Client can authenticate using TLS certificate

This commit is contained in:
Pierre HUBERT 2022-08-31 14:35:52 +02:00
parent 27b52dfcb7
commit cd0f6fea94
5 changed files with 118 additions and 17 deletions

1
Cargo.lock generated
View File

@ -1566,6 +1566,7 @@ name = "tcp_relay_client"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"base", "base",
"bytes",
"clap", "clap",
"env_logger", "env_logger",
"futures", "futures",

View File

@ -15,4 +15,5 @@ tokio-tungstenite = { version = "0.17.2", features = ["__rustls-tls", "rustls-tl
urlencoding = "2.1.0" urlencoding = "2.1.0"
rustls = { version = "0.20.6" } rustls = { version = "0.20.6" }
hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] } hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
rustls-pemfile = { version = "1.0.1" } rustls-pemfile = { version = "1.0.1" }
bytes = "1.2.1"

View File

@ -1,7 +1,6 @@
use bytes::BufMut;
use clap::Parser; use clap::Parser;
static mut ROOT_CERT: Option<Vec<u8>> = None;
/// TCP relay client /// TCP relay client
#[derive(Parser, Debug, Clone)] #[derive(Parser, Debug, Clone)]
#[clap(author, version, about, long_about = None)] #[clap(author, version, about, long_about = None)]
@ -18,28 +17,80 @@ pub struct ClientConfig {
#[clap(short, long, default_value = "127.0.0.1")] #[clap(short, long, default_value = "127.0.0.1")]
pub listen_address: String, pub listen_address: String,
/// Optional root certificate to use for server authentication /// Alternative root certificate to use for server authentication
#[clap(short = 'c', long)] #[clap(short = 'c', long)]
pub root_certificate: Option<String>, pub root_certificate: Option<String>,
#[clap(skip)]
_root_certificate_cache: Option<Vec<u8>>,
/// TLS certificate for TLS authentication.
#[clap(long)]
pub tls_cert: Option<String>,
#[clap(skip)]
_tls_cert_cache: Option<Vec<u8>>,
/// TLS key for TLS authentication.
#[clap(long)]
pub tls_key: Option<String>,
#[clap(skip)]
_tls_key_cache: Option<Vec<u8>>,
} }
impl ClientConfig { impl ClientConfig {
/// Load certificates and put them in cache
pub fn load_certificates(&mut self) {
self._root_certificate_cache = self.root_certificate.as_ref()
.map(|c| std::fs::read(c)
.expect("Failed to read root certificate!"));
self._tls_cert_cache = self.tls_cert.as_ref()
.map(|c| std::fs::read(c)
.expect("Failed to read client certificate!"));
self._tls_key_cache = self.tls_key.as_ref()
.map(|c| std::fs::read(c)
.expect("Failed to read client key!"));
}
/// Get client token, returning a dummy token if none was specified /// Get client token, returning a dummy token if none was specified
pub fn get_auth_token(&self) -> &str { pub fn get_auth_token(&self) -> &str {
self.token.as_deref().unwrap_or("none") self.token.as_deref().unwrap_or("none")
} }
/// Load root certificate /// Get root certificate content
pub fn get_root_certificate(&self) -> Option<Vec<u8>> { pub fn get_root_certificate(&self) -> Option<Vec<u8>> {
self.root_certificate.as_ref()?; self._root_certificate_cache.clone()
}
if unsafe { ROOT_CERT.is_none() } { /// Get client certificate & key pair, if available
log::info!("Loading root certificate from disk"); pub fn get_client_keypair(&self) -> Option<(&Vec<u8>, &Vec<u8>)> {
let cert = self.root_certificate.as_ref().map(|c| std::fs::read(c) if let (Some(cert), Some(key)) = (&self._tls_cert_cache, &self._tls_key_cache) {
.expect("Failed to read root certificate!")); Some((cert, key))
unsafe { ROOT_CERT = cert } } else { None }
} }
unsafe { ROOT_CERT.clone() } /// Get client certificate & key pair, in a single memory buffer
pub fn get_merged_client_keypair(&self) -> Option<Vec<u8>> {
self.get_client_keypair()
.map(|(c, k)| {
let mut out = k.to_vec();
out.put_slice("\n".as_bytes());
out.put_slice(c);
out
})
}
}
#[cfg(test)]
mod test {
use crate::client_config::ClientConfig;
#[test]
fn verify_cli() {
use clap::CommandFactory;
ClientConfig::command().debug_assert()
} }
} }

