Merge branch 'rustls'

* rustls:
  simplify generation of certificates
  simplify creation of tls_cfg
  refactor: change use-style
  static dispatched Stream
  create HTTPS server

Author: nwtgck

Cargo.lock

@@ -1,13 +1,15 @@
 [package]
-name = "hyper-rustls-prac"
+name = "hyper-rustls-example"
 version = "0.1.0"
 authors = ["Ryo Ota <nwtgck@nwtgck.org>"]
 edition = "2018"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-hyper = { version = "0.13.0", default-features = false }
-tokio = { version = "0.2", features = ["full"] }
+hyper = "0.13.0"
+tokio = { version = "0.2", features = ["rt-threaded", "macros"] }
 rustls = "0.18"
 hyper-rustls = "0.21.0"
+futures-util = "0.3.1"
+tokio-rustls = "0.14.0"

Cargo.toml

@@ -1 +1,25 @@
-# hyper-rustls-prac
+# hyper-rustls-example
+Simple example of [hyper-rustls](https://github.com/ctz/hyper-rustls)
+
+## Run
+
+Run as follows.
+
+```bash
+cargo run
+```
+
+Access to the server as follows.
+
+```bash
+curl -k https://localhost:3000/
+```
+
+## Make self-signed certificates by yourself
+
+You can make certificates as follows.
+
+```bash
+mkdir ssl_certs && cd ssl_certs && openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -sha256 -nodes --subj '/CN=localhost/' && cd -
+```
+

README.md

@@ -1,28 +1,95 @@
+use futures_util::future::TryFutureExt;
+use futures_util::stream::{Stream, TryStreamExt};
+use hyper::service::{make_service_fn, service_fn};
+use hyper::{Body, Request, Response, Server};
 use std::convert::Infallible;
+use std::io;
 use std::net::SocketAddr;
-use hyper::{Body, Request, Response, Server};
-use hyper::service::{make_service_fn, service_fn};
+use tokio::net::{TcpListener, TcpStream};
+use tokio_rustls::server::TlsStream;
+use tokio_rustls::TlsAcceptor;
 
 async fn hello_world(_req: Request<Body>) -> Result<Response<Body>, Infallible> {
     Ok(Response::new("Hello, World".into()))
 }
 
+fn error(err: String) -> std::io::Error {
+    std::io::Error::new(std::io::ErrorKind::Other, err)
+}
+
 #[tokio::main]
-async fn main() {
+async fn main() -> io::Result<()> {
     // We'll bind to 127.0.0.1:3000
     let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
 
+    // Build TLS configuration.
+    let tls_cfg = {
+        // Load public certificate.
+        let mut cert_reader = io::BufReader::new(std::fs::File::open("./ssl_certs/server.crt")?);
+        let certs = rustls::internal::pemfile::certs(&mut cert_reader).unwrap();
+        // Load private key.
+        let mut key_reader = io::BufReader::new(std::fs::File::open("./ssl_certs/server.key")?);
+        // Load and return a single private key.
+        let mut keys = rustls::internal::pemfile::pkcs8_private_keys(&mut key_reader).unwrap();
+        // Do not use client certificate authentication.
+        let mut cfg = rustls::ServerConfig::new(rustls::NoClientAuth::new());
+        // Select a certificate to use.
+        cfg.set_single_cert(certs, keys.remove(0)).unwrap();
+        // Configure ALPN to accept HTTP/2, HTTP/1.1 in that order.
+        cfg.set_protocols(&[b"h2".to_vec(), b"http/1.1".to_vec()]);
+        std::sync::Arc::new(cfg)
+    };
+
+    // Create a TCP listener via tokio.
+    let mut tcp = TcpListener::bind(&addr).await?;
+    let tls_acceptor = TlsAcceptor::from(tls_cfg);
+    // Prepare a long-running future stream to accept and serve clients.
+    let incoming_tls_stream = tcp
+        .incoming()
+        .map_err(|e| error(format!("Incoming failed: {:?}", e)))
+        .and_then(move |s| {
+            tls_acceptor.accept(s).map_err(|e| {
+                println!("[!] Voluntary server halt due to client-connection error...");
+                // Errors could be handled here, instead of server aborting.
+                // Ok(None)
+                error(format!("TLS Error: {:?}", e))
+            })
+        });
+
     // A `Service` is needed for every connection, so this
     // creates one from our `hello_world` function.
     let make_svc = make_service_fn(|_conn| async {
         // service_fn converts our function into a `Service`
         Ok::<_, Infallible>(service_fn(hello_world))
     });
 
