itsi-server 0.1.19 → 0.1.20

data/ext/itsi_acme/src/caches/dir.rs

@@ -0,0 +1,106 @@
+use crate::{AccountCache, CertCache};
+use async_trait::async_trait;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+use ring::digest::{Context, SHA256};
+use std::io::ErrorKind;
+use std::path::Path;
+use tokio::fs;
+
+pub struct DirCache<P: AsRef<Path> + Send + Sync> {
+    inner: P,
+}
+
+impl<P: AsRef<Path> + Send + Sync> DirCache<P> {
+    pub fn new(dir: P) -> Self {
+        Self { inner: dir }
+    }
+    async fn read_if_exist(
+        &self,
+        file: impl AsRef<Path>,
+    ) -> Result<Option<Vec<u8>>, std::io::Error> {
+        let path = self.inner.as_ref().join(file);
+        match fs::read(path).await {
+            Ok(content) => Ok(Some(content)),
+            Err(err) => match err.kind() {
+                ErrorKind::NotFound => Ok(None),
+                _ => Err(err),
+            },
+        }
+    }
+    async fn write(
+        &self,
+        file: impl AsRef<Path>,
+        contents: impl AsRef<[u8]>,
+    ) -> Result<(), std::io::Error> {
+        fs::create_dir_all(&self.inner).await?;
+        let path = self.inner.as_ref().join(file);
+        fs::write(path, contents).await
+    }
+
+    fn cached_account_file_name(contact: &[String], directory_url: impl AsRef<str>) -> String {
+        let mut ctx = Context::new(&SHA256);
+        for el in contact {
+            ctx.update(el.as_ref());
+            ctx.update(&[0])
+        }
+        ctx.update(directory_url.as_ref().as_bytes());
+        let hash = URL_SAFE_NO_PAD.encode(ctx.finish());
+        format!("cached_account_{}", hash)
+    }
+    fn cached_cert_file_name(domains: &[String], directory_url: impl AsRef<str>) -> String {
+        let mut ctx = Context::new(&SHA256);
+        for domain in domains {
+            ctx.update(domain.as_ref());
+            ctx.update(&[0])
+        }
+        ctx.update(directory_url.as_ref().as_bytes());
+        let hash = URL_SAFE_NO_PAD.encode(ctx.finish());
+        format!("cached_cert_{}", hash)
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> CertCache for DirCache<P> {
+    type EC = std::io::Error;
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        let file_name = Self::cached_cert_file_name(domains, directory_url);
+        self.read_if_exist(file_name).await
+    }
+    async fn store_cert(
+        &self,
+        domains: &[String],
+        directory_url: &str,
+        cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        let file_name = Self::cached_cert_file_name(domains, directory_url);
+        self.write(file_name, cert).await
+    }
+}
+
+#[async_trait]
+impl<P: AsRef<Path> + Send + Sync> AccountCache for DirCache<P> {
+    type EA = std::io::Error;
+    async fn load_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        let file_name = Self::cached_account_file_name(contact, directory_url);
+        self.read_if_exist(file_name).await
+    }
+
+    async fn store_account(
+        &self,
+        contact: &[String],
+        directory_url: &str,
+        account: &[u8],
+    ) -> Result<(), Self::EA> {
+        let file_name = Self::cached_account_file_name(contact, directory_url);
+        self.write(file_name, account).await
+    }
+}

data/ext/itsi_acme/src/caches/mod.rs

@@ -0,0 +1,11 @@
+mod boxed;
+mod composite;
+mod dir;
+mod no;
+mod test;
+
+pub use boxed::*;
+pub use composite::*;
+pub use dir::*;
+pub use no::*;
+pub use test::*;

