From 2953699d3d922e5d57be745aebed4a64d7c5e75c Mon Sep 17 00:00:00 2001 From: Jin Jiu Date: Fri, 30 Aug 2024 13:04:03 +0800 Subject: [PATCH] Fix the bug in issuing sm2 certificate. --- Cargo.toml | 6 +- src/modules/pki/mod.rs | 339 +++++++++++++++++++--------------- src/modules/pki/path_issue.rs | 1 + src/modules/pki/path_keys.rs | 4 +- src/modules/pki/path_roles.rs | 10 + src/modules/pki/util.rs | 13 +- src/utils/cert.rs | 39 ++-- src/utils/key.rs | 4 +- 8 files changed, 237 insertions(+), 179 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index b055ccb..fa23586 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -43,7 +43,7 @@ log = "0.4" env_logger = "0.10" hex = "0.4" humantime = "2.1" -delay_timer = "0.11" +delay_timer = "0.11.6" as-any = "0.3.1" pem = "3.0" chrono = "0.4" @@ -60,8 +60,8 @@ base64 = "0.22" ipnetwork = "0.20" # optional dependencies -openssl = { version = "0.10", optional = true } -openssl-sys = { version = "0.9", optional = true } +openssl = { version = "0.10.64", optional = true } +openssl-sys = { version = "0.9.102", optional = true } # uncomment the following lines to use Tongsuo as underlying crypto adaptor #[patch.crates-io] diff --git a/src/modules/pki/mod.rs b/src/modules/pki/mod.rs index d22d4ce..1b73161 100644 --- a/src/modules/pki/mod.rs +++ b/src/modules/pki/mod.rs @@ -249,21 +249,9 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L resp } - /* - fn test_list_api(core: &Core, token: &str, path: &str, is_ok: bool) -> Result, RvError> { - let mut req = Request::new(path); - req.operation = Operation::List; - req.client_token = token.to_string(); - let resp = core.handle_request(&mut req); - assert_eq!(resp.is_ok(), is_ok); - resp - } - */ - - fn test_pki_config_ca(core: Arc>, token: &str) { + fn test_pki_mount(core: Arc>, token: &str, path: &str) { let core = core.read().unwrap(); - - // mount pki backend to path: pki/ + // mount pki backend to path let mount_data = json!({ "type": "pki", }) @@ -271,8 +259,12 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); - let resp = test_write_api(&core, token, "sys/mounts/pki/", true, Some(mount_data)); + let resp = test_write_api(&core, token, &format!("sys/mounts/{}/", path), true, Some(mount_data)); assert!(resp.is_ok()); + } + + fn test_pki_config_ca(core: Arc>, token: &str, path: &str) { + let core = core.read().unwrap(); let ca_pem_bundle = format!("{}{}", CA_CERT_PEM, CA_KEY_PEM); @@ -284,10 +276,10 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .clone(); // config ca - let resp = test_write_api(&core, token, "pki/config/ca", true, Some(ca_data)); + let resp = test_write_api(&core, token, &format!("{}/config/ca", path), true, Some(ca_data)); assert!(resp.is_ok()); - let resp_ca = test_read_api(&core, token, "pki/ca", true); - let resp_ca_pem = test_read_api(&core, token, "pki/ca/pem", true); + let resp_ca = test_read_api(&core, token, &format!("{}/ca", path), true); + let resp_ca_pem = test_read_api(&core, token, &format!("{}/ca/pem", path), true); let resp_ca_cert_data = resp_ca.unwrap().unwrap().data.unwrap(); let resp_ca_pem_cert_data = resp_ca_pem.unwrap().unwrap().data.unwrap(); assert!(resp_ca_cert_data.get("private_key").is_none()); @@ -303,14 +295,14 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L assert_eq!(resp_ca_cert_data["certificate"].as_str().unwrap().trim(), CA_CERT_PEM.trim()); } - fn test_pki_config_role(core: Arc>, token: &str) { + fn test_pki_config_role(core: Arc>, token: &str, path: &str, key_type: &str, key_bits: u64) { let core = core.read().unwrap(); let role_data = json!({ "ttl": "60d", "max_ttl": "365d", - "key_type": "rsa", - "key_bits": 4096, + "key_type": key_type, + "key_bits": key_bits, "country": "CN", "province": "Beijing", "locality": "Beijing", @@ -322,8 +314,8 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .clone(); // config role - assert!(test_write_api(&core, token, "pki/roles/test", true, Some(role_data)).is_ok()); - let resp = test_read_api(&core, token, "pki/roles/test", true); + assert!(test_write_api(&core, token, &format!("{}/roles/test", path), true, Some(role_data)).is_ok()); + let resp = test_read_api(&core, token, &format!("{}/roles/test", path), true); assert!(resp.as_ref().unwrap().is_some()); let resp = resp.unwrap(); assert!(resp.is_some()); @@ -334,8 +326,8 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L assert_eq!(role_data["ttl"].as_u64().unwrap(), 60 * 24 * 60 * 60); assert_eq!(role_data["max_ttl"].as_u64().unwrap(), 365 * 24 * 60 * 60); assert_eq!(role_data["not_before_duration"].as_u64().unwrap(), 30); - assert_eq!(role_data["key_type"].as_str().unwrap(), "rsa"); - assert_eq!(role_data["key_bits"].as_u64().unwrap(), 4096); + assert_eq!(role_data["key_type"].as_str().unwrap(), key_type); + assert_eq!(role_data["key_bits"].as_u64().unwrap(), key_bits); assert_eq!(role_data["country"].as_str().unwrap(), "CN"); assert_eq!(role_data["province"].as_str().unwrap(), "Beijing"); assert_eq!(role_data["locality"].as_str().unwrap(), "Beijing"); @@ -343,7 +335,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L assert_eq!