Skip to content

Commit

Permalink
grpc-plugin: Generate mTLS certificates and use them in grpc
Browse files Browse the repository at this point in the history
  • Loading branch information
@cdecker
cdecker committed Jan 21, 2022
1 parent a50a9ef commit 7b74cf0
Show file tree
Hide file tree
Showing 3 changed files with 176 additions and 2 deletions.
19 changes: 19 additions & 0 deletions plugins/grpc-plugin/src/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,14 @@ use log::{debug, warn};
use std::net::SocketAddr;
use std::path::{Path, PathBuf};

mod tls;

#[derive(Clone, Debug)]
struct PluginState {
rpc_path: PathBuf,
bind_address: SocketAddr,
identity: tls::Identity,
ca_cert: Vec<u8>,
}

#[tokio::main]
Expand All @@ -18,9 +22,14 @@ async fn main() -> Result<()> {
let path = Path::new("lightning-rpc");
let addr: SocketAddr = "0.0.0.0:50051".parse().unwrap();

let directory = std::env::current_dir()?;
let (identity, ca_cert) = tls::init(&directory)?;

let state = PluginState {
rpc_path: path.into(),
bind_address: addr,
identity,
ca_cert,
};

let (plugin, i) = Builder::new(state.clone(), tokio::io::stdin(), tokio::io::stdout()).build();
Expand All @@ -40,7 +49,17 @@ async fn run_interface(state: PluginState) -> Result<()> {
"Connecting to {:?} and serving grpc on {:?}",
&state.rpc_path, &state.bind_address
);

let identity = state.identity.to_tonic_identity();
let ca_cert = tonic::transport::Certificate::from_pem(state.ca_cert);

let tls = tonic::transport::ServerTlsConfig::new()
.identity(identity)
.client_ca_root(ca_cert);

tonic::transport::Server::builder()
.tls_config(tls)
.context("configuring tls")?
.add_service(NodeServer::new(
cln_grpc::Server::new(&state.rpc_path)
.await
Expand Down
107 changes: 107 additions & 0 deletions plugins/grpc-plugin/src/tls.rs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
//! Utilities to manage TLS certificates.
use anyhow::{Context, Result};
use log::debug;
use rcgen::{Certificate, KeyPair};
use std::path::Path;

/// Just a wrapper around a certificate and an associated keypair.
#[derive(Clone, Debug)]
pub(crate) struct Identity {
key: Vec<u8>,
certificate: Vec<u8>,
}

impl Identity {
fn to_certificate(&self) -> Result<Certificate> {
let keystr = String::from_utf8_lossy(&self.key);
let key = KeyPair::from_pem(&keystr)?;
let certstr = String::from_utf8_lossy(&self.certificate);
let params = rcgen::CertificateParams::from_ca_cert_pem(&certstr, key)?;
let cert = Certificate::from_params(params)?;
Ok(cert)
}

pub fn to_tonic_identity(&self) -> tonic::transport::Identity {
tonic::transport::Identity::from_pem(&self.certificate, &self.key)
}
}

/// Ensure that we have a certificate authority, and child keypairs
/// and certificates for the server and the client. It'll generate
/// them in the provided `directory`. The following files are
/// included:
///
/// - `ca.pem`: The self-signed certificate of the CA
/// - `ca-key.pem`: The key used by the CA to sign certificates
/// - `server.pem`: The server certificate, signed by the CA
/// - `server-key.pem`: The server private key
/// - `client.pem`: The client certificate, signed by the CA
/// - `client-key.pem`: The client private key
///
/// The `grpc-plugin` will use the `server.pem` certificate, while a
/// client is supposed to use the `client.pem` and associated
/// keys. Notice that this isn't strictly necessary since the server
/// will accept any client that is signed by the CA. In future we
/// might add runes, making the distinction more important.
///
/// Returns the server identity and the root CA certificate.
pub(crate) fn init(directory: &Path) -> Result<(Identity, Vec<u8>)> {
let ca = generate_or_load_identity("cln Root CA", directory, "ca", None)?;
let server = generate_or_load_identity("cln grpc Server", directory, "server", Some(&ca))?;
let _client = generate_or_load_identity("cln grpc Client", directory, "client", Some(&ca))?;
Ok((server, ca.certificate))
}

