Can ignore system proxy settings when contacting other KME for remote…
… key publishing
Thomas Prévost committed Feb 9, 2024
1 parent 888a094 commit 97b6212
Showing 10 changed files with 55 additions and 29 deletions.
1 change: 1 addition & 0 deletions config_kme1.json
Expand Up @@ -21,6 +21,7 @@
"id": 2,
"key_directory_to_watch": "raw_keys/kme-1-2",
"inter_kme_bind_address": "127.0.0.1:4001",
"ignore_system_proxy_settings": true,
"https_client_authentication_certificate": "certs/inter_kmes/client-kme1-to-kme2.pfx",
"https_client_authentication_certificate_password": ""
}
1 change: 1 addition & 0 deletions config_kme2.json
Expand Up @@ -21,6 +21,7 @@
"id": 1,
"key_directory_to_watch": "raw_keys/kme-1-2",
"inter_kme_bind_address": "127.0.0.1:3001",
"ignore_system_proxy_settings": true,
"https_client_authentication_certificate": "certs/inter_kmes/client-kme2-to-kme1.pfx",
"https_client_authentication_certificate_password": ""
}
2 changes: 2 additions & 0 deletions src/config/mod.rs
Expand Up @@ -85,6 +85,8 @@ pub struct OtherKmeConfig {
pub(crate) key_directory_to_watch: String,
/// IP address of the other KME, used to send keys to it using "classical channel"
pub(crate) inter_kme_bind_address: String,
/// If true, the KME will ignore system proxy settings when contacting the other KME
pub(crate) ignore_system_proxy_settings: bool,
/// Client certificate for inter KME HTTPS authentication
pub(crate) https_client_authentication_certificate: String,
/// Password for the client certificate
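Review bot: The doc comment on `ignore_system_proxy_settings` does not say what counts as system proxy settings or when an operator should enable it, although this flag decides the network path taken by inter-KME traffic. I would expand it to something like `/// If true, requests to this KME bypass any proxy configured at system level (e.g. proxy environment variables) and connect directly`. The struct's derive attributes are above the hunk; if the field is required at deserialization time, existing config files without this key will presumably stop loading, so either document the key as mandatory or give it a default of `false`, which keeps the previous behaviour.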
3 changes: 2 additions & 1 deletion src/qkd_manager/config_extractor.rs
Expand Up @@ -144,7 +144,8 @@ impl ConfigExtractor {
qkd_manager.add_kme_classical_net_info(other_kme_config.id,
&other_kme_config.inter_kme_bind_address,
&other_kme_config.https_client_authentication_certificate,
&other_kme_config.https_client_authentication_certificate_password)
&other_kme_config.https_client_authentication_certificate_password,
other_kme_config.ignore_system_proxy_settings)
.map_err(|e|
io_err(&format!("Cannot add KME classical network info: {:?}", e))
)?;
33 changes: 24 additions & 9 deletions src/qkd_manager/key_handler.rs
Expand Up @@ -129,8 +129,11 @@ impl KeyHandler {
error!("Error QKD manager sending response");
}
}
QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, kme_addr_or_domain, conn_client_cert, conn_cert_password) => {
let add_kme_response = match self.qkd_router.add_kme_to_ip_domain_port_association(kme_id, &kme_addr_or_domain, &conn_client_cert, &conn_cert_password) {
QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, kme_addr_or_domain, conn_client_cert, conn_cert_password, should_ignore_sysetem_proxy_settings) => {
let add_kme_response = match self.qkd_router.add_kme_to_ip_domain_port_association(kme_id,
&kme_addr_or_domain,
&conn_client_cert, &conn_cert_password,
should_ignore_sysetem_proxy_settings) {
Ok(_) => QkdManagerResponse::Ok,
Err(e) => {
error!("Error adding KME classical network info: {:?}", e);
Expand Down Expand Up @@ -386,13 +389,23 @@ impl KeyHandler {
},
};

let kme_client_builer = reqwest::blocking::Client::builder().identity(kme_classical_info.tls_client_cert_identity.clone());
let kme_client_builder = reqwest::blocking::Client::builder().identity(kme_classical_info.tls_client_cert_identity.clone());

let kme_client = if danger_should_ignore_remote_kme_cert {
kme_client_builer.danger_accept_invalid_certs(true)
let kme_client_builder = if danger_should_ignore_remote_kme_cert {
warn!("Because of {}, remote KME server certificate check is disabled. This is a dangerous setting, it breaks the whole protocol security", crate::DANGER_IGNORE_CERTS_INTER_KME_NETWORK_ENV_VARIABLE);
kme_client_builder.danger_accept_invalid_certs(true)
} else {
kme_client_builer
}.build()
info!("Remote KME server certificate check is enabled. This is the default setting");
kme_client_builder
};
let kme_client_builder = if kme_classical_info.should_ignore_system_proxy_settings {
info!("Ignoring system proxy settings for remote KME route");
kme_client_builder.no_proxy()
} else {
info!("Using system proxy settings for remote KME route");
kme_client_builder
};
let kme_client = kme_client_builder.build()
.map_err(|_| {
error!("Error building reqwest client");
QkdManagerResponse::Ko
Expand Down Expand Up @@ -956,13 +969,15 @@ mod tests {
command_tx.send(super::QkdManagerCommand::AddKmeClassicalNetInfo(kme_id,
String::from("wrong_data"),
String::from("wrong_data"),
String::from("wrong_data"))).unwrap();
String::from("wrong_data"),
true)).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Ko));
command_tx.send(super::QkdManagerCommand::AddKmeClassicalNetInfo(kme_id,
String::from("test.fr:1234"),
String::from("certs/inter_kmes/client-kme1-to-kme2.pfx"),
String::from(""))).unwrap();
String::from(""),
true)).unwrap();
let qkd_manager_response = response_rx.recv().unwrap();
assert!(matches!(qkd_manager_response, QkdManagerResponse::Ok));
}
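Review bot: In the hunk at -386/+389 the certificate branch and the proxy branch are decided independently, so a route can run with `danger_accept_invalid_certs(true)` while still going through whatever proxy the system configuration supplies; in that combination the proxy sits in the path of a TLS session whose server certificate is not verified. I would make the proxy condition `if kme_classical_info.should_ignore_system_proxy_settings || danger_should_ignore_remote_kme_cert`, or at least add a `warn!` for that combination. The three new `info!` calls sit on the path that builds the client, which looks like it runs for every remote activation, so `debug!` would probably suit them better (the `warn!` should stay as it is). In the first hunk the new binding is spelled `should_ignore_sysetem_proxy_settings`; `should_ignore_system_proxy_settings` would match the field in router.rs. The enclosing function begins and ends outside both hunks.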
18 changes: 10 additions & 8 deletions src/qkd_manager/mod.rs
Expand Up @@ -236,12 +236,14 @@ impl QkdManager {
/// Ok if the KME classical network information was added successfully, an error otherwise
/// # Notes
/// You should also add target KME's CA certificate to the trust store of the source KME operating system
pub fn add_kme_classical_net_info(&self, kme_id: KmeId, kme_addr: &str, client_auth_certificate_path: &str, client_auth_certificate_password: &str) -> Result<QkdManagerResponse, QkdManagerResponse> {
pub fn add_kme_classical_net_info(&self, kme_id: KmeId, kme_addr: &str, client_auth_certificate_path: &str, client_auth_certificate_password: &str, should_ignore_system_proxy_config: bool) -> Result<QkdManagerResponse, QkdManagerResponse> {
self.command_tx.send(QkdManagerCommand::AddKmeClassicalNetInfo(
kme_id,
kme_addr.to_string(),
client_auth_certificate_path.to_string(),
client_auth_certificate_password.to_string())
client_auth_certificate_password.to_string(),
should_ignore_system_proxy_config
)
).map_err(|_| {
TransmissionError
})?;
Expand Down Expand Up @@ -342,7 +344,7 @@ enum QkdManagerCommand {
/// Returns the KME ID from belonging SAE ID
GetKmeIdFromSaeId(SaeId), // SAE id
/// Add classical network information to a KME, used to activate keys on it for slave KMEs using "classical channel"
AddKmeClassicalNetInfo(KmeId, String, String, String), // KME id + KME address + client auth certificate path + client auth certificate password
AddKmeClassicalNetInfo(KmeId, String, String, String, bool), // KME id + KME address + client auth certificate path + client auth certificate password + should ignore system proxy settings
}

/// All possible responses from the QKD manager
Expand Down Expand Up @@ -546,23 +548,23 @@ mod test {
const SQLITE_DB_PATH: &'static str = ":memory:";
let qkd_manager = super::QkdManager::new(SQLITE_DB_PATH, 1);

let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234;bad_addr", "certs/inter_kmes/client-kme1-to-kme2.pfx", "");
let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234;bad_addr", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true);
assert!(response.is_err());
assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko);

let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "not-exists.pfx", "");
let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "not-exists.pfx", "", true);
assert!(response.is_err());
assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko);

let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "bad_password");
let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "bad_password", true);
assert!(response.is_err());
assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko);

let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "tests/data/bad_certs/invalid_client_cert_data.pfx", "");
let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "tests/data/bad_certs/invalid_client_cert_data.pfx", "", true);
assert!(response.is_err());
assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko);

let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "");
let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true);
assert!(response.is_ok());
assert_eq!(response.unwrap(), super::QkdManagerResponse::Ok);
}
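Review bot: `add_kme_classical_net_info` gains a fifth positional parameter, but the doc lines visible in the hunk (the return value and `# Notes`) say nothing about it; the argument list of the doc comment, if there is one, is above the hunk and should get an entry such as `/// * should_ignore_system_proxy_config - true to bypass system proxy settings when contacting this KME`. The name also differs from `should_ignore_system_proxy_settings` used in router.rs and key_handler.rs, and a single spelling across the call chain would make the flag easier to trace. Since this is a `pub fn`, the added parameter is a breaking signature change for any external caller and may deserve a mention in the release notes.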
14 changes: 8 additions & 6 deletions src/qkd_manager/router.rs
Expand Up @@ -18,7 +18,7 @@ impl QkdRouter {
}
}

pub(super) fn add_kme_to_ip_domain_port_association(&mut self, kme_id: KmeId, ip_or_domain: &str, client_cert_path: &str, client_cert_password: &str) -> Result<(), io::Error> {
pub(super) fn add_kme_to_ip_domain_port_association(&mut self, kme_id: KmeId, ip_or_domain: &str, client_cert_path: &str, client_cert_password: &str, should_ignore_system_proxy_settings: bool) -> Result<(), io::Error> {
if !Self::check_ip_port_domain_url_validity(ip_or_domain) {
return Err(io_err("Invalid IP, domain and port"));
}
Expand All @@ -32,6 +32,7 @@ impl QkdRouter {
self.kme_to_classical_network_info_associations.insert(kme_id, KmeInfoClassicalNetwork {
ip_domain_port: ip_or_domain.to_string(),
tls_client_cert_identity,
should_ignore_system_proxy_settings,
});
Ok(())
}
Expand All @@ -50,6 +51,7 @@ impl QkdRouter {
pub(super) struct KmeInfoClassicalNetwork {
pub(super) ip_domain_port: String,
pub(super) tls_client_cert_identity: reqwest::tls::Identity,
pub(super) should_ignore_system_proxy_settings: bool,
}

#[cfg(test)]
Expand All @@ -65,7 +67,7 @@ mod tests {
let client_cert_password = "";

assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
assert!(qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password).is_ok());
assert!(qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true).is_ok());
assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_some());
}

Expand All @@ -78,7 +80,7 @@ mod tests {
let client_cert_password = "";

assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password);
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true);
assert!(qkd_router_add_result.is_err());
assert_eq!(qkd_router_add_result.err().unwrap().to_string(), "Invalid IP, domain and port");
assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
Expand All @@ -93,7 +95,7 @@ mod tests {
let client_cert_password = "";

assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password);
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true);
assert!(qkd_router_add_result.is_err());
assert_eq!(qkd_router_add_result.err().unwrap().to_string(), "Cannot open client certificate file: Os { code: 2, kind: NotFound, message: \"No such file or directory\" }");
assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
Expand All @@ -108,7 +110,7 @@ mod tests {
let client_cert_password = "";

assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password);
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true);
assert!(qkd_router_add_result.is_err());
assert!(qkd_router_add_result.err().unwrap().to_string().starts_with("Cannot create client certificate identity: "));
assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
Expand All @@ -123,7 +125,7 @@ mod tests {
let client_cert_password = "this is not the password";

assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password);
let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true);
assert!(qkd_router_add_result.is_err());
assert!(qkd_router_add_result.err().unwrap().to_string().starts_with("Cannot create client certificate identity: "));
assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none());
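Review bot: Every updated call in the router tests passes `true`, and no assertion reads the stored `should_ignore_system_proxy_settings` back, so a swapped or dropped value would go unnoticed; the same holds for the updated tests in key_handler.rs, qkd_manager/mod.rs and tests/common/mod.rs. In the first test I would register a second KME with `false` and assert the field on the value returned by `get_classical_connection_info_from_kme_id`, assuming it hands back the stored `KmeInfoClassicalNetwork` (its signature is outside the hunks). The new struct field also has no doc comment; `/// Bypass system proxy settings when connecting to this KME` would be enough.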
10 changes: 5 additions & 5 deletions tests/common/mod.rs
Expand Up @@ -117,7 +117,7 @@ pub fn setup_2_kmes_network() {
2,
&None
).unwrap();
kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "").unwrap();
kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true).unwrap();
kme1_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new(
2,
b"this_is_secret_key_1_of_32_bytes",
Expand All @@ -136,7 +136,7 @@ pub fn setup_2_kmes_network() {
2,
&Some([0x2d, 0x28, 0x6e, 0xc1, 0x77, 0x46, 0x5a, 0xb8, 0xdf, 0x00, 0x90, 0xdb, 0x04, 0x69, 0xa0, 0xab, 0x0a, 0x97, 0x38, 0x51])
).unwrap();
kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "").unwrap();
kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "", true).unwrap();
kme2_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new(
1,
b"this_is_secret_key_1_of_32_bytes",
Expand Down Expand Up @@ -200,7 +200,7 @@ pub fn setup_2_kmes_network_keys_not_sync() {
2,
&None
).unwrap();
kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "").unwrap();
kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true).unwrap();
kme1_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new(
2,
b"this_is_secret_key_1_of_32_bytes",
Expand All @@ -215,7 +215,7 @@ pub fn setup_2_kmes_network_keys_not_sync() {
2,
&Some([0x2d, 0x28, 0x6e, 0xc1, 0x77, 0x46, 0x5a, 0xb8, 0xdf, 0x00, 0x90, 0xdb, 0x04, 0x69, 0xa0, 0xab, 0x0a, 0x97, 0x38, 0x51])
).unwrap();
kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "").unwrap();
kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "", true).unwrap();
kme2_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new(
1,
// Aie aie aie, this is not the same key :o
Expand Down Expand Up @@ -264,7 +264,7 @@ pub fn setup_2_kmes_network_1_kme_down() {
2,
&None
).unwrap();
kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "").unwrap();
kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true).unwrap();
kme1_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new(
2,
b"this_is_secret_key_1_of_32_bytes",
1 change: 1 addition & 0 deletions tests/data/test_kme2_config.json
Expand Up @@ -21,6 +21,7 @@
"id": 1,
"key_directory_to_watch": "tests/data/raw_keys/kme-1-2",
"inter_kme_bind_address": "127.0.0.1:3001",
"ignore_system_proxy_settings": true,
"https_client_authentication_certificate": "certs/inter_kmes/client-kme2-to-kme1.pfx",
"https_client_authentication_certificate_password": ""
}
1 change: 1 addition & 0 deletions tests/data/test_kme_config.json
Expand Up @@ -21,6 +21,7 @@
"id": 2,
"key_directory_to_watch": "tests/data/raw_keys/kme-1-2",
"inter_kme_bind_address": "127.0.0.1:4001",
"ignore_system_proxy_settings": true,
"https_client_authentication_certificate": "certs/inter_kmes/client-kme1-to-kme2.pfx",
"https_client_authentication_certificate_password": ""
}