diff --git a/Cargo.lock b/Cargo.lock
index e52cca3..c223a6a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -192,6 +192,7 @@ dependencies = [
  "aws-lc-sys",
  "mirai-annotations",
  "paste",
+ "untrusted 0.7.1",
  "zeroize",
 ]
 
@@ -1880,6 +1881,19 @@ dependencies = [
  "getrandom",
 ]
 
+[[package]]
+name = "rcgen"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779"
+dependencies = [
+ "aws-lc-rs",
+ "ring",
+ "rustls-pki-types",
+ "time",
+ "yasna",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.4.1"
@@ -1974,7 +1988,7 @@ dependencies = [
  "getrandom",
  "libc",
  "spin",
- "untrusted",
+ "untrusted 0.9.0",
  "windows-sys 0.52.0",
 ]
 
@@ -2111,7 +2125,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
 dependencies = [
  "ring",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 
 [[package]]
@@ -2123,7 +2137,7 @@ dependencies = [
  "aws-lc-rs",
  "ring",
  "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 
 [[package]]
@@ -2163,7 +2177,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
 dependencies = [
  "ring",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 
 [[package]]
@@ -2774,6 +2788,12 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
 
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -3146,6 +3166,7 @@ dependencies = [
  "parking_lot",
  "pin-project",
  "ppp",
+ "rcgen",
  "regex",
  "rustls-native-certs 0.7.2",
  "rustls-pemfile 2.1.3",
@@ -3185,6 +3206,15 @@ dependencies = [
  "time",
 ]
 
+[[package]]
+name = "yasna"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+dependencies = [
+ "time",
+]
+
 [[package]]
 name = "zerocopy"
 version = "0.7.34"
diff --git a/Cargo.toml b/Cargo.toml
index 12e6e41..753a0d0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -61,9 +61,11 @@ tokio-fd = "0.3.0"
 
 [target.'cfg(any(target_os = "linux", target_os = "macos"))'.dependencies]
 tokio-rustls = { version = "0.26.0", features = [] }
+rcgen = { version = "0.13.1", default-features = false, features = ["aws_lc_rs"] }
 
 [target.'cfg(not(any(target_os = "linux", target_os = "macos")))'.dependencies]
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "tls12", "ring"] }
+rcgen = { version = "0.13.1", default-features = false, features = ["ring"] }
 
 [dev-dependencies]
 
diff --git a/certs/cert.pem b/certs/cert.pem
deleted file mode 100644
index a897088..0000000
--- a/certs/cert.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB4DCCAYegAwIBAgIUdoMEAEloOjgFlRjkA7naE+xGBhowCgYIKoZIzj0EAwIw
-RTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
-dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA4MjYyMTMxMDVaGA8yMTI0MDgy
-NjIxMzEwNVowRTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
-BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
-SM49AwEHA0IABFd3WKJWOwZ3SwjjGeqIOiLXV1QWpggGMriK0EorXYaE1XJgNlCI
-TTRtZUAYArThwVpnXPzFrA3LoVtZI0IZvkyjUzBRMB0GA1UdDgQWBBTOra0Tv425
-GAQl1w5lMmiz0AnJwjAfBgNVHSMEGDAWgBTOra0Tv425GAQl1w5lMmiz0AnJwjAP
-BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEd/fLYpJKgTu/rAwIfJ
-CAf2ApXcMA//wgQbABbqAQdpAiACDRz766m9bot2PbMzmXah8wTlwLkY0k400xG4
-qPrP9w==
------END CERTIFICATE-----
diff --git a/certs/key.pem b/certs/key.pem
deleted file mode 100644
index 1aa3525..0000000
--- a/certs/key.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIN9PYI7feqDtiEt2P5Eo1m78mFjrlYeTsOY2HFpSl43roAoGCCqGSM49
-AwEHoUQDQgAEV3dYolY7BndLCOMZ6og6ItdXVBamCAYyuIrQSitdhoTVcmA2UIhN
-NG1lQBgCtOHBWmdc/MWsDcuhW1kjQhm+TA==
------END EC PRIVATE KEY-----
diff --git a/src/embedded_certificate.rs b/src/embedded_certificate.rs
index 0e6a6e4..0ba6cbc 100644
--- a/src/embedded_certificate.rs
+++ b/src/embedded_certificate.rs
@@ -1,23 +1,31 @@
 use log::info;
+use rcgen::{date_time_ymd, CertificateParams, DnType, KeyPair};
 use std::sync::LazyLock;
-use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use std::time::Instant;
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 
-pub static TLS_PRIVATE_KEY: LazyLock> = LazyLock::new(|| {
-    info!("Loading embedded tls private key");
+pub static TLS_CERTIFICATE: LazyLock<(Vec>, PrivateKeyDer<'static>)> = LazyLock::new(|| {
+    info!("Generating self-signed tls certificate");
 
-    let key = include_bytes!("../certs/key.pem");
-    let key = rustls_pemfile::private_key(&mut key.as_slice())
-        .expect("failed to load embedded tls private key")
-        .expect("failed to load embedded tls private key");
-    key
-});
-pub static TLS_CERTIFICATE: LazyLock>> = LazyLock::new(|| {
-    info!("Loading embedded tls certificate");
-
-    let cert = include_bytes!("../certs/cert.pem");
-    let certs = rustls_pemfile::certs(&mut cert.as_slice())
-        .next()
-        .expect("failed to load embedded tls certificate");
-
-    certs.into_iter().collect()
+    let now = Instant::now();
+    let key_pair = KeyPair::generate().unwrap();
+    let mut cert = CertificateParams::new(vec![]).unwrap();
+    cert.distinguished_name = rcgen::DistinguishedName::new();
+    cert.distinguished_name.push(DnType::CountryName, "FR".to_string());
+    let el = now.elapsed();
+    let year = 2024 - (el.as_nanos() % 2) as i32;
+    let month = 1 + (el.as_nanos() % 12) as u8;
+    let day = 1 + (el.as_nanos() % 31) as u8;
+    cert.not_before = date_time_ymd(year, month, day);
+
+    let el = now.elapsed();
+    let year = 2024 + (el.as_nanos() % 50) as i32;
+    let month = 1 + (el.as_nanos() % 12) as u8;
+    let day = 1 + (el.as_nanos() % 31) as u8;
+    cert.not_after = date_time_ymd(year, month, day);
+
+    let cert = cert.self_signed(&key_pair).unwrap().der().clone();
+    let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialized_der().to_vec()));
+
+    (vec![cert], private_key)
 });
diff --git a/src/main.rs b/src/main.rs
index 21bd7aa..a8a6edd 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1069,13 +1069,13 @@ async fn main() -> anyhow::Result<()> {
     let tls_certificate = if let Some(cert_path) = &args.tls_certificate {
         tls::load_certificates_from_pem(cert_path).expect("Cannot load tls certificate")
     } else {
-        embedded_certificate::TLS_CERTIFICATE.clone()
+        embedded_certificate::TLS_CERTIFICATE.0.clone()
     };
 
     let tls_key = if let Some(key_path) = &args.tls_private_key {
         tls::load_private_key_from_file(key_path).expect("Cannot load tls private key")
     } else {
-        embedded_certificate::TLS_PRIVATE_KEY.clone_key()
+        embedded_certificate::TLS_CERTIFICATE.1.clone_key()
     };
 
     let tls_client_ca_certificates = args.tls_client_ca_certs.as_ref().map(|tls_client_ca| {
@@ -1125,7 +1125,7 @@ async fn main() -> anyhow::Result<()> {
     let http_proxy = mk_http_proxy(args.http_proxy, args.http_proxy_login, args.http_proxy_password)?;
     let server_config = WsServerConfig {
         socket_so_mark: args.socket_so_mark,
-        bind: args.remote_addr.socket_addrs(|| Some(8080)).unwrap()[0],
+        bind: args.remote_addr.socket_addrs(|| Some(8080))?[0],
         websocket_ping_frequency: args
             .websocket_ping_frequency_sec
             .or(Some(Duration::from_secs(30)))
@@ -1157,7 +1157,7 @@ async fn main() -> anyhow::Result<()> {
         }
     }
 
-    tokio::signal::ctrl_c().await.unwrap();
+    tokio::signal::ctrl_c().await?;
     Ok(())
 }
 
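Review bot: In the `not_before` and `not_after` blocks the day is taken from `el.as_nanos() % 31` while the month comes from the same nanosecond count `% 12`, so on some startups `date_time_ymd` is handed a date such as 30 February; as far as I recall rcgen's `date_time_ymd` builds a `time::Date` and panics on an invalid calendar date, which here would surface as a nondeterministic crash inside the `LazyLock` initializer on first TLS use. Bounding the day keeps every month valid: `let day = 1 + (el.as_nanos() % 28) as u8;` in both blocks. Because `not_before` can be 2024 and `not_after` is `2024 + (n % 50)`, the two can also land in the same year with `not_after` earlier than `not_before`, which yields a certificate that is never valid; basing `not_after` on `2025 + …` (or adding a fixed span to `not_before`) rules that out. The three `unwrap()` calls on `KeyPair::generate`, `CertificateParams::new` and `self_signed` would be clearer as `expect("…")` with a message, in the style of the `expect` messages the removed loader used. Why the validity window is jittered from an `Instant` at all rather than fixed is not apparent from the hunk and deserves a one-line comment above the first `let el = now.elapsed();`.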
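Review bot: `TLS_CERTIFICATE.0.clone()` and `TLS_CERTIFICATE.1.clone_key()` leave the reader to remember which tuple half is the certificate chain and which is the key; exposing the pair as a small struct with named fields (`certs`, `key`) or two accessor functions would make both call sites self-describing with no change in behaviour. Since this same function now propagates failures with `?` elsewhere in the commit, the surrounding `expect("Cannot load tls …")` panics on the user-supplied paths could follow the same style, though they are unchanged context here. Both `if` expressions sit inside `main`, whose body extends beyond the hunk.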
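Review bot: `socket_addrs(|| Some(8080))?[0]` still panics on an empty resolution result even though the `unwrap()` was replaced by `?`; `.first()` keeps the new error-propagation style: `bind: *args.remote_addr.socket_addrs(|| Some(8080))?.first().ok_or_else(|| anyhow::anyhow!("no socket address for remote_addr"))?,`. Whether `socket_addrs` can actually return an empty `Vec` depends on the type of `args.remote_addr`, which is outside the hunk; for a DNS name it is at least not excluded by the signature. `main` continues outside this hunk.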