From 12a74cfda3419253ae161d27a26a6b6270f9a18d Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Thu, 3 Oct 2024 12:28:15 +0200 Subject: [PATCH 1/8] feat!: renaming of TLS configuration parameters Signed-off-by: Gabriele Baldoni --- DEFAULT_CONFIG.json5 | 25 +++---- commons/zenoh-config/src/lib.rs | 20 +++--- io/zenoh-links/zenoh-link-quic/src/lib.rs | 30 ++++---- io/zenoh-links/zenoh-link-quic/src/utils.rs | 66 ++++++++--------- io/zenoh-links/zenoh-link-tls/src/lib.rs | 28 ++++---- io/zenoh-links/zenoh-link-tls/src/utils.rs | 66 ++++++++--------- io/zenoh-transport/tests/endpoints.rs | 8 +-- .../tests/unicast_authenticator.rs | 8 +-- io/zenoh-transport/tests/unicast_multilink.rs | 8 +-- io/zenoh-transport/tests/unicast_openclose.rs | 8 +-- io/zenoh-transport/tests/unicast_time.rs | 8 +-- io/zenoh-transport/tests/unicast_transport.rs | 68 +++++++++--------- zenoh/tests/authentication.rs | 72 +++++++++---------- zenoh/tests/open_time.rs | 8 +-- 14 files changed, 212 insertions(+), 211 deletions(-) diff --git a/DEFAULT_CONFIG.json5 b/DEFAULT_CONFIG.json5 index 1e56dbe50a..b6e1f61436 100644 --- a/DEFAULT_CONFIG.json5 +++ b/DEFAULT_CONFIG.json5 @@ -431,20 +431,21 @@ /// or the client's keys and certificates, depending on the node's mode. If not specified /// on router mode then the default WebPKI certificates are used instead. root_ca_certificate: null, - /// Path to the TLS server private key - server_private_key: null, - /// Path to the TLS server public certificate - server_certificate: null, - /// Client authentication, if true enables mTLS (mutual authentication) - client_auth: false, - /// Path to the TLS client private key - client_private_key: null, - /// Path to the TLS client public certificate - client_certificate: null, - // Whether or not to use server name verification, if set to false zenoh will disregard the common names of the certificates when verifying servers. + /// Path to the TLS listening side private key + listen_private_key: null, + /// Path to the TLS listening side public certificate + listen_certificate: null, + /// Enables mTLS (mutual authentication), client authentication + enable_mtls: false, + /// Path to the TLS connecting side private key + connect_private_key: null, + /// Path to the TLS client connecting side certificate + connect_certificate: null, + // Whether or not to verify the mathching between hostname/dns and certificate when connecting, + // if set to false zenoh will disregard the common names of the certificates when verifying servers. // This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your // ca to verify that the server at baz.com is actually baz.com, let this be true (default). - server_name_verification: null, + verify_name_on_connect: null, }, }, /// Shared memory configuration. diff --git a/commons/zenoh-config/src/lib.rs b/commons/zenoh-config/src/lib.rs index 52b3fa8b79..728aeb6c44 100644 --- a/commons/zenoh-config/src/lib.rs +++ b/commons/zenoh-config/src/lib.rs @@ -463,23 +463,23 @@ validated_struct::validator! { pub tls: #[derive(Default)] TLSConf { root_ca_certificate: Option, - server_private_key: Option, - server_certificate: Option, - client_auth: Option, - client_private_key: Option, - client_certificate: Option, - server_name_verification: Option, + listen_private_key: Option, + listen_certificate: Option, + enable_mtls: Option, + connect_private_key: Option, + connect_certificate: Option, + verify_name_on_connect: Option, // Skip serializing field because they contain secrets #[serde(skip_serializing)] root_ca_certificate_base64: Option, #[serde(skip_serializing)] - server_private_key_base64: Option, + listen_private_key_base64: Option, #[serde(skip_serializing)] - server_certificate_base64: Option, + listen_certificate_base64: Option, #[serde(skip_serializing)] - client_private_key_base64 : Option, + connect_private_key_base64 : Option, #[serde(skip_serializing)] - client_certificate_base64 : Option, + connect_certificate_base64 : Option, }, pub unixpipe: #[derive(Default)] UnixPipeConf { diff --git a/io/zenoh-links/zenoh-link-quic/src/lib.rs b/io/zenoh-links/zenoh-link-quic/src/lib.rs index feb9ce755a..d4c22788bd 100644 --- a/io/zenoh-links/zenoh-link-quic/src/lib.rs +++ b/io/zenoh-links/zenoh-link-quic/src/lib.rs @@ -92,24 +92,24 @@ pub mod config { pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw"; pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64"; - pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file"; - pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw"; - pub const TLS_SERVER_PRIVATE_KEY_BASE64: &str = "server_private_key_base64"; + pub const TLS_LISTEN_PRIVATE_KEY_FILE: &str = "listen_private_key_file"; + pub const TLS_LISTEN_PRIVATE_KEY_RAW: &str = "listen_private_key_raw"; + pub const TLS_LISTEN_PRIVATE_KEY_BASE64: &str = "listen_private_key_base64"; - pub const TLS_SERVER_CERTIFICATE_FILE: &str = "server_certificate_file"; - pub const TLS_SERVER_CERTIFICATE_RAW: &str = "server_certificate_raw"; - pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "server_certificate_base64"; + pub const TLS_LISTEN_CERTIFICATE_FILE: &str = "listen_certificate_file"; + pub const TLS_LISTEN_CERTIFICATE_RAW: &str = "listen_certificate_raw"; + pub const TLS_LISTEN_CERTIFICATE_BASE64: &str = "listen_certificate_base64"; - pub const TLS_CLIENT_PRIVATE_KEY_FILE: &str = "client_private_key_file"; - pub const TLS_CLIENT_PRIVATE_KEY_RAW: &str = "client_private_key_raw"; - pub const TLS_CLIENT_PRIVATE_KEY_BASE64: &str = "client_private_key_base64"; + pub const TLS_CONNECT_PRIVATE_KEY_FILE: &str = "connect_private_key_file"; + pub const