actix/examples
1
0
Fork 0
mirror of https://github.com/actix/examples synced 2024-11-23 22:41:07 +01:00
Code Issues Releases Wiki Activity

show how to handle private keys with passphrases in openssl example

Browse Source
This commit is contained in:
Rob Ede 2023-05-22 14:06:04 +01:00
parent aae806b42f
commit 48565526e7
No known key found for this signature in database
GPG Key ID: 97C636207D3EF933
4 changed files with 137 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
https-tls/openssl/README.md
View File

@ -2,31 +2,40 @@
## Usage ## Usage
### Certificate ### Generating Trusted Certificate
We put the self-signed certificate in this directory as an example but your browser would complain that it isn't secure. So we recommend to use [`mkcert`] to trust it. To use local CA, you should run: We put self-signed certificate in this directory as an example but your browser will complain that connections to the server aren't secure. We recommend to use [`mkcert`] to trust it. To use a local CA, you should run:
```sh ```sh
mkcert -install mkcert -install
``` ```
If you want to generate your own cert/private key file, then run: If you want to generate your own private key/certificate pair, then run:
```sh ```sh
mkcert 127.0.0.1 mkcert 127.0.0.1 localhost
```
A new `key.pem` and `cert.pem` will be saved to the current directory. You will then need to modify `main.rs` where indicated.
### Running Server
```console
$ cd security/openssl
$ cargo run # (or `cargo watch -x run`)
starting HTTPS server at 127.0.0.1:8443
```
### Using Client
- curl: `curl -vk https://127.0.0.1:8443`
- curl (forced HTTP/1.1): `curl -vk --http1.1 https://127.0.0.1:8443`
- browser: <https://127.0.0.1:8443>
## Self-Signed Encrypted Private Key Command
```sh
openssl req -x509 -newkey rsa:4096 -keyout key-pass.pem -out cert-pass.pem -sha256 -days 365
``` ```
[`mkcert`]: https://github.com/FiloSottile/mkcert [`mkcert`]: https://github.com/FiloSottile/mkcert
### server
```sh
cd security/openssl
cargo run (or ``cargo watch -x run``)
# Started http server: 127.0.0.1:8443
```
### web client
- curl: `curl -v https://127.0.0.1:8443/index.html --compressed -k`
- browser: [https://127.0.0.1:8443/index.html](https://127.0.0.1:8443/index.html)

49
https-tls/openssl/cert.pem
View File

@ -1,24 +1,29 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEDDCCAnSgAwIBAgIQLu2TV80hCgYgZe18ovEhmzANBgkqhkiG9w0BAQsFADBZ MIIE5jCCAs4CCQD38stb1aoK0DANBgkqhkiG9w0BAQsFADA1MQswCQYDVQQGEwJH
MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExFzAVBgNVBAsMDmh1eXV1 QjESMBAGA1UECgwJQWN0aXggV2ViMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjMw
bWlAcmlyaWthMR4wHAYDVQQDDBVta2NlcnQgaHV5dXVtaUByaXJpa2EwHhcNMTkw NTIyMTI0NzE0WhcNMjQwNTIxMTI0NzE0WjA1MQswCQYDVQQGEwJHQjESMBAGA1UE
NjAxMDAwMDAwWhcNMzAwNTE5MDM0MjI2WjBCMScwJQYDVQQKEx5ta2NlcnQgZGV2 CgwJQWN0aXggV2ViMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEB
ZWxvcG1lbnQgY2VydGlmaWNhdGUxFzAVBgNVBAsMDmh1eXV1bWlAcmlyaWthMIIB AQUAA4ICDwAwggIKAoICAQDQ2GE10EOwS/G6vKO6wZwVXSCu45smiGpxSc4n2fUl
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fRUIbEv2DjBmK7+syGVvh3I PZjGkdr8h0abjdaKDJCIm1I1LvSuZZu7U4d9w5Z9NjfGW0iBWlIV09EUbb5kzq4D
FWDlVjU9N7ypxauQbXPHAzpATzghLnpm5CqQFoTnJwA4//A85775djcVlsAUqen2 dN+ndIm8xjwuQg+8APzrOK/duZbX6Ly1bQiEjHRCCBve3eo8Z5bjRoenfhjVH3VS
ZYi+4jTYeuRLrAJ0dkrUS8/7+T0fGzGZ8obCsII5iSE2BMS7AxbqlQtClDdkNwcK 6Gt48DmYpSRvU38TMefPkXJDgR2SQVd8RLjrkLs/ZWTdyhubIqNyKvFWtt9cUkng
rCuzrmIyMA8Bc2V231xIgcWFJ7en8OaZJRlYYK7kp2cJ8g0PbPnVq+9TAfFYcKEy /aGT4VseT7BUfUACNO3+guOYh0hwI+Sy0/fDgSsQi7mI5WAdhngRa6YZTweVAc3q
FWqJsYYY36bLbWyqYXGMOtAh2bhy+YGYL3Jhk+cw7iMCjye4FbDAIQzt9cH1KGGM yrb3bBgpzuq/nlwccVOiZTowyQ7bxBEDQQdTaEqyWX+v39Gv67GGKpS9pJkyMd8d
2VWZFiwn6VJquX1Z+n9KAhfzxuzYQHSrlJ+Rt++gezpTtNw8q15Ko78oiu7CLQID oTlXL4/mbdfH5TKDlmpmINsA8iQFSVhSPaSDKMMPmckbYRa/xfj6I8zWAATK2sbe
AQABo2cwZTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYD TSQ1/3jw9tkShh2JTuGySg2jvvte3lYGCcCZXdIXqF8kpu8QKlHHQGLrpnA96UO8
VR0TAQH/BAIwADAfBgNVHSMEGDAWgBSljCjB0QNrBG+8BV3nFnUyBn54jjAPBgNV 7XPrcL4ZNY0HDO/SAwAJkbD+9WskxPKE2zFUdeuHdmnWRKln43ipvFv9VwXchQr5
HREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBgQAsUrfA8deCaHYy7wB1jEVK YC023vs2Stz5+QCsJuJK7IAqGL6//xH/jSk9H1erii/CnZWHg0xMhhwrpQfVmJX+
pNZKRNcDKxqr/PXJQlfwwlq1qZTBzloMNTzfVBRkn/I7y+Bj/b1uYFmjQoQ3qG9s ERMSGcOL/iyk4ykDW53WuHIAsw05ofE8cSMpbHiafa4510B9F4G0FxuNh2PKZBqt
tIXFCYOop1cLltmWXC479/UtbEmhz0t+mzK0MFkLhxtbKqwvMGbcGGDFI/2/MGZN XQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQC78jYe15/E5cvuTLl1/0bMMsy0Ppzx
XFZXL1bclFieZxO5ePEkZSDkPcWvh9uYWCp8r7H6aAd/iwH4lDxfajyhDneRmd/v HVklm73eIws6UNbbBA/Z8CQynCqzg4Cs50CSzSjdA4s4qn+O6qrlG07yIOaRz5fP
Mq0PgqTZhVHOP7JdVNA+6cewROyPL7ElLs66ujE9hsRvs6eXLjgLZrHOZShnoQxK Ud4EtL//DJbQpWpYbvd1NmB3Bt6XZVzcShizDn8wEem+xzhSehyTEXlGV9Shoj3G
JJv8UfoE90FX1uDt9w9i3raig/O3oePNkU263kJlR+J1rdVdYV+pCCb7L4Vk+1l3 f86nNWO2qsz6UpmaW4kYG1Y03ZulHWcx01XjAiuyTSoYIlaBhnrWFBLd7u5+f7oU
S4VFVGVHN8x35dISCJwZrtnqPlfpCiLjtEJOu1zJUEY2Q0n7Km3z3zQcs6iCeOQi raLpLyMN5T3a4ixF8vq4Go74h78le+jnWAok9xoUL0a20eEI38nWu5EuJ/ULDE4h
O9MVJ4aiALdNvyCG7lL4+AJ/kWbwHFM6wOAKSrkpZ20msMuEgIlhCOi8PgYlKb+b HQArH1cHl0G+/e0Dr5cMYrU8iXIWZy1/j2Rsc4JeNnYbYfGpV69kMhMh28WGPFqP
V/lV6IJPVrAOOclgcvtfZ/LdsTxn15yLIieqgR0Lf/s= vWQo2BrQLSqeQRKPul348OmSwiSIqTGOZ08K+9yRQVsMEtQc3L2z+a4CTdOF7C+U
exEeHCtpGgcvJOPL63qNoOsARFzuEgjPgghSjWWuPvRsro8408sDt8LGgeCVIcln
KAXsPOADRBKzafS5M70vPj0uvhG9CulHngChBRP6Mt+X9fQhzTP89GS3V58/c8cL
JY8AM0zsHbKuVzVr53cCd4feHmwhNh9ybIfkPPPoTx5WOId03sLgD1YeBXdSJDnY
+qjcQtTcROwhrUW3lH3n6LmgiIAd6xxVg6fRaaWEmfYIGWAUiKTKlj7qTxBbtrZI
5CAz3ZrF2CJVOg==
-----END CERTIFICATE----- -----END CERTIFICATE-----

82
https-tls/openssl/key.pem
View File

@ -1,28 +1,54 @@
-----BEGIN PRIVATE KEY----- -----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDl9FQhsS/YOMGY MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQInyCHbzTA8WQCAggA
rv6zIZW+HcgVYOVWNT03vKnFq5Btc8cDOkBPOCEuembkKpAWhOcnADj/8Dznvvl2 MB0GCWCGSAFlAwQBKgQQKta+YfF+2frxJkClzFIOOQSCCVCZGxUAljkILYi6CLcV
NxWWwBSp6fZliL7iNNh65EusAnR2StRLz/v5PR8bMZnyhsKwgjmJITYExLsDFuqV MFAbqnGYpTLBiGk1PzdnLkC6cXqxwzTMtMRD2ZFziOJOUHJ/8G1RtpyHgyMtgh0d
C0KUN2Q3BwqsK7OuYjIwDwFzZXbfXEiBxYUnt6fw5pklGVhgruSnZwnyDQ9s+dWr yIACeZ1e7aUvGSKA9NAE7yiUvNpm4uUcGJtUwHrnW6dUHaLgJUjFMMf3qVYj4+Sq
71MB8VhwoTIVaomxhhjfpsttbKphcYw60CHZuHL5gZgvcmGT5zDuIwKPJ7gVsMAh Aabrfs1aI+8SZgyhdJ07fjNEwcNjqOZn7jM7CsNDASIqsAOggs35kOdzVpkUgzYi
DO31wfUoYYzZVZkWLCfpUmq5fVn6f0oCF/PG7NhAdKuUn5G376B7OlO03DyrXkqj BSJeMIll2yRy6iAmIvqsWIKHtulsTSC5pL3BTcdOO5ONdjkZSOp1kWmvtpWhVXnQ
vyiK7sItAgMBAAECggEBAIabZmAukz4zwwe4cDm1kC0wy73P8Y9sLMCivJKMYkff bDynwbjCHc1O7PFov2zUdQlMn+dYiICjwZrhCRmwqA96MdYa8AB9MZjkzZJ78x/v
vQBjqd91kN7fIbmwPJYiCBlpZPRU0aIqxWZwyj9rgu0Pmn9G884AdzRAzRcMfNX9 pQCLqhwc41sKX+kwkZVymquSFPPkIRlWkx9AFUeeRtbFfsOqW6GxGxYeCgNc57Ia
6ZXTUsFMCRhnCaHRRsgCAuIFwdQ6wOoHERxb8gZHAm+/vHyaPFz4+D3vmr7NBy+p EfwGBgtKsDUx037foC85LZCYlqS9Q1Fjq/ncp4j56qci7mJDP+B0l8Af48c4Jy1D
fgpdDCGwkltKI73efk6H4oAeyztDwNev/TZ3Y+O3UKuAUfVReBX0us/lYgEf/KXV 91kazVNEG0YYa536mobsfKYsZ7OZocL3b91iZYP/urOpkWLDoozv4GNVgOoh9GSw
USd7envxACy+PDcqmn/HL6IUnbrc1zB92dmSSUUtLjOz//z1zM05ME/E2keMQwsW A7CLXKyFrab9nd19RBBxQQEp9YJ7KJgpvD7st/6TOoZfvFDdZl5aV0U2Hcnx4bdI
7LDen0Lm0Nh6AcOCxmnN4u0lJ3nWzU7PsHJKY/LznPUCgYEA5kQq/AG6LlL9Iu1E k+MMw6TUm663rETVvX3OdealI9HzmyMU4O3zsIPsOvwfdCi82d3BtLhs5qX/Dca3
Y55AB1rkvseof41liaqXVccB5tr55IF75d0wPd6jF04W+x6LwmL6EUYPRGkkOdHE iEMwWlJt85+cPO0MHYykLnCDeKhqenv/y9SzG+B0IfSz2O8sWvnoSpK40Mzac/7+
raz9CDE3a7hWbAghxIwLrI1s+faT5aaHG9o6mTeDyfgEEoBg8X2nQHQJPayDJZcW KOW1+BTGrze9JrNraecgo7lwoiOTc4Uj7z1u3PGYghB7YW1KDGcaWEIYqkYLTExQ
kiXQyHEtj/G4m/Y+WDFXastZz8MCgYEA/6c8+cI3Slvg3CZLG9f6rdAlrOSIQynF 4+XIJcRcPCLasoqeW1ue06/FfMKHrffkbAJ1QY0EK4bfVvThxJdbdvyhkYD+7QTc
muXyVeUaxrU0OPC9H3WEwWv7n4adQU2g0L6TBTdlOOiv5SPIsOPQVN2JZVdxwg0V thefrXSCTsZFDFwn7dI0ldePSadcS1Vyjd7jMiKobBWtvAOIP83FCsuI0E+udDsc
n5+7/WRrI9rAXnmu1x0q1e/TZ9Msggmrn5SdHaEfuug4DnHv4nct356joDwYB2i3 dmv3BajCXPWod218TyzHnXUxjmoqu2WcBnHqY3vizFIxRJuiKkuFauz6h2GRdz3d
xYl+yCSMd08CgYEAqduvOaasiG9/e7w6rqGV6dcK1hDCIxVSyXKloAjlRj5SCFXb nHkAi6cevwifbZ+xK5qU616NS0kUFyBW4Why0irsDL4SBTfXDkhdhLsaFmTeg/9+
53x6kakh9ZcNLMEjp4kLnqJnsLc+mcg7pUHuhZSIpVWdqqN1BV+pXOgWc22JO+bT o59jRmPhqx/Z5YQpvFwKEOUbscENvmNmH8SSRZKyJMDx9FgwafZW/ShkvXciXVBl
05/vigaBmQLzPhKlcH6YWds+1dfkBl6lr7llgfa6/Wv6GlJTOwtqyMSow7ECgYEA 6Mk4qmCpgLX59eVaaqOOolqfbhwmpwqtIBfT1DIlm56J29c6si7YxmDJpDMf1sYP
zGQ8j8ICymRihh/ndL9cH5KGTI/5kRjYb1rgQGQG4E8HDW8LBRfDp5BZf9Tz7L3P 1RdToYPRFaGjw0raGEeKRporVv9tgEM8tCZq1aspeceBnMETYCI4A1vq2JB+wnHt
kJSMnmMHflQqLJxLW4EHkpH7wxYCUQ589z2R4qhiMCw4GFBYxIsBMEGpVxyyPNTW 32qWFzncisdhgZh48LGTOJ9XW77jn2F/XUgxrPS4K2U+RgJS7tMDf6BDO8bgPKRB
baM3afTjlV8LUiEtlHWMK3h9gSIKZAIIytl+jy0JUGkCgYA3wrpcG3wgXeuEtoie K5aKFsMhvg05vXbpywRMXHlbYATiBAitaOhq63Vq3YsjU1T7vxoB/WWvrMi114jJ
ve/kFS5JRaOeV/9OLE2JGaGaumPlN0L14kCVvb6uqLa/P88BwBUxvGQ7FDBdh4sk uidoTCyERmllzOCkwgSP3e2Ei5SRjvvLTI65f5ZSMO20Ti099ASl4czykQAo6fhv
ypuSe9ZPCNDgnsbnfM8QgFqIW6MDdizLtj7no1SKeaUU3JWWc0kH2KWMw/sYZ7ec fJVe3syL4nvBRGTCw8+D93t/8faeIVMxA4mJGFm/uuiXswlWJp/53a8eWAALqrhZ
