mirror of
https://github.com/rwf2/Rocket.git
synced 2025-02-20 07:32:01 +00:00
7cc818cd85
This commit introduces the ability to dynamically select a TLS configuration based on the client's TLS hello via the new `Resolver` trait. In support of this, it also makes the following changes: * Added `Authority::set_port()`. * `UdsListener` is now `UnixListener`. * `Bindable` removed in favor of new `Bind`. * All built-in listeners now implement `Bind<&Rocket>`. * `Connection` requires `AsyncRead + AsyncWrite`. * The `Debug` impl for `Endpoint` displays the underlying address. * `Listener` must be `Sized`. * The TLS listener was moved to `tls::TlsListener`. * The preview `quic` listener no longer implements `Listener`. * Added `TlsConfig::server_config()`. * Added `race` future helpers. * Added `Rocket::launch_with()`, `Rocket::bind_launch()`. * Added a default `client.pem` to the TLS example. * Various unnecessary listener `Config` structures removed. In addition, the testbench was revamped to support more scenarios. This resulted in the following issues being found and fixed: * Fix an issue where the logger would ignore color requests. * Clarified docs for `mtls::Certificate` guard. * Improved error messages on listener misconfiguration. Resolves #2730. Resolves #2363. Closes #2748. Closes #2683. Closes #2577.
165 lines
5.3 KiB
Bash
Executable File
165 lines
5.3 KiB
Bash
Executable File
#! /bin/bash
|
|
|
|
# Usage:
|
|
# ./gen_certs.sh [cert-kind]
|
|
#
|
|
# [cert-kind]:
|
|
# ed25519
|
|
# rsa_sha256
|
|
# ecdsa_nistp256_sha256
|
|
# ecdsa_nistp384_sha384
|
|
# ecdsa_nistp521_sha512
|
|
# client
|
|
#
|
|
# Generate a certificate of the [cert-kind] key type, or if no cert-kind is
|
|
# specified, all of the certificates.
|
|
#
|
|
# Examples:
|
|
# ./gen_certs.sh ed25519
|
|
# ./gen_certs.sh rsa_sha256
|
|
|
|
# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
|
|
# to check if a certificate is valid for a server name sent via SNI. It's not
|
|
# clear if this is intended, since certificates _should_ have a `subjectAltName`
|
|
# with a DNS name, or if it simply hasn't been implemented yet. See
|
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
|
|
|
|
CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
|
|
SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
|
|
ALT="DNS:localhost"
|
|
|
|
function gen_ca() {
|
|
openssl genrsa -out ca_key.pem 4096
|
|
openssl req -new -x509 -days 3650 -key ca_key.pem \
|
|
-subj "${CA_SUBJECT}" -out ca_cert.pem
|
|
}
|
|
|
|
function gen_ca_if_non_existent() {
|
|
if ! [ -f ./ca_cert.pem ]; then gen_ca; fi
|
|
}
|
|
|
|
function gen_rsa_sha256() {
|
|
gen_ca_if_non_existent
|
|
|
|
openssl req -newkey rsa:4096 -nodes -sha256 -keyout rsa_sha256_key.pem \
|
|
-subj "${SUBJECT}" -out server.csr
|
|
|
|
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-in server.csr -out rsa_sha256_cert.pem
|
|
|
|
openssl pkcs12 -export -password pass:rocket \
|
|
-in rsa_sha256_cert.pem -inkey rsa_sha256_key.pem -out rsa_sha256.p12
|
|
|
|
rm ca_cert.srl server.csr
|
|
}
|
|
|
|
function gen_ed25519() {
|
|
gen_ca_if_non_existent
|
|
|
|
openssl genpkey -algorithm ED25519 > ed25519_key.pem
|
|
|
|
openssl req -new -key ed25519_key.pem -subj "${SUBJECT}" -out server.csr
|
|
|
|
openssl x509 -req -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-in server.csr -out ed25519_cert.pem
|
|
|
|
openssl pkcs12 -export -password pass:rocket \
