feat: ✨ create certificate files

Author: dergecko

.gitignore

@@ -13,6 +13,7 @@ Cargo.lock
 # MSVC Windows builds of rustc generate these, which store debugging information
 *.pdb
 
+**/certificates.d
 # RustRover
 #  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore

test-certs/Cargo.toml

@@ -18,3 +18,6 @@ serde_with = "3.11"
 clap = { version = "4.5", features = ["derive"] }
 tracing = "0.1"
 tracing-subscriber = "0.3"
+
+[dev-dependencies]
+testdir = "0.9"

test-certs/src/configuration/certificates.rs

@@ -6,7 +6,7 @@ use serde::{Deserialize, Serialize};
 
 /// This is the root structure that contains all certificate chains.
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
-pub struct Certificates {
+pub struct CertificateRoot {
     /// All certificates
     #[serde(flatten)]
     pub certificates: HashMap<String, CertificateTypes>,
@@ -15,7 +15,7 @@ pub struct Certificates {
 /// The certificate authority to sign other certificates.
 #[derive(Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(default, deny_unknown_fields)]
-pub struct CertificateAuthority {
+pub struct CertificateAuthorityConfiguration {
     /// Enables the export of the private key file.
     pub export_key: bool,
 
@@ -27,15 +27,15 @@ pub struct CertificateAuthority {
 /// A certificate used for client authentication.
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(default, deny_unknown_fields)]
-pub struct Client {
+pub struct ClientConfiguration {
     /// Enables the export of the private key file.
     pub export_key: bool,
 }
 
 /// A certificate used for server authentication.
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(default, deny_unknown_fields)]
-pub struct Server {
+pub struct ServerConfiguration {
     /// Enables the export of the private key file.
     pub export_key: bool,
 }
@@ -46,13 +46,13 @@ pub struct Server {
 pub enum CertificateTypes {
     /// A certificate that acts as a Certificate Authority.
     #[serde(alias = "ca")]
-    CertificateAuthority(CertificateAuthority),
+    CertificateAuthority(CertificateAuthorityConfiguration),
 
     /// A certificate for client authentication.
-    Client(Client),
+    Client(ClientConfiguration),
 
     /// A certificate for server authentication.
-    Server(Server),
+    Server(ServerConfiguration),
 }
 
 impl CertificateTypes {
@@ -83,13 +83,13 @@ impl CertificateTypes {
 /// The [`LazyLock`] is required as a HashMap::new is not usable in const expressions.
 static NO_CERTIFICATES: LazyLock<HashMap<String, CertificateTypes>> = LazyLock::new(HashMap::new);
 
-impl Default for Client {
+impl Default for ClientConfiguration {
     fn default() -> Self {
         Self { export_key: true }
     }
 }
 
-impl Default for Server {
+impl Default for ServerConfiguration {
     fn default() -> Self {
         Self { export_key: true }
     }
@@ -101,46 +101,46 @@ pub mod fixtures {
     use super::*;
 
     /// Creates a certificate authority and a server and client certificated that are issued by it.
-    pub fn certificate_ca_with_client() -> Certificates {
-        let certs = Certificates {
+    pub fn certificate_ca_with_client() -> CertificateRoot {
+        let certs = CertificateRoot {
             certificates: HashMap::from([("ca".to_string(), ca_with_client())]),
         };
         certs
     }
 
     /// Creates a certificate of type ca with a client cert.
     pub fn ca_with_client() -> CertificateTypes {
-        CertificateTypes::CertificateAuthority(CertificateAuthority {
+        CertificateTypes::CertificateAuthority(CertificateAuthorityConfiguration {
             certificates: HashMap::from([(
                 "client".to_string(),
-                CertificateTypes::Client(Client::default()),
+                CertificateTypes::Client(ClientConfiguration::default()),
             )]),
             ..Default::default()
         })
     }
 
     /// Creates a client certificate.
-    pub fn certificate_client() -> Certificates {
-        let certs = Certificates {
+    pub fn certificate_client() -> CertificateRoot {
+        let certs = CertificateRoot {
             certificates: HashMap::from([(
                 "client".to_string(),
-                CertificateTypes::Client(Client::default()),
+                CertificateTypes::Client(ClientConfiguration::default()),
             )]),
         };
         certs
     }
 
     /// Creates a certificate of type client.
     pub fn client() -> CertificateTypes {
-        CertificateTypes::Client(Client::default())
+        CertificateTypes::Client(ClientConfiguration::default())
     }
 
