jetstream 16.0.0

Jetstream is a RPC framework for Rust, based on the 9P protocol and QUIC.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370

//! Example: mTLS with a SQLite-backed certificate revocation verifier.
//!
//! Demonstrates how to use a custom `ClientCertVerifier` with `Server::new_with_mtls`.
//! The verifier delegates PKI chain validation to `WebPkiClientVerifier` and then
//! checks the certificate's SHA-256 fingerprint against a SQLite revocation table.
//! Certificates that pass PKI validation are accepted unless explicitly revoked.
//!
//! Usage:
//!   cargo run --example sqlite_mtls --features quic
//!
//! The example:
//! 1. Creates an in-memory SQLite database with a revoked certificate fingerprint
//! 2. Builds a custom `ClientCertVerifier` that rejects revoked certificates
//! 3. Starts a QUIC server using this verifier
//! 4. Connects a client whose certificate is NOT revoked (succeeds)
//! 5. Connects a client whose certificate IS revoked (rejected)

use std::fmt;
use std::net::SocketAddr;
use std::path::Path;
use std::sync::Arc;

use echo_protocol::EchoChannel;
use jetstream::prelude::*;
use jetstream_macros::service;
use jetstream_quic::{
    Client, QuicRouter, QuicRouterHandler, QuicTransport, Server,
};

use rusqlite::Connection as SqliteConnection;
use rustls::pki_types::{CertificateDer, PrivateKeyDer, UnixTime};
use rustls::server::danger::{ClientCertVerified, ClientCertVerifier};
use rustls::server::WebPkiClientVerifier;
use rustls::{
    DigitallySignedStruct, DistinguishedName, Error, RootCertStore,
    SignatureScheme,
};

#[service]
pub trait Echo {
    async fn ping(&mut self) -> Result<()>;
}

#[derive(Clone)]
struct EchoImpl {}

impl Echo for EchoImpl {
    async fn ping(&mut self) -> Result<()> {
        eprintln!("Ping received");
        Ok(())
    }
}

/// A client certificate verifier that delegates cryptographic verification to
/// `WebPkiClientVerifier` and then checks the certificate's SHA-256 fingerprint
/// against a SQLite revocation table. Certificates that pass PKI validation are
/// accepted unless their fingerprint appears in the `revoked_certs` table.
struct SqliteRevocationVerifier {
    /// Inner verifier that handles PKI chain validation and signature checks.
    inner: Arc<dyn ClientCertVerifier>,
    /// SQLite database connection (wrapped in a Mutex for Send + Sync).
    db: std::sync::Mutex<SqliteConnection>,
}

impl SqliteRevocationVerifier {
    /// Create a new verifier.
    ///
    /// * `ca_cert` - CA certificate used to verify the client's certificate chain.
    /// * `db` - SQLite connection with a `revoked_certs` table containing
    ///          a `fingerprint TEXT` column of hex-encoded SHA-256 fingerprints.
    fn new(ca_cert: CertificateDer<'static>, db: SqliteConnection) -> Self {
        let mut root_store = RootCertStore::empty();
        root_store.add(ca_cert).expect("Failed to add CA cert");

        let inner = WebPkiClientVerifier::builder(Arc::new(root_store))
            .build()
            .expect("Failed to build inner WebPki verifier");

        Self {
            inner,
            db: std::sync::Mutex::new(db),
        }
    }

    /// Compute a hex-encoded SHA-256 fingerprint of a DER-encoded certificate.
    fn fingerprint(cert: &CertificateDer<'_>) -> String {
        sha256::digest(cert.as_ref())
    }
}

impl fmt::Debug for SqliteRevocationVerifier {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("SqliteRevocationVerifier").finish()
    }
}

impl ClientCertVerifier for SqliteRevocationVerifier {
    fn offer_client_auth(&self) -> bool {
        true
    }

    fn client_auth_mandatory(&self) -> bool {
        true
    }

    fn root_hint_subjects(&self) -> &[DistinguishedName] {
        self.inner.root_hint_subjects()
    }

    fn verify_client_cert(
        &self,
        end_entity: &CertificateDer<'_>,
        intermediates: &[CertificateDer<'_>],
        now: UnixTime,
    ) -> std::result::Result<ClientCertVerified, Error> {
        // First, do standard PKI chain validation.
        self.inner
            .verify_client_cert(end_entity, intermediates, now)?;

