From b509e8aaf15de37b5029d8d41ab009cf48ecbcd8 Mon Sep 17 00:00:00 2001 From: Florian Loitsch Date: Thu, 20 Jun 2024 12:35:19 +0200 Subject: [PATCH 1/3] Use 'cert.install' instead of passing in root certificates. --- src/cli/brokers/http/base.toit | 9 +++------ src/cli/utils/utils.toit | 2 +- src/service/brokers/broker.toit | 3 +-- src/service/brokers/http/connection.toit | 11 +++++------ 4 files changed, 10 insertions(+), 15 deletions(-) diff --git a/src/cli/brokers/http/base.toit b/src/cli/brokers/http/base.toit index 6466235d..564de4d4 100644 --- a/src/cli/brokers/http/base.toit +++ b/src/cli/brokers/http/base.toit @@ -28,6 +28,8 @@ class BrokerCliHttp implements BrokerCli: client_/http.Client? := null constructor .server-config_ --.id: + // We are on the host. Just install all certificate roots. + certificate-roots.install-all-trusted-roots network_ = net.open add-finalizer this:: close @@ -125,13 +127,8 @@ class BrokerCliHttp implements BrokerCli: send-request_ encoded/ByteArray -> http.Response: if not client_: - root-names := server-config_.root-certificate-names - if root-names: - root-certificates := root-names.map: - der/tls.RootCertificate := certificate-roots.MAP[it] - x509.Certificate.parse der.raw + if server-config_.root-certificate-names: client_ = http.Client.tls network_ - --root-certificates=root-certificates else: client_ = http.Client network_ diff --git a/src/cli/utils/utils.toit b/src/cli/utils/utils.toit index 8ca360c3..73fec079 100644 --- a/src/cli/utils/utils.toit +++ b/src/cli/utils/utils.toit @@ -108,9 +108,9 @@ download-url url/string --out-path/string --ui/Ui -> none: ui.info "Downloading $url." network := net.open + certificate-roots.install-all-trusted-roots try: client := http.Client.tls network - --root-certificates=certificate-roots.ALL response := client.get --uri=url if response.status-code != http.STATUS-OK: diff --git a/src/service/brokers/broker.toit b/src/service/brokers/broker.toit index fc79ce64..23a5425f 100644 --- a/src/service/brokers/broker.toit +++ b/src/service/brokers/broker.toit @@ -80,13 +80,12 @@ interface BrokerService: if colon-pos >= 0: port = int.parse host[colon-pos + 1..] host = host[..colon-pos] - // TODO(florian): get the path from the config. der := supabase-config.root-certificate-der http-config := ServerConfigHttp server-config.name --host=host --port=port - --path="/functions/v1/b" + --path="/functions/v1/b" // TODO(florian): get the path from the config. --poll-interval=supabase-config.poll-interval --root-certificate-names=null --root-certificate-ders=der ? [der] : null diff --git a/src/service/brokers/http/connection.toit b/src/service/brokers/http/connection.toit index 9498336e..ba9958f2 100644 --- a/src/service/brokers/http/connection.toit +++ b/src/service/brokers/http/connection.toit @@ -4,7 +4,7 @@ import encoding.json import encoding.base64 import http import net -import net.x509 +import tls import reader show Reader import system.storage import certificate-roots @@ -18,8 +18,9 @@ class HttpConnection_: constructor .network_ .config_: if config_.root-certificate-ders: - root-certificates_ = config_.root-certificate-ders.map: - x509.Certificate.parse it + config_.root-certificate-ders.do: + certificate := tls.RootCertificate it + certificate.install create-fresh-client_ create-fresh-client_ -> none: @@ -28,9 +29,7 @@ class HttpConnection_: client_ = null if config_.root-certificate-ders: - client_ = http.Client.tls network_ - --root-certificates=root-certificates_ - --security-store=HttpSecurityStore_ + client_ = http.Client.tls network_ --security-store=HttpSecurityStore_ else: client_ = http.Client network_ From 5b3f9d31a0df59db761585edf1d7663b3340be14 Mon Sep 17 00:00:00 2001 From: Florian Loitsch Date: Fri, 21 Jun 2024 16:31:26 +0200 Subject: [PATCH 2/3] Feedback. --- src/cli/brokers/http/base.toit | 3 +-- src/cli/cli.toit | 3 +++ src/cli/utils/utils.toit | 2 -- src/service/brokers/http/connection.toit | 12 +++++----- src/shared/server-config.toit | 22 +++++++++++++++++++ tools/service_image_uploader/downloader.toit | 3 +++ .../sdk-downloader.toit | 3 +++ tools/service_image_uploader/uploader.toit | 3 +++ 8 files changed, 41 insertions(+), 10 deletions(-) diff --git a/src/cli/brokers/http/base.toit b/src/cli/brokers/http/base.toit index 564de4d4..706fd4de 100644 --- a/src/cli/brokers/http/base.toit +++ b/src/cli/brokers/http/base.toit @@ -28,8 +28,7 @@ class BrokerCliHttp implements BrokerCli: client_/http.Client? := null constructor .server-config_ --.id: - // We are on the host. Just install all certificate roots. - certificate-roots.install-all-trusted-roots + server-config_.install-root-certificates network_ = net.open add-finalizer this:: close diff --git a/src/cli/cli.toit b/src/cli/cli.toit index 97f43098..299e03ff 100644 --- a/src/cli/cli.toit +++ b/src/cli/cli.toit @@ -1,5 +1,6 @@ // Copyright (C) 2022 Toitware ApS. All rights reserved. +import certificate-roots import cli import .cache @@ -75,6 +76,8 @@ main args: main args --config=config --cache=cache --ui=ui main args --config/Config --cache/Cache --ui/Ui: + certificate-roots.install-all-trusted-roots + // We don't want to add a `--version` option to the root command, // as that would make the option available to all subcommands. // Fundamentally, getting the version isn't really an option, but a diff --git a/src/cli/utils/utils.toit b/src/cli/utils/utils.toit index 73fec079..f263266e 100644 --- a/src/cli/utils/utils.toit +++ b/src/cli/utils/utils.toit @@ -1,6 +1,5 @@ // Copyright (C) 2023 Toitware ApS. All rights reserved. -import certificate-roots import cli import encoding.base64 import encoding.json @@ -108,7 +107,6 @@ download-url url/string --out-path/string --ui/Ui -> none: ui.info "Downloading $url." network := net.open - certificate-roots.install-all-trusted-roots try: client := http.Client.tls network diff --git a/src/service/brokers/http/connection.toit b/src/service/brokers/http/connection.toit index ba9958f2..ac1cc9ef 100644 --- a/src/service/brokers/http/connection.toit +++ b/src/service/brokers/http/connection.toit @@ -1,10 +1,10 @@ // Copyright (C) 2022 Toitware ApS. All rights reserved. +import certificate-roots import encoding.json import encoding.base64 import http import net -import tls import reader show Reader import system.storage import certificate-roots @@ -14,13 +14,13 @@ class HttpConnection_: client_/http.Client? := null config_/ServerConfigHttp network_/net.Interface - root-certificates_/List? := null + static certificates-are-installed_/bool := false constructor .network_ .config_: - if config_.root-certificate-ders: - config_.root-certificate-ders.do: - certificate := tls.RootCertificate it - certificate.install + if not certificates-are-installed_: + certificates-are-installed_ = true + certificate-roots.install-common-trusted-roots + config_.install-root-certificates create-fresh-client_ create-fresh-client_ -> none: diff --git a/src/shared/server-config.toit b/src/shared/server-config.toit index 92dc81af..a8671852 100644 --- a/src/shared/server-config.toit +++ b/src/shared/server-config.toit @@ -4,11 +4,13 @@ import crypto.sha1 import encoding.ubjson import encoding.base64 import supabase +import tls abstract class ServerConfig: name/string cache-key_/string? := null + ders-already-installed_/bool := false constructor.from-sub_ .name: @@ -59,6 +61,11 @@ abstract class ServerConfig: */ abstract to-service-json [--der-serializer] -> Map + /** + A list of DER certificates that are required for this broker to work. + */ + abstract root-certificate-ders -> List? + /** A unique key that can be used for caching. */ @@ -68,6 +75,18 @@ abstract class