From 047e67464c598685a06e30e8213e0cc6b7e41a55 Mon Sep 17 00:00:00 2001
From: Aaron Kaiser
Date: Mon, 14 Oct 2024 17:15:57 +0200
Subject: [PATCH] use agent

---
Cargo.lock | 2 +-
flake.lock | 26 ++++++++++++++++++++++++++
flake.nix | 12 ++++++++++++
keyfile | Bin 0 -> 1024 bytes
shell.nix | 24 ++++++++++++++++++++++++
src/certificate_resolver.rs | 27 ++++++++++++++------------- 
src/main.rs | 5 ++---
7 files changed, 79 insertions(+), 17 deletions(-)
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 keyfile
create mode 100644 shell.nix

diff --git a/Cargo.lock b/Cargo.lock
index 235d773..67f94c2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5,7 +5,7 @@ version = 3
 [[package]]
 name = "agent_lib"
 version = "0.1.0"
-source = "git+https://gitea.rixxc.de/rixxc/agent_lib.git#5c05bd7921d7dd496d68d60cb92e23b9ffea59b4"
+source = "git+https://gitea.rixxc.de/rixxc/agent_lib.git#d770fd2641a9697a1e08f866456a4e142f143ed8"
 dependencies = [
 "anyhow",
 "libc",
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..0805874
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,26 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1728018373,
+"narHash": "sha256-NOiTvBbRLIOe5F6RbHaAh6++BNjsb149fGZd1T4+KBg=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
+"type": "github"
+},
+"original": {
+"id": "nixpkgs",
+"ref": "nixos-unstable",
+"type": "indirect"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..0c3c1cf
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,12 @@
+{
+inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
+
+outputs = { nixpkgs, ... }:
+let
+system = "x86_64-linux";
+pkgs = import nixpkgs { inherit system; };
+in
+{
+devShells.${system}.default = pkgs.callPackage ./shell.nix { inherit pkgs; };
+};
+}
diff --git a/keyfile b/keyfile
new file mode 100644
index 0000000000000000000000000000000000000000..b8b6c2b81acd79e97ffaee589d414b38fe5a10df
GIT binary patch
literal 1024
zcmZ=>^LSAP`|Z%4EAQ@eoU><$7FoL|=zQL5X7jg9l8zd?%#Noh7wT+G+RC)XR{FG1 hb { } }:
+with pkgs;
+let
+ed25519_agent_lib = callPackage "${fetchgit {
+url = "https://gitea.rixxc.de/rixxc/ed25519_agent.git";
+rev = "d2ae2cd9142671a8e13d6f133b8d5429e507cd78";
+hash = "sha256-hKKzsRY7IvM4eq8ybWZ5Z/ix7Oaohvcz6qngM+jGIgU=";
+}}/default.nix"
+{ inherit pkgs; };
+
+harness = fetchgit {
+url = "https://gitea.rixxc.de/rixxc/agent_harness.git";
+rev = "f7720356f3db3bdf2b115e13afe521ba06c10fe1";
+hash = "sha256-6FTNByDZp9DRukuMQrlsrbouSytrllfdrULhS7UMwqs=";
+};
+
+ed25519_agent = callPackage "${harness}/default.nix" { inherit pkgs; agent = ed25519_agent_lib; };
+in
+mkShell {
+name = "agent-test";
+
+ED25519_AGENT_PATH = "${ed25519_agent}/bin/agent_harness";
+ED25519_KEYFILE = "./keyfile";
+}
diff --git a/src/certificate_resolver.rs b/src/certificate_resolver.rs
index 774c262..2301b6d 100644
--- a/src/certificate_resolver.rs
+++ b/src/certificate_resolver.rs
@@ -1,19 +1,18 @@
+use agent_lib::{ed25519::Ed25519PrivKey, SharedPtr};
 use rustls::{pki_types::CertificateDer, server::{ClientHello, ResolvesServerCert}, sign::{CertifiedKey, Signer as TLSSigner, SigningKey}, SignatureAlgorithm, SignatureScheme};
-// use rustls_pki_types::CertificateDer;
-use std::{sync::Arc, fs, io::BufReader};
-use ed25519_dalek::Signer;
+use std::{fs, io::BufReader, ops::Deref, sync::Arc};
 
 #[derive(Debug)]
 pub struct CertificateResolver {
 cert_filename: String,
-key: [u8; 32]
+key: Arc
 }
 
 impl CertificateResolver {
-pub fn new(cert_filename: String, key: [u8; 32]) -> Self {
+pub fn new(cert_filename: String, key: Ed25519PrivKey) -> Self {
 Self {
 cert_filename,
-key
+key: Arc::new(key)
 }
 }
 }
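Review bot: `keyfile` is a 1024-byte binary committed to the repository, and the shell.nix hunk in this same diff wires it in through `ED25519_KEYFILE = "./keyfile";`, so it is presumably private key material for the agent harness. Key material should not be versioned: once committed it stays in history even after removal, so unless this is a throwaway test key it should be treated as exposed and regenerated, with `keyfile` added to `.gitignore` and produced by a setup step instead. If it is intentionally a test-only key, say so next to the variable, e.g. `ED25519_KEYFILE = "./keyfile"; # test-only key for the dev shell, never reuse elsewhere`. The boundary between the keyfile binary hunk and the start of shell.nix is garbled in this view, so the first shell.nix line could not be checked.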
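Review bot: `CertificateResolver` keeps `#[derive(Debug)]` while its `key` field now holds the `Arc`-wrapped `Ed25519PrivKey`; whether `{:?}` on the resolver prints secret bytes depends on `Ed25519PrivKey`'s Debug impl, which is not visible here — confirm it redacts, or implement `Debug` by hand and print only `cert_filename`. The same question applies to `Ed25519Key` and `Ed25519Signer` in the later hunks of this file, which also derive `Debug` over the same key. `pub fn new` is public API with no doc comment; `/// Builds a resolver that serves the certificate at `cert_filename` and signs handshakes with `key`.` would be enough.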
@@ -31,7 +30,7 @@ impl ResolvesServerCert for CertificateResolver {
 Some(Arc::new(CertifiedKey {
 cert: vec![cert],
 key: Arc::new(Ed25519Key{
-key: self.key
+key: self.key.clone()
 }),
 ocsp: None
 }))
@@ -40,13 +39,13 @@ impl ResolvesServerCert for CertificateResolver {
 
 #[derive(Debug)]
 struct Ed25519Key {
-key: [u8; 32]
+key: Arc
 }
 
 impl SigningKey for Ed25519Key {
 fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option> {
 if offered.contains(&SignatureScheme::ED25519) {
-Some(Box::new(Ed25519Signer::new(&self.key)))
+Some(Box::new(Ed25519Signer::new(self.key.clone())))
 } else {
 None
 }
@@ -59,13 +58,13 @@ impl SigningKey for Ed25519Key {
 
 #[derive(Debug)]
 struct Ed25519Signer {
-key: ed25519_dalek::SigningKey
+key: Arc
 }
 
 impl Ed25519Signer {
-fn new(key: &[u8; 32]) -> Self {
+fn new(key: Arc) -> Self {
 Self {
-key: ed25519_dalek::SigningKey::from_bytes(key)
+key
 }
 }
 }
@@ -76,6 +75,8 @@ impl TLSSigner for Ed25519Signer {
 }
 
 fn sign(&self, message: &[u8]) -> Result, rustls::Error> {
-Ok(self.key.sign(message).to_vec())
+let mut msg = SharedPtr::new(message.len()).expect("SharedPtr allocation failed");
+msg.copy_from_slice(message);
+Ok(agent_lib::ed25519::ed25519_sign(self.key.deref(), &msg).to_vec())
 }
 }
diff --git a/src/main.rs b/src/main.rs
index 8b47a3c..05a6658 100644
--- a/src/main.rs
+++ b/src/main.rs
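Review bot: In `sign`, `SharedPtr::new(message.len()).expect("SharedPtr allocation failed")` panics inside the TLS signing path, which rustls runs while serving a client handshake, so an allocation failure there takes down the whole server instead of failing that one handshake; the function already returns `Result<_, rustls::Error>`, so propagate instead: `let mut msg = SharedPtr::new(message.len()).map_err(|_| rustls::Error::General("SharedPtr allocation failed".into()))?;`. Whether `SharedPtr::new(0)` succeeds for an empty `message` is not visible here and deserves a test. As a style point, `self.key.deref()` can be written `&*self.key` (or `&self.key`, if `ed25519_sign` takes a plain reference), which would also let the `ops::Deref` import added in the first hunk go.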
@@ -3,15 +3,14 @@ mod certificate_resolver;
 use std::{error::Error, io::Write};
 use std::net::TcpListener;
 use std::sync::Arc;
+use agent_lib::ed25519::Ed25519PrivKey;
 use rustls::server::{ServerConfig, Acceptor};
 use certificate_resolver::CertificateResolver;
 
 fn main() -> Result<(), Box> {
 env_logger::init();
 
-let ed25519_key = [67, 172, 227, 162, 104, 7, 219, 85, 140, 212, 238, 223, 8, 206, 63, 0, 91, 20, 173, 188, 82, 207, 110, 235, 3, 55, 237, 2, 25, 65, 40, 186];
-
-let cert_resolver = Arc::new(CertificateResolver::new("./ed25519.crt".to_string(), ed25519_key));
+let cert_resolver = Arc::new(CertificateResolver::new("./ed25519.crt".to_string(), Ed25519PrivKey::from(&[0,0,0,0,0,0,0,0])));
 
 let config = Arc::new(ServerConfig::builder()
 .with_no_client_auth()
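Review bot: The server's private key is now `Ed25519PrivKey::from(&[0,0,0,0,0,0,0,0])`, a hard-coded all-zero literal in `main`, which swaps one embedded secret for another rather than removing the pattern; unless `from(&[u8; 8])` yields a handle into the agent rather than key bytes (not visible here), an all-zero key is either rejected by the agent or a well-known weak key. shell.nix in this same diff defines `ED25519_KEYFILE` for exactly this purpose, so `main` should read the path with `let key_path = std::env::var("ED25519_KEYFILE")?;` and build the key from that file with whatever loader `agent_lib` provides, failing at startup when the variable or file is missing. The removed 32-byte literal also remains in git history; if it was ever used as a real key it should be considered disclosed and rotated. `main` continues past the end of this hunk.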