TLS_CONNECT_PRIVATE_KEY_RAW: &str = "connect_private_key_raw"; + pub const TLS_CONNECT_PRIVATE_KEY_BASE64: &str = "connect_private_key_base64"; - pub const TLS_CLIENT_CERTIFICATE_FILE: &str = "client_certificate_file"; - pub const TLS_CLIENT_CERTIFICATE_RAW: &str = "client_certificate_raw"; - pub const TLS_CLIENT_CERTIFICATE_BASE64: &str = "client_certificate_base64"; + pub const TLS_CONNECT_CERTIFICATE_FILE: &str = "connect_certificate_file"; + pub const TLS_CONNECT_CERTIFICATE_RAW: &str = "connect_certificate_raw"; + pub const TLS_CONNECT_CERTIFICATE_BASE64: &str = "connect_certificate_base64"; - pub const TLS_CLIENT_AUTH: &str = "client_auth"; + pub const TLS_ENABLE_MTLS: &str = "enable_mtls"; - pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification"; - pub const TLS_SERVER_NAME_VERIFICATION_DEFAULT: &str = "true"; + pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect"; + pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: &str = "true"; } diff --git a/io/zenoh-links/zenoh-link-quic/src/utils.rs b/io/zenoh-links/zenoh-link-quic/src/utils.rs index b5cc7c49f8..b7f0e42af3 100644 --- a/io/zenoh-links/zenoh-link-quic/src/utils.rs +++ b/io/zenoh-links/zenoh-link-quic/src/utils.rs @@ -62,81 +62,81 @@ impl ConfigurationInspector for TlsConfigurator { _ => {} } - match (c.server_private_key(), c.server_private_key_base64()) { + match (c.listen_private_key(), c.listen_private_key_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") } (Some(server_private_key), None) => { - ps.push((TLS_SERVER_PRIVATE_KEY_FILE, server_private_key)); + ps.push((TLS_LISTEN_PRIVATE_KEY_FILE, server_private_key)); } (None, Some(server_private_key)) => { ps.push(( - TLS_SERVER_PRIVATE_KEY_BASE64, + TLS_LISTEN_PRIVATE_KEY_BASE64, server_private_key.expose_secret(), )); } _ => {} } - match (c.server_certificate(), c.server_certificate_base64()) { + match (c.listen_certificate(), c.listen_certificate_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!") } (Some(server_certificate), None) => { - ps.push((TLS_SERVER_CERTIFICATE_FILE, server_certificate)); + ps.push((TLS_LISTEN_CERTIFICATE_FILE, server_certificate)); } (None, Some(server_certificate)) => { ps.push(( - TLS_SERVER_CERTIFICATE_BASE64, + TLS_LISTEN_CERTIFICATE_BASE64, server_certificate.expose_secret(), )); } _ => {} } - if let Some(client_auth) = c.client_auth() { + if let Some(client_auth) = c.enable_mtls() { match client_auth { - true => ps.push((TLS_CLIENT_AUTH, "true")), - false => ps.push((TLS_CLIENT_AUTH, "false")), + true => ps.push((TLS_ENABLE_MTLS, "true")), + false => ps.push((TLS_ENABLE_MTLS, "false")), }; } - match (c.client_private_key(), c.client_private_key_base64()) { + match (c.connect_private_key(), c.connect_private_key_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!") } (Some(client_private_key), None) => { - ps.push((TLS_CLIENT_PRIVATE_KEY_FILE, client_private_key)); + ps.push((TLS_CONNECT_PRIVATE_KEY_FILE, client_private_key)); } (None, Some(client_private_key)) => { ps.push(( - TLS_CLIENT_PRIVATE_KEY_BASE64, + TLS_CONNECT_PRIVATE_KEY_BASE64, client_private_key.expose_secret(), )); } _ => {} } - match (c.client_certificate(), c.client_certificate_base64()) { + match (c.connect_certificate(), c.connect_certificate_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") } (Some(client_certificate), None) => { - ps.push((TLS_CLIENT_CERTIFICATE_FILE, client_certificate)); + ps.push((TLS_CONNECT_CERTIFICATE_FILE, client_certificate)); } (None, Some(client_certificate)) => { ps.push(( - TLS_CLIENT_CERTIFICATE_BASE64, + TLS_CONNECT_CERTIFICATE_BASE64, client_certificate.expose_secret(), )); } _ => {} } - if let Some(server_name_verification) = c.server_name_verification() { + if let Some(server_name_verification) = c.verify_name_on_connect() { match server_name_verification { - true => ps.push((TLS_SERVER_NAME_VERIFICATION, "true")), - false => ps.push((TLS_SERVER_NAME_VERIFICATION, "false")), + true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")), + false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")), }; } @@ -150,7 +150,7 @@ pub(crate) struct TlsServerConfig { impl TlsServerConfig { pub async fn new(config: &Config<'_>) -> ZResult { - let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) { + let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, @@ -224,9 +224,9 @@ impl TlsServerConfig { async fn load_tls_private_key(config: &Config<'_>) -> ZResult> { load_tls_key( config, - TLS_SERVER_PRIVATE_KEY_RAW, - TLS_SERVER_PRIVATE_KEY_FILE, - TLS_SERVER_PRIVATE_KEY_BASE64, + TLS_LISTEN_PRIVATE_KEY_RAW, + TLS_LISTEN_PRIVATE_KEY_FILE, + TLS_LISTEN_PRIVATE_KEY_BASE64, ) .await } @@ -234,9 +234,9 @@ impl TlsServerConfig { async fn load_tls_certificate(config: &Config<'_>) -> ZResult> { load_tls_certificate( config, - TLS_SERVER_CERTIFICATE_RAW, - TLS_SERVER_CERTIFICATE_FILE, - TLS_SERVER_CERTIFICATE_BASE64, + TLS_LISTEN_CERTIFICATE_RAW, + TLS_LISTEN_CERTIFICATE_FILE, + TLS_LISTEN_CERTIFICATE_BASE64, ) .await } @@ -248,14 +248,14 @@ pub(crate) struct TlsClientConfig { impl TlsClientConfig { pub async fn new(config: &Config<'_>) -> ZResult { - let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) { + let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, None => false, }; - let tls_server_name_verification: bool = match config.get(TLS_SERVER_NAME_VERIFICATION) { + let tls_server_name_verification: bool = match config.get(TLS_VERIFY_NAME_ON_CONNECT) { Some(s) => { let s: bool = s .parse() @@ -360,9 +360,9 @@ impl TlsClientConfig { async fn load_tls_private_key(config: &Config<'_>) -> ZResult> { load_tls_key( config, - TLS_CLIENT_PRIVATE_KEY_RAW, - TLS_CLIENT_PRIVATE_KEY_FILE, - TLS_CLIENT_PRIVATE_KEY_BASE64, + TLS_CONNECT_PRIVATE_KEY_RAW, + TLS_CONNECT_PRIVATE_KEY_FILE, + TLS_CONNECT_PRIVATE_KEY_BASE64, ) .await } @@ -370,9 +370,9 @@ impl TlsClientConfig { async fn load_tls_certificate(config: &Config<'_>) -> ZResult> { load_tls_certificate( config, - TLS_CLIENT_CERTIFICATE_RAW, - TLS_CLIENT_CERTIFICATE_FILE, - TLS_CLIENT_CERTIFICATE_BASE64, + TLS_CONNECT_CERTIFICATE_RAW, + TLS_CONNECT_CERTIFICATE_FILE, + TLS_CONNECT_CERTIFICATE_BASE64, ) .await } diff --git a/io/zenoh-links/zenoh-link-tls/src/lib.rs b/io/zenoh-links/zenoh-link-tls/src/lib.rs index dbcba1f061..aad7958e0d 100644 --- a/io/zenoh-links/zenoh-link-tls/src/lib.rs +++ b/io/zenoh-links/zenoh-link-tls/src/lib.rs @@ -88,23 +88,23 @@ pub mod config { pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw"; pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64"; - pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file"; - pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw"; - pub const TLS_SERVER_PRIVATE_KEY_BASE_64: &str = "server_private_key_base64"; + pub const TLS_LISTEN_PRIVATE_KEY_FILE: &str = "listen_private_key_file"; + pub const TLS_LISTEN_PRIVATE_KEY_RAW: &str = "listen_private_key_raw"; + pub const TLS_LISTEN_PRIVATE_KEY_BASE_64: &str = "listen_private_key_base64"; - pub const TLS_SERVER_CERTIFICATE_FILE: &str = "server_certificate_file"; - pub const TLS_SERVER_CERTIFICATE_RAW: &str = "server_certificate_raw"; - pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "server_certificate_base64"; + pub const TLS_LISTEN_CERTIFICATE_FILE: &str = "listen_certificate_file"; + pub const TLS_LISTEN_CERTIFICATE_RAW: &str = "listen_certificate_raw"; + pub const TLS_LISTEN_CERTIFICATE_BASE64: &str = "listen_certificate_base64"; - pub const TLS_CLIENT_PRIVATE_KEY_FILE: &str = "client_private_key_file"; - pub const TLS_CLIENT_PRIVATE_KEY_RAW: &str = "client_private_key_raw"; - pub const TLS_CLIENT_PRIVATE_KEY_BASE64: &str = "client_private_key_base64"; + pub const TLS_CONNECT_PRIVATE_KEY_FILE: &str = "connect_private_key_file"; + pub const TLS_CONNECT_PRIVATE_KEY_RAW: &str = "connect_private_key_raw"; + pub const TLS_CONNECT_PRIVATE_KEY_BASE64: &str = "connect_private_key_base64"; - pub const TLS_CLIENT_CERTIFICATE_FILE: &str = "client_certificate_file"; - pub const TLS_CLIENT_CERTIFICATE_RAW: &str = "client_certificate_raw"; - pub const TLS_CLIENT_CERTIFICATE_BASE64: &str = "client_certificate_base64"; + pub const TLS_CONNECT_CERTIFICATE_FILE: &str = "connect_certificate_file"; + pub const TLS_CONNECT_CERTIFICATE_RAW: &str = "connect_certificate_raw"; + pub const TLS_CONNECT_CERTIFICATE_BASE64: &str = "connect_certificate_base64"; - pub const TLS_CLIENT_AUTH: &str = "client_auth"; + pub const TLS_ENABLE_MTLS: &str = "enable_mtls"; - pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification"; + pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect"; } diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs index d6fde3d243..e8a20049dc 100644 --- a/io/zenoh-links/zenoh-link-tls/src/utils.rs +++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs @@ -64,81 +64,81 @@ impl ConfigurationInspector for TlsConfigurator { _ => {} } - match (c.server_private_key(), c.server_private_key_base64()) { + match (c.listen_private_key(), c.listen_private_key_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") } (Some(server_private_key), None) => { - ps.push((TLS_SERVER_PRIVATE_KEY_FILE, server_private_key)); + ps.push((TLS_LISTEN_PRIVATE_KEY_FILE, server_private_key)); } (None, Some(server_private_key)) => { ps.push(( - TLS_SERVER_PRIVATE_KEY_BASE_64, + TLS_LISTEN_PRIVATE_KEY_BASE_64, server_private_key.expose_secret(), )); } _ => {} } - match (c.server_certificate(), c.server_certificate_base64()) { + match (c.listen_certificate(), c.listen_certificate_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!") } (Some(server_certificate), None) => { - ps.push((TLS_SERVER_CERTIFICATE_FILE, server_certificate)); + ps.push((TLS_LISTEN_CERTIFICATE_FILE, server_certificate)); } (None, Some(server_certificate)) => { ps.push(( - TLS_SERVER_CERTIFICATE_BASE64, + TLS_LISTEN_CERTIFICATE_BASE64, server_certificate.expose_secret(), )); } _ => {} } - if let Some(client_auth) = c.client_auth() { + if let Some(client_auth) = c.enable_mtls() { match client_auth { - true => ps.push((TLS_CLIENT_AUTH, "true")), - false => ps.push((TLS_CLIENT_AUTH, "false")), + true => ps.push((TLS_ENABLE_MTLS, "true")), + false => ps.push((TLS_ENABLE_MTLS, "false")), }; } - match (c.client_private_key(), c.client_private_key_base64()) { + match (c.connect_private_key(), c.connect_private_key_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!") } (Some(client_private_key), None) => { - ps.push((TLS_CLIENT_PRIVATE_KEY_FILE, client_private_key)); + ps.push((TLS_CONNECT_PRIVATE_KEY_FILE, client_private_key)); } (None, Some(client_private_key)) => { ps.push(( - TLS_CLIENT_PRIVATE_KEY_BASE64, + TLS_CONNECT_PRIVATE_KEY_BASE64, client_private_key.expose_secret(), )); } _ => {} } - match (c.client_certificate(), c.client_certificate_base64()) { + match (c.connect_certificate(), c.connect_certificate_base64()) { (Some(_), Some(_)) => { bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") } (Some(client_certificate), None) => { - ps.push((TLS_CLIENT_CERTIFICATE_FILE, client_certificate)); + ps.push((TLS_CONNECT_CERTIFICATE_FILE, client_certificate)); } (None, Some(client_certificate)) => { ps.push(( - TLS_CLIENT_CERTIFICATE_BASE64, + TLS_CONNECT_CERTIFICATE_BASE64, client_certificate.expose_secret(), )); } _ => {} } - if let