itsi-server 0.1.19 → 0.1.20

data/ext/itsi_acme/src/incoming.rs

@@ -0,0 +1,142 @@
+use crate::acceptor::{AcmeAccept, AcmeAcceptor};
+use crate::AcmeState;
+use futures::stream::{FusedStream, FuturesUnordered};
+use futures::Stream;
+use rustls::ServerConfig;
+use std::fmt::Debug;
+use std::pin::Pin;
+use std::sync::Arc;
+use std::task::{Context, Poll};
+use tokio::io::{AsyncRead, AsyncWrite};
+use tokio_rustls::{server::TlsStream, Accept};
+
+pub struct Incoming<
+    TCP: AsyncRead + AsyncWrite + Unpin,
+    ETCP,
+    ITCP: Stream<Item = Result<TCP, ETCP>> + Unpin,
+    EC: Debug + 'static,
+    EA: Debug + 'static,
+> {
+    state: AcmeState<EC, EA>,
+    acceptor: AcmeAcceptor,
+    rustls_config: Arc<ServerConfig>,
+    tcp_incoming: Option<ITCP>,
+    acme_accepting: FuturesUnordered<AcmeAccept<TCP>>,
+    tls_accepting: FuturesUnordered<Accept<TCP>>,
+}
+
+impl<
+        TCP: AsyncRead + AsyncWrite + Unpin,
+        ETCP,
+        ITCP: Stream<Item = Result<TCP, ETCP>> + Unpin,
+        EC: Debug + 'static,
+        EA: Debug + 'static,
+    > Unpin for Incoming<TCP, ETCP, ITCP, EC, EA>
+{
+}
+
+impl<
+        TCP: AsyncRead + AsyncWrite + Unpin,
+        ETCP,
+        ITCP: Stream<Item = Result<TCP, ETCP>> + Unpin,
+        EC: Debug + 'static,
+        EA: Debug + 'static,
+    > Incoming<TCP, ETCP, ITCP, EC, EA>
+{
+    pub fn new(
+        tcp_incoming: ITCP,
+        state: AcmeState<EC, EA>,
+        acceptor: AcmeAcceptor,
+        alpn_protocols: Vec<Vec<u8>>,
+    ) -> Self {
+        let mut config = ServerConfig::builder()
+            .with_no_client_auth()
+            .with_cert_resolver(state.resolver());
+        config.alpn_protocols = alpn_protocols;
+        Self {
+            state,
+            acceptor,
+            rustls_config: Arc::new(config),
+            tcp_incoming: Some(tcp_incoming),
+            acme_accepting: FuturesUnordered::new(),
+            tls_accepting: FuturesUnordered::new(),
+        }
+    }
+}
+
+impl<
+        TCP: AsyncRead + AsyncWrite + Unpin,
+        ETCP,
+        ITCP: Stream<Item = Result<TCP, ETCP>> + Unpin,
+        EC: Debug + 'static,
+        EA: Debug + 'static,
+    > Stream for Incoming<TCP, ETCP, ITCP, EC, EA>
+{
+    type Item = Result<TlsStream<TCP>, ETCP>;
+
+    fn poll_next(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Option<Self::Item>> {
+        loop {
+            match Pin::new(&mut self.state).poll_next(cx) {
+                Poll::Ready(Some(event)) => {
+                    match event {
+                        Ok(ok) => log::info!("event: {:?}", ok),
+                        Err(err) => log::error!("event: {:?}", err),
+                    }
+                    continue;
+                }
+                Poll::Ready(None) => unreachable!(),
+                Poll::Pending => {}
+            }
+            match Pin::new(&mut self.acme_accepting).poll_next(cx) {
+                Poll::Ready(Some(Ok(Some(tls)))) => self
+                    .tls_accepting