     /// Creates a certificate authority without any other certificates.
-    pub fn certificate_ca() -> Certificates {
-        let certs = Certificates {
+    pub fn certificate_ca() -> CertificateRoot {
+        let certs = CertificateRoot {
             certificates: HashMap::from([(
                 "ca".to_string(),
-                CertificateTypes::CertificateAuthority(CertificateAuthority::default()),
+                CertificateTypes::CertificateAuthority(CertificateAuthorityConfiguration::default()),
             )]),
         };
         certs
@@ -153,7 +153,7 @@ mod tests {
     use fixtures::certificate_ca_with_client;
     use serde_json::json;
 
-    fn get_ca(cert: &CertificateTypes) -> &CertificateAuthority {
+    fn get_ca(cert: &CertificateTypes) -> &CertificateAuthorityConfiguration {
         assert!(matches!(cert, CertificateTypes::CertificateAuthority(_)));
         let ca = match cert {
             CertificateTypes::CertificateAuthority(certificate_authority) => certificate_authority,
@@ -222,7 +222,7 @@ mod tests {
             let certs = certificate_ca_with_client();
 
             let serialized = serde_json::to_string(&certs).unwrap();
-            let deserialized: Certificates = serde_json::from_str(&serialized).unwrap();
+            let deserialized: CertificateRoot = serde_json::from_str(&serialized).unwrap();
 
             assert_eq!(deserialized, certs)
         }
@@ -233,10 +233,10 @@ mod tests {
 
         #[test]
         fn should_serialize_certificateauthority() {
-            let certificates = Certificates {
+            let certificates = CertificateRoot {
                 certificates: HashMap::from([(
                     "my-ca".to_string(),
-                    CertificateTypes::CertificateAuthority(CertificateAuthority {
+                    CertificateTypes::CertificateAuthority(CertificateAuthorityConfiguration {
                         certificates: HashMap::new(),
                         export_key: false,
                     }),
@@ -277,7 +277,7 @@ mod tests {
             let certs = certificate_ca_with_client();
 
             let serialized = serde_yaml::to_string(&certs).unwrap();
-            let deserialized: Certificates = serde_yaml::from_str(&serialized).unwrap();
+            let deserialized: CertificateRoot = serde_yaml::from_str(&serialized).unwrap();
 
             assert_eq!(deserialized, certs)
         }

test-certs/src/configuration/mod.rs

@@ -13,6 +13,10 @@ pub struct Args {
     #[arg(short, long, default_value = "./certificate_generation.yaml")]
     pub configuration: PathBuf,
 
+    /// Folder where all generated certificates will be saved.
+    #[arg(short, long = "out-dir", default_value = "./certificates.d/")]
+    pub outdir: PathBuf,
+
     /// Use the provided configuration language.
     #[arg(default_value_t = ConfigFormat::Yaml)]
     pub format: ConfigFormat,
@@ -42,9 +46,12 @@ mod tests {
 
     #[test]
     fn should_parse_args() {
-        let args = Args::try_parse_from(&["", "--configuration", "./file.yaml", "json"]).unwrap();
+        let args =
+            Args::try_parse_from(&["", "--configuration", "./file.yaml", "--out-dir", "./certs", "json"])
+                .unwrap();
 
         assert_eq!(args.configuration.display().to_string(), "./file.yaml");
         assert_eq!(args.format.to_string(), "json");
+        assert_eq!(args.outdir.display().to_string(), "./certs");
     }
 }

test-certs/src/lib.rs

@@ -4,12 +4,11 @@
 #![warn(missing_debug_implementations)]
 #![warn(clippy::unwrap_used)]
 
-use std::fmt::Debug;
+use std::{fmt::Debug, io::Write, path::PathBuf};
 
 use configuration::certificates::CertificateTypes;
 use rcgen::{
-    BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair,
-    KeyUsagePurpose,
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, KeyUsagePurpose,
 };
 
 pub mod configuration;
@@ -20,26 +19,61 @@ pub enum Error {
     /// Errors when working with rcgen to create and sign certificates.
     #[error("Could not generate certificate")]
     FailedToCreateCertificate(#[from] rcgen::Error),
+
+    /// Error to write the certificate to disk
+    #[error("Could not write certificate to '{0}'")]
+    FailedToWriteCertificate(PathBuf),
+
+    /// Error to write the certificate  key to disk
+    #[error("Could not write certificate key to '{0}'")]
+    FailedToWriteKey(PathBuf),
+
+    /// Multiple errors that occurred while working with certificates
+    #[error("Multiple errors occurred")]
+    ErrorCollection(Vec<Error>),
 }
 
 /// A pair of a certificate and the corresponding private key.
 #[allow(unused, reason = "Initial draft therefore values are not used yet")]
-pub struct CertKeyPair {
-    certificate: Certificate,
+pub struct Certificate {
+    certificate: rcgen::Certificate,
     key: KeyPair,
     export_key: bool,
     name: String,
 }
 
