Compare commits
No commits in common. "797c8fd7f20ac2332400861eb5259d8582cb89bf" and "cdd0eacdd8c6b89ed3f2bf8b36aab7ddb502722e" have entirely different histories.
797c8fd7f2
...
cdd0eacdd8
33
.dev-config.yml
Normal file
33
.dev-config.yml
Normal file
@ -0,0 +1,33 @@
|
||||
origin:
|
||||
store_dir_path: /tmp/domani_dev_env/origin
|
||||
domain:
|
||||
store_dir_path: /tmp/domani_dev_env/domain
|
||||
builtins:
|
||||
bar:
|
||||
kind: git
|
||||
url: a
|
||||
branch_name: b
|
||||
public: true
|
||||
service:
|
||||
http:
|
||||
form_method: GET
|
||||
proxied_domains:
|
||||
foo:
|
||||
url: http://127.0.0.1:9000
|
||||
request_headers:
|
||||
- name: x-foo
|
||||
value: BAR
|
||||
- name: host
|
||||
value: hi
|
||||
- name: user-agent
|
||||
value: ""
|
||||
gemini:
|
||||
proxied_domains:
|
||||
mediocregopher.com:
|
||||
url: gemini://127.0.0.1:1965
|
||||
passphrase: foobar
|
||||
dns_records:
|
||||
- kind: A
|
||||
addr: 127.0.0.1
|
||||
- kind: AAAA
|
||||
addr: ::1
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,4 +1,3 @@
|
||||
/target
|
||||
.cargo
|
||||
/result
|
||||
config.yml
|
||||
|
@ -153,7 +153,6 @@ In order to open a shell with all necessary tooling (expected rust toolchain
|
||||
versions, etc...) simply do:
|
||||
|
||||
```
|
||||
cp config.yml.tpl config.yml
|
||||
nix develop
|
||||
```
|
||||
|
||||
|
@ -1,14 +0,0 @@
|
||||
# This is an example configuration file intended for use in development.
|
||||
|
||||
origin:
|
||||
store_dir_path: /tmp/domani_dev_env/origin
|
||||
domain:
|
||||
store_dir_path: /tmp/domani_dev_env/domain
|
||||
service:
|
||||
passphrase: foobar
|
||||
primary_domain: localhost
|
||||
dns_records:
|
||||
- kind: A
|
||||
addr: 127.0.0.1
|
||||
- kind: AAAA
|
||||
addr: ::1
|
@ -48,11 +48,8 @@
|
||||
pkgs.nmap # ncat
|
||||
];
|
||||
shellHook = ''
|
||||
source $(pwd)/.env.dev
|
||||
export CARGO_HOME=$(pwd)/.cargo
|
||||
|
||||
if [ -f "config.yml" ]; then
|
||||
export DOMANI_CONFIG_PATH=config.yml
|
||||
fi
|
||||
'';
|
||||
} // opensslEnv);
|
||||
});
|
||||
|
@ -1,12 +1,10 @@
|
||||
pub mod acme;
|
||||
pub mod checker;
|
||||
mod config;
|
||||
pub mod gemini;
|
||||
pub mod manager;
|
||||
mod name;
|
||||
mod settings;
|
||||
pub mod store;
|
||||
mod tls;
|
||||
|
||||
pub use config::*;
|
||||
pub use name::*;
|
||||
|
@ -1,2 +1,8 @@
|
||||
pub mod manager;
|
||||
pub mod store;
|
||||
|
||||
mod private_key;
|
||||
pub use self::private_key::PrivateKey;
|
||||
|
||||
mod certificate;
|
||||
pub use self::certificate::Certificate;
|
||||
|
45
src/domain/acme/certificate.rs
Normal file
45
src/domain/acme/certificate.rs
Normal file
@ -0,0 +1,45 @@
|
||||
use std::convert::{From, TryFrom};
|
||||
use std::fmt;
|
||||
use std::str::FromStr;
|
||||
|
||||
use serde_with::{DeserializeFromStr, SerializeDisplay};
|
||||
|
||||
#[derive(Debug, Clone, PartialEq, DeserializeFromStr, SerializeDisplay)]
|
||||
/// DER-encoded X.509, like rustls::Certificate.
|
||||
pub struct Certificate(Vec<u8>);
|
||||
|
||||
impl FromStr for Certificate {
|
||||
type Err = pem::PemError;
|
||||
|
||||
fn from_str(s: &str) -> Result<Self, Self::Err> {
|
||||
Ok(Certificate(pem::parse(s)?.into_contents()))
|
||||
}
|
||||
}
|
||||
|
||||
impl fmt::Display for Certificate {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
pem::Pem::new("CERTIFICATE", self.0.clone()).fmt(f)
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<&openssl::x509::X509Ref> for Certificate {
|
||||
type Error = openssl::error::ErrorStack;
|
||||
|
||||
fn try_from(c: &openssl::x509::X509Ref) -> Result<Self, Self::Error> {
|
||||
Ok(Certificate(c.to_der()?))
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<&Certificate> for openssl::x509::X509 {
|
||||
type Error = openssl::error::ErrorStack;
|
||||
|
||||
fn try_from(c: &Certificate) -> Result<Self, Self::Error> {
|
||||
openssl::x509::X509::from_der(&c.0)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<Certificate> for rustls::Certificate {
|
||||
fn from(c: Certificate) -> Self {
|
||||
rustls::Certificate(c.0)
|
||||
}
|
||||
}
|
@ -1,7 +1,6 @@
|
||||
use std::{sync, time};
|
||||
|
||||
use crate::domain::acme;
|
||||
use crate::domain::tls::{Certificate, PrivateKey};
|
||||
use crate::domain::acme::{self, Certificate, PrivateKey};
|
||||
use crate::error::unexpected::{self, Intoable, Mappable};
|
||||
use crate::{domain, token, util};
|
||||
|
||||
@ -81,7 +80,7 @@ impl ManagerImpl {
|
||||
.await
|
||||
.or_unexpected_while("building account")?;
|
||||
|
||||
let account_key: PrivateKey = account
|
||||
let account_key: acme::PrivateKey = account
|
||||
.private_key()
|
||||
.as_ref()
|
||||
.try_into()
|
||||
@ -106,8 +105,8 @@ impl Manager for ManagerImpl {
|
||||
) -> util::BoxFuture<'mgr, Result<(), unexpected::Error>> {
|
||||
Box::pin(async move {
|
||||
// if there's an existing cert, and its expiry (determined by the soonest value of
|
||||
// not_after amongst its parts) is later than 30 days from now, then we consider it to
|
||||
// be synced.
|
||||
// not_after amongst its parts) is later than 30 days from now, then we consider it to be
|
||||
// synced.
|
||||
if let Ok((_, cert)) = self.store.get_certificate(domain.as_str()) {
|
||||
let thirty_days = openssl::asn1::Asn1Time::days_from_now(30)
|
||||
.expect("parsed thirty days from now as Asn1Time");
|
||||
@ -243,7 +242,7 @@ impl Manager for ManagerImpl {
|
||||
}
|
||||
|
||||
// Generate an RSA private key for the certificate.
|
||||
let pkey = PrivateKey::new();
|
||||
let pkey = acme::PrivateKey::new();
|
||||
|
||||
let acme2_pkey = (&pkey)
|
||||
.try_into()
|
||||
@ -288,8 +287,8 @@ impl Manager for ManagerImpl {
|
||||
"expected the order to return a certificate",
|
||||
))?
|
||||
.into_iter()
|
||||
.map(|cert| Certificate::try_from(cert.as_ref()))
|
||||
.try_collect::<Vec<Certificate>>()
|
||||
.map(|cert| acme::Certificate::try_from(cert.as_ref()))
|
||||
.try_collect::<Vec<acme::Certificate>>()
|
||||
.or_unexpected_while("parsing certificate")?;
|
||||
|
||||
if cert.len() <= 1 {
|
||||
|
@ -11,9 +11,9 @@ pub struct PrivateKey(Vec<u8>);
|
||||
impl PrivateKey {
|
||||
#[allow(clippy::new_without_default)]
|
||||
pub fn new() -> PrivateKey {
|
||||
let rsa = openssl::rsa::Rsa::generate(4096).expect("generating RSA");
|
||||
let key = openssl::pkey::PKey::from_rsa(rsa).expect("creating private key from RSA");
|
||||
key.as_ref()
|
||||
acme2::gen_rsa_private_key(4096)
|
||||
.expect("RSA private key generated")
|
||||
.as_ref()
|
||||
.try_into()
|
||||
.expect("RSA private key converted to internal representation")
|
||||
}
|
@ -2,7 +2,7 @@ use std::io::{Read, Write};
|
||||
use std::str::FromStr;
|
||||
use std::{fs, path};
|
||||
|
||||
use crate::domain::tls::{Certificate, PrivateKey};
|
||||
use crate::domain::acme::{Certificate, PrivateKey};
|
||||
use crate::error::unexpected::{self, Mappable};
|
||||
use crate::util;
|
||||
|
||||
|
@ -1,101 +0,0 @@
|
||||
use crate::domain::tls::{Certificate, PrivateKey};
|
||||
use crate::error::unexpected::{self, Mappable};
|
||||
use crate::{domain, util};
|
||||
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use std::{fs, path, sync};
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
struct StoredPKeyCert {
|
||||
private_key: PrivateKey,
|
||||
cert: Certificate,
|
||||
}
|
||||
|
||||
pub struct FSStore {
|
||||
cert_dir_path: path::PathBuf,
|
||||
}
|
||||
|
||||
impl FSStore {
|
||||
pub fn new(dir_path: &path::Path) -> unexpected::Result<Self> {
|
||||
let cert_dir_path = dir_path.join("certificates");
|
||||
fs::create_dir_all(&cert_dir_path)
|
||||
.map_unexpected_while(|| format!("creating dir {}", cert_dir_path.display()))?;
|
||||
|
||||
Ok(Self { cert_dir_path })
|
||||
}
|
||||
|
||||
fn pkey_cert_path(&self, domain: &domain::Name) -> path::PathBuf {
|
||||
let mut domain = domain.as_str().to_string();
|
||||
domain.push_str(".json");
|
||||
self.cert_dir_path.join(domain)
|
||||
}
|
||||
|
||||
fn get_certificate(
|
||||
&self,
|
||||
domain: &domain::Name,
|
||||
) -> unexpected::Result<(PrivateKey, Certificate)> {
|
||||
let path = self.pkey_cert_path(domain);
|
||||
|
||||
let file = match util::open_file(path.as_path())
|
||||
.map_unexpected_while(|| format!("opening file {}", path.display()))?
|
||||
{
|
||||
Some(file) => file,
|
||||
None => {
|
||||
let pkey = PrivateKey::new();
|
||||
let cert = Certificate::new_self_signed(&pkey, domain)
|
||||
.or_unexpected_while("creating self-signed cert")?;
|
||||
|
||||
let file = fs::File::create(path.as_path())
|
||||
.map_unexpected_while(|| format!("creating file {}", path.display()))?;
|
||||
|
||||
let stored = StoredPKeyCert {
|
||||
private_key: pkey,
|
||||
cert,
|
||||
};
|
||||
|
||||
serde_json::to_writer(file, &stored).or_unexpected_while("writing cert to file")?;
|
||||
|
||||
return Ok((stored.private_key, stored.cert));
|
||||
}
|
||||
};
|
||||
|
||||
let stored: StoredPKeyCert =
|
||||
serde_json::from_reader(file).or_unexpected_while("parsing json")?;
|
||||
|
||||
Ok((stored.private_key, stored.cert))
|
||||
}
|
||||
}
|
||||
|
||||
impl rustls::server::ResolvesServerCert for FSStore {
|
||||
fn resolve(
|
||||
&self,
|
||||
client_hello: rustls::server::ClientHello<'_>,
|
||||
) -> Option<sync::Arc<rustls::sign::CertifiedKey>> {
|
||||
let domain = client_hello.server_name()?;
|
||||
|
||||
let res: unexpected::Result<Option<sync::Arc<rustls::sign::CertifiedKey>>> = (|| {
|
||||
let domain: domain::Name = domain
|
||||
.parse()
|
||||
.map_unexpected_while(|| format!("parsing domain {domain}"))?;
|
||||
|
||||
let (pkey, cert) = self
|
||||
.get_certificate(&domain)
|
||||
.or_unexpected_while("fetching pkey/cert")?;
|
||||
|
||||
let pkey = rustls::sign::any_supported_type(&pkey.into()).or_unexpected()?;
|
||||
|
||||
Ok(Some(sync::Arc::new(rustls::sign::CertifiedKey {
|
||||
cert: vec![cert.into()],
|
||||
key: pkey,
|
||||
ocsp: None,
|
||||
sct_list: None,
|
||||
})))
|
||||
})();
|
||||
|
||||
res.unwrap_or_else(|err| {
|
||||
log::error!("Unexpected error getting cert for domain {domain}: {err}");
|
||||
None
|
||||
})
|
||||
}
|
||||
}
|
@ -149,7 +149,7 @@ pub trait Manager: Sync + Send + rustls::server::ResolvesServerCert {
|
||||
path: &str,
|
||||
) -> Result<util::BoxByteStream, GetFileError>;
|
||||
|
||||
fn sync_https_cert<'mgr>(
|
||||
fn sync_cert<'mgr>(
|
||||
&'mgr self,
|
||||
domain: domain::Name,
|
||||
) -> util::BoxFuture<'mgr, Result<(), unexpected::Error>>;
|
||||
@ -256,7 +256,7 @@ impl Manager for ManagerImpl {
|
||||
Ok(f)
|
||||
}
|
||||
|
||||
fn sync_https_cert<'mgr>(
|
||||
fn sync_cert<'mgr>(
|
||||
&'mgr self,
|
||||
domain: domain::Name,
|
||||
) -> util::BoxFuture<'mgr, Result<(), unexpected::Error>> {
|
||||
@ -285,7 +285,7 @@ impl Manager for ManagerImpl {
|
||||
|
||||
self.domain_store.set(&domain, &settings)?;
|
||||
|
||||
self.sync_https_cert(domain).await?;
|
||||
self.sync_cert(domain).await?;
|
||||
|
||||
Ok(())
|
||||
})
|
||||
|
@ -1,5 +0,0 @@
|
||||
mod private_key;
|
||||
pub use self::private_key::PrivateKey;
|
||||
|
||||
mod certificate;
|
||||
pub use self::certificate::Certificate;
|
@ -1,109 +0,0 @@
|
||||
use crate::domain;
|
||||
use crate::domain::tls::PrivateKey;
|
||||
use crate::error::unexpected::{self, Mappable};
|
||||
|
||||
use std::convert::{From, TryFrom};
|
||||
use std::fmt;
|
||||
use std::str::FromStr;
|
||||
|
||||
use serde_with::{DeserializeFromStr, SerializeDisplay};
|
||||
|
||||
#[derive(Debug, Clone, PartialEq, DeserializeFromStr, SerializeDisplay)]
|
||||
/// DER-encoded X.509, like rustls::Certificate.
|
||||
pub struct Certificate(Vec<u8>);
|
||||
|
||||
impl Certificate {
|
||||
pub fn new_self_signed(
|
||||
pkey: &PrivateKey,
|
||||
domain: &domain::Name,
|
||||
) -> unexpected::Result<Certificate> {
|
||||
use openssl::asn1::*;
|
||||
use openssl::pkey::*;
|
||||
use openssl::x509::extension::SubjectAlternativeName;
|
||||
use openssl::x509::*;
|
||||
|
||||
let name = {
|
||||
let mut builder = X509Name::builder().expect("initializing x509 name builder");
|
||||
builder
|
||||
.append_entry_by_text("CN", domain.as_str())
|
||||
.or_unexpected_while("adding CN")?;
|
||||
builder.build()
|
||||
};
|
||||
|
||||
let mut builder = X509::builder().expect("initializing x509 builder");
|
||||
builder
|
||||
.set_subject_name(&name)
|
||||
.or_unexpected_while("setting subject name")?;
|
||||
|
||||
// 9999/07/23
|
||||
let not_after = Asn1Time::from_unix(253388296800).expect("initializing not_after");
|
||||
builder
|
||||
.set_not_after(not_after.as_ref())
|
||||
.or_unexpected_while("setting not_after")?;
|
||||
|
||||
// Add domain as SAN
|
||||
let san_extension = {
|
||||
let mut san = SubjectAlternativeName::new();
|
||||
san.dns(domain.as_str());
|
||||
san.build(&builder.x509v3_context(None, None))
|
||||
.or_unexpected_while("building SAN")?
|
||||
};
|
||||
|
||||
builder
|
||||
.append_extension(san_extension)
|
||||
.or_unexpected_while("appending SAN")?;
|
||||
|
||||
let pkey: PKey<Private> = pkey.try_into().or_unexpected_while("converting PKey")?;
|
||||
|
||||
builder
|
||||
.set_pubkey(pkey.as_ref())
|
||||
.or_unexpected_while("setting pubkey")?;
|
||||
|
||||
builder
|
||||
.sign(pkey.as_ref(), openssl::hash::MessageDigest::sha256())
|
||||
.or_unexpected_while("signing with private key")?;
|
||||
|
||||
let cert = builder.build();
|
||||
|
||||
Ok(cert
|
||||
.as_ref()
|
||||
.try_into()
|
||||
.or_unexpected_while("converting to cert")?)
|
||||
}
|
||||
}
|
||||
|
||||
impl FromStr for Certificate {
|
||||
type Err = pem::PemError;
|
||||
|
||||
fn from_str(s: &str) -> Result<Self, Self::Err> {
|
||||
Ok(Certificate(pem::parse(s)?.into_contents()))
|
||||
}
|
||||
}
|
||||
|
||||
impl fmt::Display for Certificate {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
pem::Pem::new("CERTIFICATE", self.0.clone()).fmt(f)
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<&openssl::x509::X509Ref> for Certificate {
|
||||
type Error = openssl::error::ErrorStack;
|
||||
|
||||
fn try_from(c: &openssl::x509::X509Ref) -> Result<Self, Self::Error> {
|
||||
Ok(Certificate(c.to_der()?))