-    let server = Server::bind(&addr).serve(make_svc);
+    let server = Server::builder(HyperAcceptor {
+        acceptor: Box::pin(incoming_tls_stream),
+    })
+    .serve(make_svc);
 
     // Run this server for... forever!
     if let Err(e) = server.await {
         eprintln!("server error: {}", e);
     }
+    Ok(())
+}
+
+struct HyperAcceptor<S> {
+    acceptor: core::pin::Pin<Box<S>>,
+}
+
+impl<S> hyper::server::accept::Accept for HyperAcceptor<S>
+where
+    S: Stream<Item = Result<TlsStream<TcpStream>, io::Error>>,
+{
+    type Conn = TlsStream<TcpStream>;
+    type Error = io::Error;
+
+    fn poll_accept(
+        mut self: core::pin::Pin<&mut Self>,
+        cx: &mut core::task::Context,
+    ) -> core::task::Poll<Option<Result<Self::Conn, Self::Error>>> {
+        self.acceptor.as_mut().poll_next(cx)
+    }
 }

src/main.rs

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCTCCAvGgAwIBAgIUQmZTN5CEHIxNl5vqjCc3MuCPduswDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMDgyNDEyMjczNloXDTIxMDgy
+NDEyMjczNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAyxZFBEhSLGP7hDMx1QDl3PZCUAdDYYw/DFUYjQ+uLSfZ
+izkJJASUozn1+fVqC6u9On8jPxeVA9JgrNhj/GJVSdWtm8E6uJAHiKLq0OzHIaSd
+zXWD3XxFNtcMr7Zl5T/qpujxG0gpx8h3SFhMS96wMRwt7F5DI/6db2laOjo1rwFP
+tqWij9ZSsdsyOjm9FrCEWZd6IvMxZWNU4E3MetZGlHzle1GhDG891GuswYaait3Z
+HFLRihRKwYQKb7xSzCtfX8G6fuuBI/9F7GkpLYHcUyFYdEfWPSbQupJp2p10+NQC
+x7IaEFIaAK274xiRX4aDeddUm1IZb0Muhf2QLfSpFa6gnlhdrDNpx5I/KZT3ENMv
+FBOdUrsqOfxXhoY7Gze0BlQtfKUJnjZkD5bAX7U+5kEc5yH6tRpVvIJGJavaZGIr
+H9v2slEYEl8SpjZ9JP58EFqAUQVwNn5oTwUm+E1MN7U6N/JkPgGc77aQwtUYO6bc
+yHry90kmVf5gO5YZIMl4Sk16G+/vPciNRGJBa4qPXfE2mPhKl8z6qMrX10aI2MxR
+iuCMGuK+h5T04VQazr7km2pd37U1YcY0vKoAgxnbvD7nEex44ping7z7Sep5zN4o
+1jPVNNLLQlMSkK9lIBH+P0I6LMkccoXHqt6I5owaP2gdp97MXA/DisZXsDOXXEUC
+AwEAAaNTMFEwHQYDVR0OBBYEFEzLSxAwMQ3mZ+CanTTnLClaoGqZMB8GA1UdIwQY
+MBaAFEzLSxAwMQ3mZ+CanTTnLClaoGqZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggIBAJYpP/1W2ZKwNxXUhqNfICzDtJklQsvuWCAMLwKmNpuIbLbt
+37ginllGXul/I/eWu3lNLsDadkfOMjPTUQprT9kEEN+rXQ8wohMUTfCXyd3ThQUJ
+/9aJe41idP2LHEptXLROWXNRGnVew3BecVAao5tHjiRlbVU/c+rO++0Cn6e16zhM
+o9U9se0T+Ce5Q3OAV0F/oWC0sdEC9EBS3EVbo+xDRLIWzfSyOKEEr4XRySgMRTme
+tYCs0OYKvdCe3iYqSY+OAauEGb01T5D6URqDMCoi3mkffBqWnVKEZ+MR2BfznV3Y
+N0kF9FxNy+D+1jpJ33e0TV1+zrUKs6n4hqD/inVWO4d+OP3OEZGvvpxVsxfcPo3d
+Q0BBMw0c/qcgnukR5TH9I8/RmkLG9bgfcq2s2sgwli2jXrDwqLIVsIRejpjC+aNI
+mClWTZ92+mI1l7wPIhdh1kM6oKjxUHgOrF+YRuVWnBH4edstq5Q67Mg5JYOIqEvZ
+a+G+LSCCY0d9cQ3RBLg/nlhlvxzHzh8ThEq1uVyXdqpzkQ1aCNR3lwPXwVOTSQuT
+pz8hVGPTKRIuv+VZU0Dgcd+T4zStWBHf26vYEn/d5Sw5lAj1enO2AQ9simJjH0QD
+VJhBKColzck4G7k+mvZr+aIntojbnUsEcFwqtlZ2pL5BRc6MXxD5RLt9jmPD
+-----END CERTIFICATE-----

