1
0
mirror of https://github.com/actix/examples synced 2024-11-30 17:14:35 +01:00

Rustls client cert (#510)

This commit is contained in:
Christopher Gubbin 2022-01-29 16:51:49 +00:00 committed by GitHub
parent c2b5d89ea6
commit d25f75b09d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 14 deletions

View File

@ -5,8 +5,9 @@ authors = ["Rob Ede <robjtede@icloud.com>"]
edition = "2018" edition = "2018"
[dependencies] [dependencies]
actix-tls = "2" actix-tls = "3.0"
actix-web = { version = "3.2", features = ["rustls"] } actix-web = { version = "4.0.0-beta.21", features = ["rustls"] }
env_logger = "0.8" env_logger = "0.9"
log = "0.4" log = "0.4"
rustls = "0.18" rustls = "0.20.2"
rustls-pemfile = "0.2.1"

View File

@ -3,15 +3,17 @@
use std::{any::Any, env, fs::File, io::BufReader, net::SocketAddr}; use std::{any::Any, env, fs::File, io::BufReader, net::SocketAddr};
use actix_tls::rustls::{ServerConfig, TlsStream}; use actix_tls::accept::rustls::reexports::ServerConfig;
use actix_tls::accept::rustls::TlsStream;
use actix_web::{ use actix_web::{
dev::Extensions, rt::net::TcpStream, web, App, HttpResponse, HttpServer, Responder, dev::Extensions, rt::net::TcpStream, web, App, HttpResponse, HttpServer, Responder,
}; };
use log::info; use log::info;
use rustls::{ use rustls::{
internal::pemfile::{certs, pkcs8_private_keys}, server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey,
AllowAnyAnonymousOrAuthenticatedClient, Certificate, RootCertStore, Session, RootCertStore,
}; };
use rustls_pemfile::{certs, pkcs8_private_keys};
const CA_CERT: &str = "certs/rootCA.pem"; const CA_CERT: &str = "certs/rootCA.pem";
const SERVER_CERT: &str = "certs/server-cert.pem"; const SERVER_CERT: &str = "certs/server-cert.pem";
@ -47,11 +49,11 @@ fn get_client_cert(connection: &dyn Any, data: &mut Extensions) {
ttl: socket.ttl().ok(), ttl: socket.ttl().ok(),
}); });
if let Some(mut certs) = tls_session.get_peer_certificates() { if let Some(certs) = tls_session.peer_certificates() {
info!("client certificate found"); info!("client certificate found");
// insert a `rustls::Certificate` into request data // insert a `rustls::Certificate` into request data
data.insert(certs.pop().unwrap()); data.insert(certs.last().unwrap().clone());
} }
} else if let Some(socket) = connection.downcast_ref::<TcpStream>() { } else if let Some(socket) = connection.downcast_ref::<TcpStream>() {
info!("plaintext on_connect"); info!("plaintext on_connect");
@ -78,21 +80,33 @@ async fn main() -> std::io::Result<()> {
// import CA cert // import CA cert
let ca_cert = &mut BufReader::new(File::open(CA_CERT)?); let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
let ca_cert = Certificate(certs(ca_cert).unwrap()[0].clone());
cert_store cert_store
.add_pem_file(ca_cert) .add(&ca_cert)
.expect("root CA not added to store"); .expect("root CA not added to store");
// set up client authentication requirements // set up client authentication requirements
let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store); let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);
let mut config = ServerConfig::new(client_auth); let config = ServerConfig::builder()
.with_safe_defaults()
.with_client_cert_verifier(client_auth);
// import server cert and key // import server cert and key
let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?); let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
let key_file = &mut BufReader::new(File::open(SERVER_KEY)?); let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
let cert_chain = certs(cert_file).unwrap(); let cert_chain = certs(cert_file)
let mut keys = pkcs8_private_keys(key_file).unwrap(); .unwrap()
config.set_single_cert(cert_chain, keys.remove(0)).unwrap(); .into_iter()
.map(Certificate)
.collect();
let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)
.unwrap()
.into_iter()
.map(PrivateKey)
.collect();
let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
// start server // start server
HttpServer::new(|| App::new().default_service(web::to(route_whoami))) HttpServer::new(|| App::new().default_service(web::to(route_whoami)))