hyperledger-indy · andrewwhitehead · Aug 10, 2023 · May 22, 2023
diff --git a/indy-vdr-proxy/Cargo.toml b/indy-vdr-proxy/Cargo.toml
@@ -10,6 +10,7 @@ license = "Apache-2.0"
 [features]
 fetch = ["hyper-tls", "hyper/client"]
 zmq_vendored = ["indy-vdr/zmq_vendored"]
+tls = ["rustls-pemfile", "tokio-rustls", "hyper/stream"]
 default = ["fetch", "zmq_vendored"]
 
 [dependencies]
@@ -27,6 +28,8 @@ regex = "1.5.4"
 serde_json = "1.0"
 tokio = { version = "1.0", features = ["macros", "rt-multi-thread", "signal"] }
 url = "2.2.2"
+rustls-pemfile = { version = "1.0.3", optional = true }
+tokio-rustls = { version = "0.24.1", optional = true }
 
 [target.'cfg(unix)'.dependencies]
 hyper-unix-connector = "0.2"

diff --git a/indy-vdr-proxy/src/app.rs b/indy-vdr-proxy/src/app.rs
@@ -11,6 +11,8 @@ pub struct Config {
     pub init_refresh: bool,
     pub interval_refresh: u32,
     pub is_multiple: bool,
+    pub tls_cert_path: Option<String>,
+    pub tls_key_path: Option<String>,
 }
 
 pub fn load_config() -> Result<Config, String> {
@@ -66,6 +68,20 @@ pub fn load_config() -> Result<Config, String> {
                 .takes_value(true)
                 .value_name("INTERVAL")
                 .help("Set the interval in minutes between validator node refresh attempts (0 to disable refresh, default 120)"),
+        )
+        .arg(
+            Arg::new("tls-cert")
+                .long("tls-cert")
+                .takes_value(true)
+                .value_name("CERT")
+                .help("Path to the TLS certificate file")
+        )
+        .arg(
+            Arg::new("tls-key")
+                .long("tls-key")
+                .takes_value(true)
+                .value_name("KEY")
+                .help("Path to the TLS private key file")
         );
 
     #[cfg(unix)]
@@ -112,6 +128,9 @@ pub fn load_config() -> Result<Config, String> {
         .transpose()?
         .unwrap_or(120);
 
+    let tls_cert_path = matches.value_of("tls-cert").map(str::to_owned);
+    let tls_key_path = matches.value_of("tls-key").map(str::to_owned);
+
     Ok(Config {
         genesis,
         namespace,
@@ -122,5 +141,7 @@ pub fn load_config() -> Result<Config, String> {
         init_refresh,
         interval_refresh,
         is_multiple,
+        tls_cert_path,
+        tls_key_path,
     })
 }
diff --git a/indy-vdr-proxy/src/main.rs b/indy-vdr-proxy/src/main.rs
@@ -16,8 +16,12 @@ use std::path::PathBuf;
 use std::process::exit;
 use std::rc::Rc;
 use std::time::{Duration, SystemTime};
+#[cfg(feature = "tls")]
+use std::{fs::File, io::BufReader, sync::Arc};
 
 use futures_util::future::FutureExt;
+#[cfg(feature = "tls")]
+use futures_util::stream;
 use git2::Repository;
 
 #[cfg(feature = "fetch")]
@@ -32,9 +36,18 @@ use hyper_tls::HttpsConnector;
 #[cfg(unix)]
 use hyper_unix_connector::UnixConnector;
 
+#[cfg(feature = "tls")]
+use rustls_pemfile::{certs, pkcs8_private_keys};
+#[cfg(feature = "tls")]
+use tokio::net::TcpListener;
 use tokio::select;
 #[cfg(unix)]
 use tokio::signal::unix::SignalKind;
+#[cfg(feature = "tls")]
+use tokio_rustls::{
+    rustls::{Certificate, PrivateKey, ServerConfig},
+    TlsAcceptor,
+};
 
 use indy_vdr::common::error::prelude::*;
 use indy_vdr::pool::{helpers::perform_refresh, LocalPool, PoolBuilder, PoolTransactions};
@@ -352,11 +365,64 @@ async fn init_server(config: app::Config) -> Result<(), String> {
         .parse::<IpAddr>()
         .map_err(|_| "Error parsing host IP")?;
     let addr = (ip, config.port.unwrap()).into();
-    let builder =
-        Server::try_bind(&addr).map_err(|err| format!("Error binding TCP socket: {}", err))?;
+
+    #[cfg(feature = "tls")]
+    if let (Some(tls_cert_path), Some(tls_key_path)) = (&config.tls_cert_path, &config.tls_key_path)
+    {
+        let tls_cfg = build_tls_config(&tls_cert_path, &tls_key_path)?;
+        let tls_acceptor = TlsAcceptor::from(Arc::new(tls_cfg));
+        let tcp_listener = TcpListener::bind(&addr)
+            .await
+            .map_err(|err| format!("Error binding TCP socket: {}", err))?;
+
+        let incoming_tls_stream = stream::try_unfold(tcp_listener, move |tcp_listener| {
+            let tls_acceptor = tls_acceptor.clone();
+            async move {
+                match tcp_listener.accept().await {
+                    Ok((socket, _)) => Ok(Some((
+                        tls_acceptor.clone().accept(socket).await?,
+                        tcp_listener,
+                    ))),
+                    Err(err) => Err(err),
+                }
+            }
+        });
+        let builder = Server::builder(hyper::server::accept::from_stream(incoming_tls_stream));
+        return run_server(builder, state, format!("https://{}", addr), config).await;
+    }
+
+    let builder = Server::try_bind(&addr)
+        .map_err(|err| format!("Error binding TCP socket: {}", err.to_string()))?;
     run_server(builder, state, format!("http://{}", addr), config).await
 }
 
+#[cfg(feature = "tls")]
+fn build_tls_config(cert_path: &str, key_path: &str) -> Result<ServerConfig, String> {
+    let certs = certs(&mut BufReader::new(
+        File::open(cert_path)
+            .map_err(|err| format!("Error opening TLS certificate file: {}", err))?,
+    ))
+    .map_err(|err| format!("Error parsing TLS certificate file: {}", err))?;
+    let keys = pkcs8_private_keys(&mut BufReader::new(
+        File::open(key_path).map_err(|err| format!("Error opening TLS key file: {}", err))?,
+    ))
+    .map_err(|err| format!("Error parsing TLS key file: {}", err))?;
+    ServerConfig::builder()
+        .with_safe_defaults()
+        .with_no_client_auth()
+        .with_single_cert(
+            vec![Certificate(certs.into_iter().next().ok_or_else(|| {
+                "Error parsing TLS certificate file: no certificates found".to_string()
+            })?)],
+            PrivateKey(
+                keys.into_iter()
+                    .next()
+                    .ok_or_else(|| "Error parsing TLS key file: no keys found".to_string())?,
+            ),
+        )
+        .map_err(|err| format!("Error building TLS config: {}", err.to_string()))
+}
+
 async fn run_server<I>(
     builder: hyper::server::Builder<I>,
     state: Rc<RefCell<AppState>>,