diff --git a/config_kme1.json b/config_kme1.json
index 2f550df..0d247a3 100644
--- a/config_kme1.json
+++ b/config_kme1.json
@@ -21,6 +21,7 @@
 "id": 2,
 "key_directory_to_watch": "raw_keys/kme-1-2",
 "inter_kme_bind_address": "127.0.0.1:4001",
+ "ignore_system_proxy_settings": true,
 "https_client_authentication_certificate": "certs/inter_kmes/client-kme1-to-kme2.pfx",
 "https_client_authentication_certificate_password": ""
 }
diff --git a/config_kme2.json b/config_kme2.json
index 57f5c8f..44d9c09 100644
--- a/config_kme2.json
+++ b/config_kme2.json
@@ -21,6 +21,7 @@
 "id": 1,
 "key_directory_to_watch": "raw_keys/kme-1-2",
 "inter_kme_bind_address": "127.0.0.1:3001",
+ "ignore_system_proxy_settings": true,
 "https_client_authentication_certificate": "certs/inter_kmes/client-kme2-to-kme1.pfx",
 "https_client_authentication_certificate_password": ""
 }
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 8386d10..c29b041 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -85,6 +85,8 @@ pub struct OtherKmeConfig {
 pub(crate) key_directory_to_watch: String,
 /// IP address of the other KME, used to send keys to it using "classical channel"
 pub(crate) inter_kme_bind_address: String,
+ /// If true, the KME will ignore system proxy settings when contacting the other KME
+ pub(crate) ignore_system_proxy_settings: bool,
 /// Client certificate for inter KME HTTPS authentication
 pub(crate) https_client_authentication_certificate: String,
 /// Password for the client certificate
diff --git a/src/qkd_manager/config_extractor.rs b/src/qkd_manager/config_extractor.rs
index 67afd3f..7d9e3b6 100644
--- a/src/qkd_manager/config_extractor.rs
+++ b/src/qkd_manager/config_extractor.rs
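Review bot: The doc comment on `ignore_system_proxy_settings` in `OtherKmeConfig` does not say what happens when the value is `false`, nor that the key is now required. The struct's derive attributes are outside the hunk; if it is deserialized with serde and no default is declared, every existing configuration file that lacks the key will be rejected at load time. I would extend the comment to something like `/// If true, requests to the other KME bypass any system/environment proxy; if false, the HTTP client's default proxy detection applies`, and record in the changelog that the key is mandatory. Since this route is described as the channel used to reach the other KME for key handling, bypassing the proxy looks like the conservative value, and the comment is a good place to say so.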
@@ -144,7 +144,8 @@ impl ConfigExtractor { qkd_manager.add_kme_classical_net_info(other_kme_config.id, &other_kme_config.inter_kme_bind_address, &other_kme_config.https_client_authentication_certificate, - &other_kme_config.https_client_authentication_certificate_password) + &other_kme_config.https_client_authentication_certificate_password, + other_kme_config.ignore_system_proxy_settings) .map_err(|e| io_err(&format!("Cannot add KME classical network info: {:?}", e)) )?; diff --git a/src/qkd_manager/key_handler.rs b/src/qkd_manager/key_handler.rs index 88d758f..344bcb2 100644 --- a/src/qkd_manager/key_handler.rs +++ b/src/qkd_manager/key_handler.rs @@ -129,8 +129,11 @@ impl KeyHandler { error!("Error QKD manager sending response"); } } - QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, kme_addr_or_domain, conn_client_cert, conn_cert_password) => { - let add_kme_response = match self.qkd_router.add_kme_to_ip_domain_port_association(kme_id, &kme_addr_or_domain, &conn_client_cert, &conn_cert_password) { + QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, kme_addr_or_domain, conn_client_cert, conn_cert_password, should_ignore_sysetem_proxy_settings) => { + let add_kme_response = match self.qkd_router.add_kme_to_ip_domain_port_association(kme_id, + &kme_addr_or_domain, + &conn_client_cert, &conn_cert_password, + should_ignore_sysetem_proxy_settings) { Ok(_) => QkdManagerResponse::Ok, Err(e) => { error!("Error adding KME classical network info: {:?}", e); 
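Review bot: The new binding in the `AddKmeClassicalNetInfo` match arm of key_handler.rs is spelled `should_ignore_sysetem_proxy_settings`. It compiles because both uses carry the same typo, but a search for the name used in router.rs will not find it. Rename both occurrences to `should_ignore_system_proxy_settings`. The match arm continues outside the hunk.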
@@ -386,13 +389,23 @@ impl KeyHandler { }, }; - let kme_client_builer = reqwest::blocking::Client::builder().identity(kme_classical_info.tls_client_cert_identity.clone()); + let kme_client_builder = reqwest::blocking::Client::builder().identity(kme_classical_info.tls_client_cert_identity.clone()); - let kme_client = if danger_should_ignore_remote_kme_cert { - kme_client_builer.danger_accept_invalid_certs(true) + let kme_client_builder = if danger_should_ignore_remote_kme_cert { + warn!("Because of {}, remote KME server certificate check is disabled. This is a dangerous setting, it breaks the whole protocol security", crate::DANGER_IGNORE_CERTS_INTER_KME_NETWORK_ENV_VARIABLE); + kme_client_builder.danger_accept_invalid_certs(true) } else { - kme_client_builer - }.build() + info!("Remote KME server certificate check is enabled. This is the default setting"); + kme_client_builder + }; + let kme_client_builder = if kme_classical_info.should_ignore_system_proxy_settings { + info!("Ignoring system proxy settings for remote KME route"); + kme_client_builder.no_proxy() + } else { + info!("Using system proxy settings for remote KME route"); + kme_client_builder + }; + let kme_client = kme_client_builder.build() .map_err(|_| { error!("Error building reqwest client"); QkdManagerResponse::Ko 
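Review bot: The two `info!` messages added for the proxy decision do not name the peer, so with several remote KMEs configured the log cannot tell which route bypassed the proxy; including the address, e.g. `info!("Ignoring system proxy settings for remote KME route {}", kme_classical_info.ip_domain_port);`, would fix that. The enclosing function starts outside the hunk, but the client appears to be built on each call, in which case these lines and the "certificate check is enabled" line would repeat per request and `debug!` may be the better level. Separately, when `danger_should_ignore_remote_kme_cert` is true and the proxy is not bypassed, a proxy taken from the environment becomes one more hop that is not authenticated; the existing `warn!` could mention that combination.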
@@ -956,13 +969,15 @@ mod tests { command_tx.send(super::QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, String::from("wrong_data"), String::from("wrong_data"), - String::from("wrong_data"))).unwrap(); + String::from("wrong_data"), + true)).unwrap(); let qkd_manager_response = response_rx.recv().unwrap(); assert!(matches!(qkd_manager_response, QkdManagerResponse::Ko)); command_tx.send(super::QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, String::from("test.fr:1234"), String::from("certs/inter_kmes/client-kme1-to-kme2.pfx"), - String::from(""))).unwrap(); + String::from(""), + true)).unwrap(); let qkd_manager_response = response_rx.recv().unwrap(); assert!(matches!(qkd_manager_response, QkdManagerResponse::Ok)); } diff --git a/src/qkd_manager/mod.rs b/src/qkd_manager/mod.rs index c560975..5c21864 100644 --- a/src/qkd_manager/mod.rs +++ b/src/qkd_manager/mod.rs @@ -236,12 +236,14 @@ impl QkdManager { /// Ok if the KME classical network information was added successfully, an error otherwise /// # Notes /// You should also add target KME's CA certificate to the trust store of the source KME operating system - pub fn add_kme_classical_net_info(&self, kme_id: KmeId, kme_addr: &str, client_auth_certificate_path: &str, client_auth_certificate_password: &str) -> Result { + pub fn add_kme_classical_net_info(&self, kme_id: KmeId, kme_addr: &str, client_auth_certificate_path: &str, client_auth_certificate_password: &str, should_ignore_system_proxy_config: bool) -> Result { self.command_tx.send(QkdManagerCommand::AddKmeClassicalNetInfo( kme_id, kme_addr.to_string(), client_auth_certificate_path.to_string(), - client_auth_certificate_password.to_string()) + client_auth_certificate_password.to_string(), + should_ignore_system_proxy_config + ) ).map_err(|_| { TransmissionError })?; 
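Review bot: Both `AddKmeClassicalNetInfo` commands in this key_handler.rs test pass `true`, and so does every other call site updated by this commit (the `add_kme_classical_net_info` tests in src/qkd_manager/mod.rs, the router tests and tests/common/mod.rs), so the `false` path is never exercised. A cheap first step is a router-level test that calls `add_kme_to_ip_domain_port_association(..., false)` and checks the stored flag, e.g. `assert!(!qkd_router.get_classical_connection_info_from_kme_id(kme_id).unwrap().should_ignore_system_proxy_settings);`, assuming that getter returns the stored `KmeInfoClassicalNetwork`. The test function starts outside the hunk.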
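Review bot: The new parameter of `add_kme_classical_net_info` in src/qkd_manager/mod.rs is named `should_ignore_system_proxy_config`, while the router function and the stored field use `should_ignore_system_proxy_settings`; one name across the layers would make the flag easier to trace. Only the tail of the doc comment is visible in the hunk and nothing there documents the new parameter, so add an argument line stating that when it is true the HTTP client for this KME bypasses system proxy settings. Because this is a `pub fn`, the extra positional argument also breaks any caller outside this repository.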
@@ -342,7 +344,7 @@ enum QkdManagerCommand { /// Returns the KME ID from belonging SAE ID GetKmeIdFromSaeId(SaeId), // SAE id /// Add classical network information to a KME, used to activate keys on it for slave KMEs using "classical channel" - AddKmeClassicalNetInfo(KmeId, String, String, String), // KME id + KME address + client auth certificate path + client auth certificate password + AddKmeClassicalNetInfo(KmeId, String, String, String, bool), // KME id + KME address + client auth certificate path + client auth certificate password + should ignore system proxy settings } /// All possible responses from the QKD manager 
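Review bot: `AddKmeClassicalNetInfo` now carries five positional fields, three of them `String`, and only the trailing comment says which is the address, which the certificate path and which the password. Swapping two of the strings at a send site still compiles. A struct-like variant with named fields (for example `kme_id`, `kme_addr`, `client_cert_path`, `client_cert_password`, `ignore_system_proxy`) would let the compiler keep them apart; that change also touches the send site in mod.rs and the match arm in key_handler.rs.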
@@ -546,23 +548,23 @@ mod test { const SQLITE_DB_PATH: &'static str = ":memory:"; let qkd_manager = super::QkdManager::new(SQLITE_DB_PATH, 1); - let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234;bad_addr", "certs/inter_kmes/client-kme1-to-kme2.pfx", ""); + let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234;bad_addr", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true); assert!(response.is_err()); assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko); - let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "not-exists.pfx", ""); + let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "not-exists.pfx", "", true); assert!(response.is_err()); assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko); - let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "bad_password"); + let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "bad_password", true); assert!(response.is_err()); assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko); - let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "tests/data/bad_certs/invalid_client_cert_data.pfx", ""); + let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "tests/data/bad_certs/invalid_client_cert_data.pfx", "", true); assert!(response.is_err()); assert_eq!(response.err().unwrap(), super::QkdManagerResponse::Ko); - let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", ""); + let response = qkd_manager.add_kme_classical_net_info(1, "test.fr:1234", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true); assert!(response.is_ok()); assert_eq!(response.unwrap(), super::QkdManagerResponse::Ok); } diff --git a/src/qkd_manager/router.rs b/src/qkd_manager/router.rs index b7ad2a5..09c7e7f 100644 
--- a/src/qkd_manager/router.rs +++ b/src/qkd_manager/router.rs @@ -18,7 +18,7 @@ impl QkdRouter { } } - pub(super) fn add_kme_to_ip_domain_port_association(&mut self, kme_id: KmeId, ip_or_domain: &str, client_cert_path: &str, client_cert_password: &str) -> Result<(), io::Error> { + pub(super) fn add_kme_to_ip_domain_port_association(&mut self, kme_id: KmeId, ip_or_domain: &str, client_cert_path: &str, client_cert_password: &str, should_ignore_system_proxy_settings: bool) -> Result<(), io::Error> { if !Self::check_ip_port_domain_url_validity(ip_or_domain) { return Err(io_err("Invalid IP, domain and port")); } @@ -32,6 +32,7 @@ impl QkdRouter { self.kme_to_classical_network_info_associations.insert(kme_id, KmeInfoClassicalNetwork { ip_domain_port: ip_or_domain.to_string(), tls_client_cert_identity, + should_ignore_system_proxy_settings, }); Ok(()) } @@ -50,6 +51,7 @@ impl QkdRouter { pub(super) struct KmeInfoClassicalNetwork { pub(super) ip_domain_port: String, pub(super) tls_client_cert_identity: reqwest::tls::Identity, + pub(super) should_ignore_system_proxy_settings: bool, } #[cfg(test)] @@ -65,7 +67,7 @@ mod tests { let client_cert_password = ""; assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); - assert!(qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password).is_ok()); + assert!(qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true).is_ok()); assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_some()); } 
@@ -78,7 +80,7 @@ mod tests { let client_cert_password = ""; assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); - let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password); + let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true); assert!(qkd_router_add_result.is_err()); assert_eq!(qkd_router_add_result.err().unwrap().to_string(), "Invalid IP, domain and port"); assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); @@ -93,7 +95,7 @@ mod tests { let client_cert_password = ""; assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); - let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password); + let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true); assert!(qkd_router_add_result.is_err()); assert_eq!(qkd_router_add_result.err().unwrap().to_string(), "Cannot open client certificate file: Os { code: 2, kind: NotFound, message: \"No such file or directory\" }"); assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); 
@@ -108,7 +110,7 @@ mod tests { let client_cert_password = ""; assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); - let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password); + let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true); assert!(qkd_router_add_result.is_err()); assert!(qkd_router_add_result.err().unwrap().to_string().starts_with("Cannot create client certificate identity: ")); assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); @@ -123,7 +125,7 @@ mod tests { let client_cert_password = "this is not the password"; assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); - let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password); + let qkd_router_add_result = qkd_router.add_kme_to_ip_domain_port_association(kme_id, ip_domain_port, client_cert_path, client_cert_password, true); assert!(qkd_router_add_result.is_err()); assert!(qkd_router_add_result.err().unwrap().to_string().starts_with("Cannot create client certificate identity: ")); assert!(qkd_router.get_classical_connection_info_from_kme_id(kme_id).is_none()); diff --git a/tests/common/mod.rs b/tests/common/mod.rs index 98674a7..62ed583 100644 --- a/tests/common/mod.rs +++ b/tests/common/mod.rs @@ -117,7 +117,7 @@ pub fn setup_2_kmes_network() { 2, &None ).unwrap(); - kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "").unwrap(); + kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true).unwrap(); kme1_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new( 2, b"this_is_secret_key_1_of_32_bytes", 
@@ -136,7 +136,7 @@ pub fn setup_2_kmes_network() { 2, &Some([0x2d, 0x28, 0x6e, 0xc1, 0x77, 0x46, 0x5a, 0xb8, 0xdf, 0x00, 0x90, 0xdb, 0x04, 0x69, 0xa0, 0xab, 0x0a, 0x97, 0x38, 0x51]) ).unwrap(); - kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "").unwrap(); + kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "", true).unwrap(); kme2_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new( 1, b"this_is_secret_key_1_of_32_bytes", @@ -200,7 +200,7 @@ pub fn setup_2_kmes_network_keys_not_sync() { 2, &None ).unwrap(); - kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "").unwrap(); + kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true).unwrap(); kme1_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new( 2, b"this_is_secret_key_1_of_32_bytes", @@ -215,7 +215,7 @@ pub fn setup_2_kmes_network_keys_not_sync() { 2, &Some([0x2d, 0x28, 0x6e, 0xc1, 0x77, 0x46, 0x5a, 0xb8, 0xdf, 0x00, 0x90, 0xdb, 0x04, 0x69, 0xa0, 0xab, 0x0a, 0x97, 0x38, 0x51]) ).unwrap(); - kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "").unwrap(); + kme2_qkd_manager.add_kme_classical_net_info(1, "127.0.0.1:3001", "certs/inter_kmes/client-kme2-to-kme1.pfx", "", true).unwrap(); kme2_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new( 1, // Aie aie aie, this is not the same key :o 
@@ -264,7 +264,7 @@ pub fn setup_2_kmes_network_1_kme_down() { 2, &None ).unwrap(); - kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "").unwrap(); + kme1_qkd_manager.add_kme_classical_net_info(2, "127.0.0.1:4001", "certs/inter_kmes/client-kme1-to-kme2.pfx", "", true).unwrap(); kme1_qkd_manager.add_pre_init_qkd_key(PreInitQkdKeyWrapper::new( 2, b"this_is_secret_key_1_of_32_bytes", diff --git a/tests/data/test_kme2_config.json b/tests/data/test_kme2_config.json index 146fc8e..4ca37fc 100644 --- a/tests/data/test_kme2_config.json +++ b/tests/data/test_kme2_config.json @@ -21,6 +21,7 @@ "id": 1, "key_directory_to_watch": "tests/data/raw_keys/kme-1-2", "inter_kme_bind_address": "127.0.0.1:3001", + "ignore_system_proxy_settings": true, "https_client_authentication_certificate": "certs/inter_kmes/client-kme2-to-kme1.pfx", "https_client_authentication_certificate_password": "" } diff --git a/tests/data/test_kme_config.json b/tests/data/test_kme_config.json index f787146..43edcb0 100644 --- a/tests/data/test_kme_config.json +++ b/tests/data/test_kme_config.json @@ -21,6 +21,7 @@ "id": 2, "key_directory_to_watch": "tests/data/raw_keys/kme-1-2", "inter_kme_bind_address": "127.0.0.1:4001", + "ignore_system_proxy_settings": true, "https_client_authentication_certificate": "certs/inter_kmes/client-kme1-to-kme2.pfx", "https_client_authentication_certificate_password": "" }