packages feed

sws 0.4.6.0 → 0.5.0.0

raw patch · 4 files changed

+34/−58 lines, 4 filesdep +asn1-encodingdep +asn1-typesdep +pem

Dependencies added: asn1-encoding, asn1-types, pem, x509

Files

CHANGELOG.md view
@@ -1,6 +1,10 @@ # Change Log All notable changes to this project will be documented in this file. +## 0.5.0.0 - 2020-01-02+### Added+- Added back in support for self-signed certificate generation.+ ## 0.4.6.0 - 2019-10-20 ### Changed - Upper bound bumps.
Main.hs view
@@ -41,22 +41,19 @@ import Crypto.Random ( getSystemDRG, randomBytesGenerate, SystemDRG ) -- cryptonite  -- For certificate generation.--- import Crypto.PubKey.RSA ( generate  ) -- crypto-pubkey--- import Crypto.PubKey.RSA.PKCS15 ( sign ) -- crypto-pubkey--- import Crypto.PubKey.HashDescr ( hashDescrSHA256 ) -- crypto-pubkey--- import Data.ASN1.OID ( getObjectID ) -- asn1-types--- import Data.ASN1.Types ( toASN1, {- for work-around -} ASN1Object ) -- asn1-types--- import Data.ASN1.BinaryEncoding ( DER(DER) ) -- asn1-encoding--- import Data.ASN1.Encoding ( encodeASN1' ) -- asn1-encoding--- import qualified Data.PEM as PEM -- pem--- import qualified Data.X509 as X509 -- x509+import Crypto.Hash.Algorithms ( SHA256(SHA256) ) -- cryptonite+import Crypto.PubKey.RSA ( generate  ) -- cryptonite+import Crypto.PubKey.RSA.PKCS15 ( sign ) -- cryptonite+import Crypto.Random.Types ( withDRG ) -- cryptonite+import Data.ASN1.OID ( getObjectID ) -- asn1-types+import Data.ASN1.Types ( toASN1 ) -- asn1-types+import Data.ASN1.BinaryEncoding ( DER(DER) ) -- asn1-encoding+import Data.ASN1.Encoding ( encodeASN1' ) -- asn1-encoding+import qualified Data.PEM as PEM -- pem+import qualified Data.X509 as X509 -- x509 import qualified Data.Hourglass as HG -- hourglass import qualified System.Hourglass as HG -- hourglass --- for work-around--- import Data.ASN1.Types ( ASN1(..), ASN1ConstructionType(..), ASN1TimeType(..) )--- import Data.ASN1.Types.Lowlevel ( ASN1Class(..) )- -- For STUN import Control.Concurrent ( forkIO, threadDelay ) -- base import Control.Concurrent.MVar ( newEmptyMVar, putMVar, tryTakeMVar ) -- base@@ -69,7 +66,7 @@ -- Not future things: CGI etc of any sort, "extensibility" -- vERSION :: String-vERSION = "0.4.4.0"+vERSION = "0.5.0.0"  -- STUN code @@ -111,38 +108,12 @@ certExpiryInDays :: Int64 certExpiryInDays = 30 -{---- Temporary work-around for bug in x509.-newtype CertificateWorkaround = CW X509.Certificate-    deriving ( Eq, Show )--encodeCertificateHeader :: X509.Certificate -> [ASN1]-encodeCertificateHeader cert =-    eVer ++ eSerial ++ eAlgId ++ eIssuer ++ eValidity ++ eSubject ++ epkinfo ++ eexts-  where eVer      = asn1Container (Container Context 0) [IntVal (fromIntegral $ X509.certVersion cert)]-        eSerial   = [IntVal $ X509.certSerial cert]-        eAlgId    = toASN1 (X509.certSignatureAlg cert) []-        eIssuer   = toASN1 (X509.certIssuerDN cert) []-        (t1, t2)  = X509.certValidity cert-        eValidity = asn1Container Sequence [ASN1Time TimeGeneralized t1 (Just (HG.TimezoneOffset 0))-                                           ,ASN1Time TimeGeneralized t2 (Just (HG.TimezoneOffset 0))]-        eSubject  = toASN1 (X509.certSubjectDN cert) []-        epkinfo   = toASN1 (X509.certPubKey cert) []-        eexts     = toASN1 (X509.certExtensions cert) []-        asn1Container ty l = [Start ty] ++ l ++ [End ty]--instance ASN1Object CertificateWorkaround where-    toASN1 (CW cert) = (encodeCertificateHeader cert ++)--- End work-around code--}--{- generateCert :: Options -> HG.DateTime -> SystemDRG -> (Warp.TLSSettings, SystemDRG) generateCert opts now g = ((Warp.tlsSettingsMemory (PEM.pemWriteBS pemCert) (PEM.pemWriteBS pemKey)) {                                 Warp.onInsecure = Warp.DenyInsecure (fromString "Use HTTPS") }, g'')     where later = HG.timeAdd now (HG.Hours (24*certExpiryInDays))           (bs, g') = randomBytesGenerate 8 g -- generate 8 random bytes for the serial number-          ((pk, sk), g'') = generate g' rsaSizeInBytes rsaPublicExponent+          ((pk, sk), g'') = withDRG g' (generate rsaSizeInBytes rsaPublicExponent)           serialNum = BS.foldl' (\a w -> a*256 + fromIntegral w) 0 bs           cn = getObjectID X509.DnCommonName           o = getObjectID X509.DnOrganization@@ -158,12 +129,11 @@                   X509.certPubKey = X509.PubKeyRSA pk,                   X509.certExtensions = X509.Extensions Nothing               }-          signFunc xs = (either (error . show) id (sign Nothing hashDescrSHA256 sk xs), sigAlg, ())-          certBytes = X509.encodeSignedObject $ fst $ X509.objectToSignedExact signFunc (CW cert)-          keyBytes = encodeASN1' DER (toASN1 sk [])+          signFunc xs = (either (error . show) id (sign Nothing (Just SHA256) sk xs), sigAlg, ())+          certBytes = X509.encodeSignedObject $ fst $ X509.objectToSignedExact signFunc cert+          keyBytes = encodeASN1' DER (toASN1 (X509.PrivKeyRSA sk) [])           pemCert = PEM.PEM (fromString "CERTIFICATE") [] certBytes  -- This is a mite silly.  