(role_data["no_store"].as_bool().unwrap(), false); } - fn test_pki_issue_cert(core: Arc>, token: &str) { + fn test_pki_issue_cert(core: Arc>, token: &str, path: &str, key_type: &str, key_bits: u32) { let core = core.read().unwrap(); let dns_sans = vec!["test.com", "a.test.com", "b.test.com"]; @@ -357,7 +349,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .clone(); // issue cert - let resp = test_write_api(&core, token, "pki/issue/test", true, Some(issue_data)); + let resp = test_write_api(&core, token, &format!("{}/issue/test", path), true, Some(issue_data)); assert!(resp.is_ok()); let resp_body = resp.unwrap(); assert!(resp_body.is_some()); @@ -372,9 +364,9 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L for alt_name in alt_names { assert!(dns_sans.contains(&alt_name.dnsname().unwrap())); } - assert_eq!(cert_data["private_key_type"].as_str().unwrap(), "rsa"); + assert_eq!(cert_data["private_key_type"].as_str().unwrap(), key_type); let priv_key = PKey::private_key_from_pem(cert_data["private_key"].as_str().unwrap().as_bytes()).unwrap(); - assert_eq!(priv_key.bits(), 4096); + assert_eq!(priv_key.bits(), key_bits); assert!(priv_key.public_eq(&cert.public_key().unwrap())); let serial_number = cert.serial_number().to_bn().unwrap(); let serial_number_hex = serial_number.to_hex_str().unwrap(); @@ -398,13 +390,13 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L let resp_lowercase = test_read_api( &core, token, - format!("pki/cert/{}", serial_number_hex.to_lowercase().as_str()).as_str(), + format!("{}/cert/{}", path, serial_number_hex.to_lowercase().as_str()).as_str(), true, ); let resp_uppercase = test_read_api( &core, token, - format!("pki/cert/{}", serial_number_hex.to_uppercase().as_str()).as_str(), + format!("{}/cert/{}", path, serial_number_hex.to_uppercase().as_str()).as_str(), true, ); println!("resp_uppercase: {:?}", resp_uppercase); @@ -429,6 +421,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L fn test_pki_generate_key_case( core: &Core, token: &str, + path: &str, key_name: &str, key_type: &str, key_bits: u32, @@ -447,7 +440,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L let resp = test_write_api( core, token, - format!("pki/keys/generate/{}", if exported { "exported" } else { "internal" }).as_str(), + format!("{}/keys/generate/{}", path, if exported { "exported" } else { "internal" }).as_str(), is_ok, Some(req_data), ); @@ -492,6 +485,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L fn test_pki_import_key_case( core: &Core, token: &str, + path: &str, key_name: &str, key_type: &str, key_bits: u32, @@ -519,7 +513,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L } println!("import req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/import", is_ok, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/import", path), is_ok, Some(req_data)); if !is_ok { return; } @@ -534,7 +528,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L assert_eq!(key_data["key_bits"].as_u64().unwrap(), key_bits as u64); } - fn test_pki_sign_verify(core: &Core, token: &str, key_name: &str, data: &[u8], is_ok: bool) { + fn test_pki_sign_verify(core: &Core, token: &str, path: &str, key_name: &str, data: &[u8], is_ok: bool) { let req_data = json!({ "key_name": key_name.to_string(), "data": hex::encode(data), @@ -543,7 +537,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); println!("sign req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/sign", is_ok, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/sign", path), is_ok, Some(req_data)); if !is_ok { return; } @@ -565,7 +559,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); println!("verify req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/verify", is_ok, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/verify", path), is_ok, Some(req_data)); let resp_body = resp.unwrap(); assert!(resp_body.is_some()); let resp_raw_data = resp_body.unwrap().data; @@ -584,7 +578,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); println!("verify bad req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/verify", true, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/verify", path), true, Some(req_data)); let resp_body = resp.unwrap(); assert!(resp_body.is_some()); let resp_raw_data = resp_body.unwrap().data; @@ -602,7 +596,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); println!("verify bad signatue req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/verify", true, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/verify", path), true, Some(req_data)); let resp_body = resp.unwrap(); assert!(resp_body.is_some()); let resp_raw_data = resp_body.unwrap().data; @@ -619,10 +613,10 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .as_object() .unwrap() .clone(); - assert!(test_write_api(core, token, "pki/keys/verify", false, Some(req_data)).is_err()); + assert!(test_write_api(core, token, &format!("{}/keys/verify", path), false, Some(req_data)).is_err()); } - fn test_pki_encrypt_decrypt(core: &Core, token: &str, key_name: &str, data: &[u8], is_ok: bool) { + fn test_pki_encrypt_decrypt(core: &Core, token: &str, path: &str, key_name: &str, data: &[u8], is_ok: bool) { let origin_data = hex::encode(data); let req_data = json!