commit 132eee80912609e5932ba36b2725fafc0add66bf Author: Jay Date: Mon Aug 5 16:52:19 2024 +0900 Initialize Commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a36ea8c --- /dev/null +++ b/.gitignore @@ -0,0 +1,145 @@ +# Created by https://www.toptal.com/developers/gitignore/api/rust-analyzer,rust,certificates,visualstudiocode,jetbrains+all +# Edit at https://www.toptal.com/developers/gitignore?templates=rust-analyzer,rust,certificates,visualstudiocode,jetbrains+all + +### certificates ### +*.pem +*.key +*.crt +*.cer +*.der +*.priv + +# add jay +*.csr +*.pub +*.srl + +### JetBrains+all ### +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 + +# User-specific stuff +.idea/**/workspace.xml +.idea/**/tasks.xml +.idea/**/usage.statistics.xml +.idea/**/dictionaries +.idea/**/shelf + +# AWS User-specific +.idea/**/aws.xml + +# Generated files +.idea/**/contentModel.xml + +# Sensitive or high-churn files +.idea/**/dataSources/ +.idea/**/dataSources.ids +.idea/**/dataSources.local.xml +.idea/**/sqlDataSources.xml +.idea/**/dynamic.xml +.idea/**/uiDesigner.xml +.idea/**/dbnavigator.xml + +# Gradle +.idea/**/gradle.xml +.idea/**/libraries + +# Gradle and Maven with auto-import +# When using Gradle or Maven with auto-import, you should exclude module files, +# since they will be recreated, and may cause churn. Uncomment if using +# auto-import. +# .idea/artifacts +# .idea/compiler.xml +# .idea/jarRepositories.xml +# .idea/modules.xml +# .idea/*.iml +# .idea/modules +# *.iml +# *.ipr + +# CMake +cmake-build-*/ + +# Mongo Explorer plugin +.idea/**/mongoSettings.xml + +# File-based project format +*.iws + +# IntelliJ +out/ + +# mpeltonen/sbt-idea plugin +.idea_modules/ + +# JIRA plugin +atlassian-ide-plugin.xml + +# Cursive Clojure plugin +.idea/replstate.xml + +# SonarLint plugin +.idea/sonarlint/ + +# Crashlytics plugin (for Android Studio and IntelliJ) +com_crashlytics_export_strings.xml +crashlytics.properties +crashlytics-build.properties +fabric.properties + +# Editor-based Rest Client +.idea/httpRequests + +# Android studio 3.1+ serialized cache file +.idea/caches/build_file_checksums.ser + +### JetBrains+all Patch ### +# Ignore everything but code style settings and run configurations +# that are supposed to be shared within teams. + +.idea/* + +!.idea/codeStyles +!.idea/runConfigurations + +### Rust ### +# Generated by Cargo +# will have compiled files and executables +debug/ +target/ + +# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries +# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html +Cargo.lock + +# These are backup files generated by rustfmt +**/*.rs.bk + +# MSVC Windows builds of rustc generate these, which store debugging information +*.pdb + +### rust-analyzer ### +# Can be generated by other build systems other than cargo (ex: bazelbuild/rust_rules) +rust-project.json + + +### VisualStudioCode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +!.vscode/*.code-snippets + +# Local History for Visual Studio Code +.history/ + +# Built Visual Studio Code Extensions +*.vsix + +### VisualStudioCode Patch ### +# Ignore all local history of files +.history +.ionide + +# End of https://www.toptal.com/developers/gitignore/api/rust-analyzer,rust,certificates,visualstudiocode,jetbrains+all diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..21b901e --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,16 @@ +[package] +name = "TcpExample" +version = "0.1.0" +edition = "2021" + +[dependencies] +log = "0.4.22" +pretty_env_logger = "0.5.0" +rustls = "0.23.12" +rustls-native-certs = "0.7.1" +rustls-pemfile = "2.1.2" +tokio = "1.39.2" +tokio-rustls = "0.26.0" +webpki = "0.22.4" +webpki-roots = "0.26.3" +x509-parser = "0.16.0" diff --git a/README.md b/README.md new file mode 100644 index 0000000..fdefb99 --- /dev/null +++ b/README.md @@ -0,0 +1,40 @@ +# TLS on Rust and PKI + +## How to Build +```bash +$ cargo build +``` + +## Run TLS Server +```bash +$ cargo run --bin TcpExample certs/host/fullchain.pem certs/host/server.key +``` + +## Run TLS Client +```bash +# EXEC_TARGET=client +$ EXEC_TARGET=allow_any_cert_client +$ cargo run --bin $EXEC_TARGET certs/rootca/rootCA.crt +``` + +## Make rootCA Certificate +```bash +$ cd certs/rootca +# edit rootca.conf +$ ./bootstrap cert_name +``` + +## Make ICA Certificate +```bash +$ cd certs/ica +# edit ica.conf +$ ./bootstrap cert_name +``` + +## Make Server Certificate +```bash +$ cd certs/host +# edit host.conf +$ ./bootstrap cert_name +``` + diff --git a/certs/host/bootstrap.sh b/certs/host/bootstrap.sh new file mode 100755 index 0000000..8e31dab --- /dev/null +++ b/certs/host/bootstrap.