Client can authenticate using TLS certificate
This commit is contained in:
parent
27b52dfcb7
commit
cd0f6fea94
1
Cargo.lock
generated
1
Cargo.lock
generated
@ -1566,6 +1566,7 @@ name = "tcp_relay_client"
|
|||||||
version = "0.1.0"
|
version = "0.1.0"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"base",
|
"base",
|
||||||
|
"bytes",
|
||||||
"clap",
|
"clap",
|
||||||
"env_logger",
|
"env_logger",
|
||||||
"futures",
|
"futures",
|
||||||
|
@ -15,4 +15,5 @@ tokio-tungstenite = { version = "0.17.2", features = ["__rustls-tls", "rustls-tl
|
|||||||
urlencoding = "2.1.0"
|
urlencoding = "2.1.0"
|
||||||
rustls = { version = "0.20.6" }
|
rustls = { version = "0.20.6" }
|
||||||
hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
|
hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
|
||||||
rustls-pemfile = { version = "1.0.1" }
|
rustls-pemfile = { version = "1.0.1" }
|
||||||
|
bytes = "1.2.1"
|
@ -1,7 +1,6 @@
|
|||||||
|
use bytes::BufMut;
|
||||||
use clap::Parser;
|
use clap::Parser;
|
||||||
|
|
||||||
static mut ROOT_CERT: Option<Vec<u8>> = None;
|
|
||||||
|
|
||||||
/// TCP relay client
|
/// TCP relay client
|
||||||
#[derive(Parser, Debug, Clone)]
|
#[derive(Parser, Debug, Clone)]
|
||||||
#[clap(author, version, about, long_about = None)]
|
#[clap(author, version, about, long_about = None)]
|
||||||
@ -18,28 +17,80 @@ pub struct ClientConfig {
|
|||||||
#[clap(short, long, default_value = "127.0.0.1")]
|
#[clap(short, long, default_value = "127.0.0.1")]
|
||||||
pub listen_address: String,
|
pub listen_address: String,
|
||||||
|
|
||||||
/// Optional root certificate to use for server authentication
|
/// Alternative root certificate to use for server authentication
|
||||||
#[clap(short = 'c', long)]
|
#[clap(short = 'c', long)]
|
||||||
pub root_certificate: Option<String>,
|
pub root_certificate: Option<String>,
|
||||||
|
|
||||||
|
#[clap(skip)]
|
||||||
|
_root_certificate_cache: Option<Vec<u8>>,
|
||||||
|
|
||||||
|
/// TLS certificate for TLS authentication.
|
||||||
|
#[clap(long)]
|
||||||
|
pub tls_cert: Option<String>,
|
||||||
|
|
||||||
|
#[clap(skip)]
|
||||||
|
_tls_cert_cache: Option<Vec<u8>>,
|
||||||
|
|
||||||
|
/// TLS key for TLS authentication.
|
||||||
|
#[clap(long)]
|
||||||
|
pub tls_key: Option<String>,
|
||||||
|
|
||||||
|
#[clap(skip)]
|
||||||
|
_tls_key_cache: Option<Vec<u8>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl ClientConfig {
|
impl ClientConfig {
|
||||||
|
/// Load certificates and put them in cache
|
||||||
|
pub fn load_certificates(&mut self) {
|
||||||
|
self._root_certificate_cache = self.root_certificate.as_ref()
|
||||||
|
.map(|c| std::fs::read(c)
|
||||||
|
.expect("Failed to read root certificate!"));
|
||||||
|
|
||||||
|
self._tls_cert_cache = self.tls_cert.as_ref()
|
||||||
|
.map(|c| std::fs::read(c)
|
||||||
|
.expect("Failed to read client certificate!"));
|
||||||
|
|
||||||
|
self._tls_key_cache = self.tls_key.as_ref()
|
||||||
|
.map(|c| std::fs::read(c)
|
||||||
|
.expect("Failed to read client key!"));
|
||||||
|
}
|
||||||
|
|
||||||
/// Get client token, returning a dummy token if none was specified
|
/// Get client token, returning a dummy token if none was specified
|
||||||
pub fn get_auth_token(&self) -> &str {
|
pub fn get_auth_token(&self) -> &str {
|
||||||
self.token.as_deref().unwrap_or("none")
|
self.token.as_deref().unwrap_or("none")
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Load root certificate
|
/// Get root certificate content
|
||||||
pub fn get_root_certificate(&self) -> Option<Vec<u8>> {
|
pub fn get_root_certificate(&self) -> Option<Vec<u8>> {
|
||||||
self.root_certificate.as_ref()?;
|
self._root_certificate_cache.clone()
|
||||||
|
}
|
||||||
|
|
||||||
if unsafe { ROOT_CERT.is_none() } {
|
/// Get client certificate & key pair, if available
|
||||||
log::info!("Loading root certificate from disk");
|
pub fn get_client_keypair(&self) -> Option<(&Vec<u8>, &Vec<u8>)> {
|
||||||
let cert = self.root_certificate.as_ref().map(|c| std::fs::read(c)
|
if let (Some(cert), Some(key)) = (&self._tls_cert_cache, &self._tls_key_cache) {
|
||||||
.expect("Failed to read root certificate!"));
|
Some((cert, key))
|
||||||
unsafe { ROOT_CERT = cert }
|
} else { None }
|
||||||
}
|
}
|
||||||
|
|
||||||
unsafe { ROOT_CERT.clone() }
|
/// Get client certificate & key pair, in a single memory buffer
|
||||||
|
pub fn get_merged_client_keypair(&self) -> Option<Vec<u8>> {
|
||||||
|
self.get_client_keypair()
|
||||||
|
.map(|(c, k)| {
|
||||||
|
let mut out = k.to_vec();
|
||||||
|
out.put_slice("\n".as_bytes());
|
||||||
|
out.put_slice(c);
|
||||||
|
out
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
use crate::client_config::ClientConfig;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn verify_cli() {