Some(server_name_verification) = c.server_name_verification() { + if let Some(server_name_verification) = c.verify_name_on_connect() { match server_name_verification { - true => ps.push((TLS_SERVER_NAME_VERIFICATION, "true")), - false => ps.push((TLS_SERVER_NAME_VERIFICATION, "false")), + true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")), + false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")), }; } @@ -152,7 +152,7 @@ pub(crate) struct TlsServerConfig { impl TlsServerConfig { pub async fn new(config: &Config<'_>) -> ZResult { - let tls_server_client_auth: bool = match config.get(TLS_CLIENT_AUTH) { + let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, @@ -226,9 +226,9 @@ impl TlsServerConfig { async fn load_tls_private_key(config: &Config<'_>) -> ZResult> { load_tls_key( config, - TLS_SERVER_PRIVATE_KEY_RAW, - TLS_SERVER_PRIVATE_KEY_FILE, - TLS_SERVER_PRIVATE_KEY_BASE_64, + TLS_LISTEN_PRIVATE_KEY_RAW, + TLS_LISTEN_PRIVATE_KEY_FILE, + TLS_LISTEN_PRIVATE_KEY_BASE_64, ) .await } @@ -236,9 +236,9 @@ impl TlsServerConfig { async fn load_tls_certificate(config: &Config<'_>) -> ZResult> { load_tls_certificate( config, - TLS_SERVER_CERTIFICATE_RAW, - TLS_SERVER_CERTIFICATE_FILE, - TLS_SERVER_CERTIFICATE_BASE64, + TLS_LISTEN_CERTIFICATE_RAW, + TLS_LISTEN_CERTIFICATE_FILE, + TLS_LISTEN_CERTIFICATE_BASE64, ) .await } @@ -250,14 +250,14 @@ pub(crate) struct TlsClientConfig { impl TlsClientConfig { pub async fn new(config: &Config<'_>) -> ZResult { - let tls_client_server_auth: bool = match config.get(TLS_CLIENT_AUTH) { + let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, None => false, }; - let tls_server_name_verification: bool = match config.get(TLS_SERVER_NAME_VERIFICATION) { + let tls_server_name_verification: bool = match config.get(TLS_VERIFY_NAME_ON_CONNECT) { Some(s) => { let s: bool = s .parse() @@ -362,9 +362,9 @@ impl TlsClientConfig { async fn load_tls_private_key(config: &Config<'_>) -> ZResult> { load_tls_key( config, - TLS_CLIENT_PRIVATE_KEY_RAW, - TLS_CLIENT_PRIVATE_KEY_FILE, - TLS_CLIENT_PRIVATE_KEY_BASE64, + TLS_CONNECT_PRIVATE_KEY_RAW, + TLS_CONNECT_PRIVATE_KEY_FILE, + TLS_CONNECT_PRIVATE_KEY_BASE64, ) .await } @@ -372,9 +372,9 @@ impl TlsClientConfig { async fn load_tls_certificate(config: &Config<'_>) -> ZResult> { load_tls_certificate( config, - TLS_CLIENT_CERTIFICATE_RAW, - TLS_CLIENT_CERTIFICATE_FILE, - TLS_CLIENT_CERTIFICATE_BASE64, + TLS_CONNECT_CERTIFICATE_RAW, + TLS_CONNECT_CERTIFICATE_FILE, + TLS_CONNECT_CERTIFICATE_BASE64, ) .await } diff --git a/io/zenoh-transport/tests/endpoints.rs b/io/zenoh-transport/tests/endpoints.rs index 3ebb015981..21f67b327c 100644 --- a/io/zenoh-transport/tests/endpoints.rs +++ b/io/zenoh-transport/tests/endpoints.rs @@ -319,8 +319,8 @@ AXVFFIgCSluyrolaD6CWD9MqOex4YOfJR2bNxI7lFvuK4AwjyUJzT1U1HXib17mM .config_mut() .extend_from_iter( [ - (TLS_SERVER_CERTIFICATE_RAW, cert), - (TLS_SERVER_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), ] .iter() .copied(), @@ -398,8 +398,8 @@ AXVFFIgCSluyrolaD6CWD9MqOex4YOfJR2bNxI7lFvuK4AwjyUJzT1U1HXib17mM .config_mut() .extend_from_iter( [ - (TLS_SERVER_CERTIFICATE_RAW, cert), - (TLS_SERVER_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), ] .iter() .copied(), diff --git a/io/zenoh-transport/tests/unicast_authenticator.rs b/io/zenoh-transport/tests/unicast_authenticator.rs index 77f025717d..ad9ec8c402 100644 --- a/io/zenoh-transport/tests/unicast_authenticator.rs +++ b/io/zenoh-transport/tests/unicast_authenticator.rs @@ -796,8 +796,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_CERTIFICATE_RAW, cert), - (TLS_SERVER_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), ] .iter() .copied(), @@ -896,8 +896,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_CERTIFICATE_RAW, cert), - (TLS_SERVER_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), ] .iter() .copied(), diff --git a/io/zenoh-transport/tests/unicast_multilink.rs b/io/zenoh-transport/tests/unicast_multilink.rs index 205de6b007..d4de6777b6 100644 --- a/io/zenoh-transport/tests/unicast_multilink.rs +++ b/io/zenoh-transport/tests/unicast_multilink.rs @@ -615,8 +615,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), @@ -713,8 +713,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), diff --git a/io/zenoh-transport/tests/unicast_openclose.rs b/io/zenoh-transport/tests/unicast_openclose.rs index 82e3eb600a..f2300a2a8e 100644 --- a/io/zenoh-transport/tests/unicast_openclose.rs +++ b/io/zenoh-transport/tests/unicast_openclose.rs @@ -643,8 +643,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), @@ -741,8 +741,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), diff --git a/io/zenoh-transport/tests/unicast_time.rs b/io/zenoh-transport/tests/unicast_time.rs index 95e455006b..f0ee2573e0 100644 --- a/io/zenoh-transport/tests/unicast_time.rs +++ b/io/zenoh-transport/tests/unicast_time.rs @@ -401,8 +401,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), @@ -500,8 +500,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), diff --git a/io/zenoh-transport/tests/unicast_transport.rs b/io/zenoh-transport/tests/unicast_transport.rs index 7306813564..3a39a9059f 100644 --- a/io/zenoh-transport/tests/unicast_transport.rs +++ b/io/zenoh-transport/tests/unicast_transport.rs @@ -1009,8 +1009,8 @@ async fn transport_unicast_tls_only_server() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, SERVER_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), ] .iter() .copied(), @@ -1054,8 +1054,8 @@ async fn transport_unicast_quic_only_server() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, SERVER_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), ] .iter() .copied(), @@ -1102,9 +1102,9 @@ async fn transport_unicast_tls_only_mutual_success() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, SERVER_CA), - (TLS_CLIENT_CERTIFICATE_RAW, CLIENT_CERT), - (TLS_CLIENT_PRIVATE_KEY_RAW, CLIENT_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_CONNECT_CERTIFICATE_RAW, CLIENT_CERT), + (TLS_CONNECT_PRIVATE_KEY_RAW, CLIENT_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1118,9 +1118,9 @@ async fn transport_unicast_tls_only_mutual_success() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, CLIENT_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1180,9 +1180,9 @@ async fn transport_unicast_tls_only_mutual_no_client_certs_failure() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, CLIENT_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, "true"), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, "true"), ] .iter() .copied(), @@ -1243,9 +1243,9 @@ fn transport_unicast_tls_only_mutual_wrong_client_certs_failure() { // wrong certificates and keys. The SERVER_CA (cetificate authority) will not recognize // these certificates as it is expecting to receive CLIENT_CERT and CLIENT_KEY from the // client. - (TLS_CLIENT_CERTIFICATE_RAW, SERVER_CERT), - (TLS_CLIENT_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_CONNECT_CERTIFICATE_RAW, SERVER_CERT), + (TLS_CONNECT_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1259,9 +1259,9 @@ fn transport_unicast_tls_only_mutual_wrong_client_certs_failure() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, CLIENT_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1318,9 +1318,9 @@ async fn transport_unicast_quic_only_mutual_success() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, SERVER_CA), - (TLS_CLIENT_CERTIFICATE_RAW, CLIENT_CERT), - (TLS_CLIENT_PRIVATE_KEY_RAW, CLIENT_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_CONNECT_CERTIFICATE_RAW, CLIENT_CERT), + (TLS_CONNECT_PRIVATE_KEY_RAW, CLIENT_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1334,9 +1334,9 @@ async fn transport_unicast_quic_only_mutual_success() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, CLIENT_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1396,9 +1396,9 @@ async fn transport_unicast_quic_only_mutual_no_client_certs_failure() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, CLIENT_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, "true"), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, "true"), ] .iter() .copied(), @@ -1459,9 +1459,9 @@ fn transport_unicast_quic_only_mutual_wrong_client_certs_failure() { // wrong certificates and keys. The SERVER_CA (cetificate authority) will not recognize // these certificates as it is expecting to receive CLIENT_CERT and CLIENT_KEY from the // client. - (TLS_CLIENT_CERTIFICATE_RAW, SERVER_CERT), - (TLS_CLIENT_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_CONNECT_CERTIFICATE_RAW, SERVER_CERT), + (TLS_CONNECT_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), @@ -1475,9 +1475,9 @@ fn transport_unicast_quic_only_mutual_wrong_client_certs_failure() { .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, CLIENT_CA), - (TLS_SERVER_CERTIFICATE_RAW, SERVER_CERT), - (TLS_SERVER_PRIVATE_KEY_RAW, SERVER_KEY), - (TLS_CLIENT_AUTH, client_auth), + (TLS_LISTEN_CERTIFICATE_RAW, SERVER_CERT), + (TLS_LISTEN_PRIVATE_KEY_RAW, SERVER_KEY), + (TLS_ENABLE_MTLS, client_auth), ] .iter() .copied(), diff --git a/zenoh/tests/authentication.rs b/zenoh/tests/authentication.rs index cd9b3848d2..2877807023 100644 --- a/zenoh/tests/authentication.rs +++ b/zenoh/tests/authentication.rs @@ -287,8 +287,8 @@ client2name:client2passwd"; "tls" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false }, }, }"#, @@ -298,13 +298,13 @@ client2name:client2passwd"; .transport .link .tls - .set_server_private_key(Some(format!("{}/serversidekey.pem", cert_path))) + .set_listen_private_key(Some(format!("{}/serversidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_server_certificate(Some(format!("{}/serverside.pem", cert_path))) + .set_listen_certificate(Some(format!("{}/serverside.pem", cert_path))) .unwrap(); config .transport @@ -340,8 +340,8 @@ client2name:client2passwd"; "quic" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false }, }, }"#, @@ -351,13 +351,13 @@ client2name:client2passwd"; .transport .link .tls - .set_server_private_key(Some(format!("{}/serversidekey.pem", cert_path))) + .set_listen_private_key(Some(format!("{}/serversidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_server_certificate(Some(format!("{}/serverside.pem", cert_path))) + .set_listen_certificate(Some(format!("{}/serverside.pem", cert_path))) .unwrap(); config .transport @@ -428,8 +428,8 @@ client2name:client2passwd"; "quic", "tcp" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false }, }, "auth": { @@ -454,13 +454,13 @@ client2name:client2passwd"; .transport .link .tls - .set_server_private_key(Some(format!("{}/serversidekey.pem", cert_path))) + .set_listen_private_key(Some(format!("{}/serversidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_server_certificate(Some(format!("{}/serverside.pem", cert_path))) + .set_listen_certificate(Some(format!("{}/serverside.pem", cert_path))) .unwrap(); config .transport @@ -493,8 +493,8 @@ client2name:client2passwd"; "tls" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false } } }"#, @@ -504,13 +504,13 @@ client2name:client2passwd"; .transport .link .tls - .set_client_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) + .set_connect_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_client_certificate(Some(format!