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +echo "Create $1 Server" +openssl genpkey -algorithm EC -out $1.key -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve + +openssl req -new -config host.conf -key $1.key -out $1.csr + +openssl x509 -req -days 730 -in $1.csr -out $1.crt -extfile host.conf -extensions v3_ext \ + -CAkey $2 -CA $3 -CAcreateserial + +openssl ec -in $1.key -pubout -out $1.pub + +openssl x509 -in $1.crt -text -pubkey -noout + +cat $1.pub + +cat $1.crt $3 > fullchain.pem + \ No newline at end of file diff --git a/certs/host/host.conf b/certs/host/host.conf new file mode 100644 index 0000000..e7cd57c --- /dev/null +++ b/certs/host/host.conf @@ -0,0 +1,43 @@ +# Modify this files to your needs + +[req] +default_bits = 384 +distinguished_name = dn +default_md = sha256 +prompt = no +req_extensions = req_ext + +[dn] +C="KR" +ST="Seoul" +L="Seoul" +O="SCOPE.Inc" +OU="SCOPE Lab" +emailAddress="jay3920@scope.co.kr" +CN="Invalid Test" + +[req_ext] +subjectAltName = @alt_names + +[ v3_ext] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names + +[ v3_ext_client] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +extendedKeyUsage = clientAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = www.scope.co.kr +DNS.2 = *.scope.co.kr +IP.1 = 10.1.3.63 +IP.2 = 10.1.3.69 +IP.3 = 10.1.3.80 diff --git a/certs/ica/bootstrap.sh b/certs/ica/bootstrap.sh new file mode 100755 index 0000000..d8522a9 --- /dev/null +++ b/certs/ica/bootstrap.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +echo "Create $1 ICA" +openssl genpkey -algorithm EC -out $1.key -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve + +openssl req -new -config ica.conf -key $1.key -out $1.csr + +openssl x509 -req -days 730 -in $1.csr -out $1.crt -extfile ../rootca/rootca.conf -extensions v3_intermediate_ca \ + -CAkey $2 -CA $3 -CAcreateserial + +openssl ec -in $1.key -pubout -out $1.pub + +openssl x509 -in $1.crt -text -pubkey -noout + +cat $1.pub + \ No newline at end of file diff --git a/certs/ica/ica.conf b/certs/ica/ica.conf new file mode 100644 index 0000000..f94175a --- /dev/null +++ b/certs/ica/ica.conf @@ -0,0 +1,132 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# # Directory and file locations. +# dir = /root/ca/intermediate +# certs = $dir/certs +# crl_dir = $dir/crl +# new_certs_dir = $dir/newcerts +# database = $dir/index.txt +# serial = $dir/serial +# RANDFILE = $dir/private/.rand + +# # The root key and root certificate. +# private_key = $dir/private/intermediate.key.pem +# certificate = $dir/certs/intermediate.cert.pem + +# # For certificate revocation lists. +# crlnumber = $dir/crlnumber +# crl = $dir/crl/intermediate.crl.pem +# crl_extensions = crl_ext +# default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 384 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no +encrypt_key = no + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = KR +stateOrProvinceName = Seoul +localityName = seoul +0.organizationName = SCOPE.Inc +organizationalUnitName = SCOPE Lab +commonName = SCOPE ICA (Lab) +emailAddress = scopelab@scope.co.kr + +# Optionally, specify some defaults. +# countryName_default = TR +# stateOrProvinceName_default = Istanbul +# localityName_default = Istanbul +# 0.organizationName_default = Safderun +# organizationalUnitName_default = Safderun Intermediate CA +# commonName_default = Safderun Intermediate CA +# emailAddress_default = burakberkkeskin@gmail.com + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning \ No newline at end of file diff --git a/certs/rootca/bootstrap.sh b/certs/rootca/bootstrap.sh new file mode 100755 index 0000000..abc8a78 --- /dev/null +++ b/certs/rootca/bootstrap.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +echo "Create $1 Host" + +openssl genpkey -algorithm EC -out $1.key -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve + +openssl req -x509 -new -days 730 -key $1.key -out $1.crt -config rootca.conf + +openssl ec -in $1.key -pubout -out $1.pub + +openssl x509 -in $1.crt -text -pubkey -noout + +cat $1.pub + + +# openssl req -x509 -days 3650 -new -key ${CANAME}.key -out ${CANAME}.crt -config rootca_openssl.conf \ No newline at end of file diff --git a/certs/rootca/rootca.conf b/certs/rootca/rootca.conf new file mode 100644 index 0000000..5641215 --- /dev/null +++ b/certs/rootca/rootca.conf @@ -0,0 +1,132 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +# dir = /etc/ssl/localCA/rootCA +# certs = $dir/certs +# crl_dir = $dir/crl +# new_certs_dir = $dir/newcerts +# database = $dir/index.txt +# serial = $dir/serial +# RANDFILE = $dir/private/.rand + +# # The root key and root certificate. +# private_key = $dir/rootCA.key +# certificate = $dir/rootCA.crt + +# # For certificate revocation lists. +# crlnumber = $dir/crlnumber +# crl = $dir/crl/ca.crl.pem +# crl_extensions = crl_ext +# default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 3650 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 384 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no +encrypt_key = no + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +req_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = KR +stateOrProvinceName = Seoul +localityName = seoul +0.organizationName = SCOPE.Inc +organizationalUnitName = SCOPE.Inc +commonName = SCOPE Self Sign CA +emailAddress = sos@scope.co.kr + +# # Optionally, specify some defaults. +# countryName_default = KR +# stateOrProvinceName_default = Seoul +# localityName_default = Seoul +# 0.organizationName_default = SCOPE.Inc +# organizationalUnitName_default = SCOPE.Inc +# commonName_default = SCOPE Self Sign CA +# emailAddress_default = sos@scope.co.kr + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning \ No newline at end of file