ssl_certs/server.crt

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDLFkUESFIsY/uE
+MzHVAOXc9kJQB0NhjD8MVRiND64tJ9mLOQkkBJSjOfX59WoLq706fyM/F5UD0mCs
+2GP8YlVJ1a2bwTq4kAeIourQ7MchpJ3NdYPdfEU21wyvtmXlP+qm6PEbSCnHyHdI
+WExL3rAxHC3sXkMj/p1vaVo6OjWvAU+2paKP1lKx2zI6Ob0WsIRZl3oi8zFlY1Tg
+Tcx61kaUfOV7UaEMbz3Ua6zBhpqK3dkcUtGKFErBhApvvFLMK19fwbp+64Ej/0Xs
+aSktgdxTIVh0R9Y9JtC6kmnanXT41ALHshoQUhoArbvjGJFfhoN511SbUhlvQy6F
+/ZAt9KkVrqCeWF2sM2nHkj8plPcQ0y8UE51Suyo5/FeGhjsbN7QGVC18pQmeNmQP
+lsBftT7mQRznIfq1GlW8gkYlq9pkYisf2/ayURgSXxKmNn0k/nwQWoBRBXA2fmhP
+BSb4TUw3tTo38mQ+AZzvtpDC1Rg7ptzIevL3SSZV/mA7lhkgyXhKTXob7+89yI1E
+YkFrio9d8TaY+EqXzPqoytfXRojYzFGK4Iwa4r6HlPThVBrOvuSbal3ftTVhxjS8
+qgCDGdu8PucR7HjimKeDvPtJ6nnM3ijWM9U00stCUxKQr2UgEf4/QjosyRxyhceq
+3ojmjBo/aB2n3sxcD8OKxlewM5dcRQIDAQABAoICAEgzA5hRKb2UUf+ev7GNHysd
+9VdELcVJOcTln9POZkqxZxqizUgbxMf+vB8AC5JYnO5l8p7kgFqaeToZt/oq701P
+hOfhm0GwGq2N1dMuymCAiIVZqOad3nFvpJf3TWRiA8cQ+16KmifncdirY3x5j8P1
+07G7lTz/sPLBzozy0tEDs1YorpFaTY3jcojWrA2b9YFwY8B3GvGDjdIsdmyZLwBt
+Ipxj2dB039Nb8E/gzaJe2mfCXbIsIqOHkLpGhl0FcmO1mNq0WPX2M+KnRDdkenKn
+YS39uAGHgh9CHBXXcpVfshlSjQeOWKYzHZ/PxSbjyGwRjIeneVlf1fNWwOJFn7Jt
+2YD7UL9hvkTwSyooJ0WOLxupSHNeEdQ4lKdTBVBTSt0SsLvD1OS1XPST3yH19RyU
+rO1euVNdpkv6SecNkHSDwRt8Z0owbtF/MJatd0zMPLkFK6q5Ozg/82nK+vCJHVx+
+xZgHq5R2ECBr1/n2xSFK/c76NUrEi+nGdiOHLmJQVPMDMfFTBgg3s6gGCavt0vZy
+li2g5baf+Qe76k5fmMiDiuSpdCwnrx/jc93iynZCqtwMAJSpKq6/giq+jsYxC1nZ
++tGIcKARKajsUIedl4AhSkanNUCHZpkcS1ZWlOgfaWYO6TdweoH21hGY49iVhZ1M
+TeckSaX7ToROCBbQIuxBAoIBAQD5f0/m7GcxdkuIxbdoZk8o7RQ3TxSADWub+0wu
+Ltwf2UVIeIR41RF4PSx6292CJ3o5a+Iuk+tO4xt2jVMEYVLPMyzWNvzUBn2qlDUw
+pb7dIL5UflpPtLgfyoG7lYgZehIf/z0mQ4Qmxkku7oyV4brOK6T7/h+4W7GXAKCz
