diff --git a/Cargo.toml b/Cargo.toml
index a5b9460..ccaf00b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,10 +29,10 @@ rustls-pemfile = "2.0.0"
 log = "0.4.20"
 simple_logger = "4.3.3"
 notify = "6.1.1"
-clap = { version = "4.4.18", features = ["derive"] }
+reqwest = { version = "0.11.24" , features = ["native-tls", "blocking", "json"] }
 [dev-dependencies]
 assert_cmd = "2.0.12"
-reqwest = {version = "0.11.23", features = ["native-tls"]}
+reqwest = {version = "0.11.24", features = ["native-tls"]}
 serial_test = "2.0.0"
 const_format = "0.2.32"
\ No newline at end of file
diff --git a/certs/zone2/CA-zone2.crt b/certs/zone2/CA-zone2.crt
new file mode 100644
index 0000000..de9e44b
--- /dev/null
+++ b/certs/zone2/CA-zone2.crt
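Review bot: The `blocking` feature on the new main-dependency `reqwest` line is a hazard in a `#[tokio::main]` binary: `reqwest::blocking::Client` builds its own runtime and panics when invoked from inside an async task, so every call site must go through `tokio::task::spawn_blocking` or, preferably, use the async client and drop the feature (`features = ["native-tls", "json"]`). The call sites are not in this diff, so please confirm which path is taken. The crate is now declared in both `[dependencies]` and `[dev-dependencies]` with different feature sets; Cargo unifies them, so the dev entry is redundant and can be removed to avoid the two versions drifting apart again. Removing `clap` is a behavioural change for the binary's CLI that the commit message should mention.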
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFGTCCAwGgAwIBAgIUKhp/O8QyH/mEdqwvDk4CGu6RrnowDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3IgS01FIGluIHpvbmUyMB4XDTI0MDIw +NzA5NTcwNVoXDTM0MDIwNDA5NTcwNVowIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3Ig +S01FIGluIHpvbmUyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0kE/ +jcYF4GC6kE9cG+1y2J8q4oiPfuNxTCdLceXPJqzFkNB9HJgdumfAhfUEseC8q+iB +HohVT/y6RMoX2ZnsrdqMv8mC9r14OQiL2P2tdeQhitePlwcQINLnlEPnf2rPlKAQ +jXZYV6YpIVsBWwsRmmQAPv5tpGHuxeV/NzrkMX0X2d5JNGS2WzkuHApD5CS79m1d +rHHEMx1qzObdz8QoIyv0UgeYDyWtONCY/d1Rs0YgWg75reDxQ41e6oa+FwthOQ2x +2chE5f2NvKRGy5KZLlS42oh0RhaB0jmN+5sycRYge11T61wgGedhjM5dbDgGZVkh +EkHTnNEYph3AiYz27pA7KY4lZwpKYktoFZ5nTpD2hpqDVMk1BJ6rncExZQSkdkT7 ++U84oxja0X+joSp8zR7+lyST5xXq22kPp1g4e36itBE92w32PcXz3NujHSZ6oRPO +Bb/4bvvbFvP8ctgb70NW0Sv9LY8KCpw/fFfh8cSRCOSVn9yckjKMIMAGf5Ljax4u +CHhpJQevGUejtzhc/B5Nrw5YA4w16TbX1Ca2+LOnshYsvizOnYLbssAFPP1s8NZI +yeubRtMFgDYwNm5pPDWEINkRYpwTpc3cXo83Sx/vSHpxzOYFWqdpqPzdXZcgJiP0 +rS0o+TM/lkLKpLWaTNdmBKS+W9hU5W+MQ6gyCSsCAwEAAaNFMEMwEgYDVR0TAQH/ +BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAUYwHQYDVR0OBBYEFKXWS0lEiUtH9cGS +c8F7BswxSfujMA0GCSqGSIb3DQEBCwUAA4ICAQDJ88RClc+gC7Jip73Wg8HAq/fq +yOBDFPW/5gVMgGrUdR7p+0TXH/L2T6zToDCWZ/PgLk3dLd+0WVu88nC3tc+DzWXE +g+8rnE9QjIlCabDN7TaZGD8U+wxmI+MY+0iwy4BPhHl6B3QY1kYbAqm4kp4ALr41 +FdIjwl0K4zZ+ldQZerxrzGcDOPFtiRSnRSx0ADK8/ghBysly4vVZvHxIS8xhqgRR +Emj5jk1hZrgVPWvoCbU9v7dj2syNT7vWkbvRobSzewkbL4Ott3oIn8Vs4FTR+D8B +FT86x1+6rMBVDdDtLTYBC8mqxLmwiOWDe7M72a8Tq+grXjCcIkjPNsJLHEJoY2kw +1urvCRarH2dbJnvsiKK3Hof6/Mt8una5xZn2FyegM0EyHowyKCRrGhJrjSMWfdaj +DYitv2fTEorWhiNt8s6vRQ7RTq0p2P0nTFjwvz+GXq1uQWx/EMZe8knQgKMNaNqD +HyLbUP0lsVGuZ56sx0SH2KWjTg4b7s6eu23r5SYtapHqkdw3Uliae4dBInZptenf +YAbEDdItcZ/PBdwOoVv6HO7jgPlGsoEOafrF7j56oUiKvuIkbpCspOwyUU8MVUqy +gZgOYWjXTW4WZZmyw0Ieh9JvWCyKpYIKUUeEnILGn7YV0fbaopz9OqQ5waZibo7l +1EYvq7zJyBDsV9Z/jw== +-----END CERTIFICATE----- diff --git a/certs/zone2/CA-zone2.csr b/certs/zone2/CA-zone2.csr new file mode 100644 index 0000000..549decb --- /dev/null 
+++ b/certs/zone2/CA-zone2.csr @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEaDCCAlACAQAwIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3IgS01FIGluIHpvbmUy +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0kE/jcYF4GC6kE9cG+1y +2J8q4oiPfuNxTCdLceXPJqzFkNB9HJgdumfAhfUEseC8q+iBHohVT/y6RMoX2Zns +rdqMv8mC9r14OQiL2P2tdeQhitePlwcQINLnlEPnf2rPlKAQjXZYV6YpIVsBWwsR +mmQAPv5tpGHuxeV/NzrkMX0X2d5JNGS2WzkuHApD5CS79m1drHHEMx1qzObdz8Qo +Iyv0UgeYDyWtONCY/d1Rs0YgWg75reDxQ41e6oa+FwthOQ2x2chE5f2NvKRGy5KZ +LlS42oh0RhaB0jmN+5sycRYge11T61wgGedhjM5dbDgGZVkhEkHTnNEYph3AiYz2 +7pA7KY4lZwpKYktoFZ5nTpD2hpqDVMk1BJ6rncExZQSkdkT7+U84oxja0X+joSp8 +zR7+lyST5xXq22kPp1g4e36itBE92w32PcXz3NujHSZ6oRPOBb/4bvvbFvP8ctgb +70NW0Sv9LY8KCpw/fFfh8cSRCOSVn9yckjKMIMAGf5Ljax4uCHhpJQevGUejtzhc +/B5Nrw5YA4w16TbX1Ca2+LOnshYsvizOnYLbssAFPP1s8NZIyeubRtMFgDYwNm5p +PDWEINkRYpwTpc3cXo83Sx/vSHpxzOYFWqdpqPzdXZcgJiP0rS0o+TM/lkLKpLWa +TNdmBKS+W9hU5W+MQ6gyCSsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQCm+uwQ +iWLF4llWEEKycNwCzaDodEE1SSht8bTGosSKMFgRjLIQEw2amHMfUwYiQ7c7vzPn +oUE8ZA2Dt0zsW9Y8pNQNiHz6uMuGnmAGy9F/aOM+MZ5K6p6UM/9nly2uiwHD3CG0 +v4823m64h7J/cDtDcovcsFjqRNQSTGuUFNAUx+e1d9IuF5/FKUC3I0XOCAiu/7z9 +bJX85oL9gSEEu0qnKa5T0CGvbvym+jXY/tmOJXvRjqon+pPFZwpsdWnKHl4QwJWK +Q0/y/1EzCYRLM5rNffRDodNfmjtFZdjCIc1f22lSBtw92YiH2OPJ05Tyw0Axd86b +mmmavhvyWFxGyhBMQTezAxbOlT9CO9oShrAM8D+Dva6FzB4PxQzYTtA9x5/Nm5iy +W+N/o3Iy/qju2ahfuyE+MpANvX0rv8yAfEwcZchxSzH2qTEXaaqXpCImJtSm1Ch3 +WrKNYxw05UxYfeDme6eKgYxzsklEGFqE45hLa95LTs6+QAULd7SCAn4xlFV5YQEB +eYYsy2dLEMvv4/MEiAgsn+6yW1bq09sj7mPMaZuYzaTZjaRjA1tI4CmjS8gxj9gv +OjtF2JvcdD9UQc4PKQibmnHJf89XtPBtS3d91WrUYteZZ91jaexe/mqQv9BGQVZU +PKnqm6a3A1pBJFFEBVOc+Ji9JvFIhsFB67PUqg== +-----END CERTIFICATE REQUEST----- diff --git a/certs/zone2/CA-zone2.key b/certs/zone2/CA-zone2.key new file mode 100644 index 0000000..8c5e0fd --- /dev/null +++ b/certs/zone2/CA-zone2.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDSQT+NxgXgYLqQ +T1wb7XLYnyriiI9+43FMJ0tx5c8mrMWQ0H0cmB26Z8CF9QSx4Lyr6IEeiFVP/LpE +yhfZmeyt2oy/yYL2vXg5CIvY/a115CGK14+XBxAg0ueUQ+d/as+UoBCNdlhXpikh +WwFbCxGaZAA+/m2kYe7F5X83OuQxfRfZ3kk0ZLZbOS4cCkPkJLv2bV2sccQzHWrM +5t3PxCgjK/RSB5gPJa040Jj93VGzRiBaDvmt4PFDjV7qhr4XC2E5DbHZyETl/Y28 +pEbLkpkuVLjaiHRGFoHSOY37mzJxFiB7XVPrXCAZ52GMzl1sOAZlWSESQdOc0Rim +HcCJjPbukDspjiVnCkpiS2gVnmdOkPaGmoNUyTUEnqudwTFlBKR2RPv5TzijGNrR +f6OhKnzNHv6XJJPnFerbaQ+nWDh7fqK0ET3bDfY9xfPc26MdJnqhE84Fv/hu+9sW +8/xy2BvvQ1bRK/0tjwoKnD98V+HxxJEI5JWf3JySMowgwAZ/kuNrHi4IeGklB68Z +R6O3OFz8Hk2vDlgDjDXpNtfUJrb4s6eyFiy+LM6dgtuywAU8/Wzw1kjJ65tG0wWA +NjA2bmk8NYQg2RFinBOlzdxejzdLH+9IenHM5gVap2mo/N1dlyAmI/StLSj5Mz+W +QsqktZpM12YEpL5b2FTlb4xDqDIJKwIDAQABAoICAGc3iuihlw7wzYW8v94h8mhv +sxDks3U6WMtm2v2+MLSuyopuH41jC+0PtA7PGw/r4ROPn5uKmD8dNaBBifXUP8GV +cdVRKs7Qcu2kyWqsFnSymtjbO+2LlRpYD0HVGBeQKvmunpGj0Hiu5LAwSfkU9P5T +K1/BbbfuL9bM9Gf7rDyzSXs2Sb/D1VXxOzaev3eHpRKz2/GlJAln3p9akvfFN2MU +1+tROQ/ukhw7I3A1Lz+QJJ+xjFcU/7wG8dq2bSlI9+CXXYEpdNFnaSZ7ixmzDSoW +g20c4d/qeq7mfFJRfTDRCP8m8OSxJD0zPstuH6TZ2CH24GpjEGyCpdQe9P9RyYKu +UzL5MwHl/pNLfEpzAml2iP5v3jgsIpkHdmpmnSkV7IRvoqeO84OrB9mXmswQSrGH +CKwOE35ZP3w7BVwegYthtlAK8fMndKQMBUmjGlcKg2zr7ib1pPrgdTJVS8VFgGNB +AarZA17Iwi1nhw1ktNShN70xDM88dX2mPw/BQTs2qA58Lp0rL3Tuwn7gYKsTlBrY +AbuMEWuyQR+RxE2H91osTuoHcFHn+jsrSjLe48DY97kpkbIa7jXWOfHQG340N+bA +Ndv4L7AGmKUWMaXFDaiJ+i72tux/8y8bb6DKUuoHfPzGYHHuYx/FUVfbaXir0rt5 +acRZ3sl4YUzT3TXMa2VhAoIBAQDq0QuG0BBWQNUoX9TEHu2FPWl6s3bY9Z3u+/LI +vXYKCcoRNEPGeoxfHSLMC62IgSpxDPbU5j10cLqurpFUqLkKuP/TWVYyoTjT4ScL +mDod8qqY8SeZqOPxyGzrH4RosXYFRm7uYgwAVJ6BcdhlmbyWfdizINveOj5s8Do1 +ftNXbH1bfdQple1rYJ7ualzIbMS+wP0ujN1JqGhGquPutUCbqRPAvxqJ9dOHo1/A +BoRX9GoKjk1HfEV80CCNMwUyOACduao9sMMJLb1tB2ned/qo1bglDNVXWVpsK3fc +dVJgZJwjYuqY5rUvQKujVT/Tde83zYB+bzNEJ/9Nn8gusJ0xAoIBAQDlOPby4Ehh +dLrFCCBkzIpyRupWAHOztG5dQZujHiLBHDWgR+L4vpPB2lq8X/4sz3On5yVq6zDK 
+Rhntwr+2qv9KMmaovTPmMezOiuEYdY6YUWoLWFZPRhP/2PxWdWwlOkvH84BF2QGV +1Jq6HUZHWzjlP+1XHdNI7WHyBOqzOuRittaOWLLXaN8IHsli4SWBZP9hCnlx4k5f +qzVfIPPonu6cFniJBMFmnIOAj2mAam3YUcBKZ54UTdmOaxlR6dCJRVEDIjgtFJnD +UaXV1VymmUh+x9J7FF55U2hLvWgFrmeTQ6IZ3OU5pPBgUdnJsQ4L5aeEzXzbIWtH +5s3i42Pil4UbAoIBAQCVisYleBI/bBCUItu0fuHTTfYD35EbwOhwz2Gh+A7Ze7yF +UlyrZVZKKJsFiZZdba0izBfSJEMVCcnJ/4Csgrs9me3KooVjvwsa3LPqDWtNsUJ2 +HnaSxF1OmM7Muoivx/yahW2WQTjVaQ5874zZv5u716+O/KkpkLw60o6vjPJ5Ja17 ++9mHFmVaUfFFctVeCu8NcIiNAcbX5vlpr+FzH1ljCL18rffvzm+FXUVYXI4iGZUC +3fdXRExYnY9tfQWdIs85o4lIum6rRMbzTZpdxNkMdvdMGS0w8MXGR7SQ4OKyYsCR +RKiU8bCHxE7KuTrpp5zOVAC2BImIqVRNEioBmhaxAoIBABjEO+JoG0n0W824IA/k +Db1lLiKWr+mlwBrxYMiSE/07eAvWWI65wKs8VXtu/76Ft6BXmDJiMQZZ5qlK1n39 +IdI5eeAXeUkQ8d4rIUEMSpjoiwWoyMKN9tE496K70zB+iPuUsrJZTROMQh+D1DkX +gSE78//qqA6EH4YPw/ATl+OWj74XlVMy8I4nDWlSnEPLztAEWrTUV9V8YSrjG5dx +vKQ+xU1Ap0jX9llopWSLm0y5IIaphWn6M1xw8+5mzfJW+/bTtrAgPrDc3IcrI3SY +sT2Jh5Nm0wJW4bj1QQ0EGArQTu5ucJH24UX28goZyEO+z4fI0Am5JadCJ9Kw8PTl +nCsCggEAMCuMT3NrfeHWdU/DblRzyzDrvCwaj9mswrHpvcAAPUj9Nj0DnyZGYatA +3xBT+oBk8NoZ+gpyj9juG4PLRth2lWDMCPs24KgqW16nsbjE5zIrR36xc8yoQY+B +IiTkdMZl7ExsAXZnkAnxqnwfTgysYTjyrmq6HxWxyvd34aEcnxM/675YwsSLi2E1 +MOC46SOTleRoh1/v4+B6gkX6KoyO7fBzD0Ic6bbDhRegGvR22rCIHM8BUFpeL1SY +SRmNflqeyyMj4Mx9W7p+9yPUZIZR1+PzXNqFxUWycKNyjdafeWh0Blo6EesWt3Z4 +VfEy61yXWfUf3pC9b+OrbHDGq9jc4A== +-----END PRIVATE KEY----- diff --git a/certs/zone2/CA-zone2.srl b/certs/zone2/CA-zone2.srl new file mode 100644 index 0000000..2175166 --- /dev/null +++ b/certs/zone2/CA-zone2.srl @@ -0,0 +1 @@ +2D286EC177465AB8DF0090DB0469A0AB0A973851 diff --git a/certs/zone2/client.cnf b/certs/zone2/client.cnf new file mode 100644 index 0000000..882150d --- /dev/null +++ b/certs/zone2/client.cnf 
@@ -0,0 +1,8 @@
+[client]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SAE Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
diff --git a/certs/zone2/generate-client-cert.sh b/certs/zone2/generate-client-cert.sh
new file mode 100755
index 0000000..a552132
--- /dev/null
+++ b/certs/zone2/generate-client-cert.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+SAE="sae3"
+
+openssl genrsa -out "$SAE.key" 4096
+openssl req -new -key "$SAE.key" -out "$SAE.csr" -sha256 -subj "/CN=$SAE Client certificate"
+openssl x509 -req -days 3650 -in "$SAE.csr" -sha256 -CA "CA-zone2.crt" -CAkey "CA-zone2.key" -CAcreateserial -out "$SAE.crt" -extfile "client.cnf" -extensions client
+cat "$SAE.key" "$SAE.crt" "CA-zone2.crt" > "$SAE.pem"
+openssl pkcs12 -export -out "$SAE.pfx" -inkey "$SAE.key" -in "$SAE.pem" -certfile "CA-zone2.crt"
diff --git a/certs/zone2/generate-root-ca.sh b/certs/zone2/generate-root-ca.sh
new file mode 100755
index 0000000..0360500
--- /dev/null
+++ b/certs/zone2/generate-root-ca.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+openssl genrsa -out "CA-zone2.key" 4096
+openssl req -new -key "CA-zone2.key" -out "CA-zone2.csr" -sha256 -subj '/CN=Root CA for KME in zone2'
+openssl x509 -req -days 3650 -in "CA-zone2.csr" -signkey "CA-zone2.key" -sha256 -out "CA-zone2.crt" -extfile "root-ca.cnf" -extensions root_ca
+sudo cp CA-zone2.crt /usr/local/share/ca-certificates/
+sudo update-ca-certificates
diff --git a/certs/zone2/generate_kme2_server_cert.sh b/certs/zone2/generate_kme2_server_cert.sh
new file mode 100755
index 0000000..adaaaa3
--- /dev/null
+++ b/certs/zone2/generate_kme2_server_cert.sh
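Review bot: The final `openssl pkcs12 -export` in `generate-client-cert.sh` prompts interactively for an export password unless `-passout` is given, so the password protecting the committed `sae3.pfx` depends on whatever the operator typed and nothing in the repo records it; make it explicit with `-passout pass:` for the empty-password test case, or `-passout env:PFX_PASSWORD` for real use, and document the choice. The script runs without `set -euo pipefail`, so a failed `genrsa` or `x509` step still lets `cat` and `pkcs12` assemble a bundle from whatever stale files are on disk. `SAE="sae3"` is hard-coded; `SAE="${1:-sae3}"` lets the same script issue sae4 and beyond. In `client.cnf`, `nsCertType`/`nsComment` are legacy Netscape extensions and `emailProtection` is unused by a TLS client, so `extendedKeyUsage = clientAuth` alone is the tighter profile.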
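Review bot: The last two lines of `generate-root-ca.sh` install `CA-zone2.crt` into the host's system trust store with `sudo`, while the matching `CA-zone2.key` is committed unencrypted in this same change; anyone who runs the script on a developer or CI machine then trusts a CA whose private key is public, and since the root is `CA:TRUE, pathlen:1` with no `nameConstraints`, anybody holding this repository can mint a certificate that machine accepts for any host name. Drop the two `sudo` lines, or gate them behind an explicit opt-in such as `[ "${INSTALL_SYSTEM_CA:-0}" = 1 ] || exit 0`, and point the server and tests at the CA file directly as `config_kme2.json` already does via `ca_client_cert_path`. Generating `CA-zone2.key`, `kme2.key`, `sae3.key`, `sae3.pem` and `sae3.pfx` locally with these scripts instead of committing them keeps key material out of version control; if they must stay as fixtures, a `README` in `certs/zone2/` stating they are test-only and must never be installed anywhere is the minimum. Add `set -euo pipefail` so a failed `genrsa` cannot be followed by `sudo cp` of a stale certificate.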
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+openssl req -new -nodes -out kme2.csr -newkey rsa:4096 -keyout kme2.key -subj '/CN=localhost/C=FR/ST=Biot/L=Biot/O=Unice'
+openssl x509 -req -in kme2.csr -CA CA-zone2.crt -CAkey CA-zone2.key -CAcreateserial -out kme2.crt -days 3650 -sha256 -extfile kme2.v3.ext
diff --git a/certs/zone2/kme2.crt b/certs/zone2/kme2.crt
new file mode 100644
index 0000000..426ca65
--- /dev/null
+++ b/certs/zone2/kme2.crt
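Review bot: `generate_kme2_server_cert.sh` has no `set -euo pipefail`, so if the `req` step fails the `x509` line still signs whatever stale `kme2.csr` is on disk with the CA key; add `set -euo pipefail` as the first line after the shebang. The host name is fixed to `localhost` in the subject and, via `kme2.v3.ext`, in the SAN, which is consistent with the loopback listener in `config_kme2.json` but not with the `0.0.0.0:4001` inter-KME listener; accepting `HOST="${1:-localhost}"` and substituting it into both would make the script reusable. The style also diverges from the two sibling scripts (unquoted paths, key created through `req -newkey -nodes` instead of `genrsa`); aligning them avoids two ways of doing the same thing in one directory.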
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFdjCCA16gAwIBAgIULShuwXdGWrjfAJDbBGmgqwqXOFAwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3IgS01FIGluIHpvbmUyMB4XDTI0MDIw +NzEwMDQzM1oXDTM0MDIwNDEwMDQzM1owTzESMBAGA1UEAwwJbG9jYWxob3N0MQsw +CQYDVQQGEwJGUjENMAsGA1UECAwEQmlvdDENMAsGA1UEBwwEQmlvdDEOMAwGA1UE +CgwFVW5pY2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDBjdqdE5Kd +r+7ot5PcX4hjWcr/j3BNtti5It0u9DB2fCU0s64teaCh5hO7G69aViZr1xlN7kSX +Z3N3pYgxj5f5PLZWdMepNJQ2uABNX84TzNMaIdfZtn5emcyleGTeN+/K3Yb9XZ8k +azuZ2GSG6YihH6cHQ7DFnSXRr8oP7JliN3Mp1QqLH1qvnWhEQ37MBPYwvLqWMLTt +8cW28FsX1z7ShnclUwsRCz5CiRNR/sdvzPXw66zKfwXrlPqqOZC7RtxvEjF+wMyx +hk1b9b2WUo6jbJnfaoUKW21G5rdsDW+hpluNFG/ppjwO3l/3pxb9aB6uCW5/u002 +yW4BwhGnrknDZmT9iTDLJ0ePfxIfqRFGJBC18d4lRhDxMfnExb7EcdRV082dRcko +lDDHigAtqKIHQLiFMO4dQtJ9NxE7TmM/RgZFOajVB/7uoTqPNEOdIwPmBKRmOs4X +KcOTmHuPZ4GPHTNVzwBjNkKn5KwtTL/U4iO4sBqgrViTltUjhzTR//CVrhbymYtb +6ixo3zeE0odt4s15vjJXWLYo0+T1sORvv/MUV+I2KD24i0ZckVdaXzgL1DTXwQKI +jkBzlvqh6QrUwv2733l2mRhQjm8eBKex1yMR+qICbiW4vuOSif2RMlD0acD9OqLR ++JbJ2UAK2Of30iMgppo8/7LKcv+OVHvC8QIDAQABo3YwdDAfBgNVHSMEGDAWgBSl +1ktJRIlLR/XBknPBewbMMUn7ozAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAaBgNV +HREEEzARgglsb2NhbGhvc3SHBH8AAAEwHQYDVR0OBBYEFJn/3fLgfciNtZv373Pz +zkJ3ypb8MA0GCSqGSIb3DQEBCwUAA4ICAQA68mjO8pz37vAqAdiewt5oAro0tiO7 +VS8uFpqQadTh/Pkt+rGK/mdBBRnB/QBfrkJvoNXW1w+l4OOvSyNu1guMqidwnpt2 +Q+q20yzd0N5gNqOVp4n2puHR9Ih7CRqiBxL8TnrPaciRw2CEAXHNSIvwQPAEi1CN +LaE/YAXmuhh2WPD4hM7n2PQPcfPuyEWu9Adfq5c3zT8iE6ePY8A54H8v3LvNBCk2 ++NGUNVqono+HlENf2fMBL9SsEHEEifhVxD3KZgQspvsUfB9bIkJp73/GGUD4UQ3E +C5E4g4u05y+zJ/dQzM5kiE0OJii5oRlHuS/dgDhuNc4Uly3R3JSOHX3mh7mPAhYM +HJCoOmXm2K56+O9EQfhuKk+AaM6UF+7GeHwDsouu00p4dY8vEVYVxwF0fqlFMTPR +gumdinF6Vr0xswFlORkKFWBC1Qu86zhTW8NcTcM3eLBFsHsX36biYA5GIN4hPyfM +w8p5qXNMR+FLRL4NvBjMmfON0VQbA9+vh5tgWBI5odR+50CutvYN+qiM4zqx7Y1K +PjTtKU7bduY0amqFEAijZ7uvFBr6X4DrjG7EcJBAc8d6Nz1sLCJxUa7jeMRSesgE +gwxDSFgj1FOcH134TFq2lLsUjOp5dzz/MsLbRS+fFid1gdOIeTLRYiq5HG65jXpR +i1bNC0+kXSpzPQ== +-----END 
CERTIFICATE----- diff --git a/certs/zone2/kme2.csr b/certs/zone2/kme2.csr new file mode 100644 index 0000000..2d25033 --- /dev/null +++ b/certs/zone2/kme2.csr @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIElDCCAnwCAQAwTzESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJGUjEN +MAsGA1UECAwEQmlvdDENMAsGA1UEBwwEQmlvdDEOMAwGA1UECgwFVW5pY2UwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDBjdqdE5Kdr+7ot5PcX4hjWcr/ +j3BNtti5It0u9DB2fCU0s64teaCh5hO7G69aViZr1xlN7kSXZ3N3pYgxj5f5PLZW +dMepNJQ2uABNX84TzNMaIdfZtn5emcyleGTeN+/K3Yb9XZ8kazuZ2GSG6YihH6cH +Q7DFnSXRr8oP7JliN3Mp1QqLH1qvnWhEQ37MBPYwvLqWMLTt8cW28FsX1z7Shncl +UwsRCz5CiRNR/sdvzPXw66zKfwXrlPqqOZC7RtxvEjF+wMyxhk1b9b2WUo6jbJnf +aoUKW21G5rdsDW+hpluNFG/ppjwO3l/3pxb9aB6uCW5/u002yW4BwhGnrknDZmT9 +iTDLJ0ePfxIfqRFGJBC18d4lRhDxMfnExb7EcdRV082dRckolDDHigAtqKIHQLiF +MO4dQtJ9NxE7TmM/RgZFOajVB/7uoTqPNEOdIwPmBKRmOs4XKcOTmHuPZ4GPHTNV +zwBjNkKn5KwtTL/U4iO4sBqgrViTltUjhzTR//CVrhbymYtb6ixo3zeE0odt4s15 +vjJXWLYo0+T1sORvv/MUV+I2KD24i0ZckVdaXzgL1DTXwQKIjkBzlvqh6QrUwv27 +33l2mRhQjm8eBKex1yMR+qICbiW4vuOSif2RMlD0acD9OqLR+JbJ2UAK2Of30iMg +ppo8/7LKcv+OVHvC8QIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAHMC3J/D6ZNq +RXUDjdXjV96WKxk3q+zD5ETWUUlTzrtCQLWbXBsL7D+aELXEZGCdckrx3WSHxyH5 +/mnGNtw/eRVNQGLISMuLp9oLBgKuNId6Jx4WwE7sEggLV9rzdL2F/umaCqxQWR1g +BDa2zo8Sw54K31OwNR/Grti97zJ7M7FV4Xvr68nTx0lRz3fTclZ8P4nkZ3qhJCDm ++LukbMK7eELcHDceveYQOgwfrsbwVWjmMBPqJRe2lBr++HZG6TtXhYpfo/k5g68O +HEdrQCtC1GdGaQGzpyxLIFYm0m8P4cChotnYAp65VW3BB58daCv5CTTBacWJGdXI +EhruYfLgmpniJWA3E/Y25wzTYT1SdUefwyADE71IcsfIwRsxpXpu7IgeQHgrj/y1 +WU3De6Y/M+zyvYWHb7XQnzvT4F0eY3myyTjGKalV9CwX9vermYlCpxW3x7TFOfc/ +0nTJx8Uo0k7Cac/SQUJmbLUAXR5Ht2jeWYD8dteflZyIh7MXFgRXeU0ytPvl3u9q +ibs9fp04x5bVstrICtW5TIZHK+ggKtZ+q6S4KhuztO2VZBfjX0uqVkP+3ECLttOw +hGbuaMncpMRy47aMAJgZ58586vafsyToYR3iyAxJ/JloYd11P3kAu6h7zNNsnFRP +VY8ZJrUWKvtHJTvbmZAB1Zx14fyYfI6G +-----END CERTIFICATE REQUEST----- diff --git a/certs/zone2/kme2.key b/certs/zone2/kme2.key new file mode 100644 index 0000000..7b5d7fb --- /dev/null 
+++ b/certs/zone2/kme2.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDBjdqdE5Kdr+7o +t5PcX4hjWcr/j3BNtti5It0u9DB2fCU0s64teaCh5hO7G69aViZr1xlN7kSXZ3N3 +pYgxj5f5PLZWdMepNJQ2uABNX84TzNMaIdfZtn5emcyleGTeN+/K3Yb9XZ8kazuZ +2GSG6YihH6cHQ7DFnSXRr8oP7JliN3Mp1QqLH1qvnWhEQ37MBPYwvLqWMLTt8cW2 +8FsX1z7ShnclUwsRCz5CiRNR/sdvzPXw66zKfwXrlPqqOZC7RtxvEjF+wMyxhk1b +9b2WUo6jbJnfaoUKW21G5rdsDW+hpluNFG/ppjwO3l/3pxb9aB6uCW5/u002yW4B +whGnrknDZmT9iTDLJ0ePfxIfqRFGJBC18d4lRhDxMfnExb7EcdRV082dRckolDDH +igAtqKIHQLiFMO4dQtJ9NxE7TmM/RgZFOajVB/7uoTqPNEOdIwPmBKRmOs4XKcOT +mHuPZ4GPHTNVzwBjNkKn5KwtTL/U4iO4sBqgrViTltUjhzTR//CVrhbymYtb6ixo +3zeE0odt4s15vjJXWLYo0+T1sORvv/MUV+I2KD24i0ZckVdaXzgL1DTXwQKIjkBz +lvqh6QrUwv2733l2mRhQjm8eBKex1yMR+qICbiW4vuOSif2RMlD0acD9OqLR+JbJ +2UAK2Of30iMgppo8/7LKcv+OVHvC8QIDAQABAoICAAJVOUo/4w+YqtlDZITujNhf +tnE+nhn9sckyI6GDgCBezjGqAcKFZFuB3avZa/4Q1ZfiqOjWI0hXjvN6pgnXjdDL +UR+j0DKYp48CSD9RKozKtk0AFUKH7ygo6T0hq/DmvTKVhCFCfd7PQRG8DeLMu/YZ +3tDuWVovEvaJocvv1t3GxnyoV0nGfWNqUwhRmkdkvuqRonEZfLDKg3l5QQEoTxb0 +AnR2IVxu+teL9eo81ylgj81RKze/Rge+d7KnYiMeZJ1HxkYda5+Ee3hiiEq1y4d/ +kVo5Rd8SVjPu0iKmBc9YZThDLmHN/GF/Kip0E97xiz8fQ3rxe78vjdkiaO/mYKK0 +0v6GcJz8TngA460O3YlmjA/0MmPWzOROrfBCaGmyOwtt5jSlAATwxIrffGmdioEz +Da2nUgINc+EG+WGeoyUoWMKhOobUW1rS2QFfJK4Ub1OmU7XNSgtnnom+dSjftXzE +WIRtdUIGqpUzMm7RYbguNB6aggO+IzTyTZIbOwkEGlWBQzfha+mtN0S+Vvzbu+gm +vWveZk8weEjxgwW8QrpUEQyOwhH3qWLSnGEC5PJcq44WezYETswO5IJMvclL+HR3 +OcIuVQnhHbqEFWFShQwE5cVI/BwvgDLZCEsmHYsMsTChZLKMhNE9o3T+2sagmOw9 +QSoR2LG3t4MFYlktp60RAoIBAQDyV8SLJDtCHSPHXcegiPU85l/V5IDvDfF1TKxx +ftI/JMZdjwI3k1OzvH3ou6CnhK/1INx3oFfU0S4mQS3VhuQySyQqxuUoM2iFBpam +YDXmYpOdrbhUB13lfMdcurV8F4C6zG8t5/q3yFGA9Ckmx39fOb6Umle7+kP1KQEO +mES4NPZFtWIhYgAe3tJol+1jC69ay5iWRPjp6rtRCGxJGPDg2F4rQGKGuG4GPInt +9o4mVtP05ONlMy64SdEHDn0cGIu+n4+zoTv6OXpcnYAjvLkg7J44oGmabIjRlpk1 +n9GHhRS46U35u1MAv8IDcECS8admIvs8ZDOcSh2Ojyaz5mqpAoIBAQDMdjiN+pl7 +UBOBJWKwDbnMXACFWnNeT1AkFmpYaDT3ixN2r9vw2sGHF+ejmxpEMDHs+OYA2N8u 
+IOnkCaDX+ZAYNriZMGaUvJWgrJFCEA3+yYj17i8vO2Kn7JWgYslFlPODLWwbMC33 +n5HLoD7Cfay9/T3TrZNaHkAErLst8fMGbKVmJfC7NMAxFV9Hox6Is/uuhdrXHk3J +dziJAM7iSKvnprrhzuHlhJgO2BcX9EgDACOGMz8ilpk2wxH3W849no6VMCff8Ajg +n+vjXrSEFTmZydMXTTBGFPPJ0lSCBuT+5lgdhU4DEw4lm1sGJbuDtglII7C9qI2J +JPj6W21THssJAoIBAG364tl6keIJM2mQ5721KgZ/TlLVpqXWoBPpvgCr22KIn/Vp +p0ntdHkHO+TY8anUj74hMaygefu9CsKVpeVXmEwyybEYHntGCVMFkGzlENEDP5a5 +dgO8bCJvpFIy8ZXlXKhpirM8qg2pvUNWiy5sLyPaIuFxwgsvIpQqDa6/77/hWTp9 +fJFF1mQsHzUUbckbTnNYHmFj38rYmjXGKs5poTeJOgNK7uvQ2y29X6M813oSwZJM +Jd6Rgcxkw5X+P0z23sSdyStuKrf+SceqOrL9PM7yU0PDmOlaBCWJwPITG5XzEVpx +ls+U8bBPVg8VbFjDjoLNsVLQ7pMpF4zQ7nGKSjECggEBAIAeDC4bO5VjhfVE4eQD +lcsSU1k8ZlJQTJ1wVk7zbU04HogehikUSnRGbGW+SOU1dfNRu34IZ0DWavjzd5Ad +10b08xM6muzUhsXZnGPS/5IJ4wKHr5VfFuC2hMOtYwVw4m3uRnF67TLfEFKSJQFm +EpoyV02O1GiB0Aed3ORbWbdK2RF68K+9zDh1dfDDq9xpO2oOgiSN3pxBUnG2yexN +MTrE5RGduztArK+QhFgEQCNxMNFkx0j7KSKBdX6UTlWaRyoAtNvD4ywtyXf93gtt +6VwOdXGCcp9XfbOXUlDv1QpMeCZ3Y3zVseWqxYzClA9iP8quYo9VUOsA+eqW45hU +EVECggEADmbZWF+Ln7JayKkRNHuGgU376v9+wq3NjKoPfFooHZvhAdb83Jsgbkx1 +z+Xmprr/RW8kRiNXraA8bSgtAISLDiDr+FwpbC8YrPNXPVmUZjl0PqPTUO6QhBID +PYAdKtFd/q2JNtIO45daq+lkouloMS7IPZ5m1Uxkv+3igmuqTuhXzDfxeLz1YUOJ +8Ltcqlq/FlnhrSMAz+CcYJt1bOZXm7ZNttG2OECv+KiurZcuRV1IgSFJMcs+1Nvo +gN5+eFKVeIOZOKeyOppcPk7S+vNumFb3eWMKQG+Xjk5kl8RLKq42NmaUNuO5+qyu +9f5Ji+xpe6Lp/fDYsyit7iriFhdrHQ== +-----END PRIVATE KEY----- diff --git a/certs/zone2/kme2.v3.ext b/certs/zone2/kme2.v3.ext new file mode 100644 index 0000000..68e35be --- /dev/null +++ b/certs/zone2/kme2.v3.ext @@ -0,0 +1,8 @@ +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = localhost +IP.1 = 127.0.0.1 diff --git a/certs/zone2/root-ca.cnf b/certs/zone2/root-ca.cnf new file mode 100644 index 0000000..b87de32 --- /dev/null +++ b/certs/zone2/root-ca.cnf 
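Review bot: `kme2.v3.ext` sets no `extendedKeyUsage` and its `keyUsage` is not `critical`, unlike the client and root profiles added in the same change; since `kme2.crt` is served on both HTTPS listeners in `config_kme2.json`, add `extendedKeyUsage = serverAuth` and tighten to `keyUsage = critical, digitalSignature, keyEncipherment` so strict validators, including the peer KME doing mutual TLS, do not depend on lenient EKU handling. `dataEncipherment` and `nonRepudiation` have no role in a TLS server certificate and can be dropped. The SAN list is `localhost`/`127.0.0.1` only, so any remote KME that reaches the `0.0.0.0:4001` listener by another name cannot validate this certificate; the SAN should carry the real host name once the service is exposed beyond loopback.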
@@ -0,0 +1,4 @@
+[root_ca]
+basicConstraints = critical,CA:TRUE,pathlen:1
+keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
+subjectKeyIdentifier=hash
diff --git a/certs/zone2/sae3.crt b/certs/zone2/sae3.crt
new file mode 100644
index 0000000..80f786b
--- /dev/null
+++ b/certs/zone2/sae3.crt
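Review bot: `keyUsage` on the root in `root-ca.cnf` includes `nonRepudiation`, which has no meaning for a CA signing key and is not part of the conventional CA profile; trimming it to `keyUsage = critical, keyCertSign, cRLSign` keeps the certificate aligned with RFC 5280 practice. `pathlen:1` permits one intermediate, yet the scripts in this change issue end-entity certificates straight from the root, so `pathlen:0` is the tighter bound unless an intermediate is planned. There is no `nameConstraints` extension, so anything signed by this CA is trusted for any name, which matters once `generate-root-ca.sh` installs it into a system trust store.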
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIULShuwXdGWrjfAJDbBGmgqwqXOFEwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3IgS01FIGluIHpvbmUyMB4XDTI0MDIw +NzEwMTEzNloXDTM0MDIwNDEwMTEzNlowIjEgMB4GA1UEAwwXc2FlMyBDbGllbnQg +Y2VydGlmaWNhdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDC2jub +RZjDpHHr1U5p4186+LyfCOS04n8RwQDmAn3106TYHB0W682V6HuYbeAjHwW8wIII +wTV2JPWTpPiLM/BI3KjAnY9DPXV5PzPqIM8dhODt92hp6Ab+LMHN5fr1wXWbCOIa +yWFbG4eE4EhHJb5nhRY0xtje5qVmtpPqXsynbsxgSiojo1uc8iHmQDUNDjKT7Y2Z +OiTjgbYZ1j7BIRoG1QdgQsKZCKMzYht7+cTKElpkMiGu6KRSFDf5FPAgyxCAeYT5 +fG9x2MZf5ipfdL9KN3TGX+5asaM2keEKq1Nh8+BIoPZjEvIKFuXjUKnUnYzJfsyc +VcOoamWgYNevqhOiyZmi5dS3dTS5LiHzYB91nSAX9hXtR78EPxz8PKSaxNXyl8gq +l3v2qivH+FFmkv5WKpcjGQ9mIVhFPK9LsS+S1CyY5bjuSZazs6YojhlrADFtOCz3 +8LiyEHJCPyPmYoNf6bocPFJ7fPMFRJQMnK8hUOhacZlgoa4TnfcssuD3sUNGfUfB +QQ+De4TuWPl7Xxm2XxAuOuVN+vFokbiVTUzw6egohfE9MFnyZX/bRYWTAycId8U/ +UwRg4cY5TiDgX7PptQkj9bTyYb9FNA6lbLCotvrA2vOwAjvK3v6AY9Z2v7GBwEXj +8XrTwQ/pBGETNepyrhnrn558/0pKzIeqNPfOdQIDAQABo4G3MIG0MAkGA1UdEwQC +MAAwEQYJYIZIAYb4QgEBBAQDAgWgMCUGCWCGSAGG+EIBDQQYFhZTQUUgQ2xpZW50 +IENlcnRpZmljYXRlMB0GA1UdDgQWBBSudix0zbKugHVMEmF2obJ5kTJvyTAfBgNV +HSMEGDAWgBSl1ktJRIlLR/XBknPBewbMMUn7ozAOBgNVHQ8BAf8EBAMCBeAwHQYD +VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQBk +wau2aOK1Y9DQlV85IUaWFgUPkej7AXpgAOugrnWOLfBATdE8WG4bpvCOfVgw15zn +fF088lgc1kDYhb+c0iMKiuVjhokT3R+WfDY2P33QTI1a9eQmc/pG1tb/69tOEa3/ +qPCYMNO0Xfhi+/ZRe/a5QltnXJmlQY5vf3rSxGaKBhph/FVlxQbUYoMpcwX4KmDN +YrBg3epRYAEso4beAw1GrmHwtBWAGvH0rLOi1qVuPPToc3yn2Q07bsuerPUMUCY4 +SxFqXnCzJcwepJPqdL7qfLEhPEXEKEoVmvu2vA2blTI/6RdIq/ClrS/6er48qQgt +n7iBOR5ilYPfbuDuLPd7FbSfpGa7v1kd8sSFH5jkXuA3hFP4ErSTjJqxg37VezUe +FPph+pTUAK9oH3tqD5KL3oAErfAmioAMxyGMpO7lgJyaJmDvYMGye6o1cEuwXZ19 +91QZ8pvnr+JgdyaQRDYoazGUyBKgZl+wwrC68dssm8r2ddbWHbBEtOXwywa90Gaa +iqr9imROrIr0sYrFBlupDOGUdl9k/oZEmiyINbq6aXdn72w8uxBYIltygtTI6XaJ +t6cMkahp5WWnJ7thtRHJZVktCMTkGzQAbEVEuWp6spQw1gSJMoy5UnE4B0a2KuIO 
++lnGDDu6yLpf8AMuGxzRFoQxXoehX0VFfr+O3MQj0w== +-----END CERTIFICATE----- diff --git a/certs/zone2/sae3.csr b/certs/zone2/sae3.csr new file mode 100644 index 0000000..9aa0b92 --- /dev/null +++ b/certs/zone2/sae3.csr @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEZzCCAk8CAQAwIjEgMB4GA1UEAwwXc2FlMyBDbGllbnQgY2VydGlmaWNhdGUw +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDC2jubRZjDpHHr1U5p4186 ++LyfCOS04n8RwQDmAn3106TYHB0W682V6HuYbeAjHwW8wIIIwTV2JPWTpPiLM/BI +3KjAnY9DPXV5PzPqIM8dhODt92hp6Ab+LMHN5fr1wXWbCOIayWFbG4eE4EhHJb5n +hRY0xtje5qVmtpPqXsynbsxgSiojo1uc8iHmQDUNDjKT7Y2ZOiTjgbYZ1j7BIRoG +1QdgQsKZCKMzYht7+cTKElpkMiGu6KRSFDf5FPAgyxCAeYT5fG9x2MZf5ipfdL9K +N3TGX+5asaM2keEKq1Nh8+BIoPZjEvIKFuXjUKnUnYzJfsycVcOoamWgYNevqhOi +yZmi5dS3dTS5LiHzYB91nSAX9hXtR78EPxz8PKSaxNXyl8gql3v2qivH+FFmkv5W +KpcjGQ9mIVhFPK9LsS+S1CyY5bjuSZazs6YojhlrADFtOCz38LiyEHJCPyPmYoNf +6bocPFJ7fPMFRJQMnK8hUOhacZlgoa4TnfcssuD3sUNGfUfBQQ+De4TuWPl7Xxm2 +XxAuOuVN+vFokbiVTUzw6egohfE9MFnyZX/bRYWTAycId8U/UwRg4cY5TiDgX7Pp +tQkj9bTyYb9FNA6lbLCotvrA2vOwAjvK3v6AY9Z2v7GBwEXj8XrTwQ/pBGETNepy +rhnrn558/0pKzIeqNPfOdQIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAF/S7zP/ +XCSbgq4LXdchpRlMHEQg5OObcmr/8AZZQMC1yPB67q0F9QvTEwqBKbq7qAF1XVMn +Zm/Get2ZxWeCwZcP7sEAQOJG+/gjRsHxnjpAQI4t2M52tGN0akRM/EReo52TDFu2 +ymuBA8vdB3HvCUYfRq1wzzfJr8kKA7lC+46/UKA4RzHYoAvjTENtjdxS8oyUjwhT +Six6GZt7fp7ip/HwFJmHFj8Xzl9R/iomKKnwEzJEH2Q78A3FklkbU41jKH1L7na0 +bC5Jrs3WnOlBqACcqoise771XW19l4VLk7bmoX/DKbxBK1Ex0Jgz68dFztpyelyu +jO7EQqzmUjzlBKHhp1iZ0AlvkkhTAvJIuOxHpandvIszCCNUuclGRtRescaYlUjO +3HBKv36diZKylcNoRxEHU6Q+8zDQZkCZcPI+npdyf/SdBZNL/S70hEJfIDuzKcxH +KR3bzsv/17UOgkT1ZNvhuRrRmlkOEhDy230d8UNjy9GCRNlgQS1SU4XpQzF/vO2X +ygePPTYJlx97eooq6115VcX0hVdowfIetjK9SbbwjY/0mOWWB/CAvVmWvLWGxhKr +nwGV7kM28227agkOG0R+MnXZ13tHVOWZJ5XXZ0yb58ssfNvrdo5xKuGOpb4uThcZ +Lc1iMQUwAoYCMp+6/Vqp2dZCCQI0AKSIcCMt +-----END CERTIFICATE REQUEST----- diff --git a/certs/zone2/sae3.key b/certs/zone2/sae3.key new file mode 100644 index 0000000..e3fac1a --- /dev/null 
+++ b/certs/zone2/sae3.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDC2jubRZjDpHHr +1U5p4186+LyfCOS04n8RwQDmAn3106TYHB0W682V6HuYbeAjHwW8wIIIwTV2JPWT +pPiLM/BI3KjAnY9DPXV5PzPqIM8dhODt92hp6Ab+LMHN5fr1wXWbCOIayWFbG4eE +4EhHJb5nhRY0xtje5qVmtpPqXsynbsxgSiojo1uc8iHmQDUNDjKT7Y2ZOiTjgbYZ +1j7BIRoG1QdgQsKZCKMzYht7+cTKElpkMiGu6KRSFDf5FPAgyxCAeYT5fG9x2MZf +5ipfdL9KN3TGX+5asaM2keEKq1Nh8+BIoPZjEvIKFuXjUKnUnYzJfsycVcOoamWg +YNevqhOiyZmi5dS3dTS5LiHzYB91nSAX9hXtR78EPxz8PKSaxNXyl8gql3v2qivH ++FFmkv5WKpcjGQ9mIVhFPK9LsS+S1CyY5bjuSZazs6YojhlrADFtOCz38LiyEHJC +PyPmYoNf6bocPFJ7fPMFRJQMnK8hUOhacZlgoa4TnfcssuD3sUNGfUfBQQ+De4Tu +WPl7Xxm2XxAuOuVN+vFokbiVTUzw6egohfE9MFnyZX/bRYWTAycId8U/UwRg4cY5 +TiDgX7PptQkj9bTyYb9FNA6lbLCotvrA2vOwAjvK3v6AY9Z2v7GBwEXj8XrTwQ/p +BGETNepyrhnrn558/0pKzIeqNPfOdQIDAQABAoICAAZB/XuTXOBdoeX9y/6lFXwe +nGosHjI7+vI+RVHdvx9bvHXPU1TW3luj44JF9xaRqrzA3vw6fkXM0pE7EVthH+Sr +J4VGGiGB8gmikL+CbbxoNdQWp8UM9VqI4/GBoxFs9OK1gpNzJ7wGEpBfJpsYWHjZ +Ipkv0Ku58xJtJyt1/3MaIRivkRJjbvAHq7SKF9oTPGcZUDydTC19TzSdt5a6wiv5 +f/rksfy5tQoTqsfMwffuZnZE0OWd5ZcYPKL0e/DFrMI/hNiBWU/p8xcF3JMDvBf9 +V3P+hThm75OzVCukTHF/JFMYzkjoxRqzWQ83mjiwlaKr/pS/wWChiCGCMrMaznYT +0wj8l7ii3yxBzlyVYbXXh6JZnYi6S/mcwqj7nvN6QucZENOD5mJow59EQbWPLVIS +vHnxzPsCjt2etfodUEyQGiG5LwfKqLdTeysJwGKthlhXNO9FE3kRP9uU9hjLNnfE +PyJYqz0J443yMnl3Z59mfeEOE91NkwUGIkccC7/vR1LRrxIbU9GujAvVLpKtYNH9 +vBQavEIB2PHlBHH+bnb+DhzW6O5OBYiGFj2fo7b65PqTH/u37hk0d3IrUVpwtZL6 +tBqzmayBjLfSRrL9qFqMTMuM2UqWZRq7EYDMy2ryMH/Xd24WIbWkatVxBqdbN972 +fGhtALmaJ7MNzTkRyaqxAoIBAQDlhCc4j74b2tH/OcLkUnKNr2bBSduKrIUY3hO5 +K/t+fi8jH9+e4aKlC79kx/ez04i7nkDuVC6yvPgGV6YGjFjKXHkkXtsLtzbVMV/m +YWCSoBTPtJEz8KIuq7YLFoABoWllDpKAcNT6K89Xf5If+kSpWRnpGAbfg2zki0Mj +ONc22PkKMcskRCXgwkGvwnZdWQHMj5GY8O/CdgcLqM25/LXu2H/mhIJh1EjAu9fk +q5rztV0j8aB2eJuGfv2tGbOk2DeK7sxUC57Heicb+9ygE1LitlaXvfzjs7gpCS2x +N30n6dHLOj91GrM3WgMts7D6Rj0sdNNJLgzO7H0mGnxnk0MlAoIBAQDZVh8xPiKK +LaUE7imkipr6GNwcdHRHdk4LDww9Dj68Xlk/FrkEt5p0t22ih9gIzz7oM1W+AOcm 
+3DrtmJaUXAcOn8RfgBZhijopWbA/bkfsNjsPAjXm3cFnXUw3vYTerT0we+ihBXm8 +U/yT2An+kNKLnJCZ6HoHNodTPw/tJXAsLQzVOVH8VAu70OOrsHvgF5CX952ZD9t0 +uZCo5ckcXVhh2xjakI3PPb5d6iYeP5s+Xh78EFUx5DWscpuX153Wfyx1r4CQvVok +t9R6eCFVKau96A47cdpxnJUyyF3SMBSNHRkUbFyvul+WZLJgOpRj7xxgfHN6wfpn +u2b+ms5CzCURAoIBAQC+uwnU6S80+q1Uie25zAJCWCbuLbByF1gsCDEfyrserUIC +0HQHFr8QpSiSWdMw73NLZwHSjMaZ5ou+yYvBGVSYJizN2r3xiHnaxUNKslWMw9dH +nGimXyyH2E5Z/IK32Ck7v9ZjQmDa3RlbPzpxtIrmqJLtr/fWOuN9MXXDiXLfs4OR +wztrke5gT05C/zlZ7aOfGRgHnwG/+lF0kP0VuDqAmA4BxNCM99rVv8Rz1V/ZczhJ +rHyKt0OXi2TIOvmc3cmafUPz/Awg/RQPH0iDBkv0904Sn+HOYAWEpIoCIXiyeI7N +ckRVzrBsKTNHAXLrKP+hOBx1Tf163/BIf+4uLKS5AoIBAFP1DgWy0Br6+QWHj3St +yqKUmeswHX9Bt3JUNNEdQKT5+ZYCjCTDXJp8BZFE0vLMRKvksNm+dY0whF8mk/zp +9Bv1IiIWVA8IG+G/cPOAAa7BYF0y6Gmv/reUdg4OW1a+K6YgJ8SUXeufsjHWwj2h +6oPeTon2IbXJnctN0DQ3Qzb9jDiOdRp5yTKbxmebvK7by5K5KBtp4cgcq0JjyiX3 +9V2QCvDb6LxHSNP00RbcUXdtWqDbGl40n3tnpq2osKOc6yrnSk4fp8QJc75/y7if +aWXqUB0spUtARu6gMoYw5q+AryCRn9iOscBiU/oShyJ3y0mGqgGhD7+kyGvQl598 +R1ECggEAQt7fs3ucfChDpuxKolqC/BmYX2wXEbeasAfnQwKcYDtC08fvg1eQKnWK +93rOtdHJWOf1UBZsz8WgK4tHWxwLpq23/FCho5zxVXiZHmqKpUgSjUzr6T+NHdq9 +RESP/H4dJleLLIodgqpdOU26n3OQI+dRRPjPQsBvuTEotsm/S+3JsX3z7GHmWBWQ +Q5G5M+P/5/1tIf7c/bVmU1JPBwLscmJcekGePsqd94YWDWP9M/kllI5K0d0c/8sZ +Uv+FH7cLLoOy78ZuBT38uAgj3HGcTIdc+DGI4ccFACATYVCKFAAeckMKuAEBxvIr +36O+/C7Fm7vMYiD/ZCNbNFlKDNM+dA== +-----END PRIVATE KEY----- diff --git a/certs/zone2/sae3.pem b/certs/zone2/sae3.pem new file mode 100644 index 0000000..73a4715 --- /dev/null +++ b/certs/zone2/sae3.pem 
@@ -0,0 +1,114 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDC2jubRZjDpHHr +1U5p4186+LyfCOS04n8RwQDmAn3106TYHB0W682V6HuYbeAjHwW8wIIIwTV2JPWT +pPiLM/BI3KjAnY9DPXV5PzPqIM8dhODt92hp6Ab+LMHN5fr1wXWbCOIayWFbG4eE +4EhHJb5nhRY0xtje5qVmtpPqXsynbsxgSiojo1uc8iHmQDUNDjKT7Y2ZOiTjgbYZ +1j7BIRoG1QdgQsKZCKMzYht7+cTKElpkMiGu6KRSFDf5FPAgyxCAeYT5fG9x2MZf +5ipfdL9KN3TGX+5asaM2keEKq1Nh8+BIoPZjEvIKFuXjUKnUnYzJfsycVcOoamWg +YNevqhOiyZmi5dS3dTS5LiHzYB91nSAX9hXtR78EPxz8PKSaxNXyl8gql3v2qivH ++FFmkv5WKpcjGQ9mIVhFPK9LsS+S1CyY5bjuSZazs6YojhlrADFtOCz38LiyEHJC +PyPmYoNf6bocPFJ7fPMFRJQMnK8hUOhacZlgoa4TnfcssuD3sUNGfUfBQQ+De4Tu +WPl7Xxm2XxAuOuVN+vFokbiVTUzw6egohfE9MFnyZX/bRYWTAycId8U/UwRg4cY5 +TiDgX7PptQkj9bTyYb9FNA6lbLCotvrA2vOwAjvK3v6AY9Z2v7GBwEXj8XrTwQ/p +BGETNepyrhnrn558/0pKzIeqNPfOdQIDAQABAoICAAZB/XuTXOBdoeX9y/6lFXwe +nGosHjI7+vI+RVHdvx9bvHXPU1TW3luj44JF9xaRqrzA3vw6fkXM0pE7EVthH+Sr +J4VGGiGB8gmikL+CbbxoNdQWp8UM9VqI4/GBoxFs9OK1gpNzJ7wGEpBfJpsYWHjZ +Ipkv0Ku58xJtJyt1/3MaIRivkRJjbvAHq7SKF9oTPGcZUDydTC19TzSdt5a6wiv5 +f/rksfy5tQoTqsfMwffuZnZE0OWd5ZcYPKL0e/DFrMI/hNiBWU/p8xcF3JMDvBf9 +V3P+hThm75OzVCukTHF/JFMYzkjoxRqzWQ83mjiwlaKr/pS/wWChiCGCMrMaznYT +0wj8l7ii3yxBzlyVYbXXh6JZnYi6S/mcwqj7nvN6QucZENOD5mJow59EQbWPLVIS +vHnxzPsCjt2etfodUEyQGiG5LwfKqLdTeysJwGKthlhXNO9FE3kRP9uU9hjLNnfE +PyJYqz0J443yMnl3Z59mfeEOE91NkwUGIkccC7/vR1LRrxIbU9GujAvVLpKtYNH9 +vBQavEIB2PHlBHH+bnb+DhzW6O5OBYiGFj2fo7b65PqTH/u37hk0d3IrUVpwtZL6 +tBqzmayBjLfSRrL9qFqMTMuM2UqWZRq7EYDMy2ryMH/Xd24WIbWkatVxBqdbN972 +fGhtALmaJ7MNzTkRyaqxAoIBAQDlhCc4j74b2tH/OcLkUnKNr2bBSduKrIUY3hO5 +K/t+fi8jH9+e4aKlC79kx/ez04i7nkDuVC6yvPgGV6YGjFjKXHkkXtsLtzbVMV/m +YWCSoBTPtJEz8KIuq7YLFoABoWllDpKAcNT6K89Xf5If+kSpWRnpGAbfg2zki0Mj +ONc22PkKMcskRCXgwkGvwnZdWQHMj5GY8O/CdgcLqM25/LXu2H/mhIJh1EjAu9fk +q5rztV0j8aB2eJuGfv2tGbOk2DeK7sxUC57Heicb+9ygE1LitlaXvfzjs7gpCS2x +N30n6dHLOj91GrM3WgMts7D6Rj0sdNNJLgzO7H0mGnxnk0MlAoIBAQDZVh8xPiKK +LaUE7imkipr6GNwcdHRHdk4LDww9Dj68Xlk/FrkEt5p0t22ih9gIzz7oM1W+AOcm 
+3DrtmJaUXAcOn8RfgBZhijopWbA/bkfsNjsPAjXm3cFnXUw3vYTerT0we+ihBXm8 +U/yT2An+kNKLnJCZ6HoHNodTPw/tJXAsLQzVOVH8VAu70OOrsHvgF5CX952ZD9t0 +uZCo5ckcXVhh2xjakI3PPb5d6iYeP5s+Xh78EFUx5DWscpuX153Wfyx1r4CQvVok +t9R6eCFVKau96A47cdpxnJUyyF3SMBSNHRkUbFyvul+WZLJgOpRj7xxgfHN6wfpn +u2b+ms5CzCURAoIBAQC+uwnU6S80+q1Uie25zAJCWCbuLbByF1gsCDEfyrserUIC +0HQHFr8QpSiSWdMw73NLZwHSjMaZ5ou+yYvBGVSYJizN2r3xiHnaxUNKslWMw9dH +nGimXyyH2E5Z/IK32Ck7v9ZjQmDa3RlbPzpxtIrmqJLtr/fWOuN9MXXDiXLfs4OR +wztrke5gT05C/zlZ7aOfGRgHnwG/+lF0kP0VuDqAmA4BxNCM99rVv8Rz1V/ZczhJ +rHyKt0OXi2TIOvmc3cmafUPz/Awg/RQPH0iDBkv0904Sn+HOYAWEpIoCIXiyeI7N +ckRVzrBsKTNHAXLrKP+hOBx1Tf163/BIf+4uLKS5AoIBAFP1DgWy0Br6+QWHj3St +yqKUmeswHX9Bt3JUNNEdQKT5+ZYCjCTDXJp8BZFE0vLMRKvksNm+dY0whF8mk/zp +9Bv1IiIWVA8IG+G/cPOAAa7BYF0y6Gmv/reUdg4OW1a+K6YgJ8SUXeufsjHWwj2h +6oPeTon2IbXJnctN0DQ3Qzb9jDiOdRp5yTKbxmebvK7by5K5KBtp4cgcq0JjyiX3 +9V2QCvDb6LxHSNP00RbcUXdtWqDbGl40n3tnpq2osKOc6yrnSk4fp8QJc75/y7if +aWXqUB0spUtARu6gMoYw5q+AryCRn9iOscBiU/oShyJ3y0mGqgGhD7+kyGvQl598 +R1ECggEAQt7fs3ucfChDpuxKolqC/BmYX2wXEbeasAfnQwKcYDtC08fvg1eQKnWK +93rOtdHJWOf1UBZsz8WgK4tHWxwLpq23/FCho5zxVXiZHmqKpUgSjUzr6T+NHdq9 +RESP/H4dJleLLIodgqpdOU26n3OQI+dRRPjPQsBvuTEotsm/S+3JsX3z7GHmWBWQ +Q5G5M+P/5/1tIf7c/bVmU1JPBwLscmJcekGePsqd94YWDWP9M/kllI5K0d0c/8sZ +Uv+FH7cLLoOy78ZuBT38uAgj3HGcTIdc+DGI4ccFACATYVCKFAAeckMKuAEBxvIr +36O+/C7Fm7vMYiD/ZCNbNFlKDNM+dA== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIULShuwXdGWrjfAJDbBGmgqwqXOFEwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3IgS01FIGluIHpvbmUyMB4XDTI0MDIw +NzEwMTEzNloXDTM0MDIwNDEwMTEzNlowIjEgMB4GA1UEAwwXc2FlMyBDbGllbnQg +Y2VydGlmaWNhdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDC2jub +RZjDpHHr1U5p4186+LyfCOS04n8RwQDmAn3106TYHB0W682V6HuYbeAjHwW8wIII +wTV2JPWTpPiLM/BI3KjAnY9DPXV5PzPqIM8dhODt92hp6Ab+LMHN5fr1wXWbCOIa +yWFbG4eE4EhHJb5nhRY0xtje5qVmtpPqXsynbsxgSiojo1uc8iHmQDUNDjKT7Y2Z +OiTjgbYZ1j7BIRoG1QdgQsKZCKMzYht7+cTKElpkMiGu6KRSFDf5FPAgyxCAeYT5 
+fG9x2MZf5ipfdL9KN3TGX+5asaM2keEKq1Nh8+BIoPZjEvIKFuXjUKnUnYzJfsyc +VcOoamWgYNevqhOiyZmi5dS3dTS5LiHzYB91nSAX9hXtR78EPxz8PKSaxNXyl8gq +l3v2qivH+FFmkv5WKpcjGQ9mIVhFPK9LsS+S1CyY5bjuSZazs6YojhlrADFtOCz3 +8LiyEHJCPyPmYoNf6bocPFJ7fPMFRJQMnK8hUOhacZlgoa4TnfcssuD3sUNGfUfB +QQ+De4TuWPl7Xxm2XxAuOuVN+vFokbiVTUzw6egohfE9MFnyZX/bRYWTAycId8U/ +UwRg4cY5TiDgX7PptQkj9bTyYb9FNA6lbLCotvrA2vOwAjvK3v6AY9Z2v7GBwEXj +8XrTwQ/pBGETNepyrhnrn558/0pKzIeqNPfOdQIDAQABo4G3MIG0MAkGA1UdEwQC +MAAwEQYJYIZIAYb4QgEBBAQDAgWgMCUGCWCGSAGG+EIBDQQYFhZTQUUgQ2xpZW50 +IENlcnRpZmljYXRlMB0GA1UdDgQWBBSudix0zbKugHVMEmF2obJ5kTJvyTAfBgNV +HSMEGDAWgBSl1ktJRIlLR/XBknPBewbMMUn7ozAOBgNVHQ8BAf8EBAMCBeAwHQYD +VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQBk +wau2aOK1Y9DQlV85IUaWFgUPkej7AXpgAOugrnWOLfBATdE8WG4bpvCOfVgw15zn +fF088lgc1kDYhb+c0iMKiuVjhokT3R+WfDY2P33QTI1a9eQmc/pG1tb/69tOEa3/ +qPCYMNO0Xfhi+/ZRe/a5QltnXJmlQY5vf3rSxGaKBhph/FVlxQbUYoMpcwX4KmDN +YrBg3epRYAEso4beAw1GrmHwtBWAGvH0rLOi1qVuPPToc3yn2Q07bsuerPUMUCY4 +SxFqXnCzJcwepJPqdL7qfLEhPEXEKEoVmvu2vA2blTI/6RdIq/ClrS/6er48qQgt +n7iBOR5ilYPfbuDuLPd7FbSfpGa7v1kd8sSFH5jkXuA3hFP4ErSTjJqxg37VezUe +FPph+pTUAK9oH3tqD5KL3oAErfAmioAMxyGMpO7lgJyaJmDvYMGye6o1cEuwXZ19 +91QZ8pvnr+JgdyaQRDYoazGUyBKgZl+wwrC68dssm8r2ddbWHbBEtOXwywa90Gaa +iqr9imROrIr0sYrFBlupDOGUdl9k/oZEmiyINbq6aXdn72w8uxBYIltygtTI6XaJ +t6cMkahp5WWnJ7thtRHJZVktCMTkGzQAbEVEuWp6spQw1gSJMoy5UnE4B0a2KuIO ++lnGDDu6yLpf8AMuGxzRFoQxXoehX0VFfr+O3MQj0w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFGTCCAwGgAwIBAgIUKhp/O8QyH/mEdqwvDk4CGu6RrnowDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3IgS01FIGluIHpvbmUyMB4XDTI0MDIw +NzA5NTcwNVoXDTM0MDIwNDA5NTcwNVowIzEhMB8GA1UEAwwYUm9vdCBDQSBmb3Ig +S01FIGluIHpvbmUyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0kE/ +jcYF4GC6kE9cG+1y2J8q4oiPfuNxTCdLceXPJqzFkNB9HJgdumfAhfUEseC8q+iB +HohVT/y6RMoX2ZnsrdqMv8mC9r14OQiL2P2tdeQhitePlwcQINLnlEPnf2rPlKAQ +jXZYV6YpIVsBWwsRmmQAPv5tpGHuxeV/NzrkMX0X2d5JNGS2WzkuHApD5CS79m1d 
+rHHEMx1qzObdz8QoIyv0UgeYDyWtONCY/d1Rs0YgWg75reDxQ41e6oa+FwthOQ2x +2chE5f2NvKRGy5KZLlS42oh0RhaB0jmN+5sycRYge11T61wgGedhjM5dbDgGZVkh +EkHTnNEYph3AiYz27pA7KY4lZwpKYktoFZ5nTpD2hpqDVMk1BJ6rncExZQSkdkT7 ++U84oxja0X+joSp8zR7+lyST5xXq22kPp1g4e36itBE92w32PcXz3NujHSZ6oRPO +Bb/4bvvbFvP8ctgb70NW0Sv9LY8KCpw/fFfh8cSRCOSVn9yckjKMIMAGf5Ljax4u +CHhpJQevGUejtzhc/B5Nrw5YA4w16TbX1Ca2+LOnshYsvizOnYLbssAFPP1s8NZI +yeubRtMFgDYwNm5pPDWEINkRYpwTpc3cXo83Sx/vSHpxzOYFWqdpqPzdXZcgJiP0 +rS0o+TM/lkLKpLWaTNdmBKS+W9hU5W+MQ6gyCSsCAwEAAaNFMEMwEgYDVR0TAQH/ +BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAUYwHQYDVR0OBBYEFKXWS0lEiUtH9cGS +c8F7BswxSfujMA0GCSqGSIb3DQEBCwUAA4ICAQDJ88RClc+gC7Jip73Wg8HAq/fq +yOBDFPW/5gVMgGrUdR7p+0TXH/L2T6zToDCWZ/PgLk3dLd+0WVu88nC3tc+DzWXE +g+8rnE9QjIlCabDN7TaZGD8U+wxmI+MY+0iwy4BPhHl6B3QY1kYbAqm4kp4ALr41 +FdIjwl0K4zZ+ldQZerxrzGcDOPFtiRSnRSx0ADK8/ghBysly4vVZvHxIS8xhqgRR +Emj5jk1hZrgVPWvoCbU9v7dj2syNT7vWkbvRobSzewkbL4Ott3oIn8Vs4FTR+D8B +FT86x1+6rMBVDdDtLTYBC8mqxLmwiOWDe7M72a8Tq+grXjCcIkjPNsJLHEJoY2kw +1urvCRarH2dbJnvsiKK3Hof6/Mt8una5xZn2FyegM0EyHowyKCRrGhJrjSMWfdaj +DYitv2fTEorWhiNt8s6vRQ7RTq0p2P0nTFjwvz+GXq1uQWx/EMZe8knQgKMNaNqD +HyLbUP0lsVGuZ56sx0SH2KWjTg4b7s6eu23r5SYtapHqkdw3Uliae4dBInZptenf +YAbEDdItcZ/PBdwOoVv6HO7jgPlGsoEOafrF7j56oUiKvuIkbpCspOwyUU8MVUqy +gZgOYWjXTW4WZZmyw0Ieh9JvWCyKpYIKUUeEnILGn7YV0fbaopz9OqQ5waZibo7l +1EYvq7zJyBDsV9Z/jw== +-----END CERTIFICATE----- diff --git a/certs/zone2/sae3.pfx b/certs/zone2/sae3.pfx new file mode 100644 index 0000000..0c1691f Binary files /dev/null and b/certs/zone2/sae3.pfx differ diff --git a/config_kme1.json b/config_kme1.json index cebd987..2f550df 100644 --- a/config_kme1.json +++ b/config_kme1.json 
@@ -20,8 +20,9 @@ { "id": 2, "key_directory_to_watch": "raw_keys/kme-1-2", - "inter_kme_bind_address": "127.0.0.1:3001", - "https_client_authentication_certificate": "certs/inter_kmes/client-kme1-to-kme2.pfx" + "inter_kme_bind_address": "127.0.0.1:4001", + "https_client_authentication_certificate": "certs/inter_kmes/client-kme1-to-kme2.pfx", + "https_client_authentication_certificate_password": "" } ], "saes": [ @@ -76,6 +77,10 @@ 59, 146 ] + }, + { + "id": 3, + "kme_id": 2 } ] } \ No newline at end of file diff --git a/config_kme2.json b/config_kme2.json new file mode 100644 index 0000000..57f5c8f --- /dev/null +++ b/config_kme2.json @@ -0,0 +1,64 @@ +{ + "this_kme": { + "id": 2, + "sqlite_db_path": ":memory:", + "key_directory_to_watch": "raw_keys/kme-2-2", + "saes_https_interface": { + "listen_address": "127.0.0.1:4000", + "ca_client_cert_path": "certs/zone2/CA-zone2.crt", + "server_cert_path": "certs/zone2/kme2.crt", + "server_key_path": "certs/zone2/kme2.key" + }, + "kmes_https_interface": { + "listen_address": "0.0.0.0:4001", + "ca_client_cert_path": "certs/inter_kmes/root-ca-kme2.crt", + "server_cert_path": "certs/zone2/kme2.crt", + "server_key_path": "certs/zone2/kme2.key" + } + }, + "other_kmes": [ + { + "id": 1, + "key_directory_to_watch": "raw_keys/kme-1-2", + "inter_kme_bind_address": "127.0.0.1:3001", + "https_client_authentication_certificate": "certs/inter_kmes/client-kme2-to-kme1.pfx", + "https_client_authentication_certificate_password": "" + } + ], + "saes": [ + { + "id": 1, + "kme_id": 1 + }, + { + "id": 2, + "kme_id": 1 + }, + { + "id": 3, + "kme_id": 2, + "https_client_certificate_serial": [ + 45, + 40, + 110, + 193, + 119, + 70, + 90, + 184, + 223, + 0, + 144, + 219, + 4, + 105, + 160, + 171, + 10, + 151, + 56, + 81 + ] + } + ] +} \ No newline at end of file 
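Review bot: `kmes_https_interface.listen_address` in the new `config_kme2.json` is `0.0.0.0:4001`, which exposes the inter-KME key-activation endpoint on every interface while every other address in both config files (SAE interface `127.0.0.1:4000`, peer addresses `127.0.0.1:3001`/`127.0.0.1:4001`) stays on loopback; for the two-KME local test this should be `"listen_address": "127.0.0.1:4001"`, and a real deployment should bind only the interface that faces the peer KME. The endpoint is still gated by client-certificate authentication (`ca_client_cert_path`), but a sample config should not widen the reachable surface for no reason. The new `https_client_authentication_certificate_password` key also stores a PKCS#12 password in plaintext next to the `.pfx` path; an empty password is acceptable for the committed test fixture, but the config documentation should state that production deployments must protect this file (permissions or an external secret) and must not reuse the committed `sae3.pfx`/`client-kme*.pfx` material.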
diff --git a/raw_keys/kme-2-2/211202_1159_CD6ADBF2.cor b/raw_keys/kme-2-2/211202_1159_CD6ADBF2.cor new file mode 100755 index 0000000..bbb4623 Binary files /dev/null and b/raw_keys/kme-2-2/211202_1159_CD6ADBF2.cor differ diff --git a/src/config/mod.rs b/src/config/mod.rs index 2733844..6191ce3 100644 --- a/src/config/mod.rs +++ b/src/config/mod.rs @@ -86,7 +86,9 @@ pub struct OtherKmeConfig { /// IP address of the other KME, used to send keys to it using "classical channel" pub(crate) inter_kme_bind_address: String, /// Client certificate for inter KME HTTPS authentication - pub(crate) https_client_authentication_certificate: String + pub(crate) https_client_authentication_certificate: String, + /// Password for the client certificate + pub(crate) https_client_authentication_certificate_password: String } /// Config for specific SAE: its ID, KME ID and optional client certificate serial diff --git a/src/main.rs b/src/main.rs index 603038c..11933cb 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,6 +1,8 @@ use log::error; +use tokio::select; use qkd_kme_server::qkd_manager::QkdManager; use qkd_kme_server::routes::EtsiSaeQkdRoutesV1; +use qkd_kme_server::routes::inter_kmes_routes::InterKMEsRoutes; #[tokio::main] async fn main() { @@ -37,8 +39,12 @@ async fn main() { println!("{:?}", qkd_manager.is_err()); let qkd_manager = qkd_manager.unwrap(); - if sae_https_server.run::(&qkd_manager).await.is_err() { - error!("Error running SAEs HTTPS server"); - return; + select! { + x = inter_kme_https_server.run::(&qkd_manager) => { + error!("Error running inter-KMEs HTTPS server: {:?}", x); + }, + x = sae_https_server.run::(&qkd_manager) => { + error!("Error running SAEs HTTPS server: {:?}", x); + } } } \ No newline at end of file diff --git a/src/qkd_manager/config_extractor.rs b/src/qkd_manager/config_extractor.rs index 398913b..ed2faeb 100644 --- a/src/qkd_manager/config_extractor.rs +++ b/src/qkd_manager/config_extractor.rs 
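Review bot: `https_client_authentication_certificate_password` is added to `OtherKmeConfig` as a required `String`, so every existing config that lacks the key stops deserializing (the diff had to add `""` to `config_kme1.json`); assuming the struct is filled by serde from the JSON config, `#[serde(default)] pub(crate) https_client_authentication_certificate_password: String` keeps old configs loading and makes "unencrypted PKCS#12" the default instead of a mandatory empty string. The field also holds a secret: if `OtherKmeConfig` derives `Debug` (the derive line is outside this hunk), consider a manual `Debug` impl that redacts it so the password cannot reach `{:?}` log output. The struct definition starts before this hunk.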
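Review bot: The `select!` in `main` logs whichever server returns first and then lets `main` return normally, so after a fatal server error the process exits with status 0 and a supervisor (systemd, a container runtime) will neither restart it nor flag it; the code it replaces at least returned early, and this should end with `std::process::exit(1);` after the `select!` (or `main` should return a `Result` and propagate the error). Both arms also treat any completion as an error: if a `run` future ever resolves with `Ok`, it is still reported as `error!("Error running ... {:?}", x)`, so match on `x` rather than logging it unconditionally. `inter_kme_https_server` is constructed outside the hunk, so whether it fails fast on a bad `kmes_https_interface` config cannot be checked here.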
@@ -15,6 +15,7 @@ impl ConfigExtractor { let qkd_manager = Arc::new(QkdManager::new(&config.this_kme_config.sqlite_db_path, config.this_kme_config.id)); Self::extract_all_saes(Arc::clone(&qkd_manager), config)?; Self::extract_other_kmes_and_keys(Arc::clone(&qkd_manager), config)?; + Self::add_classical_net_routing_info_kmes(Arc::clone(&qkd_manager), config)?; Ok(qkd_manager) } @@ -99,4 +100,17 @@ impl ConfigExtractor { let file_ext = Path::new(file_path).extension(); file_ext.is_some() && file_ext.unwrap() == crate::QKD_KEY_FILE_EXTENSION } + + fn add_classical_net_routing_info_kmes(qkd_manager: Arc, config: &Config) -> Result<(), io::Error> { + for other_kme_config in &config.other_kme_configs { + qkd_manager.add_kme_classical_net_info(other_kme_config.id, + other_kme_config.inter_kme_bind_address.clone(), + other_kme_config.https_client_authentication_certificate.clone(), + other_kme_config.https_client_authentication_certificate_password.clone()) + .map_err(|e| + io_err(&format!("Cannot add KME classical network info: {:?}", e)) + )?; + } + Ok(()) + } } \ No newline at end of file diff --git a/src/qkd_manager/http_request_obj.rs b/src/qkd_manager/http_request_obj.rs index b131492..912031d 100644 --- a/src/qkd_manager/http_request_obj.rs +++ b/src/qkd_manager/http_request_obj.rs @@ -1,6 +1,7 @@ //! Objects deserialized from HTTP request body -use serde::Deserialize; +use serde::{Deserialize, Serialize}; +use crate::SaeId; /// Request from the slave SAE to get key(s) from UUIDs provided by the master SAE #[derive(Deserialize, Debug)] 
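Review bot: `add_classical_net_routing_info_kmes` has no `///` doc comment and its name says "routing info" while it also hands the manager a PKCS#12 path and its password; a line such as `/// Registers each configured peer KME's classical-network address and the mTLS client identity (PKCS#12 path + password) used to reach it.` would tell the next reader what it actually loads. The password travels as a plain `String` through the command channel and is cloned here; that is acceptable for now, but a `// NOTE: the PKCS#12 password is kept in memory unencrypted for the process lifetime` on the clone line keeps anyone from assuming it is scrubbed.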
@@ -14,4 +15,14 @@ pub(crate) struct RequestKeyId { #[allow(non_snake_case)] pub(crate) struct RequestListKeysIds { pub(crate) key_IDs: Vec, +} + +/// From inter-KME network: a key has been requested on a remote KME for a specific target SAE +#[derive(Serialize, Deserialize, Debug)] +#[allow(non_snake_case)] +pub(crate) struct ActivateKeyRemoteKME { + pub(crate) key_ID: String, + /// Master SAE that requested the key + pub(crate) origin_SAE_ID: SaeId, + pub(crate) remote_SAE_ID: SaeId, } \ No newline at end of file diff --git a/src/qkd_manager/key_handler.rs b/src/qkd_manager/key_handler.rs index 9ddef37..6c50b21 100644 --- a/src/qkd_manager/key_handler.rs +++ b/src/qkd_manager/key_handler.rs @@ -5,7 +5,7 @@ use std::io; use uuid::Bytes; use x509_parser::nom::AsBytes; use crate::{io_err, KmeId, qkd_manager, SaeClientCertSerial, SaeId}; -use crate::qkd_manager::{KMEInfo, PreInitQkdKeyWrapper, QkdManagerCommand, QkdManagerResponse, SAEInfo}; +use crate::qkd_manager::{http_request_obj, KMEInfo, PreInitQkdKeyWrapper, QkdManagerCommand, QkdManagerResponse, router, SAEInfo}; use base64::{engine::general_purpose, Engine as _}; use log::{error, info, warn}; use crate::qkd_manager::http_response_obj::{ResponseQkdKey, ResponseQkdKeysList}; @@ -21,6 +21,8 @@ pub(super) struct KeyHandler { sqlite_db: sqlite::Connection, /// The ID of this KME this_kme_id: KmeId, + /// Router on classical network, used to connect to other KMEs over unsecure classical network + qkd_router: router::QkdRouter, } impl KeyHandler { @@ -45,6 +47,7 @@ impl KeyHandler { io::Error::new(io::ErrorKind::NotConnected, format!("Error opening sqlite database: {:?}", e)) })?, this_kme_id, + qkd_router: router::QkdRouter::new(), }; // Create the tables if they do not exist key_handler.sqlite_db.execute(DATABASE_INIT_REQ).map_err(|e| { 
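Review bot: `ActivateKeyRemoteKME` documents `origin_SAE_ID` but not that all three fields are asserted by the peer KME in the request body and are not tied to the TLS client certificate anywhere in this change (the inter-KME handler discards `_client_cert`); the struct doc should say so: `/// All fields are supplied by the remote KME and must be cross-checked by the receiver (key actually shared with that peer, remote SAE local to this KME) before activation.` `remote_SAE_ID` should get `/// Slave SAE on this KME for which the key is being activated`, and `key_ID` should be described as the key UUID string that the receiver looks up in its pre-init key table.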
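Review bot: The new `qkd_router` field comment says the router connects to other KMEs "over unsecure classical network", which undersells what the code does (a mutually authenticated TLS client identity is attached to every request); `/// Router on the classical (untrusted) network: peer KME addresses plus the mTLS client identity used to reach each one` describes the field accurately and tells a reader where the peer authentication material lives. `KeyHandler` continues outside this hunk.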
@@ -120,6 +123,24 @@ impl KeyHandler { error!("Error QKD manager sending response"); } }, + QkdManagerCommand::ActivateKeyFromRemote(origin_sae_id, target_sae_id, target_key_uuid) => { + let key_activate_response = self.activate_key_uuid_sae(origin_sae_id, target_sae_id, target_key_uuid).unwrap_or_else(identity); + if self.response_tx.send(key_activate_response).is_err() { + error!("Error QKD manager sending response"); + } + } + QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, kme_addr_or_domain, conn_client_cert, conn_cert_password) => { + let add_kme_response = match self.qkd_router.add_kme_to_ip_or_domain_association(kme_id, &kme_addr_or_domain, &conn_client_cert, &conn_cert_password) { + Ok(_) => QkdManagerResponse::Ok, + Err(e) => { + error!("Error adding KME classical network info: {:?}", e); + QkdManagerResponse::Ko + }, + }; + if self.response_tx.send(add_kme_response).is_err() { + error!("Error QKD manager sending response"); + } + } } } Err(e) => { @@ -269,10 +290,14 @@ impl KeyHandler { QkdManagerResponse::Ko })?; if origin_kme_id != target_kme_id { - // send key to other KME TODO + // send key to other KME // We must ensure: - // - other KME is authenticated - // - other SAE belongs to other KME + // - other KME is authenticated (client certificate and operating system trust store) + // - other SAE belongs to other KME (statically managed for now) + self.activate_key_on_other_kme(origin_sae_id, target_kme_id, target_sae_id, &key_uuid).map_err(|_| { + error!("Error activating key on other KME"); + QkdManagerResponse::Ko + })?; } self.delete_pre_init_key_with_id(id).map_err(|_| { 
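Review bot: In the cross-KME branch, `activate_key_on_other_kme` commits the key on the peer before the local `delete_pre_init_key_with_id`/`insert_activated_key` run, so if either local step fails afterwards the peer is left holding an activated key for a pair that never completed here, and nothing compensates (no deactivate call exists in this change). Either perform the local bookkeeping first and roll it back on remote failure, or at least `warn!` with the key UUID and peer KME id on the local failure path so an orphaned activation can be found. The comment `// - other KME is authenticated (client certificate and operating system trust store)` describes only the transport; nothing visible compares the peer's identity with `target_kme_id`, so phrase it as a requirement ("must be") rather than a guarantee. The enclosing function starts before this hunk.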
@@ -281,14 +306,96 @@ impl KeyHandler { })?; info!("Saving key {} in init keys", key_uuid); + + self.insert_activated_key(&key_uuid, &key, origin_sae_id, target_sae_id).map_err(|_| { + error!("Error inserting activated key"); + QkdManagerResponse::Ko + })?; + + // Encode the key in base64 + let response_qkd_key = ResponseQkdKey { + key_ID: key_uuid, + key: general_purpose::STANDARD.encode(&key) + }; + + // Return a list of key objects + Ok(QkdManagerResponse::Keys(ResponseQkdKeysList { + keys: vec![response_qkd_key], + })) + } + + fn activate_key_uuid_sae(&self, origin_sae_id: SaeId, target_sae_id: SaeId, key_uuid: String) -> Result { + const GET_PRE_INIT_KEY_PREPARED_STATEMENT: &'static str = "SELECT id, key, other_kme_id FROM uninit_keys WHERE key_uuid = ? LIMIT 1;"; + + let mut stmt = ensure_prepared_statement_ok!(self.sqlite_db, GET_PRE_INIT_KEY_PREPARED_STATEMENT); + stmt.bind((1, key_uuid.as_str())).map_err(|_| { + error!("Error binding key UUID"); + QkdManagerResponse::Ko + })?; + let sql_execution_state = stmt.next().map_err(|_| { + error!("Error executing SQL statement"); + QkdManagerResponse::Ko + })?; + + if sql_execution_state != sqlite::State::Row { + return Err(QkdManagerResponse::NotFound); + } + + let key_id = stmt.read::(0).map_err(|_| { + error!("Error reading SQL statement result"); + QkdManagerResponse::Ko + })?; + let key: Vec = stmt.read::, usize>(1).map_err(|_| { + error!("Error reading SQL statement result"); + QkdManagerResponse::Ko + })?; + let _other_kme_id = stmt.read::(2).map_err(|_| { + error!("Error reading SQL statement result"); + QkdManagerResponse::Ko + })?; + + self.insert_activated_key(&key_uuid, &key, origin_sae_id, target_sae_id).map_err(|_| { + error!("Error inserting activated key"); + QkdManagerResponse::Ko + })?; + self.delete_pre_init_key_with_id(key_id).map_err(|_| { + error!("Error deleting pre-init key {}", key_id); + QkdManagerResponse::Ko + })?; + + info!("Key {} activated between saes {} and {}", key_uuid, 
origin_sae_id, target_sae_id); + Ok(QkdManagerResponse::Ok) + } + + fn activate_key_on_other_kme(&self, caller_master_sae_id: SaeId, other_kme_id: KmeId, other_sae_id: SaeId, key_uuid: &str) -> Result<(), io::Error> { + let req_body = http_request_obj::ActivateKeyRemoteKME { + key_ID: key_uuid.to_string(), + origin_SAE_ID: caller_master_sae_id, + remote_SAE_ID: other_sae_id, + }; + let kme_classical_info = self.qkd_router.get_classical_connection_info_from_kme_id(other_kme_id).ok_or(io_err("KME ID not found"))?; + let kme_client = reqwest::blocking::Client::builder() + .identity(kme_classical_info.tls_client_cert_identity.clone()) + .build().map_err(|_| io_err("Error building reqwest client"))?; + let response = kme_client.post(&format!("https://{}/keys/activate", kme_classical_info.ip_or_domain)) + .json(&req_body) + .send().map_err(|_| io_err("Error sending HTTP request"))?; + + if response.status() != reqwest::StatusCode::OK { + return Err(io_err("Error activating key on other KME")); + } + Ok(()) + } + + fn insert_activated_key(&self, key_uuid: &str, key: &[u8], origin_sae_id: SaeId, target_sae_id: SaeId)-> Result { const INSERT_INIT_KEY_PREPARED_STATEMENT: &'static str = "INSERT INTO keys (key_uuid, key, origin_sae_id, target_sae_id) VALUES (?, ?, ?, ?);"; let mut stmt = ensure_prepared_statement_ok!(self.sqlite_db, INSERT_INIT_KEY_PREPARED_STATEMENT); - stmt.bind((1, key_uuid.as_str())).map_err(|_| { + stmt.bind((1, key_uuid)).map_err(|_| { error!("Error binding key UUID"); QkdManagerResponse::Ko })?; - stmt.bind((2, key.as_slice())).map_err(|_| { + stmt.bind((2, key)).map_err(|_| { error!("Error binding key"); QkdManagerResponse::Ko })?; 
@@ -304,17 +411,7 @@ impl KeyHandler { error!("Error executing SQL statement"); QkdManagerResponse::Ko })?; - - // Encode the key in base64 - let response_qkd_key = ResponseQkdKey { - key_ID: key_uuid, - key: general_purpose::STANDARD.encode(&key) - }; - - // Return a list of key objects - Ok(QkdManagerResponse::Keys(ResponseQkdKeysList { - keys: vec![response_qkd_key], - })) + Ok(QkdManagerResponse::Ok) } /// Delete a pre-init key from the pre-init keys database diff --git a/src/qkd_manager/mod.rs b/src/qkd_manager/mod.rs index e73af0d..e51d968 100644 --- a/src/qkd_manager/mod.rs +++ b/src/qkd_manager/mod.rs 
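Review bot: `activate_key_uuid_sae` reads the key's `other_kme_id` into `_other_kme_id` and then ignores it, so any peer that passes the inter-KME mTLS handshake can activate any UUID present in `uninit_keys` for any `(origin_sae_id, target_sae_id)` pair it names, including keys that were shared with a different KME; before `insert_activated_key` it should check `if other_kme_id != origin_kme_id || target_kme_id != self.this_kme_id { return Err(QkdManagerResponse::NotFound); }`, resolving the two KME ids from the SAE ids with whatever backs the existing `GetKmeIdFromSaeId` command. `activate_key_on_other_kme` builds a blocking `reqwest` client without a timeout, so an unresponsive peer stalls the key handler (and every SAE request queued behind it) indefinitely; add `.timeout(std::time::Duration::from_secs(10))` to the builder. The `map_err(|_| ...)` closures there also drop the reqwest error, which makes the TLS trust failures the docs tell operators to configure around hard to diagnose — log the error with `error!` before mapping it.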
@@ -199,6 +199,47 @@ impl QkdManager { _ => None, } } + + /// From a remote KME, activate a key after master SAE requested it, to be requested by the slave SAE + /// # Arguments + /// * `origin_sae_id` - The ID of the origin (master) SAE, belonging to another KME + /// * `target_sae_id` - The ID of the target (slave) SAE, to which master SAE wants to communicate, belonging to this KME + /// * `key_uuid` - The UUID of the key to activate + /// # Returns + /// Ok if the key was activated successfully, an error otherwise + pub fn activate_key_from_remote(&self, origin_sae_id: SaeId, target_sae_id: SaeId, key_uuid: String) -> Result { + self.command_tx.send(QkdManagerCommand::ActivateKeyFromRemote(origin_sae_id, target_sae_id, key_uuid)).map_err(|_| { + TransmissionError + })?; + match self.response_rx.recv().map_err(|_| { + TransmissionError + })? { + QkdManagerResponse::Ok => Ok(QkdManagerResponse::Ok), // Ok is the QkdManagerResponse expected here + qkd_response_error => Err(qkd_response_error), + } + } + + /// Add classical network information to a KME, used to activate keys on it for slave KMEs using "classical channel" + /// # Arguments + /// * `kme_id` - The ID of the KME + /// * `kme_addr` - The IP address or domain of the KME on the classical network + /// * `client_auth_certificate_path` - The path to the client authentication certificate of the KME + /// * `client_auth_certificate_password` - The password of the client authentication certificate of the KME + /// # Returns + /// Ok if the KME classical network information was added successfully, an error otherwise + /// # Notes + /// You should also add target KME's CA certificate to the trust store of the source KME operating system + pub fn add_kme_classical_net_info(&self, kme_id: KmeId, kme_addr: String, client_auth_certificate_path: String, client_auth_certificate_password: String) -> Result { + self.command_tx.send(QkdManagerCommand::AddKmeClassicalNetInfo(kme_id, kme_addr, client_auth_certificate_path, 
client_auth_certificate_password)).map_err(|_| { + TransmissionError + })?; + match self.response_rx.recv().map_err(|_| { + TransmissionError + })? { + QkdManagerResponse::Ok => Ok(QkdManagerResponse::Ok), // Ok is the QkdManagerResponse expected here + qkd_response_error => Err(qkd_response_error), + } + } } /// A Pre-init QKD key, with its origin and target KME IDs @@ -276,6 +317,8 @@ enum QkdManagerCommand { AddPreInitKey(PreInitQkdKeyWrapper), /// Get a QKD key from the database (shall be called by the master SAE) GetKeys(SaeClientCertSerial, SaeId), // origin certificate + target id + /// Activate a key from a remote KME, after master SAE requested it + ActivateKeyFromRemote(SaeId, SaeId, String), // Origin SAE ID + Target SAE ID + Key UUID /// Get a list of QKD keys from the database (shall be called by the slave SAE) GetKeysWithIds(SaeClientCertSerial, SaeId, Vec), // origin certificate + target id /// Get the status of a key exchange between two SAEs (shall be called by the master SAE) @@ -286,6 +329,8 @@ enum QkdManagerCommand { GetSaeInfoFromCertificate(SaeClientCertSerial), // caller's certificate /// Returns the KME ID from belonging SAE ID GetKmeIdFromSaeId(SaeId), // SAE id + /// Add classical network information to a KME, used to activate keys on it for slave KMEs using "classical channel" + AddKmeClassicalNetInfo(KmeId, String, String, String), // KME id + KME address + client auth certificate path + client auth certificate password } /// All possible responses from the QKD manager diff --git a/src/qkd_manager/router.rs b/src/qkd_manager/router.rs index 4d91719..d04a135 100644 --- a/src/qkd_manager/router.rs +++ b/src/qkd_manager/router.rs 
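Review bot: The docs for `activate_key_from_remote` state that the origin SAE "belongs to another KME" and the target "belongs to this KME", but the method forwards those IDs exactly as received from the peer's request body and performs no such check itself; since it is `pub`, add a `# Security` section saying that `origin_sae_id`/`target_sae_id` are peer-asserted, that the method must only be called from the authenticated inter-KME interface, and that validation against the key's owner KME happens (or must happen) in the key handler. For `add_kme_classical_net_info`, the `# Notes` section should also mention that the PKCS#12 password is held in memory unencrypted for the process lifetime and that `kme_addr` must match the peer's server certificate, because the OS trust-store advice only helps while reqwest's default hostname verification stays enabled (nothing in this change disables it).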
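Review bot: `AddKmeClassicalNetInfo(KmeId, String, String, String)` packs address, certificate path and password as three positional `String`s told apart only by a trailing comment, and the match arm in `key_handler.rs` has to destructure them by position; a struct-like variant `AddKmeClassicalNetInfo { kme_id: KmeId, addr: String, client_cert_path: String, client_cert_password: String }` turns a swapped argument into a compile error. If `QkdManagerCommand` derives `Debug` (not visible here), the password would also be printed by any `{:?}` of a command, which is worth a comment on the variant.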
@@ -1,27 +1,45 @@ -//! QKD network routing manager, get route to SAE +//! QKD network routing manager, get route to SAE and KME info on classical network use std::collections::HashMap; -use crate::{KmeId, SaeId}; +use std::fs::File; +use std::io; +use std::io::Read; +use crate::{io_err, KmeId}; -#[allow(dead_code)] #[derive(Clone)] pub(super) struct QkdRouter { - sae_to_kme_associations: HashMap, + kme_to_classical_network_info_associations: HashMap, } -#[allow(dead_code)] impl QkdRouter { pub(super) fn new() -> Self { Self { - sae_to_kme_associations: HashMap::new(), + kme_to_classical_network_info_associations: HashMap::new(), } } - pub(super) fn add_sae_to_kme_association(&mut self, sae_id: SaeId, kme_id: KmeId) { - self.sae_to_kme_associations.insert(sae_id, kme_id); + pub(super) fn add_kme_to_ip_or_domain_association(&mut self, kme_id: KmeId, ip_or_domain: &str, client_cert_path: &str, client_cert_password: &str) -> Result<(), io::Error> { + let mut buf = Vec::new(); + File::open(client_cert_path) + .map_err(|e| io_err(&format!("Cannot open client certificate file: {:?}", e)))? 
+ .read_to_end(&mut buf) + .map_err(|e| io_err(&format!("Cannot read client certificate file: {:?}", e)))?; + let tls_client_cert_identity = reqwest::tls::Identity::from_pkcs12_der(&buf, client_cert_password) + .map_err(|e| io_err(&format!("Cannot create client certificate identity: {:?}", e)))?; + self.kme_to_classical_network_info_associations.insert(kme_id, KmeInfoClassicalNetwork { + ip_or_domain: ip_or_domain.to_string(), + tls_client_cert_identity, + }); + Ok(()) } - pub(super) fn get_kme_id_from_sae_id(&self, sae_id: SaeId) -> Option<&KmeId> { - self.sae_to_kme_associations.get(&sae_id) + pub(super) fn get_classical_connection_info_from_kme_id(&self, kme_id: KmeId) -> Option<&KmeInfoClassicalNetwork> { + self.kme_to_classical_network_info_associations.get(&kme_id) } +} + +#[derive(Clone)] +pub(super) struct KmeInfoClassicalNetwork { + pub(super) ip_or_domain: String, + pub(super) tls_client_cert_identity: reqwest::tls::Identity, } \ No newline at end of file diff --git a/src/routes/inter_kmes_routes/mod.rs b/src/routes/inter_kmes_routes/mod.rs new file mode 100644 index 0000000..3b0bf13 --- /dev/null +++ b/src/routes/inter_kmes_routes/mod.rs 
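Review bot: `add_kme_to_ip_or_domain_association` reads the PKCS#12 file into `buf`, which then contains the peer-facing private key, and simply drops it once `Identity::from_pkcs12_der` returns; at minimum wipe it best-effort with `buf.fill(0);` after the identity is built, with a comment that without a zeroize-style crate the compiler may elide the write. The `File::open` + `read_to_end` pair can become `let mut buf = std::fs::read(client_cert_path).map_err(|e| io_err(&format!("Cannot read client certificate file: {:?}", e)))?;`, which also sizes the buffer from file metadata. `ip_or_domain` is stored unvalidated and later interpolated into `https://{}/keys/activate` by the key handler, so a config value containing `/`, `?` or `@` silently changes the request target; a light check that it parses as `host[:port]` would catch such typos at startup rather than at the first cross-KME request.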
@@ -0,0 +1,51 @@ +//! Describes routes for specific inter KME channels over public network, generally to activate keys on remote KMEs + +use std::convert::Infallible; +use async_trait::async_trait; +use http_body_util::Full; +use hyper::body::{Bytes, Incoming}; +use hyper::{Request, Response, StatusCode}; +use http_body_util::BodyExt; +use rustls_pki_types::CertificateDer; +use crate::qkd_manager::http_request_obj::ActivateKeyRemoteKME; +use crate::qkd_manager::QkdManager; +use crate::routes::Routes; + +/// Routes for inter KMEs communication over public network +pub struct InterKMEsRoutes {} + +#[async_trait] +impl Routes for InterKMEsRoutes { + async fn handle_request(req: Request, _client_cert: Option<&CertificateDer>, qkd_manager: QkdManager) -> Result>, Infallible> { + let path = req.uri().path().to_owned(); + if path != "/keys/activate" { + return Ok(Response::builder().status(StatusCode::NOT_FOUND).body(Full::new(Bytes::from(String::from("Not found")))).unwrap()); + } + + let post_body_bytes = match req.into_body().collect().await { + Ok(bytes) => bytes.to_bytes(), + Err(_) => { + return Self::bad_request(); + } + }; + + let key_to_activate_obj: ActivateKeyRemoteKME = match serde_json::from_slice(&post_body_bytes) { + Ok(request_list_keys_ids) => request_list_keys_ids, + Err(_) => { + return Self::bad_request(); + } + }; + let response = qkd_manager.activate_key_from_remote(key_to_activate_obj.origin_SAE_ID, key_to_activate_obj.remote_SAE_ID, key_to_activate_obj.key_ID); + let http_response = match response { + Ok(_) => Ok(Response::builder().status(StatusCode::OK).body(Full::new(Bytes::from(String::from("OK")))).unwrap()), + Err(_) => Ok(Response::builder().status(StatusCode::BAD_REQUEST).body(Full::new(Bytes::from(String::from("Cannot activate key")))).unwrap()) + }; + http_response + } +} + +impl InterKMEsRoutes { + fn bad_request() -> Result>, Infallible> { + 
Ok(Response::builder().status(StatusCode::BAD_REQUEST).body(Full::new(Bytes::from(String::from("Bad request")))).unwrap()) + } +} \ No newline at end of file diff --git a/src/routes/mod.rs b/src/routes/mod.rs index babba5d..87abbd9 100644 --- a/src/routes/mod.rs +++ b/src/routes/mod.rs @@ -3,6 +3,7 @@ mod keys; mod request_context; mod sae; +pub mod inter_kmes_routes; use std::convert::Infallible; use request_context::RequestContext;
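Review bot: `handle_request` discards `_client_cert`, so the identity proven by the inter-KME mTLS handshake is never tied to the `origin_SAE_ID` in the body, and any peer accepted by the configured inter-KME CA can claim to act for any SAE on any other KME. Until the handler can map the certificate to a KME id and pass it along to `activate_key_from_remote`, the key-owner check has to live in the key handler, and a `// TODO(security): bind the client certificate to the origin KME before trusting origin_SAE_ID` here keeps that from being forgotten. The handler also matches only the path, so a `GET /keys/activate` with a body is processed; add `if req.method() != hyper::Method::POST { return Ok(Response::builder().status(StatusCode::METHOD_NOT_ALLOWED).body(Full::new(Bytes::from(String::from("Method not allowed")))).unwrap()); }` before reading the body, and consider bounding the body read, since `collect()` accepts an unbounded payload from the peer.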