View File

@ -1,9 +1,11 @@
extern crate core;
use std::error::Error; use std::error::Error;
use std::sync::Arc; use std::sync::Arc;
use clap::Parser; use clap::Parser;
use futures::future::join_all; use futures::future::join_all;
use reqwest::Certificate; use reqwest::{Certificate, Identity};
use base::RemoteConfig; use base::RemoteConfig;
use tcp_relay_client::client_config::ClientConfig; use tcp_relay_client::client_config::ClientConfig;
@ -20,6 +22,14 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
client = client.add_root_certificate(Certificate::from_pem(&cert)?); client = client.add_root_certificate(Certificate::from_pem(&cert)?);
} }
// Specify client certificate, if any
if let Some(kp) = config.get_merged_client_keypair() {
let identity = Identity::from_pem(&kp)
.expect("Failed to load certificates for reqwest!");
client = client.identity(identity)
.use_rustls_tls();
}
let client = client.build().expect("Failed to build reqwest client"); let client = client.build().expect("Failed to build reqwest client");
let req = client.get(url) let req = client.get(url)
@ -38,9 +48,20 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
async fn main() -> Result<(), Box<dyn Error>> { async fn main() -> Result<(), Box<dyn Error>> {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info")); env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
let args: ClientConfig = ClientConfig::parse(); let mut args: ClientConfig = ClientConfig::parse();
args.load_certificates();
let args = Arc::new(args); let args = Arc::new(args);
// Check arguments coherence
if args.tls_cert.is_some() != args.tls_key.is_some() {
log::error!("If you specify one of TLS certificate / key, you must then specify the other!");
panic!();
}
if args.get_client_keypair().is_some() {
log::info!("Using client-side authentication");
}
// Get server relay configuration (fetch the list of port to forward) // Get server relay configuration (fetch the list of port to forward)
let conf = get_server_config(&args).await?; let conf = get_server_config(&args).await?;

View File

@ -3,7 +3,8 @@ use std::sync::Arc;
use futures::{SinkExt, StreamExt}; use futures::{SinkExt, StreamExt};
use hyper_rustls::ConfigBuilderExt; use hyper_rustls::ConfigBuilderExt;
use rustls::{Certificate, RootCertStore}; use rustls::{Certificate, PrivateKey, RootCertStore};
use rustls_pemfile::{Item, read_one};
use tokio::io::{AsyncReadExt, AsyncWriteExt}; use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::{TcpListener, TcpStream}; use tokio::net::{TcpListener, TcpStream};
use tokio_tungstenite::tungstenite::Message; use tokio_tungstenite::tungstenite::Message;
@ -54,7 +55,33 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
} }
}; };
let config = config.with_no_client_auth(); let config = match conf.get_client_keypair() {
None => config.with_no_client_auth(),
Some((certs, key)) => {
let certs = rustls_pemfile::certs(&mut Cursor::new(certs))
.expect("Failed to parse client certificates!")
.into_iter()
.map(Certificate)
.collect::<Vec<_>>();
let key = match read_one(&mut Cursor::new(key))
.expect("Failed to read client private key!") {
None => {
log::error!("Failed to extract private key!");
panic!();
}
Some(Item::PKCS8Key(key)) => key,
Some(Item::RSAKey(key)) => key,
_ => {
log::error!("Unsupported private key type!");
panic!();
}
};
config.with_single_cert(certs, PrivateKey(key))
.expect("Failed to set client certificate!")
}
};
let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config)); let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));
let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config( let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(