examples/https-tls/rustls-client-cert/src/main.rs

//! This example shows how to use `actix_web::HttpServer::on_connect` to access client certificates
//! pass them to a handler through connection-local data.

use std::{any::Any, sync::Arc, fs::File, io::BufReader, net::SocketAddr};

use actix_tls::accept::rustls_0_21::{reexports::ServerConfig, TlsStream};
use actix_web::{
    dev::Extensions, rt::net::TcpStream, web, App, HttpRequest, HttpResponse, HttpServer, Responder,
};
use log::info;
use rustls::{
    server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey, RootCertStore,
};
use rustls_pemfile::{certs, pkcs8_private_keys};

const CA_CERT: &str = "certs/rootCA.pem";
const SERVER_CERT: &str = "certs/server-cert.pem";
const SERVER_KEY: &str = "certs/server-key.pem";

#[allow(dead_code)] // it is debug printed
#[derive(Debug, Clone)]
struct ConnectionInfo {
    bind: SocketAddr,
    peer: SocketAddr,
    ttl: Option<u32>,
}

async fn route_whoami(req: HttpRequest) -> impl Responder {
    let conn_info = req.conn_data::<ConnectionInfo>().unwrap();
    let client_cert = req.conn_data::<Certificate>();

    if let Some(cert) = client_cert {
        HttpResponse::Ok().body(format!("{:?}\n\n{:?}", &conn_info, &cert))
    } else {
        HttpResponse::Unauthorized().body("No client certificate provided.")
    }
}

fn get_client_cert(connection: &dyn Any, data: &mut Extensions) {
    if let Some(tls_socket) = connection.downcast_ref::<TlsStream<TcpStream>>() {
        info!("TLS on_connect");

        let (socket, tls_session) = tls_socket.get_ref();

        data.insert(ConnectionInfo {
            bind: socket.local_addr().unwrap(),
            peer: socket.peer_addr().unwrap(),
            ttl: socket.ttl().ok(),
        });

        if let Some(certs) = tls_session.peer_certificates() {
            info!("client certificate found");

            // insert a `rustls::Certificate` into request data
            data.insert(certs.last().unwrap().clone());
        }
    } else if let Some(socket) = connection.downcast_ref::<TcpStream>() {
        info!("plaintext on_connect");

        data.insert(ConnectionInfo {
            bind: socket.local_addr().unwrap(),
            peer: socket.peer_addr().unwrap(),
            ttl: socket.ttl().ok(),
        });
    } else {
        unreachable!("socket should be TLS or plaintext");
    }
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));

    let mut cert_store = RootCertStore::empty();

    // import CA cert
    let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
    let ca_cert = Certificate(certs(ca_cert).unwrap()[0].clone());

    cert_store
        .add(&ca_cert)
        .expect("root CA not added to store");

    // set up client authentication requirements
    let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);
    let config = ServerConfig::builder()
        .with_safe_defaults()
        .with_client_cert_verifier(Arc::new(client_auth));

    // import server cert and key
    let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
    let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);

    let cert_chain = certs(cert_file)
        .unwrap()
        .into_iter()
        .map(Certificate)
        .collect();
    let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)
        .unwrap()
        .into_iter()
        .map(PrivateKey)
        .collect();
    let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();

    log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");

    HttpServer::new(|| App::new().default_service(web::to(route_whoami)))
        .on_connect(get_client_cert)
        .bind(("localhost", 8080))?
        .bind_rustls_021(("localhost", 8443), config)?
        .workers(1)
        .run()
        .await
}
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			//! This example shows how to use `actix_web::HttpServer::on_connect` to access client certificates
fix client cert example fixes rustls-client-cert example not working #526 2022-02-14 01:05:44 +00:00			`//! pass them to a handler through connection-local data.`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00
fix: remaining upgrade issues 2023-08-29 18:56:00 +01:00			`use std::{any::Any, sync::Arc, fs::File, io::BufReader, net::SocketAddr};`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00
fix: remaining upgrade issues 2023-08-29 18:56:00 +01:00			`use actix_tls::accept::rustls_0_21::{reexports::ServerConfig, TlsStream};`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`use actix_web::{`
fmt 2022-02-18 02:44:02 +00:00			`dev::Extensions, rt::net::TcpStream, web, App, HttpRequest, HttpResponse, HttpServer, Responder,`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`};`
			`use log::info;`
			`use rustls::{`
fmt 2022-02-18 02:44:02 +00:00			`server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey, RootCertStore,`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`};`
Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`use rustls_pemfile::{certs, pkcs8_private_keys};`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00
			`const CA_CERT: &str = "certs/rootCA.pem";`
			`const SERVER_CERT: &str = "certs/server-cert.pem";`
			`const SERVER_KEY: &str = "certs/server-key.pem";`

