From b3978771418b2966642aff0cf5df7dac1b04741f Mon Sep 17 00:00:00 2001
From: eugene
Date: Thu, 25 Jul 2024 10:23:48 -0400
Subject: [PATCH 1/4] cleanup: PROJECT_IS_TOP_LEVEL/_IS_TOP_LEVEL is standard CMake(3.21) feature

---
CMakeLists.txt | 9 +++------
cmake/project-is-top-level.cmake | 6 ------
cmake/variables.cmake | 4 ++--
3 files changed, 5 insertions(+), 14 deletions(-)
delete mode 100644 cmake/project-is-top-level.cmake

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5fc596fc..38664445 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,17 +10,14 @@ project(ziti-sdk
 )
 set(PROJECT_VERSION ${GIT_VERSION})
-include(cmake/project-is-top-level.cmake)
 include(cmake/variables.cmake)
 set(tlsuv_DIR "" CACHE FILEPATH "developer option: use local tlsuv checkout")
-option(HAVE_LIBSODIUM "use and link installed shared libsodium library" OFF)
-
 message("project version: ${PROJECT_VERSION}")
 message("git info:")
-message(" branch : ${GIT_BRANCH}")
-message(" hash : ${GIT_COMMIT_HASH}")
+message(" branch : ${GIT_BRANCH}")
+message(" hash : ${GIT_COMMIT_HASH}")
 message("")
 message("using ${CMAKE_GENERATOR}")
@@ -105,7 +102,7 @@ if (ziti_DEVELOPER_MODE AND NOT CMAKE_CROSSCOMPILING)
 add_subdirectory(tests)
 endif ()
-if (EXISTS "${CMAKE_CURRENT_LIST_DIR}/local.cmake")
+if (ziti-sdk_IS_TOP_LEVEL AND EXISTS "${CMAKE_CURRENT_LIST_DIR}/local.cmake")
 include("${CMAKE_CURRENT_LIST_DIR}/local.cmake")
 endif ()
diff --git a/cmake/project-is-top-level.cmake b/cmake/project-is-top-level.cmake
deleted file mode 100644
index 9b2995cd..00000000
--- a/cmake/project-is-top-level.cmake
+++ /dev/null
@@ -1,6 +0,0 @@
-# This variable is set by project() in CMake 3.21+
-string(
- COMPARE EQUAL
- "${CMAKE_SOURCE_DIR}" "${PROJECT_SOURCE_DIR}"
- PROJECT_IS_TOP_LEVEL
-)
diff --git a/cmake/variables.cmake b/cmake/variables.cmake
index 28dcaec5..dcdf8a89 100644
--- a/cmake/variables.cmake
+++ b/cmake/variables.cmake
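Review bot: Dropping `include(cmake/project-is-top-level.cmake)` makes `PROJECT_IS_TOP_LEVEL` (tested in cmake/variables.cmake) and `ziti-sdk_IS_TOP_LEVEL` (tested in the second CMakeLists.txt hunk) depend on `project()` running under CMake 3.21 or newer, but the `cmake_minimum_required` line is outside this hunk and the patch does not show it being raised; on an older CMake both variables are silently undefined, so `if (NOT PROJECT_IS_TOP_LEVEL)` becomes true for a top-level build and the `local.cmake` include is skipped without any diagnostic. Confirm the minimum is at least 3.21, or keep a fallback such as `if (NOT DEFINED PROJECT_IS_TOP_LEVEL) string(COMPARE EQUAL "${CMAKE_SOURCE_DIR}" "${PROJECT_SOURCE_DIR}" PROJECT_IS_TOP_LEVEL) endif()`. The hunk also removes `option(HAVE_LIBSODIUM ...)`, which the subject does not mention; the message should say whether the option was dead or whether a user passing `-DHAVE_LIBSODIUM` should expect it to be ignored from now on. Using `PROJECT_IS_TOP_LEVEL` in one file and `ziti-sdk_IS_TOP_LEVEL` in the other for the same test is worth unifying.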
@@ -21,10 +21,10 @@ set(warning_guard "")
 if (NOT PROJECT_IS_TOP_LEVEL)
 option(
 ziti_INCLUDES_WITH_SYSTEM
- "Use SYSTEM modifier for tlsuv's includes, disabling warnings"
+ "Use SYSTEM modifier for ziti's includes, disabling warnings"
 ON
 )
- mark_as_advanced(tlsuv_INCLUDES_WITH_SYSTEM)
+ mark_as_advanced(ziti_INCLUDES_WITH_SYSTEM)
 if (ziti_INCLUDES_WITH_SYSTEM)
 set(warning_guard SYSTEM)
 endif ()

From c027de884a0fa7166294aef76928d7ff3ffee097 Mon Sep 17 00:00:00 2001
From: eugene
Date: Thu, 25 Jul 2024 10:27:43 -0400
Subject: [PATCH 2/4] move subcommand dep from top level

---
deps/CMakeLists.txt | 11 -----------
programs/ziti-prox-c/CMakeLists.txt | 12 ++++++++++++
2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/deps/CMakeLists.txt b/deps/CMakeLists.txt
index 534d3b2f..011d005e 100644
--- a/deps/CMakeLists.txt
+++ b/deps/CMakeLists.txt
@@ -14,17 +14,6 @@ else ()
 endif (tlsuv_DIR)
-FetchContent_Declare(subcommand
- GIT_REPOSITORY https://github.com/openziti/subcommands.c.git
- GIT_TAG main
- )
-FetchContent_GetProperties(subcommand)
-if (NOT subcommand_POPULATED)
- FetchContent_Populate(subcommand)
-endif ()
-add_library(subcommand INTERFACE)
-target_include_directories(subcommand INTERFACE ${subcommand_SOURCE_DIR})
-
diff --git a/programs/ziti-prox-c/CMakeLists.txt b/programs/ziti-prox-c/CMakeLists.txt
index 8a3feb12..f88c5e54 100644
--- a/programs/ziti-prox-c/CMakeLists.txt
+++ b/programs/ziti-prox-c/CMakeLists.txt
@@ -1,6 +1,18 @@
 add_executable(ziti-prox-c proxy.c)
+FetchContent_Declare(subcommand
+ GIT_REPOSITORY https://github.com/openziti/subcommands.c.git
+ GIT_TAG main
+)
+FetchContent_GetProperties(subcommand)
+if (NOT subcommand_POPULATED)
+ FetchContent_Populate(subcommand)
+endif ()
+add_library(subcommand INTERFACE)
+target_include_directories(subcommand INTERFACE ${subcommand_SOURCE_DIR})
+
+
 if(WIN32)
 target_include_directories(ziti-prox-c PRIVATE win32/include)
 target_sources(ziti-prox-c PRIVATE win32/src/getopt.c)
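Review bot: `GIT_TAG main` in the new `FetchContent_Declare(subcommand ...)` block pins the dependency to a moving branch, so each fresh configure fetches whatever `openziti/subcommands.c` currently has on `main`; builds are not reproducible and any change (or compromise) of that branch flows straight into `ziti-prox-c`. The block is moved from deps/CMakeLists.txt unchanged, so this is pre-existing, but since the lines are being rewritten it is the moment to pin them: `GIT_TAG <commit-sha-or-release-tag>` (placeholder, to be filled with the revision actually tested). This file shows no `include(FetchContent)`; if the commands resolve only because deps/CMakeLists.txt happened to be processed first, add the include here so the directory stands on its own. The `FetchContent_GetProperties`/`FetchContent_Populate` pair is the pre-3.14 pattern and the single-argument `FetchContent_Populate` is deprecated in recent CMake; `FetchContent_MakeAvailable(subcommand)` populates the same way and only calls `add_subdirectory` if the fetched tree has a top-level CMakeLists.txt, which is presumably not the case here.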
From e36b850750a201218b9cfde57b26a2f6d61c4f7d Mon Sep 17 00:00:00 2001
From: eugene
Date: Thu, 25 Jul 2024 10:28:36 -0400
Subject: [PATCH 3/4] bump tlsuv@v0.31.0

---
deps/CMakeLists.txt | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/deps/CMakeLists.txt b/deps/CMakeLists.txt
index 011d005e..71a0150d 100644
--- a/deps/CMakeLists.txt
+++ b/deps/CMakeLists.txt
@@ -1,18 +1,19 @@
 include(FetchContent)
-if (tlsuv_DIR)
- add_subdirectory(${tlsuv_DIR}
- ${CMAKE_CURRENT_BINARY_DIR}/tlsuv)
-else ()
-
- FetchContent_Declare(tlsuv
+# allow downstream projects to pull tlsuv on their own
+if (NOT TARGET tlsuv)
+ if (tlsuv_DIR)
+ add_subdirectory(${tlsuv_DIR}
+ ${CMAKE_CURRENT_BINARY_DIR}/tlsuv)
+ else ()
+ FetchContent_Declare(tlsuv
 GIT_REPOSITORY https://github.com/openziti/tlsuv.git
- GIT_TAG v0.30.1
- )
- FetchContent_MakeAvailable(tlsuv)
-
-endif (tlsuv_DIR)
+ GIT_TAG v0.31.0
+ )
+ FetchContent_MakeAvailable(tlsuv)
+ endif (tlsuv_DIR)
+endif ()
 # tlsuv TARGET

From 2fa0967494b0fc7036f9dfa233b83a3eb7bdfdd1 Mon Sep 17 00:00:00 2001
From: eugene
Date: Fri, 26 Jul 2024 11:25:52 -0400
Subject: [PATCH 4/4] add support for keychain keys

- allow loading private keys from keychain using key ref `keychain:`
- allow generating identity keys right inside keychain `ziti_enroll_opts.use_keychain = true`
---
deps/CMakeLists.txt | 2 +-
inc_internal/ziti_enroll.h | 1 +
includes/ziti/ziti.h | 1 +
library/utils.c | 10 ++++++++++
library/ziti_enroll.c | 32 ++++++++++++++++++++++++--------
5 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/deps/CMakeLists.txt b/deps/CMakeLists.txt
index 71a0150d..764c011f 100644
--- a/deps/CMakeLists.txt
+++ b/deps/CMakeLists.txt
@@ -9,7 +9,7 @@ if (NOT TARGET tlsuv)
 else ()
 FetchContent_Declare(tlsuv
 GIT_REPOSITORY https://github.com/openziti/tlsuv.git
- GIT_TAG v0.31.0
+ GIT_TAG v0.31.1
 )
 FetchContent_MakeAvailable(tlsuv)
 endif (tlsuv_DIR)
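Review bot: The new `if (NOT TARGET tlsuv)` guard lets a parent project substitute any `tlsuv` target, but nothing checks that it is at least the `v0.31.0` this file would otherwise fetch; the next patch in this series calls `tls->load_keychain_key` and `tls->generate_keychain_key`, which an older tlsuv supplied by the parent presumably lacks, and that would surface as a link error or a NULL function pointer far from this file. Consider at least a `message(STATUS ...)` naming which tlsuv is in use and, if tlsuv exports a version variable or target property, a `message(FATAL_ERROR ...)` when it is below the version the SDK was built against. Style: the newly written `endif (tlsuv_DIR)` repeats the condition, which is legacy noise; a bare `endif()` matches the outer `endif ()` the hunk adds.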
diff --git a/inc_internal/ziti_enroll.h b/inc_internal/ziti_enroll.h
index 4604a82c..c710f452 100644
--- a/inc_internal/ziti_enroll.h
+++ b/inc_internal/ziti_enroll.h
@@ -42,6 +42,7 @@ typedef struct enroll_cfg_s {
 char *CA;
+ bool use_keychain;
 const char *private_key;
 tlsuv_private_key_t pk;
 const char *own_cert;
diff --git a/includes/ziti/ziti.h b/includes/ziti/ziti.h
index af9b0fe8..ead4d945 100644
--- a/includes/ziti/ziti.h
+++ b/includes/ziti/ziti.h
@@ -258,6 +258,7 @@ typedef struct ziti_enroll_opts_s {
 const char *enroll_cert;
 const char *enroll_name;
 const char *jwt_content;
+ bool use_keychain; // use keychain if generating new key
 } ziti_enroll_opts;
 typedef struct ziti_dial_opts_s {
diff --git a/library/utils.c b/library/utils.c
index e98668c7..215b9d48 100644
--- a/library/utils.c
+++ b/library/utils.c
@@ -572,6 +572,16 @@ int load_key_internal(tls_context *tls, tlsuv_private_key_t *key, const char *ke
 return 0;
 }
+ if (strncmp(keystr, "keychain:", strlen("keychain:")) == 0) {
+ const char *keyname = strchr(keystr, ':') + 1;
+ rc = tls->load_keychain_key(key, keyname);
+ if (rc != 0) {
+ ZITI_LOG(WARN, "failed to load keychain key[%s]", keyname);
+ return ZITI_INVALID_CONFIG;
+ }
+ return 0;
+ }
+
 if (tlsuv_parse_url(&uri, keystr) == 0) {
 if (uri.scheme_len == strlen("file") && strncmp(uri.scheme, "file", uri.scheme_len) == 0) {
 rc = tls->load_key(key, uri.path, uri.path_len);
diff --git a/library/ziti_enroll.c b/library/ziti_enroll.c
index 09fa7c08..4d9c9de5 100644
--- a/library/ziti_enroll.c
+++ b/library/ziti_enroll.c
@@ -100,6 +100,7 @@ int ziti_enroll(ziti_enroll_opts *opts, uv_loop_t *loop, ziti_enroll_cb enroll_c
 ecfg->own_cert = opts->enroll_cert;
 ecfg->private_key = opts->enroll_key;
 ecfg->name = opts->enroll_name;
+ ecfg->use_keychain = opts->use_keychain;
 if (opts->jwt) {
 TRY(ziti, load_jwt(opts->jwt, ecfg, &ecfg->zejh, &ecfg->zej));
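Review bot: The comment on the new public field in includes/ziti/ziti.h, `// use keychain if generating new key`, undersells the contract that library/ziti_enroll.c implements in this series: the flag only has an effect when `enroll_key` is NULL, and it is silently ignored when the TLS backend has no `generate_keychain_key`, in which case an in-memory key is generated and exported as PEM exactly as before. Because `ziti_enroll_opts` is a struct that callers fill in, state that here, e.g. `bool use_keychain; // when enroll_key is NULL, generate the identity key inside the platform keychain if the TLS backend supports it; otherwise a PEM key is generated as before`. Callers that build the struct without zero-initializing it will now read an indeterminate value from this appended field, so the release notes should say the struct must be zeroed (`ziti_enroll_opts opts = {0};`).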
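Review bot: In the library/utils.c hunk, `tls->load_keychain_key(key, keyname)` is called unconditionally for any `keychain:` reference, whereas the enrollment path in library/ziti_enroll.c tests `tls->generate_keychain_key` before using it; if a TLS backend leaves `load_keychain_key` unset, an identity file carrying a `keychain:` key would dereference a NULL function pointer instead of failing with `ZITI_INVALID_CONFIG`. Guard it the same way, e.g. `if (tls->load_keychain_key == NULL) { ZITI_LOG(WARN, "keychain keys not supported by TLS backend"); return ZITI_INVALID_CONFIG; }`. An empty name (`"keychain:"` alone) passes through as `""`; rejecting it here gives a clearer diagnostic than whatever the backend reports. `load_key_internal` starts outside the hunk.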
@@ -175,11 +176,27 @@ static void well_known_certs_cb(char *base64_encoded_pkcs7, const ziti_error *er
 size_t len;
 if (enroll_req->ecfg->private_key == NULL) {
 ziti_err = ZITI_KEY_GENERATION_FAILED;
- TRY(TLS, tls->generate_key(&enroll_req->ecfg->pk));
- TRY(TLS,
- enroll_req->ecfg->pk->to_pem(enroll_req->ecfg->pk, (char **) &enroll_req->ecfg->private_key, &len));
- }
- else {
+ if (enroll_req->ecfg->use_keychain && tls->generate_keychain_key) {
+ tlsuv_private_key_t pk = NULL;
+ struct tlsuv_url_s url;
+ tlsuv_parse_url(&url, enroll_req->ecfg->zej->controller);
+
+ string_buf_t *keyname_buf = new_string_buf();
+ string_buf_fmt(keyname_buf, "keychain:%s@%.*s",
+ enroll_req->ecfg->zej->subject,
+ (int)url.hostname_len, url.hostname);
+ char *keyname_ref = string_buf_to_string(keyname_buf, NULL);
+ delete_string_buf(keyname_buf);
+
+ char *keyname = strchr(keyname_ref, ':') + 1;
+ enroll_req->ecfg->private_key = keyname_ref;
+ TRY(TLS, tls->generate_keychain_key(&pk, keyname));
+ enroll_req->ecfg->pk = pk;
+ } else {
+ TRY(TLS, tls->generate_key(&enroll_req->ecfg->pk));
+ TRY(TLS, enroll_req->ecfg->pk->to_pem(
+ enroll_req->ecfg->pk, (char **) &enroll_req->ecfg->private_key, &len));
+ }
 }
 ziti_err = ZITI_CSR_GENERATION_FAILED;
@@ -190,9 +207,8 @@ static void well_known_certs_cb(char *base64_encoded_pkcs7, const ziti_error *er
 "DC", enroll_req->ecfg->zej->controller,
 "CN", enroll_req->ecfg->zej->subject,
 NULL));
- }
- else if (enroll_req->ecfg->zej->method == ziti_enrollment_methods.ottca ||
- enroll_req->ecfg->zej->method == ziti_enrollment_methods.ca) {
+ } else if (enroll_req->ecfg->zej->method == ziti_enrollment_methods.ottca ||
+ enroll_req->ecfg->zej->method == ziti_enrollment_methods.ca) {
 ziti_err = ZITI_KEY_LOAD_FAILED;
 tlsuv_certificate_t cert;
 TRY(TLS, tls->load_cert(&cert, enroll_req->ecfg->own_cert, strlen(enroll_req->ecfg->own_cert)));
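Review bot: The return value of `tlsuv_parse_url(&url, enroll_req->ecfg->zej->controller)` is discarded and `url` is declared without an initializer, so if the controller string from the enrollment JWT does not parse, `url.hostname`/`url.hostname_len` feed indeterminate memory into the `keychain:%s@%.*s` key name and from there into the keychain entry; library/utils.c in this same series checks the same call with `== 0`. Check it before building the name, for instance `TRY(TLS, tlsuv_parse_url(&url, enroll_req->ecfg->zej->controller));` (assuming `TRY(TLS, …)` treats a nonzero return as failure, as it does for `generate_key`), and declare `struct tlsuv_url_s url = {0};`. `keyname_ref` is heap memory from `string_buf_to_string` stored into `ecfg->private_key`, the same slot the PEM path fills from `to_pem`; confirm the config teardown frees it in both cases, and note that when `generate_keychain_key` fails the reference has already been stored. The enclosing `well_known_certs_cb` starts and ends outside the hunk.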