use mirage-crypto and modern tls
This commit is contained in:
Hannes Mehnert
parent
22ce1fbdbc
commit
a134218b64
10
.merlin
10
.merlin
|
|
@ -1,10 +0,0 @@
|
||||||
S src
|
|
||||||
S stats
|
|
||||||
S app
|
|
||||||
S provision
|
|
||||||
|
|
||||||
B _build/**
|
|
||||||
|
|
||||||
PKG topkg logs ipaddr x509 tls rresult bos lwt cmdliner hex duration
|
|
||||||
PKG ptime ptime.clock.os ipaddr.unix decompress
|
|
||||||
PKG lwt.unix
|
|
||||||
|
|
@ -10,10 +10,9 @@ env:
|
||||||
- DISTRO=ubuntu
|
- DISTRO=ubuntu
|
||||||
- TESTS=false
|
- TESTS=false
|
||||||
matrix:
|
matrix:
|
||||||
- OCAML_VERSION=4.05
|
|
||||||
- OCAML_VERSION=4.06
|
|
||||||
- OCAML_VERSION=4.07
|
- OCAML_VERSION=4.07
|
||||||
- OCAML_VERSION=4.08
|
- OCAML_VERSION=4.08
|
||||||
- OCAML_VERSION=4.09
|
- OCAML_VERSION=4.09
|
||||||
|
- OCAML_VERSION=4.10
|
||||||
notifications:
|
notifications:
|
||||||
email: false
|
email: false
|
||||||
|
|
|
||||||
|
|
@ -6,8 +6,8 @@ dev-repo: "git+https://github.com/hannesm/albatross.git"
|
||||||
bug-reports: "https://github.com/hannesm/albatross/issues"
|
bug-reports: "https://github.com/hannesm/albatross/issues"
|
||||||
|
|
||||||
depends: [
|
depends: [
|
||||||
"ocaml" {>= "4.05.0"}
|
"ocaml" {>= "4.07.0"}
|
||||||
"dune" {build}
|
"dune"
|
||||||
"lwt" {>= "3.0.0"}
|
"lwt" {>= "3.0.0"}
|
||||||
"ipaddr" {>= "4.0.0"}
|
"ipaddr" {>= "4.0.0"}
|
||||||
"hex"
|
"hex"
|
||||||
|
|
@ -20,9 +20,10 @@ depends: [
|
||||||
"fmt"
|
"fmt"
|
||||||
"astring"
|
"astring"
|
||||||
"jsonm"
|
"jsonm"
|
||||||
"x509" {>= "0.9.0"}
|
"x509" {>= "0.10.0"}
|
||||||
"tls" {>= "0.9.0"}
|
"tls" {>= "0.11.0"}
|
||||||
"nocrypto"
|
"mirage-crypto-pk"
|
||||||
|
"mirage-crypto-rng"
|
||||||
"asn1-combinators" {>= "0.2.0"}
|
"asn1-combinators" {>= "0.2.0"}
|
||||||
"duration"
|
"duration"
|
||||||
"decompress" {>= "0.9.0" & < "1.0.0"}
|
"decompress" {>= "0.9.0" & < "1.0.0"}
|
||||||
|
|
|
||||||
|
|
@ -47,7 +47,7 @@ let handle (host, port) cert key ca id (cmd : Vmm_commands.t) =
|
||||||
| _, Error (`Msg e) ->
|
| _, Error (`Msg e) ->
|
||||||
Lwt.fail_with ("couldn't parse private key (" ^ key ^ "): " ^ e)
|
Lwt.fail_with ("couldn't parse private key (" ^ key ^ "): " ^ e)
|
||||||
| Ok cert, Ok key ->
|
| Ok cert, Ok key ->
|
||||||
let tmpkey = Nocrypto.Rsa.generate 4096 in
|
let tmpkey = Mirage_crypto_pk.Rsa.generate ~bits:4096 () in
|
||||||
let name = Vmm_core.Name.to_string id in
|
let name = Vmm_core.Name.to_string id in
|
||||||
let extensions =
|
let extensions =
|
||||||
let v = Vmm_asn.to_cert_extension cmd in
|
let v = Vmm_asn.to_cert_extension cmd in
|
||||||
|
|
@ -65,7 +65,7 @@ let handle (host, port) cert key ca id (cmd : Vmm_commands.t) =
|
||||||
in
|
in
|
||||||
let valid_from, valid_until = timestamps 300 in
|
let valid_from, valid_until = timestamps 300 in
|
||||||
let extensions =
|
let extensions =
|
||||||
let capub = match key with `RSA key -> Nocrypto.Rsa.pub_of_priv key in
|
let capub = match key with `RSA key -> Mirage_crypto_pk.Rsa.pub_of_priv key in
|
||||||
key_ids extensions Signing_request.((info csr).public_key) (`RSA capub)
|
key_ids extensions Signing_request.((info csr).public_key) (`RSA capub)
|
||||||
in
|
in
|
||||||
let issuer = Certificate.subject cert in
|
let issuer = Certificate.subject cert in
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,6 @@ let rec read_tls_write_cons t =
|
||||||
read_tls_write_cons t
|
read_tls_write_cons t
|
||||||
|
|
||||||
let client cas host port cert priv_key =
|
let client cas host port cert priv_key =
|
||||||
Nocrypto_entropy_lwt.initialize () >>= fun () ->
|
|
||||||
let auth = if Sys.is_directory cas then `Ca_dir cas else `Ca_file cas in
|
let auth = if Sys.is_directory cas then `Ca_dir cas else `Ca_file cas in
|
||||||
X509_lwt.authenticator auth >>= fun authenticator ->
|
X509_lwt.authenticator auth >>= fun authenticator ->
|
||||||
Lwt.catch (fun () ->
|
Lwt.catch (fun () ->
|
||||||
|
|
@ -52,6 +51,7 @@ let run_client _ cas cert key (host, port) =
|
||||||
| Tls_lwt.Tls_failure f -> Some ("TLS failure: " ^ Tls.Engine.string_of_failure f)
|
| Tls_lwt.Tls_failure f -> Some ("TLS failure: " ^ Tls.Engine.string_of_failure f)
|
||||||
| _ -> None) ;
|
| _ -> None) ;
|
||||||
Sys.(set_signal sigpipe Signal_ignore) ;
|
Sys.(set_signal sigpipe Signal_ignore) ;
|
||||||
|
Mirage_crypto_rng_unix.initialize ();
|
||||||
Lwt_main.run (client cas host port cert key)
|
Lwt_main.run (client cas host port cert key)
|
||||||
|
|
||||||
open Cmdliner
|
open Cmdliner
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ let sign ?dbname ?certname extensions issuer key csr delta =
|
||||||
| Some _ ->
|
| Some _ ->
|
||||||
match key with
|
match key with
|
||||||
| `RSA priv ->
|
| `RSA priv ->
|
||||||
let capub = `RSA (Nocrypto.Rsa.pub_of_priv priv) in
|
let capub = `RSA (Mirage_crypto_pk.Rsa.pub_of_priv priv) in
|
||||||
key_ids extensions X509.Signing_request.((info csr).public_key) capub
|
key_ids extensions X509.Signing_request.((info csr).public_key) capub
|
||||||
in
|
in
|
||||||
X509.Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer >>= fun cert ->
|
X509.Signing_request.sign csr ~valid_from ~valid_until ~extensions key issuer >>= fun cert ->
|
||||||
|
|
@ -69,7 +69,7 @@ let priv_key ?(bits = 2048) fn name =
|
||||||
Bos.OS.File.exists file >>= function
|
Bos.OS.File.exists file >>= function
|
||||||
| false ->
|
| false ->
|
||||||
Logs.info (fun m -> m "creating new RSA key %a" Fpath.pp file) ;
|
Logs.info (fun m -> m "creating new RSA key %a" Fpath.pp file) ;
|
||||||
let priv = `RSA (Nocrypto.Rsa.generate bits) in
|
let priv = `RSA (Mirage_crypto_pk.Rsa.generate ~bits ()) in
|
||||||
