client: unify Provision and Run TLS configurations

Author: phlip9

common/src/client/certs.rs

@@ -13,10 +13,12 @@
 //! that clients and nodes can authenticate each other and build a secure
 //! channel via mTLS (mutual-auth TLS).
 
+use asn1_rs::FromDer;
 use rcgen::{
     date_time_ymd, BasicConstraints, CertificateParams, DnType, IsCa,
     RcgenError, SanType,
 };
+use x509_parser::x509::X509Name;
 
 use crate::{constants, ed25519};
 
@@ -41,10 +43,30 @@ pub struct NodeCert(rcgen::Certificate);
 
 // -- impl CaCert -- //
 
+/// Parse CommonName from x509 DistinguishedName DER bytes
+fn is_matching_issuer_der(der: &[u8], expected: &str) -> Option<()> {
+    let (_rest, name) = X509Name::from_der(der).ok()?;
+    let common_name = name.iter_common_name().next()?;
+    let common_name = common_name.as_str().ok()?;
+    if common_name == expected {
+        Some(())
+    } else {
+        None
+    }
+}
+
 impl CaCert {
+    const COMMON_NAME: &'static str = "lexe node-client CA";
+
+    /// Returns `true` if the given DER bytes are an x509 DistinguishedName with
+    /// a CommonName matching the standard node-client CA CommonName.
+    pub fn is_matching_issuer_der(issuer_der: &[u8]) -> bool {
+        is_matching_issuer_der(issuer_der, Self::COMMON_NAME).is_some()
+    }
+
     pub fn from_key_pair(key_pair: rcgen::KeyPair) -> Result<Self, RcgenError> {
         let mut name = constants::lexe_distinguished_name_prefix();
-        name.push(DnType::CommonName, "client CA cert");
+        name.push(DnType::CommonName, Self::COMMON_NAME);
 
         let mut params = CertificateParams::default();
         params.alg = &rcgen::PKCS_ED25519;
@@ -74,7 +96,7 @@ impl CaCert {
 impl ClientCert {
     pub fn from_key_pair(key_pair: rcgen::KeyPair) -> Result<Self, RcgenError> {
         let mut name = constants::lexe_distinguished_name_prefix();
-        name.push(DnType::CommonName, "client cert");
+        name.push(DnType::CommonName, "lexe client cert");
 
         let mut params = CertificateParams::default();
         params.alg = &rcgen::PKCS_ED25519;
@@ -116,7 +138,7 @@ impl NodeCert {
         dns_names: Vec<String>,
     ) -> Result<Self, RcgenError> {
         let mut name = constants::lexe_distinguished_name_prefix();
-        name.push(DnType::CommonName, "node cert");
+        name.push(DnType::CommonName, "lexe node cert");
 
         let subject_alt_names = dns_names
             .into_iter()

common/src/client/provision.rs

@@ -1,27 +1,30 @@
 // TODO
 
-use anyhow::{Context, Result};
+use anyhow::Context;
 use reqwest::{Client, Proxy};
 
 use crate::api::provision::ProvisionRequest;
 use crate::api::UserPk;
-use crate::attest::EnclavePolicy;
+use crate::attest;
 use crate::client::tls;
+use crate::rng::Crng;
+use crate::root_seed::RootSeed;
 
 pub struct ProvisionClient {
     client: Client,
     provision_url: String,
 }
 
 impl ProvisionClient {
-    pub fn new(
+    pub fn new<R: Crng>(
+        rng: &mut R,
+        seed: &RootSeed,
         user_pk: &UserPk,
         proxy_url: &str,
         proxy_ca: &rustls::Certificate,
         provision_url: String,
-        expect_dummy_quote: bool,
-        enclave_policy: EnclavePolicy,
-    ) -> Result<Self> {
+        attest_verifier: attest::ServerCertVerifier,
+    ) -> anyhow::Result<Self> {
         // TODO(phlip9): actual auth in proxy header
         // TODO(phlip9): https only mode
 
@@ -30,15 +33,11 @@ impl ProvisionClient {
             // TODO(phlip9): should be bearer auth
             .basic_auth(&user_pk.to_string(), "");
 
-        let tls = tls::client_provision_tls_config(
-            proxy_ca,
-            expect_dummy_quote,
-            enclave_policy,
-        )?;
+        let tls = tls::client_tls_config(rng, proxy_ca, seed, attest_verifier)?;
 
         let client = Client::builder()
             .proxy(proxy)
-            .user_agent("lexe-provision-client")
+            .user_agent("lexe-client")
             .use_preconfigured_tls(tls)
             .build()
             .context("Failed to build client")?;
@@ -49,7 +48,7 @@ impl ProvisionClient {
         })
     }
 
-    pub async fn provision(&self, req: ProvisionRequest) -> Result<()> {
+    pub async fn provision(&self, req: ProvisionRequest) -> anyhow::Result<()> {
         let provision_url = &self.provision_url;
         let url = format!("{provision_url}/provision");