|
||||||
|
use clap::CommandFactory;
|
||||||
|
ClientConfig::command().debug_assert()
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -1,9 +1,11 @@
|
|||||||
|
extern crate core;
|
||||||
|
|
||||||
use std::error::Error;
|
use std::error::Error;
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
|
|
||||||
use clap::Parser;
|
use clap::Parser;
|
||||||
use futures::future::join_all;
|
use futures::future::join_all;
|
||||||
use reqwest::Certificate;
|
use reqwest::{Certificate, Identity};
|
||||||
|
|
||||||
use base::RemoteConfig;
|
use base::RemoteConfig;
|
||||||
use tcp_relay_client::client_config::ClientConfig;
|
use tcp_relay_client::client_config::ClientConfig;
|
||||||
@ -20,6 +22,14 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
|
|||||||
client = client.add_root_certificate(Certificate::from_pem(&cert)?);
|
client = client.add_root_certificate(Certificate::from_pem(&cert)?);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Specify client certificate, if any
|
||||||
|
if let Some(kp) = config.get_merged_client_keypair() {
|
||||||
|
let identity = Identity::from_pem(&kp)
|
||||||
|
.expect("Failed to load certificates for reqwest!");
|
||||||
|
client = client.identity(identity)
|
||||||
|
.use_rustls_tls();
|
||||||
|
}
|
||||||
|
|
||||||
let client = client.build().expect("Failed to build reqwest client");
|
let client = client.build().expect("Failed to build reqwest client");
|
||||||
|
|
||||||
let req = client.get(url)
|
let req = client.get(url)
|
||||||
@ -38,9 +48,20 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
|
|||||||
async fn main() -> Result<(), Box<dyn Error>> {
|
async fn main() -> Result<(), Box<dyn Error>> {
|
||||||
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
||||||
|
|
||||||
let args: ClientConfig = ClientConfig::parse();
|
let mut args: ClientConfig = ClientConfig::parse();
|
||||||
|
args.load_certificates();
|
||||||
let args = Arc::new(args);
|
let args = Arc::new(args);
|
||||||
|
|
||||||
|
// Check arguments coherence
|
||||||
|
if args.tls_cert.is_some() != args.tls_key.is_some() {
|
||||||
|
log::error!("If you specify one of TLS certificate / key, you must then specify the other!");
|
||||||
|
panic!();
|
||||||
|
}
|
||||||
|
|
||||||
|
if args.get_client_keypair().is_some() {
|
||||||
|
log::info!("Using client-side authentication");
|
||||||
|
}
|
||||||
|
|
||||||
// Get server relay configuration (fetch the list of port to forward)
|
// Get server relay configuration (fetch the list of port to forward)
|
||||||
let conf = get_server_config(&args).await?;
|
let conf = get_server_config(&args).await?;
|
||||||
|
|
||||||
|
@ -3,7 +3,8 @@ use std::sync::Arc;
|
|||||||
|
|
||||||
use futures::{SinkExt, StreamExt};
|
use futures::{SinkExt, StreamExt};
|
||||||
use hyper_rustls::ConfigBuilderExt;
|
use hyper_rustls::ConfigBuilderExt;
|
||||||
use rustls::{Certificate, RootCertStore};
|
use rustls::{Certificate, PrivateKey, RootCertStore};
|
||||||
|
use rustls_pemfile::{Item, read_one};
|
||||||
use tokio::io::{AsyncReadExt, AsyncWriteExt};
|
use tokio::io::{AsyncReadExt, AsyncWriteExt};
|
||||||
use tokio::net::{TcpListener, TcpStream};
|
use tokio::net::{TcpListener, TcpStream};
|
||||||
use tokio_tungstenite::tungstenite::Message;
|
use tokio_tungstenite::tungstenite::Message;
|
||||||
@ -54,7 +55,33 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let config = config.with_no_client_auth();
|
let config = match conf.get_client_keypair() {
|
||||||
|
None => config.with_no_client_auth(),
|
||||||
|
Some((certs, key)) => {
|
||||||
|
let certs = rustls_pemfile::certs(&mut Cursor::new(certs))
|
||||||
|
.expect("Failed to parse client certificates!")
|
||||||
|
.into_iter()
|
||||||
|
.map(Certificate)
|
||||||
|
.collect::<Vec<_>>();
|
||||||
|
|
||||||
|
let key = match read_one(&mut Cursor::new(key))
|
||||||
|
.expect("Failed to read client private key!") {
|
||||||
|
None => {
|
||||||
|
log::error!("Failed to extract private key!");
|
||||||
|
panic!();
|
||||||
|
}
|
||||||
|
Some(Item::PKCS8Key(key)) => key,
|
||||||
|
Some(Item::RSAKey(key)) => key,
|
||||||
|
_ => {
|
||||||
|
log::error!("Unsupported private key type!");
|
||||||
|
panic!();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
config.with_single_cert(certs, PrivateKey(key))
|
||||||
|
.expect("Failed to set client certificate!")
|
||||||
|
}
|
||||||
|
};
|
||||||
let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));
|
let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));
|
||||||
|
|
||||||
let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(
|
let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(
|
||||||
|
Loading…
Reference in New Issue
Block a user