diff --git a/common/Cargo.toml b/common/Cargo.toml new file mode 100644 index 0000000..9e99cbe --- /dev/null +++ b/common/Cargo.toml @@ -0,0 +1,13 @@ +[package] +name = "common" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +anyhow = "1.0.75" +serde = "1.0.92" +serde_derive = "1.0.92" +tokio = { version = "1", features = ["full"] } +tonic = { version = "0.8.1", features = ["tls", "transport"] } \ No newline at end of file diff --git a/common/src/lib.rs b/common/src/lib.rs new file mode 100644 index 0000000..dbdc4f3 --- /dev/null +++ b/common/src/lib.rs @@ -0,0 +1 @@ +pub mod tls; diff --git a/common/src/tls.rs b/common/src/tls.rs new file mode 100644 index 0000000..245abae --- /dev/null +++ b/common/src/tls.rs 
@@ -0,0 +1,48 @@ +use anyhow::bail; +use std::path::Path; +use tonic::transport::{Certificate, Identity}; + +#[derive(Clone)] +pub struct Config { + pub ca_cert: Certificate, + pub identity: Identity, +} + +impl Config { + pub async fn new( + ca_cert_path: String, + cert_path: String, + key_path: String, + ) -> anyhow::Result { + let (ca_cert, identity) = get_cert_and_identity(ca_cert_path, cert_path, key_path).await?; + Ok(Config { ca_cert, identity }) + } +} + +async fn get_cert_and_identity( + ca_cert_path: String, + cert_path: String, + key_path: String, +) -> anyhow::Result<(Certificate, Identity)> { + let ca_cert_path = Path::new(&ca_cert_path); + let cert_path = Path::new(&cert_path); + let key_path = Path::new(&key_path); + if !ca_cert_path.is_file() || !cert_path.is_file() || !key_path.is_file() { + bail!("both ca_cert_path, cert_path and key_path should be valid file") + } + + let ca_cert = tokio::fs::read(ca_cert_path) + .await + .unwrap_or_else(|err| panic!("Failed to read {:?}, err: {:?}", ca_cert_path, err)); + let ca_cert = Certificate::from_pem(ca_cert); + + let cert = tokio::fs::read(cert_path) + .await + .unwrap_or_else(|err| panic!("Failed to read {:?}, err: {:?}", cert_path, err)); + let key = tokio::fs::read(key_path) + .await + .unwrap_or_else(|err| panic!("Failed to read {:?}, err: {:?}", key_path, err)); + let identity = Identity::from_pem(cert, key); + + Ok((ca_cert, identity)) +} diff --git a/service/Cargo.toml b/service/Cargo.toml index 939670e..6f0e4d2 100644 --- a/service/Cargo.toml +++ b/service/Cargo.toml @@ -9,6 +9,7 @@ edition = "2021" prover = { path = "../prover" } stage = {path = "../stage"} executor = {path = "../executor"} +common = {path = "../common"} tonic = "0.8.1" prost = "0.11.0" tokio = { version = "1.21.0", features = ["macros", "rt-multi-thread", "signal"] } 
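Review bot: `get_cert_and_identity` returns `anyhow::Result` but aborts the process on a read failure through `unwrap_or_else(|err| panic!(...))`, and the `is_file()` pre-check in front of it only adds a check-then-read window while its `bail!` message names all three paths, so an operator cannot tell which file is missing. Dropping the pre-check and propagating each read with `?` plus `with_context` naming the path gives callers (`Config::new`, and through it `main.rs` and the stage example) a recoverable error that points at the right file. `with_context` needs `use anyhow::Context;` in place of the then-unused `bail` import.
```rust
async fn get_cert_and_identity(
    ca_cert_path: String,
    cert_path: String,
    key_path: String,
) -> anyhow::Result<(Certificate, Identity)> {
    // Read each PEM file, naming the offending path on failure so an operator
    // can tell which of the three is missing or unreadable.
    let ca_cert = read_pem(&ca_cert_path).await?;
    let cert = read_pem(&cert_path).await?;
    let key = read_pem(&key_path).await?;
    Ok((Certificate::from_pem(ca_cert), Identity::from_pem(cert, key)))
}

/// Reads `path` fully, attaching the path to any I/O error.
async fn read_pem(path: &str) -> anyhow::Result<Vec<u8>> {
    tokio::fs::read(path)
        .await
        .with_context(|| format!("failed to read PEM file {path}"))
}
```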
@@ -21,5 +22,6 @@ env_logger = "0.10" toml = "0.5.1" lazy_static = "1.4" clap = "4.5.2" +anyhow = "1.0.75" [build-dependencies] tonic-build = "0.8.0" \ No newline at end of file diff --git a/service/config/README.md b/service/config/README.md new file mode 100644 index 0000000..945560b --- /dev/null +++ b/service/config/README.md @@ -0,0 +1,19 @@ +# README + +## Description + +The script file `gen_config.sh` allow you generate multi prover toml in a easy way. + +First, you should set these variables according to your environment. + +- provers +- stage +- snarks +- tls +- base_dir + +Then you can run this script in below way. + +```bash +bash gen_config.sh +``` \ No newline at end of file diff --git a/service/config/gen_config.sh b/service/config/gen_config.sh new file mode 100755 index 0000000..5ebbcd9 --- /dev/null +++ b/service/config/gen_config.sh 
@@ -0,0 +1,96 @@ +#!/bin/bash + +# You should provide some variable to use this config bash +provers=("localhost:50001" "localhost:50002") +stage="localhost:50000" +snarks=("localhost:50051") +tls=false +base_dir="/tmp/zkm/test/test_proof" + +# Generate tls certs +if [ "$tls" = true ]; then + IFS=':' read -r host port <<< "$stage" + cd ./../../tools/certs + bash certgen.sh --cn stage --ssl-dns $host + rm -rf stage.csr + id=1 + for prover in "${provers[@]}"; do + prover_name="prover${id}" + IFS=':' read -r host port <<< "$prover" + bash certgen.sh --cn $prover_name --ssl-dns ${host} + rm -rf ${prover_name}.csr + ((id++)) + done + bash certgen.sh --cn client --ssl-dns localhost + rm -rf client.csr + rm -rf ca.srl + rm -rf openssl.cnf + cd - +fi + +# Generate stage toml +# Read templeta content first +if [ "$tls" = true ]; then + stage_template_content=$(cat stage_tls.toml.template) +else + stage_template_content=$(cat stage.toml.template) +fi +stage_config="$stage_template_content" +IFS=':' read -r host port <<< "$stage" +stage_config="${stage_config//\{\{addr\}\}/0.0.0.0:${port}}" +# generate prover addrs +prover_addrs="" +for prover in "${provers[@]}"; do + if [ -z "$prover_addrs" ]; then + prover_addrs="$prover\"" + else + prover_addrs="$prover_addrs, \"$prover" + fi +done +stage_config="${stage_config//\{\{prover_addrs\}\}/\"${prover_addrs}\"}" +# generate snark addrs +snark_addrs="" +for snark in "${snarks[@]}"; do + if [ -z "$snark_addrs" ]; then + snark_addrs="$snark\"" + else + snark_addrs="$snark_addrs, \"$snark" + fi +done +stage_config="${stage_config//\{\{snark_addrs\}\}/\"${snark_addrs}\"}" +stage_config="${stage_config//\{\{base_dir\}\}/${base_dir}}" +if [ "$tls" = true ]; then + echo "$stage_config" > stage_tls.toml +else + echo "$stage_config" > stage.toml +fi + +# Generate provers toml +# Read templeta content first +if [ "$tls" = true ]; then + prover_template_content=$(cat prover_tls.toml.template) +else + prover_template_content=$(cat 
prover.toml.template) +fi + +id=1 +for prover in "${provers[@]}"; do + if [ "$tls" = true ]; then + prover_path="prover${id}_tls.toml" + else + prover_path="prover${id}.toml" + fi + IFS=':' read -r host port <<< "$prover" + prover_config="$prover_template_content" + addr="0.0.0.0:${port}" + prover_config="${prover_config//\{\{addr\}\}/${addr}}" + prover_config="${prover_config//\{\{prover_addrs\}\}/\"${addr}\"}" + prover_config="${prover_config//\{\{base_dir\}\}/${base_dir}}" + prover_config="${prover_config//\{\{prover_name\}\}/prover${id}}" + if [ "$tls" = true ]; then + echo "$prover_config" > "prover${id}_tls.toml" + else + echo "$prover_config" > "prover${id}.toml" + fi + ((id++)) +done diff --git a/service/config/prover.toml.template b/service/config/prover.toml.template new file mode 100644 index 0000000..021ec64 --- /dev/null +++ b/service/config/prover.toml.template @@ -0,0 +1,4 @@ +addr = "{{addr}}" +prover_addrs = [{{prover_addrs}}] +snark_addrs = [] +base_dir = "{{base_dir}}" \ No newline at end of file diff --git a/service/config/prover1.toml b/service/config/prover1.toml deleted file mode 100644 index 964c609..0000000 --- a/service/config/prover1.toml +++ /dev/null @@ -1,4 +0,0 @@ -addr = "0.0.0.0:50001" -prover_addrs = ["127.0.0.1:50001"] -snark_addrs = [] -base_dir = "/tmp/zkm/test/test_proof" \ No newline at end of file diff --git a/service/config/prover2.toml b/service/config/prover2.toml deleted file mode 100644 index 8910d91..0000000 --- a/service/config/prover2.toml +++ /dev/null @@ -1,4 +0,0 @@ -addr = "0.0.0.0:50002" -prover_addrs = ["127.0.0.1:50002"] -snark_addrs = [] -base_dir = "/tmp/zkm/test/test_proof" \ No newline at end of file diff --git a/service/config/prover_tls.toml.template b/service/config/prover_tls.toml.template new file mode 100644 index 0000000..f51d074 --- /dev/null +++ b/service/config/prover_tls.toml.template 
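Review bot: The TLS block runs `cd ./../../tools/certs` and then `bash certgen.sh` and several `rm -rf` calls without checking that the `cd` succeeded, and the script never sets `set -e`, so a wrong working directory silently generates the key material and deletes `*.csr`, `ca.srl` and `openssl.cnf` inside `service/config` instead. I would add `set -euo pipefail` after the shebang and write `cd ./../../tools/certs || exit 1`, or wrap the block in a subshell `( cd ./../../tools/certs && ... )` so the bare `cd -` (which also echoes the directory and depends on `OLDPWD`) is not needed. The `$host` arguments to `certgen.sh` should be quoted as well, matching the quoting already used for `$tls` and `$prover`.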
@@ -0,0 +1,7 @@ +addr = "{{addr}}" +prover_addrs = [{{prover_addrs}}] +snark_addrs = [] +base_dir = "{{base_dir}}" +ca_cert_path = "tools/certs/ca.pem" +cert_path = "tools/certs/{{prover_name}}.pem" +key_path = "tools/certs/{{prover_name}}.key" \ No newline at end of file diff --git a/service/config/stage.toml b/service/config/stage.toml deleted file mode 100644 index 31c09a2..0000000 --- a/service/config/stage.toml +++ /dev/null @@ -1,4 +0,0 @@ -addr = "0.0.0.0:50000" -prover_addrs = ["127.0.0.1:50001", "127.0.0.1:50002"] -snark_addrs = ["127.0.0.1:50051"] -base_dir = "/tmp/zkm/test/test_proof" \ No newline at end of file diff --git a/service/config/stage.toml.template b/service/config/stage.toml.template new file mode 100644 index 0000000..1cd2493 --- /dev/null +++ b/service/config/stage.toml.template @@ -0,0 +1,4 @@ +addr = "{{addr}}" +prover_addrs = [{{prover_addrs}}] +snark_addrs = [{{snark_addrs}}] +base_dir = "{{base_dir}}" \ No newline at end of file diff --git a/service/config/stage_tls.toml.template b/service/config/stage_tls.toml.template new file mode 100644 index 0000000..90c456c --- /dev/null +++ b/service/config/stage_tls.toml.template @@ -0,0 +1,7 @@ +addr = "{{addr}}" +prover_addrs = [{{prover_addrs}}] +snark_addrs = [{{snark_addrs}}] +base_dir = "{{base_dir}}" +ca_cert_path = "tools/certs/ca.pem" +cert_path = "tools/certs/stage.pem" +key_path = "tools/certs/stage.key" \ No newline at end of file diff --git a/service/examples/README.md b/service/examples/README.md index 15d95a6..e8bfe36 100644 --- a/service/examples/README.md +++ b/service/examples/README.md @@ -28,6 +28,7 @@ cargo build --release * Start prover_server. ``` +# use prover1_tls.toml and prover2_tls.toml instead if tls is enabled $ ./target/release/service --config ./service/config/prover1.toml $ ./target/release/service --config ./service/config/prover2.toml ``` 
@@ -35,12 +36,14 @@ $ ./target/release/service --config ./service/config/prover2.toml * Start stage_server. ``` +# use stage_tls.toml instead if tls is enabled ./target/release/service --config ./service/config/stage.toml ``` * Start example stage ``` +# set CA_CERT_PATH, CERT_PATH and KEY_PATH if tls is enabled cargo run --release --example stage ``` diff --git a/service/examples/stage.rs b/service/examples/stage.rs index d8b301c..2167d01 100644 --- a/service/examples/stage.rs +++ b/service/examples/stage.rs @@ -1,11 +1,12 @@ +use common::tls::Config; use stage_service::stage_service_client::StageServiceClient; use stage_service::{BlockFileItem, GenerateProofRequest}; - use std::env; use std::fs; use std::path::Path; - use std::time::Instant; +use tonic::transport::ClientTlsConfig; +use tonic::transport::Endpoint; pub mod stage_service { tonic::include_proto!("stage.v1"); @@ -17,8 +18,17 @@ async fn main() -> Result<(), Box> { let block_path = env::var("BLOCK_PATH").unwrap_or("/tmp/zkm/test/0_13284491".to_string()); let block_no = env::var("BLOCK_NO").unwrap_or("13284491".to_string()); let block_no = block_no.parse::<_>().unwrap_or(13284491); - let seg_size = env::var("SEG_SIZE").unwrap_or("262144".to_string()); - let seg_size = seg_size.parse::<_>().unwrap_or(262144); + let seg_size = env::var("SEG_SIZE").unwrap_or("16384".to_string()); + let seg_size = seg_size.parse::<_>().unwrap_or(16384); + let endpoint = env::var("ENDPOINT").unwrap_or("http://127.0.0.1:50000".to_string()); + let ca_cert_path = env::var("CA_CERT_PATH").unwrap_or("".to_string()); + let cert_path = env::var("CERT_PATH").unwrap_or("".to_string()); + let key_path = env::var("KEY_PATH").unwrap_or("".to_string()); + let ssl_config = if ca_cert_path.is_empty() { + None + } else { + Some(Config::new(ca_cert_path, cert_path, key_path).await?) + }; let elf_data = prover::provers::read_file_bin(&elf_path).unwrap(); let mut block_data = Vec::new(); 
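Review bot: The `SEG_SIZE` default drops from 262144 to 16384 in both the `env::var` fallback and the `parse` fallback, which is a behavioural change unrelated to the TLS work and not mentioned in the commit; either split it out or state the reason in the description. The new path variables use `unwrap_or("".to_string())`, which allocates eagerly and reads as the idiom `unwrap_or_default()`. Because only `CA_CERT_PATH` decides whether TLS is attempted, a one-line comment such as `// CA_CERT_PATH alone toggles TLS; CERT_PATH and KEY_PATH must then also be set` would make the contract visible to anyone reading the README's "set CA_CERT_PATH, CERT_PATH and KEY_PATH" hint. The enclosing `main` continues outside the hunk.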
@@ -47,7 +57,16 @@ async fn main() -> Result<(), Box> { }; println!("request: {:?}", request.proof_id.clone()); let start = Instant::now(); - let mut stage_client = StageServiceClient::connect("http://127.0.0.1:50000").await?; + let endpoint = match ssl_config { + Some(config) => { + let tls_config = ClientTlsConfig::new() + .ca_certificate(config.ca_cert) + .identity(config.identity); + Endpoint::new(endpoint)?.tls_config(tls_config)? + } + None => Endpoint::new(endpoint)?, + }; + let mut stage_client = StageServiceClient::connect(endpoint).await?; let response = stage_client.generate_proof(request).await?.into_inner(); println!("response: {:?}", response); let end = Instant::now(); diff --git a/service/src/config.rs b/service/src/config.rs index 84d002b..ecad0b8 100644 --- a/service/src/config.rs +++ b/service/src/config.rs @@ -11,12 +11,15 @@ pub fn instance() -> &'static Mutex { INSTANCE.get_or_init(|| Mutex::new(RuntimeConfig::new())) } -#[derive(Debug, Deserialize)] +#[derive(Debug, Deserialize, Clone)] pub struct RuntimeConfig { pub addr: String, pub prover_addrs: Vec, pub snark_addrs: Vec, pub base_dir: String, + pub ca_cert_path: Option, + pub cert_path: Option, + pub key_path: Option, } impl RuntimeConfig { @@ -26,6 +29,9 @@ impl RuntimeConfig { prover_addrs: ["0.0.0.0:50000".to_string()].to_vec(), snark_addrs: ["0.0.0.0:50000".to_string()].to_vec(), base_dir: "/tmp".to_string(), + ca_cert_path: None, + cert_path: None, + key_path: None, } } @@ -50,6 +56,17 @@ impl RuntimeConfig { return None; } }; + // both of ca_cert_path, cert_path, key_path should be some or none + if (config.ca_cert_path.is_some() + || config.cert_path.is_some() + || config.key_path.is_some()) + && (config.ca_cert_path.is_none() + || config.cert_path.is_none() + || config.key_path.is_none()) + { + error!("both of ca_cert_path, cert_path, key_path should be some or none"); + return None; + } instance().lock().unwrap().addr.clone_from(&config.addr); instance() .lock() 
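Review bot: `Endpoint::new(endpoint)?` is repeated in both arms of the `match`, and the TLS branch reads more directly as a conditional on a single binding: `let mut endpoint = Endpoint::new(endpoint)?;` followed by `if let Some(config) = ssl_config { endpoint = endpoint.tls_config(ClientTlsConfig::new().ca_certificate(config.ca_cert).identity(config.identity))?; }`. Separately, the default `ENDPOINT` of `http://127.0.0.1:50000` is kept even when `ssl_config` is `Some`; I could not confirm from this page whether tonic 0.8 negotiates TLS on a non-`https` URI or silently stays in plaintext, so that is worth verifying and the README line about the TLS variables should state that `ENDPOINT` must use `https://` in that mode. `main` continues outside the hunk.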
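Review bot: The all-or-none check on the three TLS paths is correct but hard to read as two three-way `||` chains joined by `&&`; a tuple pattern states the rule directly: `if !matches!((&config.ca_cert_path, &config.cert_path, &config.key_path), (Some(_), Some(_), Some(_)) | (None, None, None)) { error!("both of ca_cert_path, cert_path, key_path should be some or none"); return None; }`. The `error!` text could also name which field is missing, since this is the message an operator sees when a TLS template was only partially filled in. The enclosing function starts and ends outside the hunk.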
@@ -66,6 +83,21 @@ impl RuntimeConfig { .unwrap() .snark_addrs .clone_from(&config.snark_addrs); + instance() + .lock() + .unwrap() + .ca_cert_path + .clone_from(&config.ca_cert_path); + instance() + .lock() + .unwrap() + .cert_path + .clone_from(&config.cert_path); + instance() + .lock() + .unwrap() + .key_path + .clone_from(&config.key_path); Some(config) } } diff --git a/service/src/main.rs b/service/src/main.rs index 65f8097..6eea15b 100644 --- a/service/src/main.rs +++ b/service/src/main.rs @@ -1,9 +1,11 @@ use clap::Parser; use prover_node::ProverNode; +use common::tls::Config as TlsConfig; use prover_service::prover_service::prover_service_server::ProverServiceServer; use stage_service::stage_service::stage_service_server::StageServiceServer; use tonic::transport::Server; +use tonic::transport::ServerTlsConfig; mod config; mod prover_client; 
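Review bot: Each of the three new fields is mirrored into the global with its own `instance().lock().unwrap()` acquisition, adding to the per-field lock/unlock chains already present above the hunk, so the global is updated field by field under separately held locks rather than atomically. Since `RuntimeConfig` now derives `Clone` (hunk at `@@ -11,12 +11,15 @@`), a single `*instance().lock().unwrap() = config.clone();` would replace the whole chain, assuming every field of `config` is meant to be copied into the global, which I cannot confirm from the visible lines. The enclosing function starts outside the hunk.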
@@ -28,19 +30,39 @@ async fn main() -> Result<(), Box> { let nodes_lock = crate::prover_node::instance(); { let mut nodes_data = nodes_lock.lock().unwrap(); - for node in runtime_config.prover_addrs { - nodes_data.add_node(ProverNode::new(&node)); + for node in &runtime_config.prover_addrs { + nodes_data.add_node(ProverNode::new(node)); } - for node in runtime_config.snark_addrs { - nodes_data.add_snark_node(ProverNode::new(&node)); + for node in &runtime_config.snark_addrs { + nodes_data.add_snark_node(ProverNode::new(node)); } } let prover = prover_service::ProverServiceSVC::default(); - let stage = stage_service::StageServiceSVC::default(); - Server::builder() - .add_service(ProverServiceServer::new(prover)) - .add_service(StageServiceServer::new(stage)) - .serve(addr) + let stage = stage_service::StageServiceSVC::new(runtime_config.clone()).await?; + if runtime_config.ca_cert_path.is_some() { + let tls_config = TlsConfig::new( + runtime_config.ca_cert_path.unwrap(), + runtime_config.cert_path.unwrap(), + runtime_config.key_path.unwrap(), + ) .await?; + Server::builder() + .tls_config( + ServerTlsConfig::new() + .identity(tls_config.identity) + .client_ca_root(tls_config.ca_cert), + )? + .add_service(ProverServiceServer::new(prover)) + .add_service(StageServiceServer::new(stage)) + .serve(addr) + .await?; + } else { + Server::builder() + .add_service(ProverServiceServer::new(prover)) + .add_service(StageServiceServer::new(stage)) + .serve(addr) + .await?; + } + Ok(()) } diff --git a/service/src/prover_client.rs b/service/src/prover_client.rs index 040ac80..1169c94 100644 --- a/service/src/prover_client.rs +++ b/service/src/prover_client.rs @@ -1,3 +1,4 @@ +use common::tls::Config as TlsConfig; use prover_service::prover_service_client::ProverServiceClient; use prover_service::AggregateAllRequest; use prover_service::FinalProofRequest; 
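Review bot: The three `.unwrap()` calls on `ca_cert_path`, `cert_path` and `key_path` rely on the all-or-none validation performed in `config.rs`, an invariant that lives in another file and does not hold for a `RuntimeConfig` built any other way; a tuple `if let` keeps the guard local and lets the two near-identical `Server::builder()` chains collapse into one. The same three files are also read a second time by `StageServiceSVC::new` (stage_service.rs, `@@ -27,8 +28,27 @@`), so passing the already-built `TlsConfig` in, or having one helper produce it, would avoid loading the key twice. A comment should state what `client_ca_root` buys here, namely that peers must present a certificate signed by that CA, which I believe is tonic 0.8's behaviour but is worth confirming against the crate since it is the property the prover and stage peers depend on.
```rust
    let stage = stage_service::StageServiceSVC::new(runtime_config.clone()).await?;
    let mut builder = Server::builder();
    // Enable TLS only when the config carries all three paths;
    // RuntimeConfig's loader rejects partial sets, so this is all-or-none.
    if let (Some(ca), Some(cert), Some(key)) = (
        runtime_config.ca_cert_path,
        runtime_config.cert_path,
        runtime_config.key_path,
    ) {
        let tls = TlsConfig::new(ca, cert, key).await?;
        builder = builder.tls_config(
            ServerTlsConfig::new()
                .identity(tls.identity)
                .client_ca_root(tls.ca_cert),
        )?;
    }
    builder
        .add_service(ProverServiceServer::new(prover))
        .add_service(StageServiceServer::new(stage))
        .serve(addr)
        .await?;
    Ok(())
```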
@@ -5,6 +6,7 @@ use prover_service::GetTaskResultRequest; use prover_service::ProveRequest; use prover_service::SplitElfRequest; use prover_service::{get_status_response, GetStatusRequest}; +use tonic::transport::ClientTlsConfig; use stage::tasks::{ AggAllTask, FinalTask, ProveTask, SplitTask, TASK_STATE_FAILED, TASK_STATE_PROCESSING, @@ -28,10 +30,12 @@ pub fn get_nodes() -> Vec { nodes_data.get_nodes() } -pub async fn get_idle_client() -> Option> { +pub async fn get_idle_client( + tls_config: Option, +) -> Option> { let nodes: Vec = get_nodes(); for node in nodes { - let client = is_active(&node.addr).await; + let client = is_active(&node.addr, tls_config.clone()).await; if let Some(client) = client { return Some(client); } @@ -46,10 +50,12 @@ pub fn get_snark_nodes() -> Vec { nodes_data.get_snark_nodes() } -pub async fn get_snark_client() -> Option> { +pub async fn get_snark_client( + tls_config: Option, +) -> Option> { let nodes: Vec = get_snark_nodes(); for node in nodes { - let client = is_active(&node.addr).await; + let client = is_active(&node.addr, tls_config.clone()).await; if let Some(client) = client { return Some(client); } @@ -58,12 +64,21 @@ pub async fn get_snark_client() -> Option> { None } -pub async fn is_active(addr: &String) -> Option> { +pub async fn is_active( + addr: &String, + tls_config: Option, +) -> Option> { let uri = format!("grpc://{}", addr).parse::().unwrap(); - let endpoint = tonic::transport::Channel::builder(uri) + let mut endpoint = tonic::transport::Channel::builder(uri) .connect_timeout(Duration::from_secs(5)) .timeout(Duration::from_secs(TASK_TIMEOUT)) .concurrency_limit(256); + if let Some(config) = tls_config { + let tls_config = ClientTlsConfig::new() + .ca_certificate(config.ca_cert) + .identity(config.identity); + endpoint = endpoint.tls_config(tls_config).unwrap(); + } let client = ProverServiceClient::connect(endpoint).await; if let Ok(mut client) = client { let request = GetStatusRequest {}; 
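Review bot: In `is_active` the new `endpoint.tls_config(tls_config).unwrap()` panics the whole service on a TLS configuration error, while every other failure in this function yields `None`; `endpoint = endpoint.tls_config(tls_config).ok()?;` keeps the existing contract. The URI is still built as `format!("grpc://{}", addr)` even when TLS is requested, and I could not confirm from this page whether tonic 0.8 applies the configured TLS to a non-`https` scheme or silently connects in plaintext, so that deserves a test or a comment. The `addr: &String` parameter would be `&str` per convention, and `get_idle_client`/`get_snark_client` clone the full `TlsConfig` (certificate and key bytes) once per node probed, which could be a borrow instead. `is_active` continues outside the hunk.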
@@ -93,9 +108,9 @@ pub fn result_code_to_state(code: i32) -> u32 { } } -pub async fn split(mut split_task: SplitTask) -> Option { +pub async fn split(mut split_task: SplitTask, tls_config: Option) -> Option { split_task.state = TASK_STATE_UNPROCESSED; - let client = get_idle_client().await; + let client = get_idle_client(tls_config).await; if let Some(mut client) = client { let request = SplitElfRequest { chain_id: 0, @@ -124,9 +139,9 @@ pub async fn split(mut split_task: SplitTask) -> Option { Some(split_task) } -pub async fn prove(mut prove_task: ProveTask) -> Option { +pub async fn prove(mut prove_task: ProveTask, tls_config: Option) -> Option { prove_task.state = TASK_STATE_UNPROCESSED; - let client = get_idle_client().await; + let client = get_idle_client(tls_config).await; if let Some(mut client) = client { let request = ProveRequest { chain_id: 0, @@ -156,9 +171,12 @@ pub async fn prove(mut prove_task: ProveTask) -> Option { Some(prove_task) } -pub async fn aggregate_all(mut agg_all_task: AggAllTask) -> Option { +pub async fn aggregate_all( + mut agg_all_task: AggAllTask, + tls_config: Option, +) -> Option { agg_all_task.state = TASK_STATE_UNPROCESSED; - let client = get_idle_client().await; + let client = get_idle_client(tls_config).await; if let Some(mut client) = client { let request = AggregateAllRequest { chain_id: 0, @@ -190,8 +208,11 @@ pub async fn aggregate_all(mut agg_all_task: AggAllTask) -> Option { Some(agg_all_task) } -pub async fn final_proof(mut final_task: FinalTask) -> Option { - let client = get_snark_client().await; +pub async fn final_proof( + mut final_task: FinalTask, + _tls_config: Option, +) -> Option { + let client = get_snark_client(None).await; if let Some(mut client) = client { let request = FinalProofRequest { chain_id: 0, diff --git a/service/src/stage_service.rs b/service/src/stage_service.rs index b913674..a4957b2 100644 --- a/service/src/stage_service.rs +++ b/service/src/stage_service.rs 
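Review bot: `final_proof` discards its new `_tls_config` parameter and calls `get_snark_client(None)`, so the stage-to-snark leg stays plaintext and unauthenticated even when the operator has configured TLS, while `split`, `prove` and `aggregate_all` in the same file forward the config. If this is intentional because the snark nodes do not yet terminate TLS, the caller in stage_service.rs (which still passes `tls_config`) and this function should say so, e.g. `// snark nodes do not support TLS yet; connect in plaintext regardless of tls_config`; otherwise pass it through as the siblings do. Each of these functions continues outside its hunk.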
@@ -1,3 +1,4 @@ +use common::tls::Config as TlsConfig; use stage_service::stage_service_server::StageService; use stage_service::{GenerateProofRequest, GenerateProofResponse}; use stage_service::{GetStatusRequest, GetStatusResponse}; @@ -27,8 +28,27 @@ lazy_static! { static ref GLOBAL_TASKMAP: Mutex> = Mutex::new(HashMap::new()); } -#[derive(Debug, Default)] -pub struct StageServiceSVC {} +pub struct StageServiceSVC { + tls_config: Option, +} + +impl StageServiceSVC { + pub async fn new(config: config::RuntimeConfig) -> anyhow::Result { + let tls_config = if config.ca_cert_path.is_some() { + Some( + TlsConfig::new( + config.ca_cert_path.unwrap(), + config.cert_path.unwrap(), + config.key_path.unwrap(), + ) + .await?, + ) + } else { + None + }; + Ok(StageServiceSVC { tls_config }) + } +} #[tonic::async_trait] impl StageService for StageServiceSVC { @@ -129,8 +149,9 @@ impl StageService for StageServiceSVC { let split_task = stage.get_split_task(); if let Some(split_task) = split_task { let tx = tx.clone(); + let tls_config = self.tls_config.clone(); tokio::spawn(async move { - let response = prover_client::split(split_task).await; + let response = prover_client::split(split_task, tls_config).await; if let Some(split_task) = response { tx.send(Task::Split(split_task)).await.unwrap(); } @@ -139,8 +160,9 @@ impl StageService for StageServiceSVC { let prove_task = stage.get_prove_task(); if let Some(prove_task) = prove_task { let tx = tx.clone(); + let tls_config = self.tls_config.clone(); tokio::spawn(async move { - let response = prover_client::prove(prove_task).await; + let response = prover_client::prove(prove_task, tls_config).await; if let Some(prove_task) = response { tx.send(Task::Prove(prove_task)).await.unwrap(); } 
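Review bot: `StageServiceSVC::new` duplicates the `is_some()` guard plus three `.unwrap()` calls from `main.rs` and loads the same PEM files a second time; a single `RuntimeConfig` helper returning `anyhow::Result<Option<TlsConfig>>`, or a constructor that accepts an already-built `Option<TlsConfig>`, would remove both the duplication and the unwraps. Inside the constructor, `if let (Some(ca), Some(cert), Some(key)) = (config.ca_cert_path, config.cert_path, config.key_path)` expresses the all-or-none rule without relying on validation done elsewhere. The struct also loses its `Debug` derive here; if `TlsConfig` cannot derive it (that depends on tonic's `Certificate`/`Identity`, not visible here), a manual `impl Debug` that prints only whether TLS is enabled keeps the type loggable without dumping key material.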
@@ -149,8 +171,9 @@ impl StageService for StageServiceSVC { let agg_task = stage.get_agg_all_task(); if let Some(agg_task) = agg_task { let tx = tx.clone(); + let tls_config = self.tls_config.clone(); tokio::spawn(async move { - let response = prover_client::aggregate_all(agg_task).await; + let response = prover_client::aggregate_all(agg_task, tls_config).await; if let Some(agg_task) = response { tx.send(Task::Agg(agg_task)).await.unwrap(); } @@ -159,8 +182,9 @@ impl StageService for StageServiceSVC { let final_task = stage.get_final_task(); if let Some(final_task) = final_task { let tx = tx.clone(); + let tls_config = self.tls_config.clone(); tokio::spawn(async move { - let response = prover_client::final_proof(final_task).await; + let response = prover_client::final_proof(final_task, tls_config).await; if let Some(final_task) = response { tx.send(Task::Final(final_task)).await.unwrap(); } diff --git a/tools/certs/ca.key b/tools/certs/ca.key new file mode 100644 index 0000000..13a667b --- /dev/null +++ b/tools/certs/ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjQp/xn07gjnHE +8BUHZ8Ouiibq1Dj3mLVudWhU+oB9N57GJVmcXGHP7iAzvgJPrHARVgn25gYmEF/X +pqsGh5omtghD7NgNSk7/XlazdmelC3rgbk+r7nDzZW6eNKVOqJusHMEFAotylsEo +5RKCVtm34LE2HHgvTyGAdOzqKrJC7FRhSVeCOCqnAm60MjbkBUP8smNeyBqQwfcJ +0/gu0zNP4jxiTbN0E5AyLalKu12a2b8HepqGj2CmPWRRdclzAaMp0l+0E1WSncxq +UiRjl312gwBIMFi/GeT6i5zqV+iIqkLRnK7VyTLlA1vYXd0z8vdzTxS59hGHVzVM +IyoD3pcZAgMBAAECggEADEUyg3zZVy4JjbdMI1B4j/aU7ncZGX3WHAlRuDpUHCUp +JyQRQDvew5uWesEUCCQyD5F/gfmfmm6GX41Iox7ftntds2o6gkQ0nAOdgVM7vrc2 +SuYrkYTkIxz7Y4NaLcdlHNpT5QIgFDKRrbbKzXZE2om2E/avj0Gzp0WSdVaUa4xc +GcSSnS9NPvYY7fXwyPYeOC1bsmL6UpblvnLN9J5WxVq8g8wxyH29V3sa9QoBJ558 +Hb3LPLFxwfWhr3NYVRdmrf1dqxYH8ACqzD65870IxlJp25sAcSlOd+c10gfQwoN+ +Va0pWv3Sb/fKrHsYe08yLMlcQx354/O09E4n1QfxAQKBgQDUe3+tK5OIwRAAK+W9 +Y71voCNmOTRmDHQGvkTNor9iKtKfRIXWSG3drUG8Byg42OKqRfXq4sQ7NAzSBDIf +FCmcv5vz64pHdv5kLsCZZpIV2pEpI5xkegmEGlVm7eRB8GZ5NlS6ZXj6ApPYp395 +e9E+DOmdRx1w7MhJEb6/XqqHAQKBgQDEsmWXQD2WGyzz4R76mCkn8D4ZafbpMc4h +6Vcu5BQby0iYlh67l7y0QV9PcK0qYJlreWqzXpugPMy0QxAh6XNR0GVU30hhPl4l +VBDrMur9HFqb3C4i649UN0o3JJ0IQS8GkZTwNuZc+k4qE0nb3dQ4W7HOWUuoC88i +R4x5ZV9oGQKBgQDB3NPGmaWH9i21GlgIDcI+4CqsD7FBEkeiB2MbA0v+MvfsHEbI +FVk4EeWRui32f9t+Y0pVvgQvx/OSggWA2ZKF00RkrhiBz42Wthk/XJgYnEwo7ra3 +7ahVAPm+aXoCt2WnXey8C+zunf9qgpgJrPBh3sIen027RC4QjMIuNB7+AQKBgG7q +mlb8Jr5qfKLZo3p0K2EWHC6AjndZWn/M8RjEDILP0xQYMyRdoE+VPYWyaDOpXVo5 +kW2sP93P6y8LUiGNXzYXacy+TDZp0PUDvraic9hfEMkrE+klJCG9O+B0iQiKmVX+ +6hm7G5P6ofEgB1owcOeG7XEK8ZrFbfxKlHAwNeihAoGAWQ9S6BlJ864sP8sUyFaY +Wh4Es4pLod1QBB9KgXO89q6c7yMPmauyKIAiYZPGzTAuKK+tgwFAJRBHeE3Ll8U0 +Oa2DsnKTiAIFvYhsFjJdCYWXev8st7+F78x6VHBmOqGkupOYf1MFemIArAhkHhzs +h6Hq4hqK5yUCwYYqT3qvd2E= +-----END PRIVATE KEY----- diff --git a/tools/certs/ca.pem b/tools/certs/ca.pem new file mode 100644 index 0000000..759e691 --- /dev/null +++ b/tools/certs/ca.pem 
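Review bot: This commit adds a CA private key, `tools/certs/ca.key`, to the repository, together with its certificate `tools/certs/ca.pem` in the next hunk, and the `*_tls.toml` templates point every stage and prover at that `ca.pem` by default, so anyone with read access to the repository can mint certificates that those nodes accept as a trusted peer. The key should be treated as compromised: remove it (and purge it from history), add `tools/certs/*.key` and the generated `*.pem`/`*.csr`/`ca.srl` to `.gitignore`, and have `gen_config.sh`/`certgen.sh` produce a fresh CA per deployment instead. If a fixture CA is needed for tests, name it as such in its path and README and never reference it from the runtime config templates.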
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCzCCAfOgAwIBAgIULSqN37UVXR26pJl0tLAPmiTr1xUwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKY2EtcHJvdmVyMTAeFw0yNDAzMjYxNjQ5NDhaFw0zNDAz +MjQxNjQ5NDhaMBUxEzARBgNVBAMMCmNhLXByb3ZlcjEwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCjQp/xn07gjnHE8BUHZ8Ouiibq1Dj3mLVudWhU+oB9 +N57GJVmcXGHP7iAzvgJPrHARVgn25gYmEF/XpqsGh5omtghD7NgNSk7/Xlazdmel +C3rgbk+r7nDzZW6eNKVOqJusHMEFAotylsEo5RKCVtm34LE2HHgvTyGAdOzqKrJC +7FRhSVeCOCqnAm60MjbkBUP8smNeyBqQwfcJ0/gu0zNP4jxiTbN0E5AyLalKu12a +2b8HepqGj2CmPWRRdclzAaMp0l+0E1WSncxqUiRjl312gwBIMFi/GeT6i5zqV+iI +qkLRnK7VyTLlA1vYXd0z8vdzTxS59hGHVzVMIyoD3pcZAgMBAAGjUzBRMB0GA1Ud +DgQWBBRSls/+/J9oo3WU2r75jNFFQu85XTAfBgNVHSMEGDAWgBRSls/+/J9oo3WU +2r75jNFFQu85XTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAy +Wkbie0RuepmkHmUJhounjMuscOBRQZSL89AI7bnrqP20ydq4HS6EY13U0VNzH/2m +uAt4Mqd91e3cnZ9bJUiNdxITwrKrLRmLI8NCldRoJ5C8IaT6roMapFQ/uRxwjCJA +JD0oHISipv48dUc9XOWwi1gzbNqyFN+IRLKRX9cHeOYMce1WKp4XGHdwqrDRspjz +xGmGcnC5ZvbcBGNDaysyziSjhkOFy97PaAWpn5ixzQhmbEn39Ssm2wYo9P8B4tC4 +coBRjwVicHHj3vRkj2maNtHOuy7nfuH6RcoZM5KPPb0Ity8jwmzfJgRkrxYAhsBQ +wcXlWhbUTuctyrSbxBX+ +-----END CERTIFICATE----- diff --git a/tools/certs/certgen.sh b/tools/certs/certgen.sh new file mode 100644 index 0000000..76f3500 --- /dev/null +++ b/tools/certs/certgen.sh 
@@ -0,0 +1,161 @@ +#!/bin/bash -e + +CN='' +SSL_IP='' +SSL_DNS='' + +C=CN + +SSL_SIZE=2048 + +DATE=${DATE:-3650} + +SSL_CONFIG='openssl.cnf' + +help() { + cat <<-EOF + +Usage: ./certgen.sh [OPTIONS] COMMAND + +A script for zkm cert generation. + +Options: +--help Get the help info and exit +--cn Common name of the server +--ssl-ip Extended trust ips, such as 127.0.0.1, 0.0.0.0 +--ssl-dns Extended trust dns, such as demo.zkm.com +--ssl-size The key size +--date Validity of the certificate +--ssl-config Address of config file +EOF + exit 0 +} + +echo 'cn', $2 + +while [ -n "$1" ]; do + case "$1" in + --cn) + CN="$2" + shift + ;; + --ssl-ip) + SSL_IP="$2" + shift + ;; + --ssl-dns) + SSL_DNS="$2" + shift + ;; + --ssl-size) + SSL_SIZE=$2 + shift + ;; + --date) + DATE=$2 + shift + ;; + --ssl-config) + SSL_CONFIG="$2" + shift + ;; + -h | --help) + help + ;; + --) + shift + break + ;; + *) + echo "Error: not defined option." + exit 1 + ;; + esac + shift +done + +echo "----------------------------" +echo "| SSL Cert Generator |" +echo "----------------------------" +echo + +export CA_KEY=${CA_KEY-"ca.key"} +export CA_CERT=${CA_CERT-"ca.pem"} +export CA_SUBJECT=ca-$CN +export CA_EXPIRE=${DATE} + +export SSL_CONFIG=${SSL_CONFIG} +export SSL_KEY=$CN.key +export SSL_CSR=$CN.csr +export SSL_CERT=$CN.pem +export SSL_EXPIRE=${DATE} + +export SSL_SUBJECT=${CN} +export SSL_DNS=${SSL_DNS} +export SSL_IP=${SSL_IP} + +echo ${CA_SUBJECT} +echo ${CN} +echo "--> Certificate Authority" + +if [[ -e ./${CA_KEY} ]]; then + echo "====> Using existing CA Key ${CA_KEY}" +else + echo "====> Generating new CA key ${CA_KEY}" + openssl genrsa -out ${CA_KEY} ${SSL_SIZE} >/dev/null +fi + +if [[ -e ./${CA_CERT} ]]; then + echo "====> Using existing CA Certificate ${CA_CERT}" +else + echo "====> Generating new CA Certificate ${CA_CERT}" + openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} \ + -days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" >/dev/null || exit 1 +fi + +echo "====> 
Generating new config file ${SSL_CONFIG}" +cat >${SSL_CONFIG} <>${SSL_CONFIG} <>${SSL_CONFIG} + done + + if [[ -n ${SSL_IP} ]]; then + ip=(${SSL_IP}) + for i in "${!ip[@]}"; do + echo IP.$((i + 1)) = ${ip[$i]} >>${SSL_CONFIG} + done + fi +fi + +echo "====> Generating new SSL KEY ${SSL_KEY}" +openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} >/dev/null || exit 1 + +echo "====> Generating new SSL CSR ${SSL_CSR}" +openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} \ + -subj "/CN=${SSL_SUBJECT}" -config ${SSL_CONFIG} >/dev/null || exit 1 + +echo "====> Generating new SSL CERT ${SSL_CERT}" +openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} \ + -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \ + -days ${SSL_EXPIRE} -extensions v3_req \ + -extfile ${SSL_CONFIG} >/dev/null || exit 1 + +echo "====> Complete" \ No newline at end of file
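Review bot: The CA and leaf private keys are written by `openssl genrsa -out ${CA_KEY}` and `openssl genrsa -out ${SSL_KEY}` with whatever umask the caller has, so they may land group- or world-readable; add `umask 077` directly after the shebang (or `chmod 600 "${CA_KEY}" "${SSL_KEY}"` after generation) so only the service user can read them. The `echo 'cn', $2` before the option loop looks like leftover debugging and prints an unrelated value when `--cn` is not the first flag. With `#!/bin/bash -e` the repeated `|| exit 1` suffixes are redundant, and the leaf certificates inherit the CA's `DATE` default of 3650 days, which is long for per-node identities. The heredoc that generates `${SSL_CONFIG}` is garbled in this rendering, so I could not review the SAN section it writes.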