ci(https support ): add test for https support DI

- still WIP

Signed-off-by: Sarita Mahajan <[email protected]>

Author: sarmahaj

client-linuxapp/src/main.rs

@@ -855,7 +855,8 @@ async fn perform_to2(
 ) -> Result<bool> {
     log::info!("Performing TO2 protocol, URL: {:?}", url);
 
-    let mut client = fdo_http_wrapper::client::ServiceClient::new(ProtocolVersion::Version1_1, url)?;
+    let mut client =
+        fdo_http_wrapper::client::ServiceClient::new(ProtocolVersion::Version1_1, url)?;
 
     let nonce5 = match get_nonce(MessageType::TO1RVRedirect).await {
         Ok(nonce5) => nonce5,

http-wrapper/src/client.rs

@@ -159,13 +159,13 @@ impl ServiceClient {
             client_builder = client_builder.danger_accept_invalid_certs(true);
         }
 
-        Ok(ServiceClient {  
+        Ok(ServiceClient {
             protocol_version,
             base_url: base_url.trim_end_matches('/').to_string(),
             client: client_builder
-            .tls_info(true)
-          //  .danger_accept_invalid_certs(true)
-            .build()?,
+                .tls_info(true)
+                //  .danger_accept_invalid_certs(true)
+                .build()?,
             authorization_token: None,
             encryption_keys: EncryptionKeys::unencrypted(),
             last_message_type: None,
@@ -223,15 +223,15 @@ impl ServiceClient {
         let to_send = to_send.serialize_data()?;
         let to_send = self.encryption_keys.encrypt(&to_send)?;
         log::trace!("Sending message: {:?}", hex::encode(&to_send));
-     
-         let url = format!(
-            "{}/fdo/{}/msg/{}", 
+
+        let url = format!(
+            "{}/fdo/{}/msg/{}",
             &self.base_url,
             self.protocol_version,
             OM::message_type() as u8
-        ); 
+        );
 
-        log::debug!("url: {}",url);
+        log::debug!("url: {}", url);
         let mut req = self
             .client
             .post(&url)

integration-tests/Cargo.toml

@@ -32,7 +32,8 @@ serde_cbor = "0.11"
 serde_json = "1.0"
 pretty_assertions = "1.0.0"
 paste = "1.0"
-pem = "2.0"
+pem = "3.0.3"
+chrono = "0.4.33"
 
 fdo-data-formats = { path = "../data-formats" }
 fdo-util = { path = "../util" }

integration-tests/templates/manufacturing-server.yml.j2

@@ -8,7 +8,8 @@ ownership_voucher_store_driver:
 public_key_store_driver:
   Directory:
     path: {{ config_dir }}/keys/
-bind: {{ bind }}
+bind_http: {{ bind }}
+bind_https: {{ bind_https }}
 rendezvous_info:
 - dns: localhost
   device_port: 8082
@@ -33,3 +34,5 @@ manufacturing:
   owner_cert_path: {{ keys_path }}/owner_cert.pem
   device_cert_ca_private_key: {{ keys_path }}/device_ca_key.der
   device_cert_ca_chain: {{ keys_path }}/device_ca_cert.pem
+  manufacturing_server_https_cert: {{ keys_path }}/manufacturing_server_https_cert.crt
+  manufacturing_server_https_key: {{ keys_path }}/manufacturing_server_https_key.key

integration-tests/tests/common/mod.rs

@@ -3,7 +3,7 @@
 use std::{
     env,
     fs::{self, create_dir, File},
-    io::{BufRead, BufReader},
+    io::{BufRead, BufReader, Write},
     path::{Path, PathBuf},
     process::{Child, Command, ExitStatus},
     time::{Duration, Instant},
@@ -22,6 +22,11 @@ use openssl::{
 
 use fdo_util::servers::format_conf_env;
 
+use openssl::rsa::Rsa;
+use openssl::x509::extension::SubjectAlternativeName;
+use openssl::x509::X509Extension;
+use openssl::x509::X509ReqBuilder;
+
 const PORT_BASE: u16 = 5080;
 
 lazy_static::lazy_static! {
@@ -241,6 +246,9 @@ impl TestContext {
         };
 
         new_context.create_keys().context("Error creating keys")?;
+        new_context
+            .generate_https_keys_and_certs()
+            .context("Error creating https key & cert")?;
 