("{}/clientside.pem", cert_path))) + .set_connect_certificate(Some(format!("{}/clientside.pem", cert_path))) .unwrap(); config .transport @@ -546,8 +546,8 @@ client2name:client2passwd"; "tls" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false } } }"#, @@ -557,13 +557,13 @@ client2name:client2passwd"; .transport .link .tls - .set_client_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) + .set_connect_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_client_certificate(Some(format!("{}/clientside.pem", cert_path))) + .set_connect_certificate(Some(format!("{}/clientside.pem", cert_path))) .unwrap(); config .transport @@ -604,8 +604,8 @@ client2name:client2passwd"; "quic" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false } } }"#, @@ -615,13 +615,13 @@ client2name:client2passwd"; .transport .link .tls - .set_client_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) + .set_connect_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_client_certificate(Some(format!("{}/clientside.pem", cert_path))) + .set_connect_certificate(Some(format!("{}/clientside.pem", cert_path))) .unwrap(); config .transport @@ -649,8 +649,8 @@ client2name:client2passwd"; "quic" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false } } }"#, @@ -660,13 +660,13 @@ client2name:client2passwd"; .transport .link .tls - .set_client_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) + .set_connect_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_client_certificate(Some(format!("{}/clientside.pem", cert_path))) + .set_connect_certificate(Some(format!("{}/clientside.pem", cert_path))) .unwrap(); config .transport @@ -753,8 +753,8 @@ client2name:client2passwd"; "quic" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false } }, "auth": { @@ -770,13 +770,13 @@ client2name:client2passwd"; .transport .link .tls - .set_client_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) + .set_connect_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_client_certificate(Some(format!("{}/clientside.pem", cert_path))) + .set_connect_certificate(Some(format!("{}/clientside.pem", cert_path))) .unwrap(); config .transport @@ -805,8 +805,8 @@ client2name:client2passwd"; "quic" ], "tls": { - "client_auth": true, - "server_name_verification": false + "enable_mtls": true, + "verify_name_on_connect": false } }, "auth": { @@ -822,13 +822,13 @@ client2name:client2passwd"; .transport .link .tls - .set_client_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) + .set_connect_private_key(Some(format!("{}/clientsidekey.pem", cert_path))) .unwrap(); config .transport .link .tls - .set_client_certificate(Some(format!("{}/clientside.pem", cert_path))) + .set_connect_certificate(Some(format!("{}/clientside.pem", cert_path))) .unwrap(); config .transport diff --git a/zenoh/tests/open_time.rs b/zenoh/tests/open_time.rs index bc5939fca8..9c1c7f02d6 100644 --- a/zenoh/tests/open_time.rs +++ b/zenoh/tests/open_time.rs @@ -311,8 +311,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), @@ -410,8 +410,8 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg== .extend_from_iter( [ (TLS_ROOT_CA_CERTIFICATE_RAW, ca), - (TLS_SERVER_PRIVATE_KEY_RAW, key), - (TLS_SERVER_CERTIFICATE_RAW, cert), + (TLS_LISTEN_PRIVATE_KEY_RAW, key), + (TLS_LISTEN_CERTIFICATE_RAW, cert), ] .iter() .copied(), From 898b9755d7a7ac46a54e33d3f6d959a14a414077 Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Thu, 3 Oct 2024 12:32:01 +0200 Subject: [PATCH 2/8] chore: fix typo Signed-off-by: Gabriele Baldoni --- DEFAULT_CONFIG.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DEFAULT_CONFIG.json5 b/DEFAULT_CONFIG.json5 index b6e1f61436..a7889577d5 100644 --- a/DEFAULT_CONFIG.json5 +++ b/DEFAULT_CONFIG.json5 @@ -441,7 +441,7 @@ connect_private_key: null, /// Path to the TLS client connecting side certificate connect_certificate: null, - // Whether or not to verify the mathching between hostname/dns and certificate when connecting, + // Whether or not to verify the matching between hostname/dns and certificate when connecting, // if set to false zenoh will disregard the common names of the certificates when verifying servers. // This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your // ca to verify that the server at baz.com is actually baz.com, let this be true (default). From 3d5da78abaac21b5ee7a65b979058bd84d98609d Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Thu, 3 Oct 2024 13:01:11 +0200 Subject: [PATCH 3/8] fix: setting proper default value in default config file Signed-off-by: Gabriele Baldoni --- DEFAULT_CONFIG.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DEFAULT_CONFIG.json5 b/DEFAULT_CONFIG.json5 index a7889577d5..32863479dc 100644 --- a/DEFAULT_CONFIG.json5 +++ b/DEFAULT_CONFIG.json5 @@ -445,7 +445,7 @@ // if set to false zenoh will disregard the common names of the certificates when verifying servers. // This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your // ca to verify that the server at baz.com is actually baz.com, let this be true (default). - verify_name_on_connect: null, + verify_name_on_connect: true, }, }, /// Shared memory configuration. From 22261211a774b56d4b04f135c1d4abbeeaf2c26c Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Thu, 3 Oct 2024 13:04:33 +0200 Subject: [PATCH 4/8] fix: using default values for verify_name_on_connect Signed-off-by: Gabriele Baldoni --- io/zenoh-links/zenoh-link-quic/src/lib.rs | 2 +- io/zenoh-links/zenoh-link-quic/src/utils.rs | 13 +++++++------ io/zenoh-links/zenoh-link-tls/src/lib.rs | 1 + io/zenoh-links/zenoh-link-tls/src/utils.rs | 13 +++++++------ 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/io/zenoh-links/zenoh-link-quic/src/lib.rs