/// Generate a given identity
fn generate_or_load_identity(
name: &str,
directory: &Path,
filename: &str,
parent: Option<&Identity>,
) -> Result<Identity> {
// Just our naming convention here.
let cert_path = directory.join(format!("{}.pem", filename));
let key_path = directory.join(format!("{}-key.pem", filename));
// Did we have to generate a new key? In that case we also need to
// regenerate the certificate
if !key_path.exists() || !cert_path.exists() {
debug!(
"Generating a new keypair in {:?}, it didn't exist",
&key_path
);
let keypair = KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256)?;
std::fs::write(&key_path, keypair.serialize_pem())?;
debug!(
"Generating a new certificate for key {:?} at {:?}",
&key_path, &cert_path
);

// Configure the certificate we want.
let subject_alt_names = vec!["cln".to_string(), "localhost".to_string()];
let mut params = rcgen::CertificateParams::new(subject_alt_names);
params.key_pair = Some(keypair);
params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
if parent.is_none() {
params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
} else {
params.is_ca = rcgen::IsCa::SelfSignedOnly;
}
params
.distinguished_name
.push(rcgen::DnType::CommonName, name);

let cert = Certificate::from_params(params)?;
std::fs::write(
&cert_path,
match parent {
None => cert.serialize_pem()?,
Some(ca) => cert.serialize_pem_with_signer(&ca.to_certificate()?)?,
},
)
.context("writing certificate to file")?;
}

let key = std::fs::read(&key_path)?;
let certificate = std::fs::read(cert_path)?;
Ok(Identity { certificate, key })
}
52 changes: 50 additions & 2 deletions tests/test_cln_rs.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,60 @@ def test_rpc_client(node_factory):
def test_grpc_connect(node_factory):
"""Attempts to connect to the grpc interface and call getinfo"""
bin_path = Path.cwd() / "target" / "debug" / "grpc-plugin"
node_factory.get_node(options={"plugin": str(bin_path)})
channel = grpc.insecure_channel("localhost:50051")
l1 = node_factory.get_node(options={"plugin": str(bin_path)})

p = Path(l1.daemon.lightning_dir) / TEST_NETWORK
cert_path = p / "client.pem"
key_path = p / "client-key.pem"
ca_cert_path = p / "ca.pem"
creds = grpc.ssl_channel_credentials(
root_certificates=ca_cert_path.open('rb').read(),
private_key=key_path.open('rb').read(),
certificate_chain=cert_path.open('rb').read()
)

channel = grpc.secure_channel(
"localhost:50051",
creds,
options=(('grpc.ssl_target_name_override', 'cln'),)
)
stub = NodeStub(channel)

response = stub.Getinfo(nodepb.GetinfoRequest())
print(response)

response = stub.ListFunds(nodepb.ListfundsRequest())
print(response)


def test_grpc_generate_certificate(node_factory):
"""Test whether we correctly generate the certificates.
- If we have no certs, we need to generate them all
- If we have certs, we they should just get loaded
- If we delete one cert or its key it should get regenerated.
"""
bin_path = Path.cwd() / "target" / "debug" / "grpc-plugin"
l1 = node_factory.get_node(options={
"plugin": str(bin_path),
}, start=False)

p = Path(l1.daemon.lightning_dir) / TEST_NETWORK
files = [p / f for f in ['ca.pem', 'ca-key.pem', 'client.pem', 'client-key.pem', 'server-key.pem', 'server.pem']]

# Before starting no files exist.
assert [f.exists() for f in files] == [False]*len(files)

l1.start()
assert [f.exists() for f in files] == [True]*len(files)

# The files exist, restarting should not change them
contents = [f.open().read() for f in files]
l1.restart()
assert contents == [f.open().read() for f in files]

# Now we delete the last file, we should regenerate it as well as its key
files[-1].unlink()
l1.restart()
assert contents[-2] != files[-2].open().read()
assert contents[-1] != files[-1].open().read()

0 comments on commit 7b74cf0

Please sign in to comment.