Client can authenticate using TLS certificate
This commit is contained in:
parent
27b52dfcb7
commit
cd0f6fea94
1
Cargo.lock
generated
1
Cargo.lock
generated
@ -1566,6 +1566,7 @@ name = "tcp_relay_client"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"base",
|
||||
"bytes",
|
||||
"clap",
|
||||
"env_logger",
|
||||
"futures",
|
||||
|
@ -16,3 +16,4 @@ urlencoding = "2.1.0"
|
||||
rustls = { version = "0.20.6" }
|
||||
hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
|
||||
rustls-pemfile = { version = "1.0.1" }
|
||||
bytes = "1.2.1"
|
@ -1,7 +1,6 @@
|
||||
use bytes::BufMut;
|
||||
use clap::Parser;
|
||||
|
||||
static mut ROOT_CERT: Option<Vec<u8>> = None;
|
||||
|
||||
/// TCP relay client
|
||||
#[derive(Parser, Debug, Clone)]
|
||||
#[clap(author, version, about, long_about = None)]
|
||||
@ -18,28 +17,80 @@ pub struct ClientConfig {
|
||||
#[clap(short, long, default_value = "127.0.0.1")]
|
||||
pub listen_address: String,
|
||||
|
||||
/// Optional root certificate to use for server authentication
|
||||
/// Alternative root certificate to use for server authentication
|
||||
#[clap(short = 'c', long)]
|
||||
pub root_certificate: Option<String>,
|
||||
|
||||
#[clap(skip)]
|
||||
_root_certificate_cache: Option<Vec<u8>>,
|
||||
|
||||
/// TLS certificate for TLS authentication.
|
||||
#[clap(long)]
|
||||
pub tls_cert: Option<String>,
|
||||
|
||||
#[clap(skip)]
|
||||
_tls_cert_cache: Option<Vec<u8>>,
|
||||
|
||||
/// TLS key for TLS authentication.
|
||||
#[clap(long)]
|
||||
pub tls_key: Option<String>,
|
||||
|
||||
#[clap(skip)]
|
||||
_tls_key_cache: Option<Vec<u8>>,
|
||||
}
|
||||
|
||||
impl ClientConfig {
|
||||
/// Load certificates and put them in cache
|
||||
pub fn load_certificates(&mut self) {
|
||||
self._root_certificate_cache = self.root_certificate.as_ref()
|
||||
.map(|c| std::fs::read(c)
|
||||
.expect("Failed to read root certificate!"));
|
||||
|
||||
self._tls_cert_cache = self.tls_cert.as_ref()
|
||||
.map(|c| std::fs::read(c)
|
||||
.expect("Failed to read client certificate!"));
|
||||
|
||||
self._tls_key_cache = self.tls_key.as_ref()
|
||||
.map(|c| std::fs::read(c)
|
||||
.expect("Failed to read client key!"));
|
||||
}
|
||||
|
||||
/// Get client token, returning a dummy token if none was specified
|
||||
pub fn get_auth_token(&self) -> &str {
|
||||
self.token.as_deref().unwrap_or("none")
|
||||
}
|
||||
|
||||
/// Load root certificate
|
||||
/// Get root certificate content
|
||||
pub fn get_root_certificate(&self) -> Option<Vec<u8>> {
|
||||
self.root_certificate.as_ref()?;
|
||||
|
||||
if unsafe { ROOT_CERT.is_none() } {
|
||||
log::info!("Loading root certificate from disk");
|
||||
let cert = self.root_certificate.as_ref().map(|c| std::fs::read(c)
|
||||
.expect("Failed to read root certificate!"));
|
||||
unsafe { ROOT_CERT = cert }
|
||||
self._root_certificate_cache.clone()
|
||||
}
|
||||
|
||||
unsafe { ROOT_CERT.clone() }
|
||||
/// Get client certificate & key pair, if available
|
||||
pub fn get_client_keypair(&self) -> Option<(&Vec<u8>, &Vec<u8>)> {
|
||||
if let (Some(cert), Some(key)) = (&self._tls_cert_cache, &self._tls_key_cache) {
|
||||
Some((cert, key))
|
||||
} else { None }
|
||||
}
|
||||
|
||||
/// Get client certificate & key pair, in a single memory buffer
|
||||
pub fn get_merged_client_keypair(&self) -> Option<Vec<u8>> {
|
||||
self.get_client_keypair()
|
||||
.map(|(c, k)| {
|
||||
let mut out = k.to_vec();
|
||||
out.put_slice("\n".as_bytes());
|
||||
out.put_slice(c);
|
||||
out
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod test {
|
||||
use crate::client_config::ClientConfig;
