From cd0f6fea9413dad9101a52ff7576d32b86ca74c4 Mon Sep 17 00:00:00 2001
From: Pierre Hubert <pierre.git@communiquons.org>
Date: Wed, 31 Aug 2022 14:35:52 +0200
Subject: [PATCH] Client can authenticate using TLS certificate

---
 Cargo.lock                            |  1 +
 tcp_relay_client/Cargo.toml           |  3 +-
 tcp_relay_client/src/client_config.rs | 75 ++++++++++++++++++++++-----
 tcp_relay_client/src/main.rs          | 25 ++++++++-
 tcp_relay_client/src/relay_client.rs  | 31 ++++++++++-
 5 files changed, 118 insertions(+), 17 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 9baec6d..1800b9d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1566,6 +1566,7 @@ name = "tcp_relay_client"
 version = "0.1.0"
 dependencies = [
  "base",
+ "bytes",
  "clap",
  "env_logger",
  "futures",
diff --git a/tcp_relay_client/Cargo.toml b/tcp_relay_client/Cargo.toml
index cc87933..e6195e7 100644
--- a/tcp_relay_client/Cargo.toml
+++ b/tcp_relay_client/Cargo.toml
@@ -15,4 +15,5 @@ tokio-tungstenite = { version = "0.17.2", features = ["__rustls-tls", "rustls-tl
 urlencoding = "2.1.0"
 rustls = { version = "0.20.6" }
 hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
-rustls-pemfile = { version = "1.0.1" }
\ No newline at end of file
+rustls-pemfile = { version = "1.0.1" }
+bytes = "1.2.1"
\ No newline at end of file
diff --git a/tcp_relay_client/src/client_config.rs b/tcp_relay_client/src/client_config.rs
index e09a690..7809a75 100644
--- a/tcp_relay_client/src/client_config.rs
+++ b/tcp_relay_client/src/client_config.rs
@@ -1,7 +1,6 @@
+use bytes::BufMut;
 use clap::Parser;
 
-static mut ROOT_CERT: Option<Vec<u8>> = None;
-
 /// TCP relay client
 #[derive(Parser, Debug, Clone)]
 #[clap(author, version, about, long_about = None)]
@@ -18,28 +17,80 @@ pub struct ClientConfig {
     #[clap(short, long, default_value = "127.0.0.1")]
     pub listen_address: String,
 
-    /// Optional root certificate to use for server authentication
+    /// Alternative root certificate to use for server authentication
     #[clap(short = 'c', long)]
     pub root_certificate: Option<String>,
+
+    #[clap(skip)]
+    _root_certificate_cache: Option<Vec<u8>>,
+
+    /// TLS certificate for TLS authentication.
+    #[clap(long)]
+    pub tls_cert: Option<String>,
+
+    #[clap(skip)]
+    _tls_cert_cache: Option<Vec<u8>>,
+
+    /// TLS key for TLS authentication.
+    #[clap(long)]
+    pub tls_key: Option<String>,
+
+    #[clap(skip)]
+    _tls_key_cache: Option<Vec<u8>>,
 }
 
 impl ClientConfig {
+    /// Load certificates and put them in cache
+    pub fn load_certificates(&mut self) {
+        self._root_certificate_cache = self.root_certificate.as_ref()
+            .map(|c| std::fs::read(c)
+                .expect("Failed to read root certificate!"));
+
+        self._tls_cert_cache = self.tls_cert.as_ref()
+            .map(|c| std::fs::read(c)
+                .expect("Failed to read client certificate!"));
+
+        self._tls_key_cache = self.tls_key.as_ref()
+            .map(|c| std::fs::read(c)
+                .expect("Failed to read client key!"));
+    }
+
     /// Get client token, returning a dummy token if none was specified
     pub fn get_auth_token(&self) -> &str {
         self.token.as_deref().unwrap_or("none")
     }
 
-    /// Load root certificate
+    /// Get root certificate content
     pub fn get_root_certificate(&self) -> Option<Vec<u8>> {
-        self.root_certificate.as_ref()?;
+        self._root_certificate_cache.clone()
+    }
 
-        if unsafe { ROOT_CERT.is_none() } {
-            log::info!("Loading root certificate from disk");
-            let cert = self.root_certificate.as_ref().map(|c| std::fs::read(c)
-                .expect("Failed to read root certificate!"));
-            unsafe { ROOT_CERT = cert }
-        }
+    /// Get client certificate & key pair, if available
+    pub fn get_client_keypair(&self) -> Option<(&Vec<u8>, &Vec<u8>)> {
+        if let (Some(cert), Some(key)) = (&self._tls_cert_cache, &self._tls_key_cache) {
+            Some((cert, key))
+        } else { None }
+    }
 