|
|
-in ed25519_cert.pem -inkey ed25519_key.pem -out ed25519.p12
|
|
|
|
rm ca_cert.srl server.csr
|
|
}
|
|
|
|
function gen_ecdsa_nistp256_sha256() {
|
|
gen_ca_if_non_existent
|
|
|
|
openssl ecparam -out ecdsa_nistp256_sha256_key.pem -name prime256v1 -genkey
|
|
|
|
# Convert to pkcs8 format supported by rustls
|
|
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp256_sha256_key.pem \
|
|
-out ecdsa_nistp256_sha256_key_pkcs8.pem
|
|
|
|
openssl req -new -nodes -sha256 -key ecdsa_nistp256_sha256_key_pkcs8.pem \
|
|
-subj "${SUBJECT}" -out server.csr
|
|
|
|
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-in server.csr -out ecdsa_nistp256_sha256_cert.pem
|
|
|
|
openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp256_sha256_cert.pem \
|
|
-inkey ecdsa_nistp256_sha256_key_pkcs8.pem -out ecdsa_nistp256_sha256.p12
|
|
|
|
rm ca_cert.srl server.csr ecdsa_nistp256_sha256_key.pem
|
|
}
|
|
|
|
function gen_ecdsa_nistp384_sha384() {
|
|
gen_ca_if_non_existent
|
|
|
|
openssl ecparam -out ecdsa_nistp384_sha384_key.pem -name secp384r1 -genkey
|
|
|
|
# Convert to pkcs8 format supported by rustls
|
|
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp384_sha384_key.pem \
|
|
-out ecdsa_nistp384_sha384_key_pkcs8.pem
|
|
|
|
openssl req -new -nodes -sha384 -key ecdsa_nistp384_sha384_key_pkcs8.pem \
|
|
-subj "${SUBJECT}" -out server.csr
|
|
|
|
openssl x509 -req -sha384 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-in server.csr -out ecdsa_nistp384_sha384_cert.pem
|
|
|
|
openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp384_sha384_cert.pem \
|
|
-inkey ecdsa_nistp384_sha384_key_pkcs8.pem -out ecdsa_nistp384_sha384.p12
|
|
|
|
rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem
|
|
}
|
|
|
|
function gen_ecdsa_nistp521_sha512() {
|
|
gen_ca_if_non_existent
|
|
|
|
openssl ecparam -out ecdsa_nistp521_sha512_key.pem -name secp521r1 -genkey
|
|
|
|
# Convert to pkcs8 format supported by rustls
|
|
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp521_sha512_key.pem \
|
|
-out ecdsa_nistp521_sha512_key_pkcs8.pem
|
|
|
|
openssl req -new -nodes -sha512 -key ecdsa_nistp521_sha512_key_pkcs8.pem \
|
|
-subj "${SUBJECT}" -out server.csr
|
|
|
|
openssl x509 -req -sha512 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-in server.csr -out ecdsa_nistp521_sha512_cert.pem
|
|
|
|
openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp521_sha512_cert.pem \
|
|
-inkey ecdsa_nistp521_sha512_key_pkcs8.pem -out ecdsa_nistp521_sha512.p12
|
|
|
|
rm ca_cert.srl server.csr ecdsa_nistp521_sha512_key.pem
|
|
}
|
|
|
|
function gen_client_cert() {
|
|
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
|
|
openssl x509 -req -extfile <(printf "subjectAltName=DNS:${ALT}") -days 365 \
|
|
-in client.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
|
-out client.crt
|
|
|
|
cat client.key client.crt ca_cert.pem > client.pem
|
|
rm client.key client.crt client.csr ca_cert.srl
|
|
}
|
|
|
|
case $1 in
|
|
ed25519) gen_ed25519 ;;
|
|
rsa_sha256) gen_rsa_sha256 ;;
|
|
ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;;
|
|
ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;;
|
|
ecdsa_nistp521_sha512) gen_ecdsa_nistp521_sha512 ;;
|
|
client) gen_client_cert ;;
|
|
*)
|
|
gen_ed25519
|
|
gen_rsa_sha256
|
|
gen_ecdsa_nistp256_sha256
|
|
gen_ecdsa_nistp384_sha384
|
|
gen_ecdsa_nistp521_sha512
|
|
;;
|
|
esac
|