Initialize Commit

.gitignore

@@ -0,0 +1,145 @@
+# Created by https://www.toptal.com/developers/gitignore/api/rust-analyzer,rust,certificates,visualstudiocode,jetbrains+all
+# Edit at https://www.toptal.com/developers/gitignore?templates=rust-analyzer,rust,certificates,visualstudiocode,jetbrains+all
+
+### certificates ###
+*.pem
+*.key
+*.crt
+*.cer
+*.der
+*.priv
+
+# add jay
+*.csr
+*.pub
+*.srl
+
+### JetBrains+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### JetBrains+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### Rust ###
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/
+
+# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
+# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
+Cargo.lock
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# MSVC Windows builds of rustc generate these, which store debugging information
+*.pdb
+
+### rust-analyzer ###
+# Can be generated by other build systems other than cargo (ex: bazelbuild/rust_rules) 
+rust-project.json
+
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+# End of https://www.toptal.com/developers/gitignore/api/rust-analyzer,rust,certificates,visualstudiocode,jetbrains+all

Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "TcpExample"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+log = "0.4.22"
+pretty_env_logger = "0.5.0"
+rustls = "0.23.12"
+rustls-native-certs = "0.7.1"
+rustls-pemfile = "2.1.2"
+tokio = "1.39.2"
+tokio-rustls = "0.26.0"
+webpki = "0.22.4"
+webpki-roots = "0.26.3"
+x509-parser = "0.16.0"

README.md

@@ -0,0 +1,40 @@
+# TLS on Rust and PKI
+
+## How to Build  
+```bash
+$ cargo build
+```
+
+## Run TLS Server  
+```bash
+$ cargo run --bin TcpExample certs/host/fullchain.pem certs/host/server.key
+```
+
+## Run TLS Client  
+```bash
+# EXEC_TARGET=client
+$ EXEC_TARGET=allow_any_cert_client
+$ cargo run --bin $EXEC_TARGET certs/rootca/rootCA.crt
+```
+
+## Make rootCA Certificate  
+```bash
+$ cd certs/rootca
+# edit rootca.conf
+$ ./bootstrap cert_name
+```
+
+## Make ICA Certificate  
+```bash
+$ cd certs/ica
+# edit ica.conf
+$ ./bootstrap cert_name
+```
+
+## Make Server Certificate  
+```bash
+$ cd certs/host
+# edit host.conf
+$ ./bootstrap cert_name
+```
+

certs/host/bootstrap.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+echo "Create $1 Server"
+openssl genpkey -algorithm EC -out $1.key -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
+
+openssl req -new -config host.conf -key $1.key -out $1.csr
+
+openssl x509 -req -days 730 -in $1.csr -out $1.crt -extfile host.conf -extensions v3_ext \
+    -CAkey $2 -CA $3 -CAcreateserial
+
+openssl ec -in $1.key -pubout -out $1.pub
+
+openssl x509 -in $1.crt -text -pubkey -noout
+
+cat $1.pub
+
+cat $1.crt $3 > fullchain.pem
+ 

certs/host/host.conf

@@ -0,0 +1,43 @@
+# Modify this files to your needs
+
+[req]
+default_bits = 384
+distinguished_name = dn
+default_md = sha256
+prompt = no
+req_extensions = req_ext
+
+[dn]
+C="KR"
+ST="Seoul"
+L="Seoul"
+O="SCOPE.Inc"
+OU="SCOPE Lab"
+emailAddress="jay3920@scope.co.kr"
+CN="Invalid Test"
+
+[req_ext]
+subjectAltName = @alt_names
+
+[ v3_ext]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+subjectKeyIdentifier  = hash
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[ v3_ext_client]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+subjectKeyIdentifier  = hash
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = www.scope.co.kr
+DNS.2 = *.scope.co.kr
+IP.1 = 10.1.3.63
+IP.2 = 10.1.3.69
+IP.3 = 10.1.3.80

