tttls1.3 0.2.10 → 0.2.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a88e723a99666a675766294bcd4693baad9d49f9d8d2c95e2c9361d74ea74e0a
-  data.tar.gz: e7c18f7242cf74229ae99232366d18854c898ce18e9f5805af8ca5694666e7bc
+  metadata.gz: ba824030b1a295566777d4d12c35e259d379bc9a830b0cb95792356cc547a436
+  data.tar.gz: c3f2e8fd07567133cce7e8f24fcaf02499b8cceff6088ca403ca2e9be9e5ab5f
 SHA512:
-  metadata.gz: a36f3a4f8dc7884a3927572285773390e0076ff6f154366aeb85dbda10ed1edbdb0964ab2201b236b77f1b7c862cd61796a5eae9574883790da83b5e2c52c375
-  data.tar.gz: 88688015bd166a0c93bf2c6663eda3649719362228c496a7662bf162e236f1a0a04d7f5aa18d477cb18a3986c97fe9e7cab89fd7c04ba09caa1dd92c70441433
+  metadata.gz: 00e939bf927db1923274985cdad6526d16b6d99216f62ff3978b3bae9cdcedf675482b96f49a224f9f982f1d8c6f7ca0b49f282086422e73e93b4b74d13f0722
+  data.tar.gz: 1e523ad0d29d6f29dbd94388f9f895abf69324ceb4336406b13e21793395abdf795a0f043ee89899e888b851d85f2190064e93b70efec092964e34c94b15ac76

data/.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6.x', '2.7.x']
+    steps:
+      - uses: docker://thekuwayama/openssl:latest
+      - name: Set up Ruby
+        uses: actions/setup-ruby@v1
+      - uses: actions/checkout@v1
+      - name: Install dependencies
+        run: |
+          gem --version
+          gem install bundler
+          bundle --version
+          bundle install
+      - name: Run test
+        run: |
+          bundle exec rake
+          bundle exec rake interop:client
+          bundle exec rake interop:server

data/.rubocop.yml

@@ -1,19 +1,22 @@
 AllCops:
   TargetRubyVersion: 2.6
 
-Style/NumericLiterals:
+Style/ConditionalAssignment:
   Enabled: false
 
 Style/Documentation:
   Enabled: false
 
+Style/NumericLiterals:
+  Enabled: false
+
 Metrics/AbcSize:
   Max: 30
 
 Metrics/MethodLength:
   Max: 30
 
-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:
   MinNameLength: 1
 
 Metrics/BlockLength:
@@ -22,6 +25,6 @@ Metrics/BlockLength:
     - 'spec/*.rb'
     - 'interop/*.rb'
 
-Metrics/LineLength:
+Layout/LineLength:
   Exclude:
     - 'tttls1.3.gemspec'

data/Gemfile

@@ -7,10 +7,9 @@ gem 'openssl'
 gem 'rake'
 
 group :test do
-  gem 'pry'
-  gem 'pry-byebug'
-  gem 'rspec', '3.8.0'
-  gem 'rubocop', '0.67.2'
+  gem 'byebug'
+  gem 'rspec', '3.9.0'
+  gem 'rubocop', '0.78.0'
 end
 
 gemspec

data/README.md

@@ -1,7 +1,7 @@
 # tttls1.3
 
 [![Gem Version](https://badge.fury.io/rb/tttls1.3.svg)](https://badge.fury.io/rb/tttls1.3)
-[![Actions Status](https://github.com/thekuwayama/tttls1.3/workflows/workflow/badge.svg)](https://github.com/thekuwayama/tttls1.3/actions?query=workflow=.github/workflows/main.yml)
+[![Actions Status](https://github.com/thekuwayama/tttls1.3/workflows/CI/badge.svg)](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
 [![Maintainability](https://api.codeclimate.com/v1/badges/47f3c267d9cfd2c8e388/maintainability)](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
 
