Add support for reading key/cert from stdin, better OpenSSL error messages

2019-12-22 01:15:23 -05:00 · 2019-12-22 01:15:23 -05:00 · 7be828efdf
parent 1650cefa0d
commit 7be828efdf
5 changed files with 42 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -44,6 +44,10 @@ usage: wireguard-proxy [options...]
                                          requires --tls-cert also
 -tc, --tls-cert <ip:port>                TLS cert to listen with,
                                          requires --tls-key also
+ Note: with both --tls-key and --tls-cert,
+       - means stdin,
+       also the same file can work for both if you combine them into
+       one pem file

 Common Options:
 -h, --help                      print this usage text
--- a/src/bin/udp-test.rs
+++ b/src/bin/udp-test.rs
@ -124,6 +124,10 @@ fn main() {
                                 sha256 hashes preceded by "sha256//"
                                 and separated by ";". Identical to curl's
                                 --pinnedpubkey and CURLOPT_PINNEDPUBLICKEY
+ Note: with both --tls-key and --tls-cert,
+       only for -is (not -s) - means stdin,
+       also the same file can work for both if you combine them into
+       one pem file

 Environment variable support:
 For every command line option, short and long, if you replace all
--- a/src/bin/wireguard-proxy.rs
+++ b/src/bin/wireguard-proxy.rs
@ -49,6 +49,10 @@ fn main() {
                                          requires --tls-cert also
 -tc, --tls-cert <ip:port>                TLS cert to listen with,
                                          requires --tls-key also
+ Note: with both --tls-key and --tls-cert,
+       - means stdin,
+       also the same file can work for both if you combine them into
+       one pem file

 Common Options:
 -h, --help                      print this usage text
--- a/src/error.rs
+++ b/src/error.rs
@ -13,6 +13,9 @@ impl Error {
    pub fn new(msg: &str) -> Error {
        Error(msg.to_owned())
    }
+    pub fn new_owned(msg: String) -> Error {
+        Error(msg)
+    }
 }

 impl std::fmt::Display for Error {
--- a/src/openssl.rs
+++ b/src/openssl.rs
@ -103,8 +103,32 @@ pub struct TlsListener {
 impl TlsListener {
    pub fn new(tls_key: &str, tls_cert: &str) -> Result<TlsListener> {
        let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
+
+        if tls_key == "-" || tls_cert == "-" {
+            let mut key_and_or_cert = Vec::new();
+            println!("fully reading stdin...");
+            std::io::stdin().read_to_end(&mut key_and_or_cert)?;
+            println!("finished reading stdin");
+
+            if tls_key == "-" {
+                let tls_key = openssl::pkey::PKey::private_key_from_pem(&key_and_or_cert)?;
+                acceptor.set_private_key(&tls_key)?;
+            } else {
+                acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?;
+            }
+            if tls_cert == "-" {
+                // todo: read whole chain here or???
+                let tls_cert = openssl::x509::X509::from_pem(&key_and_or_cert)?;
+                acceptor.set_certificate(&tls_cert)?;
+            } else {
+                acceptor.set_certificate_chain_file(tls_cert)?;
+            }
+
+        } else {
+            // set from files
            acceptor.set_private_key_file(tls_key, SslFiletype::PEM)?;
            acceptor.set_certificate_chain_file(tls_cert)?;
+        }
        acceptor.check_private_key()?;
        let acceptor = acceptor.build();
        Ok(TlsListener {
@ -118,7 +142,7 @@ impl TlsListener {

 impl From<openssl::error::ErrorStack> for Error {
    fn from(value: openssl::error::ErrorStack) -> Self {
-        Error::new(value.description())
+        Error::new_owned(format!("{}", value))
    }
 }