         Ok(new_context)
     }
@@ -259,6 +267,98 @@ impl TestContext {
     pub fn runner_path(&self, number: &TestBinaryNumber) -> PathBuf {
         self.testpath.join(number.name())
     }
+    pub fn generate_https_keys_and_certs(&self) -> Result<()> {
+        let https_keys_path = self.keys_path();
+        //  create_dir(&https_keys_path).context("Error creating HTTPS keys directory")?;
+
+        /*      // Generate RSA private key
+        let rsa = Rsa::generate(2048).context("Error generating RSA private key")?;
+        let private_key = PKey::from_rsa(rsa).context("Error converting RSA private key to PKey")?;
+
+        // Generate certificate request
+        let mut req_builder = X509ReqBuilder::new().context("Error creating X509ReqBuilder")?;
+        req_builder.set_pubkey(&private_key).context("Error setting public key in request")?;
+        req_builder
+            .add_extension(
+                X509Extension::subject_alt_name(
+                    &SubjectAlternativeName::new()
+                        .dns("localhost")
+                        .dns("example.com"),
+                )
+                .context("Error adding Subject Alternative Name extension")?,
+            )
+            .context("Error adding extension to request")?;
+        let req = req_builder.build();
+
+        // Sign the certificate request with the private key
+        let cert = req
+            .sign(&private_key, MessageDigest::sha256())
+            .context("Error signing certificate request")?;
+
+        // Now serialize the key and certificate
+        let private_key = private_key
+            .private_key_to_der()
+            .context("Error converting private key to DER")?;
+        let cert = cert.to_pem().context("Error converting certificate to PEM")?;
+
+        // Write them to disk
+        fs::write(https_keys_path.join("server_key.der"), private_key)
+            .context("Error writing private key")?;
+        fs::write(https_keys_path.join("server_cert.pem"), cert)
+            .context("Error writing certificate")?; */
+
+        // Generate RSA private key
+        let rsa = Rsa::generate(2048)?;
+        //let private_key = rsa.private_key_to_pem()?;
+        let private_key =
+            PKey::from_rsa(rsa).context("Error converting RSA private key to PKey")?;
+
+        // Write private key to server.key file
+        let mut key_file = File::create(format!(
+            "{}/manufacturing_server_https_key.key",
+            https_keys_path.display()
+        ))?;
+        //key_file.write_all(&private_key)?;
+        key_file.write_all(&private_key.private_key_to_pem_pkcs8()?)?;
+        // Generate X.509 certificate
+        let mut builder = X509Builder::new()?;
+
+        // Set subject for the certificate
+        let mut name_builder = X509NameBuilder::new()?;
+        name_builder.append_entry_by_nid(openssl::nid::Nid::COMMONNAME, "localhost")?;
+        let subject_name = name_builder.build();
+        builder.set_subject_name(&subject_name)?;
+
+        // Set issuer same as subject (self-signed certificate)
+        builder.set_issuer_name(&subject_name)?;
+
+        // Set public key in the certificate
+        builder.set_pubkey(&private_key)?;
+
+        // Set validity period of the certificate (365 days)
+        //  let not_after = chrono::Utc::now() + chrono::Duration::days(365);
+        //builder.set_not_after(&not_after)?;
+        //builder.set_not_before(&chrono::Utc::now())?;
+
+        //  let not_after = chrono::Utc::now() + chrono::Duration::days(365);
+        // builder.set_not_after(Asn1Time::from(&not_after)?)?;
+        builder.set_not_after(Asn1Time::days_from_now(365)?.as_ref())?;
+        builder.set_not_before(Asn1Time::days_from_now(0)?.as_ref())?;
+        //    builder.set_not_before(Asn1Time::from(&chrono::Utc::now())?)?;
+
+        // Sign the certificate with the private key
+        builder.sign(&private_key, openssl::hash::MessageDigest::sha256())?;
+        let certificate = builder.build();
+
+        // Write certificate to server.crt file
+        let mut cert_file = File::create(format!(
+            "{}/manufacturing_server_https_cert.crt",
+            https_keys_path.display()
+        ))?;
+        cert_file.write_all(&certificate.to_pem()?)?;
+
+        Ok(())
+    }
 
     fn create_keys(&self) -> Result<()> {
         let keys_path = self.keys_path();
@@ -336,7 +436,6 @@ impl TestContext {
             fs::write(keys_path.join(format!("{}_cert.pem", key_name)), cert)
                 .context("Error writing certificate")?;
         }
-
         Ok(())
     }
 
