web: switch to https

Fixes #6

Signed-off-by: Boris Glimcher <[email protected]>

README.md

@@ -182,8 +182,8 @@ $ jq -r .\"ietf-sztp-bootstrap-server:output\".\"conveyed-information\" /tmp/pos
   "ietf-sztp-conveyed-info:onboarding-information": {
     "boot-image": {
       "download-uri": [
-        "http://web:80/my-boot-image.img",
-        "ftp://web:82/my-boot-image.img"
+        "https://web:443/my-boot-image.img",
+        "ftps://web:990/my-boot-image.img"
       ],
       "image-verification": [
         {
@@ -292,7 +292,7 @@ $ jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"post-configuration
 echo "inside the post-configuration-script..."
 
 $ jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"download-uri\"[] /tmp/post_rpc_fixed.json
-http://web:80/my-boot-image.img
+https://web:443/my-boot-image.img
 
 $ jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"image-verification\"[] /tmp/post_rpc_fixed.json
 {
@@ -412,11 +412,11 @@ docker-compose up --build web
 ## Test HTTP server from agent
 
 ```text
-docker-compose run --rm -T agent curl --fail http://web:80/
+docker-compose run --rm -T agent curl --fail --key /private_key.pem --cert /my_cert.pem --cacert /opi.pem https://web:443/var/lib/
 ```
 
 OR
 
 ```text
-docker run --network=sztp_opi --security-opt seccomp=unconfined -it --rm fedora:36 curl --fail http://web:80/
+docker run --network=sztp_opi --security-opt seccomp=unconfined -it --rm fedora:36 curl --fail https://web:443/
 ```

docker-compose.yml

@@ -79,14 +79,45 @@ services:
       - opi
     command: --script=dns-service-discovery -p 5353 avahi
 
+  # TODO: remove this and use sztp keys and certificates
+  setup-cert:
+    image: ghcr.io/opiproject/opi-sztp-server:main
+    volumes:
+      - certs:/certs
+    user: "0"
+    entrypoint: /bin/bash
+    command: >
+      -c '
+        set -e
+        openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365 \
+          -subj "/C=GB/ST=London/L=London/O=Alros/OU=IT Department/CN=localhost"
+        cp key.pem  /certs/server.key
+        cp cert.pem /certs/server.crt
+        echo "Certificates created succcessfully."
+      '
+
   web:
     image: docker.io/library/httpd:2.4.57-alpine3.17
+    depends_on:
+      setup-cert:
+        condition: service_completed_successfully
     volumes:
+      - certs:/usr/local/apache2/conf/
       - ./sztp-server/images:/usr/local/apache2/htdocs
     ports:
-      - 80:80
+      - 443:443
     networks:
       - opi
+    entrypoint: /bin/ash
+    command: |
+        -x -e -c '
+        sed -i \
+        -e "s/^#\(Include .*httpd-ssl.conf\)/\1/" \
+        -e "s/^#\(LoadModule .*mod_ssl.so\)/\1/" \
+        -e "s/^#\(LoadModule .*mod_socache_shmcb.so\)/\1/" \
+        conf/httpd.conf
+        httpd-foreground
+        '
 
   client:
     image: docker.io/modularitycontainers/dhcp-client:latest
@@ -122,6 +153,7 @@ services:
       - opi
 
 volumes:
+  certs:
   dhcp-leases-folder:
 
 networks:

scripts/change_image.sh

@@ -27,8 +27,8 @@ cat << EOM > /tmp/boot-images.json
             {
                 "name": "my-boot-image.img",
                 "download-uri": [
-                    "http://web:80/${BOOT_IMG_PATH}",
-                    "ftp://web:82/${BOOT_IMG_PATH}"
+                    "https://web:443/${BOOT_IMG_PATH}",
+                    "ftps://web:990/${BOOT_IMG_PATH}"
                 ],
                 "image-verification": [
                     {

scripts/tests.sh

@@ -76,12 +76,13 @@ jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"post-configuration-s
 jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"download-uri\"[] /tmp/post_rpc_fixed.json
 jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"image-verification\"[] /tmp/post_rpc_fixed.json
 
-docker-compose run -T agent curl --fail --output /tmp/my-boot-image.tst http://web:80/my-boot-image.img
+# TODO: remove --insecure
+docker-compose run -T agent curl --insecure --fail --key /private_key.pem --cert /my_cert.pem --cacert /opi.pem --output /tmp/my-boot-image.tst https://web:443/my-boot-image.img
 
 # actually go and download the image from the web server
 URL=$(jq -r .\"ietf-sztp-conveyed-info:onboarding-information\".\"boot-image\".\"download-uri\"[0] /tmp/post_rpc_fixed.json)
 BASENAME=$(basename "${URL}")
-docker-compose run -T agent curl --output "/tmp/${BASENAME}" --fail "${URL}"
+docker-compose run -T agent curl --insecure --fail --key /private_key.pem --cert /my_cert.pem --cacert /opi.pem --output "/tmp/${BASENAME}" "${URL}"
 
 # Validate signature
 SIGNATURE=$(docker-compose run -T agent ash -c "openssl dgst -sha256 -c \"/tmp/${BASENAME}\" | awk '{print \$2}'")

sztp-agent/pkg/secureagent/daemon.go

@@ -11,12 +11,15 @@ package secureagent
 import (
 	"bytes"
 	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"net/url"
@@ -224,11 +227,23 @@ func (a *Agent) downloadAndValidateImage() error {
 			return err
 		}
 
+		caCert, _ := ioutil.ReadFile(a.GetBootstrapTrustAnchorCert())
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		cert, _ := tls.LoadX509KeyPair(a.GetDeviceEndEntityCert(), a.GetDevicePrivateKey())
+
 		check := http.Client{
 			CheckRedirect: func(r *http.Request, via []*http.Request) error {
 				r.URL.Opaque = r.URL.Path
 				return nil
 			},
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{ //nolint:gosec
+					InsecureSkipVerify: true, // TODO: remove skip verify
+					RootCAs:            caCertPool,
+					Certificates:       []tls.Certificate{cert},
+				},
+			},
 		}
 
 		response, err := check.Get(item)

sztp-server/config/sztpd.running.json.template

@@ -132,8 +132,8 @@
       {
         "name": "my-boot-image.img",
         "download-uri": [
-          "http://web:80/my-boot-image.img",
-          "ftp://web:82/my-boot-image.img"
+          "https://web:443/my-boot-image.img",
+          "ftps://web:990/my-boot-image.img"
         ],
         "image-verification": [
           {