[CBR-470] Ensure 600 file permission on generated x509 certificates and keys

KtorZ · KtorZ · commit 9f6fd9ca3aba · 2018-10-22T17:22:50.000+02:00
It is of the utmost importance that those files aren't readable by anyone but the user generating them.
Files are generated upon start and used to secure the communication between cardano-sl and its clients (e.g. Daedalus)

Note that, we do assume that users are able to secure their own environment from potential adversary services,
so this is really about preventing one user to have access to certificates of another user.
diff --git a/x509/cardano-sl-x509.cabal b/x509/cardano-sl-x509.cabal
@@ -37,6 +37,7 @@ library
                , optparse-applicative
                , text
                , universum
+               , unix
                , unordered-containers
                , x509
                , x509-store
diff --git a/x509/src/Data/X509/Extra.hs b/x509/src/Data/X509/Extra.hs
@@ -1,6 +1,11 @@
+{-# LANGUAGE CPP               #-}
 {-# LANGUAGE FlexibleInstances #-}
 {-# LANGUAGE LambdaCase        #-}
 
+#if !defined(mingw32_HOST_OS)
+#define POSIX
+#endif
+
 --
 -- | Cryptographic & Data.X509 specialized methods for RSA with SHA256
 --
@@ -50,6 +55,11 @@ import           Data.X509.CertificateStore (CertificateStore,
 import           Data.X509.Validation
 import           Net.IPv4 (IPv4 (..))
 import           Net.IPv6 (IPv6 (..))
+#ifdef POSIX
+import           System.Posix.Files (ownerReadMode, ownerWriteMode, setFileMode,
+                     unionFileModes)
+import           System.Posix.Types (FileMode)
+#endif
 
 import qualified Crypto.PubKey.RSA.Types as RSA
 import qualified Data.ByteString as BS
@@ -231,21 +241,20 @@ writeCredentials
     -> (PrivateKey, SignedCertificate)
     -> IO ()
 writeCredentials filename (key, cert) = do
-    BS.writeFile (filename <> ".pem") (BS.concat [keyBytes, "\n", certBytes])
-    BS.writeFile (filename <> ".key") keyBytes
-    BS.writeFile (filename <> ".crt") certBytes
+    writeFile600 (filename <> ".pem") (BS.concat [keyBytes, "\n", certBytes])
+    writeFile600 (filename <> ".key") keyBytes
+    writeFile600 (filename <> ".crt") certBytes
   where
     keyBytes  = encodePEM key
     certBytes = encodePEM cert
 
-
 -- | Write a certificate to the given location
 writeCertificate
     :: FilePath
     -> SignedCertificate
     -> IO ()
 writeCertificate filename cert =
-    BS.writeFile (filename <> ".crt") (encodePEM cert)
+    writeFile600 (filename <> ".crt") (encodePEM cert)
 
 
 --
@@ -330,3 +339,18 @@ validateCertificateIP ip cert =
             []
         else
             [NameMismatch $ B8.unpack ip]
+
+
+writeFile600 :: FilePath -> ByteString -> IO ()
+#ifdef POSIX
+writeFile600 filepath bytes = do
+    BS.writeFile filepath mempty
+    setFileMode filepath mode600
+    BS.appendFile filepath bytes
+  where
+    mode600 :: FileMode
+    mode600 = unionFileModes ownerReadMode ownerWriteMode
+#else
+writeFile600 _ _ =
+    return ()
+#endif