({ "key_name": key_name.to_string(), @@ -632,7 +626,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); println!("encrypt req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/encrypt", is_ok, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/encrypt", path), is_ok, Some(req_data)); if !is_ok { return; } @@ -653,7 +647,7 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .unwrap() .clone(); println!("decrypt req_data: {:?}, is_ok: {}", req_data, is_ok); - let resp = test_write_api(core, token, "pki/keys/decrypt", is_ok, Some(req_data)); + let resp = test_write_api(core, token, &format!("{}/keys/decrypt", path), is_ok, Some(req_data)); let resp_body = resp.unwrap(); assert!(resp_body.is_some()); let resp_raw_data = resp_body.unwrap().data; @@ -670,107 +664,108 @@ x/+V28hUf8m8P2NxP5ALaDZagdaMfzjGZo3O3wDv33Cds0P5GMGQYnRXDxcZN/2L .as_object() .unwrap() .clone(); - assert!(test_write_api(core, token, "pki/keys/decrypt", false, Some(req_data)).is_err()); + assert!(test_write_api(core, token, &format!("{}/keys/decrypt", path), false, Some(req_data)).is_err()); } - fn test_pki_generate_key(core: Arc>, token: &str) { + fn test_pki_generate_key(core: Arc>, token: &str, path: &str) { let core = core.read().unwrap(); //test generate rsa key - test_pki_generate_key_case(&core, token, "rsa-2048", "rsa", 2048, true, true); - test_pki_generate_key_case(&core, token, "rsa-3072", "rsa", 3072, true, true); - test_pki_generate_key_case(&core, token, "rsa-4096", "rsa", 4096, true, true); - test_pki_generate_key_case(&core, token, "rsa-2048-internal", "rsa", 2048, false, true); - test_pki_generate_key_case(&core, token, "rsa-3072-internal", "rsa", 3072, false, true); - test_pki_generate_key_case(&core, token, "rsa-4096-internal", "rsa", 4096, false, true); - test_pki_generate_key_case(&core, token, "rsa-2048", "rsa", 2048, true, false); - test_pki_generate_key_case(&core, token, "rsa-2048-bad-type", "rsaa", 2048, true, false); - test_pki_generate_key_case(&core, token, "rsa-2048-bad-bits", "rsa", 2049, true, false); + test_pki_generate_key_case(&core, token, path, "rsa-2048", "rsa", 2048, true, true); + test_pki_generate_key_case(&core, token, path, "rsa-3072", "rsa", 3072, true, true); + test_pki_generate_key_case(&core, token, path, "rsa-4096", "rsa", 4096, true, true); + test_pki_generate_key_case(&core, token, path, "rsa-2048-internal", "rsa", 2048, false, true); + test_pki_generate_key_case(&core, token, path, "rsa-3072-internal", "rsa", 3072, false, true); + test_pki_generate_key_case(&core, token, path, "rsa-4096-internal", "rsa", 4096, false, true); + test_pki_generate_key_case(&core, token, path, "rsa-2048", "rsa", 2048, true, false); + test_pki_generate_key_case(&core, token, path, "rsa-2048-bad-type", "rsaa", 2048, true, false); + test_pki_generate_key_case(&core, token, path, "rsa-2048-bad-bits", "rsa", 2049, true, false); //test rsa sign and verify - test_pki_sign_verify(&core, token, "rsa-2048", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "rsa-3072", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "rsa-4096", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "rsa-4096-bad-key-name", "rusty_vault test".as_bytes(), false); + test_pki_sign_verify(&core, token, path, "rsa-2048", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "rsa-3072", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "rsa-4096", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "rsa-4096-bad-key-name", "rusty_vault test".as_bytes(), false); //test generate ec key - test_pki_generate_key_case(&core, token, "ec-224", "ec", 224, true, true); - test_pki_generate_key_case(&core, token, "ec-256", "ec", 256, true, true); - test_pki_generate_key_case(&core, token, "ec-384", "ec", 384, true, true); - test_pki_generate_key_case(&core, token, "ec-521", "ec", 521, true, true); - test_pki_generate_key_case(&core, token, "ec-224-internal", "ec", 224, false, true); - test_pki_generate_key_case(&core, token, "ec-256-internal", "ec", 256, false, true); - test_pki_generate_key_case(&core, token, "ec-384-internal", "ec", 384, false, true); - test_pki_generate_key_case(&core, token, "ec-521-internal", "ec", 521, false, true); - test_pki_generate_key_case(&core, token, "ec-224", "ec", 224, true, false); - test_pki_generate_key_case(&core, token, "ec-224-bad_type", "ecc", 224, true, false); - test_pki_generate_key_case(&core, token, "ec-224-bad_bits", "ec", 250, true, false); + test_pki_generate_key_case(&core, token, path, "ec-224", "ec", 224, true, true); + test_pki_generate_key_case(&core, token, path, "ec-256", "ec", 256, true, true); + test_pki_generate_key_case(&core, token, path, "ec-384", "ec", 384, true, true); + test_pki_generate_key_case(&core, token, path, "ec-521", "ec", 521, true, true); + test_pki_generate_key_case(&core, token, path, "ec-224-internal", "ec", 224, false, true); + test_pki_generate_key_case(&core, token, path, "ec-256-internal", "ec", 