@@ -801,6 +900,7 @@ impl<'a> TestServerConfigurator<'a> {
                     "bind",
                     &format!("127.0.0.1:{}", self.server_number.server_port().unwrap()),
                 );
+                cfg.insert("bind_https", &format!("127.0.0.1:{}", 6000));
                 cfg.insert("test_dir", &self.test_context.testpath());
                 cfg.insert("owner_port", &self.server_number.server_port().unwrap());
                 cfg.insert(

integration-tests/tests/di_diun.rs

@@ -25,6 +25,9 @@ async fn test_device_credentials_already_active() -> Result<()> {
                     cfg.insert("rendezvous_port", "1337");
                     cfg.insert("diun_key_type", "FileSystem");
                     cfg.insert("device_identification_format", "SerialNumber");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                   // cfg.insert("bind_https", &format!("0.0.0.0:{}","8096"));
                     Ok(())
                 })?)
             },
@@ -109,6 +112,9 @@ async fn test_device_credentials_generated_with_mac_address() -> Result<()> {
                     cfg.insert("rendezvous_port", "1337");
                     cfg.insert("diun_key_type", "FileSystem");
                     cfg.insert("device_identification_format", "MACAddress");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                  //  cfg.insert("bind_https", &format!("0.0.0.0:{}","8086"));
                     Ok(())
                 })?)
             },
@@ -207,6 +213,9 @@ async fn test_device_credentials_with_tpm() -> Result<()> {
                     cfg.insert("rendezvous_port", "1337");
                     cfg.insert("diun_key_type", "Tpm");
                     cfg.insert("device_identification_format", "SerialNumber");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                   // cfg.insert("bind_https", &format!("0.0.0.0:{}","8086"));
                     Ok(())
                 })?)
             },
@@ -254,6 +263,10 @@ async fn test_device_credentials_generated_with_mac_address_no_user_given_iface(
                     cfg.insert("rendezvous_port", "1337");
                     cfg.insert("diun_key_type", "FileSystem");
                     cfg.insert("device_identification_format", "MACAddress");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                 //   cfg.insert("bind_https", &format!("0.0.0.0:{}","8086"));
+
                     Ok(())
                 })?)
             },

integration-tests/tests/di_diun_https.rs

@@ -0,0 +1,57 @@
+mod common;
+use anyhow::{Context, Result};
+use common::{Binary, LogSide, TestContext};
+use std::path::Path;
+use std::time::Duration;
+const L: LogSide = LogSide::Test;
+
+#[tokio::test]
+async fn di_diun_https_test() -> Result<()> {
+    let mut ctx = TestContext::new().context("Error building test context")?;
+
+    let mfg_server = ctx
+        .start_test_server(
+            Binary::ManufacturingServer,
+            |cfg| {
+                Ok(cfg.prepare_config_file(None, |cfg| {
+                    cfg.insert("rendezvous_port", "1337");
+                    cfg.insert("diun_key_type", "FileSystem");
+                    cfg.insert("device_identification_format", "SerialNumber");
+                    //  cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    //  cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    // cfg.insert("bind_http", "8085");
+                    // cfg.insert("bind_https", &("127.0.0.1:{}" ));
+                    Ok(())
+                })?)
+            },
+            |_| Ok(()),
+        )
+        .context("Error creating manufacturing server")?;
+    ctx.wait_until_servers_ready()
+        .await
+        .context("Error waiting for servers to start")?;
+
+    let client_result = ctx
+        .run_client(
+            Binary::ManufacturingClient,
+            Some(&mfg_server),
+            |cfg| {
+                cfg.env("DEVICE_CREDENTIAL_FILENAME", "devicecredential.dc")
+                    .env("MANUFACTURING_SERVER_URL", "https://localhost:8086")
+                    .env("DEV_ENVIRONMENT", "1")
+                    .env("DIUN_PUB_KEY_INSECURE", "true");
+                Ok(())
+            },
+            Duration::from_secs(5),
+        )
+        .context("Error running manufacturing client")?;
+    client_result
+        .expect_success()
+        .context("Manufacturing client failed")?;
+
+    let dc_path = client_result.client_path().join("devicecredential.dc");
+    L.l(format!("Device Credential should be in {:?}", dc_path));
+    assert!(Path::new(&dc_path).exists());
+
+    Ok(())
+}