+impl Certificate {
+    /// Write the certificate and the key if marked for export to the specified folder.
+    ///
+    /// This fails if the folder is not accessible.
+    pub fn write(&self, directory: &PathBuf) -> Result<(), Error> {
+        let cert_file = directory.join(format!("{}.pem", &self.name));
+
+        let mut cert = std::fs::File::create(&cert_file)
+            .map_err(|_| Error::FailedToWriteCertificate(cert_file.clone()))?;
+        cert.write_fmt(format_args!("{}", self.certificate.pem()))
+            .map_err(|_| Error::FailedToWriteCertificate(cert_file))?;
+
+        if self.export_key {
+            let key_file = directory.join(format!("{}.key", &self.name));
+            let mut key = std::fs::File::create(&key_file)
+                .map_err(|_| Error::FailedToWriteCertificate(key_file.clone()))?;
+            key.write_fmt(format_args!("{}", self.key.serialize_pem()))
+                .map_err(|_| Error::FailedToWriteCertificate(key_file))?;
+        }
+        Ok(())
+    }
+}
+
 /// Generates all certificates that are present in the configuration file.
 ///
 /// Each certificate chain is evaluated from the specified root certificate.
-/// If one certificate in the chain could not be created the corresponding 
+/// If one certificate in the chain could not be created the corresponding
 /// error is reported and the chain will not be generated.
 pub fn generate(
-    certificate_config: configuration::certificates::Certificates,
-) -> Result<Vec<CertKeyPair>, Vec<Error>> {
-    let certs: Vec<Result<Vec<CertKeyPair>, Error>> = certificate_config
+    certificate_config: configuration::certificates::CertificateRoot,
+) -> Result<Vec<Certificate>, Error> {
+    let certs: Vec<Result<Vec<Certificate>, Error>> = certificate_config
         .certificates
         .iter()
         .map(|(name, config)| generate_certificates(name, config, None))
@@ -55,7 +89,7 @@ pub fn generate(
     }
 
     if !errors.is_empty() {
-        return Err(errors);
+        return Err(Error::ErrorCollection(errors));
     }
 
     Ok(certificates)
@@ -65,8 +99,8 @@ pub fn generate(
 fn generate_certificates(
     name: &str,
     config: &CertificateTypes,
-    issuer: Option<&CertKeyPair>,
-) -> Result<Vec<CertKeyPair>, Error> {
+    issuer: Option<&Certificate>,
+) -> Result<Vec<Certificate>, Error> {
     let mut result = vec![];
     let issuer = create_certificate(name, config, issuer)?;
 
@@ -83,8 +117,8 @@ fn generate_certificates(
 fn create_certificate(
     name: &str,
     certificate_config: &CertificateTypes,
-    issuer: Option<&CertKeyPair>,
-) -> Result<CertKeyPair, Error> {
+    issuer: Option<&Certificate>,
+) -> Result<Certificate, Error> {
     let key = KeyPair::generate()?;
 
     // TODO: right now the certificate type is ignored and no client or server auth certs are generated
@@ -94,15 +128,15 @@ fn create_certificate(
         issuer_params(name).self_signed(&key)?
     };
 
-    Ok(CertKeyPair {
+    Ok(Certificate {
         certificate,
         key,
         export_key: certificate_config.export_key(),
         name: name.to_string(),
     })
 }
 
-impl Debug for CertKeyPair {
+impl Debug for Certificate {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.debug_struct("CertKey")
             .field("certificate", &self.certificate.pem())
@@ -129,6 +163,7 @@ mod test {
     use configuration::certificates::fixtures::{
         ca_with_client, certificate_ca_with_client, client,
     };
+    use testdir::testdir;
 
     use super::*;
 
@@ -147,13 +182,32 @@ mod test {
     fn should_create_certificate() {
         let config = client();
         let result = create_certificate("test", &config, None);
+
         assert!(result.is_ok())
     }
 
     #[test]
     fn should_generate_certificates() {
         let config = ca_with_client();
         let result = generate_certificates("my-ca", &config, None);
+
         assert!(result.is_ok())
     }
+
+    #[test]
+    fn should_write_certificate_to_file() {
+        let dir = testdir!();
+        let config = client();
+        let certificates = generate_certificates("my-client", &config, None).unwrap();
+        let certificate = certificates.first().unwrap();
+
+        certificate.write(&dir).unwrap();
+
+        let file_exists = dir
+            .read_dir()
+            .unwrap()
+            .filter_map(|e| e.ok())
+            .any(|f| f.file_name() == "my-client.pem");
+        assert!(file_exists)
+    }
 }