|
||||
|
||||
#[test]
|
||||
fn verify_cli() {
|
||||
use clap::CommandFactory;
|
||||
ClientConfig::command().debug_assert()
|
||||
}
|
||||
}
|
@ -1,9 +1,11 @@
|
||||
extern crate core;
|
||||
|
||||
use std::error::Error;
|
||||
use std::sync::Arc;
|
||||
|
||||
use clap::Parser;
|
||||
use futures::future::join_all;
|
||||
use reqwest::Certificate;
|
||||
use reqwest::{Certificate, Identity};
|
||||
|
||||
use base::RemoteConfig;
|
||||
use tcp_relay_client::client_config::ClientConfig;
|
||||
@ -20,6 +22,14 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
|
||||
client = client.add_root_certificate(Certificate::from_pem(&cert)?);
|
||||
}
|
||||
|
||||
// Specify client certificate, if any
|
||||
if let Some(kp) = config.get_merged_client_keypair() {
|
||||
let identity = Identity::from_pem(&kp)
|
||||
.expect("Failed to load certificates for reqwest!");
|
||||
client = client.identity(identity)
|
||||
.use_rustls_tls();
|
||||
}
|
||||
|
||||
let client = client.build().expect("Failed to build reqwest client");
|
||||
|
||||
let req = client.get(url)
|
||||
@ -38,9 +48,20 @@ async fn get_server_config(config: &ClientConfig) -> Result<RemoteConfig, Box<dy
|
||||
async fn main() -> Result<(), Box<dyn Error>> {
|
||||
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
||||
|
||||
let args: ClientConfig = ClientConfig::parse();
|
||||
let mut args: ClientConfig = ClientConfig::parse();
|
||||
args.load_certificates();
|
||||
let args = Arc::new(args);
|
||||
|
||||
// Check arguments coherence
|
||||
if args.tls_cert.is_some() != args.tls_key.is_some() {
|
||||
log::error!("If you specify one of TLS certificate / key, you must then specify the other!");
|
||||
panic!();
|
||||
}
|
||||
|
||||
if args.get_client_keypair().is_some() {
|
||||
log::info!("Using client-side authentication");
|
||||
}
|
||||
|
||||
// Get server relay configuration (fetch the list of port to forward)
|
||||
let conf = get_server_config(&args).await?;
|
||||
|
||||
|
@ -3,7 +3,8 @@ use std::sync::Arc;
|
||||
|
||||
use futures::{SinkExt, StreamExt};
|
||||
use hyper_rustls::ConfigBuilderExt;
|
||||
use rustls::{Certificate, RootCertStore};
|
||||
use rustls::{Certificate, PrivateKey, RootCertStore};
|
||||
use rustls_pemfile::{Item, read_one};
|
||||
use tokio::io::{AsyncReadExt, AsyncWriteExt};
|
||||
use tokio::net::{TcpListener, TcpStream};
|
||||
use tokio_tungstenite::tungstenite::Message;
|
||||
@ -54,7 +55,33 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
|
||||
}
|
||||
};
|
||||
|
||||
let config = config.with_no_client_auth();
|
||||
let config = match conf.get_client_keypair() {
|
||||
None => config.with_no_client_auth(),
|
||||
Some((certs, key)) => {
|
||||
let certs = rustls_pemfile::certs(&mut Cursor::new(certs))
|
||||
.expect("Failed to parse client certificates!")
|
||||
.into_iter()
|
||||
.map(Certificate)
|
||||
.collect::<Vec<_>>();
|
||||
|
||||
let key = match read_one(&mut Cursor::new(key))
|
||||
.expect("Failed to read client private key!") {
|
||||
None => {
|
||||
log::error!("Failed to extract private key!");
|
||||
panic!();
|
||||
}
|
||||
Some(Item::PKCS8Key(key)) => key,
|
||||
Some(Item::RSAKey(key)) => key,
|
||||
_ => {
|
||||
log::error!("Unsupported private key type!");
|
||||
panic!();
|
||||
}
|
||||
};
|
||||
|
||||
config.with_single_cert(certs, PrivateKey(key))
|
||||
.expect("Failed to set client certificate!")
|
||||
}
|
||||
};
|
||||
let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));
|
||||
|
||||
let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(
|
||||
|
Loading…
Reference in New Issue
Block a user