TLS With Certificate Management for PVXS

.github/workflows/ci-scripts-build.yml

@@ -151,8 +151,10 @@ jobs:
     - name: "apt-get install"
       run: |
         sudo apt-get update
-        sudo apt-get -y install g++-mingw-w64-x86-64 cmake gdb qemu-system-x86
+        sudo apt-get -y install g++-mingw-w64-x86-64 cmake gdb qemu-system-x86 libssl-dev
       if: runner.os == 'Linux'
+    - name: Host Info
+      run: openssl version -a
     - name: Automatic core dumper analysis
       uses: mdavidsaver/ci-core-dumper@master
     - name: Prepare and compile dependencies

.gitignore

@@ -15,4 +15,49 @@ __pycache__/
 *.orig
 *.log
 .*.swp
-.vscode
+.vscode
+.clang-format
+.iocsh_history
+EPICS_CA.pem
+login_certs.txt
+system_certs.txt
+.idea/editor.xml
+.idea/misc.xml
+.idea/modules.xml
+.idea/pvxs.iml
+.idea/vcs.xml
+.idea/workspace.xml
+.idea/codeStyles/codeStyleConfig.xml
+.idea/copyright/profiles_settings.xml
+.idea/inspectionProfiles/Project_Default.xml
+.idea/shelf/Add_detailed_documentation_for_certificate_testing_code__Enhanced_the__testtlswithcmsandst.xml
+.idea/shelf/authenticator_framework.xml
+.idea/shelf/big_refactor.xml
+.idea/shelf/Changes.xml
+.idea/shelf/Don_t_kn.xml
+.idea/shelf/framework_updates.xml
+.idea/shelf/Kerberos_spike.xml
+.idea/shelf/move_lambdas_into_subscribe_and_watch_methods.xml
+.idea/shelf/rename_CertificateStatus_and_change_OCSPStatus_creation_and_verification.xml
+.idea/shelf/statuslistener.xml
+.idea/shelf/subdirectories_for_each_auth_method1.xml
+.idea/shelf/Add_detailed_documentation_for_certificate_testing_code__Enhanced_the_`testtlswithcmsandst/shelved.patch
+.idea/shelf/authenticator_framework/shelved.patch
+.idea/shelf/big_refactor/shelved.patch
+.idea/shelf/Changes/shelved.patch
+.idea/shelf/Don't_kn/shelved.patch
+.idea/shelf/framework_updates/shelved.patch
+.idea/shelf/Kerberos_spike/shelved.patch
+.idea/shelf/move_lambdas_into_subscribe_and_watch_methods/shelved.patch
+.idea/shelf/rename_CertificateStatus_and_change_OCSPStatus_creation_and_verification/shelved.patch
+.idea/shelf/statuslistener/shelved.patch
+.idea/shelf/subdirectories_for_each_auth_method1/shelved.patch
+configure/TOOLCHAIN.tmp
+test/testioc.db
+test/testiocg.db
+test/slac-test/Sign In.htm
+test/slac-test/Sign In.mhtml
+test/slac-test/Sign In_files/doe-logo.png
+test/slac-test/Sign In_files/logo.png
+test/slac-test/Sign In_files/stanford-logo.png
+test/slac-test/Sign In_files/style.css

.gitmodules

@@ -4,3 +4,9 @@
 [submodule "bundle/libevent"]
 	path = bundle/libevent
 	url = https://github.com/libevent/libevent
+[submodule "bundle/jwt-cpp"]
+	path = bundle/jwt-cpp
+	url = https://github.com/Thalhammer/jwt-cpp.git
+[submodule "bundle/CLI11"]
+	path = bundle/CLI11
+	url = https://github.com/CLIUtils/CLI11.git

MANIFEST.in

@@ -4,6 +4,7 @@ include LICENSE
 include README.md
 
 include configure/CONFIG_PVXS_VERSION
+include configure/probe-openssl.c
 include src/*.h
 include src/*.h@
 include src/*.cpp

Makefile

@@ -5,8 +5,11 @@ include $(TOP)/configure/CONFIG
 # Directories to build, any order
 DIRS += configure
 
+DIRS += setup
+setup_DEPEND_DIRS = configure
+
 DIRS += src
-src_DEPEND_DIRS = configure
+src_DEPEND_DIRS = setup
 
 DIRS += tools
 tools_DEPEND_DIRS = src
@@ -22,6 +25,9 @@ endif
 DIRS += test
 test_DEPEND_DIRS = src ioc
 
+DIRS += certs
+certs_DEPEND_DIRS = src
+
 DIRS += example
 example_DEPEND_DIRS = src
 

bundle/Makefile

@@ -1,5 +1,7 @@
 TOP=..
 
