Add support for CA signed client certs

Squashed commit of the following:

commit 04a0557
Author: Michał Papierski <[email protected]>
Date:   Tue Aug 30 15:49:52 2022 +0200

    Remove ca_cert from the identity struct.

commit 8491fed
Author: Michał Papierski <[email protected]>
Date:   Tue Aug 30 15:14:02 2022 +0200

    Remove outdated TODO comment

commit 6060eed
Author: Michał Papierski <[email protected]>
Date:   Tue Aug 30 15:12:17 2022 +0200

    Apply @marc-casperlabs comments

commit 2f04a17
Author: Michał Papierski <[email protected]>
Date:   Thu Aug 25 17:20:51 2022 +0200

    Remove unnecessary arg.

commit a158903
Author: Michał Papierski <[email protected]>
Date:   Thu Aug 25 16:19:23 2022 +0200

    Simplify CA validation.

    This does not enforce ECC algorithm used, only basic expiration dates
    etc.

commit b98f083
Author: Michał Papierski <[email protected]>
Date:   Thu Aug 25 14:00:25 2022 +0200

    Use #[source] instead of #[from]

Author: Michał Papierski

node/CHANGELOG.md

@@ -13,6 +13,11 @@ All notable changes to this project will be documented in this file.  The format
 
 ## 1.4.8
 
+### Added
+* Add an `identity` option to load existing network identity certificates signed by a CA.
+
+
+
 ### Changed
 * Update `casper-execution-engine`.
 

node/src/components/small_network.rs

@@ -73,6 +73,7 @@ use tracing::{debug, error, info, trace, warn, Instrument, Span};
 
 use self::{
     chain_info::ChainInfo,
+    config::IdentityConfig,
     counting_format::{ConnectionId, CountingFormat, Role},
     error::{ConnectionError, Result},
     event::{IncomingConnection, OutgoingConnection},
@@ -100,7 +101,10 @@ use crate::{
         EffectBuilder, EffectExt, Effects,
     },
     reactor::{EventQueueHandle, Finalize, ReactorEvent},
-    tls::{self, TlsCert, ValidationError},
+    tls::{
+        self, validate_cert_with_authority, LoadCertError, LoadSecretKeyError, TlsCert,
+        ValidationError,
+    },
     types::NodeId,
     utils::{self, display_error, WithDir},
     NodeRng,
@@ -275,10 +279,31 @@ where
             .map_err(Error::LoadConsensusKeys)?
             .map(|(secret_key, public_key)| ConsensusKeyPair::new(secret_key, public_key));
 
+        // Load a ca certificate (if present)
+        let ca_certificate = match &cfg.identity {
+            Some(identity) => {
+                let ca_cert = tls::load_cert(&identity.ca_certificate)?;
+
+                // A quick sanity check for the loaded cert against supplied CA.
+                validate_cert_with_authority(
+                    small_network_identity.tls_certificate.as_x509().clone(),
+                    &ca_cert,
+                )
+                .map_err(|error| {
+                    warn!(%error, "the given node certificate is not signed by the network CA");
+                    Error::CertValidationError(error)
+                })?;
+
+                Some(ca_cert)
+            }
+            None => None,
+        };
+
         let context = Arc::new(NetworkContext {
             event_queue,
             our_id: NodeId::from(&small_network_identity),
             our_cert: small_network_identity.tls_certificate,
+            network_ca: ca_certificate.map(Arc::new),
             secret_key: small_network_identity.secret_key,
             net_metrics: Arc::downgrade(&net_metrics),
             chain_info: chain_info_source.into(),
@@ -967,6 +992,10 @@ pub(crate) enum SmallNetworkIdentityError {
     CouldNotGenerateTlsCertificate(OpenSslErrorStack),
     #[error(transparent)]
     ValidationError(#[from] ValidationError),
+    #[error(transparent)]
+    LoadCertError(#[from] LoadCertError),
+    #[error(transparent)]
+    LoadSecretKeyError(#[from] LoadSecretKeyError),
 }
 
 /// An ephemeral [PKey<Private>] and [TlsCert] that identifies this node
@@ -977,14 +1006,37 @@ pub(crate) struct SmallNetworkIdentity {
 }
 
