sws 0.4.6.0 → 0.5.0.0
raw patch · 4 files changed
+34/−58 lines, 4 filesdep +asn1-encodingdep +asn1-typesdep +pem
Dependencies added: asn1-encoding, asn1-types, pem, x509
Files
- CHANGELOG.md +4/−0
- Main.hs +22/−54
- README.md +1/−2
- sws.cabal +7/−2
CHANGELOG.md view
@@ -1,6 +1,10 @@ # Change Log All notable changes to this project will be documented in this file. +## 0.5.0.0 - 2020-01-02+### Added+- Added back in support for self-signed certificate generation.+ ## 0.4.6.0 - 2019-10-20 ### Changed - Upper bound bumps.
Main.hs view
@@ -41,22 +41,19 @@ import Crypto.Random ( getSystemDRG, randomBytesGenerate, SystemDRG ) -- cryptonite -- For certificate generation.--- import Crypto.PubKey.RSA ( generate ) -- crypto-pubkey--- import Crypto.PubKey.RSA.PKCS15 ( sign ) -- crypto-pubkey--- import Crypto.PubKey.HashDescr ( hashDescrSHA256 ) -- crypto-pubkey--- import Data.ASN1.OID ( getObjectID ) -- asn1-types--- import Data.ASN1.Types ( toASN1, {- for work-around -} ASN1Object ) -- asn1-types--- import Data.ASN1.BinaryEncoding ( DER(DER) ) -- asn1-encoding--- import Data.ASN1.Encoding ( encodeASN1' ) -- asn1-encoding--- import qualified Data.PEM as PEM -- pem--- import qualified Data.X509 as X509 -- x509+import Crypto.Hash.Algorithms ( SHA256(SHA256) ) -- cryptonite+import Crypto.PubKey.RSA ( generate ) -- cryptonite+import Crypto.PubKey.RSA.PKCS15 ( sign ) -- cryptonite+import Crypto.Random.Types ( withDRG ) -- cryptonite+import Data.ASN1.OID ( getObjectID ) -- asn1-types+import Data.ASN1.Types ( toASN1 ) -- asn1-types+import Data.ASN1.BinaryEncoding ( DER(DER) ) -- asn1-encoding+import Data.ASN1.Encoding ( encodeASN1' ) -- asn1-encoding+import qualified Data.PEM as PEM -- pem+import qualified Data.X509 as X509 -- x509 import qualified Data.Hourglass as HG -- hourglass import qualified System.Hourglass as HG -- hourglass --- for work-around--- import Data.ASN1.Types ( ASN1(..), ASN1ConstructionType(..), ASN1TimeType(..) )--- import Data.ASN1.Types.Lowlevel ( ASN1Class(..) )- -- For STUN import Control.Concurrent ( forkIO, threadDelay ) -- base import Control.Concurrent.MVar ( newEmptyMVar, putMVar, tryTakeMVar ) -- base@@ -69,7 +66,7 @@ -- Not future things: CGI etc of any sort, "extensibility" -- vERSION :: String-vERSION = "0.4.4.0"+vERSION = "0.5.0.0" -- STUN code @@ -111,38 +108,12 @@ certExpiryInDays :: Int64 certExpiryInDays = 30 -{---- Temporary work-around for bug in x509.-newtype CertificateWorkaround = CW X509.Certificate- deriving ( Eq, Show )--encodeCertificateHeader :: X509.Certificate -> [ASN1]-encodeCertificateHeader cert =- eVer ++ eSerial ++ eAlgId ++ eIssuer ++ eValidity ++ eSubject ++ epkinfo ++ eexts- where eVer = asn1Container (Container Context 0) [IntVal (fromIntegral $ X509.certVersion cert)]- eSerial = [IntVal $ X509.certSerial cert]- eAlgId = toASN1 (X509.certSignatureAlg cert) []- eIssuer = toASN1 (X509.certIssuerDN cert) []- (t1, t2) = X509.certValidity cert- eValidity = asn1Container Sequence [ASN1Time TimeGeneralized t1 (Just (HG.TimezoneOffset 0))- ,ASN1Time TimeGeneralized t2 (Just (HG.TimezoneOffset 0))]- eSubject = toASN1 (X509.certSubjectDN cert) []- epkinfo = toASN1 (X509.certPubKey cert) []- eexts = toASN1 (X509.certExtensions cert) []- asn1Container ty l = [Start ty] ++ l ++ [End ty]--instance ASN1Object CertificateWorkaround where- toASN1 (CW cert) = (encodeCertificateHeader cert ++)--- End work-around code--}--{- generateCert :: Options -> HG.DateTime -> SystemDRG -> (Warp.TLSSettings, SystemDRG) generateCert opts now g = ((Warp.tlsSettingsMemory (PEM.pemWriteBS pemCert) (PEM.pemWriteBS pemKey)) { Warp.onInsecure = Warp.DenyInsecure (fromString "Use HTTPS") }, g'') where later = HG.timeAdd now (HG.Hours (24*certExpiryInDays)) (bs, g') = randomBytesGenerate 8 g -- generate 8 random bytes for the serial number- ((pk, sk), g'') = generate g' rsaSizeInBytes rsaPublicExponent+ ((pk, sk), g'') = withDRG g' (generate rsaSizeInBytes rsaPublicExponent) serialNum = BS.foldl' (\a w -> a*256 + fromIntegral w) 0 bs cn = getObjectID X509.DnCommonName o = getObjectID X509.DnOrganization@@ -158,12 +129,11 @@ X509.certPubKey = X509.PubKeyRSA pk, X509.certExtensions = X509.Extensions Nothing }- signFunc xs = (either (error . show) id (sign Nothing hashDescrSHA256 sk xs), sigAlg, ())- certBytes = X509.encodeSignedObject $ fst $ X509.objectToSignedExact signFunc (CW cert)- keyBytes = encodeASN1' DER (toASN1 sk [])+ signFunc xs = (either (error . show) id (sign Nothing (Just SHA256) sk xs), sigAlg, ())+ certBytes = X509.encodeSignedObject $ fst $ X509.objectToSignedExact signFunc cert+ keyBytes = encodeASN1' DER (toASN1 (X509.PrivKeyRSA sk) []) pemCert = PEM.PEM (fromString "CERTIFICATE") [] certBytes -- This is a mite silly. Wrap in PEM just to immediately unwrap... pemKey = PEM.PEM (fromString "RSA PRIVATE KEY") [] keyBytes--} -- File upload @@ -310,7 +280,7 @@ optRealm = "", optUserName = fromString "guest", optPassword = BS.empty,- optHTTPS = False, --True,+ optHTTPS = True, optHost = "localhost", optCertificate = "", optKeyFile = "",@@ -360,12 +330,10 @@ "Require the given password. (Default: generated)", Option "u" ["username"] (ReqArg (\u opt -> opt { optUserName = fromString u }) "USERNAME") ("Require the given username. (Default: " ++ show (optUserName defOptions) ++ ")"),- {- Option "s" ["secure"] (NoArg (\opt -> opt { optHTTPS = True })) "Enable HTTPS. (Default)", Option "" ["no-https"] (NoArg (\opt -> opt { optHTTPS = False })) "Disable HTTPS.",- -} Option "H" ["host"] (ReqArg (\host opt -> opt { optHost = host }) "HOST") ("Host name to use for generated certificate. (Default: " ++ show (optHost defOptions) ++ ")"), Option "" ["certificate"] (ReqArg (\f opt -> opt { optCertificate = f, optHTTPS = True }) "FILE")@@ -466,15 +434,15 @@ $ app404 where runner now g | optHTTPS opts && certProvided = Warp.runTLS tlsFileSettings (Warp.setPort (optPort opts) Warp.defaultSettings)- -- | optHTTPS opts = \app -> do- -- when (not $ optQuiet opts) $ do- -- putStrLn "Generating a self-signed certificate. Use --no-https to disable HTTPS."- -- putStrLn "Users will get warnings and will be vulnerable to man-in-the-middle attacks."- -- Warp.runTLS tlsMemSettings (Warp.setPort (optPort opts) Warp.defaultSettings) app+ | optHTTPS opts = \app -> do+ when (not $ optQuiet opts) $ do+ putStrLn "Generating a self-signed certificate. Use --no-https to disable HTTPS."+ putStrLn "Users will get warnings and will be vulnerable to man-in-the-middle attacks."+ Warp.runTLS tlsMemSettings (Warp.setPort (optPort opts) Warp.defaultSettings) app | otherwise = Warp.run (optPort opts) where tlsFileSettings = (Warp.tlsSettings (optCertificate opts) (optKeyFile opts)) { Warp.onInsecure = Warp.DenyInsecure (fromString "Use HTTPS") }- -- (tlsMemSettings, _) = generateCert opts now g+ (tlsMemSettings, _) = generateCert opts now g certProvided = not (null (optCertificate opts)) && not (null (optKeyFile opts)) policy = basePolicy <> addBase dir
README.md view
@@ -9,8 +9,7 @@ main goals. It has no config files, and only a few, if any, easily provided command line parameters should be necessary. If convenience and security conflict, I'm willing to sacrifice a little convenience for security, but only a little. Often such conflicts are largely resolvable. For example, requiring a password and using TLS improve security, but-making a password or a certificate are inconvenient, so `sws` can generate these. *Currently, support for generating-a certificate is removed.*+making a password or a certificate are inconvenient, so `sws` can generate these. ### Use-case 1: Large file transfer
sws.cabal view
@@ -10,7 +10,7 @@ -- PVP summary: +-+------- breaking API changes -- | | +----- non-breaking API additions -- | | | +--- code changes with no API change-version: 0.4.6.0+version: 0.5.0.0 -- A short (one-line) description of the package. synopsis: A simple web server for serving directories.@@ -64,6 +64,8 @@ -- Other library packages from which modules are imported. build-depends: + asn1-encoding >= 0.9.6 && < 0.10,+ asn1-types >= 0.3.3 && < 0.4, base >= 4.11.1 && < 4.13, bytestring >= 0.10.8 && < 0.11, containers >= 0.6.0 && < 0.7,@@ -75,13 +77,16 @@ network >= 2.7.0 && < 3.2, network-bsd >= 2.7.0 && < 2.9, network-uri >= 2.6.0 && < 2.7,+ pem >= 0.2.4 && < 0.3, resourcet >= 1.2.1 && < 1.3, transformers >= 0.5.5 && < 0.6, wai >= 3.2.1 && < 3.3, wai-extra >= 3.0.22 && < 3.1, wai-middleware-static >= 0.8.3 && < 0.9, warp >= 3.2.22 && < 3.4,- warp-tls >= 3.2.4 && < 3.3+ warp-tls >= 3.2.4 && < 3.3,+ x509 >= 1.7.5 && < 1.8+ -- Directories containing source files. -- hs-source-dirs: