product-os-proxy 0.0.19

Product OS : Proxy builds on the work of hudsucker, taking it to the next level with a man-in-the-middle proxy server that can tunnel traffic through a VPN utilising Product OS : VPN.
//! Certificate Authority module for TLS interception.
//!
//! This module provides the [`CertificateAuthority`] trait and implementations
//! for generating TLS certificates on-the-fly during MITM proxy operation.
//!
//! When the proxy intercepts an HTTPS connection, it needs to present a valid
//! TLS certificate to the client. The certificate authority generates these
//! certificates dynamically, signed by a trusted root CA.
//!
//! # Available Implementations
//!
//! - [`RcgenAuthority`] - Uses the `rcgen` crate for certificate generation (feature: `rcgen_ca`)
//!
//! # Security
//!
//! The CA private key must be kept secure. Clients connecting through the proxy
//! must be configured to trust the CA certificate, or certificate validation
//! errors must be explicitly ignored.

#[cfg(feature = "rcgen_ca")]
mod rcgen_authority;

use product_os_http::uri::Authority;
use product_os_utilities::ProductOSError;
use std::{future::Future, sync::Arc};
use tokio_rustls::rustls::ServerConfig;

#[cfg(feature = "rcgen_ca")]
pub use rcgen_authority::*;

/// Time-to-live for generated certificates in seconds (1 year).
const TTL_SECS: i64 = 365 * 24 * 60 * 60;

/// Cache TTL for certificate configs - half the certificate TTL.
const CACHE_TTL: u64 = TTL_SECS as u64 / 2;

/// Issues TLS certificates for use when communicating with clients.
///
/// Implementations of this trait generate [`ServerConfig`] instances containing
/// TLS certificates signed by a trusted CA. The generated certificates are
/// specific to the requested authority (hostname).
///
/// Clients should be configured to either trust the provided root certificate,
/// or to ignore certificate errors.
///
/// # Caching
///
/// Implementations should cache generated certificates to avoid the overhead
/// of generating new certificates for every connection to the same host.
///
/// # Examples
///
/// ```ignore
/// use product_os_proxy::mitm::certificate_authority::CertificateAuthority;
///
/// let config = ca.gen_server_config(&authority).await;
/// // Use config with TlsAcceptor
/// ```
pub trait CertificateAuthority: Send + Sync + 'static {
    /// Generate a [`ServerConfig`] for the given authority (hostname).
    ///
    /// The returned config contains a TLS certificate valid for the specified
    /// authority, signed by this CA's root certificate.
    ///
    /// # Arguments
    ///
    /// * `authority` - The hostname (and optional port) to generate a certificate for
    ///
    /// # Returns
    ///
    /// * `Ok(Arc<ServerConfig>)` - Ready for use with a TLS acceptor
    /// * `Err(ProductOSError)` - Certificate generation or build failed
    fn gen_server_config(
        &self,
        authority: &Authority,
    ) -> impl Future<Output = Result<Arc<ServerConfig>, ProductOSError>> + Send;
}