chore: 🚧 generate certificates from config file

Author: dergecko

test-certs/Cargo.toml

@@ -4,6 +4,9 @@ version = "0.1.0"
 edition = "2021"
 default-run = "test-certs"
 
+[features]
+fixtures = []
+
 [dependencies]
 thiserror = "2"
 rcgen = "0.13"

test-certs/src/configuration/certificates.rs

@@ -1,6 +1,6 @@
 //! Certificate generation configuration.
 //!
-use std::collections::HashMap;
+use std::{collections::HashMap, sync::LazyLock};
 
 use serde::{Deserialize, Serialize};
 
@@ -16,45 +16,73 @@ pub struct Certificates {
 #[derive(Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(default, deny_unknown_fields)]
 pub struct CertificateAuthority {
-    /// Enables the export of the private key file
+    /// Enables the export of the private key file.
     pub export_key: bool,
 
-    /// Certificates that are signed by this CA
+    /// Certificates that are signed by this CA.
     #[serde(skip_serializing_if = "HashMap::is_empty")]
     pub certificates: HashMap<String, CertificateTypes>,
 }
 
-/// A certificate used for client authentication
+/// A certificate used for client authentication.
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(default, deny_unknown_fields)]
 pub struct Client {
-    /// Enables the export of the private key file
+    /// Enables the export of the private key file.
     pub export_key: bool,
 }
 
-/// A certificate used for server authentication
+/// A certificate used for server authentication.
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(default, deny_unknown_fields)]
 pub struct Server {
-    /// Enables the export of the private key file
+    /// Enables the export of the private key file.
     pub export_key: bool,
 }
 
-/// All kinds of different certificates
+/// All kinds of different certificates.
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(tag = "type", rename_all = "lowercase")]
 pub enum CertificateTypes {
-    /// A certificate that acts as a Certificate Authority
+    /// A certificate that acts as a Certificate Authority.
     #[serde(alias = "ca")]
     CertificateAuthority(CertificateAuthority),
 
-    /// A certificate for client authentication
+    /// A certificate for client authentication.
     Client(Client),
 
-    /// A certificate for server authentication
+    /// A certificate for server authentication.
     Server(Server),
 }
 
+impl CertificateTypes {
+    /// Should the private key be exported or not
+    pub fn export_key(&self) -> bool {
+        match self {
+            CertificateTypes::CertificateAuthority(certificate_authority) => {
+                certificate_authority.export_key
+            }
+            CertificateTypes::Client(client) => client.export_key,
+            CertificateTypes::Server(server) => server.export_key,
+        }
+    }
+
+    /// Certificates issued by this certificate.
+    pub fn certificates(&self) -> &HashMap<String, CertificateTypes> {
+        match self {
+            CertificateTypes::CertificateAuthority(certificate_authority) => {
+                &certificate_authority.certificates
+            }
+            CertificateTypes::Client(_client) => &NO_CERTIFICATES,
+            CertificateTypes::Server(_server) => &NO_CERTIFICATES,
+        }
+    }
+}
+
+/// Is used to provide a reference to an empty HashMap.
+/// The [`LazyLock`] is required as a HashMap::new is not usable in const expressions.
+static NO_CERTIFICATES: LazyLock<HashMap<String, CertificateTypes>> = LazyLock::new(HashMap::new);
+
 impl Default for Client {
     fn default() -> Self {
         Self { export_key: true }
@@ -67,11 +95,63 @@ impl Default for Server {
     }
 }
 
+/// Fixtures for testing certificate generation.
+#[cfg(any(test, feature = "fixtures"))]
+pub mod fixtures {
+    use super::*;
+
+    /// Creates a certificate authority and a server and client certificated that are issued by it.
+    pub fn certificate_ca_with_client() -> Certificates {
+        let certs = Certificates {
+            certificates: HashMap::from([("ca".to_string(), ca_with_client())]),
+        };
+        certs
+    }
+
+    /// Creates a certificate of type ca with a client cert.
+    pub fn ca_with_client() -> CertificateTypes {
+        CertificateTypes::CertificateAuthority(CertificateAuthority {
+            certificates: HashMap::from([(
+                "client".to_string(),
+                CertificateTypes::Client(Client::default()),
+            )]),
+            ..Default::default()
+        })
+    }
+
+    /// Creates a client certificate.
+    pub fn certificate_client() -> Certificates {
+        let certs = Certificates {
+            certificates: HashMap::from([(
+                "client".to_string(),
+                CertificateTypes::Client(Client::default()),
+            )]),
+        };
+        certs
+    }
+
+    /// Creates a certificate of type client.
+    pub fn client() -> CertificateTypes {
+        CertificateTypes::Client(Client::default())
+    }
+
+    /// Creates a certificate authority without any other certificates.
+    pub fn certificate_ca() -> Certificates {
+        let certs = Certificates {
+            certificates: HashMap::from([(
+                "ca".to_string(),
+                CertificateTypes::CertificateAuthority(CertificateAuthority::default()),
+            )]),
+        };
+        certs
+    }
+}
+
 #[cfg(test)]
 mod tests {
-    use serde_json::json;
-
     use super::*;
+    use fixtures::certificate_ca_with_client;
+    use serde_json::json;
 
     fn get_ca(cert: &CertificateTypes) -> &CertificateAuthority {
         assert!(matches!(cert, CertificateTypes::CertificateAuthority(_)));
@@ -139,18 +219,7 @@ mod tests {
 
         #[test]
         fn should_serde_roundtrip() {
-            let certs = Certificates {
-                certificates: HashMap::from_iter([(
-                    "my-ca".to_string(),
-                    CertificateTypes::CertificateAuthority(CertificateAuthority {
-                        export_key: true,
-                        certificates: HashMap::from_iter([(
-                            "client".to_string(),
-                            CertificateTypes::Client(Client { export_key: true }),
-                        )]),
-                    }),
-                )]),
-            };
+            let certs = certificate_ca_with_client();
 
             let serialized = serde_json::to_string(&certs).unwrap();
             let deserialized: Certificates = serde_json::from_str(&serialized).unwrap();
@@ -202,5 +271,15 @@ mod tests {
 
             assert!(matches!(ca, CertificateTypes::CertificateAuthority(_)))
         }
+
+        #[test]
+        fn should_serde_roundtrip() {
+            let certs = certificate_ca_with_client();
+
+            let serialized = serde_yaml::to_string(&certs).unwrap();
+            let deserialized: Certificates = serde_yaml::from_str(&serialized).unwrap();
+
+            assert_eq!(deserialized, certs)
+        }
     }
 }

test-certs/src/configuration/mod.rs

@@ -18,12 +18,12 @@ pub struct Args {
     pub format: ConfigFormat,
 }
 
-/// Available configuration formats
+/// Available configuration formats.
 #[derive(Debug, Clone, ValueEnum)]
 pub enum ConfigFormat {
-    /// YAML Ain't Markup Language
+    /// YAML Ain't Markup Language.
     Yaml,
-    /// JavaScript Object Notation
+    /// JavaScript Object Notation.
     Json,
 }
 

test-certs/src/lib.rs

@@ -6,6 +6,7 @@
 
 use std::fmt::Debug;
 
+use configuration::certificates::CertificateTypes;
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair,
     KeyUsagePurpose,
@@ -22,9 +23,82 @@ pub enum Error {
 }
 