+Nus15luIGMFmL1GKtCNFfJIkARwlWuk1kWLE9to1OjRmH35aOW2w1C2BlSawlu1P
+kap/S4tmCL7i+ybyCWTmejzBw98C2Ma1Ww+U++yd65KzWvwlaSv8kCAGoruqhWEU
+B++laWVmNSc2Eaz7betEFJrqZVPRHev2z/uT8/Sva3ULE0nxAoIBAQDQYUzO1wo9
+lao5AW88pYa4/CGLU2k923Ww5pWyyZHmaIMUoYcBVd6FSKcV6yWd+mA4gPhXQpgZ
+HJ9Nphtz7335tOwd261F2x27NNZIrd+5YBjgzp6tqwo3xJoXgvZC8OImjSWoNrMi
+ZOxu6DzrT4Kod13AgWVJDpuhr4HGre+T3SOWONYxX19GDqn3XAn12Jtqhe0PQmGt
+Z2mp+a/oschGLBvztL7CwBmb81CaW9bUEmx308ZilCc5jYOj6FHiEcoJHvekC7jd
+vnzwLB6QNN7X0TDUop8c+H5dK/Mknk4N36Y/T76b3Z5mGiXBZoMEHtTpjruQQJAd
+iCYyYy8794OVAoIBAQCnwQtXaEJmRnS5LL+KCahWCzoZiilthBiDk28Aam+FVpA4
+Dxh7KkAJyY/7t5NzbNnIfBpjWP/RVfBkQNe9zTZhrLYL/oL2iLq8E9TDtd3kTpzK
+sP5GM2vNrFqYZw1Qm/xN2U8jSCg17gLM9IZATLtO3pea+54WVkjNEBX9CgMShaWr
+l4GKFGzORxqkIQMeBEUJdNvzMaLoblX/jfgnZiuNvKldSPyj8UZHW+OKKZYq6v96
+hozajyX7fYeDVFM/sVRkVJ8e13BdqxnIgNltkNKS0OlLcxilfYuTNwUz87YVUQ1l
+sH2B5Fab46dZakVTLvgxVd4PYH52V4SA4k6bOMfxAoIBAAWQc5KaX2Whl3gKN8Qw
+z1YlNWgZBBhowc3Fen3ZsBGs/MMSRR6eAmEgvYVyUADV7LfVicwatSEGiKJ0Kwt/
+e6etUxjBAvF4lmSnVol+SxkSHdfy7H3KsW0nzM2P66+B6ygIYNcLDuF+PGoBvY6z
+AtQoy9IWInQ+9ZztqNN7VYhnQUoDnoSW/V5LifJW/NUZwZyoktnzddRBjKrDRhU6
+mhR1nRF25BkjNAvcBWz5wtTK4SaZ+xQqzJlW1AsOaxFUVEbGEurIfVk+euuW4gIL
+x1+P8HPdG86UPBuUzttNdtwb+r56DKbw1gf37sYpTJpRkHHkI9IIR1Dij9KMn3hE
+dbkCggEBALlaoWCqom17jT4S7DpjLbXpNf2Q1TF1oRYR/CyoB6crkF/IaT8K2+oZ
+Ot8GLTA7waIdLEgPblqJ0a2f2s8OGY0bSXSljrz2WiAVUOC/Y5JlS2p/FLSiVi6X
+5uYf2ZiqPdpJ9yxGNxpibdNfl4GKVKGvc+bxzi5zG8PSFSCcsDOEB222SKZA2V+a
+tCKfPC3iGLge7cc5RN+XUcTF1ChmpahsNkk6OZVkvAkEveW3FCm/UUExvfenin8a
+rekejQZKB9EpM9s5E+FC8+d1KE5KGe3C+LjpUkc6u2Y4vx+9Au4PwCh5JWY8r20i
+ILFkgCCKfn/6BJGkLTf/dT4ekHP5OOc=
+-----END PRIVATE KEY-----