tls/SSL support

This commit is contained in:
la Fleur 2020-11-03 23:46:30 +01:00
parent eda07ac2ad
commit 684ed3acb0
5 changed files with 142 additions and 1 deletions

88
Cargo.lock generated

@ -143,6 +143,12 @@ version = "1.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
[[package]]
name = "cc"
version = "1.0.61"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed67cbde08356238e75fc4656be4749481eeffb09e19f320a25237d5221c985d"
[[package]]
name = "cfg-if"
version = "0.1.10"
@ -317,6 +323,18 @@ dependencies = [
"url",
]
[[package]]
name = "hyper-sync-rustls"
version = "0.3.0-rc.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d1a443a90413a118ac6739e024f6a5180aa3b3f43f7de65f9d388a961cff19b"
dependencies = [
"hyper",
"rustls",
"webpki",
"webpki-roots",
]
[[package]]
name = "idna"
version = "0.1.5"
@ -344,6 +362,12 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a91d884b6667cd606bb5a69aa0c99ba811a115fc68915e7056ec08a46e93199a"
[[package]]
name = "lazy_static"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]]
name = "libc"
version = "0.2.80"
@ -514,6 +538,18 @@ dependencies = [
"rand_core",
]
[[package]]
name = "ring"
version = "0.13.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2c4db68a2e35f3497146b7e4563df7d4773a2433230c5e4b448328e31740458a"
dependencies = [
"cc",
"lazy_static",
"libc",
"untrusted",
]
[[package]]
name = "rocket"
version = "0.4.5"
@ -558,21 +594,47 @@ checksum = "1aff5a5480175f2f553a876b251e9350c74196128806d176da3a51c82aab5428"
dependencies = [
"cookie",
"hyper",
"hyper-sync-rustls",
"indexmap",
"pear",
"percent-encoding 1.0.1",
"rustls",
"smallvec",
"state",
"time",
"unicode-xid",
]
[[package]]
name = "rustls"
version = "0.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b7891791343c75b73ed9a18cadcafd8c8563d11a88ebe2d87f5b8a3182654d9"
dependencies = [
"base64 0.9.3",
"log 0.4.11",
"ring",
"sct",
"untrusted",
"webpki",
]
[[package]]
name = "safemem"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ef703b7cb59335eae2eb93ceb664c0eb7ea6bf567079d843e09420219668e072"
[[package]]
name = "sct"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cb8f61f9e6eadd062a71c380043d28036304a4706b3c4dd001ff3387ed00745a"
dependencies = [
"ring",
"untrusted",
]
[[package]]
name = "serde"
version = "1.0.117"
@ -713,6 +775,12 @@ dependencies = [
"subtle 2.3.0",
]
[[package]]
name = "untrusted"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
[[package]]
name = "url"
version = "1.7.2"
@ -748,6 +816,26 @@ version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]]
name = "webpki"
version = "0.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17d7967316d8411ca3b01821ee6c332bde138ba4363becdb492f12e514daa17f"
dependencies = [
"ring",
"untrusted",
]
[[package]]
name = "webpki-roots"
version = "0.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85d1f408918fd590908a70d36b7ac388db2edc221470333e4d6e5b598e44cabf"
dependencies = [
"untrusted",
"webpki",
]
[[package]]
name = "winapi"
version = "0.3.9"


@ -7,4 +7,4 @@ edition = "2018"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
rocket = "0.4.5"
rocket = {version="0.4", features=["tls"]}
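Review bot: The new dependency line `rocket = {version="0.4", features=["tls"]}` loosens the requirement from the `0.4.5` on the line it presumably replaces to a caret `0.4`; that is normal Cargo practice and the Cargo.lock hunks still resolve `rocket` to 0.4.5, but the reason for the feature deserves a comment, e.g. `# "tls" enables Rocket's rustls-based HTTPS; certificate and key paths live in Rocket.toml`. Cargo convention also spaces the inline table: `rocket = { version = "0.4", features = ["tls"] }`. The TLS stack this feature pulls in is pinned by Rocket 0.4 to rustls 0.14.0, ring 0.13.5 and webpki 0.18.1 (visible in the Cargo.lock hunks), which are several releases behind those crates' current lines as of this commit's date, so this dependency set is worth tracking with periodic `cargo update` and `cargo audit` runs. The rendered page shows no file header for this section; it is presumably Cargo.toml given the `edition = "2018"` hunk context.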

12
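--- a/README.md
+++ b/README.md
@@ -0,0 +1,12 @@
+# Fly me a rocket
+This is a basic rocket web app. It uses tls to serve content, signing itself
+with keys that are in `private`, along with a generation script. A tryout use
+case would bring :
+( cd private && bash gen_cert.sh )
+cargo run
+One should use Let'sEncrypt keys for a specific domain. See `Rocket.toml` for
+adding specific keys for production binaries. Self-generated keys are useful for
+developement environments.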

20
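--- a/Rocket.toml
+++ b/Rocket.toml
@@ -0,0 +1,20 @@
+# Global configuration of TLS:
+[global.tls]
+certs = "private/cert.pem"
+key = "private/key.pem"
+# Per Environment Configuration of TLS:
+#[development]
+#tls = { certs = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\certs.pem", key = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\key.pem" }
+#[production]
+#tls = { certs = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\certs.pem", key = "c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\private\\key.pem" }
+# Or relative paths:
+# Per Environment Configuration of TLS:
+# [development]
+# tls = { certs = "private\\certs.pem", key = "private\\key.pem" }
+# [production]
+# tls = { certs = "private\\certs.pem", key = "private\\key.pem" }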
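Review bot: The commented-out `#[development]` and `#[production]` examples point at `c:\\code\\lang\\rust\\proj\\rocket-auth-login\\examples\\tls_example\\...`, a path from a different project that no reader of this file can use; they look like a leftover from an upstream example and should be dropped or reduced to a placeholder such as `tls = { certs = "<path-to-cert.pem>", key = "<path-to-key.pem>" }`. The relative-path variants name the file `certs.pem`, while the active `[global.tls]` block and `private/gen_cert.sh` both use `cert.pem`, so the examples would fail as written; they also double-escape backslashes in basic strings where a TOML literal string (`'private\cert.pem'`) or the forward slashes already used above would be clearer. The line `# Per Environment Configuration of TLS:` appears twice. Since `private/gen_cert.sh` writes `key.pem` and `ca_key.pem` into the directory this config reads from, a comment above `key = "private/key.pem"` such as `# key.pem and ca_key.pem are generated by private/gen_cert.sh; keep them out of version control` would make the handling expectation explicit.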

21
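--- a/private/gen_cert.sh
+++ b/private/gen_cert.sh
@@ -0,0 +1,21 @@
+#! /bin/bash
+# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
+# to check if a certificate is valid for a server name sent via SNI. It's not
+# clear if this is intended, since certificates _should_ have a `subjectAltName`
+# with a DNS name, or if it simply hasn't been implemented yet. See
+# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
+CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
+SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
+ALT="DNS:localhost"
+openssl genrsa -out ca_key.pem 4096
+openssl req -new -x509 -days 3650 -key ca_key.pem -subj "${CA_SUBJECT}" -out ca_cert.pem
+openssl req -newkey rsa:4096 -nodes -sha256 -keyout key.pem -subj "${SUBJECT}" -out server.csr
+openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
+-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
+-in server.csr -out cert.pem
+rm ca_cert.srl server.csr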
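Review bot: The script leaves `ca_key.pem` on disk after the leaf certificate is issued, because the final `rm` only removes `ca_cert.srl` and `server.csr`; since every run regenerates the CA with `openssl genrsa -out ca_key.pem 4096`, that key is never reused and can go with them, `rm -f ca_cert.srl server.csr ca_key.pem`, leaving only `ca_cert.pem` for clients that need to trust the certificate. There is also no error handling, so a failed `genrsa` or `req` still lets the later `openssl x509` and `rm` run against missing or stale files; `set -euo pipefail` after the shebang addresses that. All output paths are relative to the current directory and the README depends on `( cd private && bash gen_cert.sh )` to make them land where `Rocket.toml`'s `private/cert.pem` and `private/key.pem` expect; a `cd "$(dirname "$0")"` at the top makes the script location-independent.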