use anyhow::{bail, Ok, Result};
use reqwest::header::{HeaderMap, ACCEPT};
use rustls::{
cipher_suite::TLS13_AES_256_GCM_SHA384, version::TLS13, ClientConfig, OwnedTrustAnchor,
RootCertStore,
};
use serde::{Deserialize, Serialize};
/// Request body for a key-retrieval call to the KBS.
///
/// The example on `retreive_key_from_kbs` sends this value with `.json(..)`,
/// i.e. serialized through the derived `Serialize` implementation.
#[derive(Serialize, Deserialize, Debug)]
pub struct RetrieveKeyRequest {
    /// Raw quote bytes handed to the KBS.
    // NOTE(review): presumably the TEE attestation quote that the KBS verifies
    // before releasing a key -- confirm against the KBS API.
    // NOTE(review): serde's default encoding of `Vec<u8>` in JSON is an array
    // of integers, not base64; check which form the KBS endpoint expects.
    pub quote: Vec<u8>,
}
/// Response body returned by the KBS for a key-retrieval call.
///
/// `Debug` is derived, so formatting this value with `{:?}` prints both
/// fields in full; avoid doing that in logs that leave the guest.
#[derive(Serialize, Deserialize, Debug)]
pub struct RetrieveKeyResponse {
    /// The requested key in wrapped form, carried as text.
    // NOTE(review): the text encoding (base64, hex, ...) and the wrapping
    // scheme are not visible in this file -- confirm with the KBS provider.
    pub wrapped_key: String,
    /// Wrapped "swk", carried as text.
    // NOTE(review): presumably the symmetric wrapping key needed to unwrap
    // `wrapped_key` -- confirm.
    pub wrapped_swk: String,
}
/// Retrieves the key that encrypts the disk from a Key Broker Service (KBS).
///
/// This is a placeholder implementation: it performs no network I/O, ignores
/// all of its arguments and always returns an error. Integrators are expected
/// to replace the body with a client that follows their KBS provider's API.
///
/// # Errors
///
/// Always fails, with a message stating that the KBS client is a dummy.
///
/// # Example
///
/// A sketch of a possible body, built on this module's TLS and header
/// helpers. It is a fragment of an `async fn` that relies on private items,
/// not a standalone program, hence the `ignore` fence.
///
/// ```ignore
/// let url = format!("https://{}/key/{}", _domain_name, _keyid);
/// let tls_config = default_cipher_suite_with_version()?;
/// let builder = reqwest::ClientBuilder::new().use_preconfigured_tls(tls_config);
/// let client = builder.build()?;
/// let headers = default_request_headers()?;
/// let resp: RetrieveKeyResponse = client
///     .post(url)
///     .headers(headers)
///     .json(_req)
///     .send()
///     .await?
///     // Surface HTTP 4xx/5xx as an error instead of trying to decode the body.
///     .error_for_status()?
///     .json()
///     .await?;
/// Ok(resp)
/// ```
///
/// `_domain_name` and `_keyid` are interpolated into the URL unescaped; a
/// real client should validate them unless they are fixed, trusted values.
pub async fn retreive_key_from_kbs(
    _domain_name: &str,
    _keyid: String,
    _req: &RetrieveKeyRequest,
) -> Result<RetrieveKeyResponse> {
    // Fail on every call so a deployment that forgot to plug in a real KBS
    // client cannot proceed as if a key had been obtained.
    const DUMMY_CLIENT_ERROR: &str = "Panic: this is a dummy client of the KBS!\n \
        Please consult your KBS provider and implement it!";
    bail!(DUMMY_CLIENT_ERROR);
}
/// Builds the rustls client configuration intended for talking to the KBS.
///
/// The configuration is deliberately narrow: TLS 1.3 only, a single cipher
/// suite (`TLS13_AES_256_GCM_SHA384`), rustls' default key-exchange groups,
/// server certificates validated against `webpki_roots::TLS_SERVER_ROOTS`,
/// and no client certificate.
///
/// # Panics
///
/// Panics if rustls rejects the cipher-suite/protocol-version combination.
///
/// # Errors
///
/// The current body has no path that returns `Err`.
#[allow(unused)]
fn default_cipher_suite_with_version() -> Result<ClientConfig> {
    // Convert the static webpki trust anchors into the owned form that
    // `RootCertStore` accepts.
    // NOTE(review): this trusts every CA in the `webpki_roots` bundle for the
    // KBS host; if the provider runs its own CA, trusting only that CA would
    // narrow who can vouch for the server -- confirm with the KBS provider.
    let anchors = webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|anchor| {
        OwnedTrustAnchor::from_subject_spki_name_constraints(
            anchor.subject,
            anchor.spki,
            anchor.name_constraints,
        )
    });
    let mut trusted_roots = RootCertStore::empty();
    trusted_roots.add_server_trust_anchors(anchors);

    // The suite and the version are pinned together; a mismatch between the
    // two is what the `expect` below would report.
    let config = ClientConfig::builder()
        .with_cipher_suites(&[TLS13_AES_256_GCM_SHA384])
        .with_safe_default_kx_groups()
        .with_protocol_versions(&[&TLS13])
        .expect("inconsistent cipher-suite/versions selected")
        .with_root_certificates(trusted_roots)
        // The client presents no TLS certificate of its own.
        .with_no_client_auth();
    Ok(config)
}
/// Builds the default headers for a KBS request.
///
/// The map holds a single entry, `Accept: application/json`.
///
/// # Errors
///
/// Returns an error if the header value fails to parse.
#[allow(unused)]
fn default_request_headers() -> Result<HeaderMap> {
    let mut defaults = HeaderMap::new();
    // `parse` is the fallible conversion from text to a header value, hence the `?`.
    defaults.insert(ACCEPT, "application/json".parse()?);
    Ok(defaults)
}