ServerConfig: cache-key_ = "$(base64.encode --url-mode hash)-$name" return cache-key_ + /** + Installs the DER certificates if they exist and if they aren't already installed. + */ + install-root-certificates -> none: + if ders-already-installed_: return + ders-already-installed_ = true + ders := root-certificate-ders + if ders: + ders.do: | der/ByteArray | + certificate := tls.RootCertificate der + certificate.install + class ServerConfigSupabase extends ServerConfig implements supabase.ServerConfig: static DEFAULT-POLL-INTERVAL ::= Duration --s=20 @@ -147,6 +166,9 @@ class ServerConfigSupabase extends ServerConfig implements supabase.ServerConfig to-service-json [--der-serializer] -> Map: return to-json --der-serializer=der-serializer + root-certificate-ders -> List?: + return root-certificate-der and [root-certificate-der] + /** A broker configuration for an HTTP-based broker. diff --git a/tools/service_image_uploader/downloader.toit b/tools/service_image_uploader/downloader.toit index 24d649a2..18fc3856 100755 --- a/tools/service_image_uploader/downloader.toit +++ b/tools/service_image_uploader/downloader.toit @@ -3,6 +3,7 @@ // Copyright (C) 2023 Toitware ApS. All rights reserved. import ar +import certificate-roots import cli import io // TODO(florian): these should come from the cli package. @@ -30,6 +31,8 @@ main args: main --config=config --cache=cache --ui=ui args main --config/cli.Config --cache/cli.Cache --ui/Ui args: + certificate-roots.install-all-trusted-roots + cmd := cli.Command "downloader" --help=""" Downloads snapshots from the Artemis server and stores them in the Jaguar cache. diff --git a/tools/service_image_uploader/sdk-downloader.toit b/tools/service_image_uploader/sdk-downloader.toit index fe8782f2..999e0f56 100644 --- a/tools/service_image_uploader/sdk-downloader.toit +++ b/tools/service_image_uploader/sdk-downloader.toit @@ -2,6 +2,7 @@ // Copyright (C) 2023 Toitware ApS. All rights reserved. +import certificate-roots import cli import log // TODO(florian): these should come from the cli package. @@ -30,6 +31,8 @@ main args: main --config=config --cache=cache --ui=ui args main --config/cli.Config --cache/cli.Cache --ui/ui.Ui args: + certificate-roots.install-all-trusted-roots + cmd := cli.Command "sdk downloader" --help="Downloads SDKs and envelopes into the cache." --options=[ diff --git a/tools/service_image_uploader/uploader.toit b/tools/service_image_uploader/uploader.toit index 350c4a16..9c3401d2 100755 --- a/tools/service_image_uploader/uploader.toit +++ b/tools/service_image_uploader/uploader.toit @@ -3,6 +3,7 @@ // Copyright (C) 2023 Toitware ApS. All rights reserved. import ar +import certificate-roots import cli import encoding.url as url-encoding @@ -40,6 +41,8 @@ main args: main --config=config --cache=cache --ui=ui args main --config/cli.Config --cache/cli.Cache --ui/ui.Ui args: + certificate-roots.install-all-trusted-roots + cmd := cli.Command "uploader" --help=""" Administrative tool to upload CLI snapshots and Artemis service From 9c3e6b6f831a49adca37c13c39667640d125022d Mon Sep 17 00:00:00 2001 From: Florian Loitsch Date: Mon, 24 Jun 2024 14:51:09 +0200 Subject: [PATCH 3/3] Update src/service/brokers/http/connection.toit Co-authored-by: Kasper Lund --- src/service/brokers/http/connection.toit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/service/brokers/http/connection.toit b/src/service/brokers/http/connection.toit index ac1cc9ef..ed675f33 100644 --- a/src/service/brokers/http/connection.toit +++ b/src/service/brokers/http/connection.toit @@ -18,8 +18,8 @@ class HttpConnection_: constructor .network_ .config_: if not certificates-are-installed_: - certificates-are-installed_ = true certificate-roots.install-common-trusted-roots + certificates-are-installed_ = true config_.install-root-certificates create-fresh-client_