use https

2024-09-27 19:47:11 +01:00 · 2024-09-27 19:47:11 +01:00 · d98f78db85
commit d98f78db85
parent 42aa1d8f0a
2 changed files with 27 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -38,6 +38,10 @@ chmod 0700 psk
 openssl genrsa -out ca.key 4096
 CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650  -out ca.crt

+# create key for the server and sign it with the CA 
+CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
+openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+
 # create example client CSR for testing (check openssl.cnf against "psk" file)
 CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr

@ -45,7 +49,7 @@ CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client
 nix-build && result/bin/certifix  --challenge-password psk  --certificate ca.crt --private-key ca.key localhost:19613

 # send it
-curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  http://localhost:8201/sign
+curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr  https://localhost:19613/sign
 ```

 ## Background
--- a/main.fnl
+++ b/main.fnl
@ -2,7 +2,8 @@

 (local server (require :http.server))
 (local headers (require :http.headers))
-(local ssl (require :openssl))
+(local htls (require :http.tls))
+(local ctx (require :openssl.ssl.context))
 (local csr (require :openssl.x509.csr))
 (local x509 (require :openssl.x509))
 (local pkey (require :openssl.pkey))
@ -53,10 +54,14 @@

 (fn parse-args [args]
  (match args
-    ["--certificate" f & rest]
-    (assoc (parse-args rest) :certificate (slurp f))
-    ["--private-key" f & rest]
-    (assoc (parse-args rest) :private-key (slurp f))
+    ["--ca-certificate" f & rest]
+    (assoc (parse-args rest) :ca-certificate (slurp f))
+    ["--ca-private-key" f & rest]
+    (assoc (parse-args rest) :ca-private-key (slurp f))
+    ["--server-certificate" f & rest]
+    (assoc (parse-args rest) :server-certificate (slurp f))
+    ["--server-private-key" f & rest]
+    (assoc (parse-args rest) :server-private-key (slurp f))
    ["--challenge-password" f & rest]
    (assoc (parse-args rest) :challenge-password (read-line f))
    [bind-address] { : bind-address }
@ -66,13 +71,15 @@
       (doto
           (parse-args arg)
         (case
-             {: certificate : private-key : challenge-password : bind-address}
+             {: ca-certificate : ca-private-key
+              : server-certificate : server-private-key
+              : challenge-password : bind-address}
           true
           _
           (assert nil "missing required command line params"))))

-(local ca-key (pkey.new options.private-key))
-(local ca-crt (x509.new options.certificate))
+(local ca-key (pkey.new options.ca-private-key))
+(local ca-crt (x509.new options.ca-certificate))

 (fn new-crt [csr]
  (let [crt
@ -110,6 +117,11 @@
      _
      (send-error out 404 "not found"))))

+(fn ssl-context []
+  (doto (htls.new_server_context)
+    (: :setCertificate (x509.new options.server-certificate))
+    (: :setPrivateKey (pkey.new options.server-private-key))))
+
 (fn new-server []
  (let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]
    (ncall (server.listen
@ -117,6 +129,8 @@
            :host addr
            :port (tonumber port)
            :onstream on-stream
+            :tls true
+            :ctx (ssl-context)
            }))))

 (let [s (new-server)]