Client can authenticate using TLS certificate

2022-08-31 14:35:52 +02:00 · 2022-08-31 14:35:52 +02:00 · cd0f6fea94
commit cd0f6fea94
parent 27b52dfcb7
5 changed files with 118 additions and 17 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1566,6 +1566,7 @@ name = "tcp_relay_client"
 version = "0.1.0"
 dependencies = [
 "base",
+ "bytes",
 "clap",
 "env_logger",
 "futures",
--- a/tcp_relay_client/Cargo.toml
+++ b/tcp_relay_client/Cargo.toml
@ -15,4 +15,5 @@ tokio-tungstenite = { version = "0.17.2", features = ["__rustls-tls", "rustls-tl
 urlencoding = "2.1.0"
 rustls = { version = "0.20.6" }
 hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
-rustls-pemfile = { version = "1.0.1" }
+rustls-pemfile = { version = "1.0.1" }
+bytes = "1.2.1"
--- a/tcp_relay_client/src/client_config.rs
+++ b/tcp_relay_client/src/client_config.rs
@ -1,7 +1,6 @@
+use bytes::BufMut;
 use clap::Parser;

-static mut ROOT_CERT: Option<Vec<u8>> = None;
-
 /// TCP relay client
 #[derive(Parser, Debug, Clone)]
 #[clap(author, version, about, long_about = None)]
@ -18,28 +17,80 @@ pub struct ClientConfig {
    #[clap(short, long, default_value = "127.0.0.1")]
    pub listen_address: String,

-    /// Optional root certificate to use for server authentication
+    /// Alternative root certificate to use for server authentication
    #[clap(short = 'c', long)]
    pub root_certificate: Option<String>,
+
+    #[clap(skip)]
+    _root_certificate_cache: Option<Vec<u8>>,
+
+    /// TLS certificate for TLS authentication.
+    #[clap(long)]
+    pub tls_cert: Option<String>,
+
+    #[clap(skip)]
+    _tls_cert_cache: Option<Vec<u8>>,
+
+    /// TLS key for TLS authentication.
+    #[clap(long)]
+    pub tls_key: Option<String>,
+
+    #[clap(skip)]
+    _tls_key_cache: Option<Vec<u8>>,
 }

 impl ClientConfig {
+    /// Load certificates and put them in cache
+    pub fn load_certificates(&mut self) {
+        self._root_certificate_cache = self.root_certificate.as_ref()
+            .map(|c| std::fs::read(c)
+                .expect("Failed to read root certificate!"));
+
+        self._tls_cert_cache = self.tls_cert.as_ref()
+            .map(|c| std::fs::read(c)
+                .expect("Failed to read client certificate!"));
+
+        self._tls_key_cache = self.tls_key.as_ref()
+            .map(|c| std::fs::read(c)
+                .expect("Failed to read client key!"));
+    }
+
    /// Get client token, returning a dummy token if none was specified
    pub fn get_auth_token(&self) -> &str {
        self.token.as_deref().unwrap_or("none")
    }

-    /// Load root certificate
+    /// Get root certificate content
    pub fn get_root_certificate(&self) -> Option<Vec<u8>> {
-        self.root_certificate.as_ref()?;
+        self._root_certificate_cache.clone()
+    }

-        if unsafe { ROOT_CERT.is_none() } {
-            log::info!("Loading root certificate from disk");
-            let cert = self.root_certificate.as_ref().map(|c| std::fs::read(c)
-                .expect("Failed to read root certificate!"));
-            unsafe { ROOT_CERT = cert }
-        }
+    /// Get client certificate & key pair, if available
+    pub fn get_client_keypair(&self) -> Option<(&Vec<u8>, &Vec<u8>)> {
+        if let (Some(cert), Some(key)) = (&self._tls_cert_cache, &self._tls_key_cache) {
+            Some((cert, key))
+        } else { None }
+    }

-        unsafe { ROOT_CERT.clone() }
+    /// Get client certificate & key pair, in a single memory buffer
+    pub fn get_merged_client_keypair(&self) -> Option<Vec<u8>> {
+        self.get_client_keypair()
+            .map(|(c, k)| {
+                let mut out = k.to_vec();
+                out.put_slice("\n".as_bytes());
+                out.put_slice(c);
+                out
+            })
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use crate::client_config::ClientConfig;
+
+    #[test]
+    fn verify_cli() {
+        use clap::CommandFactory;
+        ClientConfig::command().debug_assert()
    }
 }
--- a/tcp_relay_client/src/main.rs
+++ b/tcp_relay_client/src/main.rs
@ -1,9 +1,11 @@
+extern crate core;
+
 use std::error::Error;
 use std::sync::Arc;

 use clap::Parser;
 use futures::future::join_all;
-use reqwest::Certificate;
+use reqwest::{Certificate, Identity};

 use base::RemoteConfig;
 use tcp_relay_client::client_config::ClientConfig;
@ -20,6 +22,14 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
        client = client.add_root_certificate(Certificate::from_pem(&cert)?);
    }

+    // Specify client certificate, if any
+    if let Some(kp) = config.get_merged_client_keypair() {
+        let identity = Identity::from_pem(&kp)
+            .expect("Failed to load certificates for reqwest!");
+        client = client.identity(identity)
+            .use_rustls_tls();
+    }
+
    let client = client.build().expect("Failed to build reqwest client");

    let req = client.get(url)
@ -38,9 +48,20 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
 async fn main() -> Result<(), Box<dyn Error>> {
    env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));

-    let args: ClientConfig = ClientConfig::parse();
+    let mut args: ClientConfig = ClientConfig::parse();
+    args.load_certificates();
    let args = Arc::new(args);

+    // Check arguments coherence
+    if args.tls_cert.is_some() != args.tls_key.is_some() {
+        log::error!("If you specify one of TLS certificate / key, you must then specify the other!");
+        panic!();
+    }
+
+    if args.get_client_keypair().is_some() {
+        log::info!("Using client-side authentication");
+    }
+
    // Get server relay configuration (fetch the list of port to forward)
    let conf = get_server_config(&args).await?;

--- a/tcp_relay_client/src/relay_client.rs
+++ b/tcp_relay_client/src/relay_client.rs
@ -3,7 +3,8 @@ use std::sync::Arc;

 use futures::{SinkExt, StreamExt};
 use hyper_rustls::ConfigBuilderExt;
-use rustls::{Certificate, RootCertStore};
+use rustls::{Certificate, PrivateKey, RootCertStore};
+use rustls_pemfile::{Item, read_one};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpStream};
 use tokio_tungstenite::tungstenite::Message;
@ -54,7 +55,33 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
            }
        };

-        let config = config.with_no_client_auth();
+        let config = match conf.get_client_keypair() {
+            None => config.with_no_client_auth(),
+            Some((certs, key)) => {
+                let certs = rustls_pemfile::certs(&mut Cursor::new(certs))
+                    .expect("Failed to parse client certificates!")
+                    .into_iter()
+                    .map(Certificate)
+                    .collect::<Vec<_>>();
+
+                let key = match read_one(&mut Cursor::new(key))
+                    .expect("Failed to read client private key!") {
+                    None => {
+                        log::error!("Failed to extract private key!");
+                        panic!();
+                    }
+                    Some(Item::PKCS8Key(key)) => key,
+                    Some(Item::RSAKey(key)) => key,
+                    _ => {
+                        log::error!("Unsupported private key type!");
+                        panic!();
+                    }
+                };
+
+                config.with_single_cert(certs, PrivateKey(key))
+                    .expect("Failed to set client certificate!")
+            }
+        };
        let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));

        let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(