Add support for reading key/cert from stdin, better OpenSSL error messages

This commit is contained in:
Travis Burtrum 2019-12-22 01:15:23 -05:00
parent 1650cefa0d
commit 7be828efdf
5 changed files with 42 additions and 3 deletions


@ -44,6 +44,10 @@ usage: wireguard-proxy [options...]
requires --tls-cert also requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with, -tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also requires --tls-key also
Note: with both --tls-key and --tls-cert,
- means stdin,
also the same file can work for both if you combine them into
one pem file
Common Options: Common Options:
-h, --help print this usage text -h, --help print this usage text


@ -124,6 +124,10 @@ fn main() {
sha256 hashes preceded by "sha256//" sha256 hashes preceded by "sha256//"
and separated by ";". Identical to curl's and separated by ";". Identical to curl's
--pinnedpubkey and CURLOPT_PINNEDPUBLICKEY --pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
Note: with both --tls-key and --tls-cert,
only for -is (not -s) - means stdin,
also the same file can work for both if you combine them into
one pem file
Environment variable support: Environment variable support:
For every command line option, short and long, if you replace all For every command line option, short and long, if you replace all


@ -49,6 +49,10 @@ fn main() {
requires --tls-cert also requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with, -tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also requires --tls-key also
Note: with both --tls-key and --tls-cert,
- means stdin,
also the same file can work for both if you combine them into
one pem file
Common Options: Common Options:
-h, --help print this usage text -h, --help print this usage text


@ -13,6 +13,9 @@ impl Error {
pub fn new(msg: &str) -> Error { pub fn new(msg: &str) -> Error {
Error(msg.to_owned()) Error(msg.to_owned())
} }
pub fn new_owned(msg: String) -> Error {
Error(msg)
}
} }
impl std::fmt::Display for Error { impl std::fmt::Display for Error {
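Review bot: `new_owned` (`pub fn new_owned(msg: String) -> Error`) is a plain wrapper around the tuple constructor, and the idiomatic shape for that is `impl From<String> for Error`, which gives callers `.into()` and `?`-style conversion for free and lets `new` be written as `msg.to_owned().into()`. If the separate constructor is kept, a one-line doc comment such as `/// Like `new`, but takes ownership of an already-built `String` to avoid a second allocation.` would make the reason for having both clear. The enclosing `impl Error` block starts outside the hunk.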


@ -103,8 +103,32 @@ pub struct TlsListener {
impl TlsListener { impl TlsListener {
pub fn new(tls_key: &str, tls_cert: &str) -> Result<TlsListener> { pub fn new(tls_key: &str, tls_cert: &str) -> Result<TlsListener> {
let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?;
acceptor.set_certificate_chain_file(tls_cert)?; if tls_key == "-" || tls_cert == "-" {
let mut key_and_or_cert = Vec::new();
println!("fully reading stdin...");
std::io::stdin().read_to_end(&mut key_and_or_cert)?;
println!("finished reading stdin");
if tls_key == "-" {
let tls_key = openssl::pkey::PKey::private_key_from_pem(&key_and_or_cert)?;
acceptor.set_private_key(&tls_key)?;
} else {
acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?;
}
if tls_cert == "-" {
// todo: read whole chain here or???
let tls_cert = openssl::x509::X509::from_pem(&key_and_or_cert)?;
acceptor.set_certificate(&tls_cert)?;
} else {
acceptor.set_certificate_chain_file(tls_cert)?;
}
} else {
// set from files
acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?;
acceptor.set_certificate_chain_file(tls_cert)?;
}
acceptor.check_private_key()?; acceptor.check_private_key()?;
let acceptor = acceptor.build(); let acceptor = acceptor.build();
Ok(TlsListener { Ok(TlsListener {
@ -118,7 +142,7 @@ impl TlsListener {
impl From<openssl::error::ErrorStack> for Error { impl From<openssl::error::ErrorStack> for Error {
fn from(value: openssl::error::ErrorStack) -> Self { fn from(value: openssl::error::ErrorStack) -> Self {
Error::new(value.description()) Error::new_owned(format!("{}", value))
} }
} }
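Review bot: The stdin branch for `--tls-cert -` in the first hunk (`@ -103,8 +103,32 @@`) loads only the first certificate via `X509::from_pem` and `set_certificate`, so a combined PEM that also carries intermediates ends up serving an incomplete chain, which the `// todo: read whole chain here` comment on that line already hints at; the file branch uses `set_certificate_chain_file` and does keep the chain. Parsing with `X509::stack_from_pem` and handing the remaining entries to `add_extra_chain_cert` gives both inputs the same behaviour (this assumes `Result` here is the crate's alias over `Error`, which the `From<ErrorStack>` impl in the second hunk suggests). The progress messages on the stdin path go to stdout via `println!`; `eprintln!` would keep them off anything consuming the proxy's stdout. The `read_to_end` call also relies on `std::io::Read` being in scope, which is outside this hunk.
```rust
if tls_cert == "-" {
    // A combined PEM may hold the leaf followed by intermediates; keep the whole chain,
    // matching what set_certificate_chain_file does for the file case.
    let mut chain = openssl::x509::X509::stack_from_pem(&key_and_or_cert)?.into_iter();
    let leaf = chain
        .next()
        .ok_or_else(|| Error::new("no certificate found on stdin"))?;
    acceptor.set_certificate(&leaf)?;
    for intermediate in chain {
        acceptor.add_extra_chain_cert(intermediate)?;
    }
} else {
    // … unchanged: set_certificate_chain_file …
}
```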