Set X509 SAN with local DNSname/IP/IPv6

Set X509 Subject Alternative Name with local
DNS names (localhost, localhost.domain) and
local IPs (127.0.0.1, ::1). It will also include
the contact IP stored in configuration

Resolves: #327

Signed-off-by: Sergio Arroutbi <[email protected]>

Author: sarroutbi

keylime-agent/src/main.rs

@@ -586,10 +586,16 @@ async fn main() -> Result<()> {
     let mtls_cert;
     let ssl_context;
     if config.agent.enable_agent_mtls {
+        let contact_ips = vec![config.agent.contact_ip.clone()];
         cert = match config.agent.server_cert.as_ref() {
             "" => {
                 debug!("The server_cert option was not set in the configuration file");
-                crypto::generate_x509(&nk_priv, &agent_uuid)?
+
+                crypto::generate_x509(
+                    &nk_priv,
+                    &agent_uuid,
+                    Some(contact_ips),
+                )?
             }
             path => {
                 let cert_path = Path::new(&path);
@@ -601,7 +607,11 @@ async fn main() -> Result<()> {
                     crypto::load_x509_pem(cert_path)?
                 } else {
                     debug!("Generating new mTLS certificate");
-                    let cert = crypto::generate_x509(&nk_priv, &agent_uuid)?;
+                    let cert = crypto::generate_x509(
+                        &nk_priv,
+                        &agent_uuid,
+                        Some(contact_ips),
+                    )?;
                     // Write the generated certificate
                     crypto::write_x509(&cert, cert_path)?;
                     cert

keylime-agent/src/registrar_agent.rs

@@ -233,7 +233,12 @@ mod tests {
 
         let mock_data = [0u8; 1];
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
-        let cert = crypto::generate_x509(&priv_key, "uuid").unwrap(); //#[allow_ci]
+        let cert = crypto::generate_x509(
+            &priv_key,
+            "uuid",
+            Some(vec!["1.2.3.4".to_string()]),
+        )
+        .unwrap(); //#[allow_ci]
         let response = do_register_agent(
             ip,
             port,
@@ -248,7 +253,7 @@ mod tests {
             None,
             None,
             Some(&cert),
-            "",
+            "1.2.3.4",
             0,
         )
         .await;
@@ -281,7 +286,12 @@ mod tests {
 
         let mock_data = [0u8; 1];
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
-        let cert = crypto::generate_x509(&priv_key, "uuid").unwrap(); //#[allow_ci]
+        let cert = crypto::generate_x509(
+            &priv_key,
+            "uuid",
+            Some(vec!["1.2.3.4".to_string(), "1.2.3.5".to_string()]),
+        )
+        .unwrap(); //#[allow_ci]
         let response = do_register_agent(
             ip,
             port,
@@ -325,7 +335,7 @@ mod tests {
 
         let mock_data = [0u8; 1];
         let priv_key = crypto::testing::rsa_generate(2048).unwrap(); //#[allow_ci]
-        let cert = crypto::generate_x509(&priv_key, "uuid").unwrap(); //#[allow_ci]
+        let cert = crypto::generate_x509(&priv_key, "uuid", None).unwrap(); //#[allow_ci]
         let response = do_register_agent(
             ip,
             port,

keylime/src/crypto.rs

@@ -17,7 +17,7 @@ use openssl::{
     ssl::{SslAcceptor, SslAcceptorBuilder, SslMethod, SslVerifyMode},
     symm::Cipher,
     x509::store::X509StoreBuilder,
-    x509::{X509Name, X509},
+    x509::{extension, X509Name, X509},
 };
 use picky_asn1_x509::SubjectPublicKeyInfo;
 use std::{
@@ -33,6 +33,9 @@ pub const AES_128_KEY_LEN: usize = 16;
 pub const AES_256_KEY_LEN: usize = 32;
 pub const AES_BLOCK_SIZE: usize = 16;
 
+static LOCAL_IPS: &[&str] = &["127.0.0.1", "::1"];
+static LOCAL_DNS_NAMES: &[&str] = &["localhost", "localhost.domain"];
+
 #[derive(Error, Debug)]
 pub enum CryptoError {
     /// Error getting ASN.1 Time from days from now
@@ -673,6 +676,7 @@ pub fn pkey_pub_to_pem(pubkey: &PKey<Public>) -> Result<String, CryptoError> {
 pub fn generate_x509(
     key: &PKey<Private>,
     uuid: &str,
+    additional_ips: Option<Vec<String>>,
 ) -> Result<X509, CryptoError> {
     let mut name =
         X509Name::builder().map_err(|source| CryptoError::X509NameError {
@@ -725,7 +729,7 @@ pub fn generate_x509(
     })?;
     builder.set_not_after(&valid_to).map_err(|source| {
         CryptoError::X509BuilderError {
-            message: "failed to set X509 certificate Nof After date".into(),
+            message: "failed to set X509 certificate Not After date".into(),
             source,
         }
     })?;
@@ -735,6 +739,37 @@ pub fn generate_x509(
             source,
         }
     })?;
+    let mut san = &mut extension::SubjectAlternativeName::new();
+    for local_domain_name in LOCAL_DNS_NAMES.iter() {
+        san = san.dns(local_domain_name);
+    }
+    for local_ip in LOCAL_IPS.iter() {
+        san = san.ip(local_ip);
+    }
+    match additional_ips {
+        None => {}
+        Some(ips) => {
+            for ip in ips.iter() {
+                if !LOCAL_IPS.iter().any(|e| ip.contains(e)) {
+                    san = san.ip(ip);
+                }
+            }
+        }
+    }
+    let x509 =
+        san.build(&builder.x509v3_context(None, None))
+            .map_err(|source| CryptoError::X509BuilderError {
+                message: "failed to build Subject Alternative Name".into(),
+                source,
+            })?;
+    builder.append_extension(x509).map_err(|source| {
+        CryptoError::X509BuilderError {
+            message:
+                "failed to append X509 certificate Subject Alternative Name extension"
+                    .into(),
+            source,
+        }
+    })?;
     builder
         .sign(key, MessageDigest::sha256())
         .map_err(|source| CryptoError::X509BuilderError {
@@ -1439,15 +1474,19 @@ mod tests {
     fn test_x509(privkey: PKey<Private>, pubkey: PKey<Public>) {
         let tempdir = tempfile::tempdir().unwrap(); //#[allow_ci]
 
-        let r = generate_x509(&privkey, "uuidA");
+        let r = generate_x509(&privkey, "uuidA", None);
         assert!(r.is_ok());
         let cert_a = r.unwrap(); //#[allow_ci]
         let cert_a_path = tempdir.path().join("cert_a.pem");
         let r = write_x509(&cert_a, &cert_a_path);
         assert!(r.is_ok());
         assert!(cert_a_path.exists());
 
-        let r = generate_x509(&privkey, "uuidB");
+        let r = generate_x509(
+            &privkey,
+            "uuidB",
+            Some(vec!["1.2.3.4".to_string(), "1.2.3.5".to_string()]),
+        );
         assert!(r.is_ok());
         let cert_b = r.unwrap(); //#[allow_ci]
         let cert_b_path = tempdir.path().join("cert_b.pem");