+                    .push(tls.into_stream(self.rustls_config.clone())),
+                Poll::Ready(Some(Ok(None))) => {
+                    log::info!("received TLS-ALPN-01 validation request");
+                    continue;
+                }
+                Poll::Ready(Some(Err(err))) => {
+                    log::error!("tls accept failed, {:?}", err);
+                    continue;
+                }
+                Poll::Ready(None) | Poll::Pending => {}
+            }
+            match Pin::new(&mut self.tls_accepting).poll_next(cx) {
+                Poll::Ready(Some(Ok(tls))) => return Poll::Ready(Some(Ok(tls))),
+                Poll::Ready(Some(Err(err))) => {
+                    log::error!("tls accept failed, {:?}", err);
+                    continue;
+                }
+                Poll::Ready(None) | Poll::Pending => {}
+            }
+            let tcp_incoming = match &mut self.tcp_incoming {
+                Some(tcp_incoming) => tcp_incoming,
+                None => match self.is_terminated() {
+                    true => return Poll::Ready(None),
+                    false => return Poll::Pending,
+                },
+            };
+            match Pin::new(tcp_incoming).poll_next(cx) {
+                Poll::Ready(Some(Ok(tcp))) => self.acme_accepting.push(self.acceptor.accept(tcp)),
+                Poll::Ready(Some(Err(err))) => return Poll::Ready(Some(Err(err))),
+                Poll::Ready(None) => drop(self.tcp_incoming.as_mut()),
+                Poll::Pending => return Poll::Pending,
+            }
+        }
+    }
+}
+
+impl<
+        TCP: AsyncRead + AsyncWrite + Unpin,
+        ETCP,
+        ITCP: Stream<Item = Result<TCP, ETCP>> + Unpin,
+        EC: Debug + 'static,
+        EA: Debug + 'static,
+    > FusedStream for Incoming<TCP, ETCP, ITCP, EC, EA>
+{
+    fn is_terminated(&self) -> bool {
+        self.tcp_incoming.is_none()
+            && self.acme_accepting.is_terminated()
+            && self.tls_accepting.is_terminated()
+    }
+}

data/ext/itsi_acme/src/jose.rs

@@ -0,0 +1,161 @@
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+use ring::digest::{digest, Digest, SHA256};
+use ring::rand::SystemRandom;
+use ring::signature::{EcdsaKeyPair, KeyPair};
+use serde::Serialize;
+use thiserror::Error;
+
+pub(crate) fn sign(
+    key: &EcdsaKeyPair,
+    kid: Option<&str>,
+    nonce: String,
+    url: &str,
+    payload: &str,
+) -> Result<String, JoseError> {
+    let jwk = match kid {
+        None => Some(Jwk::new(key)),
+        Some(_) => None,
+    };
+    let protected = Protected::base64(jwk, kid, Some(nonce.as_ref()), url)?;
+    let payload = URL_SAFE_NO_PAD.encode(payload);
+    let combined = format!("{}.{}", &protected, &payload);
+    let signature = key.sign(&SystemRandom::new(), combined.as_bytes())?;
+    let signature = URL_SAFE_NO_PAD.encode(signature.as_ref());
+    let body = Body {
+        protected,
+        payload,
+        signature,
+    };
+    Ok(serde_json::to_string(&body)?)