 impl SmallNetworkIdentity {
-    pub(crate) fn new() -> result::Result<Self, SmallNetworkIdentityError> {
-        let (not_yet_validated_x509_cert, secret_key) = tls::generate_node_cert()
-            .map_err(SmallNetworkIdentityError::CouldNotGenerateTlsCertificate)?;
-        let tls_certificate = tls::validate_cert(not_yet_validated_x509_cert)?;
-        Ok(SmallNetworkIdentity {
+    fn new(secret_key: PKey<Private>, tls_certificate: TlsCert) -> Self {
+        Self {
             secret_key: Arc::new(secret_key),
             tls_certificate: Arc::new(tls_certificate),
-        })
+        }
+    }
+
+    pub(crate) fn from_config(
+        config: WithDir<Config>,
+    ) -> result::Result<Self, SmallNetworkIdentityError> {
+        match &config.value().identity {
+            Some(identity) => Self::from_identity_config(identity),
+            None => Self::with_generated_certs(),
+        }
+    }
+
+    fn from_identity_config(
+        identity: &IdentityConfig,
+    ) -> result::Result<Self, SmallNetworkIdentityError> {
+        let not_yet_validated_x509_cert = tls::load_cert(&identity.tls_certificate)?;
+        let secret_key = tls::load_secret_key(&identity.secret_key)?;
+        let x509_cert = tls::tls_cert_from_x509(not_yet_validated_x509_cert)?;
+
+        Ok(SmallNetworkIdentity::new(secret_key, x509_cert))
+    }
+
+    pub(crate) fn with_generated_certs() -> result::Result<Self, SmallNetworkIdentityError> {
+        let (not_yet_validated_x509_cert, secret_key) = tls::generate_node_cert()
+            .map_err(SmallNetworkIdentityError::CouldNotGenerateTlsCertificate)?;
+        let tls_certificate = tls::validate_self_signed_cert(not_yet_validated_x509_cert)?;
+        Ok(SmallNetworkIdentity::new(secret_key, tls_certificate))
     }
 }
 

node/src/components/small_network/config.rs

@@ -1,6 +1,6 @@
 #[cfg(test)]
 use std::net::{Ipv4Addr, SocketAddr};
-use std::str::FromStr;
+use std::{path::PathBuf, str::FromStr};
 
 use datasize::DataSize;
 use serde::{Deserialize, Serialize};
@@ -35,10 +35,24 @@ impl Default for Config {
             max_outgoing_byte_rate_non_validators: 0,
             max_incoming_message_rate_non_validators: 0,
             estimator_weights: Default::default(),
+            identity: None,
         }
     }
 }
 
+/// Small network identity configuration.
+#[derive(DataSize, Debug, Clone, Deserialize, Serialize)]
+// Disallow unknown fields to ensure config files and command-line overrides contain valid keys.
+#[serde(deny_unknown_fields)]
+pub struct IdentityConfig {
+    /// Path to a signed certificate
+    pub tls_certificate: PathBuf,
+    /// Path to a secret key.
+    pub secret_key: PathBuf,
+    /// Path to a certificate authority certificate
+    pub ca_certificate: PathBuf,
+}
+
 /// Small network configuration.
 #[derive(DataSize, Debug, Clone, Deserialize, Serialize)]
 // Disallow unknown fields to ensure config files and command-line overrides contain valid keys.
@@ -64,6 +78,11 @@ pub struct Config {
     pub max_incoming_message_rate_non_validators: u32,
     /// Weight distribution for the payload impact estimator.
     pub estimator_weights: PayloadWeights,
+    /// Small network identity configuration option.
+    ///
+    /// An identity will be automatically generated when starting up a node if this option is
+    /// unspecified.
+    pub identity: Option<IdentityConfig>,
 }
 
 #[cfg(test)]

node/src/components/small_network/error.rs

@@ -8,7 +8,7 @@ use thiserror::Error;
 
 use crate::{
     crypto,
-    tls::ValidationError,
+    tls::{LoadCertError, ValidationError},
     utils::{LoadError, Loadable, ResolveAddressError},
 };
 
@@ -63,14 +63,27 @@ pub enum Error {
         #[source]
         ResolveAddressError,
     ),
-
     /// Instantiating metrics failed.
     #[error(transparent)]
     Metrics(
         #[serde(skip_serializing)]
         #[from]
         prometheus::Error,
     ),
+    /// Failed to load a certificate.
+    #[error("failed to load a certificate: {0}")]
+    LoadCertificate(
+        #[serde(skip_serializing)]
+        #[from]
+        LoadCertError,
+    ),
+    /// Failed to validate a network CA certificate.
+    #[error("failed to validate a cert against network CA: {0:?}")]
+    CertValidationError(
+        #[serde(skip_serializing)]
+        #[source]
+        ValidationError,
+    ),
 }
 
 // Manual implementation for `DataSize` - the type contains too many FFI variants that are hard to

node/src/components/small_network/tasks.rs

@@ -19,6 +19,7 @@ use futures::{
 use openssl::{
     pkey::{PKey, Private},
     ssl::Ssl,
+    x509::X509,
 };
 use prometheus::IntGauge;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
@@ -45,7 +46,7 @@ use super::{
 };
 use crate::{
     reactor::{EventQueueHandle, QueueKind},
-    tls::{self, TlsCert},
+    tls::{self, TlsCert, ValidationError},
     types::NodeId,
     utils::display_error,
 };
@@ -87,11 +88,11 @@ where
         .peer_certificate()
         .ok_or(ConnectionError::NoPeerCertificate)?;
 
-    let peer_id = NodeId::from(
-        tls::validate_cert(peer_cert)
-            .map_err(ConnectionError::PeerCertificateInvalid)?
-            .public_key_fingerprint(),
-    );
+    let validated_peer_cert = context
+        .validate_peer_cert(peer_cert)
+        .map_err(ConnectionError::PeerCertificateInvalid)?;
+
+    let peer_id = NodeId::from(validated_peer_cert.public_key_fingerprint());
 