data/ext/itsi_acme/src/caches/no.rs

@@ -0,0 +1,78 @@
+use crate::{AccountCache, CertCache};
+use async_trait::async_trait;
+use std::convert::Infallible;
+use std::fmt::Debug;
+use std::marker::PhantomData;
+use std::sync::atomic::AtomicPtr;
+
+/// No-op cache, which does nothing.
+/// ```rust
+/// # use tokio_rustls_acme::caches::NoCache;
+/// # type EC = std::io::Error;
+/// # type EA = EC;
+/// let no_cache = NoCache::<EC, EA>::new();
+/// ```
+#[derive(Copy, Clone)]
+pub struct NoCache<EC: Debug = Infallible, EA: Debug = Infallible> {
+    _cert_error: PhantomData<AtomicPtr<Box<EC>>>,
+    _account_error: PhantomData<AtomicPtr<Box<EA>>>,
+}
+
+impl<EC: Debug, EA: Debug> Default for NoCache<EC, EA> {
+    fn default() -> Self {
+        Self {
+            _cert_error: Default::default(),
+            _account_error: Default::default(),
+        }
+    }
+}
+
+impl<EC: Debug, EA: Debug> NoCache<EC, EA> {
+    pub fn new() -> Self {
+        Self::default()
+    }
+}
+
+#[async_trait]
+impl<EC: Debug, EA: Debug> CertCache for NoCache<EC, EA> {
+    type EC = EC;
+    async fn load_cert(
+        &self,
+        _domains: &[String],
+        _directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        log::info!("no cert cache configured, could not load certificate");
+        Ok(None)
+    }
+    async fn store_cert(
+        &self,
+        _domains: &[String],
+        _directory_url: &str,
+        _cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        log::info!("no cert cache configured, could not store certificate");
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<EC: Debug, EA: Debug> AccountCache for NoCache<EC, EA> {
+    type EA = EA;
+    async fn load_account(
+        &self,
+        _contact: &[String],
+        _directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        log::info!("no account cache configured, could not load account");
+        Ok(None)
+    }
+    async fn store_account(
+        &self,
+        _contact: &[String],
+        _directory_url: &str,
+        _account: &[u8],
+    ) -> Result<(), Self::EA> {
+        log::info!("no account cache configured, could not store account");
+        Ok(())
+    }
+}