+}
+
+pub(crate) fn sign_eab(
+    key: &EcdsaKeyPair,
+    eab_key: &ring::hmac::Key,
+    kid: &str,
+    url: &str,
+) -> Result<Body, JoseError> {
+    let protected = Protected::hmac_base64(kid, url)?;
+    let payload = URL_SAFE_NO_PAD.encode(serde_json::to_vec(&Jwk::new(key))?);
+    let combined = format!("{}.{}", &protected, &payload);
+    let signature = ring::hmac::sign(eab_key, combined.as_bytes());
+    let signature = URL_SAFE_NO_PAD.encode(signature.as_ref());
+    let body = Body {
+        protected,
+        payload,
+        signature,
+    };
+    Ok(body)
+}
+
+pub(crate) fn key_authorization_sha256(
+    key: &EcdsaKeyPair,
+    token: &str,
+) -> Result<Digest, JoseError> {
+    let jwk = Jwk::new(key);
+    let key_authorization = format!("{}.{}", token, jwk.thumb_sha256_base64()?);
+    Ok(digest(&SHA256, key_authorization.as_bytes()))
+}
+
+#[derive(Serialize)]
+pub(crate) struct Body {
+    protected: String,
+    payload: String,
+    signature: String,
+}
+
+#[derive(Serialize)]
+struct Protected<'a> {
+    alg: &'static str,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    jwk: Option<Jwk>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    kid: Option<&'a str>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    nonce: Option<&'a str>,
+    url: &'a str,
+}
+
+impl<'a> Protected<'a> {
+    fn base64(
+        jwk: Option<Jwk>,
+        kid: Option<&'a str>,
+        nonce: Option<&'a str>,
+        url: &'a str,
+    ) -> Result<String, JoseError> {
+        let protected = Self {
+            alg: "ES256",
+            jwk,
+            kid,
+            nonce,
+            url,
+        };
+        let protected = serde_json::to_vec(&protected)?;
+        Ok(URL_SAFE_NO_PAD.encode(protected))
+    }
+
+    fn hmac_base64(kid: &'a str, url: &'a str) -> Result<String, JoseError> {
+        let protected = Self {
+            alg: "HS256",
+            jwk: None,
+            kid: Some(kid),
+            nonce: None,
+            url,
+        };
+        let protected = serde_json::to_vec(&protected)?;
+        Ok(URL_SAFE_NO_PAD.encode(protected))
+    }
+}
+
+#[derive(Serialize)]
+struct Jwk {
+    alg: &'static str,
+    crv: &'static str,
+    kty: &'static str,
+    #[serde(rename = "use")]
+    u: &'static str,
+    x: String,
+    y: String,
+}
+
+impl Jwk {
+    pub(crate) fn new(key: &EcdsaKeyPair) -> Self {
+        let (x, y) = key.public_key().as_ref()[1..].split_at(32);
+        Self {
+            alg: "ES256",
+            crv: "P-256",
+            kty: "EC",
+            u: "sig",
+            x: URL_SAFE_NO_PAD.encode(x),
+            y: URL_SAFE_NO_PAD.encode(y),
+        }
+    }
+    pub(crate) fn thumb_sha256_base64(&self) -> Result<String, JoseError> {
+        let jwk_thumb = JwkThumb {
+            crv: self.crv,
+            kty: self.kty,
+            x: &self.x,
+            y: &self.y,
+        };
+        let json = serde_json::to_vec(&jwk_thumb)?;
+        let hash = digest(&SHA256, &json);
+        Ok(URL_SAFE_NO_PAD.encode(hash))
+    }
+}
+
+#[derive(Serialize)]
+struct JwkThumb<'a> {
+    crv: &'a str,
+    kty: &'a str,
+    x: &'a str,
+    y: &'a str,
+}
+
+#[derive(Error, Debug)]
+pub enum JoseError {
+    #[error("json serialization failed: {0}")]
+    Json(#[from] serde_json::Error),
+    #[error("crypto error: {0}")]
+    Crypto(#[from] ring::error::Unspecified),
+}

data/ext/itsi_acme/src/lib.rs

@@ -0,0 +1,142 @@
+//! An easy-to-use, async compatible [ACME] client library using [rustls] with [ring].
+//! The validation mechanism used is tls-alpn-01, which allows serving acme challenge responses and
+//! regular TLS traffic on the same port.
+//!
+//! Is designed to use the tokio runtime, if you need support for other runtimes take a look
+//! at the original implementation [rustls-acme](https://github.com/FlorianUekermann/rustls-acme).
+//!
+//! No persistent tasks are spawned under the hood and the certificate acquisition/renewal process
+//! is folded into the streams and futures being polled by the library user.
+//!
+//! The goal is to provide a [Let's Encrypt](https://letsencrypt.org/) compatible TLS serving and
+//! certificate management using a simple and flexible stream based API.
+//!
+//! This crate uses [ring] as [rustls]'s backend, instead of [aws-lc-rs]. This generally makes it
+//! much easier to compile. If you'd like to use [aws-lc-rs] as [rustls]'s backend, we're open to
+//! contributions with the necessary `Cargo.toml` changes and feature-flags to enable you to do so.
+//!
+//! To use tokio-rustls-acme add the following lines to your `Cargo.toml`:
+//!
+//! ```toml
+//! [dependencies]
+//! tokio-rustls-acme = "*"
+//! ```
+//!
+//! ## High-level API
+//!
+//! The high-level API consists of a single stream [Incoming] of incoming TLS connection.
+//! Polling the next future of the stream takes care of acquisition and renewal of certificates, as
+//! well as accepting TLS connections, which are handed over to the caller on success.
+//!
+//! ```rust,no_run
+//! use tokio::io::AsyncWriteExt;
+//! use futures::StreamExt;
+//! use tokio_rustls_acme::{AcmeConfig, caches::DirCache};
+//! use tokio_stream::wrappers::TcpListenerStream;
+//!
+//! #[tokio::main]
+//! async fn main() {
+//!     simple_logger::init_with_level(log::Level::Info).unwrap();
+//!
+//!     let tcp_listener = tokio::net::TcpListener::bind("[::]:443").await.unwrap();
+//!     let tcp_incoming = TcpListenerStream::new(tcp_listener);
+//!
+//!     let mut tls_incoming = AcmeConfig::new(["example.com"])
+//!         .contact_push("mailto:admin@example.com")
+//!         .cache(DirCache::new("./rustls_acme_cache"))
+//!         .incoming(tcp_incoming, Vec::new());
+//!
+//!     while let Some(tls) = tls_incoming.next().await {
+//!         let mut tls = tls.unwrap();
+//!         tokio::spawn(async move {
+//!             tls.write_all(HELLO).await.unwrap();
+//!             tls.shutdown().await.unwrap();
+//!         });
+//!     }
+//! }
+//!
+//! const HELLO: &'static [u8] = br#"HTTP/1.1 200 OK
+//! Content-Length: 11
+//! Content-Type: text/plain; charset=utf-8
+//!
+//! Hello Tls!"#;
+//! ```
+//!
+//! `examples/high_level.rs` implements a "Hello Tls!" server similar to the one above, which accepts
+//! domain, port and cache directory parameters.
+//!
+//! Note that all examples use the let's encrypt staging directory by default.
+//! The production directory imposes strict rate limits, which are easily exhausted accidentally
+//! during testing and development.
+//! For testing with the staging directory you may open `https://<your domain>:<port>` in a browser
+//! that allows TLS connections to servers signed by an untrusted CA (in Firefox click "Advanced..."
+//! -> "Accept the Risk and Continue").
+//!
+//! ## Low-level Rustls API
+//!
+//! For users who may want to interact with [rustls] or [tokio_rustls]
+//! directly, the library exposes the underlying certificate management [AcmeState] as well as a
+//! matching resolver [ResolvesServerCertAcme] which implements the [rustls::server::ResolvesServerCert] trait.
+//! See the server_low_level example on how to use the low-level API directly with [tokio_rustls].
+//!
+//! ## Account and certificate caching
+//!
+//! A production server using the let's encrypt production directory must implement both account and
+//! certificate caching to avoid exhausting the let's encrypt API rate limits.
+//! A file based cache using a cache directory is provided by [caches::DirCache].
+//! Caches backed by other persistence layers may be implemented using the [Cache] trait,
+//! or the underlying [CertCache], [AccountCache] traits (contributions welcome).
+//! [caches::CompositeCache] provides a wrapper to combine two implementors of [CertCache] and
+//! [AccountCache] into a single [Cache].
+//!
+//! Note, that the error type parameters of the cache carries over to some other types in this
+//! crate via the [AcmeConfig] they are added to.