     Ok((peer_id, transport))
 }
@@ -171,6 +172,8 @@ where
     pub(super) our_id: NodeId,
     /// TLS certificate associated with this node's identity.
     pub(super) our_cert: Arc<TlsCert>,
+    /// TLS certificate authority associated with this node's identity.
+    pub(super) network_ca: Option<Arc<X509>>,
     /// Secret key associated with `our_cert`.
     pub(super) secret_key: Arc<PKey<Private>>,
     /// Weak reference to the networking metrics shared by all sender/receiver tasks.
@@ -185,6 +188,15 @@ where
     pub(super) payload_weights: PayloadWeights,
 }
 
+impl<REv> NetworkContext<REv> {
+    pub(crate) fn validate_peer_cert(&self, peer_cert: X509) -> Result<TlsCert, ValidationError> {
+        match &self.network_ca {
+            Some(ca_cert) => tls::validate_cert_with_authority(peer_cert, ca_cert),
+            None => tls::validate_self_signed_cert(peer_cert),
+        }
+    }
+}
+
 /// Handles an incoming connection.
 ///
 /// Sets up a TLS stream and performs the protocol handshake.
@@ -199,13 +211,12 @@ where
     for<'de> P: Serialize + Deserialize<'de>,
     for<'de> Message<P>: Serialize + Deserialize<'de>,
 {
-    let (peer_id, transport) =
-        match server_setup_tls(stream, &context.our_cert, &context.secret_key).await {
-            Ok(value) => value,
-            Err(error) => {
-                return IncomingConnection::FailedEarly { peer_addr, error };
-            }
-        };
+    let (peer_id, transport) = match server_setup_tls(&context, stream).await {
+        Ok(value) => value,
+        Err(error) => {
+            return IncomingConnection::FailedEarly { peer_addr, error };
+        }
+    };
 
     // Register the `peer_id` on the [`Span`] for logging the ID from here on out.
     Span::current().record("peer_id", &field::display(peer_id));
@@ -256,15 +267,17 @@ where
 /// Server-side TLS setup.
 ///
 /// This function groups the TLS setup into a convenient function, enabling the `?` operator.
-pub(super) async fn server_setup_tls(
+pub(super) async fn server_setup_tls<REv>(
+    context: &NetworkContext<REv>,
     stream: TcpStream,
-    cert: &TlsCert,
-    secret_key: &PKey<Private>,
 ) -> Result<(NodeId, Transport), ConnectionError> {
-    let mut tls_stream = tls::create_tls_acceptor(cert.as_x509().as_ref(), secret_key.as_ref())
-        .and_then(|ssl_acceptor| Ssl::new(ssl_acceptor.context()))
-        .and_then(|ssl| SslStream::new(ssl, stream))
-        .map_err(ConnectionError::TlsInitialization)?;
+    let mut tls_stream = tls::create_tls_acceptor(
+        context.our_cert.as_x509().as_ref(),
+        context.secret_key.as_ref(),
+    )
+    .and_then(|ssl_acceptor| Ssl::new(ssl_acceptor.context()))
+    .and_then(|ssl| SslStream::new(ssl, stream))
+    .map_err(ConnectionError::TlsInitialization)?;
 
     SslStream::accept(Pin::new(&mut tls_stream))
         .await
@@ -276,12 +289,12 @@ pub(super) async fn server_setup_tls(
         .peer_certificate()
         .ok_or(ConnectionError::NoPeerCertificate)?;
 
+    let validated_peer_cert = context
+        .validate_peer_cert(peer_cert)
+        .map_err(ConnectionError::PeerCertificateInvalid)?;
+
     Ok((
-        NodeId::from(
-            tls::validate_cert(peer_cert)
-                .map_err(ConnectionError::PeerCertificateInvalid)?
-                .public_key_fingerprint(),
-        ),
+        NodeId::from(validated_peer_cert.public_key_fingerprint()),
         tls_stream,
     ))
 }

node/src/components/small_network/tests.rs

@@ -143,7 +143,7 @@ impl Reactor for TestReactor {
         event_queue: EventQueueHandle<Self::Event>,
         _rng: &mut NodeRng,
     ) -> anyhow::Result<(Self, Effects<Self::Event>)> {
-        let small_network_identity = SmallNetworkIdentity::new()?;
+        let small_network_identity = SmallNetworkIdentity::with_generated_certs()?;
         let (net, effects) = SmallNetwork::new(
             event_queue,
             cfg,

node/src/reactor/initializer.rs

@@ -311,7 +311,8 @@ impl Reactor {
 
         let effects = reactor::wrap_effects(Event::Chainspec, chainspec_effects);
 
-        let small_network_identity = SmallNetworkIdentity::new()?;
+        let network_config = config.map_ref(|config| config.network.clone());
+        let small_network_identity = SmallNetworkIdentity::from_config(network_config)?;
 
         let reactor = Reactor {
             config,