_interfaces_registry::RegistryClient;
use ic_types::{NodeId, RegistryVersion};
use rustls::{
Expand All @@ -21,7 +21,6 @@ pub fn client_config(
vault: &Arc<dyn CspVault>,
self_node_id: NodeId,
registry_client: Arc<dyn RegistryClient>,
server: NodeId,
registry_version: RegistryVersion,
) -> Result<ClientConfig, TlsConfigError> {
let self_tls_cert =
Expand All @@ -33,11 +32,7 @@ pub fn client_config(
})?;
let ed25519_signing_key =
CspServerEd25519SigningKey::new(self_tls_cert_key_id, Arc::clone(vault));
let server_cert_verifier = NodeServerCertVerifier::new(
SomeOrAllNodes::new_with_single_node(server),
registry_client,
registry_version,
);
let server_cert_verifier = NodeServerCertVerifier::new(registry_client, registry_version);
let mut ring_crypto_provider = rustls::crypto::ring::default_provider();
ring_crypto_provider.cipher_suites = vec![TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256];

Expand Down
35 changes: 5 additions & 30 deletions rs/crypto/src/tls/rustls/node_cert_verifier.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use crate::tls::tls_cert_from_registry;
use ic_crypto_tls_cert_validation::ValidTlsCertificate;
use ic_crypto_tls_interfaces::{SomeOrAllNodes, TlsPublicKeyCert};
use ic_crypto_tls_interfaces::TlsPublicKeyCert;
use ic_crypto_utils_tls::{node_id_from_certificate_der, NodeIdFromCertificateDerError};
use ic_interfaces_registry::RegistryClient;
use ic_protobuf::registry::crypto::v1::X509PublicKeyCert;
Expand Down Expand Up @@ -31,7 +31,6 @@ mod tests;
///
/// If any of these conditions does not hold, a `TLSError` is returned.
pub struct NodeServerCertVerifier {
allowed_nodes: SomeOrAllNodes,
registry_client: Arc<dyn RegistryClient>,
registry_version: RegistryVersion,
}
Expand All @@ -41,12 +40,10 @@ impl NodeServerCertVerifier {
/// `allowed_nodes` fetched from the `registry_client` at registry version
/// `registry_version` as trusted.
pub fn new(
allowed_nodes: SomeOrAllNodes,
registry_client: Arc<dyn RegistryClient>,
registry_version: RegistryVersion,
) -> Self {
Self {
allowed_nodes,
registry_client,
registry_version,
}
Expand All @@ -57,8 +54,8 @@ impl fmt::Debug for NodeServerCertVerifier {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(
f,
"NodeServerCertVerifier{{ allowed_nodes: {:?}, registry_version: {} }}",
self.allowed_nodes, self.registry_version
"NodeServerCertVerifier{{ registry_version: {} }}",
self.registry_version
)
}
}
Expand All @@ -68,8 +65,6 @@ impl fmt::Debug for NodeServerCertVerifier {
/// * No intermediate certificates.
/// * The end entity certificate can be parsed from DER.
/// * The end entity certificate subject CN can be parsed as a `NodeId`.
/// * The `NodeId` parsed from the end entity's subject CN is
/// contained in `allowed_nodes` (as passed to the constructors).
/// * The end entity certificate equals the node's certificate fetched from the
/// `registry_client` at version `registry_version` for the `NodeId` parsed
/// from the end entity certificate. (The `registry_client` and
Expand All @@ -79,7 +74,6 @@ impl fmt::Debug for NodeServerCertVerifier {
///
/// This verifier always offers client authentication, see `offer_client_auth`.
pub struct NodeClientCertVerifier {
allowed_nodes: SomeOrAllNodes,
registry_client: Arc<dyn RegistryClient>,
registry_version: RegistryVersion,
}
Expand All @@ -88,8 +82,8 @@ impl fmt::Debug for NodeClientCertVerifier {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(
f,
"NodeClientCertVerifier{{ allowed_nodes: {:?}, registry_version: {} }}",
self.allowed_nodes, self.registry_version
"NodeClientCertVerifier{{ registry_version: {} }}",
self.registry_version
)
}
}
Expand All @@ -101,12 +95,10 @@ impl NodeClientCertVerifier {
///
/// Client authentication is mandatory.
pub fn new_with_mandatory_client_auth(
allowed_nodes: SomeOrAllNodes,
registry_client: Arc<dyn RegistryClient>,
registry_version: RegistryVersion,
) -> Self {
Self {
allowed_nodes,
registry_client,
registry_version,
}
Expand All @@ -125,7 +117,6 @@ impl ServerCertVerifier for NodeServerCertVerifier {
verify_node_cert(
end_entity,
intermediates,
&self.allowed_nodes,
self.registry_client.as_ref(),
self.registry_version,
unix_time_to_ic_time(now)?,
Expand Down Expand Up @@ -173,7 +164,6 @@ impl ClientCertVerifier for NodeClientCertVerifier {
verify_node_cert(
end_entity,
intermediates,
&self.allowed_nodes,
self.registry_client.as_ref(),
self.registry_version,
unix_time_to_ic_time(now)?,
Expand Down Expand Up @@ -218,7 +208,6 @@ impl ClientCertVerifier for NodeClientCertVerifier {
fn verify_node_cert(
end_entity_der: &CertificateDer,
intermediates: &[CertificateDer],
allowed_nodes: &SomeOrAllNodes,
registry_client: &dyn RegistryClient,
registry_version: RegistryVersion,
current_time: Time,
Expand All @@ -234,7 +223,6 @@ fn verify_node_cert(
),
})?;

ensure_node_id_in_allowed_nodes(end_entity_node_id, allowed_nodes)?;
let node_cert_from_registry =
node_cert_from_registry(end_entity_node_id, registry_client, registry_version)?;
ensure_certificates_equal(
Expand Down Expand Up @@ -262,19 +250,6 @@ fn ensure_intermediate_certs_empty(intermediates: &[CertificateDer]) -> Result<(
Ok(())
}

fn ensure_node_id_in_allowed_nodes(
node_id: NodeId,
allowed_nodes: &SomeOrAllNodes,
) -> Result<(), TLSError> {
if !allowed_nodes.contains(node_id) {
return Err(TLSError::General(format!(
"The peer certificate with node ID {} is not allowed. Allowed node IDs: {:?}",
node_id, allowed_nodes
)));
}
Ok(())
}

fn node_cert_from_registry(
node_id: NodeId,
registry_client: &dyn RegistryClient,
Expand Down
Loading
Loading