Add some auth/tls logic back in

istio · Jan 21, 2025 · f1cc535 · f1cc535
1 parent dff6c92
commit f1cc535
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 38 deletions.
diff --git a/src/tls/certificate.rs b/src/tls/certificate.rs
@@ -230,7 +230,8 @@ impl WorkloadCertificate {
         roots.add_parsable_certificates(chain.iter().last().map(|c| c.der.clone()));
         roots.add_parsable_certificates(vec![CertificateDer::from_pem_file(
             "/home/sj/learning/openssl/c/root.crt",
-        ).unwrap()]);
+        )
+        .unwrap()]);
 
         Ok(WorkloadCertificate {
             cert,
@@ -259,7 +260,8 @@ impl WorkloadCertificate {
         let mut roots = (*self.roots).clone();
         roots.add_parsable_certificates(vec![CertificateDer::from_pem_file(
             "/home/sj/learning/openssl/c/root.crt",
-        ).unwrap()]);
+        )
+        .unwrap()]);
         let raw_client_cert_verifier = WebPkiClientVerifier::builder_with_provider(
             Arc::new(roots),
             crate::tls::lib::provider(),
@@ -291,7 +293,7 @@ impl WorkloadCertificate {
             .expect("client config must be valid")
             .dangerous() // Customer verifier is requires "dangerous" opt-in
             .with_custom_certificate_verifier(Arc::new(verifier))
-            .with_no_client_auth();
+            .with_client_auth_cert(self.cert_and_intermediates(), self.private_key.clone_key())?;
         cc.alpn_protocols = vec![b"h2".into()];
         cc.resumption = Resumption::disabled();
         cc.enable_sni = false;

diff --git a/src/tls/workload.rs b/src/tls/workload.rs
@@ -108,12 +108,11 @@ impl ClientCertVerifier for TrustDomainVerifier {
         intermediates: &[CertificateDer<'_>],
         now: UnixTime,
     ) -> Result<ClientCertVerified, rustls::Error> {
-        Ok(ClientCertVerified::assertion())
-        // let res = self
-        //     .base
-        //     .verify_client_cert(end_entity, intermediates, now)?;
-        // self.verify_trust_domain(end_entity)?;
-        // Ok(res)
+        let res = self
+            .base
+            .verify_client_cert(end_entity, intermediates, now)?;
+        self.verify_trust_domain(end_entity)?;
+        Ok(res)
     }
 
     fn verify_tls12_signature(
@@ -122,8 +121,7 @@ impl ClientCertVerifier for TrustDomainVerifier {
         cert: &CertificateDer<'_>,
         dss: &DigitallySignedStruct,
     ) -> Result<HandshakeSignatureValid, rustls::Error> {
-        Ok(HandshakeSignatureValid::assertion())
-        // self.base.verify_tls12_signature(message, cert, dss)
+        self.base.verify_tls12_signature(message, cert, dss)
     }
 
     fn verify_tls13_signature(
@@ -132,8 +130,7 @@ impl ClientCertVerifier for TrustDomainVerifier {
         cert: &CertificateDer<'_>,
         dss: &DigitallySignedStruct,
     ) -> Result<HandshakeSignatureValid, rustls::Error> {
-        Ok(HandshakeSignatureValid::assertion())
-        // self.base.verify_tls13_signature(message, cert, dss)
+        self.base.verify_tls13_signature(message, cert, dss)
     }
 
     fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
@@ -188,31 +185,30 @@ pub struct IdentityVerifier {
 
 impl IdentityVerifier {
     fn verify_full_san(&self, server_cert: &CertificateDer<'_>) -> Result<(), rustls::Error> {
-        Ok(())
-        // use x509_parser::prelude::*;
-        // let (_, c) = X509Certificate::from_der(server_cert).map_err(|_e| {
-        //     rustls::Error::InvalidCertificate(rustls::CertificateError::BadEncoding)
-        // })?;
-        // let id = tls::certificate::identities(c).map_err(|_e| {
-        //     rustls::Error::InvalidCertificate(
-        //         rustls::CertificateError::ApplicationVerificationFailure,
-        //     )
-        // })?;
-        // trace!(
-        //     "verifying server identities {id:?} against {:?}",
-        //     self.identity
-        // );
-        // for ident in id.iter() {
-        //     if let Some(_i) = self.identity.iter().find(|id| id == &ident) {
-        //         return Ok(());
-        //     }
-        // }
-        // debug!("identity mismatch {id:?} != {:?}", self.identity);
-        // Err(rustls::Error::InvalidCertificate(
-        //     rustls::CertificateError::Other(rustls::OtherError(Arc::new(DebugAsDisplay(
-        //         TlsError::SanError(self.identity.clone(), id),
-        //     )))),
-        // ))
+        use x509_parser::prelude::*;
+        let (_, c) = X509Certificate::from_der(server_cert).map_err(|_e| {
+            rustls::Error::InvalidCertificate(rustls::CertificateError::BadEncoding)
+        })?;
+        let id = tls::certificate::identities(c).map_err(|_e| {
+            rustls::Error::InvalidCertificate(
+                rustls::CertificateError::ApplicationVerificationFailure,
+            )
+        })?;
+        trace!(
+            "verifying server identities {id:?} against {:?}",
+            self.identity
+        );
+        for ident in id.iter() {
+            if let Some(_i) = self.identity.iter().find(|id| id == &ident) {
+                return Ok(());
+            }
+        }
+        debug!("identity mismatch {id:?} != {:?}", self.identity);
+        Err(rustls::Error::InvalidCertificate(
+            rustls::CertificateError::Other(rustls::OtherError(Arc::new(DebugAsDisplay(
+                TlsError::SanError(self.identity.clone(), id),
+            )))),
+        ))
     }
 }