Bos.OS.File.write ~mode:0o400 file (Cstruct.to_string (X509.Private_key.encode_pem priv)) >>= fun () ->
|
Bos.OS.File.write ~mode:0o400 file (Cstruct.to_string (X509.Private_key.encode_pem priv)) >>= fun () ->
|
||||||
Ok priv
|
Ok priv
|
||||||
| true ->
|
| true ->
|
||||||
|
|
|
||||||
|
|
@ -59,7 +59,7 @@ let sign_csr dbname cacert key csr days =
|
||||||
| Error e -> Error e
|
| Error e -> Error e
|
||||||
|
|
||||||
let sign_main _ db cacert cakey csrname days =
|
let sign_main _ db cacert cakey csrname days =
|
||||||
Nocrypto_entropy_unix.initialize () ;
|
Mirage_crypto_rng_unix.initialize () ;
|
||||||
Bos.OS.File.read (Fpath.v cacert) >>= fun cacert ->
|
Bos.OS.File.read (Fpath.v cacert) >>= fun cacert ->
|
||||||
Certificate.decode_pem (Cstruct.of_string cacert) >>= fun cacert ->
|
Certificate.decode_pem (Cstruct.of_string cacert) >>= fun cacert ->
|
||||||
Bos.OS.File.read (Fpath.v cakey) >>= fun pk ->
|
Bos.OS.File.read (Fpath.v cakey) >>= fun pk ->
|
||||||
|
|
@ -74,7 +74,7 @@ let help _ man_format cmds = function
|
||||||
| Some _ -> List.iter print_endline cmds; `Ok ()
|
| Some _ -> List.iter print_endline cmds; `Ok ()
|
||||||
|
|
||||||
let generate _ name db days sname sdays =
|
let generate _ name db days sname sdays =
|
||||||
Nocrypto_entropy_unix.initialize () ;
|
Mirage_crypto_rng_unix.initialize () ;
|
||||||
priv_key ~bits:4096 None name >>= fun key ->
|
priv_key ~bits:4096 None name >>= fun key ->
|
||||||
let name = [ Distinguished_name.(Relative_distinguished_name.singleton (CN name)) ] in
|
let name = [ Distinguished_name.(Relative_distinguished_name.singleton (CN name)) ] in
|
||||||
let csr = Signing_request.create name key in
|
let csr = Signing_request.create name key in
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@ let csr priv name cmd =
|
||||||
X509.Signing_request.create name ~extensions priv
|
X509.Signing_request.create name ~extensions priv
|
||||||
|
|
||||||
let jump id cmd =
|
let jump id cmd =
|
||||||
Nocrypto_entropy_unix.initialize () ;
|
Mirage_crypto_rng_unix.initialize () ;
|
||||||
let name = Vmm_core.Name.to_string id in
|
let name = Vmm_core.Name.to_string id in
|
||||||
priv_key None name >>= fun priv ->
|
priv_key None name >>= fun priv ->
|
||||||
let csr = csr priv name cmd in
|
let csr = csr priv name cmd in
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@
|
||||||
(public_name albatross.provision)
|
(public_name albatross.provision)
|
||||||
(wrapped false)
|
(wrapped false)
|
||||||
(modules albatross_provision)
|
(modules albatross_provision)
|
||||||
(libraries albatross.cli x509 nocrypto.unix))
|
(libraries albatross.cli x509 mirage-crypto-pk mirage-crypto-rng.unix))
|
||||||
|
|
||||||
(executable
|
(executable
|
||||||
(name albatross_provision_ca)
|
(name albatross_provision_ca)