|
||||
}
|
||||
}
|
||||
|
||||
impl TryFrom<&Certificate> for openssl::x509::X509 {
|
||||
type Error = openssl::error::ErrorStack;
|
||||
|
||||
fn try_from(c: &Certificate) -> Result<Self, Self::Error> {
|
||||
openssl::x509::X509::from_der(&c.0)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<Certificate> for rustls::Certificate {
|
||||
fn from(c: Certificate) -> Self {
|
||||
rustls::Certificate(c.0)
|
||||
}
|
||||
}
|
@ -4,7 +4,7 @@ use clap::Parser;
|
||||
use futures::stream::StreamExt;
|
||||
use signal_hook_tokio::Signals;
|
||||
|
||||
use std::{path, sync};
|
||||
use std::path;
|
||||
|
||||
#[derive(Parser, Debug)]
|
||||
#[command(version)]
|
||||
@ -128,10 +128,6 @@ async fn main() {
|
||||
None
|
||||
};
|
||||
|
||||
let domain_gemini_store =
|
||||
domani::domain::gemini::FSStore::new(&config.domain.store_dir_path.join("gemini"))
|
||||
.unwrap_or_else(|e| panic!("domain gemini store initialization failed: {e}"));
|
||||
|
||||
let mut task_stack = domani::task_stack::TaskStack::new();
|
||||
|
||||
let domain_manager = domani::domain::manager::ManagerImpl::new(
|
||||
@ -151,7 +147,7 @@ async fn main() {
|
||||
|
||||
let _ = domani::service::gemini::Service::new(
|
||||
&mut task_stack,
|
||||
sync::Arc::new(domain_gemini_store),
|
||||
domain_manager.clone(),
|
||||
config.service,
|
||||
);
|
||||
|
||||
|
@ -123,7 +123,7 @@ pub async fn cert_refresher(
|
||||
}
|
||||
|
||||
_ = domain_manager
|
||||
.sync_https_cert(primary_domain.clone())
|
||||
.sync_cert(primary_domain.clone())
|
||||
.await
|
||||
.inspect_err(|err| {
|
||||
log::error!(
|
||||
@ -141,7 +141,7 @@ pub async fn cert_refresher(
|
||||
|
||||
for domain in domains_iter.unwrap().into_iter() {
|
||||
let _ = domain_manager
|
||||
.sync_https_cert(domain.clone())
|
||||
.sync_cert(domain.clone())
|
||||
.await
|
||||
.inspect_err(|err| {
|
||||
log::error!("Error while getting cert for {}: {err}", domain.as_str(),)
|
||||
|
@ -1,3 +0,0 @@
|
||||
# FOO
|
||||
|
||||
This is foo
|
@ -1,7 +0,0 @@
|
||||
<html>
|
||||
<body>
|
||||
<h1>FOO</h1>
|
||||
<p>This is the foo page</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,9 +0,0 @@
|
||||
# INDEX
|
||||
|
||||
This is the gemini index.
|
||||
|
||||
=> foo /foo.gmi
|
||||
|
||||
=> bar /subdir/bar.gmi
|
||||
|
||||
=> penguin /penguin.jpg
|
@ -1,9 +0,0 @@
|
||||
<html>
|
||||
<body>
|
||||
<h1>INDEX</h1>
|
||||
<p>This is the index page.</p>
|
||||
<p>Check out <a href="/foo.html">foo</a>.</p>
|
||||
<p>Check out <a href="/subdir/foo.html">bar</a>.</p>
|
||||
<img src="/penguin.jpg" />
|
||||
</body>
|
||||
</html>
|
Binary file not shown.
Before Width: | Height: | Size: 669 KiB |
@ -1,3 +0,0 @@
|
||||
# BAR
|
||||
|
||||
This is bar
|
@ -1,7 +0,0 @@
|
||||
<html>
|
||||
<body>
|
||||
<h1>BAR</h1>
|
||||
<p>This is the bar page</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,3 +0,0 @@
|
||||
# INDEX
|
||||
|
||||
This is the gemini index of the subdir.
|
@ -1,6 +0,0 @@
|
||||
<html>
|
||||
<body>
|
||||
<h1>INDEX</h1>
|
||||
<p>This is the index page of the subdir</p>
|
||||
</body>
|
||||
</html>
|
Loading…
Reference in New Issue
Block a user