kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

tls tris server: allow custom server keypairs (#128)

Browse Source
This commit is contained in:
Henry Case 2018-08-19 20:59:43 +01:00 committed by GitHub
parent 2bcf6466b4
commit 81871bbad5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
_dev/tris-localserver/runner.sh
View File

@ -1,10 +1,10 @@
#!/bin/sh #!/bin/sh
./tris-localserver -b 0.0.0.0:1443 -palg=rsa -rtt0=n 2>&1 & # first port: ECDSA (and no 0-RTT) ./tris-localserver -b 0.0.0.0:1443 -cert=rsa -rtt0=n 2>&1 & # first port: ECDSA (and no 0-RTT)
./tris-localserver -b 0.0.0.0:2443 -palg=ecdsa -rtt0=a 2>&1 & # second port: RSA (and accept 0-RTT but not offer it) ./tris-localserver -b 0.0.0.0:2443 -cert=ecdsa -rtt0=a 2>&1 & # second port: RSA (and accept 0-RTT but not offer it)
./tris-localserver -b 0.0.0.0:3443 -palg=ecdsa -rtt0=o 2>&1 & # third port: offer and reject 0-RTT ./tris-localserver -b 0.0.0.0:3443 -cert=ecdsa -rtt0=o 2>&1 & # third port: offer and reject 0-RTT
./tris-localserver -b 0.0.0.0:4443 -palg=ecdsa -rtt0=oa 2>&1 & # fourth port: offer and accept 0-RTT ./tris-localserver -b 0.0.0.0:4443 -cert=ecdsa -rtt0=oa 2>&1 & # fourth port: offer and accept 0-RTT
./tris-localserver -b 0.0.0.0:5443 -palg=ecdsa -rtt0=oa -rtt0ack 2>&1 & # fifth port: offer and accept 0-RTT but confirm ./tris-localserver -b 0.0.0.0:5443 -cert=ecdsa -rtt0=oa -rtt0ack 2>&1 & # fifth port: offer and accept 0-RTT but confirm
./tris-localserver -b 0.0.0.0:6443 -palg=rsa -cliauth 2>&1 & # sixth port: RSA with required client authentication ./tris-localserver -b 0.0.0.0:6443 -cert=rsa -cliauth 2>&1 & # sixth port: RSA with required client authentication
wait wait

78
_dev/tris-localserver/server.go
View File

@ -4,11 +4,14 @@ import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"errors"
"flag" "flag"
"fmt" "fmt"
"io/ioutil"
"log" "log"
"net/http" "net/http"
"os" "os"
"strings"
"time" "time"
) )
@ -22,15 +25,9 @@ const (
ZeroRTT_Accept = 1 << 1 ZeroRTT_Accept = 1 << 1
) )
const (
PubKeyRSA PubKeyAlgo_t = iota
PubKeyECDSA
)
type server struct { type server struct {
Address string Address string
ZeroRTT ZeroRTT_t ZeroRTT ZeroRTT_t
PubKey PubKeyAlgo_t
TLS tls.Config TLS tls.Config
} }
@ -60,14 +57,7 @@ func NewServer() *server {
} }
func (s *server) start() { func (s *server) start() {
cert, err := tls.X509KeyPair([]byte(ecdsaCert), []byte(ecdsaKey)) var err error
if s.PubKey == PubKeyRSA {
cert, err = tls.X509KeyPair([]byte(rsaCert), []byte(rsaKey))
}
s.TLS.Certificates = []tls.Certificate{cert}
if err != nil {
log.Fatal(err)
}
if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer { if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer {
s.TLS.Max0RTTDataSize = 100 * 1024 s.TLS.Max0RTTDataSize = 100 * 1024
} }
@ -91,12 +81,66 @@ func (s *server) start() {
log.Fatal(httpServer.ListenAndServeTLS("", "")) log.Fatal(httpServer.ListenAndServeTLS("", ""))
} }
// setServerCertificateFromArgs sets server certificate from an argument provided by the caller. Possible values
// for arg_cert:
// * "rsa": sets hardcoded RSA keypair
// * "ecdsa": sets hardcoded ECDSA keypair
// * FILE1:FILE2: Uses private key from FILE1 and public key from FILE2. Both must be in PEM format. FILE2 can
// be single certificate or certificate chain.
// * nil: fallbacks to "rsa"
//
// Function generate a panic in case certificate can't be correctly set
func (s *server) setServerCertificateFromArgs(arg_cert *string) {
var certStr, keyStr []byte
var cert tls.Certificate
var err error
if arg_cert == nil {
// set rsa by default
certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
} else {
switch *arg_cert {
case "rsa":
certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
case "ecdsa":
certStr, keyStr = []byte(ecdsaCert), []byte(ecdsaKey)
default:
files := strings.Split(*arg_cert, ":")
if len(files) != 2 {
err = errors.New("Wrong format provided after -cert.")
goto err
}
keyStr, err = ioutil.ReadFile(files[0])
if err != nil {
goto err
}
certStr, err = ioutil.ReadFile(files[1])
if err != nil {
goto err
}
}
}
cert, err = tls.X509KeyPair(certStr, keyStr)
if err != nil {
goto err
}
s.TLS.Certificates = []tls.Certificate{cert}
err:
if err != nil {
// Not possible to proceed really
log.Fatal(err)
panic(err)
}
}
func main() { func main() {
s := NewServer() s := NewServer()
arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding") arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding")
arg_palg := flag.String("palg", "rsa", "Public algorithm to use: rsa or ecdsa") arg_cert := flag.String("cert", "rsa", "Public algorithm to use:\nOptions [rsa, ecdsa, PrivateKeyFile:CertificateChainFile]")
arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`) arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`)
arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm") arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")
arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)") arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)")
@ -104,9 +148,7 @@ func main() {
s.Address = *arg_addr s.Address = *arg_addr
if *arg_palg == "ecdsa" { s.setServerCertificateFromArgs(arg_cert)
s.PubKey = PubKeyECDSA
}
if *arg_zerortt == "a" { if *arg_zerortt == "a" {
s.ZeroRTT = ZeroRTT_Accept s.ZeroRTT = ZeroRTT_Accept