diff --git a/keyserver/addons/rust-node-addon/Cargo.lock b/keyserver/addons/rust-node-addon/Cargo.lock --- a/keyserver/addons/rust-node-addon/Cargo.lock +++ b/keyserver/addons/rust-node-addon/Cargo.lock @@ -19,6 +19,28 @@ "password-hash", ] +[[package]] +name = "async-stream" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cd56dd203fef61ac097dd65721a419ddccb106b2d2b70ba60a6b529f03961a51" +dependencies = [ + "async-stream-impl", + "futures-core", + "pin-project-lite", +] + +[[package]] +name = "async-stream-impl" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "16e62a023e7c117e27523144c5d2459f4397fcc3cab0085af8e2224f643a0193" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.15", +] + [[package]] name = "async-trait" version = "0.1.68" @@ -141,6 +163,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "89b2fd2a0dcf38d7971e2194b6b6eebab45ae01067456a7fd93d5547a61b70be" +[[package]] +name = "cc" +version = "1.0.79" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" + [[package]] name = "cfg-if" version = "1.0.0" @@ -618,6 +646,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440" +[[package]] +name = "js-sys" +version = "0.3.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730" +dependencies = [ + "wasm-bindgen", +] + [[package]] name = "lazy_static" version = "1.4.0" 
@@ -1045,6 +1082,21 @@ "winapi", ] +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi", +] + [[package]] name = "rust-node-addon" version = "0.1.0" @@ -1067,6 +1119,37 @@ "tracing-subscriber", ] +[[package]] +name = "rustls" +version = "0.21.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e32ca28af694bc1bbf399c33a516dbdf1c90090b8ab23c2bc24f834aa2247f5f" +dependencies = [ + "log", + "ring", + "rustls-webpki", + "sct", +] + +[[package]] +name = "rustls-pemfile" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d3987094b1d07b653b7dfdc3f70ce9a1da9c51ac18c1b06b662e4f9a0e9f4b2" +dependencies = [ + "base64", +] + +[[package]] +name = "rustls-webpki" +version = "0.100.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6207cd5ed3d8dca7816f8f3725513a34609c0c765bf652b8c3cb4cfd87db46b" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "rustversion" version = "1.0.11" @@ -1079,6 +1162,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041" +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "sec1" version = "0.3.0" @@ -1168,6 +1261,12 @@ "winapi", ] +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + [[package]] name = "subtle" version = "2.4.1" 
@@ -1277,6 +1376,16 @@ "syn 1.0.107", ] +[[package]] +name = "tokio-rustls" +version = "0.24.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" +dependencies = [ + "rustls", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.12" @@ -1308,6 +1417,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" dependencies = [ + "async-stream", "async-trait", "axum", "base64", @@ -1322,7 +1432,9 @@ "percent-encoding", "pin-project", "prost", + "rustls-pemfile", "tokio", + "tokio-rustls", "tokio-stream", "tower", "tower-layer", @@ -1467,6 +1579,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "valuable" version = "0.1.0" @@ -1568,6 +1686,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" +[[package]] +name = "web-sys" +version = "0.3.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "which" version = "4.4.0" diff --git a/keyserver/addons/rust-node-addon/Cargo.toml b/keyserver/addons/rust-node-addon/Cargo.toml --- a/keyserver/addons/rust-node-addon/Cargo.toml +++ b/keyserver/addons/rust-node-addon/Cargo.toml 
@@ -16,7 +16,7 @@
 napi-derive = { version = "2.9.1", default-features = false }
 opaque-ke = "1.2"
 rand = "0.8"
-tonic = "0.9.1"
+tonic = { version = "0.9.1", features = ["tls"]}
 tokio = { version = "1.0", features = ["macros", "rt-multi-thread"] }
 tokio-stream = "0.1"
 tracing = "0.1"
diff --git a/keyserver/addons/rust-node-addon/src/identity_client/mod.rs b/keyserver/addons/rust-node-addon/src/identity_client/mod.rs
--- a/keyserver/addons/rust-node-addon/src/identity_client/mod.rs
+++ b/keyserver/addons/rust-node-addon/src/identity_client/mod.rs
@@ -16,6 +16,8 @@
 use napi::bindgen_prelude::*;
 use serde::{Deserialize, Serialize};
 use std::env::var;
+use std::path::Path;
+use tonic::transport::{Certificate, ClientTlsConfig};
 use tonic::{transport::Channel, Request};
 use tracing::{self, info, instrument, warn, Level};
 use tracing_subscriber::EnvFilter;
@@ -40,6 +42,22 @@
 };
 }
 
+const CERT_PATHS: &'static [&'static str] = &[
+ // MacOS and newer Ubuntu
+ "/etc/ssl/cert.pem",
+ // Common CA cert Path
+ "/etc/ssl/certs/ca-bundle.crt",
+];
+
+pub fn get_ca_cert_contents() -> Option {
+ CERT_PATHS
+ .iter()
+ .map(Path::new)
+ .filter(|p| p.exists())
+ .filter_map(|f| std::fs::read_to_string(f).ok())
+ .next()
+}
+
 #[derive(Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct IdentityServiceConfig {
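Review bot: In `get_ca_cert_contents`, `.filter(|p| p.exists())` is a check-then-read that `read_to_string` already performs, and the following `.ok()` discards the reason a candidate failed (a permission error, for instance), so the caller only ever sees a bare `None` with no indication of which path was tried. Dropping the `exists` filter and logging the failure keeps the same fall-through behaviour while making a misconfigured host diagnosable: `.filter_map(|p| std::fs::read_to_string(p).map_err(|e| warn!("Cannot read CA bundle {}: {e}", p.display())).ok())`. The explicit `'static` lifetimes on `CERT_PATHS` are redundant for a `const` (`&[&str]` suffices), and a `///` doc comment on the public fn stating that it returns the contents of the first readable bundle in `CERT_PATHS`, or `None` when none is readable, would help callers. The list only covers two layouts, so hosts whose distribution keeps the bundle under another path will fall through to `None`.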
@@ -50,22 +68,39 @@
 fn default() -> Self {
 info!("Using default identity configuration");
 Self {
- identity_socket_addr: "https://[::1]:50054".to_string(),
+ identity_socket_addr: "http://[::1]:50054".to_string(),
 }
 }
 }
 
 async fn get_identity_service_channel() -> Result {
+ let ca_cert = get_ca_cert_contents().expect("Unable to get CA bundle");
+
 info!("Connecting to identity service");
- Channel::from_static(&IDENTITY_SERVICE_CONFIG.identity_socket_addr)
- .connect()
- .await
- .map_err(|_| {
- Error::new(
- Status::GenericFailure,
- "Unable to connect to identity service".to_string(),
+
+ let mut channel =
+ Channel::from_static(&IDENTITY_SERVICE_CONFIG.identity_socket_addr);
+
+ // tls_config will fail if the underlying URI is only http://
+ if IDENTITY_SERVICE_CONFIG
+ .identity_socket_addr
+ .starts_with("https:")
+ {
+ channel = channel
+ .tls_config(
+ ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&ca_cert)),
 )
- })
+ .map_err(|_| {
+ Error::new(Status::GenericFailure, "TLS configure failed")
+ })?;
+ }
+
+ channel.connect().await.map_err(|_| {
+ Error::new(
+ Status::GenericFailure,
+ "Unable to connect to identity service".to_string(),
+ )
+ })
 }
 
 #[napi(object)]
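Review bot: `get_ca_cert_contents().expect("Unable to get CA bundle")` runs before the `starts_with("https:")` check, so with the new `http://` default a host that has neither bundle path panics at connect time even though no TLS is ever configured; the lookup belongs inside the `if`, returning an error instead of panicking: `let ca_cert = get_ca_cert_contents().ok_or_else(|| Error::new(Status::GenericFailure, "Unable to get CA bundle"))?;`. Both `map_err(|_| ...)` closures drop the tonic error, so a rejected certificate or a refused connection surfaces only as the generic message; logging the error with `warn!` before mapping it keeps the diagnostics. The default endpoint flipping from `https://` to `http://` means the default configuration now talks in plaintext, which deserves a comment on `default()` stating that this is intended for the local `[::1]` case only. The `impl Default` block enclosing `fn default()` begins above the hunk.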