show how to handle private keys with passphrases in openssl example

2025-06-27 09:29:02 +02:00 · 2023-05-22 14:06:04 +01:00
parent aae806b42f
commit 48565526e7
4 changed files with 137 additions and 80 deletions
--- a/https-tls/openssl/src/main.rs
+++ b/https-tls/openssl/src/main.rs
@ -1,25 +1,39 @@
-use std::io;
+use std::{
+    fs::File,
+    io::{self, Read as _},
+};

 use actix_web::{middleware, web, App, Error, HttpRequest, HttpResponse, HttpServer};
-use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
+use openssl::{
+    pkey::{PKey, Private},
+    ssl::{SslAcceptor, SslMethod},
+};

 /// simple handle
 async fn index(req: HttpRequest) -> Result<HttpResponse, Error> {
    println!("{req:?}");
    Ok(HttpResponse::Ok()
        .content_type("text/plain")
-        .body("Welcome!"))
+        .body("Hello HTTPS World!"))
 }

 #[actix_web::main]
 async fn main() -> io::Result<()> {
    env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));

-    // load TLS keys
+    // build TLS config from files
    let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
+
+    // set the encrypted private key
    builder
-        .set_private_key_file("key.pem", SslFiletype::PEM)
+        .set_private_key(&load_encrypted_private_key())
        .unwrap();
+
+    // set the unencrypted private key
+    // (uncomment if you generate your own key+cert with `mkcert`, and also remove the statement above)
+    // builder.set_private_key_file("key.pem").unwrap();
+
+    // set the certificate chain file location
    builder.set_certificate_chain_file("cert.pem").unwrap();

    log::info!("starting HTTPS server at http://localhost:8443");
@ -28,16 +42,19 @@ async fn main() -> io::Result<()> {
        App::new()
            // enable logger
            .wrap(middleware::Logger::default())
-            // register simple handler, handle all methods
-            .service(web::resource("/index.html").to(index))
-            // with path parameters
-            .service(web::resource("/").route(web::get().to(|| async {
-                HttpResponse::Found()
-                    .append_header(("LOCATION", "/index.html"))
-                    .finish()
-            })))
+            // simple root handler
+            .service(web::resource("/").route(web::get().to(index)))
    })
    .bind_openssl("127.0.0.1:8443", builder)?
+    .workers(2)
    .run()
    .await
 }
+
+fn load_encrypted_private_key() -> PKey<Private> {
+    let mut file = File::open("key.pem").unwrap();
+    let mut buffer = Vec::new();
+    file.read_to_end(&mut buffer).expect("Failed to read file");
+
+    PKey::private_key_from_pem_passphrase(&buffer, b"password").unwrap()
+}