0tcEInxEd7FbssGfMqF9fQtnNw== TI5FmM/MN+8cd/RgpMLQx9BSb+MZyCHyWERdlKVkM7YWZlf7OOVC7Lmk01Pp8j5Y
-----END PRIVATE KEY----- 48b5wTHX5pc8ZGPGghn029DG4r09BvHOo/b+0de/vB3PnNzWuC/nSSlOUWWYuRTn
/rUBkb5prgMn5sbfQegElC9wjKycAmf9W0Ixhly8KCau7zpynogbgN1plqiR4jSw
Qh0GwxYr6vncveO29l6qBhdF+5X/ly+Eo+emHzmka6n9ujgxR1n2nkhi0zBIRMh8
t7yVp6pTd2lKtNr8B+ph31k7CJCGpSM5YO1+8nkZYqH2XIyZvmxxSCsBN3etLHod
ghjF29MAr5a0ny/d7sTXt3YLoWtIBMdRcV/7m8m5SBd+LR1k/TOdUn0QnuSrqENx
j+NyIgEIQ016G84IIKBE+JzKRgLGCBhZzDMdOaNUOaqWWYRvYj9sWCjNViYPjtnX
iQLNogGSZhedxCCtJabF6yONSmd/1xvT8Gs6e4h2zTUxSDnw+4S4Gegeag2gr6Lg
WGruLrERXvB9hpv7UFkiD7qK8Xm/B/G9v1ZkBqJQLL78s91jStepulFJesvRSD3g
bBFOTZC+DDoSR8EanQINEXX2rA4nBO8PvnX5IIWUAm6t09T40DFnZe3BkYsuxHdU
Od3DySl2GZgXBD7C2zRLhMzi+bbj1nyAVJM0vQRiUaYlDVFj0mVKdFKuhrP0vHDs
Nc+bJ3qBVgemIcnxaeF3db8H5ctBw4l/Jsjx1kz3pw8z5iy1rvcTAYBY8PQCDcOL
Pv6B+AQZrASNsbNIGsPV/hGNcolJWdH+iB7vhl9BjMYWENjCXVjnEQbLehVJVP/A
8yC4SHl899DIdtCcJ0fEGy2B09aA324RRnfMaJWhVW5tuzlvjkzIrcUn5b4rpNbV
JlQXdf5oskxjBxtJ0Q8u/IPmSCA3hyy/JQ6Q0QjhX1ZGIFGpK4RtJAdTxRcOLNM9
+exZlXlrMm84yY86hgM+daBLaLEdKYI72an5hbjGSVk1rhj2iv3oxAHu52GreIgz
ayQbWas5E0Pm0JiMAMNZmHZ/q/RWVDT2kXlpNhwcbHDfduYlW3cJXLmGbV1begBp
vAvyyZglFuUZdnyiVthmEc33a2LfHeRSLrdft9nyhilGekpqiTz8407ckzbIosc0
TxEI9Q93Zjj3kMC1MAtwUCCK3N/7QNQw0vft1SZ/cKNn2zZ7Slzc7HWo3NJkMfAB
39o/M+I80XGL0HUO4uWXrkBh5O9wJpnKcz+jarY5H52if/+NCFdgLo/xDCyKGcr0
c02C3NieX4ZjakKv21yxH57SEVlLr6CDpZJ/YxmMiUdFdg93xp2X3Cwl8tNuwbOG
+KfEbFnzqCxb9BZAT5isezfryXcPyOdcpeERdg8VkcvqYkhS0Rf1uOPYNY5cX16K
Wv0piAT/VbNw/wF4KsB5xIJXeiGG1730grCtQlCRXIlK9LDzm+hmHZ5cwcfgr8RG
TX3gRP9CJn9jJP7Ftq1I2V1sPD4C2Jga5Wr1HomzMRwS36hHBd2wqh29fstYnZZY
BKJnjiF3ep3sPGZ/IB9R1gLIvRcym+o3f40dU3KWII+68BOJz/j6x72cJgZWmGIu
tX90atqzCqFUwgZCtlzzN4BxjlsKLsLOxDE/VlOjlhAcKu7k7CgxBHHFoauMG1l9
HRReC0LmrD91l8GASZ4NVzAGlA==
-----END ENCRYPTED PRIVATE KEY-----

43
https-tls/openssl/src/main.rs
View File

@ -1,25 +1,39 @@
use std::io; use std::{
fs::File,
io::{self, Read as _},
};
use actix_web::{middleware, web, App, Error, HttpRequest, HttpResponse, HttpServer}; use actix_web::{middleware, web, App, Error, HttpRequest, HttpResponse, HttpServer};
use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod}; use openssl::{
pkey::{PKey, Private},
ssl::{SslAcceptor, SslMethod},
};
/// simple handle /// simple handle
