Encryption and One-Way-Control (#200)

This is a major rewrite of the core networking logic enabling one-way control and encryption through the webrtc-dtls crate. closes #164 closes #104
2026-03-30 16:40:52 +03:00 · 2024-11-09 13:54:43 +01:00
parent 0d074e19f1
commit 7677fae14b
38 changed files with 4003 additions and 1374 deletions
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -0,0 +1,71 @@
+use std::fs;
+use std::io::{self, BufWriter, Read, Write};
+use std::path::Path;
+use std::{fs::File, io::BufReader};
+
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
+
+use sha2::{Digest, Sha256};
+use thiserror::Error;
+use webrtc_dtls::crypto::Certificate;
+
+#[derive(Debug, Error)]
+pub enum Error {
+    #[error(transparent)]
+    Io(#[from] io::Error),
+    #[error(transparent)]
+    Dtls(#[from] webrtc_dtls::Error),
+}
+
+pub fn generate_fingerprint(cert: &[u8]) -> String {
+    let mut hash = Sha256::new();
+    hash.update(cert);
+    let bytes = hash
+        .finalize()
+        .iter()
+        .map(|x| format!("{x:02x}"))
+        .collect::<Vec<_>>();
+    bytes.join(":").to_lowercase()
+}
+
+pub fn certificate_fingerprint(cert: &Certificate) -> String {
+    let certificate = cert.certificate.first().expect("certificate missing");
+    generate_fingerprint(certificate)
+}
+
+/// load certificate from file
+pub fn load_certificate(path: &Path) -> Result<Certificate, Error> {
+    let f = File::open(path)?;
+
+    let mut reader = BufReader::new(f);
+    let mut pem = String::new();
+    reader.read_to_string(&mut pem)?;
+    Ok(Certificate::from_pem(pem.as_str())?)
+}
+
+pub(crate) fn load_or_generate_key_and_cert(path: &Path) -> Result<Certificate, Error> {
+    if path.exists() && path.is_file() {
+        Ok(load_certificate(path)?)
+    } else {
+        generate_key_and_cert(path)
+    }
+}
+
+pub(crate) fn generate_key_and_cert(path: &Path) -> Result<Certificate, Error> {
+    let cert = Certificate::generate_self_signed(["ignored".to_owned()])?;
+    let serialized = cert.serialize_pem();
+    let parent = path.parent().expect("is a path");
+    fs::create_dir_all(parent)?;
+    let f = File::create(path)?;
+    #[cfg(unix)]
+    {
+        let mut perm = f.metadata()?.permissions();
+        perm.set_mode(0o400); /* r-- --- --- */
+        f.set_permissions(perm)?;
+    }
+    /* FIXME windows permissions */
+    let mut writer = BufWriter::new(f);
+    writer.write_all(serialized.as_bytes())?;
+    Ok(cert)
+}