tls/SSL support

Cargo.lock

@@ -143,6 +143,12 @@ version = "1.3.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
 
+[[package]]
+name = "cc"
+version = "1.0.61"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed67cbde08356238e75fc4656be4749481eeffb09e19f320a25237d5221c985d"
+
 [[package]]
 name = "cfg-if"
 version = "0.1.10"
@@ -317,6 +323,18 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "hyper-sync-rustls"
+version = "0.3.0-rc.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d1a443a90413a118ac6739e024f6a5180aa3b3f43f7de65f9d388a961cff19b"
+dependencies = [
+ "hyper",
+ "rustls",
+ "webpki",
+ "webpki-roots",
+]
+
 [[package]]
 name = "idna"
 version = "0.1.5"
@@ -344,6 +362,12 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a91d884b6667cd606bb5a69aa0c99ba811a115fc68915e7056ec08a46e93199a"
 
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
 [[package]]
 name = "libc"
 version = "0.2.80"
@@ -514,6 +538,18 @@ dependencies = [
  "rand_core",
 ]
 
+[[package]]
+name = "ring"
+version = "0.13.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c4db68a2e35f3497146b7e4563df7d4773a2433230c5e4b448328e31740458a"
+dependencies = [
+ "cc",
+ "lazy_static",
+ "libc",
+ "untrusted",
+]
+
 [[package]]
 name = "rocket"
 version = "0.4.5"
@@ -558,21 +594,47 @@ checksum = "1aff5a5480175f2f553a876b251e9350c74196128806d176da3a51c82aab5428"
 dependencies = [
  "cookie",
  "hyper",
+ "hyper-sync-rustls",
  "indexmap",
  "pear",
  "percent-encoding 1.0.1",
+ "rustls",
  "smallvec",
  "state",
  "time",
  "unicode-xid",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b7891791343c75b73ed9a18cadcafd8c8563d11a88ebe2d87f5b8a3182654d9"
+dependencies = [
+ "base64 0.9.3",
+ "log 0.4.11",
+ "ring",
+ "sct",
+ "untrusted",
+ "webpki",
+]
+
 [[package]]
 name = "safemem"
 version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ef703b7cb59335eae2eb93ceb664c0eb7ea6bf567079d843e09420219668e072"
 
+[[package]]
+name = "sct"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb8f61f9e6eadd062a71c380043d28036304a4706b3c4dd001ff3387ed00745a"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.117"
@@ -713,6 +775,12 @@ dependencies = [
  "subtle 2.3.0",
 ]
 
+[[package]]
+name = "untrusted"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
+
 [[package]]
 name = "url"
 version = "1.7.2"
@@ -748,6 +816,26 @@ version = "0.10.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
 
+[[package]]
+name = "webpki"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17d7967316d8411ca3b01821ee6c332bde138ba4363becdb492f12e514daa17f"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85d1f408918fd590908a70d36b7ac388db2edc221470333e4d6e5b598e44cabf"
+dependencies = [
+ "untrusted",
+ "webpki",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"

Cargo.toml

@@ -7,4 +7,4 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-rocket = "0.4.5"
+rocket = {version="0.4", features=["tls"]}

README.md

@@ -0,0 +1,12 @@
+# Fly me a rocket
+
+This is a basic rocket web app. It uses tls to serve content, signing itself
+with keys that are in `private`, along with a generation script. A tryout use
+case would bring :
+
+    ( cd private && bash gen_cert.sh )
+    cargo run
+
+One should use Let'sEncrypt keys for a specific domain. See `Rocket.toml` for
+adding specific keys for production binaries. Self-generated keys are useful for
+developement environments.

Rocket.toml

@@ -0,0 +1,20 @@
+
+# Global configuration of TLS:
+[global.tls]
+certs = "private/cert.pem"
+key = "private/key.pem"
+
+
+# Per Environment Configuration of TLS:
+#[development]
+#tls = { certs = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\certs.pem", key = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\key.pem" }
+#[production]
+#tls = { certs = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\certs.pem", key = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\key.pem" }
+
+# Or relative paths:
+
+# Per Environment Configuration of TLS:
+# [development]
+# tls = { certs = "private\\certs.pem", key = "private\\key.pem" }
+# [production]
+# tls = { certs = "private\\certs.pem", key = "private\\key.pem" }

private/gen_cert.sh

@@ -0,0 +1,21 @@
+#! /bin/bash
+
+# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
+# to check if a certificate is valid for a server name sent via SNI. It's not
+# clear if this is intended, since certificates _should_ have a `subjectAltName`
+# with a DNS name, or if it simply hasn't been implemented yet. See
+# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
+
+CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
+SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
+ALT="DNS:localhost"
+
+openssl genrsa -out ca_key.pem 4096
+openssl req -new -x509 -days 3650 -key ca_key.pem -subj "${CA_SUBJECT}" -out ca_cert.pem
+
+openssl req -newkey rsa:4096 -nodes -sha256 -keyout key.pem -subj "${SUBJECT}" -out server.csr
+openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
+    -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
+    -in server.csr -out cert.pem
+
+rm ca_cert.srl server.csr