Simplified examples

ancwrd1 · ancwrd1 · commit c40afb717bec · 2026-02-09T19:12:19.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,7 +23,6 @@ bitflags = "2"
 windows-sys = { version = "0.61", features = ["Win32_Foundation", "Win32_Security_Cryptography"] }
 
 [dev-dependencies]
-clap = { version = "4", default-features = false, features = ["std", "derive", "help"] }
 rustls-aws-lc-rs = { git = "https://github.com/rustls/rustls.git" }
 rustls-util = { git = "https://github.com/rustls/rustls.git" }
 rustls-native-certs = "0.8"
diff --git a/examples/client.rs b/examples/client.rs
@@ -2,11 +2,9 @@ use std::{
     hash::Hasher,
     io::{Read, Write},
     net::{Shutdown, TcpStream},
-    path::PathBuf,
     sync::Arc,
 };
 
-use clap::Parser;
 use rustls::{
     ClientConfig, RootCertStore,
     client::{ClientCredentialResolver, CredentialRequest},
@@ -16,7 +14,7 @@ use rustls::{
 };
 use rustls_cng::{
     signer::CngSigningKey,
-    store::{CertStore, CertStoreType, Pkcs12Flags},
+    store::{CertStore, CertStoreType},
 };
 use rustls_util::Stream;
 
@@ -26,7 +24,6 @@ const PORT: u16 = 8000;
 pub struct ClientCertResolver {
     store: CertStore,
     cert_name: String,
-    pin: Option<String>,
 }
 
 fn get_chain(
@@ -37,7 +34,7 @@ fn get_chain(
     let context = contexts
         .first()
         .ok_or_else(|| std::io::Error::other("No client cert"))?;
-    let key = context.acquire_key(true)?;
+    let key = context.acquire_key(false)?;
     let signing_key = CngSigningKey::new(key)?;
     let chain = context.as_chain_der()?.into_iter().map(Into::into).collect();
     Ok((chain, signing_key))
@@ -47,9 +44,6 @@ impl ClientCredentialResolver for ClientCertResolver {
     fn resolve(&self, server_hello: &CredentialRequest) -> Option<SelectedCredential> {
         println!("Server sig schemes: {:?}", server_hello.signature_schemes());
         let (chain, signing_key) = get_chain(&self.store, &self.cert_name).ok()?;
-        if let Some(ref pin) = self.pin {
-            signing_key.key().set_pin(pin).ok()?;
-        }
         Credentials::new_unchecked(Arc::new(Identity::from_cert_chain(chain).ok()?), Box::new(signing_key))
             .signer(server_hello.signature_schemes())
     }
@@ -61,69 +55,34 @@ impl ClientCredentialResolver for ClientCertResolver {
     fn hash_config(&self, _: &mut dyn Hasher) {}
 }
 
-#[derive(Parser)]
-#[clap(name = "rustls-client-sample")]
-struct AppParams {
-    #[clap(short = 'c', long = "ca-cert", help = "CA cert name to verify the peer certificate")]
-    ca_cert: Option<String>,
-
-    #[clap(short = 'k', long = "keystore", help = "Use external PFX keystore")]
-    keystore: Option<PathBuf>,
-
-    #[clap(short = 'p', long = "password", help = "Keystore password or token pin")]
-    password: Option<String>,
-
-    #[clap(short = 's', long = "server-name", help = "Server name for TLS SNI extension")]
-    server_name: Option<String>,
-
-    #[clap(short = 'l', long = "client-cert", help = "Client cert name for client auth")]
-    client_cert: Option<String>,
-
-    #[clap(help = "Server address")]
-    server_address: String,
-}
-
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let params: AppParams = AppParams::parse();
-
-    let store = if let Some(ref keystore) = params.keystore {
-        let data = std::fs::read(keystore)?;
-        CertStore::from_pkcs12(
-            &data,
-            params.password.as_deref().unwrap_or_default(),
-            Pkcs12Flags::default(),
-        )?
-    } else {
-        CertStore::open(CertStoreType::CurrentUser, "my")?
-    };
+    let args = std::env::args().collect::<Vec<_>>();
+    if args.len() < 2 {
+        println!("Usage: {} <sni-name> [client-cert-name]", args[0]);
+        return Ok(());
+    }
+
+    let store = CertStore::open(CertStoreType::CurrentUser, "my")?;
 
     let mut root_store = RootCertStore::empty();
     root_store.add_parsable_certificates(rustls_native_certs::load_native_certs().certs);
 
-    if let Some(ca_cert) = params.ca_cert {
-        let ca_cert_context = store.find_by_subject_str(&ca_cert)?;
-        let ca_cert = ca_cert_context.first().unwrap();
-
-        root_store.add(ca_cert.as_der().into())?;
-    }
-
     let builder =
         ClientConfig::builder(Arc::new(rustls_aws_lc_rs::DEFAULT_PROVIDER)).with_root_certificates(root_store);
 
-    let client_config = Arc::new(if let Some(client_cert) = params.client_cert {
+    let client_config = Arc::new(if let Some(client_cert) = args.get(2) {
         builder.with_client_credential_resolver(Arc::new(ClientCertResolver {
             store,
             cert_name: client_cert.clone(),
-            pin: params.password.clone(),
         }))?
     } else {
         builder.with_no_client_auth()?
     });
 
-    let server_name = ServerName::try_from(params.server_name.as_deref().unwrap_or(&params.server_address))?.to_owned();
+    let server_name = ServerName::try_from(args[1].as_str())?.to_owned();
 
     let mut connection = client_config.connect(server_name).build()?;
-    let mut client = TcpStream::connect(format!("{}:{}", params.server_address, PORT))?;
+    let mut client = TcpStream::connect(format!("127.0.0.1:{}", PORT))?;
 
     let mut tls_stream = Stream::new(&mut connection, &mut client);
     tls_stream.write_all(b"ping")?;
diff --git a/examples/server.rs b/examples/server.rs
@@ -1,82 +1,64 @@
 use std::{
     io::{Read, Write},
     net::{Shutdown, TcpListener, TcpStream},
-    path::PathBuf,
     sync::Arc,
 };
 