data/ext/itsi_acme/src/caches/test.rs

@@ -0,0 +1,136 @@
+use crate::{AccountCache, CertCache};
+use async_trait::async_trait;
+use rcgen::{
+    date_time_ymd, BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa,
+    KeyUsagePurpose, PKCS_ECDSA_P256_SHA256,
+};
+use std::fmt::Debug;
+use std::marker::PhantomData;
+use std::sync::atomic::AtomicPtr;
+use std::sync::Arc;
+
+/// Test cache, which generates certificates for ACME incompatible test environments.
+/// ```rust
+/// # use tokio_rustls_acme::{AcmeConfig};
+/// # use tokio_rustls_acme::caches::{DirCache, TestCache};
+/// # let test_environment = true;
+/// let mut config = AcmeConfig::new(["example.com"])
+///     .cache(DirCache::new("./cache"));
+/// if test_environment {
+///     config = config.cache(TestCache::new());
+/// }
+/// ```
+#[derive(Clone)]
+pub struct TestCache<EC: Debug = std::io::Error, EA: Debug = std::io::Error> {
+    ca_cert: Arc<rcgen::Certificate>,
+    ca_pem: Arc<String>,
+    ca_key_pair: Arc<rcgen::KeyPair>,
+    _cert_error: PhantomData<AtomicPtr<Box<EC>>>,
+    _account_error: PhantomData<AtomicPtr<Box<EA>>>,
+}
+
+impl<EC: Debug, EA: Debug> Default for TestCache<EC, EA> {
+    fn default() -> Self {
+        let mut params = CertificateParams::default();
+        let mut distinguished_name = DistinguishedName::new();
+        distinguished_name.push(DnType::CountryName, "US");
+        distinguished_name.push(DnType::OrganizationName, "Test CA");
+        distinguished_name.push(DnType::CommonName, "Test CA");
+        params.distinguished_name = distinguished_name;
+
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        params.key_usages = vec![KeyUsagePurpose::KeyCertSign, KeyUsagePurpose::CrlSign];
+        params.not_before = date_time_ymd(2000, 1, 1);
+        params.not_after = date_time_ymd(3000, 1, 1);
+
+        let key_pair = rcgen::KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap();
+        let ca_cert = params.self_signed(&key_pair).unwrap();
+        let ca_pem = ca_cert.pem();
+        Self {
+            ca_cert: ca_cert.into(),
+            ca_key_pair: key_pair.into(),
+            ca_pem: ca_pem.into(),
+            _cert_error: Default::default(),
+            _account_error: Default::default(),
+        }
+    }
+}
+
+impl<EC: Debug, EA: Debug> TestCache<EC, EA> {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    pub fn ca_pem(&self) -> &str {
+        &self.ca_pem
+    }
+}
+
+#[async_trait]
+impl<EC: Debug, EA: Debug> CertCache for TestCache<EC, EA> {
+    type EC = EC;
+    async fn load_cert(
+        &self,
+        domains: &[String],
+        _directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EC> {
+        let key_pair = rcgen::KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap();
+        let mut params = CertificateParams::new(domains).unwrap();
+        let mut distinguished_name = DistinguishedName::new();
+        distinguished_name.push(DnType::CommonName, "Test Cert");
+        params.distinguished_name = distinguished_name;
+        params.not_before = date_time_ymd(2000, 1, 1);
+        params.not_after = date_time_ymd(3000, 1, 1);
+
+        let cert = match params.signed_by(&key_pair, &self.ca_cert, &self.ca_key_pair) {
+            Ok(cert) => cert,
+            Err(err) => {
+                log::error!("test cache: generation error: {:?}", err);
+                return Ok(None);
+            }
+        };
+
+        let cert_pem = cert.pem();
+
+        let pem = [
+            &key_pair.serialize_pem(),
+            "\n",
+            &cert_pem,
+            "\n",
+            &self.ca_pem,
+        ]
+        .concat();
+        Ok(Some(pem.into_bytes()))
+    }
+    async fn store_cert(
+        &self,
+        _domains: &[String],
+        _directory_url: &str,
+        _cert: &[u8],
+    ) -> Result<(), Self::EC> {
+        log::info!("test cache configured, could not store certificate");
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<EC: Debug, EA: Debug> AccountCache for TestCache<EC, EA> {
+    type EA = EA;
+    async fn load_account(
+        &self,
+        _contact: &[String],
+        _directory_url: &str,
+    ) -> Result<Option<Vec<u8>>, Self::EA> {
+        log::info!("test cache configured, could not load account");
+        Ok(None)
+    }
+    async fn store_account(
+        &self,
+        _contact: &[String],
+        _directory_url: &str,
+        _account: &[u8],
+    ) -> Result<(), Self::EA> {
+        log::info!("test cache configured, could not store account");
+        Ok(())
+    }
+}

