Add new test for TLS mutual authentication

This commit is contained in:
2022-09-02 10:57:53 +02:00
parent 019ae92605
commit 4f89bc06a0
6 changed files with 134 additions and 16 deletions


@ -7,7 +7,7 @@ use rustls::{Certificate, DistinguishedNames, Error, RootCertStore};
use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate};
use crate::base::cert_utils::parse_pem_certificates;
use crate::base::err_utils::{encpasulate_error, new_err};
use crate::tcp_relay_server::server_config::ServerConfig;
pub struct CustomCertClientVerifier {
@ -16,21 +16,28 @@ pub struct CustomCertClientVerifier {
}
impl CustomCertClientVerifier {
pub fn new(conf: Arc<ServerConfig>) -> Self {
pub fn new(conf: Arc<ServerConfig>) -> std::io::Result<Self> {
// Build root certifications list
let cert_path = conf
.tls_client_auth_root_cert
.as_deref()
.expect("No root certificates for client authentication provided!");
let cert_file = std::fs::read(cert_path)
.expect("Failed to read root certificates for client authentication!");
let cert_file = std::fs::read(cert_path).map_err(|e| {
encpasulate_error(
e,
"Failed to read root certificates for client authentication!",
)
})?;
let root_certs = parse_pem_certificates(&cert_file)
.expect("Failed to read root certificates for server authentication!");
let root_certs = parse_pem_certificates(&cert_file).map_err(|e| {
encpasulate_error(
e,
"Failed to read root certificates for server authentication!",
)
})?;
if root_certs.is_empty() {
log::error!("No certificates found for client authentication!");
panic!();
return Err(new_err("No certificates found for client authentication!"));
}
let mut store = RootCertStore::empty();
@ -42,19 +49,21 @@ impl CustomCertClientVerifier {
// Parse CRL file (if any)
let crl = if let Some(crl_file) = &conf.tls_revocation_list {
let crl_file = std::fs::read(crl_file).expect("Failed to open / read CRL file!");
let crl_file = std::fs::read(crl_file)
.map_err(|e| encpasulate_error(e, "Failed to open / read CRL file!"))?;
let parsed_crl = pem::parse(crl_file).expect("Failed to decode CRL file!");
let parsed_crl = pem::parse(crl_file)
.map_err(|e| encpasulate_error(e, "Failed to decode CRL file!"))?;
Some(parsed_crl.contents)
} else {
None
};
Self {
Ok(Self {
upstream_cert_verifier: Box::new(AllowAnyAuthenticatedClient::new(store)),
crl,
}
})
}
}
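Review bot: The `tls_client_auth_root_cert` lookup at the top of `new` (second hunk) still panics through `.expect("No root certificates for client authentication provided!")` even though the constructor now returns `std::io::Result<Self>` and every other failure in the function was converted to an `Err`, so a server started without that config value aborts the process instead of reporting a handleable error; replace the `.expect(...)` call with `.ok_or_else(|| new_err("No root certificates for client authentication provided!"))?;`. In the same hunk the `parse_pem_certificates` error text says "server authentication" inside the client verifier, which reads like a copy-paste and will mislead whoever is reading the log when client-auth setup fails. In the CRL hunk the PEM tag is never checked and `parsed_crl.contents` is stored as raw bytes, so a PEM file that is not a CRL at all is accepted at startup and the problem only shows up later; parsing it once here with the already-imported `CertificateRevocationList::from_der` would make that misconfiguration fail fast, though I cannot see where `crl` is consumed, so confirm this would not duplicate a check that already exists there. The lines between the hunks, including the loop that fills `store`, are outside my view.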