Keychain support #697

Merged
merged 4 commits into from
Jul 26, 2024
9 changes: 3 additions & 6 deletions CMakeLists.txt
Expand Up @@ -10,17 +10,14 @@ project(ziti-sdk
)

set(PROJECT_VERSION ${GIT_VERSION})
include(cmake/project-is-top-level.cmake)
include(cmake/variables.cmake)

set(tlsuv_DIR "" CACHE FILEPATH "developer option: use local tlsuv checkout")

option(HAVE_LIBSODIUM "use and link installed shared libsodium library" OFF)

message("project version: ${PROJECT_VERSION}")
message("git info:")
message(" branch : ${GIT_BRANCH}")
message(" hash : ${GIT_COMMIT_HASH}")
message(" branch : ${GIT_BRANCH}")
message(" hash : ${GIT_COMMIT_HASH}")

message("")
message("using ${CMAKE_GENERATOR}")
Expand Down Expand Up @@ -105,7 +102,7 @@ if (ziti_DEVELOPER_MODE AND NOT CMAKE_CROSSCOMPILING)
add_subdirectory(tests)
endif ()

if (EXISTS "${CMAKE_CURRENT_LIST_DIR}/local.cmake")
if (ziti-sdk_IS_TOP_LEVEL AND EXISTS "${CMAKE_CURRENT_LIST_DIR}/local.cmake")
include("${CMAKE_CURRENT_LIST_DIR}/local.cmake")
endif ()
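Review bot: The new guard `if (ziti-sdk_IS_TOP_LEVEL AND EXISTS ...)` depends on the `<PROJECT-NAME>_IS_TOP_LEVEL` variable that `project()` only defines from CMake 3.21 on, and this commit also deletes cmake/project-is-top-level.cmake, which presumably supplied that value on older CMake. If the `cmake_minimum_required` line (outside this hunk) is below 3.21, the variable is simply undefined there, so the local.cmake include is silently skipped and the `if (NOT PROJECT_IS_TOP_LEVEL)` branch in cmake/variables.cmake fires even for a top-level build. Either raise the minimum to 3.21 or keep the shim, and make the dependency visible with `# <project>_IS_TOP_LEVEL is set by project() since CMake 3.21`. Limiting local.cmake to the top-level build is worth documenting as well, since that file is arbitrary configure-time code read from the source tree: `# developer overrides; honored only when ziti-sdk is the top-level project, never when consumed as a subproject`.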

6 changes: 0 additions & 6 deletions cmake/project-is-top-level.cmake

This file was deleted.

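--- a/cmake/variables.cmake
+++ b/cmake/variables.cmake
@@ -21,10 +21,10 @@ set(warning_guard "")
 if (NOT PROJECT_IS_TOP_LEVEL)
 option(
 ziti_INCLUDES_WITH_SYSTEM
-"Use SYSTEM modifier for tlsuv's includes, disabling warnings"
+"Use SYSTEM modifier for ziti's includes, disabling warnings"
 ON
 )
-mark_as_advanced(tlsuv_INCLUDES_WITH_SYSTEM)
+mark_as_advanced(ziti_INCLUDES_WITH_SYSTEM)
 if (ziti_INCLUDES_WITH_SYSTEM)
 set(warning_guard SYSTEM)
 endif ()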
32 changes: 11 additions & 21 deletions deps/CMakeLists.txt
@@ -1,29 +1,19 @@

include(FetchContent)

if (tlsuv_DIR)
add_subdirectory(${tlsuv_DIR}
${CMAKE_CURRENT_BINARY_DIR}/tlsuv)
else ()

FetchContent_Declare(tlsuv
# allow downstream projects to pull tlsuv on their own
if (NOT TARGET tlsuv)
if (tlsuv_DIR)
add_subdirectory(${tlsuv_DIR}
${CMAKE_CURRENT_BINARY_DIR}/tlsuv)
else ()
FetchContent_Declare(tlsuv
GIT_REPOSITORY https://github.com/openziti/tlsuv.git
GIT_TAG v0.30.1
)
FetchContent_MakeAvailable(tlsuv)

endif (tlsuv_DIR)

FetchContent_Declare(subcommand
GIT_REPOSITORY https://github.com/openziti/subcommands.c.git
GIT_TAG main
GIT_TAG v0.31.1
)
FetchContent_GetProperties(subcommand)
if (NOT subcommand_POPULATED)
FetchContent_Populate(subcommand)
endif ()
add_library(subcommand INTERFACE)
target_include_directories(subcommand INTERFACE ${subcommand_SOURCE_DIR})
FetchContent_MakeAvailable(tlsuv)
endif (tlsuv_DIR)
endif () # tlsuv TARGET



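Review bot: `GIT_TAG v0.31.1` pins tlsuv to a mutable tag; for the library that sits in the TLS trust path, pinning the commit hash (which `GIT_TAG` accepts) makes the build reproducible and keeps a moved or re-pushed tag from silently changing what is fetched, e.g. `GIT_TAG <commit-hash-of-v0.31.1> # v0.31.1` (placeholder). The `if (NOT TARGET tlsuv)` guard only takes effect when the downstream project defines its tlsuv target before this directory is processed; a comment stating that ordering requirement would help consumers, for instance `# downstream projects must define a tlsuv target before add_subdirectory(deps) for this to be skipped`. `endif (tlsuv_DIR)` repeats the condition, which is legacy style; a bare `endif ()` matches the outer `endif ()` on the following line.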
1 change: 1 addition & 0 deletions inc_internal/ziti_enroll.h
Expand Up @@ -42,6 +42,7 @@ typedef struct enroll_cfg_s {

char *CA;

bool use_keychain;
const char *private_key;
tlsuv_private_key_t pk;
const char *own_cert;
1 change: 1 addition & 0 deletions includes/ziti/ziti.h
Expand Up @@ -258,6 +258,7 @@ typedef struct ziti_enroll_opts_s {
const char *enroll_cert;
const char *enroll_name;
const char *jwt_content;
bool use_keychain; // use keychain if generating new key
} ziti_enroll_opts;

typedef struct ziti_dial_opts_s {
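Review bot: Appending `bool use_keychain` to the public `ziti_enroll_opts` struct changes its size, so a caller built against the previous header that hands over a stack-allocated struct has no such field, and a caller that fills the struct field by field instead of `= {0}` leaves it indeterminate, which could route enrollment to the keychain path unintentionally. The comment should spell out the default and the initialization requirement, e.g. `bool use_keychain; // generate the new private key in the platform keychain instead of PEM; default false, callers must zero-initialize the struct`. Whether the library checks a size or version field before reading it is not visible here. If this header does not already include `<stdbool.h>` (outside the hunk), `bool` needs it.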
10 changes: 10 additions & 0 deletions library/utils.c
Expand Up @@ -414,7 +414,7 @@
time_t t = ts.tv_sec;
struct tm *tm = gmtime(&t);

snprintf(log_timestamp, sizeof(log_timestamp), "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ",

1900 + tm->tm_year, tm->tm_mon + 1, tm->tm_mday,
tm->tm_hour, tm->tm_min, tm->tm_sec, ts.tv_usec / 1000
);
Expand Down Expand Up @@ -572,6 +572,16 @@
return 0;
}

if (strncmp(keystr, "keychain:", strlen("keychain:")) == 0) {
const char *keyname = strchr(keystr, ':') + 1;
rc = tls->load_keychain_key(key, keyname);
if (rc != 0) {
ZITI_LOG(WARN, "failed to load keychain key[%s]", keyname);
return ZITI_INVALID_CONFIG;
}
return 0;
}

if (tlsuv_parse_url(&uri, keystr) == 0) {
if (uri.scheme_len == strlen("file") && strncmp(uri.scheme, "file", uri.scheme_len) == 0) {
rc = tls->load_key(key, uri.path, uri.path_len);
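Review bot: `rc = tls->load_keychain_key(key, keyname);` is called without checking that the TLS engine provides that callback, whereas library/ziti_enroll.c guards the corresponding `generate_keychain_key` call with a non-NULL test; if `load_keychain_key` is optional in the same way, a `keychain:` key reference on an engine without keychain support dereferences a NULL function pointer. Add `if (tls->load_keychain_key == NULL) { ZITI_LOG(WARN, "keychain keys are not supported by this TLS engine"); return ZITI_INVALID_CONFIG; }` before the call. `strchr(keystr, ':') + 1` is safe only because the preceding `strncmp` prefix match guarantees the colon exists; a comment such as `// prefix matched above, so ':' is present` saves the next reader the check. The enclosing function starts and ends outside the hunk.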
32 changes: 24 additions & 8 deletions library/ziti_enroll.c
Expand Up @@ -100,11 +100,12 @@
ecfg->own_cert = opts->enroll_cert;
ecfg->private_key = opts->enroll_key;
ecfg->name = opts->enroll_name;
ecfg->use_keychain = opts->use_keychain;

if (opts->jwt) {
TRY(ziti, load_jwt(opts->jwt, ecfg, &ecfg->zejh, &ecfg->zej));
} else {
ecfg->raw_jwt = opts->jwt_content;

TRY(ziti, load_jwt_content(ecfg, &ecfg->zejh, &ecfg->zej));
}
TRY(ziti, check_cert_required(ecfg));
Expand Down Expand Up @@ -175,11 +176,27 @@
size_t len;
if (enroll_req->ecfg->private_key == NULL) {
ziti_err = ZITI_KEY_GENERATION_FAILED;
TRY(TLS, tls->generate_key(&enroll_req->ecfg->pk));
TRY(TLS,
enroll_req->ecfg->pk->to_pem(enroll_req->ecfg->pk, (char **) &enroll_req->ecfg->private_key, &len));
}
else {
if (enroll_req->ecfg->use_keychain && tls->generate_keychain_key) {
tlsuv_private_key_t pk = NULL;
struct tlsuv_url_s url;
tlsuv_parse_url(&url, enroll_req->ecfg->zej->controller);

string_buf_t *keyname_buf = new_string_buf();
string_buf_fmt(keyname_buf, "keychain:%s@%.*s",
enroll_req->ecfg->zej->subject,
(int)url.hostname_len, url.hostname);
char *keyname_ref = string_buf_to_string(keyname_buf, NULL);
delete_string_buf(keyname_buf);

char *keyname = strchr(keyname_ref, ':') + 1;
enroll_req->ecfg->private_key = keyname_ref;
TRY(TLS, tls->generate_keychain_key(&pk, keyname));
enroll_req->ecfg->pk = pk;
} else {
TRY(TLS, tls->generate_key(&enroll_req->ecfg->pk));
TRY(TLS, enroll_req->ecfg->pk->to_pem(
enroll_req->ecfg->pk, (char **) &enroll_req->ecfg->private_key, &len));
}
}

ziti_err = ZITI_CSR_GENERATION_FAILED;
Expand All @@ -190,9 +207,8 @@
"DC", enroll_req->ecfg->zej->controller,
"CN", enroll_req->ecfg->zej->subject,
NULL));
}
else if (enroll_req->ecfg->zej->method == ziti_enrollment_methods.ottca ||
enroll_req->ecfg->zej->method == ziti_enrollment_methods.ca) {
} else if (enroll_req->ecfg->zej->method == ziti_enrollment_methods.ottca ||
enroll_req->ecfg->zej->method == ziti_enrollment_methods.ca) {
ziti_err = ZITI_KEY_LOAD_FAILED;
tlsuv_certificate_t cert;
TRY(TLS, tls->load_cert(&cert, enroll_req->ecfg->own_cert, strlen(enroll_req->ecfg->own_cert)));
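Review bot: The result of `tlsuv_parse_url(&url, enroll_req->ecfg->zej->controller);` is ignored and `url` is never initialized, so when the controller string does not parse, `url.hostname` and `url.hostname_len` are indeterminate by the time they reach the `%.*s` format a few lines later. Initialize with `struct tlsuv_url_s url = {0};` and fail the enrollment on a non-zero return the way the surrounding block does (`ziti_err` is already `ZITI_KEY_GENERATION_FAILED` at this point) rather than build a key name from whatever is on the stack. `keyname_ref` from `string_buf_to_string` is stored in `ecfg->private_key` before `generate_keychain_key` can fail; whether that failure path releases it depends on the TRY macro and the ecfg teardown, both outside this hunk. A comment like `// keychain entry is named <subject>@<controller-host>; private_key keeps the "keychain:" reference so later loads in utils.c take the keychain path` would document the contract with the loader. The enclosing function starts and ends outside the hunk.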
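--- a/programs/ziti-prox-c/CMakeLists.txt
+++ b/programs/ziti-prox-c/CMakeLists.txt
@@ -1,6 +1,18 @@
 
 add_executable(ziti-prox-c proxy.c)
 
+FetchContent_Declare(subcommand
+GIT_REPOSITORY https://github.com/openziti/subcommands.c.git
+GIT_TAG main
+)
+FetchContent_GetProperties(subcommand)
+if (NOT subcommand_POPULATED)
+FetchContent_Populate(subcommand)
+endif ()
+add_library(subcommand INTERFACE)
+target_include_directories(subcommand INTERFACE ${subcommand_SOURCE_DIR})
+
+
 if(WIN32)
 target_include_directories(ziti-prox-c PRIVATE win32/include)
 target_sources(ziti-prox-c PRIVATE win32/src/getopt.c)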
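Review bot: `GIT_TAG main` fetches whatever the subcommands.c default branch points at when the build runs, so the build is not reproducible and a force-pushed or compromised branch flows straight into ziti-prox-c; pin a release tag or, better, a commit hash, e.g. `GIT_TAG <commit-hash> # subcommands.c, pinned` (placeholder). This file calls `FetchContent_Declare` without its own `include(FetchContent)`, so it only works because deps/CMakeLists.txt has been processed first; adding the include here removes the ordering dependency. The `FetchContent_GetProperties` / `_POPULATED` / `FetchContent_Populate` sequence is the older manual pattern; a comment explaining why `FetchContent_MakeAvailable` is not used here (presumably the fetched tree has no CMakeLists.txt) would keep the next maintainer from "modernizing" it blindly.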