tttls1.3 0.2.9 → 0.2.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 89ddf39b7273edf08fbe46e3b043e3407e6858448643558c79e2d745956bb73a
-  data.tar.gz: d3c67e1558ecf55ea64c6e1b7cf2ae8f76c52e25b02efd23161149532a0b35a9
+  metadata.gz: 3861f9a9864268fda75836b387c4a1f83e4edea0e885595155f2a352f69695ea
+  data.tar.gz: 617f9b12aa8ac8e39367b1b5f9fcba57d1bd3dc669fe645c7c6888a7140795bd
 SHA512:
-  metadata.gz: 859ba8321cda498360389cc0fdb0cba509cec245f9b822855341e5a50bfcfd9ac38d69b976a55923aaa7026a0973b0d3349d5a1d25826ad70d73074904af0bf0
-  data.tar.gz: 03a828102121e5bc70bdfc39e27e382355f0bc4d8ac9f3f925940d496dc845ec03c2e4c23d097de2a82f1edc3e3110ea4852d098f80239d9c0fa3e94b67fe63d
+  metadata.gz: 1f97901b82520b9c0a1fbc864e7e101749d9dacba3554e721eaf223fb1d4026384bf0756c8e9ac4578bcab37eb9c7b8e9c50b0387f3dfd7e8cf2d8456e709b14
+  data.tar.gz: a0d104b2e5dba0e7e7f8297a51b858f0912007f59350e1842e026639c1cc27d107c2737292f01cc2bf1fbc6c3374cb3426696f00ee2462c72d014c841ea3ce7d

data/.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.6.x', '2.7.x']
+    steps:
+      - uses: docker://thekuwayama/openssl:latest
+      - name: Set up Ruby
+        uses: actions/setup-ruby@v1
+      - uses: actions/checkout@v1
+      - name: Install dependencies
+        run: |
+          gem --version
+          gem install bundler
+          bundle --version
+          bundle install
+      - name: Run test
+        run: |
+          bundle exec rake
+          bundle exec rake interop:client
+          bundle exec rake interop:server

data/.rubocop.yml

@@ -1,19 +1,22 @@
 AllCops:
   TargetRubyVersion: 2.6
 
-Style/NumericLiterals:
+Style/ConditionalAssignment:
   Enabled: false
 
 Style/Documentation:
   Enabled: false
 
+Style/NumericLiterals:
+  Enabled: false
+
 Metrics/AbcSize:
   Max: 30
 
 Metrics/MethodLength:
   Max: 30
 
-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:
   MinNameLength: 1
 
 Metrics/BlockLength:
@@ -21,3 +24,7 @@ Metrics/BlockLength:
     - 'Rakefile'
     - 'spec/*.rb'
     - 'interop/*.rb'
+
+Layout/LineLength:
+  Exclude:
+    - 'tttls1.3.gemspec'

data/Gemfile

@@ -10,7 +10,7 @@ group :test do
   gem 'pry'
   gem 'pry-byebug'
   gem 'rspec', '3.8.0'
-  gem 'rubocop', '0.67.2'
+  gem 'rubocop', '0.78.0'
 end
 
 gemspec

data/README.md

@@ -1,7 +1,7 @@
 # tttls1.3
 
 [![Gem Version](https://badge.fury.io/rb/tttls1.3.svg)](https://badge.fury.io/rb/tttls1.3)
-[![Build Status](https://travis-ci.org/thekuwayama/tttls1.3.svg?branch=master)](https://travis-ci.org/thekuwayama/tttls1.3)
+[![Actions Status](https://github.com/thekuwayama/tttls1.3/workflows/CI/badge.svg)](https://github.com/thekuwayama/tttls1.3/actions?workflow=CI)
 [![Maintainability](https://api.codeclimate.com/v1/badges/47f3c267d9cfd2c8e388/maintainability)](https://codeclimate.com/github/thekuwayama/tttls1.3/maintainability)
 
 tttls1.3 is Ruby implementation of [TLS 1.3](https://tools.ietf.org/html/rfc8446) protocol.
@@ -100,6 +100,8 @@ tttls1.3 client is configurable using keyword arguments.
 | `:ticket_age_add` | String | nil | The ticket\_age\_add for PSK. |
 | `:ticket_timestamp` | Integer | nil | The ticket\_timestamp for PSK. |
 | `:record_size_limit` | Integer | nil | The record\_size\_limit offerd in ClientHello extensions. If not needed to be present, set nil. |
+| `:check_certificate_status` | Boolean | false | If needed to check certificate status, set true. |
+| `:process_certificate_status` | Proc | `TTTLS13::Client.method(:softfail_check_certificate_status)` | Proc(or Method) that checks received OCSPResponse. Its 3 arguments are OpenSSL::OCSP::Response, end-entity certificate(OpenSSL::X509::Certificate) and certificates chain(Array of Certificate) used for verification and it returns Boolean. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 
@@ -111,11 +113,13 @@ tttls1.3 server is configurable using keyword arguments.
 | key | type | default value | description |
 |-----|------|---------------|-------------|
 | `:crt_file` | String | nil | Path to the certificate file. This is a required setting. |
+| `:chain_files` | Array of String | nil | Paths to the itermediate certificate files. |
 | `:key_file` | String | nil | Path to the private key file. This is a required setting. |
 | `:cipher_suites` | Array of TTTLS13::CipherSuite constant | `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256` | List of supported cipher suites. |
 | `:signature_algorithms` | Array of TTTLS13::SignatureScheme constant | `ECDSA_SECP256R1_SHA256`, `ECDSA_SECP384R1_SHA384`, `ECDSA_SECP521R1_SHA512`, `RSA_PSS_RSAE_SHA256`, `RSA_PSS_RSAE_SHA384`, `RSA_PSS_RSAE_SHA512`, `RSA_PKCS1_SHA256`, `RSA_PKCS1_SHA384`, `RSA_PKCS1_SHA512` | List of supported signature algorithms. |
 | `:supported_groups` | Array of TTTLS13::NamedGroup constant | `SECP256R1`, `SECP384R1`, `SECP521R1` | List of supported named groups. |
 | `:alpn` | Array of String | nil | List of supported application protocols. If not needed to check this extension, set nil. |
+| `:process_ocsp_response` | Proc | nil | Proc that gets OpenSSL::OCSP::Response. If not needed to staple OCSP::Response, set nil. |
 | `:compatibility_mode` | Boolean | true | If needed to send ChangeCipherSpec, set true. |
 | `:loglevel` | Logger constant | Logger::WARN | If needed to print verbose, set Logger::DEBUG. |
 

data/Rakefile

@@ -9,9 +9,11 @@ require 'fileutils'
 TMP_DIR    = __dir__ + '/tmp'
 CA_KEY     = TMP_DIR + '/ca.key'
 CA_CRT     = TMP_DIR + '/ca.crt'
+INTER_KEY  = TMP_DIR + '/intermediate.key'
+INTER_CRT  = TMP_DIR + '/intermediate.crt'
 SERVER_KEY = TMP_DIR + '/server.key'
 SERVER_CRT = TMP_DIR + '/server.crt'
-certs = [CA_KEY, CA_CRT, SERVER_KEY, SERVER_CRT]
+certs = [CA_KEY, CA_CRT, INTER_KEY, INTER_CRT, SERVER_KEY, SERVER_CRT]
 
 directory TMP_DIR
 
@@ -64,15 +66,66 @@ file CA_CRT => [TMP_DIR, CA_KEY] do
   File.write(CA_CRT, ca_crt.to_pem)
 end
 
