mirror of
https://github.com/actix/examples
synced 2024-11-30 17:14:35 +01:00
Rustls client cert (#510)
This commit is contained in:
parent
c2b5d89ea6
commit
d25f75b09d
@ -5,8 +5,9 @@ authors = ["Rob Ede <robjtede@icloud.com>"]
|
|||||||
edition = "2018"
|
edition = "2018"
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
actix-tls = "2"
|
actix-tls = "3.0"
|
||||||
actix-web = { version = "3.2", features = ["rustls"] }
|
actix-web = { version = "4.0.0-beta.21", features = ["rustls"] }
|
||||||
env_logger = "0.8"
|
env_logger = "0.9"
|
||||||
log = "0.4"
|
log = "0.4"
|
||||||
rustls = "0.18"
|
rustls = "0.20.2"
|
||||||
|
rustls-pemfile = "0.2.1"
|
@ -3,15 +3,17 @@
|
|||||||
|
|
||||||
use std::{any::Any, env, fs::File, io::BufReader, net::SocketAddr};
|
use std::{any::Any, env, fs::File, io::BufReader, net::SocketAddr};
|
||||||
|
|
||||||
use actix_tls::rustls::{ServerConfig, TlsStream};
|
use actix_tls::accept::rustls::reexports::ServerConfig;
|
||||||
|
use actix_tls::accept::rustls::TlsStream;
|
||||||
use actix_web::{
|
use actix_web::{
|
||||||
dev::Extensions, rt::net::TcpStream, web, App, HttpResponse, HttpServer, Responder,
|
dev::Extensions, rt::net::TcpStream, web, App, HttpResponse, HttpServer, Responder,
|
||||||
};
|
};
|
||||||
use log::info;
|
use log::info;
|
||||||
use rustls::{
|
use rustls::{
|
||||||
internal::pemfile::{certs, pkcs8_private_keys},
|
server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey,
|
||||||
AllowAnyAnonymousOrAuthenticatedClient, Certificate, RootCertStore, Session,
|
RootCertStore,
|
||||||
};
|
};
|
||||||
|
use rustls_pemfile::{certs, pkcs8_private_keys};
|
||||||
|
|
||||||
const CA_CERT: &str = "certs/rootCA.pem";
|
const CA_CERT: &str = "certs/rootCA.pem";
|
||||||
const SERVER_CERT: &str = "certs/server-cert.pem";
|
const SERVER_CERT: &str = "certs/server-cert.pem";
|
||||||
@ -47,11 +49,11 @@ fn get_client_cert(connection: &dyn Any, data: &mut Extensions) {
|
|||||||
ttl: socket.ttl().ok(),
|
ttl: socket.ttl().ok(),
|
||||||
});
|
});
|
||||||
|
|
||||||
if let Some(mut certs) = tls_session.get_peer_certificates() {
|
if let Some(certs) = tls_session.peer_certificates() {
|
||||||
info!("client certificate found");
|
info!("client certificate found");
|
||||||
|
|
||||||
// insert a `rustls::Certificate` into request data
|
// insert a `rustls::Certificate` into request data
|
||||||
data.insert(certs.pop().unwrap());
|
data.insert(certs.last().unwrap().clone());
|
||||||
}
|
}
|
||||||
} else if let Some(socket) = connection.downcast_ref::<TcpStream>() {
|
} else if let Some(socket) = connection.downcast_ref::<TcpStream>() {
|
||||||
info!("plaintext on_connect");
|
info!("plaintext on_connect");
|
||||||
@ -78,21 +80,33 @@ async fn main() -> std::io::Result<()> {
|
|||||||
|
|
||||||
// import CA cert
|
// import CA cert
|
||||||
let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
|
let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
|
||||||
|
let ca_cert = Certificate(certs(ca_cert).unwrap()[0].clone());
|
||||||
|
|
||||||
cert_store
|
cert_store
|
||||||
.add_pem_file(ca_cert)
|
.add(&ca_cert)
|
||||||
.expect("root CA not added to store");
|
.expect("root CA not added to store");
|
||||||
|
|
||||||
// set up client authentication requirements
|
// set up client authentication requirements
|
||||||
let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);
|
let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);
|
||||||
let mut config = ServerConfig::new(client_auth);
|
let config = ServerConfig::builder()
|
||||||
|
.with_safe_defaults()
|
||||||
|
.with_client_cert_verifier(client_auth);
|
||||||
|
|
||||||
// import server cert and key
|
// import server cert and key
|
||||||
let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
|
let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
|
||||||
let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
|
let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
|
||||||
|
|
||||||
let cert_chain = certs(cert_file).unwrap();
|
let cert_chain = certs(cert_file)
|
||||||
let mut keys = pkcs8_private_keys(key_file).unwrap();
|
.unwrap()
|
||||||
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
|
.into_iter()
|
||||||
|
.map(Certificate)
|
||||||
|
.collect();
|
||||||
|
let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)
|
||||||
|
.unwrap()
|
||||||
|
.into_iter()
|
||||||
|
.map(PrivateKey)
|
||||||
|
.collect();
|
||||||
|
let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
|
||||||
|
|
||||||
// start server
|
// start server
|
||||||
HttpServer::new(|| App::new().default_service(web::to(route_whoami)))
|
HttpServer::new(|| App::new().default_service(web::to(route_whoami)))
|
||||||
|
Loading…
Reference in New Issue
Block a user