coyote/examples/acmed-tls.rs

use std::{
    io::Write,
    ops::Add,
    time::{Duration, SystemTime},
};

use openssl::{
    error::ErrorStack,
    pkey::{PKey, Private},
    rsa::Rsa,
    x509::{X509Extension, X509Name, X509Req},
};

use coyote::{
    acme::{
        ca::{CACollector, CA},
        challenge::Challenger,
        handlers::{configure_routes, ServiceState},
        PostgresNonceValidator,
    },
    models::Postgres,
};

use ratpack::prelude::*;

const CHALLENGE_EXPIRATION: i64 = 600;

#[tokio::main]
async fn main() -> Result<(), ServerError> {
    // set HOSTNAME in your environment to something your webserver or certbot can hit; otherwise
    // it will be 'localhost'. a cert will be generated with this name to serve the service with.
    // This is really important.
    let dnsname = &std::env::var("HOSTNAME").unwrap_or("localhost".to_string());

    env_logger::builder()
        .filter_level(log::LevelFilter::Info)
        .init();
    //
    // to start a database to work with me:
    //
    // make postgres
    //
    let pg = Postgres::new("host=localhost dbname=coyote user=postgres", 10)
        .await
        .unwrap();
    pg.migrate().await.unwrap();

    let c = Challenger::new(Some(chrono::Duration::seconds(CHALLENGE_EXPIRATION)));
    let ca = CACollector::new(Duration::MAX);

    let pg2 = pg.clone();
    let c2 = c.clone();

    // FIXME probably need something magical with signals here to manage shutdown that I don't want to think about yet
    tokio::spawn(async move {
        loop {
            // FIXME whitelist all challenge requests. This is not how ACME is supposed to work. You have to write this.
            c2.tick(|_c| Some(())).await;
            // NOTE this will explode violently if it unwraps to error, e.g. if the db goes down.
            c2.reconcile(pg2.clone()).await.unwrap();

            tokio::time::sleep(Duration::new(1, 0)).await;
        }
    });

    let mut ca2 = ca.clone();
    let (csr, key) = generate_csr(dnsname)?;

    let test_ca = CA::new_test_ca().unwrap();
    let cert = test_ca.generate_and_sign_cert(
        csr,
        SystemTime::now(),
        SystemTime::now().add(Duration::from_secs(365 * 24 * 60 * 60)),
    )?;

    let test_ca2 = test_ca.clone();

    tokio::spawn(async move {
        // after CA generation, write out the key and certificate
        let mut buf = std::fs::File::create("ca.key").unwrap();
        let private = test_ca
            .clone()
            .private_key()
            .private_key_to_pem_pkcs8()
            .unwrap();
        buf.write(&private).unwrap();

        let mut buf = std::fs::File::create("ca.pem").unwrap();
        let cert = test_ca.clone().certificate().to_pem().unwrap();
        buf.write(&cert).unwrap();

        ca2.spawn_collector(|| -> Result<CA, ErrorStack> { Ok(test_ca.clone()) })
            .await
    });

    let validator = PostgresNonceValidator::new(pg.clone());
    let ss = ServiceState::new(
        format!("https://{}:8000", dnsname),
        pg.clone(),
        c,
        ca,
        validator,
    )?;
    let mut app = App::with_state(ss);

    configure_routes(&mut app, None);

    let key = key.private_key_to_der()?;

    let config = rustls::ServerConfig::builder()
        .with_safe_defaults()
        .with_no_client_auth()
        .with_single_cert(
            vec![
                rustls::Certificate(cert.to_der()?),
                rustls::Certificate(test_ca2.certificate().to_der()?),
            ],
            rustls::PrivateKey(key),
        )?;

    Ok(app.serve_tls("0.0.0.0:8000", config).await?)
}

fn generate_csr(dnsname: &str) -> Result<(X509Req, Rsa<Private>), ErrorStack> {
    log::info!("hostname: {}", dnsname);
    let mut namebuilder = X509Name::builder().unwrap();
    namebuilder.append_entry_by_text("CN", dnsname).unwrap();
    let mut req = X509Req::builder().unwrap();
    req.set_subject_name(&namebuilder.build()).unwrap();
    let mut extensions = openssl::stack::Stack::new()?;
    extensions.push(X509Extension::new(
        None,
        Some(&req.x509v3_context(None)),
        "subjectAltName",
        &format!("DNS:{}", dnsname),
    )?)?;
    req.add_extensions(&extensions)?;
    req.set_version(2)?;

    let key = Rsa::generate(4096).unwrap();
    // FIXME there has to be a much better way of doing this!
    let pubkey = PKey::public_key_from_pem(&key.public_key_to_pem().unwrap()).unwrap();

    req.set_pubkey(&pubkey).unwrap();
    Ok((req.build(), key))
}
Split examples into TLS and non-TLS editions, for easier testing Signed-off-by: Erik Hollensbe <git@hollensbe.org> 2022-02-17 11:45:38 +00:00			`use std::{`
			`io::Write,`
			`ops::Add,`
			`time::{Duration, SystemTime},`
			`};`

			`use openssl::{`
			`error::ErrorStack,`
			`pkey::{PKey, Private},`
			`rsa::Rsa,`
			`x509::{X509Extension, X509Name, X509Req},`
			`};`

			`use coyote::{`
			`acme::{`
			`ca::{CACollector, CA},`
			`challenge::Challenger,`
			`handlers::{configure_routes, ServiceState},`
			`PostgresNonceValidator,`
			`},`
			`models::Postgres,`
			`};`

			`use ratpack::prelude::*;`

			`const CHALLENGE_EXPIRATION: i64 = 600;`

			`#[tokio::main]`
			`async fn main() -> Result<(), ServerError> {`
			`// set HOSTNAME in your environment to something your webserver or certbot can hit; otherwise`
			`// it will be 'localhost'. a cert will be generated with this name to serve the service with.`
			`// This is really important.`
			`let dnsname = &std::env::var("HOSTNAME").unwrap_or("localhost".to_string());`

			`env_logger::builder()`
			`.filter_level(log::LevelFilter::Info)`
			`.init();`
			`//`
			`// to start a database to work with me:`
			`//`
			`// make postgres`
			`//`
			`let pg = Postgres::new("host=localhost dbname=coyote user=postgres", 10)`
			`.await`
			`.unwrap();`
			`pg.migrate().await.unwrap();`

			`let c = Challenger::new(Some(chrono::Duration::seconds(CHALLENGE_EXPIRATION)));`
			`let ca = CACollector::new(Duration::MAX);`

			`let pg2 = pg.clone();`
			`let c2 = c.clone();`

			`// FIXME probably need something magical with signals here to manage shutdown that I don't want to think about yet`
			`tokio::spawn(async move {`
			`loop {`
			`// FIXME whitelist all challenge requests. This is not how ACME is supposed to work. You have to write this.`
			`c2.tick(\|_c\| Some(())).await;`
			`// NOTE this will explode violently if it unwraps to error, e.g. if the db goes down.`
			`c2.reconcile(pg2.clone()).await.unwrap();`

			`tokio::time::sleep(Duration::new(1, 0)).await;`
			`}`
			`});`

			`let mut ca2 = ca.clone();`
			`let (csr, key) = generate_csr(dnsname)?;`

			`let test_ca = CA::new_test_ca().unwrap();`
			`let cert = test_ca.generate_and_sign_cert(`
			`csr,`
			`SystemTime::now(),`
			`SystemTime::now().add(Duration::from_secs(365 * 24 * 60 * 60)),`
			`)?;`

			`let test_ca2 = test_ca.clone();`

			`tokio::spawn(async move {`
			`// after CA generation, write out the key and certificate`
			`let mut buf = std::fs::File::create("ca.key").unwrap();`
			`let private = test_ca`
			`.clone()`
			`.private_key()`
			`.private_key_to_pem_pkcs8()`
			`.unwrap();`
			`buf.write(&private).unwrap();`

			`let mut buf = std::fs::File::create("ca.pem").unwrap();`
			`let cert = test_ca.clone().certificate().to_pem().unwrap();`
			`buf.write(&cert).unwrap();`

			`ca2.spawn_collector(\|\| -> Result<CA, ErrorStack> { Ok(test_ca.clone()) })`
			`.await`
			`});`

			`let validator = PostgresNonceValidator::new(pg.clone());`
			`let ss = ServiceState::new(`
			`format!("https://{}:8000", dnsname),`
			`pg.clone(),`
			`c,`
			`ca,`
			`validator,`
			`)?;`
			`let mut app = App::with_state(ss);`

			`configure_routes(&mut app, None);`

			`let key = key.private_key_to_der()?;`

			`let config = rustls::ServerConfig::builder()`
			`.with_safe_defaults()`
			`.with_no_client_auth()`
			`.with_single_cert(`
			`vec![`
			`rustls::Certificate(cert.to_der()?),`
			`rustls::Certificate(test_ca2.certificate().to_der()?),`
			`],`
			`rustls::PrivateKey(key),`
			`)?;`

			`Ok(app.serve_tls("0.0.0.0:8000", config).await?)`
			`}`

			`fn generate_csr(dnsname: &str) -> Result<(X509Req, Rsa<Private>), ErrorStack> {`
			`log::info!("hostname: {}", dnsname);`
			`let mut namebuilder = X509Name::builder().unwrap();`
			`namebuilder.append_entry_by_text("CN", dnsname).unwrap();`
			`let mut req = X509Req::builder().unwrap();`
			`req.set_subject_name(&namebuilder.build()).unwrap();`
			`let mut extensions = openssl::stack::Stack::new()?;`
			`extensions.push(X509Extension::new(`
			`None,`
			`Some(&req.x509v3_context(None)),`
			`"subjectAltName",`
			`&format!("DNS:{}", dnsname),`
			`)?)?;`
			`req.add_extensions(&extensions)?;`
			`req.set_version(2)?;`

			`let key = Rsa::generate(4096).unwrap();`
			`// FIXME there has to be a much better way of doing this!`
			`let pubkey = PKey::public_key_from_pem(&key.public_key_to_pem().unwrap()).unwrap();`

			`req.set_pubkey(&pubkey).unwrap();`
			`Ok((req.build(), key))`
			`}`