From 7be828efdfb9466fdbe67f171b0b2ae83c90b03b Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Sun, 22 Dec 2019 01:15:23 -0500 Subject: [PATCH] Add support for reading key/cert from stdin, better OpenSSL error messages --- README.md | 4 ++++ src/bin/udp-test.rs | 4 ++++ src/bin/wireguard-proxy.rs | 4 ++++ src/error.rs | 3 +++ src/openssl.rs | 30 +++++++++++++++++++++++++++--- 5 files changed, 42 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 404c95f..235fd2a 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,10 @@ usage: wireguard-proxy [options...] requires --tls-cert also -tc, --tls-cert TLS cert to listen with, requires --tls-key also + Note: with both --tls-key and --tls-cert, + - means stdin, + also the same file can work for both if you combine them into + one pem file Common Options: -h, --help print this usage text diff --git a/src/bin/udp-test.rs b/src/bin/udp-test.rs index db8d840..f9325fe 100644 --- a/src/bin/udp-test.rs +++ b/src/bin/udp-test.rs @@ -124,6 +124,10 @@ fn main() { sha256 hashes preceded by "sha256//" and separated by ";". Identical to curl's --pinnedpubkey and CURLOPT_PINNEDPUBLICKEY + Note: with both --tls-key and --tls-cert, + only for -is (not -s) - means stdin, + also the same file can work for both if you combine them into + one pem file Environment variable support: For every command line option, short and long, if you replace all diff --git a/src/bin/wireguard-proxy.rs b/src/bin/wireguard-proxy.rs index 5e4349c..1a25431 100644 --- a/src/bin/wireguard-proxy.rs +++ b/src/bin/wireguard-proxy.rs @@ -49,6 +49,10 @@ fn main() { requires --tls-cert also -tc, --tls-cert TLS cert to listen with, requires --tls-key also + Note: with both --tls-key and --tls-cert, + - means stdin, + also the same file can work for both if you combine them into + one pem file Common Options: -h, --help print this usage text diff --git a/src/error.rs b/src/error.rs index 8c97de8..d6f713d 100644 --- a/src/error.rs +++ b/src/error.rs 
@@ -13,6 +13,9 @@ impl Error { pub fn new(msg: &str) -> Error { Error(msg.to_owned()) } + pub fn new_owned(msg: String) -> Error { + Error(msg) + } } impl std::fmt::Display for Error { diff --git a/src/openssl.rs b/src/openssl.rs index c8de116..da4a620 100644 --- a/src/openssl.rs +++ b/src/openssl.rs @@ -103,8 +103,32 @@ pub struct TlsListener { impl TlsListener { pub fn new(tls_key: &str, tls_cert: &str) -> Result { let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; - acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?; - acceptor.set_certificate_chain_file(tls_cert)?; + + if tls_key == "-" || tls_cert == "-" { + let mut key_and_or_cert = Vec::new(); + println!("fully reading stdin..."); + std::io::stdin().read_to_end(&mut key_and_or_cert)?; + println!("finished reading stdin"); + + if tls_key == "-" { + let tls_key = openssl::pkey::PKey::private_key_from_pem(&key_and_or_cert)?; + acceptor.set_private_key(&tls_key)?; + } else { + acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?; + } + if tls_cert == "-" { + // todo: read whole chain here or??? + let tls_cert = openssl::x509::X509::from_pem(&key_and_or_cert)?; + acceptor.set_certificate(&tls_cert)?; + } else { + acceptor.set_certificate_chain_file(tls_cert)?; + } + + } else { + // set from files + acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?; + acceptor.set_certificate_chain_file(tls_cert)?; + } acceptor.check_private_key()?; let acceptor = acceptor.build(); Ok(TlsListener { @@ -118,7 +142,7 @@ impl TlsListener { impl From for Error { fn from(value: openssl::error::ErrorStack) -> Self { - Error::new(value.description()) + Error::new_owned(format!("{}", value)) } }
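Review bot: `new_owned` adds a second constructor that differs from `new` only in taking an owned `String`; the idiomatic shape is one constructor over a conversion bound, `pub fn new(msg: impl Into<String>) -> Error { Error(msg.into()) }`, which accepts both `&str` and `String` under the existing name, or an `impl From<String> for Error` so callers can write `.into()`. Either keeps every current `Error::new("…")` call compiling. The `impl Error` block closes inside the hunk; the `Display` impl that follows continues past it.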
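Review bot: In the `tls_cert == "-"` branch a single certificate is parsed with `X509::from_pem` and installed with `set_certificate`, so any intermediate certificates in the same PEM are silently dropped, while the file branch keeps using `set_certificate_chain_file` and sends the full chain; clients that do not already hold the intermediates will fail chain validation only in the stdin case, which the `// todo` comment already hints at. Parsing with `X509::stack_from_pem`, installing the first certificate as the leaf and passing the rest through `add_extra_chain_cert` makes the two paths equivalent and turns an empty or certificate-less stdin into a readable error instead of an opaque OpenSSL one. The two progress messages use `println!`; for a proxy binary they belong on stderr (`eprintln!`) so stdout stays usable by scripts. `read_to_end` requires `std::io::Read` in scope and the hunk adds no import, so presumably it is already imported earlier in the file. `TlsListener::new` ends past the hunk.
```rust
if tls_cert == "-" {
    // Parse every certificate in the PEM so intermediates are sent too,
    // matching what set_certificate_chain_file does for the file path.
    let mut chain = openssl::x509::X509::stack_from_pem(&key_and_or_cert)?.into_iter();
    let leaf = chain
        .next()
        .ok_or_else(|| Error::new("no certificate found on stdin"))?;
    acceptor.set_certificate(&leaf)?;
    for intermediate in chain {
        acceptor.add_extra_chain_cert(intermediate)?;
    }
} else {
    acceptor.set_certificate_chain_file(tls_cert)?;
}
// … unchanged: file-only branch, check_private_key, build …
```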
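Review bot: `format!("{}", value)` used only to obtain a `String` is the form clippy's `useless_format` lint flags; `Error::new_owned(value.to_string())` goes through the same `Display` impl and reads more directly. The impl header appears here as `impl From for Error` with its type parameter lost in rendering, presumably `impl From<openssl::error::ErrorStack> for Error` given the `from` signature on the next line.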