256, false, true); + test_pki_generate_key_case(&core, token, path, "ec-384-internal", "ec", 384, false, true); + test_pki_generate_key_case(&core, token, path, "ec-521-internal", "ec", 521, false, true); + test_pki_generate_key_case(&core, token, path, "ec-224", "ec", 224, true, false); + test_pki_generate_key_case(&core, token, path, "ec-224-bad_type", "ecc", 224, true, false); + test_pki_generate_key_case(&core, token, path, "ec-224-bad_bits", "ec", 250, true, false); //test ec sign and verify - test_pki_sign_verify(&core, token, "ec-224", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-256", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-384", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-521", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-224-bad-key-name", "rusty_vault test".as_bytes(), false); + test_pki_sign_verify(&core, token, path, "ec-224", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-256", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-384", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-521", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-224-bad-key-name", "rusty_vault test".as_bytes(), false); //test generate aes-gcm key - test_pki_generate_key_case(&core, token, "aes-gcm-128", "aes-gcm", 128, true, true); - test_pki_generate_key_case(&core, token, "aes-gcm-192", "aes-gcm", 192, true, true); - test_pki_generate_key_case(&core, token, "aes-gcm-256", "aes-gcm", 256, true, true); - test_pki_generate_key_case(&core, token, "aes-gcm-128-internal", "aes-gcm", 128, false, true); - test_pki_generate_key_case(&core, token, "aes-gcm-192-internal", "aes-gcm", 192, false, true); - test_pki_generate_key_case(&core, token, "aes-gcm-256-internal", "aes-gcm", 256, false, true); - test_pki_generate_key_case(&core, token, "aes-gcm-128", "aes-gcm", 128, true, false); - test_pki_generate_key_case(&core, token, "aes-gcm-128-bad-type", "aes-gcmm", 128, true, false); - test_pki_generate_key_case(&core, token, "aes-gcm-128-bad-bits", "aes-gcm", 129, true, false); + test_pki_generate_key_case(&core, token, path, "aes-gcm-128", "aes-gcm", 128, true, true); + test_pki_generate_key_case(&core, token, path, "aes-gcm-192", "aes-gcm", 192, true, true); + test_pki_generate_key_case(&core, token, path, "aes-gcm-256", "aes-gcm", 256, true, true); + test_pki_generate_key_case(&core, token, path, "aes-gcm-128-internal", "aes-gcm", 128, false, true); + test_pki_generate_key_case(&core, token, path, "aes-gcm-192-internal", "aes-gcm", 192, false, true); + test_pki_generate_key_case(&core, token, path, "aes-gcm-256-internal", "aes-gcm", 256, false, true); + test_pki_generate_key_case(&core, token, path, "aes-gcm-128", "aes-gcm", 128, true, false); + test_pki_generate_key_case(&core, token, path, "aes-gcm-128-bad-type", "aes-gcmm", 128, true, false); + test_pki_generate_key_case(&core, token, path, "aes-gcm-128-bad-bits", "aes-gcm", 129, true, false); //test aes-gcm encrypt and decrypt - test_pki_encrypt_decrypt(&core, token, "aes-gcm-128", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-gcm-192", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-gcm-256", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-gcm-256-bad-key-name", "rusty_vault test".as_bytes(), false); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-128", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-192", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-256", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-256-bad-key-name", "rusty_vault test".as_bytes(), false); //test generate aes-cbc key - test_pki_generate_key_case(&core, token, "aes-cbc-128", "aes-cbc", 128, true, true); - test_pki_generate_key_case(&core, token, "aes-cbc-192", "aes-cbc", 192, true, true); - test_pki_generate_key_case(&core, token, "aes-cbc-256", "aes-cbc", 256, true, true); - test_pki_generate_key_case(&core, token, "aes-cbc-128-internal", "aes-cbc", 128, false, true); - test_pki_generate_key_case(&core, token, "aes-cbc-192-internal", "aes-cbc", 192, false, true); - test_pki_generate_key_case(&core, token, "aes-cbc-256-internal", "aes-cbc", 256, false, true); - test_pki_generate_key_case(&core, token, "aes-cbc-128", "aes-cbc", 128, true, false); - test_pki_generate_key_case(&core, token, "aes-cbc-128-bad-type", "aes-cbcc", 128, true, false); - test_pki_generate_key_case(&core, token, "aes-cbc-128-bad-bits", "aes-cbc", 129, true, false); + test_pki_generate_key_case(&core, token, path, "aes-cbc-128", "aes-cbc", 128, true, true); + test_pki_generate_key_case(&core, token, path, "aes-cbc-192", "aes-cbc", 192, true, true); + test_pki_generate_key_case(&core, token, path, "aes-cbc-256", "aes-cbc", 256, true, true); + test_pki_generate_key_case(&core, token, path, "aes-cbc-128-internal", "aes-cbc", 128, false, true); + test_pki_generate_key_case(&core, token, path, "aes-cbc-192-internal", "aes-cbc", 192, false, true); + test_pki_generate_key_case(&core, token, path, "aes-cbc-256-internal", "aes-cbc", 256, false, true); + test_pki_generate_key_case(&core, token, path, "aes-cbc-128", "aes-cbc", 128, true, false); + test_pki_generate_key_case(&core, token, path, "aes-cbc-128-bad-type", "aes-cbcc", 128, true, false); + test_pki_generate_key_case(&core, token, path, "aes-cbc-128-bad-bits", "aes-cbc", 129, true, false); //test aes-cbc encrypt and decrypt - test_pki_encrypt_decrypt(&core, token, "aes-cbc-128", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-cbc-192", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-cbc-256", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-cbc-256-bad-key-name", "rusty_vault test".as_bytes(), false); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-128", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-192", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-256", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-256-bad-key-name", "rusty_vault test".as_bytes(), false); //test generate aes-ecb key - test_pki_generate_key_case(&core, token, "aes-ecb-128", "aes-ecb", 128, true, true); - test_pki_generate_key_case(&core, token, "aes-ecb-192", "aes-ecb", 192, true, true); - test_pki_generate_key_case(&core, token, "aes-ecb-256", "aes-ecb", 256, true, true); - test_pki_generate_key_case(&core, token, "aes-ecb-128-internal", "aes-ecb", 128, false, true); - test_pki_generate_key_case(&core, token, "aes-ecb-192-internal", "aes-ecb", 192, false, true); - test_pki_generate_key_case(&core, token, "aes-ecb-256-internal", "aes-ecb", 256, false, true); - test_pki_generate_key_case(&core, token, "aes-ecb-128", "aes-ecb", 128, true, false); - test_pki_generate_key_case(&core, token, "aes-ecb-128-bad-type", "aes-ecbb", 128, true, false); - test_pki_generate_key_case(&core, token, "aes-ecb-128-bad-bits", "aes-ecb", 129, true, false); + test_pki_generate_key_case(&core, token, path, "aes-ecb-128", "aes-ecb", 128, true, true); + test_pki_generate_key_case(&core, token, path, "aes-ecb-192", "aes-ecb", 192, true, true); + test_pki_generate_key_case(&core, token, path, "aes-ecb-256", "aes-ecb", 256, true, true); + test_pki_generate_key_case(&core, token, path, "aes-ecb-128-internal", "aes-ecb", 128, false, true); + test_pki_generate_key_case(&core, token, path, "aes-ecb-192-internal", "aes-ecb", 192, false, true); + test_pki_generate_key_case(&core, token, path, "aes-ecb-256-internal", "aes-ecb", 256, false, true); + test_pki_generate_key_case(&core, token, path, "aes-ecb-128", "aes-ecb", 128, true, false); + test_pki_generate_key_case(&core, token, path, "aes-ecb-128-bad-type", "aes-ecbb", 128, true, false); + test_pki_generate_key_case(&core, token, path, "aes-ecb-128-bad-bits", "aes-ecb", 129, true, false); //test aes-ecb encrypt and decrypt - test_pki_encrypt_decrypt(&core, token, "aes-ecb-128", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-ecb-192", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-ecb-256", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-ecb-256-bad-key-name", "rusty_vault test".as_bytes(), false); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-128", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-192", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-256", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-256-bad-key-name", "rusty_vault test".as_bytes(), false); } - fn test_pki_import_key(core: Arc>, token: &str) { + fn test_pki_import_key(core: Arc>, token: &str, path: &str) { let core = core.read().unwrap(); //test import rsa key test_pki_import_key_case( &core, token, + path, "rsa-2048-import", "rsa", 2048, @@ -810,6 +805,7 @@ bwtnhIcuKu7aG0qI2abuLtNI test_pki_import_key_case( &core, token, + path, "rsa-3072-import", "rsa", 3072, @@ -861,6 +857,7 @@ Do5o32GEcxbLo+woXez/9og= test_pki_import_key_case( &core, token, + path, "rsa-4096-import", "rsa", 4096, @@ -924,6 +921,7 @@ srlAra2xKovU8At81EhC3oarMYLbY9w= test_pki_import_key_case( &core, token, + path, "rsa-4096-import", "rsa", 4096, @@ -987,6 +985,7 @@ srlAra2xKovU8At81EhC3oarMYLbY9w= test_pki_import_key_case( &core, token, + path, "rsa-4096-import-bad-type", "rsaa", 4096, @@ -1050,6 +1049,7 @@ srlAra2xKovU8At81EhC3oarMYLbY9w= test_pki_import_key_case( &core, token, + path, "rsa-4096-import-bad-pem", "rsaa", 4096, @@ -1113,14 +1113,15 @@ srlAra2xKovU8At81EhC3oarMYLbY9w= ); //test rsa sign and verify - test_pki_sign_verify(&core, token, "rsa-2048-import", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "rsa-3072-import", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "rsa-4096-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "rsa-2048-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "rsa-3072-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "rsa-4096-import", "rusty_vault test".as_bytes(), true); //test import ec key test_pki_import_key_case( &core, token, + path, "ec-224-import", "ec", 224, @@ -1137,6 +1138,7 @@ K9bNL/xrK2WENeATjX1eZE9JZtjDwnAqlJM= test_pki_import_key_case( &core, token, + path, "ec-256-import", "ec", 256, @@ -1153,6 +1155,7 @@ AAOYNTNA2jpy34lQ2zlBLIoaTuxXtg6mWvfITYPGrpWorcPTYzG+ test_pki_import_key_case( &core, token, + path, "ec-384-import", "ec", 384, @@ -1170,6 +1173,7 @@ TKSYqB3QPPoSWhfvlq1iSdarRYfH+6S9dRpeaf+xnnVVMD8iqmUBOdl0UZZHOOt6 test_pki_import_key_case( &core, token, + path, "ec-521-import", "ec", 521, @@ -1186,10 +1190,11 @@ Fw== "#, true, ); - test_pki_import_key_case(&core, token, "ec-521-import", "ec", 521, "", "same key name", false); + test_pki_import_key_case(&core, token, path, "ec-521-import", "ec", 521, "", "same key name", false); test_pki_import_key_case( &core, token, + path, "ec-521-import-bad-type", "ecc", 521, @@ -1209,6 +1214,7 @@ Fw== test_pki_import_key_case( &core, token, + path, "ec-521-import-bad-pem", "ec", 521, @@ -1228,15 +1234,16 @@ xxxxxxxxxxxxxx ); //test ec sign and verify - test_pki_sign_verify(&core, token, "ec-224-import", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-256-import", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-384-import", "rusty_vault test".as_bytes(), true); - test_pki_sign_verify(&core, token, "ec-521-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-224-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-256-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-384-import", "rusty_vault test".as_bytes(), true); + test_pki_sign_verify(&core, token, path, "ec-521-import", "rusty_vault test".as_bytes(), true); //test import aes-gcm key test_pki_import_key_case( &core, token, + path, "aes-gcm-128-import", "aes-gcm", 128, @@ -1247,6 +1254,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-gcm-192-import", "aes-gcm", 192, @@ -1257,6 +1265,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-gcm-256-import", "aes-gcm", 256, @@ -1267,6 +1276,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-gcm-256-import", "aes-gcm", 256, @@ -1277,6 +1287,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-gcm-256-import-bad-type", "aes-gcmm", 256, @@ -1287,6 +1298,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-gcm-256-import-bad-hex", "aes-gcm", 256, @@ -1296,14 +1308,15 @@ xxxxxxxxxxxxxx ); //test aes-gcm encrypt and decrypt - test_pki_encrypt_decrypt(&core, token, "aes-gcm-128-import", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-gcm-192-import", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-gcm-256-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-128-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-192-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-gcm-256-import", "rusty_vault test".as_bytes(), true); //test import aes-cbc key test_pki_import_key_case( &core, token, + path, "aes-cbc-128-import", "aes-cbc", 128, @@ -1314,6 +1327,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-cbc-192-import", "aes-cbc", 192, @@ -1324,6 +1338,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-cbc-256-import", "aes-cbc", 256, @@ -1334,6 +1349,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-cbc-256-import", "aes-cbc", 256, @@ -1344,6 +1360,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-cbc-256-import-bad-type", "aes-cbcc", 256, @@ -1354,6 +1371,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-cbc-256-import-bad-hex", "aes-cbc", 256, @@ -1363,14 +1381,15 @@ xxxxxxxxxxxxxx ); //test aes-cbc encrypt and decrypt - test_pki_encrypt_decrypt(&core, token, "aes-cbc-128-import", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-cbc-192-import", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-cbc-256-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-128-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-192-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-cbc-256-import", "rusty_vault test".as_bytes(), true); //test import aes-ecb key test_pki_import_key_case( &core, token, + path, "aes-ecb-128-import", "aes-ecb", 128, @@ -1381,6 +1400,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-ecb-192-import", "aes-ecb", 192, @@ -1391,6 +1411,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-ecb-256-import", "aes-ecb", 256, @@ -1398,10 +1419,11 @@ xxxxxxxxxxxxxx "95b622ebf838b0b8b4cc60635333f87f9b10bcbe340b710020a6e9789156c052", true, ); - test_pki_import_key_case(&core, token, "aes-ecb-256-import", "aes-ecb", 256, "", "same key name", false); + test_pki_import_key_case(&core, token, path, "aes-ecb-256-import", "aes-ecb", 256, "", "same key name", false); test_pki_import_key_case( &core, token, + path, "aes-ecb-256-import-bad-type", "aes-ecbb", 256, @@ -1412,6 +1434,7 @@ xxxxxxxxxxxxxx test_pki_import_key_case( &core, token, + path, "aes-ecb-256-import-bad-hex", "aes-ecb", 256, @@ -1421,16 +1444,14 @@ xxxxxxxxxxxxxx ); //test aes-gcm encrypt and decrypt - test_pki_encrypt_decrypt(&core, token, "aes-ecb-128-import", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-ecb-192-import", "rusty_vault test".as_bytes(), true); - test_pki_encrypt_decrypt(&core, token, "aes-ecb-256-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-128-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-192-import", "rusty_vault test".as_bytes(), true); + test_pki_encrypt_decrypt(&core, token, path, "aes-ecb-256-import", "rusty_vault test".as_bytes(), true); } - fn test_pki_generate_root(core: Arc>, token: &str, exported: bool, is_ok: bool) { + fn test_pki_generate_root(core: Arc>, token: &str, path: &str, key_type: &str, key_bits: u32, exported: bool, is_ok: bool) { let core = core.read().unwrap(); - let key_type = "rsa"; - let key_bits = 4096; let common_name = "test-ca"; let req_data = json!({ "common_name": common_name, @@ -1446,7 +1467,7 @@ xxxxxxxxxxxxxx let resp = test_write_api( &core, token, - format!("pki/root/generate/{}", if exported { "exported" } else { "internal" }).as_str(), + format!("{}/root/generate/{}", path, if exported { "exported" } else { "internal" }).as_str(), is_ok, Some(req_data), ); @@ -1460,7 +1481,7 @@ xxxxxxxxxxxxxx let key_data = data.unwrap(); println!("generate root result: {:?}", key_data); - let resp_ca_pem = test_read_api(&core, token, "pki/ca/pem", true); + let resp_ca_pem = test_read_api(&core, token, &format!("{}/ca/pem", path), true); let resp_ca_pem_cert_data = resp_ca_pem.unwrap().unwrap().data.unwrap(); let ca_cert = X509::from_pem(resp_ca_pem_cert_data["certificate"].as_str().unwrap().as_bytes()).unwrap(); @@ -1485,7 +1506,7 @@ xxxxxxxxxxxxxx assert!(rsa_key.is_ok()); assert_eq!(rsa_key.unwrap().size() * 8, key_bits); } - "ec" => { + "sm2" | "ec" => { let ec_key = EcKey::private_key_from_pem(private_key_pem.as_bytes()); assert!(ec_key.is_ok()); assert_eq!(ec_key.unwrap().group().degree(), key_bits); @@ -1497,20 +1518,20 @@ xxxxxxxxxxxxxx } } - fn test_pki_delete_root(core: Arc>, token: &str, is_ok: bool) { + fn test_pki_delete_root(core: Arc>, token: &str, path: &str, is_ok: bool) { let core = core.read().unwrap(); - let resp = test_delete_api(&core, token, "pki/root", is_ok); + let resp = test_delete_api(&core, token, &format!("{}/root", path), is_ok); if !is_ok { return; } assert!(resp.is_ok()); - let resp_ca_pem = test_read_api(&core, token, "pki/ca/pem", false); + let resp_ca_pem = test_read_api(&core, token, &format!("{}/ca/pem", path), false); assert_eq!(resp_ca_pem.unwrap_err(), RvError::ErrPkiCaNotConfig); } - fn test_pki_issue_cert_by_generate_root(core: Arc>, token: &str) { + fn test_pki_issue_cert_by_generate_root(core: Arc>, token: &str, path: &str, key_type: &str, key_bits: u32) { let core = core.read().unwrap(); let dns_sans = vec!["test.com", "a.test.com", "b.test.com"]; @@ -1524,7 +1545,7 @@ xxxxxxxxxxxxxx .clone(); // issue cert - let resp = test_write_api(&core, token, "pki/issue/test", true, Some(issue_data)); + let resp = test_write_api(&core, token, &format!("{}/issue/test", path), true, Some(issue_data)); assert!(resp.is_ok()); let resp_body = resp.unwrap(); assert!(resp_body.is_some()); @@ -1539,9 +1560,9 @@ xxxxxxxxxxxxxx for alt_name in alt_names { assert!(dns_sans.contains(&alt_name.dnsname().unwrap())); } - assert_eq!(cert_data["private_key_type"].as_str().unwrap(), "rsa"); + assert_eq!(cert_data["private_key_type"].as_str().unwrap(), key_type); let priv_key = PKey::private_key_from_pem(cert_data["private_key"].as_str().unwrap().as_bytes()).unwrap(); - assert_eq!(priv_key.bits(), 4096); + assert_eq!(priv_key.bits(), key_bits); assert!(priv_key.public_eq(&cert.public_key().unwrap())); let serial_number = cert.serial_number().to_bn().unwrap(); let serial_number_hex = serial_number.to_hex_str().unwrap(); @@ -1565,7 +1586,7 @@ xxxxxxxxxxxxxx println!("authority_key_id: {:?}", authority_key_id.unwrap().as_slice()); - let resp_ca_pem = test_read_api(&core, token, "pki/ca/pem", true); + let resp_ca_pem = test_read_api(&core, token, &format!("{}/ca/pem", path), true); let resp_ca_pem_cert_data = resp_ca_pem.unwrap().unwrap().data.unwrap(); let ca_cert = X509::from_pem(resp_ca_pem_cert_data["certificate"].as_str().unwrap().as_bytes()).unwrap(); @@ -1622,15 +1643,25 @@ xxxxxxxxxxxxxx { println!("root_token: {:?}", root_token); - test_pki_config_ca(Arc::clone(&c), &root_token); - test_pki_config_role(Arc::clone(&c), &root_token); - test_pki_issue_cert(Arc::clone(&c), &root_token); - test_pki_generate_key(Arc::clone(&c), &root_token); - test_pki_import_key(Arc::clone(&c), &root_token); - test_pki_generate_root(Arc::clone(&c), &root_token, true, true); - test_pki_generate_root(Arc::clone(&c), &root_token, false, true); - test_pki_issue_cert_by_generate_root(Arc::clone(&c), &root_token); - test_pki_delete_root(Arc::clone(&c), &root_token, true); + test_pki_mount(Arc::clone(&c), &root_token, "pki"); + test_pki_config_ca(Arc::clone(&c), &root_token, "pki"); + test_pki_config_role(Arc::clone(&c), &root_token, "pki", "rsa", 4096); + test_pki_issue_cert(Arc::clone(&c), &root_token, "pki", "rsa", 4096); + test_pki_generate_key(Arc::clone(&c), &root_token, "pki"); + test_pki_import_key(Arc::clone(&c), &root_token, "pki"); + test_pki_generate_root(Arc::clone(&c), &root_token, "pki", "rsa", 4096, true, true); + test_pki_generate_root(Arc::clone(&c), &root_token, "pki", "rsa", 4096, false, true); + test_pki_issue_cert_by_generate_root(Arc::clone(&c), &root_token, "pki", "rsa", 4096); + test_pki_delete_root(Arc::clone(&c), &root_token, "pki", true); + + #[cfg(feature = "crypto_adaptor_tongsuo")] + { + test_pki_mount(Arc::clone(&c), &root_token, "sm2pki"); + test_pki_generate_root(Arc::clone(&c), &root_token, "sm2pki", "sm2", 256, true, true); + test_pki_config_role(Arc::clone(&c), &root_token, "sm2pki", "sm2", 256); + test_pki_issue_cert_by_generate_root(Arc::clone(&c), &root_token, "sm2pki", "sm2", 256); + test_pki_delete_root(Arc::clone(&c), &root_token, "sm2pki", true); + } } } } diff --git a/src/modules/pki/path_issue.rs b/src/modules/pki/path_issue.rs index 9c203d6..2cb78af 100644 --- a/src/modules/pki/path_issue.rs +++ b/src/modules/pki/path_issue.rs @@ -150,6 +150,7 @@ impl PkiBackendInner { subject, dns_sans: common_names, ip_sans, + key_type: role_entry.key_type.clone(), key_bits: role_entry.key_bits, ..cert::Certificate::default() }; diff --git a/src/modules/pki/path_keys.rs b/src/modules/pki/path_keys.rs index f290727..58e3f66 100644 --- a/src/modules/pki/path_keys.rs +++ b/src/modules/pki/path_keys.rs @@ -308,9 +308,7 @@ impl PkiBackendInner { key_bundle.bits = (key_bundle.key.len() as u32) * 8; match key_bundle.bits { 128 | 192 | 256 => {}, - _ => { - return Err(RvError::ErrPkiKeyBitsInvalid); - } + _ => return Err(RvError::ErrPkiKeyBitsInvalid), }; let iv_value = req.get_data_or_default("iv")?; let is_iv_required = matches!(key_type, "aes-gcm" | "aes-cbc" | "sm4-gcm" | "sm4-ccm"); diff --git a/src/modules/pki/path_roles.rs b/src/modules/pki/path_roles.rs index 59b1927..7112ab1 100644 --- a/src/modules/pki/path_roles.rs +++ b/src/modules/pki/path_roles.rs @@ -359,6 +359,16 @@ impl PkiBackendInner { return Err(RvError::ErrPkiKeyBitsInvalid); } } + #[cfg(feature = "crypto_adaptor_tongsuo")] + "sm2" => { + if key_bits == 0 { + key_bits = 256; + } + + if key_bits != 256 { + return Err(RvError::ErrPkiKeyBitsInvalid); + } + }, _ => { return Err(RvError::ErrPkiKeyTypeInvalid); } diff --git a/src/modules/pki/util.rs b/src/modules/pki/util.rs index 05c56b9..ee24775 100644 --- a/src/modules/pki/util.rs +++ b/src/modules/pki/util.rs @@ -40,9 +40,17 @@ pub fn get_role_params(req: &mut Request) -> Result { return Err(RvError::ErrPkiKeyBitsInvalid); } } - _ => { - return Err(RvError::ErrPkiKeyTypeInvalid); + #[cfg(feature = "crypto_adaptor_tongsuo")] + "sm2" => { + if key_bits == 0 { + key_bits = 256; + } + + if key_bits != 256 { + return Err(RvError::ErrPkiKeyBitsInvalid); + } } + _ => return Err(RvError::ErrPkiKeyTypeInvalid), } let signature_bits = req.get_data_or_default("signature_bits")?.as_u64().ok_or(RvError::ErrRequestFieldInvalid)?; @@ -145,6 +153,7 @@ pub fn generate_certificate(role_entry: &RoleEntry, req: &mut Request) -> Result subject, dns_sans: common_names, ip_sans, + key_type: role_entry.key_type.clone(), key_bits: role_entry.key_bits, ..Default::default() }; diff --git a/src/utils/cert.rs b/src/utils/cert.rs index e9a594a..84c0331 100644 --- a/src/utils/cert.rs +++ b/src/utils/cert.rs @@ -283,10 +283,16 @@ impl Certificate { AuthorityKeyIdentifier::new().keyid(true).issuer(false).build(&builder.x509v3_context(ca_cert, None))?; builder.append_extension(authority_key_id)?; + let digest = match self.key_type.as_str() { + "rsa" | "ec" => MessageDigest::sha256(), + #[cfg(feature = "crypto_adaptor_tongsuo")] + "sm2" => MessageDigest::sm3(), + _ => return Err(RvError::ErrPkiKeyTypeInvalid), + }; if ca_key.is_some() { - builder.sign(ca_key.as_ref().unwrap(), MessageDigest::sha256())?; + builder.sign(ca_key.as_ref().unwrap(), digest)?; } else { - builder.sign(private_key, MessageDigest::sha256())?; + builder.sign(private_key, digest)?; } Ok(builder.build()) @@ -300,12 +306,13 @@ impl Certificate { let key_bits = self.key_bits; let priv_key = match self.key_type.as_str() { "rsa" => { - if key_bits != 2048 && key_bits != 3072 && key_bits != 4096 { - return Err(RvError::ErrPkiKeyBitsInvalid); + match key_bits { + 2048 | 3072 | 4096 => { + let rsa_key = Rsa::generate(key_bits)?; + PKey::from_rsa(rsa_key)? + }, + _ => return Err(RvError::ErrPkiKeyBitsInvalid), } - let rsa_key = Rsa::generate(key_bits)?; - let pkey = PKey::from_rsa(rsa_key)?; - pkey } "ec" => { let curve_name = match key_bits { @@ -313,18 +320,22 @@ impl Certificate { 256 => Nid::SECP256K1, 384 => Nid::SECP384R1, 521 => Nid::SECP521R1, - _ => { - return Err(RvError::ErrPkiKeyBitsInvalid); - } + _ => return Err(RvError::ErrPkiKeyBitsInvalid), }; let ec_group = EcGroup::from_curve_name(curve_name)?; let ec_key = EcKey::generate(ec_group.as_ref())?; - let pkey = PKey::from_ec_key(ec_key)?; - pkey + PKey::from_ec_key(ec_key)? } - _ => { - return Err(RvError::ErrPkiKeyTypeInvalid); + #[cfg(feature = "crypto_adaptor_tongsuo")] + "sm2" => { + if key_bits != 256 { + return Err(RvError::ErrPkiKeyBitsInvalid); + } + let ec_group = EcGroup::from_curve_name(Nid::SM2)?; + let ec_key = EcKey::generate(&ec_group)?; + PKey::from_ec_key(ec_key)? } + _ => return Err(RvError::ErrPkiKeyTypeInvalid), }; let cert = self.to_x509(ca_cert, ca_key, &priv_key)?; diff --git a/src/utils/key.rs b/src/utils/key.rs index 8e20a8d..e3bc584 100644 --- a/src/utils/key.rs +++ b/src/utils/key.rs @@ -136,9 +136,7 @@ impl KeyBundle { rand_bytes(&mut key)?; key }, - _ => { - return Err(RvError::ErrPkiKeyTypeInvalid); - } + _ => return Err(RvError::ErrPkiKeyTypeInvalid), }; self.key = priv_key;