-use clap::Parser;
 use rustls::{
     RootCertStore, ServerConfig, ServerConnection,
     crypto::{Credentials, Identity, SelectedCredential},
     server::{ClientHello, ServerCredentialResolver, WebPkiClientVerifier},
 };
 use rustls_cng::{
     signer::CngSigningKey,
-    store::{CertStore, CertStoreType, Pkcs12Flags},
+    store::{CertStore, CertStoreType},
 };
 use rustls_util::Stream;
 
 const PORT: u16 = 8000;
 
-#[derive(Parser)]
-#[clap(name = "rustls-server-sample")]
-struct AppParams {
-    #[clap(
-        action,
-        short = 'c',
-        long = "ca-cert",
-        help = "CA cert name to verify the peer certificate"
-    )]
-    ca_cert: Option<String>,
-
-    #[clap(action, short = 'k', long = "keystore", help = "Use external PFX keystore")]
-    keystore: Option<PathBuf>,
-
-    #[clap(action, short = 'p', long = "password", help = "Keystore password or card pin")]
-    password: Option<String>,
-}
-
 #[derive(Debug)]
 pub struct ServerCertResolver {
     store: CertStore,
-    pin: Option<String>,
 }
 
 impl ServerCredentialResolver for ServerCertResolver {
     fn resolve(&self, client_hello: &ClientHello) -> Result<SelectedCredential, rustls::Error> {
         println!("Client hello server name: {:?}", client_hello.server_name());
         let name = client_hello
             .server_name()
-            .ok_or_else(|| rustls::Error::NoSuitableCertificate)?;
+            .ok_or_else(|| rustls::Error::NoSuitableCertificate)
+            .inspect_err(|e| println!("{}", e))?;
 
         let contexts = self
             .store
             .find_by_subject_str(name)
-            .map_err(|_| rustls::Error::NoSuitableCertificate)?;
+            .map_err(|_| rustls::Error::NoSuitableCertificate)
+            .inspect_err(|e| println!("{}", e))?;
 
         let (context, key) = contexts
             .into_iter()
             .find_map(|ctx| {
-                let key = ctx.acquire_key(true).ok()?;
-                if let Some(ref pin) = self.pin {
-                    key.set_pin(pin).ok()?;
-                }
+                let key = ctx.acquire_key(false).ok()?;
                 CngSigningKey::new(key).ok().map(|key| (ctx, key))
             })
-            .ok_or_else(|| rustls::Error::NoSuitableCertificate)?;
+            .ok_or_else(|| rustls::Error::NoSuitableCertificate)
+            .inspect_err(|e| println!("{}", e))?;
 
         println!("Key alg group: {:?}", key.key().algorithm_group());
         println!("Key alg: {:?}", key.key().algorithm());
 
         let chain = context
             .as_chain_der()
-            .map_err(|_| rustls::Error::NoSuitableCertificate)?;
+            .map_err(|_| rustls::Error::NoSuitableCertificate)
+            .inspect_err(|e| println!("{}", e))?;
+
         let certs = chain.into_iter().map(Into::into).collect();
 
         Credentials::new_unchecked(Arc::new(Identity::from_cert_chain(certs)?), Box::new(key))
             .signer(client_hello.signature_schemes())
             .ok_or_else(|| rustls::Error::General("No common schemes".to_owned()))
+            .inspect_err(|e| println!("{}", e))
     }
 }
 
@@ -113,39 +95,20 @@ fn accept(server: TcpListener, config: Arc<ServerConfig>) -> Result<(), Box<dyn
 }
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let params: AppParams = AppParams::parse();
-
-    let store = if let Some(ref keystore) = params.keystore {
-        let data = std::fs::read(keystore)?;
-        CertStore::from_pkcs12(
-            &data,
-            params.password.as_deref().unwrap_or_default(),
-            Pkcs12Flags::default(),
-        )?
-    } else {
-        CertStore::open(CertStoreType::CurrentUser, "my")?
-    };
+    let store = CertStore::open(CertStoreType::CurrentUser, "my")?;
 
     let mut root_store = RootCertStore::empty();
     root_store.add_parsable_certificates(rustls_native_certs::load_native_certs().certs);
 
-    if let Some(ca_cert) = params.ca_cert {
-        let ca_cert_context = store.find_by_subject_str(&ca_cert)?;
-        let ca_cert = ca_cert_context.first().unwrap();
-
-        root_store.add(ca_cert.as_der().into())?;
-    }
-
     let verifier = WebPkiClientVerifier::builder(Arc::new(root_store), &rustls_aws_lc_rs::DEFAULT_PROVIDER).build()?;
 
     let server_config = ServerConfig::builder(Arc::new(rustls_aws_lc_rs::DEFAULT_PROVIDER))
         .with_client_cert_verifier(Arc::new(verifier))
-        .with_server_credential_resolver(Arc::new(ServerCertResolver {
-            store,
-            pin: params.password.clone(),
-        }))?;
+        .with_server_credential_resolver(Arc::new(ServerCertResolver { store }))?;
+
+    let server = TcpListener::bind(format!("127.0.0.1:{PORT}"))?;
 
-    let server = TcpListener::bind(format!("0.0.0.0:{PORT}"))?;
+    println!("Listening on port {}", PORT);
 
     // to test: openssl s_client -servername HOSTNAME -connect localhost:8000
     accept(server, Arc::new(server_config))?;
