pierre/tcp-over-http
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Add client TLS auth on server side

Browse Source
This commit is contained in:
Pierre HUBERT
2022-08-31 12:24:54 +02:00
parent 1b95b10553
commit 27b52dfcb7
9 changed files with 144 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
tcp_relay_server/src/tls_cert_client_verifier.rs Normal file
View File

@@ -0,0 +1,61 @@
use std::fs::File;
use std::io::BufReader;
use std::sync::Arc;
use std::time::SystemTime;
use rustls::{Certificate, DistinguishedNames, Error, RootCertStore};
use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier};
use rustls_pemfile::certs;
use crate::server_config::ServerConfig;
pub struct CustomCertClientVerifier {
upstream_cert_verifier: Box<Arc<dyn ClientCertVerifier>>,
}
impl CustomCertClientVerifier {
pub fn new(conf: Arc<ServerConfig>) -> Self {
let cert_path = conf.tls_client_auth_root_cert.as_deref()
.expect("No root certificates for client authentication provided!");
let cert_file = &mut BufReader::new(File::open(cert_path)
.expect("Failed to read root certificates for client authentication!"));
let root_certs = certs(cert_file).unwrap()
.into_iter()
.map(Certificate)
.collect::<Vec<_>>();
if root_certs.is_empty() {
log::error!("No certificates found for client authentication!");
panic!();
}
let mut store = RootCertStore::empty();
for cert in root_certs {
store.add(&cert).expect("Failed to add certificate to root store");
}
Self {
upstream_cert_verifier: Box::new(AllowAnyAuthenticatedClient::new(store)),
}
}
}
impl ClientCertVerifier for CustomCertClientVerifier {
fn offer_client_auth(&self) -> bool {
true
}
fn client_auth_mandatory(&self) -> Option<bool> {
Some(true)
}
fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
Some(vec![])
}
fn verify_client_cert(&self, end_entity: &Certificate, intermediates: &[Certificate], now: SystemTime) -> Result<ClientCertVerified, Error> {
self.upstream_cert_verifier.verify_client_cert(end_entity, intermediates, now)
}
}