Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add an example tls server with provider #1440

Closed
wants to merge 11 commits into from
Closed

add an example tls server with provider #1440

wants to merge 11 commits into from

Conversation

stevefan1999-personal
Copy link
Contributor

@stevefan1999-personal stevefan1999-personal commented Sep 3, 2023
edited

This provides an example server using the crypto provider with some code referenced from internal examples. This is a very bare-bone example with some of the unnecessary features such as CRL removed. It is also assumed to use PKCS_ECDSA_P256_SHA256 for key signing at the moment (due to the config in rcgen uses this).

Use curl https://<your IP address>:4443 --insecure -v to view SSL status with curl.
Use openssl s_client -connect <your IP address>:4443 to debug SSL.

Only ECDSA keys and certs is available since rcgen depends on ring, but ring cannot generate RSA keys and certs yet. There is also an ongoing problem with ring regarding ed25519 support, that the PKCS#8 DER it generated is not standard-compliant: briansmith/ring#1518, so ed25519 test is not included,

@codecov
Copy link

codecov bot commented Sep 3, 2023
edited

Codecov Report

Merging #1440 (2c8154a) into jbp-generalise-crypto-usage-pt3 (76a2a07) will not change coverage.
The diff coverage is n/a.

@@                       Coverage Diff                        @@
##           jbp-generalise-crypto-usage-pt3    #1440   +/-   ##
================================================================
  Coverage                            96.46%   96.46%           
================================================================
  Files                                   72       72           
  Lines                                15179    15179           
================================================================
  Hits                                 14642    14642           
  Misses                                 537      537

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@stevefan1999-personal
Copy link
Contributor Author

@ctz should I split the code for the example provider instead?

@ctz
Copy link
Member

ctz commented Sep 5, 2023

Thanks for the server example, we can integrate this after the parent branch is merged.

For the rest, I think it is unlikely we'll release a crate from this demonstration-level code, and making it fully-featured will occlude the goal of it.

I think a project like rustls-on-rust-crypto-crates probably does deserves its own repo and testing infrastructure, though if the aim for parity with ring and ring-alike crates the testing could be based on those established here.

@stevefan1999-personal
Copy link
Contributor Author

@ctz Sure. I will likely fork the new provider code out, but may I know what software license of that provider code is? I would like to make a repo for those code myself as you suggested but some of the code is yours, so I need to ask for permission first.

@ctz
Move crate::sign to crate::crypto::signer
00377f2
@ctz
Move ring-backed signature keys to crypto::ring
6ba5b31
@ctz
Make *ring* an optional dependency
17d4b72 
Using the crate without this feature means something external
needs to provide all the cryptography, and (eg) convenient integrated
key loading APIs disappear.
@ctz
Allow control of which webpki::SignatureVerificationAlgorithms are …
7462764 
…used

The prior arrangements are still available (and the default), if the
crate is built with the *ring* feature.

`WebPkiSupportedAlgorithms` is a new structure (designed for static
construction, and direct use in webpki calls) that links
`webpki::SignatureVerificationAlgorithm`s to their corresponding TLS `SignatureScheme`.
This replaces the hardcoded mappings in `fn convert_scheme` etc.
@ctz
Make webpki crate dependency optional
5a25dc3 
If this is compiled out, naturally a bunch of public API and testing
code falls away.
@ctz
Add demonstration of custom crypto
e9d88fe 
This is an example that builds a mostly-unchanged rustls example
(simpleclient), but only using crypto from the rust-crypto project
and elsewhere.

This is intended to be minimalistic, and not a complete replacement
for *ring*.

It implements:

- TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite.
- TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite.
- X25519 key exchange.
- RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for
  verifying the server, integrated into the webpki crate.
- random generation using `rand_core`.

This means it can fetch www.rust-lang.org.

TLS1.2 is not strictly necessary for this server, but serves to
demonstrate that part of the API.
@ctz ctz force-pushed the jbp-generalise-crypto-usage-pt3 branch from 38a471d to e9d88fe Compare September 5, 2023 14:41
@ctz
Make webpki crate dependency optional
cfaf6ef 
If this is compiled out, naturally a bunch of public API and testing
code falls away.
@ctz
Add demonstration of custom crypto
76a2a07 
This is an example that builds a mostly-unchanged rustls example
(simpleclient), but only using crypto from the rust-crypto project
and elsewhere.

This is intended to be minimalistic, and not a complete replacement
for *ring*.

It implements:

- TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite.
- TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite.
- X25519 key exchange.
- RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for
  verifying the server, integrated into the webpki crate.
- random generation using `rand_core`.

This means it can fetch www.rust-lang.org.

TLS1.2 is not strictly necessary for this server, but serves to
demonstrate that part of the API.
@stevefan1999-personal
Copy link
Contributor Author

I force pushed the changes and only included the necessary change to add the example server 

The old provider code is still available at stevefan1999-personal/rustls at patch-add-more-provider (github.com) but I will split them by making a new crate that points to the rustls git repo with the ring-optional branch.

@ctz ctz force-pushed the jbp-generalise-crypto-usage-pt3 branch from e9d88fe to 76a2a07 Compare September 5, 2023 15:12
@cpu cpu marked this pull request as draft September 7, 2023 13:18
@cpu
Copy link
Member

cpu commented Sep 7, 2023

Thanks for the server example, we can integrate this after the parent branch is merged.

I converted this to a draft while we're waiting on another branch to make it easier to scan the PR list and get a sense of which PRs should be prioritized for review.

@ctz ctz force-pushed the jbp-generalise-crypto-usage-pt3 branch 9 times, most recently from 3144ff2 to ba26a6d Compare September 12, 2023 10:42
@ctz ctz mentioned this pull request Sep 12, 2023
Merged
4 tasks
@stevefan1999-personal
Copy link
Contributor Author

@ctz I also forked the content of this PR out to its independent repo: stevefan1999-personal/rustls-provider-rustcrypto (github.com)

Feel free to contribute.

@ctz ctz force-pushed the jbp-generalise-crypto-usage-pt3 branch 2 times, most recently from 937bb0c to 78295cf Compare September 13, 2023 15:16
@ctz ctz deleted the branch rustls:jbp-generalise-crypto-usage-pt3 September 13, 2023 15:40
@ctz ctz closed this Sep 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@stevefan1999-personal @ctz @cpu