Wrap in PEM just to immediately unwrap...           pemKey = PEM.PEM (fromString "RSA PRIVATE KEY") [] keyBytes--}  -- File upload @@ -310,7 +280,7 @@     optRealm = "",     optUserName = fromString "guest",     optPassword = BS.empty,-    optHTTPS = False, --True,+    optHTTPS = True,     optHost = "localhost",     optCertificate = "",     optKeyFile = "",@@ -360,12 +330,10 @@         "Require the given password. (Default: generated)",     Option "u" ["username"] (ReqArg (\u opt -> opt { optUserName = fromString u }) "USERNAME")         ("Require the given username. (Default: " ++ show (optUserName defOptions)  ++ ")"),-    {-     Option "s" ["secure"] (NoArg (\opt -> opt { optHTTPS = True }))         "Enable HTTPS. (Default)",     Option "" ["no-https"] (NoArg (\opt -> opt { optHTTPS = False }))         "Disable HTTPS.",-    -}     Option "H" ["host"] (ReqArg (\host opt -> opt { optHost = host }) "HOST")         ("Host name to use for generated certificate. (Default: " ++ show (optHost defOptions) ++ ")"),     Option "" ["certificate"] (ReqArg (\f opt -> opt { optCertificate = f, optHTTPS = True }) "FILE")@@ -466,15 +434,15 @@                 $ app404   where runner now g | optHTTPS opts && certProvided                         = Warp.runTLS tlsFileSettings (Warp.setPort (optPort opts) Warp.defaultSettings)-                     -- | optHTTPS opts = \app -> do-                     --    when (not $ optQuiet opts) $ do-                     --        putStrLn "Generating a self-signed certificate.  Use --no-https to disable HTTPS."-                     --        putStrLn "Users will get warnings and will be vulnerable to man-in-the-middle attacks."-                     --    Warp.runTLS tlsMemSettings (Warp.setPort (optPort opts) Warp.defaultSettings) app+                     | optHTTPS opts = \app -> do+                        when (not $ optQuiet opts) $ do+                            putStrLn "Generating a self-signed certificate.  Use --no-https to disable HTTPS."+                            putStrLn "Users will get warnings and will be vulnerable to man-in-the-middle attacks."+                        Warp.runTLS tlsMemSettings (Warp.setPort (optPort opts) Warp.defaultSettings) app                      | otherwise = Warp.run (optPort opts)             where tlsFileSettings = (Warp.tlsSettings (optCertificate opts) (optKeyFile opts)) {                         Warp.onInsecure = Warp.DenyInsecure (fromString "Use HTTPS") }-                  -- (tlsMemSettings, _) = generateCert opts now g+                  (tlsMemSettings, _) = generateCert opts now g                   certProvided = not (null (optCertificate opts)) && not (null (optKeyFile opts))          policy = basePolicy <> addBase dir
README.md view
@@ -9,8 +9,7 @@ main goals.  It has no config files, and only a few, if any, easily provided command line parameters should be necessary. If convenience and security conflict, I'm willing to sacrifice a little convenience for security, but only a little. Often such conflicts are largely resolvable.  For example, requiring a password and using TLS improve security, but-making a password or a certificate are inconvenient, so `sws` can generate these. *Currently, support for generating-a certificate is removed.*+making a password or a certificate are inconvenient, so `sws` can generate these.  ### Use-case 1: Large file transfer     
sws.cabal view
@@ -10,7 +10,7 @@ -- PVP summary:      +-+------- breaking API changes --                   | | +----- non-breaking API additions --                   | | | +--- code changes with no API change-version:             0.4.6.0+version:             0.5.0.0  -- A short (one-line) description of the package. synopsis:            A simple web server for serving directories.@@ -64,6 +64,8 @@      -- Other library packages from which modules are imported.   build-depends:       +    asn1-encoding         >= 0.9.6 && < 0.10,+    asn1-types            >= 0.3.3 && < 0.4,     base                  >= 4.11.1 && < 4.13,     bytestring            >= 0.10.8 && < 0.11,     containers            >= 0.6.0 && < 0.7,@@ -75,13 +77,16 @@     network               >= 2.7.0 && < 3.2,     network-bsd           >= 2.7.0 && < 2.9,     network-uri           >= 2.6.0 && < 2.7,+    pem                   >= 0.2.4 && < 0.3,     resourcet             >= 1.2.1 && < 1.3,     transformers          >= 0.5.5 && < 0.6,     wai                   >= 3.2.1 && < 3.3,     wai-extra             >= 3.0.22 && < 3.1,     wai-middleware-static >= 0.8.3 && < 0.9,     warp                  >= 3.2.22 && < 3.4,-    warp-tls              >= 3.2.4 && < 3.3+    warp-tls              >= 3.2.4 && < 3.3,+    x509                  >= 1.7.5 && < 1.8+      -- Directories containing source files.   -- hs-source-dirs: