kris
/
th5
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

tls tris server: allow custom server keypairs (#128)

v1.2.3
Henry Case 6 years ago
committed by GitHub
parent
2bcf6466b4
commit
81871bbad5
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 24 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +6
    -6
      _dev/tris-localserver/runner.sh
  2. +60
    -18
      _dev/tris-localserver/server.go

+ 6
- 6
_dev/tris-localserver/runner.sh View File

@@ -1,10 +1,10 @@
#!/bin/sh #!/bin/sh


./tris-localserver -b 0.0.0.0:1443 -palg=rsa -rtt0=n 2>&1 & # first port: ECDSA (and no 0-RTT)
./tris-localserver -b 0.0.0.0:2443 -palg=ecdsa -rtt0=a 2>&1 & # second port: RSA (and accept 0-RTT but not offer it)
./tris-localserver -b 0.0.0.0:3443 -palg=ecdsa -rtt0=o 2>&1 & # third port: offer and reject 0-RTT
./tris-localserver -b 0.0.0.0:4443 -palg=ecdsa -rtt0=oa 2>&1 & # fourth port: offer and accept 0-RTT
./tris-localserver -b 0.0.0.0:5443 -palg=ecdsa -rtt0=oa -rtt0ack 2>&1 & # fifth port: offer and accept 0-RTT but confirm
./tris-localserver -b 0.0.0.0:6443 -palg=rsa -cliauth 2>&1 & # sixth port: RSA with required client authentication
./tris-localserver -b 0.0.0.0:1443 -cert=rsa -rtt0=n 2>&1 & # first port: ECDSA (and no 0-RTT)
./tris-localserver -b 0.0.0.0:2443 -cert=ecdsa -rtt0=a 2>&1 & # second port: RSA (and accept 0-RTT but not offer it)
./tris-localserver -b 0.0.0.0:3443 -cert=ecdsa -rtt0=o 2>&1 & # third port: offer and reject 0-RTT
./tris-localserver -b 0.0.0.0:4443 -cert=ecdsa -rtt0=oa 2>&1 & # fourth port: offer and accept 0-RTT
./tris-localserver -b 0.0.0.0:5443 -cert=ecdsa -rtt0=oa -rtt0ack 2>&1 & # fifth port: offer and accept 0-RTT but confirm
./tris-localserver -b 0.0.0.0:6443 -cert=rsa -cliauth 2>&1 & # sixth port: RSA with required client authentication


wait wait

+ 60
- 18
_dev/tris-localserver/server.go View File

@@ -4,11 +4,14 @@ import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"errors"
"flag" "flag"
"fmt" "fmt"
"io/ioutil"
"log" "log"
"net/http" "net/http"
"os" "os"
"strings"
"time" "time"
) )


@@ -22,15 +25,9 @@ const (
ZeroRTT_Accept = 1 << 1 ZeroRTT_Accept = 1 << 1
) )


const (
PubKeyRSA PubKeyAlgo_t = iota
PubKeyECDSA
)

type server struct { type server struct {
Address string Address string
ZeroRTT ZeroRTT_t ZeroRTT ZeroRTT_t
PubKey PubKeyAlgo_t
TLS tls.Config TLS tls.Config
} }


@@ -60,14 +57,7 @@ func NewServer() *server {
} }


func (s *server) start() { func (s *server) start() {
cert, err := tls.X509KeyPair([]byte(ecdsaCert), []byte(ecdsaKey))
if s.PubKey == PubKeyRSA {
cert, err = tls.X509KeyPair([]byte(rsaCert), []byte(rsaKey))
}
s.TLS.Certificates = []tls.Certificate{cert}
if err != nil {
log.Fatal(err)
}
var err error
if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer { if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer {
s.TLS.Max0RTTDataSize = 100 * 1024 s.TLS.Max0RTTDataSize = 100 * 1024
} }
@@ -91,12 +81,66 @@ func (s *server) start() {
log.Fatal(httpServer.ListenAndServeTLS("", "")) log.Fatal(httpServer.ListenAndServeTLS("", ""))
} }


// setServerCertificateFromArgs sets server certificate from an argument provided by the caller. Possible values
// for arg_cert:
// * "rsa": sets hardcoded RSA keypair
// * "ecdsa": sets hardcoded ECDSA keypair
// * FILE1:FILE2: Uses private key from FILE1 and public key from FILE2. Both must be in PEM format. FILE2 can
// be single certificate or certificate chain.
// * nil: fallbacks to "rsa"
//
// Function generate a panic in case certificate can't be correctly set
func (s *server) setServerCertificateFromArgs(arg_cert *string) {
var certStr, keyStr []byte
var cert tls.Certificate
var err error

if arg_cert == nil {
// set rsa by default
certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
} else {
switch *arg_cert {
case "rsa":
certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
case "ecdsa":
certStr, keyStr = []byte(ecdsaCert), []byte(ecdsaKey)
default:
files := strings.Split(*arg_cert, ":")
if len(files) != 2 {
err = errors.New("Wrong format provided after -cert.")
goto err
}
keyStr, err = ioutil.ReadFile(files[0])
if err != nil {
goto err
}
certStr, err = ioutil.ReadFile(files[1])
if err != nil {
goto err
}
}
}

cert, err = tls.X509KeyPair(certStr, keyStr)
if err != nil {
goto err
}

s.TLS.Certificates = []tls.Certificate{cert}
err:
if err != nil {
// Not possible to proceed really
log.Fatal(err)
panic(err)
}
}

func main() { func main() {


s := NewServer() s := NewServer()


arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding") arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding")
arg_palg := flag.String("palg", "rsa", "Public algorithm to use: rsa or ecdsa")
arg_cert := flag.String("cert", "rsa", "Public algorithm to use:\nOptions [rsa, ecdsa, PrivateKeyFile:CertificateChainFile]")
arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`) arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`)
arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm") arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")
arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)") arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)")
@@ -104,9 +148,7 @@ func main() {


s.Address = *arg_addr s.Address = *arg_addr


if *arg_palg == "ecdsa" {
s.PubKey = PubKeyECDSA
}
s.setServerCertificateFromArgs(arg_cert)


if *arg_zerortt == "a" { if *arg_zerortt == "a" {
s.ZeroRTT = ZeroRTT_Accept s.ZeroRTT = ZeroRTT_Accept


Write Preview
Loading…
Cancel
Save