        // Then check the fingerprint against the revocation table.
        let fp = Self::fingerprint(end_entity);
        let db = self.db.lock().unwrap();
        let mut stmt = db
            .prepare_cached(
                "SELECT 1 FROM revoked_certs WHERE fingerprint = ?1",
            )
            .map_err(|e| {
                Error::General(format!("SQLite prepare error: {}", e))
            })?;

        let revoked: bool = stmt
            .query_row(rusqlite::params![fp], |_row| Ok(true))
            .unwrap_or(false);

        if revoked {
            eprintln!("Certificate REVOKED (fingerprint: {})", fp);
            Err(Error::General(format!(
                "client certificate has been revoked: {}",
                fp
            )))
        } else {
            eprintln!("Certificate accepted (fingerprint: {})", fp);
            Ok(ClientCertVerified::assertion())
        }
    }

    fn verify_tls12_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> std::result::Result<
        rustls::client::danger::HandshakeSignatureValid,
        Error,
    > {
        self.inner.verify_tls12_signature(message, cert, dss)
    }

    fn verify_tls13_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> std::result::Result<
        rustls::client::danger::HandshakeSignatureValid,
        Error,
    > {
        self.inner.verify_tls13_signature(message, cert, dss)
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        self.inner.supported_verify_schemes()
    }
}

pub static CA_CERT_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/ca.pem");
pub static CLIENT_CERT_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/client.pem");
pub static CLIENT_KEY_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/client.key");
pub static CLIENT2_CERT_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/client2.pem");
pub static CLIENT2_KEY_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/client2.key");
pub static SERVER_CERT_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/server.pem");
pub static SERVER_KEY_PEM: &str =
    concat!(env!("CARGO_MANIFEST_DIR"), "/certs/server.key");

fn load_certs(path: &str) -> Vec<CertificateDer<'static>> {
    let data = std::fs::read(Path::new(path)).expect("Failed to read cert");
    rustls_pemfile::certs(&mut &*data)
        .filter_map(|r| r.ok())
        .collect()
}

fn load_key(path: &str) -> PrivateKeyDer<'static> {
    let data = std::fs::read(Path::new(path)).expect("Failed to read key");
    rustls_pemfile::private_key(&mut &*data)
        .expect("Failed to parse key")
        .expect("No key found")
}

async fn server(
    addr: SocketAddr,
) -> std::result::Result<(), Box<dyn std::error::Error + Send + Sync>> {
    let server_cert = load_certs(SERVER_CERT_PEM).pop().unwrap();
    let server_key = load_key(SERVER_KEY_PEM);
    let ca_cert = load_certs(CA_CERT_PEM).pop().unwrap();
    let revoked_cert_der = load_certs(CLIENT2_CERT_PEM).pop().unwrap();

    // Create an in-memory SQLite database with a revocation table.
    let db = SqliteConnection::open_in_memory()
        .expect("Failed to open SQLite in-memory db");
    db.execute_batch(
        "CREATE TABLE revoked_certs (fingerprint TEXT NOT NULL UNIQUE);",
    )
    .expect("Failed to create table");

    // Revoke client2's certificate.
    let revoked_fp = SqliteRevocationVerifier::fingerprint(&revoked_cert_der);
    db.execute(
        "INSERT INTO revoked_certs (fingerprint) VALUES (?1)",
        rusqlite::params![revoked_fp],
    )
    .expect("Failed to insert fingerprint");
    eprintln!("Revoked certificate fingerprint: {}", revoked_fp);

    // Build the custom verifier
    let verifier = Arc::new(SqliteRevocationVerifier::new(ca_cert, db));

    let echo_service = echo_protocol::EchoService { inner: EchoImpl {} };

    let rpc_router = Arc::new(
        jetstream_rpc::Router::new()
            .with_handler(echo_protocol::PROTOCOL_NAME, echo_service),
    );
    let quic_handler = QuicRouterHandler::new(rpc_router);

    let mut router = QuicRouter::new();
    router.register(Arc::new(quic_handler));

    let server = Server::new_with_mtls(
        vec![server_cert],
        server_key,
        verifier,
        addr,
        router,
    );

    eprintln!("Server listening on {}", addr);
    server.run().await;

