wip proxy gencert internal

proxy/.gitignore

@@ -1,4 +0,0 @@
-cert.pem
-key.pem
-bundle
-config.toml

proxy/Cargo.toml

@@ -16,3 +16,6 @@ mumble-web2-common = { workspace = true }
 salvo = { version = "0.74.2", features = ["quinn", "eyre", "rustls", "serve-static", "logging"] }
 once_cell = "1.20.2"
 rustls = { version = "^0.23", features = ["aws_lc_rs"] }
+rcgen = "0.13.2"
+hmac-sha256 = "1.1.8"
+time = "0.3"

proxy/config.toml.example

@@ -1,11 +0,0 @@
-https_listen_address = "127.0.0.1:4433"
-http_listen_address = "127.0.0.1:8080"
-cert_path = "./cert.pem"
-key_path = "./key.pem"
-mumble_server_url = "voip.ohea.xyz:64738"
-gui_path = "../target/dx/mumble-web2-gui/release/web/public"
-
-[gui]
-force_proxy = true
-proxy_url = "https://127.0.0.1:4433/proxy"
-# cert_hash = [...]

proxy/src/main.rs

@@ -1,6 +1,8 @@
-use color_eyre::eyre::{anyhow, Context, Error, Result};
+use color_eyre::eyre::{anyhow, bail, Context, Result};
+use color_eyre::owo_colors::OwoColorize;
 use mumble_web2_common::GuiConfig;
 use once_cell::sync::OnceCell;
+use rcgen::date_time_ymd;
 use salvo::conn::rustls::{Keycert, RustlsConfig};
 use salvo::logging::Logger;
 use salvo::prelude::*;
@@ -24,12 +26,18 @@ use tracing::{error, instrument};
 use tracing_subscriber::filter::LevelFilter;
 use tracing_subscriber::EnvFilter;
 
+fn default_cert_alt_names() -> Vec<String> {
+    vec!["localhost".into()]
+}
+
 #[derive(Deserialize)]
 struct Config {
     https_listen_address: SocketAddr,
     http_listen_address: Option<SocketAddr>,
-    cert_path: PathBuf,
-    key_path: PathBuf,
+    cert_path: Option<PathBuf>,
+    key_path: Option<PathBuf>,
+    #[serde(default = "default_cert_alt_names")]
+    cert_alt_names: Vec<String>,
     mumble_server_url: String,
     mumble_server_address: Option<SocketAddr>,
     gui_path: PathBuf,
@@ -105,16 +113,42 @@ async fn main() -> Result<()> {
         .push(Router::with_path("/<*+rest>").get(StaticDir::new(config.gui_path.clone())))
         .hoop(Logger::new());
 
-    // Read server certs
     rustls::crypto::aws_lc_rs::default_provider()
         .install_default()
         .map_err(|e| anyhow!("could not install crypto provider {e:?}"))?;
-    let cert = fs::read(&config.cert_path)
-        .await
-        .context(format!("reading cert {}", config.cert_path.display()))?;
-    let key = fs::read(&config.key_path)
-        .await
-        .context(format!("reading key {}", config.key_path.display()))?;
+
+    let (cert, key) = match (&config.cert_path, &config.key_path) {
+        (None, None) => {
+            info!("generating self-signed cert");
+
+            use rcgen::{CertificateParams, KeyPair, PKCS_ECDSA_P256_SHA256};
+            let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?;
+            let mut cert_params = CertificateParams::new(config.cert_alt_names.clone())?;
+            cert_params.not_after = time::OffsetDateTime::now_utc() + time::Duration::days(12);
+            let cert = cert_params.self_signed(&key_pair)?;
+
+            let hash = hmac_sha256::Hash::hash(cert.der().as_ref());
+            {
+                let mut gui_config = config.gui.lock().unwrap();
+                gui_config.cert_hash = Some(hash.into());
+            }
+
+            (cert.pem().into(), key_pair.serialize_pem().into())
+        }
+        (Some(cert_path), Some(key_path)) => {
+            // Read server certs
+            let cert = fs::read(cert_path)
+                .await
+                .context(format!("reading cert {}", cert_path.display()))?;
+            let key = fs::read(key_path)
+                .await
+                .context(format!("reading key {}", key_path.display()))?;
+            (cert, key)
+        }
+        _ => {
+            bail!("please supply both cert_path and key_path (or neither to generate a self-signed cert)")
+        }
+    };
     let rustls_config = RustlsConfig::new(Keycert::new().cert(cert.as_slice()).key(key.as_slice()));
 
     // Create http listeners