diff --git a/Cargo.lock b/Cargo.lock
index 19d0099..16b4765 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2411,7 +2411,7 @@ dependencies = [
 
 [[package]]
 name = "omnect-cli"
-version = "0.25.1"
+version = "0.26.0"
 dependencies = [
  "actix-web",
  "anyhow",
diff --git a/Cargo.toml b/Cargo.toml
index 77c1e1f..22a7626 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,7 +7,7 @@ license = "MIT OR Apache-2.0"
 name = "omnect-cli"
 readme = "README.md"
 repository = "https://github.com/omnect/omnect-cli"
-version = "0.25.1"
+version = "0.26.0"
 
 [dependencies]
 actix-web = "4.9"
diff --git a/conf/config.toml.est.template b/conf/config.toml.est.template
index d65b30b..6a8a91b 100644
--- a/conf/config.toml.est.template
+++ b/conf/config.toml.est.template
@@ -24,6 +24,7 @@ retry = "4%"
 [cert_issuance.est]
 trusted_certs = [
   "file:///mnt/cert/ca/ca.crt",
+  "file:///mnt/cert/ca/edge_ca.crt",
 ]
 
 [cert_issuance.est.auth]
@@ -32,3 +33,15 @@ bootstrap_identity_pk = "file:///mnt/cert/priv/device_id_cert_key.pem"
 
 [cert_issuance.est.urls]
 default = "https://omnect-est.url:8080/.well-known/est"
+
+[edge_ca]
+method = "est"
+common_name = "test-omnect-est"
+url = "https://omnect-est.url2/.well-known/est"
+bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem"
+bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"
+
+[edge_ca.auto_renew]
+rotate_key = true
+threshold = "80%"
+retry = "4%"
diff --git a/conf/config.toml.tpm.template b/conf/config.toml.tpm.template
index 36f9dad..641502f 100644
--- a/conf/config.toml.tpm.template
+++ b/conf/config.toml.tpm.template
@@ -1,5 +1,5 @@
 ## Hostname
-hostname = "my-omnect-iot-tpm-device"
+hostname = "test-omnect-tpm"
 
 ## DPS provisioning with tpm
 [provisioning]
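Review bot: The new `"file:///mnt/cert/ca/edge_ca.crt"` entry in `trusted_certs` makes that file a TLS trust anchor for the EST server connection, so whatever CA it holds can vouch for the EST endpoint, yet the template never says what `ca/edge_ca.crt` is, and the similarly named `priv/edge_ca_cert.pem` in the `[edge_ca]` section below makes the two easy to confuse. If `edge_ca.crt` is the CA that signs the EST server's TLS certificate (rather than the device's own edge CA certificate, which `[edge_ca.auto_renew]` rotates and which should not anchor the server's identity), a comment above the entry should say so, e.g. `# CA that signs the EST server's TLS certificate; not the device's edge CA itself`. If it is in fact the edge CA certificate, that trust relationship deserves a second look before it ships in a template. The file's earlier sections are outside this hunk.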
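Review bot: The new `[edge_ca]` section carries no comment, and its `url` placeholder (`omnect-est.url2`) differs from the `[cert_issuance.est.urls] default` placeholder (`omnect-est.url:8080`) just above it, so a reader cannot tell whether a second EST endpoint is intended or the `2` is a typo. A short header would settle this, e.g. `# Edge CA issued via EST; url and bootstrap_identity_* are optional overrides that presumably fall back to [cert_issuance.est] — set them only when the edge CA comes from a different endpoint or identity`. It would also help to note next to `rotate_key = true` that the edge CA key is regenerated on renewal, which presumably invalidates anything signed by the previous edge CA — acceptable for a template, but a reader copying it should know.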
@@ -9,7 +9,28 @@ id_scope = "my-scope-id"
 
 [provisioning.attestation]
 method = "tpm"
-registration_id = "my-reg-id"
+registration_id = "test-omnect-tpm"
+
+[cert_issuance.est]
+trusted_certs = [
+  "file:///mnt/cert/ca/edge_ca.crt",
+]
+
+[cert_issuance.est.auth]
+bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem"
+bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"
+
+[cert_issuance.est.urls]
+default = "https://omnect-est.url:8080/.well-known/est"
+
+[edge_ca]
+method = "est"
+common_name = "test-omnect-tpm"
+
+[edge_ca.auto_renew]
+rotate_key = true
+threshold = "80%"
+retry = "4%"
 
 # [tpm]
 # tcti = "device:/dev/tpmrm0" # adapt if using e.g. abrmd, default is "device"
diff --git a/src/validators/identity.rs b/src/validators/identity.rs
index 13c6d2f..c0c413c 100644
--- a/src/validators/identity.rs
+++ b/src/validators/identity.rs
@@ -121,8 +121,14 @@ struct Tpm {
 #[serde(deny_unknown_fields)]
 #[allow(dead_code)]
 struct EdgeCA {
-    cert: String,
-    pk: String,
+    cert: Option,
+    pk: Option,
+    method: String,
+    common_name: String,
+    url: Option,
+    bootstrap_identity_cert: Option,
+    bootstrap_identity_pk: Option,
+    auto_renew: Option,
 }
 
 #[derive(Debug, Deserialize)]
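Review bot: On a device that is TPM-provisioned, the new `[cert_issuance.est.auth]` block keeps the EST bootstrap private key as a plain file, `bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"`, so the credential that authorises edge-CA issuance becomes the one secret on this device that is not hardware-backed. If the device's key service has a PKCS#11 backend available, the identity service also accepts a `pkcs11:` URI for this field, which would keep that key in the TPM alongside the attestation key; if a file key is deliberate for the template, a comment saying so (and that the file must be readable only by the key service) would help. Separately, `[edge_ca]` sets neither `url` nor a bootstrap identity, so it presumably inherits the `[cert_issuance.est]` values above — a one-line comment such as `# url and bootstrap identity are inherited from [cert_issuance.est]` would make that dependency visible to whoever edits one without the other.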
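Review bot: `method: String` is now a required field of `EdgeCA`, so an `[edge_ca]` section of the shape the old struct accepted — only `cert` and `pk` pointing at a pre-loaded CA, with no `method` — fails to deserialize instead of being validated, and `deny_unknown_fields` leaves no lenient path. If that pre-loaded form is still a supported configuration, `method: Option<String>` (or an untagged enum with a cert/pk variant and an issued variant) keeps it parseable; if it was dropped on purpose, the struct should say so in a doc comment, e.g. `/// [edge_ca] section; method is mandatory, the pre-loaded cert/pk form is no longer accepted`. Either way, `cert`, `pk`, `url` and `bootstrap_identity_*` are now independently optional, so nothing expresses that cert/pk go together or that the EST fields belong with `method = "est"`; at minimum a comment should state which combinations the validator expects. The struct's `#[derive]` line sits above this hunk.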
@@ -307,14 +313,17 @@ pub fn validate_identity(
         .as_ref()
         .and_then(|ci| ci.est.as_ref())
         .map(|est| {
-            est.auth.bootstrap_identity_cert.as_str()
+            (est.auth.bootstrap_identity_cert.as_str()
                 == "file:///mnt/cert/priv/device_id_cert.pem"
-                && est.auth.bootstrap_identity_cert.as_str()
-                    == "file:///mnt/cert/priv/device_id_cert.pem"
-                && est
-                    .trusted_certs
-                    .iter()
-                    .any(|e| e == "file:///mnt/cert/ca/ca.crt")
+                || est.auth.bootstrap_identity_cert.as_str()
+                    == "file:///mnt/cert/priv/edge_ca_cert.pem")
+                && (est.auth.bootstrap_identity_pk.as_str()
+                    == "file:///mnt/cert/priv/device_id_cert_key.pem"
+                    || est.auth.bootstrap_identity_pk.as_str()
+                        == "file:///mnt/cert/priv/edge_ca_cert_key.pem")
+                && est.trusted_certs.iter().any(|e| {
+                    e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt"
+                })
         })
     {
         out.push(WARN_UNEXPECTED_PATH)
diff --git a/testfiles/identity_config_dps_tpm.toml b/testfiles/identity_config_dps_tpm.toml
index 7c0f67a..ed748ec 100644
--- a/testfiles/identity_config_dps_tpm.toml
+++ b/testfiles/identity_config_dps_tpm.toml
@@ -6,4 +6,25 @@ global_endpoint = "https://global.azure-devices-provisioning.net"
 id_scope = "my-scope-id"
 
 [provisioning.attestation]
-method = "tpm"
\ No newline at end of file
+method = "tpm"
+
+[cert_issuance.est]
+trusted_certs = [
+  "file:///mnt/cert/ca/edge_ca.crt",
+]
+
+[cert_issuance.est.auth]
+bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem"
+bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"
+
+[cert_issuance.est.urls]
+default = "my-est-url"
+
+[edge_ca]
+method = "est"
+common_name = "test"
+
+[edge_ca.auto_renew]
+rotate_key = true
+threshold = "80%"
+retry = "4%"
\ No newline at end of file
diff --git a/testfiles/identity_config_dps_x509_est.toml b/testfiles/identity_config_dps_x509_est.toml
index 6223e10..9271523 100644
--- a/testfiles/identity_config_dps_x509_est.toml
+++ b/testfiles/identity_config_dps_x509_est.toml
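Review bot: The rewritten check lets a mismatched bootstrap pair — `device_id_cert.pem` with `edge_ca_cert_key.pem`, or the reverse — pass without pushing `WARN_UNEXPECTED_PATH`, because the certificate alternatives and the key alternatives are tested as two independent `||` groups; the intent is presumably that the cert and key belong to the same identity, so they should be compared as a pair, as below. The new `[edge_ca]` section can also carry its own `bootstrap_identity_cert`, `bootstrap_identity_pk` and `url`, which this check never inspects, so an unexpected path there is silently accepted. The `if` this expression belongs to starts above the hunk and `validate_identity` continues past it.
```rust
        .map(|est| {
            // The bootstrap cert and key must be the matching pair, not any cert with any key.
            let expected_identity = matches!(
                (
                    est.auth.bootstrap_identity_cert.as_str(),
                    est.auth.bootstrap_identity_pk.as_str(),
                ),
                (
                    "file:///mnt/cert/priv/device_id_cert.pem",
                    "file:///mnt/cert/priv/device_id_cert_key.pem",
                ) | (
                    "file:///mnt/cert/priv/edge_ca_cert.pem",
                    "file:///mnt/cert/priv/edge_ca_cert_key.pem",
                )
            );
            expected_identity
                && est.trusted_certs.iter().any(|e| {
                    e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt"
                })
        })
```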
@@ -21,6 +21,7 @@ retry = "4%"
 [cert_issuance.est]
 trusted_certs = [
   "file:///mnt/cert/ca/ca.crt",
+  "file:///mnt/cert/ca/edge_ca.crt",
 ]
 
 [cert_issuance.est.auth]
@@ -29,3 +30,15 @@ bootstrap_identity_pk = "file:///mnt/cert/priv/device_id_cert_key.pem"
 
 [cert_issuance.est.urls]
 default = "my-est-url"
+
+[edge_ca]
+method = "est"
+common_name = "test-omnect-est"
+url = "my-est-url"
+bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem"
+bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"
+
+[edge_ca.auto_renew]
+rotate_key = true
+threshold = "80%"
+retry = "4%"