    Ok(())
}

/// Client whose certificate is NOT revoked — should succeed.
async fn allowed_client(
    addr: SocketAddr,
) -> std::result::Result<(), Box<dyn std::error::Error + Send + Sync>> {
    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;

    let ca_cert = load_certs(CA_CERT_PEM).pop().unwrap();
    let client_cert = load_certs(CLIENT_CERT_PEM).pop().unwrap();
    let client_key = load_key(CLIENT_KEY_PEM);

    let alpn = vec![b"jetstream".to_vec()];
    let bind_addr: SocketAddr = "0.0.0.0:0".parse().unwrap();
    let client = Client::new_with_mtls(
        ca_cert,
        client_cert,
        client_key,
        alpn,
        bind_addr,
    )?;

    let connection = client.connect(addr, "localhost").await?;

    let (send, recv) = connection.open_bi().await?;
    let transport: QuicTransport<EchoChannel> = (send, recv).into();
    let mut chan = EchoChannel::new(10, Box::new(transport));
    chan.negotiate_version(u32::MAX).await?;

    eprintln!("[allowed]   Sending ping...");
    chan.ping().await?;
    eprintln!(
        "[allowed]   Pong received - SQLite verifier accepted our certificate!"
    );

    Ok(())
}

/// Client whose certificate IS revoked — should be rejected.
/// Uses client2, which is signed by the same CA and has clientAuth EKU,
/// but whose fingerprint is in the SQLite revocation table.
async fn revoked_client(
    addr: SocketAddr,
) -> std::result::Result<(), Box<dyn std::error::Error + Send + Sync>> {
    tokio::time::sleep(tokio::time::Duration::from_millis(200)).await;

    let ca_cert = load_certs(CA_CERT_PEM).pop().unwrap();
    let unauthorized_cert = load_certs(CLIENT2_CERT_PEM).pop().unwrap();
    let unauthorized_key = load_key(CLIENT2_KEY_PEM);

    let alpn = vec![b"jetstream".to_vec()];
    let bind_addr: SocketAddr = "0.0.0.0:0".parse().unwrap();
    let client = Client::new_with_mtls(
        ca_cert,
        unauthorized_cert,
        unauthorized_key,
        alpn,
        bind_addr,
    )?;

    eprintln!("[revoked]   Connecting with revoked certificate...");
    match client.connect(addr, "localhost").await {
        Ok(connection) => {
            // In QUIC, the client handshake completes before the server
            // verifies the client certificate. Race every operation
            // against the connection being closed by the server.
            let try_ping = async {
                let (send, recv) = connection.open_bi().await?;
                let transport: QuicTransport<EchoChannel> = (send, recv).into();
                let mut chan = EchoChannel::new(10, Box::new(transport));
                chan.negotiate_version(u32::MAX).await?;
                chan.ping().await?;
                Ok::<_, Box<dyn std::error::Error + Send + Sync>>(())
            };
            tokio::select! {
                result = try_ping => {
                    match result {
                        Ok(_) => {
                            eprintln!("[revoked]   ERROR: ping succeeded — should have been rejected!");
                        }
                        Err(e) => {
                            eprintln!("[revoked]   Correctly rejected: {}", e);
                        }
                    }
                }
                reason = connection.closed() => {
                    eprintln!("[revoked]   Correctly rejected: {}", reason);
                }
            }
        }
        Err(e) => {
            eprintln!("[revoked]   Correctly rejected: {}", e);
        }
    }

    Ok(())
}

#[tokio::main]
async fn main() {
    rustls::crypto::ring::default_provider()
        .install_default()
        .ok();

    let addr: SocketAddr = "127.0.0.1:4437".parse().unwrap();
    tokio::select! {
        _ = server(addr) => {},
        _ = async {
            // First: non-revoked client succeeds
            allowed_client(addr).await.unwrap();
            // Then: revoked client fails
            revoked_client(addr).await.unwrap();
        } => {},
    }
}