From 0709eea03e153c49ae0cf6335149bac7550d46e7 Mon Sep 17 00:00:00 2001
From: themanforfree
Date: Wed, 6 Mar 2024 10:44:47 +0800
Subject: [PATCH] chore: rename server_cert to peer_cert

Signed-off-by: themanforfree
---
 crates/utils/src/config.rs | 36 ++++++++++++-------------
 crates/xline/src/server/xline_server.rs | 10 +++----
 crates/xline/src/utils/args.rs | 12 ++++-----
 scripts/certgen.sh | 18 ++++++++-----
 4 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/crates/utils/src/config.rs b/crates/utils/src/config.rs
index 2c92f5e4b..f6e5383bb 100644
--- a/crates/utils/src/config.rs
+++ b/crates/utils/src/config.rs
@@ -945,16 +945,16 @@ impl AuthConfig {
 #[non_exhaustive]
 #[derive(Clone, Debug, Deserialize, PartialEq, Eq, Getters, Default)]
 pub struct TlsConfig {
- /// The CA certificate file used by server to verify client certificates
+ /// The CA certificate file used by peer to verify client certificates
 #[getset(get = "pub")]
- pub server_ca_cert_path: Option,
- /// The public key file used by server
+ pub peer_ca_cert_path: Option,
+ /// The public key file used by peer
 #[getset(get = "pub")]
- pub server_cert_path: Option,
- /// The private key file used by server
+ pub peer_cert_path: Option,
+ /// The private key file used by peer
 #[getset(get = "pub")]
- pub server_key_path: Option,
- /// The CA certificate file used by client to verify server certificates
+ pub peer_key_path: Option,
+ /// The CA certificate file used by client to verify peer certificates
 #[getset(get = "pub")]
 pub client_ca_cert_path: Option,
 /// The public key file used by client
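Review bot: Renaming the `[tls]` keys from `server_*_path` to `peer_*_path` drops support for existing config files without a migration path: unless `TlsConfig` is deserialized with `deny_unknown_fields` (not visible in this hunk), an operator's file that still sets `server_cert_path`/`server_key_path` parses without complaint, `server_tls_enabled()` returns `false`, and the node comes up without TLS and without any error. Adding `#[serde(alias = "server_ca_cert_path")]` above `peer_ca_cert_path` (and the matching alias on `peer_cert_path` and `peer_key_path`) keeps both spellings working until the old ones are deliberately removed. While the doc lines are being rewritten, `peer_cert_path` holds a certificate rather than a public key, so `/// The certificate file presented by this peer` reads more accurately than `The public key file used by peer`. The same rename leaves `server_tls_enabled` in the `@@ -991` hunk as the one remaining `server` name over fields now called `peer_*`; either rename it or add a one-line comment saying the peer certificate is what this node presents when acting as a server.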
@@ -970,17 +970,17 @@ impl TlsConfig {
 #[must_use]
 #[inline]
 pub fn new(
- server_ca_cert_path: Option,
- server_cert_path: Option,
- server_key_path: Option,
+ peer_ca_cert_path: Option,
+ peer_cert_path: Option,
+ peer_key_path: Option,
 client_ca_cert_path: Option,
 client_cert_path: Option,
 client_key_path: Option,
 ) -> Self {
 Self {
- server_ca_cert_path,
- server_cert_path,
- server_key_path,
+ peer_ca_cert_path,
+ peer_cert_path,
+ peer_key_path,
 client_ca_cert_path,
 client_cert_path,
 client_key_path,
@@ -991,7 +991,7 @@ impl TlsConfig {
 #[must_use]
 #[inline]
 pub fn server_tls_enabled(&self) -> bool {
- self.server_cert_path.is_some() && self.server_key_path.is_some()
+ self.peer_cert_path.is_some() && self.peer_key_path.is_some()
 }
 }
 
@@ -1237,8 +1237,8 @@ mod tests {
 auth_private_key = './private_key.pem'
 
 [tls]
- server_cert_path = './cert.pem'
- server_key_path = './key.pem'
+ peer_cert_path = './cert.pem'
+ peer_key_path = './key.pem'
 client_ca_cert_path = './ca.pem'
 
 [metrics]
@@ -1344,8 +1344,8 @@ mod tests {
 assert_eq!(
 config.tls,
 TlsConfig {
- server_cert_path: Some(PathBuf::from("./cert.pem")),
- server_key_path: Some(PathBuf::from("./key.pem")),
+ peer_cert_path: Some(PathBuf::from("./cert.pem")),
+ peer_key_path: Some(PathBuf::from("./key.pem")),
 client_ca_cert_path: Some(PathBuf::from("./ca.pem")),
 ..Default::default()
 }
diff --git a/crates/xline/src/server/xline_server.rs b/crates/xline/src/server/xline_server.rs
index 25f7a54da..b92a25ec9 100644
--- a/crates/xline/src/server/xline_server.rs
+++ b/crates/xline/src/server/xline_server.rs
@@ -662,9 +662,9 @@ impl XlineServer {
 _ => None,
 };
 let server_tls_config = match (
- tls_config.server_ca_cert_path().as_ref(),
- tls_config.server_cert_path().as_ref(),
- tls_config.server_key_path().as_ref(),
+ tls_config.peer_ca_cert_path().as_ref(),
+ tls_config.peer_cert_path().as_ref(),
+ tls_config.peer_key_path().as_ref(),
 ) {
 (Some(ca_path), Some(cert_path), Some(key_path)) => {
 let ca = fs::read(ca_path).await?;
@@ -682,9 +682,7 @@ impl XlineServer {
 Some(ServerTlsConfig::new().identity(Identity::from_pem(cert, key)))
 }
 (_, Some(_), None) | (_, None, Some(_)) => {
- return Err(anyhow!(
- "client_cert_path and client_key_path must be both set"
- ))
+ return Err(anyhow!("peer_cert_path and peer_key_path must be both set"))
 }
 _ => None,
 };
diff --git a/crates/xline/src/utils/args.rs b/crates/xline/src/utils/args.rs
index 98997023f..85377682b 100644
--- a/crates/xline/src/utils/args.rs
+++ b/crates/xline/src/utils/args.rs
@@ -193,13 +193,13 @@ pub struct ServerArgs {
 quota: Option,
 /// Server ca certificate path, used to verify client certificate
 #[clap(long)]
- server_ca_cert_path: Option,
+ peer_ca_cert_path: Option,
 /// Server certificate path
 #[clap(long)]
- server_cert_path: Option,
+ peer_cert_path: Option,
 /// Server private key path
 #[clap(long)]
- server_key_path: Option,
+ peer_key_path: Option,
 /// Client ca certificate path, used to verify server certificate
 #[clap(long)]
 client_ca_cert_path: Option,
@@ -315,9 +315,9 @@ impl From for XlineServerConfig {
 auto_compactor_cfg,
 );
 let tls = TlsConfig::new(
- args.server_ca_cert_path,
- args.server_cert_path,
- args.server_key_path,
+ args.peer_ca_cert_path,
+ args.peer_cert_path,
+ args.peer_key_path,
 args.client_ca_cert_path,
 args.client_cert_path,
 args.client_key_path,
diff --git a/scripts/certgen.sh b/scripts/certgen.sh
index 2c57986a3..51cb57c73 100755
--- a/scripts/certgen.sh
+++ b/scripts/certgen.sh
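Review bot: The `///` comments on the renamed `ServerArgs` fields in the `@@ -193` hunk were left untouched, so they still read `Server ca certificate path`, `Server certificate path` and `Server private key path` above `peer_ca_cert_path`, `peer_cert_path` and `peer_key_path`; with `#[clap(long)]` those doc comments become the `--help` text, so the new `peer_*` flags will be described as server options while the unchanged `client_ca_cert_path` line still says it verifies the `server certificate`. Updating them to match, e.g. `/// Peer ca certificate path, used to verify client certificate`, `/// Peer certificate path` and `/// Peer private key path`, keeps the help output consistent with the `[tls]` keys renamed in `crates/utils/src/config.rs` by this same patch. The `client_ca_cert_path` comment should say `peer certificate` for the same reason.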
@@ -1,21 +1,27 @@
 #!/usr/bin/bash -x
 
 DIR=$(cd $(dirname $0); pwd)
 
+# root ca key and cert
 CA_KEY=${DIR}/certs/ca.key
 CA_CRT=${DIR}/certs/ca.crt
 
-SERVER_KEY=${DIR}/certs/server.key
-SERVER_CSR=${DIR}/certs/server.csr
-SERVER_CRT=${DIR}/certs/server.crt
+# the peer key and cert
+PEER_KEY=${DIR}/certs/peer.key
+PEER_CSR=${DIR}/certs/peer.csr
+PEER_CRT=${DIR}/certs/peer.crt
+
+# the client key and cert of user "root"
 ROOT_CLIENT_KEY=${DIR}/certs/root_client.key
 ROOT_CLIENT_CSR=${DIR}/certs/root_client.csr
 ROOT_CLIENT_CRT=${DIR}/certs/root_client.crt
 
+# the client key and cert of user "u1"
 U1_CLIENT_KEY=${DIR}/certs/u1_client.key
 U1_CLIENT_CSR=${DIR}/certs/u1_client.csr
 U1_CLIENT_CRT=${DIR}/certs/u1_client.crt
 
+# the client key and cert of user "u2"
 U2_CLIENT_KEY=${DIR}/certs/u2_client.key
 U2_CLIENT_CSR=${DIR}/certs/u2_client.csr
 U2_CLIENT_CRT=${DIR}/certs/u2_client.crt
@@ -45,9 +51,9 @@ EOF
 [ -f ${CA_CRT} ] || openssl req -x509 -new -nodes -key ${CA_KEY} -subj "/CN=ca" -days ${DAYS} -out ${CA_CRT} || exit 1
 
-[ -f ${SERVER_KEY} ] || openssl genrsa -out ${SERVER_KEY} 2048 || exit 1
-[ -f ${SERVER_CSR} ] || openssl req -new -key ${SERVER_KEY} -subj "/CN=server" -out ${SERVER_CSR} -config ${OPENSSL_CONF} || exit 1
-[ -f ${SERVER_CRT} ] || openssl x509 -req -in ${SERVER_CSR} -CA ${CA_CRT} -CAkey ${CA_KEY} -CAcreateserial -out ${SERVER_CRT} -days ${DAYS} -extensions v3_req -extfile ${OPENSSL_CONF} || exit 1
+[ -f ${PEER_KEY} ] || openssl genrsa -out ${PEER_KEY} 2048 || exit 1
+[ -f ${PEER_CSR} ] || openssl req -new -key ${PEER_KEY} -subj "/CN=peer" -out ${PEER_CSR} -config ${OPENSSL_CONF} || exit 1
+[ -f ${PEER_CRT} ] || openssl x509 -req -in ${PEER_CSR} -CA ${CA_CRT} -CAkey ${CA_KEY} -CAcreateserial -out ${PEER_CRT} -days ${DAYS} -extensions v3_req -extfile ${OPENSSL_CONF} || exit 1
 
 [ -f ${ROOT_CLIENT_KEY} ] || openssl genrsa -out ${ROOT_CLIENT_KEY} 2048 || exit 1
 [ -f ${ROOT_CLIENT_CSR} ] || openssl req -new -key ${ROOT_CLIENT_KEY} -subj "/CN=root" -out ${ROOT_CLIENT_CSR} -config ${OPENSSL_CONF} || exit 1