(WIP) : HTTPS support for manufacturing-server and manufacturing-client for DI #579

Draft: wants to merge 3 commits into base: main
Conversation

sarmahaj (Contributor) commented Nov 23, 2023

This PR (currently in draft state) contains:

  • changes in manufacturing_server and manufacturing_client to support HTTPS requests.
  • both HTTP and HTTPS requests work
  • corresponding changes in the manufacturing_server config file for the http and https port numbers
  • CI tests are still WIP

(Meanwhile, to test manually, use the following commands.)

To create key & certs:
openssl genpkey -algorithm RSA -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Mention these paths in the manufacturing_server_https_key and manufacturing_server_https_cert fields in the manufacturing_server.config file.
(The part that generates the cert and key will be taken care of in a separate PR, as part of the admin-tool.)

sudo MANUFACTURING_SERVER_CONF=/usr/share/fdo/manufacturing_server.yml LOG_LEVEL=trace ./target/debug/fdo-manufacturing-server

HTTPS request:
sudo DEV_ENVIRONMENT=1 MANUFACTURING_SERVER_URL=https://localhost:8084 LOG_LEVEL=trace DIUN_PUB_KEY_ROOTCERTS=aio-dir/keys/diun_cert.pem ./target/debug/fdo-manufacturing-client

HTTP request:
sudo DEV_ENVIRONMENT=0 MANUFACTURING_SERVER_URL=http://localhost:8080 LOG_LEVEL=trace DIUN_PUB_KEY_ROOTCERTS=aio-dir/keys/diun_cert.pem ./target/debug/fdo-manufacturing-client

DI should work and create the device_credentials file under /etc/device-credentials.
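The manual test flow above creates the key and certificate with three interactive openssl calls and a subject containing only a CN. As an added example (this is not code from the PR or from the fido-device-onboard-rs project), the same test material can be produced non-interactively with a subjectAltName, which is what rustls/webpki-based clients actually match the host name against (they ignore CN), and then checked before the server is started. It assumes OpenSSL 1.1.1 or newer (for -addext); the field names manufacturing_server_https_key and manufacturing_server_https_cert are taken from the PR description, while make_test_cert, check_test_cert and the HTTPS_TEST_DIR variable are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the PR: generate and check a self-signed
# test certificate for the manufacturing server.
# Assumptions: OpenSSL >= 1.1.1; config field names as in the PR text;
# function names and HTTPS_TEST_DIR are illustrative.
set -eu

# make_test_cert DIR [HOST]
# Writes DIR/server.key and DIR/server.crt (RSA-2048, self-signed, 365 days)
# with CN=HOST and SAN "DNS:HOST, IP:127.0.0.1", then prints the two config
# lines (assumed YAML form) to paste into the manufacturing server config.
make_test_cert() {
    dir=$1
    host=${2:-localhost}
    mkdir -p "$dir"
    # One step instead of genpkey + req + x509: -newkey makes the key,
    # -x509 self-signs, -nodes leaves the key unencrypted, -subj avoids
    # the interactive prompts, -addext adds the SAN the client needs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:127.0.0.1" >/dev/null 2>&1
    chmod 600 "$dir/server.key"
    printf 'manufacturing_server_https_key: %s/server.key\n' "$dir"
    printf 'manufacturing_server_https_cert: %s/server.crt\n' "$dir"
}

# check_test_cert DIR [HOST]
# Returns 0 when server.crt lists DNS:HOST in its SAN, verifies against
# itself as trust anchor (signature and validity period), and carries the
# same public key as server.key; 1, 2 or 3 otherwise.
check_test_cert() {
    dir=$1
    host=${2:-localhost}
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 || return 2
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || return 3
    return 0
}

# Stand-alone use: HTTPS_TEST_DIR=/tmp/https-test sh this_script.sh
if [ -n "${HTTPS_TEST_DIR:-}" ]; then
    make_test_cert "$HTTPS_TEST_DIR" localhost
    check_test_cert "$HTTPS_TEST_DIR" localhost && echo "cert ok"
fi
```

The client invocation in the PR text then needs only the server URL to use the same host name that is in the SAN (https://localhost:8084), and whatever trust configuration the client exposes for the self-signed server.crt; DEV_ENVIRONMENT=1 is left as the PR describes it, since the page does not say what it changes about certificate validation.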

Code scanning: three alerts in integration-tests/tests/di_diun.rs marked fixed.
@sarmahaj changed the title from "HTTPS support for manufacturing-server and manufacturing-client for DI" to "(WIP) : HTTPS support for manufacturing-server and manufacturing-client for DI" on Jan 18, 2024.
Code scanning: one alert in integration-tests/tests/di_diun_https.rs dismissed.
- warp::service and hyper::server combination used to run https server
- separate bind address for http and https
- tls_config contains tls config for https
- now manufacturing-server supports both http and https requests from client.

Signed-off-by: Sarita Mahajan <sarmahaj@redhat.com>
- changes on client side to support https request

Signed-off-by: Sarita Mahajan <sarmahaj@redhat.com>
- still WIP

Signed-off-by: Sarita Mahajan <sarmahaj@redhat.com>
// cfg.insert("manufacturing_server_https_cert_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
// cfg.insert("manufacturing_server_https_key_path", "/workspaces/fido-device-onboard-rs/integration-tests/tests/test-data/https-test");
// cfg.insert("bind_http", "8085");
// cfg.insert("bind_https", &("127.0.0.1:{}" ));
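Review bot: these four commented-out cfg.insert lines are dead code in the integration test and should be deleted before the PR leaves draft rather than left for someone to uncomment. If they are meant to come back, two of them are wrong as written: `cfg.insert("bind_https", &("127.0.0.1:{}" ))` passes the literal string "127.0.0.1:{}" with no format! call, so it can never yield a valid bind address, and manufacturing_server_https_cert_path and manufacturing_server_https_key_path both point at the same path (.../test-data/https-test), which cannot be the cert file and the key file at once unless the server treats that value as a directory.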

Code scanning / devskim, Note (test): Accessing localhost could indicate debug code, or could hinder scaling. Do not leave debug code in production.
@@ -801,6 +900,7 @@
"bind",
&format!("127.0.0.1:{}", self.server_number.server_port().unwrap()),
);
cfg.insert("bind_https", &format!("127.0.0.1:{}", 6000));
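Review bot: the HTTPS bind port is hard-coded to 6000 while the HTTP "bind" value two lines above is derived from self.server_number.server_port(), so two test servers started in parallel, or a second run while an earlier one is still up, collide on 127.0.0.1:6000. Allocate the HTTPS port per server_number the same way as the HTTP one (for example a second accessor next to server_port() that hands out a distinct port per instance) and use `cfg.insert("bind_https", &format!("127.0.0.1:{}", <that port>))` so each instance gets its own address.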

Code scanning / devskim, Note (test): Accessing localhost could indicate debug code, or could hinder scaling. Do not leave debug code in production.

// Set subject for the certificate
let mut name_builder = X509NameBuilder::new()?;
name_builder.append_entry_by_nid(openssl::nid::Nid::COMMONNAME, "localhost")?;
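Review bot: the generated test certificate only gets a subject CN of "localhost" here; a rustls/webpki-based client matches the host name against subjectAltName and ignores CN entirely, so a DI run against https://localhost:&lt;port&gt; would fail hostname verification with this cert. Add a SAN extension to the builder as well (the openssl crate's openssl::x509::extension::SubjectAlternativeName with .dns("localhost"), plus .ip("127.0.0.1") if the test connects to the bound address), which also keeps the cert acceptable to current browsers and OpenSSL clients that are configured not to fall back to CN.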

Code scanning / devskim, Note (test): Accessing localhost could indicate debug code, or could hinder scaling. Do not leave debug code in production.