b/io/zenoh-links/zenoh-link-quic/src/lib.rs index d4c22788bd..abaefd199c 100644 --- a/io/zenoh-links/zenoh-link-quic/src/lib.rs +++ b/io/zenoh-links/zenoh-link-quic/src/lib.rs @@ -111,5 +111,5 @@ pub mod config { pub const TLS_ENABLE_MTLS: &str = "enable_mtls"; pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect"; - pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: &str = "true"; + pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true; } diff --git a/io/zenoh-links/zenoh-link-quic/src/utils.rs b/io/zenoh-links/zenoh-link-quic/src/utils.rs index b7f0e42af3..d6bd9f9898 100644 --- a/io/zenoh-links/zenoh-link-quic/src/utils.rs +++ b/io/zenoh-links/zenoh-link-quic/src/utils.rs @@ -133,12 +133,13 @@ impl ConfigurationInspector for TlsConfigurator { _ => {} } - if let Some(server_name_verification) = c.verify_name_on_connect() { - match server_name_verification { - true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")), - false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")), - }; - } + match c + .verify_name_on_connect() + .unwrap_or(TLS_VERIFY_NAME_ON_CONNECT_DEFAULT) + { + true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")), + false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")), + }; Ok(parameters::from_iter(ps.drain(..))) } diff --git a/io/zenoh-links/zenoh-link-tls/src/lib.rs b/io/zenoh-links/zenoh-link-tls/src/lib.rs index aad7958e0d..2a18e3b5b3 100644 --- a/io/zenoh-links/zenoh-link-tls/src/lib.rs +++ b/io/zenoh-links/zenoh-link-tls/src/lib.rs @@ -107,4 +107,5 @@ pub mod config { pub const TLS_ENABLE_MTLS: &str = "enable_mtls"; pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect"; + pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true; } diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs index e8a20049dc..7df072f1cf 100644 --- a/io/zenoh-links/zenoh-link-tls/src/utils.rs +++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs @@ -135,12 +135,13 @@ impl ConfigurationInspector for TlsConfigurator { _ => {} } - if let Some(server_name_verification) = c.verify_name_on_connect() { - match server_name_verification { - true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")), - false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")), - }; - } + match c + .verify_name_on_connect() + .unwrap_or(TLS_VERIFY_NAME_ON_CONNECT_DEFAULT) + { + true => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "true")), + false => ps.push((TLS_VERIFY_NAME_ON_CONNECT, "false")), + }; Ok(parameters::from_iter(ps.drain(..))) } From 22ee3f9958bb63ac96fb5a47b799cca6c8e8c147 Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Thu, 3 Oct 2024 15:27:00 +0200 Subject: [PATCH 5/8] chore: fix default config Signed-off-by: Gabriele Baldoni --- DEFAULT_CONFIG.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DEFAULT_CONFIG.json5 b/DEFAULT_CONFIG.json5 index 32863479dc..54f6aca3b0 100644 --- a/DEFAULT_CONFIG.json5 +++ b/DEFAULT_CONFIG.json5 @@ -439,7 +439,7 @@ enable_mtls: false, /// Path to the TLS connecting side private key connect_private_key: null, - /// Path to the TLS client connecting side certificate + /// Path to the TLS connecting side certificate connect_certificate: null, // Whether or not to verify the matching between hostname/dns and certificate when connecting, // if set to false zenoh will disregard the common names of the certificates when verifying servers. From bf10a916e460320e9b08ce958206eb992a188f64 Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Fri, 4 Oct 2024 12:30:03 +0200 Subject: [PATCH 6/8] chore: updating error strings Signed-off-by: Gabriele Baldoni --- io/zenoh-links/zenoh-link-quic/src/utils.rs | 12 ++++++------ io/zenoh-links/zenoh-link-tls/src/utils.rs | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/io/zenoh-links/zenoh-link-quic/src/utils.rs b/io/zenoh-links/zenoh-link-quic/src/utils.rs index d6bd9f9898..4c413a648d 100644 --- a/io/zenoh-links/zenoh-link-quic/src/utils.rs +++ b/io/zenoh-links/zenoh-link-quic/src/utils.rs @@ -64,7 +64,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.listen_private_key(), c.listen_private_key_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") + bail!("Only one between 'listen_private_key' and 'listen_private_key_base64' can be present!") } (Some(server_private_key), None) => { ps.push((TLS_LISTEN_PRIVATE_KEY_FILE, server_private_key)); @@ -80,7 +80,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.listen_certificate(), c.listen_certificate_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!") + bail!("Only one between 'listen_certificate' and 'listen_certificate_base64' can be present!") } (Some(server_certificate), None) => { ps.push((TLS_LISTEN_CERTIFICATE_FILE, server_certificate)); @@ -103,7 +103,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.connect_private_key(), c.connect_private_key_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!") + bail!("Only one between 'connect_private_key' and 'connect_private_key_base64' can be present!") } (Some(client_private_key), None) => { ps.push((TLS_CONNECT_PRIVATE_KEY_FILE, client_private_key)); @@ -154,7 +154,7 @@ impl TlsServerConfig { let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() - .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, + .map_err(|_| zerror!("Unknown enable mTLS argument: {}", s))?, None => false, }; let tls_server_private_key = TlsServerConfig::load_tls_private_key(config).await?; @@ -203,7 +203,7 @@ impl TlsServerConfig { let root_cert_store = load_trust_anchors(config)?.map_or_else( || { Err(zerror!