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,8 @@ let () =
|
||||||
(package albatross)
|
(package albatross)
|
||||||
(modules albatross_stat_client)
|
(modules albatross_stat_client)
|
||||||
%s
|
%s
|
||||||
(libraries albatross.cli albatross.stats albatross)) |}
|
(libraries albatross.cli albatross.stats albatross))
|
||||||
|
|}
|
||||||
(if freebsd then "(link_flags (-ccopt \"-lvmmapi\"))" else "")
|
(if freebsd then "(link_flags (-ccopt \"-lvmmapi\"))" else "")
|
||||||
(if freebsd then "(link_flags (-ccopt \"-lvmmapi\"))" else "")
|
(if freebsd then "(link_flags (-ccopt \"-lvmmapi\"))" else "")
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ let tls_config cacert cert priv_key =
|
||||||
|
|
||||||
let client_auth ca tls =
|
let client_auth ca tls =
|
||||||
let authenticator =
|
let authenticator =
|
||||||
let time = Ptime_clock.now () in
|
let time () = Some (Ptime_clock.now ()) in
|
||||||
X509.Authenticator.chain_of_trust ~time (* ~crls:!state.Vmm_engine.crls *) [ca]
|
X509.Authenticator.chain_of_trust ~time (* ~crls:!state.Vmm_engine.crls *) [ca]
|
||||||
in
|
in
|
||||||
Lwt.catch
|
Lwt.catch
|
||||||
|
|
|
||||||
|
|
@ -15,10 +15,10 @@ let server_socket port =
|
||||||
|
|
||||||
let jump _ cacert cert priv_key port tmpdir =
|
let jump _ cacert cert priv_key port tmpdir =
|
||||||
Sys.(set_signal sigpipe Signal_ignore);
|
Sys.(set_signal sigpipe Signal_ignore);
|
||||||
|
Mirage_crypto_rng_unix.initialize ();
|
||||||
Albatross_cli.set_tmpdir tmpdir;
|
Albatross_cli.set_tmpdir tmpdir;
|
||||||
Lwt_main.run
|
Lwt_main.run
|
||||||
(Nocrypto_entropy_lwt.initialize () >>= fun () ->
|
(server_socket port >>= fun socket ->
|
||||||
server_socket port >>= fun socket ->
|
|
||||||
tls_config cacert cert priv_key >>= fun (config, ca) ->
|
tls_config cacert cert priv_key >>= fun (config, ca) ->
|
||||||
let rec loop () =
|
let rec loop () =
|
||||||
Lwt.catch (fun () ->
|
Lwt.catch (fun () ->
|
||||||
|
|
|
||||||
|
|
@ -5,10 +5,10 @@ open Albatross_tls_common
|
||||||
|
|
||||||
let jump cacert cert priv_key tmpdir =
|
let jump cacert cert priv_key tmpdir =
|
||||||
Sys.(set_signal sigpipe Signal_ignore) ;
|
Sys.(set_signal sigpipe Signal_ignore) ;
|
||||||
|
Mirage_crypto_rng_unix.initialize ();
|
||||||
Albatross_cli.set_tmpdir tmpdir;
|
Albatross_cli.set_tmpdir tmpdir;
|
||||||
Lwt_main.run
|
Lwt_main.run
|
||||||
(Nocrypto_entropy_lwt.initialize () >>= fun () ->
|
(tls_config cacert cert priv_key >>= fun (config, ca) ->
|
||||||
tls_config cacert cert priv_key >>= fun (config, ca) ->
|
|
||||||
let fd = Lwt_unix.of_unix_file_descr Unix.stdin in
|
let fd = Lwt_unix.of_unix_file_descr Unix.stdin in
|
||||||
Lwt.catch
|
Lwt.catch
|
||||||
(fun () -> Tls_lwt.Unix.server_of_fd config fd)
|
(fun () -> Tls_lwt.Unix.server_of_fd config fd)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue