From 975d24234474ec25f2c21ea2d6937b6813742fad Mon Sep 17 00:00:00 2001 From: Christian Decker Date: Sat, 7 Jun 2025 10:48:14 +0200 Subject: [PATCH 1/5] flake: Address two small warnings about outdated versions --- flake.lock | 53 ++++++++++++++++++++++++++++------------------------- flake.nix | 2 +- 2 files changed, 29 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index 2b4169eb0ce8..bf9dff18f599 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "advisory-db": { "flake": false, "locked": { - "lastModified": 1727353582, - "narHash": "sha256-2csMEEOZhvowVKZNBHk1kMJqk72ZMrPj9LQYCzP6EKs=", + "lastModified": 1748950236, + "narHash": "sha256-kNiGMrXi5Bq/aWoQmnpK0v+ufQA4FOInhbkY56iUndc=", "owner": "rustsec", "repo": "advisory-db", - "rev": "cb905e6e405834bdff1eb1e20c9b10edb5403889", + "rev": "a1f651cba8bf224f52c5d55d8182b3bb0ebce49e", "type": "github" }, "original": { @@ -18,11 +18,11 @@ }, "crane": { "locked": { - "lastModified": 1727316705, - "narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=", + "lastModified": 1748970125, + "narHash": "sha256-UDyigbDGv8fvs9aS95yzFfOKkEjx1LO3PL3DsKopohA=", "owner": "ipetkov", "repo": "crane", - "rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e", + "rev": "323b5746d89e04b22554b061522dfce9e4c49b18", "type": "github" }, "original": { @@ -36,11 +36,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1726153070, - "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", + "lastModified": 1748821116, + "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", "type": "github" }, "original": { 
@@ -51,39 +51,42 @@ }, "nixpkgs": { "locked": { - "lastModified": 1727540905, - "narHash": "sha256-40J9tW7Y794J7Uw4GwcAKlMxlX2xISBl6IBigo83ih8=", + "lastModified": 1749086602, + "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fbca5e745367ae7632731639de5c21f29c8744ed", + "rev": "4792576cb003c994bd7cc1edada3129def20b27d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1725233747, - "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + "lastModified": 1748740939, + "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "656a64127e9d791a334452c6b6606d17539476e2", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1726871744, - "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=", + "lastModified": 1747958103, + "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2", + "rev": "fe51d34885f7b5e3e7b59572796e1bcb427eccb1", "type": "github" }, "original": { 
@@ -107,11 +110,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1727431250, - "narHash": "sha256-uGRlRT47ecicF9iLD1G3g43jn2e+b5KaMptb59LHnvM=", + "lastModified": 1749194973, + "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "879b29ae9a0378904fbbefe0dadaed43c8905754", + "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7c44aafe616b..ffbf87e42178 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "Core Lightning (CLN): A specification compliant Lightning Network implementation in C"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; flake-parts.url = "github:hercules-ci/flake-parts"; From 3a3e2ba4c1625bf89c7376e2d7f5027ceab6009d Mon Sep 17 00:00:00 2001 From: Peter Neuroth Date: Tue, 23 Sep 2025 20:02:32 +0200 Subject: [PATCH 2/5] wss-proxy: update rcgen version Update rcgen to >=14 to resolve vulnerability in ring 0.17.8 Signed-off-by: Peter Neuroth --- Cargo.lock | 21 ++++++++++++++++---- plugins/wss-proxy-plugin/Cargo.toml | 5 ++--- plugins/wss-proxy-plugin/src/certs.rs | 28 ++++++++++++++++----------- 3 files changed, 36 insertions(+), 18 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 75f85c53a514..a545a1013a3a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -512,7 +512,7 @@ dependencies = [ "cln-rpc", "log", "prost", - "rcgen", + "rcgen 0.13.2", "serde_json", "tokio", "tonic", @@ -586,7 +586,7 @@ dependencies = [ "log", "log-panics", "quick-xml", - "rcgen", + "rcgen 0.13.2", "roxmltree_to_serde", "serde", "serde_json", 
@@ -1966,6 +1966,19 @@ dependencies = [ "yasna", ] +[[package]] +name = "rcgen" +version = "0.14.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c83367ba62b3f1dbd0f086ede4e5ebfb4713fb234dbbc5807772a31245ff46d" +dependencies = [ + "pem", + "ring", + "rustls-pki-types", + "time", + "yasna", +] + [[package]] name = "redox_syscall" version = "0.5.15" @@ -3590,7 +3603,7 @@ checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" [[package]] name = "wss-proxy" -version = "0.1.0" +version = "0.1.1" dependencies = [ "anyhow", "cln-plugin", @@ -3598,7 +3611,7 @@ dependencies = [ "futures-util", "log", "log-panics", - "rcgen", + "rcgen 0.14.4", "rustls 0.23.29", "serde", "serde_json", diff --git a/plugins/wss-proxy-plugin/Cargo.toml b/plugins/wss-proxy-plugin/Cargo.toml index 9e8f38fca5da..a7def938b76d 100644 --- a/plugins/wss-proxy-plugin/Cargo.toml +++ b/plugins/wss-proxy-plugin/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "wss-proxy" -version = "0.1.0" +version = "0.1.1" edition = "2021" license = "MIT" description = "WSS Proxy plugin" @@ -13,7 +13,7 @@ log = { version = "0.4", features = ['std'] } serde = { version = "1", features = ["derive"] } serde_json = "1" tokio = { version="1", features = ['io-std', 'rt-multi-thread', 'sync', 'macros', 'io-util'] } -rcgen = "0.13" +rcgen = "0.14" futures-util = { version = "0.3", default-features = false, features = ["sink", "std"] } tokio-tungstenite = { version = "0.26", features = ["tokio-rustls"] } @@ -25,4 +25,3 @@ log-panics = "2" cln-plugin = { version = "0.5", path = "../../plugins" } cln-rpc = { version = "0.5", path = "../../cln-rpc" } - diff --git a/plugins/wss-proxy-plugin/src/certs.rs b/plugins/wss-proxy-plugin/src/certs.rs index b08b7d3e77b7..749914d806f3 100644 --- a/plugins/wss-proxy-plugin/src/certs.rs +++ b/plugins/wss-proxy-plugin/src/certs.rs 
@@ -1,5 +1,6 @@
 use anyhow::{anyhow, Error};
-use rcgen::{CertificateParams, DistinguishedName, Ia5String, KeyPair};
+use rcgen::string::Ia5String;
+use rcgen::{CertificateParams, DistinguishedName, Issuer, KeyPair};
 use rustls::pki_types::pem::PemObject;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls::ServerConfig;
@@ -18,10 +19,13 @@ pub fn generate_certificates(certs_path: &PathBuf, wss_host: &[String]) -> Resul
 "localhost".to_string(),
 ])?;
 ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
- ca_params.key_usages.push(rcgen::KeyUsagePurpose::KeyCertSign);
+ ca_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyCertSign);
 ca_params.use_authority_key_identifier_extension = true;
 let ca_key = KeyPair::generate()?;
 let ca_cert = ca_params.self_signed(&ca_key)?;
+ let ca = Issuer::from_params(&ca_params, &ca_key);
 fs::create_dir_all(certs_path)?;
@@ -38,9 +42,15 @@ pub fn generate_certificates(certs_path: &PathBuf, wss_host: &[String]) -> Resul
 "localhost".to_string(),
 ])?;
 server_params.is_ca = rcgen::IsCa::NoCa;
- server_params.key_usages.push(rcgen::KeyUsagePurpose::DigitalSignature);
- server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyEncipherment);
- server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyAgreement);
+ server_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::DigitalSignature);
+ server_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyEncipherment);
+ server_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyAgreement);
 server_params.use_authority_key_identifier_extension = true;
 server_params.distinguished_name = DistinguishedName::new();
 server_params
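Review bot: The new `let ca = Issuer::from_params(&ca_params, &ca_key);` only changes how the CA signs; it does not on its own deliver the commit message's goal of getting off ring 0.17.8, because none of this patch's Cargo.lock hunks touch the `ring` package entry and the new `rcgen 0.14.4` entry lists it as an unqualified `"ring"`, i.e. the lock still resolves to whatever single ring version it held before. Please confirm with `cargo tree -i ring` (or `cargo audit`) that the locked version is already past the vulnerable release, and bump it explicitly in this series if not; otherwise the advisory stays open despite the rcgen upgrade. Since `ca_cert` (the self-signed cert presumably written out below) and `ca` (used to sign the leaves) must stay derived from the same params and key, a short comment on the new line would help: `// Signing identity built from the same params/key as ca_cert; keep them in sync.` The enclosing generate_certificates starts and ends outside this hunk.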
@@ -66,9 +76,7 @@ pub fn generate_certificates(certs_path: &PathBuf, wss_host: &[String]) -> Resul
 }
 let server_key = KeyPair::generate()?;
- let server_pem = server_params
- .signed_by(&server_key, &ca_cert, &ca_key)?
- .pem();
+ let server_pem = server_params.signed_by(&server_key, &ca)?.pem();
 fs::write(certs_path.join("server.pem"), server_pem)?;
 fs::write(
@@ -88,9 +96,7 @@ pub fn generate_certificates(certs_path: &PathBuf, wss_host: &[String]) -> Resul
 .distinguished_name
 .push(rcgen::DnType::CommonName, "cln wss-proxy client");
 let client_key = KeyPair::generate()?;
- let client_pem = client_params
- .signed_by(&client_key, &ca_cert, &ca_key)?
- .pem();
+ let client_pem = client_params.signed_by(&client_key, &ca)?.pem();
 fs::write(certs_path.join("client.pem"), client_pem)?;
 fs::write(

From 1dc841d102320ee832ed5f6efcef86a1c1a54700 Mon Sep 17 00:00:00 2001
From: Peter Neuroth
Date: Tue, 23 Sep 2025 20:10:56 +0200
Subject: [PATCH 3/5] clnrest: update rcgen version

Update rcgen to >=14 to resolve vulnerability in ring 0.17.8

Signed-off-by: Peter Neuroth
---
 Cargo.lock | 4 ++--
 plugins/rest-plugin/Cargo.toml | 5 ++---
 plugins/rest-plugin/src/certs.rs | 27 ++++++++++++++++-----------
 3 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a545a1013a3a..5dd64bec1cf5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -573,7 +573,7 @@ dependencies = [
 [[package]]
 name = "clnrest"
-version = "0.2.0"
+version = "0.2.1"
 dependencies = [
 "anyhow",
 "axum 0.8.4",
@@ -586,7 +586,7 @@ dependencies = [
 "log",
 "log-panics",
 "quick-xml",
- "rcgen 0.13.2",
+ "rcgen 0.14.4",
 "roxmltree_to_serde",
 "serde",
 "serde_json",
diff --git a/plugins/rest-plugin/Cargo.toml b/plugins/rest-plugin/Cargo.toml
index 32b74a4f0b3d..98653b6d20f7 100644
--- a/plugins/rest-plugin/Cargo.toml
+++ b/plugins/rest-plugin/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "clnrest"
-version = "0.2.0"
+version = "0.2.1"
 edition = "2021"
 license = "MIT"
 description = "Transforms RPC calls into REST APIs"
@@ -22,7 +22,7 @@ tokio = { version="1", features = ['io-std', 'rt-multi-thread', 'sync', 'macros'
 axum = "0.8"
 axum-server = { version = "0.6", features = ["tls-rustls"] }
 futures-util = { version = "0.3", default-features = false, features = ["sink", "std"] }
-rcgen = "0.13"
+rcgen = "0.14"
 hyper = "1"
 tower= "0.5"
 tower-http = { version = "0.6", features = ["cors", "set-header"] }
@@ -34,4 +34,3 @@ socketioxide = "0.15"
 cln-plugin = { version = "0.5", path = "../../plugins" }
 cln-rpc = { version = "0.5", path = "../../cln-rpc" }
 utoipa-swagger-ui = { version = "9.0.0", features = ["vendored", "axum"] }
-
diff --git a/plugins/rest-plugin/src/certs.rs b/plugins/rest-plugin/src/certs.rs
index e6ab61345609..6e9475e3daf6 100644
--- a/plugins/rest-plugin/src/certs.rs
+++ b/plugins/rest-plugin/src/certs.rs
@@ -1,5 +1,5 @@
 use anyhow::Error;
-use rcgen::{CertificateParams, DistinguishedName, KeyPair};
+use rcgen::{CertificateParams, DistinguishedName, Issuer, KeyPair};
 use std::fs;
 use std::net::IpAddr;
 use std::path::{Path, PathBuf};
@@ -12,10 +12,13 @@ pub fn generate_certificates(certs_path: &PathBuf, rest_host: &str) -> Result<()
 "localhost".to_string(),
 ])?;
 ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
- ca_params.key_usages.push(rcgen::KeyUsagePurpose::KeyCertSign);
+ ca_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyCertSign);
 ca_params.use_authority_key_identifier_extension = true;
 let ca_key = KeyPair::generate()?;
 let ca_cert = ca_params.self_signed(&ca_key)?;
+ let ca = Issuer::from_params(&ca_params, &ca_key);
 fs::create_dir_all(certs_path)?;
@@ -32,9 +35,15 @@ pub fn generate_certificates(certs_path: &PathBuf, rest_host: &str) -> Result<()
 "localhost".to_string(),
 ])?;
 server_params.is_ca = rcgen::IsCa::NoCa;
- server_params.key_usages.push(rcgen::KeyUsagePurpose::DigitalSignature);
- server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyEncipherment);
- server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyAgreement);
+ server_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::DigitalSignature);
+ server_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyEncipherment);
+ server_params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyAgreement);
 server_params.use_authority_key_identifier_extension = true;
 server_params.distinguished_name = DistinguishedName::new();
 server_params
@@ -46,9 +55,7 @@ pub fn generate_certificates(certs_path: &PathBuf, rest_host: &str) -> Result<()
 .push(rcgen::SanType::IpAddress(ip));
 }
 let server_key = KeyPair::generate()?;
- let server_pem = server_params
- .signed_by(&server_key, &ca_cert, &ca_key)?
- .pem();
+ let server_pem = server_params.signed_by(&server_key, &ca)?.pem();
 fs::write(certs_path.join("server.pem"), server_pem)?;
 fs::write(
@@ -68,9 +75,7 @@ pub fn generate_certificates(certs_path: &PathBuf, rest_host: &str) -> Result<()
 .distinguished_name
 .push(rcgen::DnType::CommonName, "cln rest client");
 let client_key = KeyPair::generate()?;
- let client_pem = client_params
- .signed_by(&client_key, &ca_cert, &ca_key)?
- .pem();
+ let client_pem = client_params.signed_by(&client_key, &ca)?.pem();
 fs::write(certs_path.join("client.pem"), client_pem)?;
 fs::write(

From c43b7f1f031962940b1eb37ef4fa4ec7ed5431b4 Mon Sep 17 00:00:00 2001
From: Peter Neuroth
Date: Tue, 23 Sep 2025 21:02:25 +0200
Subject: [PATCH 4/5] grpc-plugin: update rcgen version

Update rcgen to >=14 to resolve vulnerability in ring 0.17.8
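Review bot: The signing change in `let server_pem = server_params.signed_by(&server_key, &ca)?.pem();` and its client counterpart are now the third copy of the same CA/server/client generation sequence (wss-proxy `certs.rs` and grpc `tls.rs` carry the other two), so the next rcgen API move or advisory-driven bump has to be applied in three places. Consider hoisting the param setup and signing into one shared helper in the `cln-plugin` crate both plugins already depend on, leaving only SANs and common names per plugin. The server key usages re-pushed above (`DigitalSignature`, `KeyEncipherment`, `KeyAgreement`) are carried over from the old lines; for a key produced by `KeyPair::generate()` and used only to sign TLS handshakes, as far as I can tell only `DigitalSignature` is exercised, so the other two could be dropped in a follow-up rather than here. The enclosing generate_certificates starts outside this hunk.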
Signed-off-by: Peter Neuroth --- Cargo.lock | 47 ++++++++++++---------------------- plugins/grpc-plugin/Cargo.toml | 4 +-- plugins/grpc-plugin/src/tls.rs | 22 ++++++++-------- 3 files changed, 31 insertions(+), 42 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5dd64bec1cf5..2e4c98c41cfd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -55,9 +55,9 @@ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" [[package]] name = "asn1-rs" -version = "0.6.2" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048" +checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60" dependencies = [ "asn1-rs-derive", "asn1-rs-impl", @@ -65,15 +65,15 @@ dependencies = [ "nom", "num-traits", "rusticata-macros", - "thiserror 1.0.69", + "thiserror 2.0.12", "time", ] [[package]] name = "asn1-rs-derive" -version = "0.5.1" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490" +checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c" dependencies = [ "proc-macro2", "quote", @@ -504,7 +504,7 @@ dependencies = [ [[package]] name = "cln-grpc-plugin" -version = "0.4.0" +version = "0.4.1" dependencies = [ "anyhow", "cln-grpc", @@ -512,7 +512,7 @@ dependencies = [ "cln-rpc", "log", "prost", - "rcgen 0.13.2", + "rcgen", "serde_json", "tokio", "tonic", @@ -586,7 +586,7 @@ dependencies = [ "log", "log-panics", "quick-xml", - "rcgen 0.14.4", + "rcgen", "roxmltree_to_serde", "serde", "serde_json", 
@@ -653,9 +653,9 @@ checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476" [[package]] name = "der-parser" -version = "9.0.0" +version = "10.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553" +checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6" dependencies = [ "asn1-rs", "displaydoc", @@ -1672,9 +1672,9 @@ dependencies = [ [[package]] name = "oid-registry" -version = "0.7.1" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9" +checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7" dependencies = [ "asn1-rs", ] @@ -1952,20 +1952,6 @@ dependencies = [ "getrandom 0.3.3", ] -[[package]] -name = "rcgen" -version = "0.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2" -dependencies = [ - "pem", - "ring", - "rustls-pki-types", - "time", - "x509-parser", - "yasna", -] - [[package]] name = "rcgen" version = "0.14.4" @@ -1976,6 +1962,7 @@ dependencies = [ "ring", "rustls-pki-types", "time", + "x509-parser", "yasna", ] @@ -3611,7 +3598,7 @@ dependencies = [ "futures-util", "log", "log-panics", - "rcgen 0.14.4", + "rcgen", "rustls 0.23.29", "serde", "serde_json", @@ -3622,9 +3609,9 @@ dependencies = [ [[package]] name = "x509-parser" -version = "0.16.0" +version = "0.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69" +checksum = "eb3e137310115a65136898d2079f003ce33331a6c4b0d51f1531d1be082b6425" dependencies = [ "asn1-rs", "data-encoding", @@ -3634,7 +3621,7 @@ dependencies = [ "oid-registry", "ring", "rusticata-macros", - "thiserror 1.0.69", + "thiserror 2.0.12", "time", ] 
diff --git a/plugins/grpc-plugin/Cargo.toml b/plugins/grpc-plugin/Cargo.toml
index 35c774c58c5f..88a1d47ee42e 100644
--- a/plugins/grpc-plugin/Cargo.toml
+++ b/plugins/grpc-plugin/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 edition = "2021"
 name = "cln-grpc-plugin"
-version = "0.4.0"
+version = "0.4.1"
 description = "A Core Lightning plugin that re-exposes the JSON-RPC over grpc. Authentication is done via mTLS."
 license = "MIT"
@@ -15,7 +15,7 @@ path = "src/main.rs"
 [dependencies]
 anyhow = "1.0"
 log = "0.4"
-rcgen = { version = "0.13.1", features = ["pem", "x509-parser"] }
+rcgen = { version = "0.14", features = ["pem", "x509-parser"] }
 prost = "0.12"
 cln-grpc = { version = "0.5", features = ["server"], path = "../../cln-grpc"}
 cln-plugin = { version = "0.5", path = "../../plugins" }
diff --git a/plugins/grpc-plugin/src/tls.rs b/plugins/grpc-plugin/src/tls.rs
index 18f72e819068..0172bebfe494 100644
--- a/plugins/grpc-plugin/src/tls.rs
+++ b/plugins/grpc-plugin/src/tls.rs
@@ -1,7 +1,7 @@
 //! Utilities to manage TLS certificates.
 use anyhow::{Context, Result};
 use log::debug;
-use rcgen::{Certificate, KeyPair};
+use rcgen::{Issuer, KeyPair};
 use std::path::Path;
 /// Just a wrapper around a certificate and an associated keypair.
@@ -18,11 +18,11 @@ impl Identity {
 Ok(key)
 }
- fn to_certificate(&self) -> Result {
+ fn to_issuer<'a>(&self) -> Result> {
 let certstr = String::from_utf8_lossy(&self.certificate);
- let params = rcgen::CertificateParams::from_ca_cert_pem(&certstr)?;
- let cert = params.self_signed(&self.to_key()?)?;
- Ok(cert)
+ let key = self.to_key()?;
+ let issuer = rcgen::Issuer::from_ca_cert_pem(&certstr, key)?;
+ Ok(issuer)
 }
 pub fn to_tonic_identity(&self) -> tonic::transport::Identity {
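Review bot: `to_issuer` hands the key from `self.to_key()?` to `rcgen::Issuer::from_ca_cert_pem(&certstr, key)?` without any check that it is the private key belonging to the certificate in `self.certificate`; nothing visible in the hunk verifies that pairing, so a stale or swapped `*-key.pem` sitting next to a valid CA cert would yield leaf certificates that only fail chain validation when a client connects. If rcgen does not validate this itself (I could not confirm that from the hunk), comparing `key.public_key_der()` against the loaded certificate's SubjectPublicKeyInfo at this point, or at least stating the assumption, would catch it at startup. The method also has no doc comment; I would add `/// Builds an rcgen Issuer from this identity's CA certificate and private key.` followed by `/// Assumes `key` is the private key matching `certificate`; the pairing is not verified here.` The generic arguments of the return type appear to have been lost in rendering (`Result> {`), so I cannot comment on the `'a` lifetime, and the enclosing `impl Identity` starts and ends outside this hunk.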
@@ -101,8 +101,12 @@ fn generate_or_load_identity(
 params.key_usages.push(rcgen::KeyUsagePurpose::KeyCertSign);
 } else {
 params.is_ca = rcgen::IsCa::NoCa;
- params.key_usages.push(rcgen::KeyUsagePurpose::DigitalSignature);
- params.key_usages.push(rcgen::KeyUsagePurpose::KeyEncipherment);
+ params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::DigitalSignature);
+ params
+ .key_usages
+ .push(rcgen::KeyUsagePurpose::KeyEncipherment);
 params.key_usages.push(rcgen::KeyUsagePurpose::KeyAgreement);
 }
 params
@@ -112,9 +116,7 @@ fn generate_or_load_identity(
 let cert = match parent {
 None => params.self_signed(&keypair),
- Some(parent) => {
- params.signed_by(&keypair, &parent.to_certificate()?, &parent.to_key()?)
- }
+ Some(parent) => params.signed_by(&keypair, &parent.to_issuer()?),
 }?;
 std::fs::write(&cert_path, cert.pem().as_bytes()).context("writing certificate to file")?;
 }

From f45db55f4866be273acf18cad3cebb4e092c3360 Mon Sep 17 00:00:00 2001
From: Peter Neuroth
Date: Tue, 23 Sep 2025 21:04:42 +0200
Subject: [PATCH 5/5] grpc-plugin: add some basic tests for cert gen

I introduced some changes to the tls Identity, these tests shall add some confidence that I didn't break something.

Signed-off-by: Peter Neuroth
---
 Cargo.lock | 1 +
 plugins/grpc-plugin/Cargo.toml | 3 ++
 plugins/grpc-plugin/src/tls.rs | 81 ++++++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index 2e4c98c41cfd..c0979df89dbf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -514,6 +514,7 @@ dependencies = [
 "prost",
 "rcgen",
 "serde_json",
+ "tempfile",
 "tokio",
 "tonic",
 ]
diff --git a/plugins/grpc-plugin/Cargo.toml b/plugins/grpc-plugin/Cargo.toml
index 88a1d47ee42e..9c562f10615d 100644
--- a/plugins/grpc-plugin/Cargo.toml
+++ b/plugins/grpc-plugin/Cargo.toml
@@ -29,3 +29,6 @@ version = "1"
 [dependencies.tonic]
 features = ["tls", "transport"]
 version = "0.11"
+
+[dev-dependencies]
+tempfile = "3.8"
diff --git a/plugins/grpc-plugin/src/tls.rs b/plugins/grpc-plugin/src/tls.rs
index 0172bebfe494..b2748d1c3f89 100644
--- a/plugins/grpc-plugin/src/tls.rs
+++ b/plugins/grpc-plugin/src/tls.rs
@@ -125,3 +125,84 @@ fn generate_or_load_identity(
 let certificate = std::fs::read(cert_path)?;
 Ok(Identity { certificate, key })
 }
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use anyhow::Result;
+ use tempfile::TempDir;
+
+ fn create_test_dir() -> TempDir {
+ TempDir::new().expect("Failed to create temp directory")
+ }
+
+ #[test]
+ fn test_generate_identity() -> Result<()> {
+ let temp_dir = create_test_dir();
+
+ let identity =
+ generate_or_load_identity("Test Certificate", temp_dir.path(), "test", None)?;
+
+ // Should have key and certificate data
+ assert!(!identity.key.is_empty());
+ assert!(!identity.certificate.is_empty());
+
+ // Should be valid PEM format
+ let key_str = String::from_utf8_lossy(&identity.key);
+ let cert_str = String::from_utf8_lossy(&identity.certificate);
+
+ assert!(key_str.contains("-----BEGIN PRIVATE KEY-----"));
+ assert!(cert_str.contains("-----BEGIN CERTIFICATE-----"));
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_load_existing_identity() -> Result<()> {
+ let temp_dir = create_test_dir();
+
+ // Generate first time
+ let identity1 =
+ generate_or_load_identity("Test Certificate", temp_dir.path(), "test", None)?;
+
+ let identity2 =
+ generate_or_load_identity("Test Certificate", temp_dir.path(), "test", None)?;
+
+ // If identity was loaded - should be equal.
+ assert_eq!(identity1.key, identity2.key);
+ assert_eq!(identity1.certificate, identity2.certificate);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_ca_and_signed_certificate() -> Result<()> {
+ let temp_dir = create_test_dir();
+
+ let ca = generate_or_load_identity("Test CA", temp_dir.path(), "ca", None)?;
+ let server = generate_or_load_identity("Server", temp_dir.path(), "server", Some(&ca))?;
+
+ assert_ne!(ca.certificate, server.certificate);
+ assert_ne!(ca.key, server.key);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_file_permissions() -> Result<()> {
+ use std::os::unix::fs::PermissionsExt;
+
+ let temp_dir = create_test_dir();
+
+ generate_or_load_identity("Test", temp_dir.path(), "test", None)?;
+
+ let key_path = temp_dir.path().join("test-key.pem");
+ let metadata = std::fs::metadata(&key_path)?;
+ let permissions = metadata.permissions();
+
+ // Key file should be readable only by owner
+ assert_eq!(permissions.mode() & 0o777, 0o600);
+
+ Ok(())
+ }
+}
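Review bot: `test_file_permissions` does `use std::os::unix::fs::PermissionsExt;` inside the test body, which makes the whole `tests` module fail to compile on any non-unix target; gate that one test with `#[cfg(unix)]` on the line above its `#[test]`. The path `temp_dir.path().join("test-key.pem")` bakes in a file-naming convention that lives inside `generate_or_load_identity`, whose body is outside this hunk, so a comment such as `// mirrors the "<name>-key.pem" layout generate_or_load_identity writes` would make a rename there fail loudly here rather than look like a permissions regression. `test_ca_and_signed_certificate` only asserts `ca.certificate != server.certificate` and `ca.key != server.key`, which two independently self-signed identities would also satisfy; since the point of the `Issuer` refactor was to sign the leaf with the loaded CA, the test should additionally check that the server certificate's issuer is the CA (for example by parsing it with `x509-parser` as a dev-dependency and comparing issuer DN / authority key identifier to the CA's subject / subject key identifier). None of the tests exercise a non-0o600 pre-existing key file or an unreadable directory, which are the failure modes the permission check exists for, but that can be a follow-up.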