data/ext/itsi_acme/src/config.rs

@@ -0,0 +1,172 @@
+use crate::acme::{
+    ExternalAccountKey, LETS_ENCRYPT_PRODUCTION_DIRECTORY, LETS_ENCRYPT_STAGING_DIRECTORY,
+};
+use crate::caches::{BoxedErrCache, CompositeCache, NoCache};
+use crate::{AccountCache, Cache, CertCache};
+use crate::{AcmeState, Incoming};
+use futures::Stream;
+use rustls::{ClientConfig, RootCertStore};
+use std::convert::Infallible;
+use std::fmt::Debug;
+use std::sync::Arc;
+use tokio::io::{AsyncRead, AsyncWrite};
+use webpki_roots::TLS_SERVER_ROOTS;
+
+/// Configuration for an ACME resolver.
+///
+/// The type parameters represent the error types for the certificate cache and account cache.
+pub struct AcmeConfig<EC: Debug, EA: Debug = EC> {
+    pub(crate) client_config: Arc<ClientConfig>,
+    pub(crate) directory_url: String,
+    pub(crate) domains: Vec<String>,
+    pub(crate) contact: Vec<String>,
+    pub(crate) cache: Box<dyn Cache<EC = EC, EA = EA>>,
+    pub(crate) eab: Option<ExternalAccountKey>,
+}
+
+impl AcmeConfig<Infallible, Infallible> {
+    /// Creates a new [AcmeConfig] instance.
+    ///
+    /// The new [AcmeConfig] instance will initially have no cache, and its type parameters for
+    /// error types will be `Infallible` since the cache cannot return an error. The methods to set
+    /// a cache will change the error types to match those returned by the supplied cache.
+    ///
+    /// ```rust
+    /// # use tokio_rustls_acme::AcmeConfig;
+    /// use tokio_rustls_acme::caches::DirCache;
+    /// let config = AcmeConfig::new(["example.com"]).cache(DirCache::new("./rustls_acme_cache"));
+    /// ```
+    ///
+    /// Due to limited support for type parameter inference in Rust (see
+    /// [RFC213](https://github.com/rust-lang/rfcs/blob/master/text/0213-defaulted-type-params.md)),
+    /// [AcmeConfig::new] is not (yet) generic over the [AcmeConfig]'s type parameters.
+    /// An uncached instance of [AcmeConfig] with particular type parameters can be created using
+    /// [NoCache].
+    ///
+    /// ```rust
+    /// # use tokio_rustls_acme::AcmeConfig;
+    /// use tokio_rustls_acme::caches::NoCache;
+    /// # type EC = std::io::Error;
+    /// # type EA = EC;
+    /// let config: AcmeConfig<EC, EA> = AcmeConfig::new(["example.com"]).cache(NoCache::new());
+    /// ```
+    ///
+    pub fn new(domains: impl IntoIterator<Item = impl AsRef<str>>) -> Self {
+        let mut root_store = RootCertStore::empty();
+        root_store.extend(
+            TLS_SERVER_ROOTS
+                .iter()
+                .map(|ta| rustls::pki_types::TrustAnchor {
+                    subject: ta.subject.clone(),
+                    subject_public_key_info: ta.subject_public_key_info.clone(),
+                    name_constraints: ta.name_constraints.clone(),
+                }),
+        );
+        let client_config = Arc::new(
+            ClientConfig::builder()
+                .with_root_certificates(root_store)
+                .with_no_client_auth(),
+        );
+        AcmeConfig {
+            client_config,
+            directory_url: LETS_ENCRYPT_STAGING_DIRECTORY.into(),
+            domains: domains.into_iter().map(|s| s.as_ref().into()).collect(),
+            contact: vec![],
+            cache: Box::new(NoCache::new()),
+            eab: None,
+        }
+    }
+}
+
+impl<EC: 'static + Debug, EA: 'static + Debug> AcmeConfig<EC, EA> {
+    /// Set custom `rustls::ClientConfig` for ACME API calls.
+    pub fn client_tls_config(mut self, client_config: Arc<ClientConfig>) -> Self {
+        self.client_config = client_config;
+        self
+    }
+    pub fn directory(mut self, directory_url: impl AsRef<str>) -> Self {
+        self.directory_url = directory_url.as_ref().into();
+        self
+    }
+    pub fn directory_lets_encrypt(mut self, production: bool) -> Self {
+        self.directory_url = match production {
+            true => LETS_ENCRYPT_PRODUCTION_DIRECTORY,
+            false => LETS_ENCRYPT_STAGING_DIRECTORY,
+        }
+        .into();
+        self
+    }
+    pub fn domains(mut self, contact: impl IntoIterator<Item = impl AsRef<str>>) -> Self {
+        self.domains = contact.into_iter().map(|s| s.as_ref().into()).collect();
+        self
+    }
+    pub fn domains_push(mut self, contact: impl AsRef<str>) -> Self {
+        self.domains.push(contact.as_ref().into());
+        self
+    }
+
+    pub fn external_account_binding(mut self, kid: impl AsRef<str>, key: impl AsRef<[u8]>) -> Self {
+        self.eab = Some(ExternalAccountKey::new(kid.as_ref().into(), key.as_ref()));
+        self
+    }
+
+    /// Provide a list of contacts for the account.
+    ///
+    /// Note that email addresses must include a `mailto:` prefix.
+    pub fn contact(mut self, contact: impl IntoIterator<Item = impl AsRef<str>>) -> Self {
+        self.contact = contact.into_iter().map(|s| s.as_ref().into()).collect();
+        self
+    }
+
+    /// Provide a contact for the account.
+    ///
+    /// Note that an email address must include a `mailto:` prefix.
+    pub fn contact_push(mut self, contact: impl AsRef<str>) -> Self {
+        self.contact.push(contact.as_ref().into());
+        self
+    }
+
+    pub fn cache<C: 'static + Cache>(self, cache: C) -> AcmeConfig<C::EC, C::EA> {
+        AcmeConfig {
+            client_config: self.client_config,
+            directory_url: self.directory_url,
+            domains: self.domains,
+            contact: self.contact,
+            cache: Box::new(cache),
+            eab: self.eab,
+        }
+    }
+    pub fn cache_compose<CC: 'static + CertCache, CA: 'static + AccountCache>(
+        self,
+        cert_cache: CC,
+        account_cache: CA,
+    ) -> AcmeConfig<CC::EC, CA::EA> {
+        self.cache(CompositeCache::new(cert_cache, account_cache))
+    }
+    pub fn cache_with_boxed_err<C: 'static + Cache>(self, cache: C) -> AcmeConfig<Box<dyn Debug>> {
+        self.cache(BoxedErrCache::new(cache))
+    }
+    pub fn cache_option<C: 'static + Cache>(self, cache: Option<C>) -> AcmeConfig<C::EC, C::EA> {
+        match cache {
+            Some(cache) => self.cache(cache),
+            None => self.cache(NoCache::<C::EC, C::EA>::new()),
+        }
+    }
+    pub fn state(self) -> AcmeState<EC, EA> {
+        AcmeState::new(self)
+    }
+    /// Turn a stream of TCP connections into a stream of TLS connections.
+    ///
+    /// Specify supported protocol names in `alpn_protocols`, most preferred first. If emtpy (`Vec::new()`), we don't do ALPN.
+    pub fn incoming<
+        TCP: AsyncRead + AsyncWrite + Unpin,
+        ETCP,
+        ITCP: Stream<Item = Result<TCP, ETCP>> + Unpin,
+    >(
+        self,
+        tcp_incoming: ITCP,
+        alpn_protocols: Vec<Vec<u8>>,
+    ) -> Incoming<TCP, ETCP, ITCP, EC, EA> {
+        self.state().incoming(tcp_incoming, alpn_protocols)
+    }
+}