certs/ica/bootstrap.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+echo "Create $1 ICA"
+openssl genpkey -algorithm EC -out $1.key -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
+
+openssl req -new -config ica.conf -key $1.key -out $1.csr
+
+openssl x509 -req -days 730 -in $1.csr -out $1.crt -extfile ../rootca/rootca.conf -extensions v3_intermediate_ca \
+    -CAkey $2 -CA $3 -CAcreateserial
+
+openssl ec -in $1.key -pubout -out $1.pub
+
+openssl x509 -in $1.crt -text -pubkey -noout
+
+cat $1.pub
+ 

certs/ica/ica.conf

@@ -0,0 +1,132 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# # Directory and file locations.
+# dir               = /root/ca/intermediate
+# certs             = $dir/certs
+# crl_dir           = $dir/crl
+# new_certs_dir     = $dir/newcerts
+# database          = $dir/index.txt
+# serial            = $dir/serial
+# RANDFILE          = $dir/private/.rand
+
+# # The root key and root certificate.
+# private_key       = $dir/private/intermediate.key.pem
+# certificate       = $dir/certs/intermediate.cert.pem
+
+# # For certificate revocation lists.
+# crlnumber         = $dir/crlnumber
+# crl               = $dir/crl/intermediate.crl.pem
+# crl_extensions    = crl_ext
+# default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 384
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt                  = no
+encrypt_key             = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = KR
+stateOrProvinceName             = Seoul
+localityName                    = seoul
+0.organizationName              = SCOPE.Inc
+organizationalUnitName          = SCOPE Lab
+commonName                      = SCOPE ICA (Lab)
+emailAddress                    = scopelab@scope.co.kr
+
+# Optionally, specify some defaults.
+# countryName_default             = TR
+# stateOrProvinceName_default     = Istanbul
+# localityName_default            = Istanbul
+# 0.organizationName_default      = Safderun
+# organizationalUnitName_default  = Safderun Intermediate CA
+# commonName_default              = Safderun Intermediate CA
+# emailAddress_default            = burakberkkeskin@gmail.com
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

certs/rootca/bootstrap.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+echo "Create $1 Host"
+
+openssl genpkey -algorithm EC -out $1.key -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
+
+openssl req -x509 -new -days 730 -key $1.key -out $1.crt -config rootca.conf
+
+openssl ec -in $1.key -pubout -out $1.pub
+
+openssl x509 -in $1.crt -text -pubkey -noout
+
+cat $1.pub
+
+
+# openssl req -x509 -days 3650 -new -key ${CANAME}.key -out ${CANAME}.crt -config rootca_openssl.conf

certs/rootca/rootca.conf

@@ -0,0 +1,132 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+# dir               = /etc/ssl/localCA/rootCA
+# certs             = $dir/certs
+# crl_dir           = $dir/crl
+# new_certs_dir     = $dir/newcerts
+# database          = $dir/index.txt
+# serial            = $dir/serial
+# RANDFILE          = $dir/private/.rand
+
+# # The root key and root certificate.
+# private_key       = $dir/rootCA.key
+# certificate       = $dir/rootCA.crt
+
+# # For certificate revocation lists.
+# crlnumber         = $dir/crlnumber
+# crl               = $dir/crl/ca.crl.pem
+# crl_extensions    = crl_ext
+# default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 384
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+prompt            = no
+encrypt_key       = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+req_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = KR
+stateOrProvinceName             = Seoul
+localityName                    = seoul
+0.organizationName              = SCOPE.Inc
+organizationalUnitName          = SCOPE.Inc
+commonName                      = SCOPE Self Sign CA
+emailAddress                    = sos@scope.co.kr
+
+# # Optionally, specify some defaults.
+# countryName_default             = KR
+# stateOrProvinceName_default     = Seoul
+# localityName_default            = Seoul
+# 0.organizationName_default      = SCOPE.Inc
+# organizationalUnitName_default  = SCOPE.Inc
+# commonName_default              = SCOPE Self Sign CA
+# emailAddress_default            = sos@scope.co.kr
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning