2003-07-23 16:51:36 +00:00
|
|
|
#
|
|
|
|
|
# https.rb -- SSL/TLS enhancement for HTTPServer
|
|
|
|
|
#
|
|
|
|
|
# Author: IPR -- Internet Programming with Ruby -- writers
|
|
|
|
|
# Copyright (c) 2001 GOTOU Yuuzou
|
|
|
|
|
# Copyright (c) 2002 Internet Programming with Ruby writers. All rights
|
|
|
|
|
# reserved.
|
|
|
|
|
#
|
|
|
|
|
# $IPR: https.rb,v 1.15 2003/07/22 19:20:42 gotoyuzo Exp $
|
|
|
|
|
|
|
|
|
|
require 'webrick'
|
|
|
|
|
require 'openssl'
|
|
|
|
|
|
|
|
|
|
module WEBrick
|
|
|
|
|
module Config
|
|
|
|
|
HTTP.update(
|
|
|
|
|
:SSLEnable => true,
|
|
|
|
|
:SSLCertificate => nil,
|
|
|
|
|
:SSLPrivateKey => nil,
|
|
|
|
|
:SSLClientCA => nil,
|
|
|
|
|
:SSLCACertificateFile => nil,
|
|
|
|
|
:SSLCACertificatePath => nil,
|
2003-08-02 12:01:48 +00:00
|
|
|
:SSLCertificateStore => nil,
|
2003-07-23 16:51:36 +00:00
|
|
|
:SSLVerifyClient => ::OpenSSL::SSL::VERIFY_NONE,
|
|
|
|
|
:SSLVerifyDepth => nil,
|
|
|
|
|
:SSLVerifyCallback => nil, # custom verification
|
|
|
|
|
:SSLTimeout => nil,
|
|
|
|
|
:SSLOptions => nil,
|
|
|
|
|
# Must specify if you use auto generated certificate.
|
|
|
|
|
:SSLCertName => nil,
|
|
|
|
|
:SSLCertComment => "Generated by Ruby/OpenSSL"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
osslv = ::OpenSSL::OPENSSL_VERSION.split[1]
|
|
|
|
|
HTTP[:ServerSoftware] << " OpenSSL/#{osslv}"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
class HTTPRequest
|
|
|
|
|
attr_reader :cipher, :server_cert, :client_cert
|
|
|
|
|
|
|
|
|
|
alias orig_parse parse
|
|
|
|
|
|
|
|
|
|
def parse(socket=nil)
|
|
|
|
|
orig_parse(socket)
|
|
|
|
|
@cipher = socket.respond_to?(:cipher) ? socket.cipher : nil
|
|
|
|
|
@client_cert = socket.respond_to?(:peer_cert) ? socket.peer_cert : nil
|
|
|
|
|
@server_cert = @config[:SSLCertificate]
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
alias orig_parse_uri parse_uri
|
|
|
|
|
|
|
|
|
|
def parse_uri(str, scheme="https")
|
|
|
|
|
if @config[:SSLEnable]
|
|
|
|
|
return orig_parse_uri(str, scheme)
|
|
|
|
|
end
|
|
|
|
|
return orig_parse_uri(str)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
alias orig_meta_vars meta_vars
|
|
|
|
|
|
|
|
|
|
def meta_vars
|
|
|
|
|
meta = orig_meta_vars
|
|
|
|
|
if @config[:SSLEnable]
|
|
|
|
|
meta["HTTPS"] = "on"
|
|
|
|
|
meta["SSL_CIPHER"] = @cipher ? @cipher[0] : ""
|
|
|
|
|
meta["SSL_CLIENT_CERT"] = @client_cert ? @client_cert.to_pem : ""
|
|
|
|
|
meta["SSL_SERVER_CERT"] = @server_cert ? @server_cert.to_pem : ""
|
|
|
|
|
end
|
|
|
|
|
meta
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
class HTTPServer
|
|
|
|
|
alias orig_init initialize
|
|
|
|
|
|
|
|
|
|
def initialize(*args)
|
|
|
|
|
orig_init(*args)
|
|
|
|
|
|
|
|
|
|
if @config[:SSLEnable]
|
|
|
|
|
unless @config[:SSLCertificate]
|
|
|
|
|
rsa = OpenSSL::PKey::RSA.new(512){|p, n|
|
|
|
|
|
case p
|
|
|
|
|
when 0; $stderr.putc "." # BN_generate_prime
|
|
|
|
|
when 1; $stderr.putc "+" # BN_generate_prime
|
|
|
|
|
when 2; $stderr.putc "*" # searching good prime,
|
|
|
|
|
# n = #of try,
|
|
|
|
|
# but also data from BN_generate_prime
|
|
|
|
|
when 3; $stderr.putc "\n" # found good prime, n==0 - p, n==1 - q,
|
|
|
|
|
# but also data from BN_generate_prime
|
|
|
|
|
else; $stderr.putc "*" # BN_generate_prime
|
|
|
|
|
end
|
|
|
|
|
}
|
|
|
|
|
cert = OpenSSL::X509::Certificate.new
|
|
|
|
|
cert.version = 3
|
|
|
|
|
cert.serial = 0
|
|
|
|
|
name = OpenSSL::X509::Name.new(@config[:SSLCertName])
|
|
|
|
|
cert.subject = name
|
|
|
|
|
cert.issuer = name
|
|
|
|
|
cert.not_before = Time.now
|
|
|
|
|
cert.not_after = Time.now + (365*24*60*60)
|
|
|
|
|
cert.public_key = rsa.public_key
|
|
|
|
|
|
|
|
|
|
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
|
|
|
|
|
cert.extensions = [
|
|
|
|
|
ef.create_extension("basicConstraints","CA:FALSE"),
|
|
|
|
|
ef.create_extension("subjectKeyIdentifier", "hash"),
|
|
|
|
|
ef.create_extension("extendedKeyUsage", "serverAuth")
|
|
|
|
|
]
|
|
|
|
|
ef.issuer_certificate = cert
|
|
|
|
|
ext = ef.create_extension("authorityKeyIdentifier",
|
|
|
|
|
"keyid:always,issuer:always")
|
|
|
|
|
cert.add_extension(ext)
|
|
|
|
|
if comment = @config[:SSLCertComment]
|
|
|
|
|
cert.add_extension(ef.create_extension("nsComment", comment))
|
|
|
|
|
end
|
|
|
|
|
cert.sign(rsa, OpenSSL::Digest::SHA1.new)
|
|
|
|
|
|
|
|
|
|
@config[:SSLPrivateKey] = rsa
|
|
|
|
|
@config[:SSLCertificate] = cert
|
|
|
|
|
@logger.info cert.to_s
|
|
|
|
|
end
|
|
|
|
|
@ctx = OpenSSL::SSL::SSLContext.new
|
|
|
|
|
set_ssl_context(@ctx, @config)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
alias orig_run run
|
|
|
|
|
|
|
|
|
|
def run(sock)
|
|
|
|
|
if @config[:SSLEnable]
|
|
|
|
|
ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
|
|
|
|
|
ssl.accept
|
|
|
|
|
Thread.current[:WEBrickSocket] = ssl
|
|
|
|
|
orig_run(ssl)
|
|
|
|
|
Thread.current[:WEBrickSocket] = sock
|
|
|
|
|
ssl.close
|
|
|
|
|
else
|
|
|
|
|
orig_run(sock)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def set_ssl_context(ctx, config)
|
|
|
|
|
ctx.key = config[:SSLPrivateKey]
|
|
|
|
|
ctx.cert = config[:SSLCertificate]
|
|
|
|
|
ctx.client_ca = config[:SSLClientCA]
|
|
|
|
|
ctx.ca_file = config[:SSLCACertificateFile]
|
|
|
|
|
ctx.ca_path = config[:SSLCACertificatePath]
|
2003-08-02 12:01:48 +00:00
|
|
|
ctx.cert_store = config[:SSLCertificateStore]
|
2003-07-23 16:51:36 +00:00
|
|
|
ctx.verify_mode = config[:SSLVerifyClient]
|
|
|
|
|
ctx.verify_depth = config[:SSLVerifyDepth]
|
|
|
|
|
ctx.verify_callback = config[:SSLVerifyCallback]
|
|
|
|
|
ctx.timeout = config[:SSLTimeout]
|
|
|
|
|
ctx.options = config[:SSLOptions]
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