 /// A pair of a certificate and the corresponding private key.
+#[allow(unused, reason = "Initial draft therefore values are not used yet")]
 pub struct CertKeyPair {
     certificate: Certificate,
     key: KeyPair,
+    export_key: bool,
+    name: String,
+}
+
+/// Generates all certificates that are present in the configuration file.
+///
+/// Each certificate chain is evaluated from the specified root certificate.
+/// If one certificate in the chain could not be created the corresponding error is reported and the chain will not be generated.
+pub fn generate(
+    certificate_config: configuration::certificates::Certificates,
+) -> Result<Vec<CertKeyPair>, Vec<Error>> {
+    let certs: Vec<Result<Vec<CertKeyPair>, Error>> = certificate_config
+        .certificates
+        .iter()
+        .map(|(name, config)| generate_certificates(name, config, None))
+        .collect();
+
+    let mut errors = vec![];
+    let mut certificates = vec![];
+    for result in certs.into_iter() {
+        match result {
+            Ok(mut certs) => certificates.append(&mut certs),
+            Err(error) => errors.push(error),
+        }
+    }
+
+    if !errors.is_empty() {
+        return Err(errors);
+    }
+
+    Ok(certificates)
+}
+
+/// Generates the certificate and all certificates issued by this one.
+fn generate_certificates(
+    name: &str,
+    config: &CertificateTypes,
+    issuer: Option<&CertKeyPair>,
+) -> Result<Vec<CertKeyPair>, Error> {
+    let mut result = vec![];
+    let issuer = create_certificate(name, config, issuer)?;
+
+    for (name, config) in config.certificates().iter() {
+        let mut certificates = generate_certificates(name, config, Some(&issuer))?;
+        result.append(&mut certificates);
+    }
+
+    result.push(issuer);
+    Ok(result)
+}
+
+/// Create the actual certificate and private key.
+fn create_certificate(
+    name: &str,
+    certificate_config: &CertificateTypes,
+    issuer: Option<&CertKeyPair>,
+) -> Result<CertKeyPair, Error> {
+    let key = KeyPair::generate()?;
+
+    // TODO: right now the certificate type is ignored and no client or server auth certs are generated
+    let certificate = if let Some(issuer) = issuer {
+        issuer_params(name).signed_by(&key, &issuer.certificate, &issuer.key)?
+    } else {
+        issuer_params(name).self_signed(&key)?
+    };
+
+    Ok(CertKeyPair {
+        certificate,
+        key,
+        export_key: certificate_config.export_key(),
+        name: name.to_string(),
+    })
 }
 
 impl Debug for CertKeyPair {
@@ -36,16 +110,6 @@ impl Debug for CertKeyPair {
     }
 }
 
-/// Create a [`CertKeyPair`] that is our certificate authority to sign other certificates.
-pub fn create_root_ca() -> Result<CertKeyPair, Error> {
-    let root_key = KeyPair::generate()?;
-    let root_ca = issuer_params(env!("CARGO_PKG_NAME")).self_signed(&root_key)?;
-    Ok(CertKeyPair {
-        certificate: root_ca,
-        key: root_key,
-    })
-}
-
 fn issuer_params(common_name: &str) -> CertificateParams {
     let mut issuer_name = DistinguishedName::new();
     issuer_name.push(DnType::CommonName, common_name);
@@ -61,24 +125,34 @@ fn issuer_params(common_name: &str) -> CertificateParams {
 
 #[cfg(test)]
 mod test {
+    use configuration::certificates::fixtures::{
+        ca_with_client, certificate_ca_with_client, client,
+    };
+
     use super::*;
 
     #[test]
-    fn should_create_root_ca() {
-        let result = create_root_ca();
-        assert!(result.is_ok())
+    fn should_create_certificates() {
+        let certificate_config = certificate_ca_with_client();
+        let certificates = generate(certificate_config).unwrap();
+        assert_eq!(
+            certificates.len(),
+            2,
+            "Expected to generate one ca certificate and one client certificate: {certificates:?}"
+        )
     }
 
     #[test]
-    fn root_ca_should_be_ca() {
-        let CertKeyPair {
-            certificate,
-            key: _,
-        } = create_root_ca().unwrap();
+    fn should_create_certificate() {
+        let config = client();
+        let result = create_certificate("test", &config, None);
+        assert!(result.is_ok())
+    }
 
-        assert_eq!(
-            certificate.params().is_ca,
-            IsCa::Ca(BasicConstraints::Unconstrained)
-        );
+    #[test]
+    fn should_generate_certificates() {
+        let config = ca_with_client();
+        let result = generate_certificates("my-ca", &config, None);
+        assert!(result.is_ok())
     }
 }