+//! If you want to avoid different specializations based on cache type use the
+//! [AcmeConfig::cache_with_boxed_err] method to construct the an [AcmeConfig] object.
+//!
+//!
+//! ## The acme module
+//!
+//! The underlying implementation of an async acme client may be useful to others and is exposed as
+//! a module. It is incomplete (contributions welcome) and not covered by any stability
+//! promises.
+//!
+//! ## Special thanks
+//!
+//! This crate was inspired by the [autocert](https://golang.org/x/crypto/acme/autocert/)
+//! package for [Go](https://golang.org).
+//!
+//! The original implementation of this crate can be found at [FlorianUekermann/rustls-acme](https://github.com/FlorianUekermann/rustls-acme/commits/main), this is just a version focused on supporting only tokio.
+//!
+//! This crate also builds on the excellent work of the authors of
+//! [rustls],
+//! [tokio-rustls](https://github.com/tokio-rs/tls/tree/master/tokio-rustls) and many others.
+//!
+//! [ACME]: https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment
+//! [ring]: https://github.com/briansmith/ring
+//! [rustls]: https://github.com/ctz/rustls
+//! [aws-lc-rs]: https://github.com/aws/aws-lc-rs
+
+#![cfg_attr(docsrs, feature(doc_auto_cfg))]
+
+mod acceptor;
+pub mod acme;
+#[cfg(feature = "axum")]
+pub mod axum;
+mod cache;
+pub mod caches;
+mod config;
+mod https_helper;
+mod incoming;
+mod jose;
+mod resolver;
+mod state;
+
+pub use tokio_rustls;
+
+pub use acceptor::*;
+pub use cache::*;
+pub use config::*;
+pub use incoming::*;
+pub use resolver::*;
+pub use state::*;

data/ext/itsi_acme/src/resolver.rs

@@ -0,0 +1,59 @@
+use crate::acme::ACME_TLS_ALPN_NAME;
+use rustls::server::{ClientHello, ResolvesServerCert};
+use rustls::sign::CertifiedKey;
+use std::collections::BTreeMap;
+use std::sync::Arc;
+use std::sync::Mutex;
+
+#[derive(Debug)]
+pub struct ResolvesServerCertAcme {
+    inner: Mutex<Inner>,
+}
+
+#[derive(Debug)]
+struct Inner {
+    cert: Option<Arc<CertifiedKey>>,
+    auth_keys: BTreeMap<String, Arc<CertifiedKey>>,
+}
+
+impl ResolvesServerCertAcme {
+    pub(crate) fn new() -> Arc<Self> {
+        Arc::new(Self {
+            inner: Mutex::new(Inner {
+                cert: None,
+                auth_keys: Default::default(),
+            }),
+        })
+    }
+    pub(crate) fn set_cert(&self, cert: Arc<CertifiedKey>) {
+        self.inner.lock().unwrap().cert = Some(cert);
+    }
+    pub(crate) fn set_auth_key(&self, domain: String, cert: Arc<CertifiedKey>) {
+        self.inner.lock().unwrap().auth_keys.insert(domain, cert);
+    }
+}
+
+impl ResolvesServerCert for ResolvesServerCertAcme {
+    fn resolve(&self, client_hello: ClientHello) -> Option<Arc<CertifiedKey>> {
+        let is_acme_challenge = client_hello
+            .alpn()
+            .into_iter()
+            .flatten()
+            .eq([ACME_TLS_ALPN_NAME]);
+        if is_acme_challenge {
+            match client_hello.server_name() {
+                None => {
+                    log::debug!("client did not supply SNI");
+                    None
+                }
+                Some(domain) => {
+                    let domain = domain.to_owned();
+                    let domain: String = AsRef::<str>::as_ref(&domain).into();
+                    self.inner.lock().unwrap().auth_keys.get(&domain).cloned()
+                }
+            }
+        } else {
+            self.inner.lock().unwrap().cert.clone()
+        }
+    }
+}