bump to rc.1 2022-02-02 00:44:58 +00:00			`#[allow(dead_code)] // it is debug printed`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`#[derive(Debug, Clone)]`
			`struct ConnectionInfo {`
			`bind: SocketAddr,`
			`peer: SocketAddr,`
			`ttl: Option<u32>,`
			`}`

fix client cert example fixes rustls-client-cert example not working #526 2022-02-14 01:05:44 +00:00			`async fn route_whoami(req: HttpRequest) -> impl Responder {`
			`let conn_info = req.conn_data::<ConnectionInfo>().unwrap();`
			`let client_cert = req.conn_data::<Certificate>();`

add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`if let Some(cert) = client_cert {`
			`HttpResponse::Ok().body(format!("{:?}\n\n{:?}", &conn_info, &cert))`
			`} else {`
			`HttpResponse::Unauthorized().body("No client certificate provided.")`
			`}`
			`}`

			`fn get_client_cert(connection: &dyn Any, data: &mut Extensions) {`
			`if let Some(tls_socket) = connection.downcast_ref::<TlsStream<TcpStream>>() {`
			`info!("TLS on_connect");`

			`let (socket, tls_session) = tls_socket.get_ref();`

			`data.insert(ConnectionInfo {`
			`bind: socket.local_addr().unwrap(),`
			`peer: socket.peer_addr().unwrap(),`
			`ttl: socket.ttl().ok(),`
			`});`

Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`if let Some(certs) = tls_session.peer_certificates() {`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`info!("client certificate found");`

			// insert a `rustls::Certificate` into request data
Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`data.insert(certs.last().unwrap().clone());`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`}`
			`} else if let Some(socket) = connection.downcast_ref::<TcpStream>() {`
			`info!("plaintext on_connect");`

			`data.insert(ConnectionInfo {`
			`bind: socket.local_addr().unwrap(),`
			`peer: socket.peer_addr().unwrap(),`
			`ttl: socket.ttl().ok(),`
			`});`
			`} else {`
			`unreachable!("socket should be TLS or plaintext");`
			`}`
			`}`

			`#[actix_web::main]`
			`async fn main() -> std::io::Result<()> {`
normalize ports to 8080 2022-03-06 00:41:32 +00:00			`env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00
			`let mut cert_store = RootCertStore::empty();`

			`// import CA cert`
			`let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);`
Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`let ca_cert = Certificate(certs(ca_cert).unwrap()[0].clone());`

add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`cert_store`
Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`.add(&ca_cert)`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`.expect("root CA not added to store");`

			`// set up client authentication requirements`
			`let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);`
Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`let config = ServerConfig::builder()`
			`.with_safe_defaults()`
fix: remaining upgrade issues 2023-08-29 18:56:00 +01:00			`.with_client_cert_verifier(Arc::new(client_auth));`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00
			`// import server cert and key`
			`let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);`
			`let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);`

Rustls client cert (#510) 2022-01-29 16:51:49 +00:00			`let cert_chain = certs(cert_file)`
			`.unwrap()`
			`.into_iter()`
			`.map(Certificate)`
			`.collect();`
			`let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)`
			`.unwrap()`
			`.into_iter()`
			`.map(PrivateKey)`
			`.collect();`
			`let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00
https-tls: typo - correct URIs to use https (#606) 2023-02-25 12:38:19 +00:00			`log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");`
normalize ports to 8080 2022-03-06 00:41:32 +00:00
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`HttpServer::new(\|\| App::new().default_service(web::to(route_whoami)))`
			`.on_connect(get_client_cert)`
			`.bind(("localhost", 8080))?`
use rustls v0.21 2023-08-29 18:28:12 +01:00			`.bind_rustls_021(("localhost", 8443), config)?`
add client certificate example (#380) 2020-10-30 04:22:24 +00:00			`.workers(1)`
			`.run()`
			`.await`
			`}`