integration-tests/tests/e2e.rs

@@ -192,6 +192,10 @@ where
                     cfg.insert("diun_key_type", diun_key_type);
                     cfg.insert("rendezvous_port", &rendezvous_server.server_port().unwrap());
                     cfg.insert("device_identification_format", "SerialNumber");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                 //   cfg.insert("bind_https", &format!("0.0.0.0:{}","8086"));
+
                     Ok(())
                 })?)
             },
@@ -514,6 +518,10 @@ where
                     cfg.insert("diun_key_type", diun_key_type);
                     cfg.insert("rendezvous_port", &rendezvous_server.server_port().unwrap());
                     cfg.insert("device_identification_format", "SerialNumber");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                  //  cfg.insert("bind_https", &format!("0.0.0.0:{}","8086"));
+
                     Ok(())
                 })?)
             },

integration-tests/tests/service_info.rs

@@ -106,6 +106,9 @@ where
                     cfg.insert("diun_key_type", diun_key_type);
                     cfg.insert("rendezvous_port", &rendezvous_server.server_port().unwrap());
                     cfg.insert("device_identification_format", "SerialNumber");
+                    cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                    cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
+                   // cfg.insert("bind_https", &format!("0.0.0.0:{}","8086"));
                     Ok(())
                 })?)
             },

integration-tests/tests/test-data/https-test/manufacturing_server_https_cert.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqzCCApMCFDBq5YwvijIjOB6U4yFgJpJwHTsEMA0GCSqGSIb3DQEBCwUAMIGR
+MQswCQYDVQQGEwJJRTEPMA0GA1UECAwGR2Fsd2F5MQ8wDQYDVQQHDAZHYWx3YXkx
+EDAOBgNVBAoMB1JlZCBIYXQxDDAKBgNVBAsMA1I0RTEcMBoGA1UEAwwTd3d3LmZk
+by5leGFtcGxlLmNvbTEiMCAGCSqGSIb3DQEJARYTc2FybWFoYWpAcmVkaGF0LmNv
+bTAeFw0yMzA5MTIxMDA5MzdaFw0yNDA5MTExMDA5MzdaMIGRMQswCQYDVQQGEwJJ
+RTEPMA0GA1UECAwGR2Fsd2F5MQ8wDQYDVQQHDAZHYWx3YXkxEDAOBgNVBAoMB1Jl
+ZCBIYXQxDDAKBgNVBAsMA1I0RTEcMBoGA1UEAwwTd3d3LmZkby5leGFtcGxlLmNv
+bTEiMCAGCSqGSIb3DQEJARYTc2FybWFoYWpAcmVkaGF0LmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMiKFA4zj4DZ3S85HosHND7hAapN7MSS6h+4
+xdJC6xZBe4EkSNpvuj22I09bxdmdPB4KDI0mKIhzM5QTmeIj5ejGaeviuDbLuF1t
+2CLbb4Dprj9uS81XattqSdRDeWa4EZRGf3iGoryb2KgdRaqT1sy5Rh2KfNa+267w
+JElZ6EsBjjXojBO2yg+dW75U1oIhLtQPFUIQ78muOr8Hg6p67UHaLO6rry7R/Dhd
+bphrJwLME5AaQAvpudWM7y0PrHsOzW3nmykktTSbOXBWtx2d7pZYju+DXSW9/1rV
++GV+NtoUIjUL9fEKm9mT2VuW433ZCvPrQTAcNo87VsMYk4mZyZcCAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAx0l+3iEf6SydBwWP1qVFPRC9NExym5DN14bYQivBwvNO
+454WrO/lQyXuKsMrS5Uu2bURNblxs7lOIfyzIn9CHZq8DRcAfPoVl9nn90WnD72j
+YIqCvOcC5VtLR5SFMIfWYgpj7/uHhEO0ykQk5oLkxkooPROOcJPDdUuZZx5hY3f9
+r7zGBrPhQHT+3YJmg2aF4j7+GCGoydg+alkxLHhHfs7r+tH7bNtL28x86iqilWGs
+7ciG5nZm+tM/DaI+yUtnJhN83J6914Zjm8QX/85IiaBC6rVcEfkFTkqlPXId2kHV
+pmRu5tNQOqLctpmIr+M1/JQDuhkoh+MyJBfEwzG6Tw==
+-----END CERTIFICATE-----