+file INTER_KEY => TMP_DIR do
+  puts "generate #{INTER_KEY}..."
+  inter_key = OpenSSL::PKey::RSA.generate(2048)
+  File.write(INTER_KEY, inter_key.to_pem)
+end
+
+file INTER_CRT => [TMP_DIR, INTER_KEY] do
+  ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY))
+  ca_crt = OpenSSL::X509::Certificate.new(File.read(CA_CRT))
+  inter_key = OpenSSL::PKey::RSA.new(File.read(INTER_KEY))
+
+  puts "generate #{INTER_CRT}..."
+  sub = OpenSSL::X509::Name.new
+  sub.add_entry('CN', 'test-intermediate')
+
+  inter_crt = OpenSSL::X509::Certificate.new
+  inter_crt.not_before = Time.now
+  inter_crt.not_after = Time.now + (60 * 60 * 24 * 365 * 10)
+  inter_crt.public_key = inter_key.public_key
+  inter_crt.serial = OpenSSL::BN.rand(64)
+  inter_crt.version = 2
+  inter_crt.issuer = ca_crt.subject
+  inter_crt.subject = sub
+
+  factory = OpenSSL::X509::ExtensionFactory.new
+  factory.subject_certificate = inter_crt
+  factory.issuer_certificate = ca_crt
+  inter_crt.add_extension(
+    factory.create_extension(
+      'keyUsage',
+      'critical, cRLSign, keyCertSign'
+    )
+  )
+  inter_crt.add_extension(
+    factory.create_extension(
+      'basicConstraints',
+      'critical, CA:true'
+    )
+  )
+  inter_crt.add_extension(
+    factory.create_extension(
+      'subjectKeyIdentifier',
+      'hash'
+    )
+  )
+
+  digest = OpenSSL::Digest::SHA256.new
+  inter_crt.sign(ca_key, digest)
+  File.write(INTER_CRT, inter_crt.to_pem)
+end
+
 file SERVER_KEY => TMP_DIR do
   puts "generate #{SERVER_KEY}..."
   server_key = OpenSSL::PKey::RSA.generate(2048)
   File.write(SERVER_KEY, server_key.to_pem)
 end
 
-file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
-  ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY))
-  ca_crt = OpenSSL::X509::Certificate.new(File.read(CA_CRT))
+file SERVER_CRT => [TMP_DIR, INTER_CRT, SERVER_KEY] do
+  inter_key = OpenSSL::PKey::RSA.new(File.read(INTER_KEY))
+  inter_crt = OpenSSL::X509::Certificate.new(File.read(INTER_CRT))
   server_key = OpenSSL::PKey::RSA.new(File.read(SERVER_KEY))
 
   puts "generate #{SERVER_CRT}..."
@@ -85,12 +138,12 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
   server_crt.public_key = server_key.public_key
   server_crt.serial = OpenSSL::BN.rand(64)
   server_crt.version = 2
-  server_crt.issuer = ca_crt.issuer
+  server_crt.issuer = inter_crt.subject
   server_crt.subject = sub
 
   factory = OpenSSL::X509::ExtensionFactory.new
   factory.subject_certificate = server_crt
-  factory.issuer_certificate = ca_crt
+  factory.issuer_certificate = inter_crt
   server_crt.add_extension(
     factory.create_extension(
       'basicConstraints',
@@ -109,9 +162,15 @@ file SERVER_CRT => [TMP_DIR, CA_CRT, SERVER_KEY] do
       'DNS:localhost'
     )
   )
+  server_crt.add_extension(
+    factory.create_extension(
+      'authorityInfoAccess',
+      'caIssuers;URI:http://localhost:8080,OCSP;URI:http://localhost:8080'
+    )
+  )
 
   digest = OpenSSL::Digest::SHA256.new
-  server_crt.sign(ca_key, digest)
+  server_crt.sign(inter_key, digest)
   File.write(SERVER_CRT, server_crt.to_pem)
 end
 

data/example/helper.rb

@@ -21,24 +21,22 @@ def simple_http_request(hostname, path = '/')
 end
 
 def simple_http_response(body)
-  s = <<~RESPONSE
+  h = <<~RESPONSE_HEADER_EOS
     HTTP/1.1 200 OK
     Date: #{Time.now.httpdate}
     Content-Type: text/html
     Content-Length: #{body.length}
     Server: tttls1.3/examples
+  RESPONSE_HEADER_EOS
 
-    #{body}
-  RESPONSE
-
-  s.gsub(WEBrick::LF, WEBrick::CRLF)
+  h.gsub(WEBrick::LF, WEBrick::CRLF) + WEBrick::CRLF + body
 end
 
 def recv_http_response(client)
   parser = HTTP::Parser.new
   buf = nil
 
-  parser.on_headers_complete = proc do |headers|
+  parser.on_headers_complete = lambda do |headers|
     buf =
       [
         'HTTP/' + parser.http_version.join('.'),
@@ -49,11 +47,11 @@ def recv_http_response(client)
       + WEBrick::CRLF
   end
 
-  parser.on_body = proc do |chunk|
+  parser.on_body = lambda do |chunk|
     buf += chunk
   end
 
-  parser.on_message_complete = proc do
+  parser.on_message_complete = lambda do
     client.close
   end
 

data/example/https_client.rb

@@ -12,7 +12,7 @@ settings = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-client = TTTLS13::Client.new(socket, hostname, settings)
+client = TTTLS13::Client.new(socket, hostname, **settings)
 client.connect
 client.write(req)
 

data/example/https_client_using_0rtt.rb

@@ -11,7 +11,7 @@ settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-process_new_session_ticket = proc do |nst, rms, cs|
+process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:ticket] = nst.ticket
@@ -22,7 +22,7 @@ process_new_session_ticket = proc do |nst, rms, cs|
   settings_2nd[:ticket_timestamp] = nst.timestamp
 end
 settings_1st = {
-  ca_file: FileTest.exists?(ca_file) ? ca_file : nil,
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1'],
   process_new_session_ticket: process_new_session_ticket
 }
@@ -36,7 +36,7 @@ succeed_early_data = false
   settings_2nd
 ].each_with_index do |settings, i|
   socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, settings)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
 
   # send message using early data; 0-RTT
   client.early_data(req) if i == 1 && settings.include?(:ticket)

data/example/https_client_using_hrr.rb

@@ -13,7 +13,7 @@ settings = {
   key_share_groups: [], # empty KeyShareClientHello.client_shares
   alpn: ['http/1.1']
 }
-client = TTTLS13::Client.new(socket, hostname, settings)
+client = TTTLS13::Client.new(socket, hostname, **settings)
 client.connect
 client.write(req)
 print recv_http_response(client)

data/example/https_client_using_hrr_and_ticket.rb

@@ -11,7 +11,7 @@ settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-process_new_session_ticket = proc do |nst, rms, cs|
+process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:key_share_groups] = [] # empty KeyShareClientHello.client_shares
@@ -35,7 +35,7 @@ settings_1st = {
   settings_2nd
 ].each do |settings|
   socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, settings)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
   client.connect
   client.write(req)
   print recv_http_response(client)

data/example/https_client_using_status_request.rb

@@ -0,0 +1,31 @@
+# encoding: ascii-8bit
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+hostname, port = (ARGV[0] || 'localhost:4433').split(':')
+ca_file = __dir__ + '/../tmp/ca.crt'
+req = simple_http_request(hostname)
+
+process_certificate_status = lambda do |res, cert, chain|
+  puts 'stapled OCSPResponse: '
+  puts res.basic.status.pretty_inspect unless res.nil?
+  puts '-' * 10
+
+  TTTLS13::Client.softfail_check_certificate_status(res, cert, chain)
+end
+
+socket = TCPSocket.new(hostname, port)
+settings = {
+  ca_file: File.exist?(ca_file) ? ca_file : nil,
+  alpn: ['http/1.1'],
+  check_certificate_status: true,
+  process_certificate_status: process_certificate_status
+}
+client = TTTLS13::Client.new(socket, hostname, **settings)
+client.connect
+client.write(req)
+
+print recv_http_response(client)
+client.close unless client.eof?
+socket.close

data/example/https_client_using_ticket.rb

@@ -11,7 +11,7 @@ settings_2nd = {
   ca_file: File.exist?(ca_file) ? ca_file : nil,
   alpn: ['http/1.1']
 }
-process_new_session_ticket = proc do |nst, rms, cs|
+process_new_session_ticket = lambda do |nst, rms, cs|
   return if Time.now.to_i - nst.timestamp > nst.ticket_lifetime
 
   settings_2nd[:ticket] = nst.ticket
@@ -34,7 +34,7 @@ settings_1st = {
   settings_2nd
 ].each do |settings|
   socket = TCPSocket.new(hostname, port)
-  client = TTTLS13::Client.new(socket, hostname, settings)
+  client = TTTLS13::Client.new(socket, hostname, **settings)
   client.connect
   client.write(req)
   print recv_http_response(client)

data/example/https_server.rb

@@ -10,6 +10,7 @@ port = ARGV[0] || 4433
 
 settings = {
   crt_file: __dir__ + '/../tmp/server.crt',
+  chain_files: [__dir__ + '/../tmp/intermediate.crt'],
   key_file: __dir__ + '/../tmp/server.key',
   alpn: ['http/1.1']
 }
@@ -22,10 +23,10 @@ Etc.nprocessors.times do
     loop do
       s = q.pop
       Timeout.timeout(1) do
-        server = TTTLS13::Server.new(s, settings)
+        server = TTTLS13::Server.new(s, **settings)
         parser = HTTP::Parser.new
 
-        parser.on_message_complete = proc do
+        parser.on_message_complete = lambda do
           if !parser.http_method.nil?
             logger.info 'Receive Request'
             server.write(simple_http_response('TEST'))
@@ -38,10 +39,10 @@ Etc.nprocessors.times do
         begin
           server.accept
           parser << server.read until server.eof?
-        rescue HTTP::Parser::Error, TTTLS13::Error::ErrorAlerts
-          logger.warn 'Parser Error'
+          server.close
+        rescue StandardError => e
+          logger.warn e
         ensure
-          server.close unless server.eof?
           parser.reset!
         end
       end

data/interop/client_spec.rb

@@ -7,14 +7,13 @@ FIXTURES_DIR = __dir__ + '/../spec/fixtures'
 PORT = 4433
 
 RSpec.describe Client do
-  # testcases
   # normal [Boolean] Is this nominal scenarios?
   # opt [String] openssl s_server options
   # crt [String] server crt file path
   # key [String] server key file path
   # settings [Hash] TTTLS13::Server settings
-  [
-    # rubocop: disable Metrics/LineLength
+  # rubocop: disable Layout/LineLength
+  testcases = [
     [
       true,
       '-ciphersuites TLS_AES_256_GCM_SHA384',
@@ -163,8 +162,9 @@ RSpec.describe Client do
       'rsa_rsa.key',
       compatibility_mode: false
     ]
-    # rubocop: enable Metrics/LineLength
-  ].each do |normal, opt, crt, key, settings|
+  ]
+  # rubocop: enable Layout/LineLength
+  testcases.each do |normal, opt, crt, key, settings|
     context 'client interop' do
       before do
         cmd = 'openssl s_server ' \
@@ -177,17 +177,17 @@ RSpec.describe Client do
         pid = spawn('docker run ' \
                     + "--volume #{FIXTURES_DIR}:/tmp " \
                     + "--publish #{PORT}:#{PORT} " \
-                    + 'openssl ' + cmd)
+                    + 'thekuwayama/openssl ' + cmd)
         Process.detach(pid)
 
-        wait_to_listen(PORT)
+        wait_to_listen('127.0.0.1', PORT)
       end
 
       let(:client) do
         hostname = 'localhost'
         @socket = TCPSocket.new(hostname, PORT)
         settings[:ca_file] = FIXTURES_DIR + '/rsa_ca.crt'
-        Client.new(@socket, hostname, settings)
+        Client.new(@socket, hostname, **settings)
       end
 
       after do