 tttls1.3 is Ruby implementation of [TLS 1.3](https://tools.ietf.org/html/rfc8446) protocol.
@@ -100,6 +100,8 @@ tttls1.3 client is configurable using keyword arguments.
 | `:ticket_age_add` | String | nil | The ticket\_age\_add for PSK. |
 | `:ticket_timestamp` | Integer | nil | The ticket\_timestamp for PSK. |
 | `:record_size_limit` | Integer | nil | The record\_size\_limit offerd in ClientHello extensions. If not needed to be present, set nil. |
+| `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
+| `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 
@@ -111,11 +113,13 @@ tttls1.3 server is configurable using keyword arguments.
 | key | type | default value | description |
 |-----|------|---------------|-------------|
 | `:crt_file` | String | nil | Path to the certificate file. This is a required setting. |
+| `:chain_files` | Array of String | nil | Paths to the itermediate certificate files. |
 | `:key_file` | String | nil | Path to the private key file. This is a required setting. |
 | `:cipher_suites` | Array of TTTLS13::CipherSuite constant | `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256` | List of supported cipher suites. |
 | `:signature_algorithms` | Array of TTTLS13::SignatureScheme constant | `ECDSA_SECP256R1_SHA256`, `ECDSA_SECP384R1_SHA384`, `ECDSA_SECP521R1_SHA512`, `RSA_PSS_RSAE_SHA256`, `RSA_PSS_RSAE_SHA384`, `RSA_PSS_RSAE_SHA512`, `RSA_PKCS1_SHA256`, `RSA_PKCS1_SHA384`, `RSA_PKCS1_SHA512` | List of supported signature algorithms. |
 | `:supported_groups` | Array of TTTLS13::NamedGroup constant | `SECP256R1`, `SECP384R1`, `SECP521R1` | List of supported named groups. |
 | `:alpn` | Array of String | nil | List of supported application protocols. If not needed to check this extension, set nil. |
+| `:process_ocsp_response` | Proc | nil | Proc that gets OpenSSL::OCSP::Response. If not needed to staple OCSP::Response, set nil. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 

data/Rakefile

@@ -9,9 +9,11 @@ require 'fileutils'
 TMP_DIR    = __dir__ + '/tmp'
 CA_KEY     = TMP_DIR + '/ca.key'
 CA_CRT     = TMP_DIR + '/ca.crt'
+INTER_KEY  = TMP_DIR + '/intermediate.key'
+INTER_CRT  = TMP_DIR + '/intermediate.crt'
 SERVER_KEY = TMP_DIR + '/server.key'
 SERVER_CRT = TMP_DIR + '/server.crt'
-certs = [CA_KEY, CA_CRT, SERVER_KEY, SERVER_CRT]
+certs = [CA_KEY, CA_CRT, INTER_KEY, INTER_CRT, SERVER_KEY, SERVER_CRT]
 
 directory TMP_DIR
 
@@ -64,15 +66,66 @@ file CA_CRT => [TMP_DIR, CA_KEY] do
   File.write(CA_CRT, ca_crt.to_pem)
 end
 
+file INTER_KEY => TMP_DIR do
+  puts "generate #{INTER_KEY}..."
+  inter_key = OpenSSL::PKey::RSA.generate(2048)
+  File.write(INTER_KEY, inter_key.to_pem)
+end
+
+file INTER_CRT => [TMP_DIR, INTER_KEY] do
+  ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY))
+  ca_crt = OpenSSL::X509::Certificate.new(File.read(CA_CRT))
+  inter_key = OpenSSL::PKey::RSA.new(File.read(INTER_KEY))
+
+  puts "generate #{INTER_CRT}..."
+  sub = OpenSSL::X509::Name.new
+  sub.add_entry('CN', 'test-intermediate')
+
+  inter_crt = OpenSSL::X509::Certificate.new
+  inter_crt.not_before = Time.now
+  inter_crt.not_after = Time.now + (60 * 60 * 24 * 365 * 10)
+  inter_crt.public_key = inter_key.public_key
+  inter_crt.serial = OpenSSL::BN.rand(64)
+  inter_crt.version = 2
+  inter_crt.issuer = ca_crt.subject
+  inter_crt.subject = sub
+
+  factory = OpenSSL::X509::ExtensionFactory.new
+  factory.subject_certificate = inter_crt
+  factory.issuer_certificate = ca_crt
+  inter_crt.add_extension(
+    factory.create_extension(
+      'keyUsage',
+      'critical, cRLSign, keyCertSign'
+    )
+  )
+  inter_crt.add_extension(
+    factory.create_extension(
+      'basicConstraints',
+      'critical, CA:true'
+    )
+  )
+  inter_crt.add_extension(
+    factory.create_extension(
+      'subjectKeyIdentifier',
+      'hash'
+    )
+  )
+
+  digest = OpenSSL::Digest::SHA256.new
+  inter_crt.sign(ca_key, digest)
+  File.write(INTER_CRT, inter_crt.to_pem)
+end
+
 file SERVER_KEY => TMP_DIR do
   puts "generate #{SERVER_KEY}..."
   server_key = OpenSSL::PKey::RSA.generate(2048)
   File.write(SERVER_KEY, server_key.to_pem)
 end
 