data/ext/itsi_acme/src/https_helper.rs

@@ -0,0 +1,69 @@
+use rustls::{pki_types::InvalidDnsNameError, ClientConfig};
+use thiserror::Error;
+
+pub use reqwest::Response;
+
+#[derive(Copy, Clone)]
+pub enum Method {
+    Post,
+    Get,
+    Head,
+}
+
+impl From<Method> for reqwest::Method {
+    fn from(m: Method) -> Self {
+        match m {
+            Method::Post => reqwest::Method::POST,
+            Method::Get => reqwest::Method::GET,
+            Method::Head => reqwest::Method::HEAD,
+        }
+    }
+}
+
+pub(crate) async fn https(
+    client_config: &ClientConfig,
+    url: impl AsRef<str>,
+    method: Method,
+    body: Option<String>,
+) -> Result<Response, HttpsRequestError> {
+    let method: reqwest::Method = method.into();
+    let client = reqwest::ClientBuilder::new()
+        .use_preconfigured_tls(client_config.clone())
+        .build()?;
+    let mut request = client.request(method, url.as_ref());
+    if let Some(body) = body {
+        request = request
+            .body(body)
+            .header("Content-Type", "application/jose+json");
+    }
+
+    let response = request.send().await?;
+    let status = response.status();
+    if !status.is_success() {
+        return Err(HttpsRequestError::Non2xxStatus {
+            status_code: status.into(),
+            body: response.text().await?,
+        });
+    }
+    Ok(response)
+}
+
+impl From<reqwest::Error> for HttpsRequestError {
+    fn from(e: reqwest::Error) -> Self {
+        Self::Http(e.into())
+    }
+}
+
+#[derive(Error, Debug)]
+pub enum HttpsRequestError {
+    #[error("io error: {0:?}")]
+    Io(#[from] std::io::Error),
+    #[error("invalid dns name: {0:?}")]
+    InvalidDnsName(#[from] InvalidDnsNameError),
+    #[error("http error: {0:?}")]
+    Http(Box<dyn std::error::Error + Send + Sync + 'static>),
+    #[error("non 2xx http status: {status_code} {body:?}")]
+    Non2xxStatus { status_code: u16, body: String },
+    #[error("could not determine host from url")]
+    UndefinedHost,
+}