+_PVXS_BOOTSTRAP = YES
+
 include $(TOP)/configure/CONFIG
 
 CMAKE ?= cmake
@@ -21,7 +23,6 @@ LIBEVENT_$(T_A) = $(INSTALL_LOCATION)/bundle/usr/$(T_A)
 CMAKEFLAGS += -DCMAKE_INSTALL_PREFIX:PATH="$(abspath $(LIBEVENT_$(T_A)))"
 
 # not needed, and may not be available on embedded targets, so never try
-CMAKEFLAGS += -DEVENT__DISABLE_OPENSSL=ON
 CMAKEFLAGS += -DEVENT__DISABLE_MBEDTLS=ON
 
 # not run, so why bother?

certs/Makefile

@@ -0,0 +1,55 @@
+TOP=..
+
+include $(TOP)/configure/CONFIG
+# cfg/ sometimes isn't correctly included due to a Base bug
+# so we do here (maybe again) as workaround
+-include $(wildcard $(TOP)/cfg/CONFIG*)
+#----------------------------------------
+#  ADD MACRO DEFINITIONS AFTER THIS LINE
+#=============================
+
+ifeq ($(EVENT2_HAS_OPENSSL),YES)
+USR_CPPFLAGS += -DPVXS_ENABLE_OPENSSL -I$(TOP)/bundle/CLI11/include
+AUTHN = $(TOP)/certs/authn
+SRC_DIRS += $(TOP)/src
+SRC_DIRS += $(TOP)/ioc
+SRCS += p12filefactory.cpp
+SRCS += pemfilefactory.cpp
+SRCS += certfilefactory.cpp
+SRCS += certfactory.cpp
+
+PROD_LIBS = pvxs Com
+
+# access to API and private headers
+USR_CPPFLAGS += -I$(TOP)/src/pvxs
+USR_CPPFLAGS += -I$(TOP)/src
+USR_CPPFLAGS += -I$(TOP)/ioc
+
+#INC += certstatus.h
+INC += security.h
+
+PROD += pvacms
+pvacms_SRCS += pvacms.cpp
+pvacms_SRCS += configcms.cpp
+pvacms_SRCS += certstatus.cpp
+pvacms_SRCS += certstatusfactory.cpp
+pvacms_SRCS += credentials.cpp
+pvacms_SRCS += securityclient.cpp
+
+pvacms_LIBS += $(EPICS_BASE_IOC_LIBS)
+pvacms_SYS_LIBS += sqlite3 ssl crypto
+
+#PROD += ocsppva
+#pvaocsp_SRCS += ocsppva.cpp
+#pvaocsp_SRCS += configocsp.cpp
+
+include $(AUTHN)/Makefile
+
+endif # EVENT2_HAS_OPENSSL
+
+#===========================
+
+include $(TOP)/configure/RULES
+-include $(wildcard $(TOP)/cfg/RULES*)
+#----------------------------------------
+#  ADD RULES AFTER THIS LINE

certs/authn/Makefile

@@ -0,0 +1,23 @@
+# This is a Makefile fragment, see cert/Makefile.
+
+SRC_DIRS += $(AUTHN)
+
+#--------------------------------------------
+#  ADD AUTHENTICATION PLUGINS AFTER THIS LINE
+
+SRCS += auth.cpp
+SRCS += ccrmanager.cpp
+
+include $(AUTHN)/std/Makefile
+
+ifeq ($(PVXS_ENABLE_JWT_AUTH),YES)
+include $(AUTHN)/jwt/Makefile
+endif
+
+ifeq ($(PVXS_ENABLE_KRB_AUTH),YES)
+include $(AUTHN)/krb/Makefile
+endif
+
+ifeq ($(PVXS_ENABLE_LDAP_AUTH),YES)
+include $(AUTHN)/ldap/Makefile
+endif

certs/authn/auth.cpp

@@ -0,0 +1,93 @@
+/**
+ * Copyright - See the COPYRIGHT that is included with this distribution.
+ * pvxs is distributed subject to a Software License Agreement found
+ * in file LICENSE that is included with this distribution.
+ */
+
+#include "auth.h"
+
+#include <iostream>
+#include <memory>
+#include <string>
+
+#include <pvxs/log.h>
+
+#include "ccrmanager.h"
+#include "certfactory.h"
+#include "ownedptr.h"
+#include "p12filefactory.h"
+#include "security.h"
+
+namespace pvxs {
+namespace certs {
+
+/**
+ * @brief Creates a signed certificate.
+ *
+ * Create a PVStructure that corresponds to the ccr parameter of a certificate
+ * creation request. This request will be sent to the PVACMS through the default
+ * channel (PVAccess) and will be used to create the certificate.
+ *
+ * @param credentials the credentials that describe the subject of the
+ * certificate
+ * @param key_pair the public/private key to be used in the certificate, only
+ * public key is used
+ * @param usage the desired certificate usage
+ * @return A managed shared CertCreationRequest object.
+ */
+std::shared_ptr<CertCreationRequest> Auth::createCertCreationRequest(const std::shared_ptr<Credentials> &credentials, const std::shared_ptr<KeyPair> &key_pair,
+                                                                     const uint16_t &usage) const {
+    // Create a new CertCreationRequest object.
+    auto cert_creation_request = std::make_shared<CertCreationRequest>(type_, verifier_fields_);
+    cert_creation_request->credentials = credentials;
+
+    // Fill in the ccr from the base data we've gathered so far.
+    cert_creation_request->ccr["name"] = credentials->name;
+    cert_creation_request->ccr["country"] = credentials->country;
+    cert_creation_request->ccr["organization"] = credentials->organization;
+    cert_creation_request->ccr["organization_unit"] = credentials->organization_unit;
+    cert_creation_request->ccr["type"] = type_;
+    cert_creation_request->ccr["usage"] = usage;
+    cert_creation_request->ccr["not_before"] = credentials->not_before;
+    cert_creation_request->ccr["not_after"] = credentials->not_after;
+    cert_creation_request->ccr["pub_key"] = key_pair->public_key;
+    return cert_creation_request;
+}
+
+/**
+ * @brief Signs a certificate.
+ *
+ * This function takes a certificate creation request and sends its ccr
+ * PVStructure to PVACMS to be signed. It will wait for the signed signature or
+ * any reported error.
+ *
+ * @param cert_creation_request A shared pointer to a CertCreationRequest object
+ * containing the ccr PVStructure which contains the certificate, and its
+ * validity as well as any verifier specific required fields.
+ * @return the signed certificate
+ * @throws std::runtime_error when exceptions arise
+ *
+ * @note It is the responsibility of the caller to ensure that the
+ * cert_creation_request object is valid and contains the required information
+ * before calling this function.
+ */
+std::string Auth::processCertificateCreationRequest(const std::shared_ptr<CertCreationRequest> &cert_creation_request) const {
+    // Forward the ccr to the certificate management service
+    std::string p12_pem_string(ccr_manager_.createCertificate(cert_creation_request));
+    return p12_pem_string;
+}
+
+std::shared_ptr<KeyPair> Auth::createKeyPair(const ConfigCommon &config) {
+    // Create a key pair
+    const auto key_pair(IdFileFactory::createKeyPair());
+
+    // Create private key file containing private key
+    if ( config.tls_private_key_filename.empty()) {
+        IdFileFactory::create(config.tls_cert_filename, config.tls_cert_password, key_pair)->writeIdentityFile();
+    } else {
+        IdFileFactory::create(config.tls_private_key_filename, config.tls_private_key_password, key_pair)->writeIdentityFile();
+    }
+    return key_pair;
+}
+}  // namespace certs
+}  // namespace pvxs