-file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
-  ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY))
-  ca_crt = OpenSSL::X509::Certificate.new(File.read(CA_CRT))
+file SERVER_CRT => [TMP_DIR, INTER_CRT, SERVER_KEY] do
+  inter_key = OpenSSL::PKey::RSA.new(File.read(INTER_KEY))
+  inter_crt = OpenSSL::X509::Certificate.new(File.read(INTER_CRT))
   server_key = OpenSSL::PKey::RSA.new(File.read(SERVER_KEY))
 
   puts "generate #{SERVER_CRT}..."
@@ -85,12 +138,12 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
   server_crt.public_key = server_key.public_key
   server_crt.serial = OpenSSL::BN.rand(64)
   server_crt.version = 2
-  server_crt.issuer = ca_crt.issuer
+  server_crt.issuer = inter_crt.subject
   server_crt.subject = sub
 
   factory = OpenSSL::X509::ExtensionFactory.new
   factory.subject_certificate = server_crt
-  factory.issuer_certificate = ca_crt
+  factory.issuer_certificate = inter_crt
   server_crt.add_extension(
     factory.create_extension(
       'basicConstraints',
@@ -109,9 +162,15 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
       'DNS:localhost'
     )
   )
+  server_crt.add_extension(
+    factory.create_extension(
+      'authorityInfoAccess',
+      'caIssuers;URI:http://localhost:8080,OCSP;URI:http://localhost:8080'
+    )
+  )
 
   digest = OpenSSL::Digest::SHA256.new
-  server_crt.sign(ca_key, digest)
+  server_crt.sign(inter_key, digest)
   File.write(SERVER_CRT, server_crt.to_pem)
 end
 

data/example/helper.rb

@@ -36,7 +36,7 @@ def recv_http_response(client)
   parser = HTTP::Parser.new
   buf = nil
 
-  parser.on_headers_complete = proc do |headers|
+  parser.on_headers_complete = lambda do |headers|
     buf =
       [
         'HTTP/' + parser.http_version.join('.'),
@@ -47,11 +47,11 @@ def recv_http_response(client)
       + WEBrick::CRLF
   end
 
-  parser.on_body = proc do |chunk|
+  parser.on_body = lambda do |chunk|
     buf += chunk
   end
 
-  parser.on_message_complete = proc do
+  parser.on_message_complete = lambda do
     client.close
   end
 

data/example/https_client.rb

@@ -12,7 +12,7 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-client = TTTLS13::Client.new(socket, hostname, settings)
+client = TTTLS13::Client.new(socket, hostname, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_0rtt.rb

@@ -11,7 +11,7 @@ settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-process_new_session_ticket = proc do |nst, rms, cs|
+process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:ticket] = nst.ticket
@@ -22,7 +22,7 @@ process_new_session_ticket = proc do |nst, rms, cs|
   settings_2nd[:ticket_timestamp] = nst.timestamp
 end
 settings_1st = {
-  ca_file: FileTest.exists?(ca_file) ? ca_file : nil,
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   process_new_session_ticket: process_new_session_ticket
 }
@@ -36,7 +36,7 @@ succeed_early_data = false
   settings_2nd
 ].each_with_index do |settings, i|
   socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, settings)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
 
   # send message using early data; 0-RTT
   client.early_data(req) if i == 1 && settings.include?(:ticket)

data/example/https_client_using_hrr.rb

@@ -13,7 +13,7 @@ settings = {
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1']
 }
-client = TTTLS13::Client.new(socket, hostname, settings)
+client = TTTLS13::Client.new(socket, hostname, **settings)
 client.connect
 client.write(req)
 print recv_http_response(client)

data/example/https_client_using_hrr_and_ticket.rb

@@ -11,7 +11,7 @@ settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-process_new_session_ticket = proc do |nst, rms, cs|
+process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:key_share_groups] = [] # empty KeyShareClientHello.client_shares
@@ -35,7 +35,7 @@ settings_1st = {
   settings_2nd
 ].each do |settings|
   socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, settings)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
   client.connect
   client.write(req)
   print recv_http_response(client)