( - "Missing root certificates while client authentication is enabled." + "Missing root certificates while mTLS is enabled." )) }, Ok, @@ -252,7 +252,7 @@ impl TlsClientConfig { let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() - .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, + .map_err(|_| zerror!("Unknown enable mTLS argument: {}", s))?, None => false, }; diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs index 7df072f1cf..8990350d99 100644 --- a/io/zenoh-links/zenoh-link-tls/src/utils.rs +++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs @@ -66,7 +66,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.listen_private_key(), c.listen_private_key_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!") + bail!("Only one between 'listen_private_key' and 'listen_private_key' can be present!") } (Some(server_private_key), None) => { ps.push((TLS_LISTEN_PRIVATE_KEY_FILE, server_private_key)); @@ -82,7 +82,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.listen_certificate(), c.listen_certificate_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!") + bail!("Only one between 'listen_certificate' and 'listen_certificate_base64' can be present!") } (Some(server_certificate), None) => { ps.push((TLS_LISTEN_CERTIFICATE_FILE, server_certificate)); @@ -105,7 +105,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.connect_private_key(), c.connect_private_key_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!") + bail!("Only one between 'connect_private_key' and 'connect_private_key_base64' can be present!") } (Some(client_private_key), None) => { ps.push((TLS_CONNECT_PRIVATE_KEY_FILE, client_private_key)); @@ -156,7 +156,7 @@ impl TlsServerConfig { let tls_server_client_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() - .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, + .map_err(|_| zerror!("Unknown enable mTLS argument: {}", s))?, None => false, }; let tls_server_private_key = TlsServerConfig::load_tls_private_key(config).await?; @@ -205,7 +205,7 @@ impl TlsServerConfig { let root_cert_store = load_trust_anchors(config)?.map_or_else( || { Err(zerror!( - "Missing root certificates while client authentication is enabled." + "Missing root certificates while mTLS is enabled." )) }, Ok, @@ -254,7 +254,7 @@ impl TlsClientConfig { let tls_client_server_auth: bool = match config.get(TLS_ENABLE_MTLS) { Some(s) => s .parse() - .map_err(|_| zerror!("Unknown client auth argument: {}", s))?, + .map_err(|_| zerror!("Unknown enable mTLS auth argument: {}", s))?, None => false, }; From 55f41b27c9498c3b5190147960f1a39b7f622e4b Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Fri, 4 Oct 2024 12:31:09 +0200 Subject: [PATCH 7/8] chore: updating error strings Signed-off-by: Gabriele Baldoni --- io/zenoh-links/zenoh-link-quic/src/utils.rs | 2 +- io/zenoh-links/zenoh-link-tls/src/utils.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/io/zenoh-links/zenoh-link-quic/src/utils.rs b/io/zenoh-links/zenoh-link-quic/src/utils.rs index 4c413a648d..ffb6dd580b 100644 --- a/io/zenoh-links/zenoh-link-quic/src/utils.rs +++ b/io/zenoh-links/zenoh-link-quic/src/utils.rs @@ -119,7 +119,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.connect_certificate(), c.connect_certificate_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") + bail!("Only one between 'connect_certificate' and 'connect_certificate_base64' can be present!") } (Some(client_certificate), None) => { ps.push((TLS_CONNECT_CERTIFICATE_FILE, client_certificate)); diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs index 8990350d99..c3b9903069 100644 --- a/io/zenoh-links/zenoh-link-tls/src/utils.rs +++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs @@ -121,7 +121,7 @@ impl ConfigurationInspector for TlsConfigurator { match (c.connect_certificate(), c.connect_certificate_base64()) { (Some(_), Some(_)) => { - bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!") + bail!("Only one between 'connect_certificate' and 'connect_certificate_base64' can be present!") } (Some(client_certificate), None) => { ps.push((TLS_CONNECT_CERTIFICATE_FILE, client_certificate)); From d82231ce33478615663eb42103bce3b88f9bc519 Mon Sep 17 00:00:00 2001 From: Gabriele Baldoni Date: Fri, 4 Oct 2024 12:32:06 +0200 Subject: [PATCH 8/8] style: make cargo fmt happy Signed-off-by: Gabriele Baldoni --- io/zenoh-links/zenoh-link-quic/src/utils.rs | 6 +----- io/zenoh-links/zenoh-link-tls/src/utils.rs | 6 +----- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/io/zenoh-links/zenoh-link-quic/src/utils.rs b/io/zenoh-links/zenoh-link-quic/src/utils.rs index ffb6dd580b..afd361f634 100644 --- a/io/zenoh-links/zenoh-link-quic/src/utils.rs +++ b/io/zenoh-links/zenoh-link-quic/src/utils.rs @@ -201,11 +201,7 @@ impl TlsServerConfig { let sc = if tls_server_client_auth { let root_cert_store = load_trust_anchors(config)?.map_or_else( - || { - Err(zerror!( - "Missing root certificates while mTLS is enabled." - )) - }, + || Err(zerror!("Missing root certificates while mTLS is enabled.")), Ok, )?; let client_auth = WebPkiClientVerifier::builder(root_cert_store.into()).build()?; diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs index c3b9903069..2894bcf337 100644 --- a/io/zenoh-links/zenoh-link-tls/src/utils.rs +++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs @@ -203,11 +203,7 @@ impl TlsServerConfig { let sc = if tls_server_client_auth { let root_cert_store = load_trust_anchors(config)?.map_or_else( - || { - Err(zerror!( - "Missing root certificates while mTLS is enabled." - )) - }, + || Err(zerror!("Missing root certificates while mTLS is enabled.")), Ok, )?; let client_auth = WebPkiClientVerifier::builder(root_cert_store.into()).build()?;