-        unsafe { ROOT_CERT.clone() }
+    /// Get client certificate & key pair, in a single memory buffer
+    pub fn get_merged_client_keypair(&self) -> Option<Vec<u8>> {
+        self.get_client_keypair()
+            .map(|(c, k)| {
+                let mut out = k.to_vec();
+                out.put_slice("\n".as_bytes());
+                out.put_slice(c);
+                out
+            })
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use crate::client_config::ClientConfig;
+
+    #[test]
+    fn verify_cli() {
+        use clap::CommandFactory;
+        ClientConfig::command().debug_assert()
     }
 }
\ No newline at end of file
diff --git a/tcp_relay_client/src/main.rs b/tcp_relay_client/src/main.rs
index 814243a..5be6308 100644
--- a/tcp_relay_client/src/main.rs
+++ b/tcp_relay_client/src/main.rs
@@ -1,9 +1,11 @@
+extern crate core;
+
 use std::error::Error;
 use std::sync::Arc;
 
 use clap::Parser;
 use futures::future::join_all;
-use reqwest::Certificate;
+use reqwest::{Certificate, Identity};
 
 use base::RemoteConfig;
 use tcp_relay_client::client_config::ClientConfig;
@@ -20,6 +22,14 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
         client = client.add_root_certificate(Certificate::from_pem(&cert)?);
     }
 
+    // Specify client certificate, if any
+    if let Some(kp) = config.get_merged_client_keypair() {
+        let identity = Identity::from_pem(&kp)
+            .expect("Failed to load certificates for reqwest!");
+        client = client.identity(identity)
+            .use_rustls_tls();
+    }
+
     let client = client.build().expect("Failed to build reqwest client");
 
     let req = client.get(url)
@@ -38,9 +48,20 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
 async fn main() -> Result<(), Box<dyn Error>> {
     env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
 
-    let args: ClientConfig = ClientConfig::parse();
+    let mut args: ClientConfig = ClientConfig::parse();
+    args.load_certificates();
     let args = Arc::new(args);
 
+    // Check arguments coherence
+    if args.tls_cert.is_some() != args.tls_key.is_some() {
+        log::error!("If you specify one of TLS certificate / key, you must then specify the other!");
+        panic!();
+    }
+
+    if args.get_client_keypair().is_some() {
+        log::info!("Using client-side authentication");
+    }
+
     // Get server relay configuration (fetch the list of port to forward)
     let conf = get_server_config(&args).await?;
 
diff --git a/tcp_relay_client/src/relay_client.rs b/tcp_relay_client/src/relay_client.rs
index 6875bd2..e861216 100644
--- a/tcp_relay_client/src/relay_client.rs
+++ b/tcp_relay_client/src/relay_client.rs
@@ -3,7 +3,8 @@ use std::sync::Arc;
 
 use futures::{SinkExt, StreamExt};
 use hyper_rustls::ConfigBuilderExt;
-use rustls::{Certificate, RootCertStore};
+use rustls::{Certificate, PrivateKey, RootCertStore};
+use rustls_pemfile::{Item, read_one};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpStream};
 use tokio_tungstenite::tungstenite::Message;
@@ -54,7 +55,33 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
             }
         };
 
-        let config = config.with_no_client_auth();
+        let config = match conf.get_client_keypair() {
+            None => config.with_no_client_auth(),
+            Some((certs, key)) => {
+                let certs = rustls_pemfile::certs(&mut Cursor::new(certs))
+                    .expect("Failed to parse client certificates!")
+                    .into_iter()
+                    .map(Certificate)
+                    .collect::<Vec<_>>();
+
+                let key = match read_one(&mut Cursor::new(key))
+                    .expect("Failed to read client private key!") {
+                    None => {
+                        log::error!("Failed to extract private key!");
+                        panic!();
+                    }
+                    Some(Item::PKCS8Key(key)) => key,
+                    Some(Item::RSAKey(key)) => key,
+                    _ => {
+                        log::error!("Unsupported private key type!");
+                        panic!();
+                    }
+                };
+
+                config.with_single_cert(certs, PrivateKey(key))
+                    .expect("Failed to set client certificate!")
+            }
+        };
         let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));
 
         let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(