data/example/https_client_using_status_request.rb

@@ -0,0 +1,31 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(hostname)
+
+process_certificate_status = lambda do |res, cert, chain|
+  puts 'stapled OCSPResponse: '
+  puts res.basic.status.pretty_inspect unless res.nil?
+  puts '-' * 10
+
+  TTTLS13::Client.softfail_check_certificate_status(res, cert, chain)
+end
+
+socket = TCPSocket.new(hostname, port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  check_certificate_status: true,
+  process_certificate_status: process_certificate_status
+}
+client = TTTLS13::Client.new(socket, hostname, **settings)
+client.connect
+client.write(req)
+
+print recv_http_response(client)
+client.close unless client.eof?
+socket.close

data/example/https_client_using_ticket.rb

@@ -11,7 +11,7 @@ settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-process_new_session_ticket = proc do |nst, rms, cs|
+process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:ticket] = nst.ticket
@@ -34,7 +34,7 @@ settings_1st = {
   settings_2nd
 ].each do |settings|
   socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, settings)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
   client.connect
   client.write(req)
   print recv_http_response(client)

data/example/https_server.rb

@@ -10,6 +10,7 @@ port = ARGV[0] || 4433
 
 settings = {
   crt_file: __dir__ + '/../tmp/server.crt',
+  chain_files: [__dir__ + '/../tmp/intermediate.crt'],
   key_file: __dir__ + '/../tmp/server.key',
   alpn: ['http/1.1']
 }
@@ -22,10 +23,10 @@ Etc.nprocessors.times do
     loop do
       s = q.pop
       Timeout.timeout(1) do
-        server = TTTLS13::Server.new(s, settings)
+        server = TTTLS13::Server.new(s, **settings)
         parser = HTTP::Parser.new
 
-        parser.on_message_complete = proc do
+        parser.on_message_complete = lambda do
           if !parser.http_method.nil?
             logger.info 'Receive Request'
             server.write(simple_http_response('TEST'))

data/interop/client_spec.rb

@@ -7,14 +7,13 @@ FIXTURES_DIR = __dir__ + '/../spec/fixtures'
 PORT = 4433
 
 RSpec.describe Client do
-  # testcases
   # normal [Boolean] Is this nominal scenarios?
   # opt [String] openssl s_server options
   # crt [String] server crt file path
   # key [String] server key file path
   # settings [Hash] TTTLS13::Server settings
-  [
-    # rubocop: disable Metrics/LineLength
+  # rubocop: disable Layout/LineLength
+  testcases = [
     [
       true,
       '-ciphersuites TLS_AES_256_GCM_SHA384',
@@ -163,8 +162,9 @@ RSpec.describe Client do
       'rsa_rsa.key',
       compatibility_mode: false
     ]
-    # rubocop: enable Metrics/LineLength
-  ].each do |normal, opt, crt, key, settings|
+  ]
+  # rubocop: enable Layout/LineLength
+  testcases.each do |normal, opt, crt, key, settings|
     context 'client interop' do
       before do
         cmd = 'openssl s_server ' \
@@ -187,7 +187,7 @@ RSpec.describe Client do
         hostname = 'localhost'
         @socket = TCPSocket.new(hostname, PORT)
         settings[:ca_file] = FIXTURES_DIR + '/rsa_ca.crt'
-        Client.new(@socket, hostname, settings)
+        Client.new(@socket, hostname, **settings)
       end
 
       after do

data/interop/server_spec.rb

@@ -9,14 +9,13 @@ PORT = 4433
 tcpserver = TCPServer.open(PORT)
 
 RSpec.describe Server do
-  # testcases
   # normal [Boolean] Is this nominal scenarios?
   # opt [String] openssl s_client options
   # crt [String] server crt file path
   # key [String] server key file path
   # settings [Hash] TTTLS13::Client settins
-  [
-    # rubocop: disable Metrics/LineLength
+  # rubocop: disable Layout/LineLength
+  testcases = [
     [
       true,
       '-groups P-256:P-384:P-521 -ciphersuites TLS_AES_256_GCM_SHA384',
@@ -172,8 +171,9 @@ RSpec.describe Server do
       FIXTURES_DIR + '/rsa_rsa.key',
       compatibility_mode: false
     ]
-    # rubocop: enable Metrics/LineLength
-  ].each do |normal, opt, crt, key, settings|
+  ]
+  # rubocop: enable Layout/LineLength
+  testcases.each do |normal, opt, crt, key, settings|
     context 'server interop' do
       let(:server) do
         loop do
@@ -182,7 +182,7 @@ RSpec.describe Server do
         end
         settings[:crt_file] = crt
         settings[:key_file] = key
-        Server.new(@socket, settings)
+        Server.new(@socket, **settings)
       end
 
       let(:client) do