add SessionSecurity with peer certificate

[jarlah]

To enable reading certificate later for authentication etc. plus booleans are not very descriptive.
discussion: could probably map the Certificate into a struct with common name etc instead of passing the knowledge of the tls framework deep into the rest of the code

• Find a way to not pass tls cert inside the session

related to #7

[jarlah]

might not need a review actually, and naming can be fixed later. Actually the real work here is how I get the common name out

[guillaumepellegrino]

If I understand well, you retrieve the CN from peer certificate which may be used to authenticate the peer later. We will also need to authenticate the peer certificate with appropriate CA. Code looks good to me.

For next step, I am not sure how you see the thing but I guess we will need a dedicated command to generate peer certificate and private key from a unique identifier like the Serial Number.
Then it's up to the user to ensure the peer certificate and private key are well installed on the corresponding CPE.

[jarlah]

If I understand well, you retrieve the CN from peer certificate which may be used to authenticate the peer later. We will also need to authenticate the peer certificate with appropriate CA. Code looks good to me.

For next step, I am not sure how you see the thing but I guess we will need a dedicated command to generate peer certificate and private key from a unique identifier like the Serial Number. Then it's up to the user to ensure the peer certificate and private key are well installed on the corresponding CPE.

Yeah something like that. Right now Im struggling however getting the peer certificate into the server. Seems to be some problems with self signed or just messing things up from my side. Currently its logging None for common name.

[guillaumepellegrino]

It may be implemented like that: cf168a6

I guess it may be improved maybe with intermediate CAs for more flexibility ?

Double auth can be tested like that:

mkdir /tmp/acsrs
cd tmp/acsrs
CN=ACSRS ~/Workspace/acsrs/ssl/ssl.sh all
CN=CPE1234 ~/Workspace/acsrs/ssl/ssl.sh genpeercert

openssl s_server -key key.pem -cert cert.pem -verifyCAfile ca.pem -Verify 2 -verify_return_error -verify_hostname CPE1234
openssl s_client -CAfile ca.pem -cert CPE1234/cert.pem -key CPE1234/key.pem -verify_return_error -verify_hostname ACSRS

[jarlah]

been testing out a valid tls flow now.

Been using PUBLIC_IP=127.0.0.1 cargo run --bin acsrs to start server, to generate localhost certificate. Then ran ssl script to generate peer certificate when inside the ~/.acsrs folder.

Then sent a request with curl to server:

➜  CPE1234 curl -X POST -H "Content-Type: text/xml" -u "EOJusYmoh7hHpPSppzhryoUyJhMXLo:NeNW5WqKtN5RbecRkWdo1Ynj39kkz3" https://127.0.0.1:8443/cwmpWeb/CPEMgt --cacert ~/.acsrs/ca.pem --cert cert.pem --key key.pem --cert-type PEM -v -d '<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">1</cwmp:ID></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:Inform><DeviceId><Manufacturer>FakeManufacturer</Manufacturer><OUI>000000</OUI><ProductClass>FakeProductClass</ProductClass><SerialNumber>FakeSerialNumber</SerialNumber></DeviceId><Event SOAP-ENC:arrayType="cwmp:EventStruct[3]"><EventStruct><EventCode>0 BOOTSTRAP</EventCode><CommandKey>TR069_FakeManufacturer_HOMEGATEWAY</CommandKey></EventStruct><EventStruct><EventCode>1 BOOT</EventCode><CommandKey/></EventStruct><EventStruct><EventCode>4 VALUE CHANGE</EventCode><CommandKey/></EventStruct></Event><MaxEnvelopes>1</MaxEnvelopes><CurrentTime>1970-01-02T00:08:34</CurrentTime><RetryCount>0</RetryCount><ParameterList SOAP-ENC:arrayType="cwmp:ParameterValueStruct[4]"><ParameterValueStruct><Name>InternetGatewayDevice.DeviceSummary</Name><Value xsi:type="xsd:string">InternetGatewayDevice:1.0[](Baseline:1, EthernetLAN:4,GE:4,WiFi:1, PONWAN:1, Voip:0, Time:1, IPPing:1)</Value></ParameterValueStruct><ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name><Value xsi:type="xsd:string">1.0</Value></ParameterValueStruct><ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name><Value xsi:type="xsd:string">V5.2</Value></ParameterValueStruct><ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name><Value xsi:type="xsd:string">V5.2.10P4T26</Value></ParameterValueStruct></ParameterList></cwmp:Inform></SOAP-ENV:Body></SOAP-ENV:Envelope>'
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:8443...
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /Users/jarlah/.acsrs/ca.pem
*  CApath: none
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Server finished (14):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=127.0.0.1
*  start date: May  4 10:57:18 2023 GMT
*  expire date: May  1 10:57:18 2033 GMT
*  common name: 127.0.0.1 (matched)
*  issuer: OU=ACS Management Server; CN=ACSRS Root CA
*  SSL certificate verify ok.
* Server auth using Basic with user 'EOJusYmoh7hHpPSppzhryoUyJhMXLo'
> POST /cwmpWeb/CPEMgt HTTP/1.1
> Host: 127.0.0.1:8443
> Authorization: Basic RU9KdXNZbW9oN2hIcFBTcHB6aHJ5b1V5SmhNWExvOk5lTlc1V3FLdE41UmJlY1JrV2RvMVluajM5a2t6Mw==
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Type: text/xml
> Content-Length: 1812
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< user-agent: acsrs
< content-type: text/xml; charset="utf-8"
< content-length: 470
< date: Thu, 04 May 2023 11:01:47 GMT
<
* Connection #0 to host 127.0.0.1 left intact
<soapenv:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><cwmp:ID soapenv:mustUnderstand="1">1</cwmp:ID></soapenv:Header><soapenv:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soapenv:Body></soapenv:Envelope>%
➜  CPE1234

Got back

Did not find a peer certificate
TR069Session {
    acs: RwLock {
        mr: 536870911,
        s: Semaphore {
            permits: 536870911,
        },
        c: UnsafeCell { .. },
    },
    cpe: None,
    observer: None,
    refcount: None,
    srvaddr: [::]:8443,
    security: Secure {
        cn: None,
    },
    sn: "",
    id: "0",
    counter: 0,
}
[SN:FakeSerialNumber][SID:1][1] Received: Inform message
[SN:FakeSerialNumber][SID:1][1]      Event: 0 BOOTSTRAP
[SN:FakeSerialNumber][SID:1][1]      Event: 1 BOOT
[SN:FakeSerialNumber][SID:1][1]      Event: 4 VALUE CHANGE
[SN:FakeSerialNumber][SID:1][1] Inform message does not contain ConnectionRequestURL
[SN:FakeSerialNumber][SID:1][1] Send: Inform Response

so not able to get a hold on the peer certificate in hyper. I wonder if its a bug in hyper or im doing it wrong in the curl command

[jarlah]

as you can see im using --cacert ~/.acsrs/ca.pem --cert cert.pem --key key.pem --cert-type PEM in the curl command. My current work directory is the CPE1234 folder

[jarlah]

this IS the wrong end of the problem. I mean we don't get a better ACS by working on this, its just that I had already been using a bit of time on this problem, so better finish it ;) and then move on instead of having it in the back of my mind. ..

[jarlah]

Btw i have a cpe laying around somewhere. And i have been using it extensively in the past. For certain things i find it much more easier to test quick and dirty curl commands or postman ..

[jarlah]

Added issue in rust-native-tls: sfackler/rust-native-tls#262

[guillaumepellegrino]

I have already made some programs with peer cert authentication with openssl in C but I don't know much about rust-native-tls. I try to had a quick look to jarlah/addPeerCert but I had some linking issues with openssl. I will try to look into it later.

[jarlah]

It would be equally as hard to implement cross platform in c 😓

[jarlah]

So if i make rust native tls work with requesting Peer certificate from client in server session i do open source a huge favour. Its just pain in the butt. But i will figure it out. Will maybe work on other things in parallell.