async fn index(req: HttpRequest) -> Result<HttpResponse, Error> { async fn index(req: HttpRequest) -> Result<HttpResponse, Error> {
println!("{req:?}"); println!("{req:?}");
Ok(HttpResponse::Ok() Ok(HttpResponse::Ok()
.content_type("text/plain") .content_type("text/plain")
.body("Welcome!")) .body("Hello HTTPS World!"))
} }
#[actix_web::main] #[actix_web::main]
async fn main() -> io::Result<()> { async fn main() -> io::Result<()> {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info")); env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
// load TLS keys // build TLS config from files
let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap(); let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
// set the encrypted private key
builder builder
.set_private_key_file("key.pem", SslFiletype::PEM) .set_private_key(&load_encrypted_private_key())
.unwrap(); .unwrap();
// set the unencrypted private key
// (uncomment if you generate your own key+cert with `mkcert`, and also remove the statement above)
// builder.set_private_key_file("key.pem").unwrap();
// set the certificate chain file location
builder.set_certificate_chain_file("cert.pem").unwrap(); builder.set_certificate_chain_file("cert.pem").unwrap();
log::info!("starting HTTPS server at http://localhost:8443"); log::info!("starting HTTPS server at http://localhost:8443");
@ -28,16 +42,19 @@ async fn main() -> io::Result<()> {
App::new() App::new()
// enable logger // enable logger
.wrap(middleware::Logger::default()) .wrap(middleware::Logger::default())
// register simple handler, handle all methods // simple root handler
.service(web::resource("/index.html").to(index)) .service(web::resource("/").route(web::get().to(index)))
// with path parameters
.service(web::resource("/").route(web::get().to(|| async {
HttpResponse::Found()
.append_header(("LOCATION", "/index.html"))
.finish()
})))
}) })
.bind_openssl("127.0.0.1:8443", builder)? .bind_openssl("127.0.0.1:8443", builder)?
.workers(2)
.run() .run()
.await .await
} }
fn load_encrypted_private_key() -> PKey<Private> {
let mut file = File::open("key.pem").unwrap();
let mut buffer = Vec::new();
file.read_to_end(&mut buffer).expect("Failed to read file");
PKey::private_key_from_pem_passphrase(&buffer, b"password").unwrap()
}