Merge pull request #7 from staaldraad/mtls

staaldraad · web-flow · commit 56fda6f947f5 · 2020-05-25T18:19:17.000+02:00
Add mTLS to tcpprox
diff --git a/Makefile b/Makefile
@@ -0,0 +1,28 @@
+build:
+	go build -o tcpprox tcpprox.go
+
+run:
+	go run tcpprox.go
+	
+build all:
+	# 32-bit
+	# Linux
+	GOOS=linux GOARCH=386 go build -o tcpprox-linux86
+	sha256sum  tcpprox-linux86 
+	# Windows
+	GOOS=windows GOARCH=386 go build -o tcpprox-win86.exe 
+	sha256sum  tcpprox-win86.exe 
+	# OSX
+	GOOS=darwin GOARCH=386 go build -o tcpprox-osx86
+	sha256sum  tcpprox-osx86
+
+	# 64-bit
+	# Linux
+	GOOS=linux GOARCH=amd64 go build -o tcpprox-linux64
+	sha256sum  tcpprox-linux64      
+	# Windows
+	GOOS=windows GOARCH=amd64 go build -o tcpprox-win64.exe  
+	sha256sum  tcpprox-win64.exe
+ 	# OSX
+	GOOS=darwin GOARCH=amd64 go build -o tcpprox-osx64
+	sha256sum  tcpprox-osx64
diff --git a/README.md b/README.md
@@ -10,27 +10,65 @@ _The command line arguments have precidence and override the config file_
 
 To create a TLS proxy using the supplied config file:
 
-`tcpprox -s -c config.json -r 172.16.0.12:4550`
+```
+tcpprox -s -c config.json -r 172.16.0.12:4550
+```
 
 To create a normal TCP proxy,  no config file:
 
-`tcpprox -l 0.0.0.0 -p 8081 -r 172.16.0.12:8081`
+```
+tcpprox -l 0.0.0.0 -p 8081 -r 172.16.0.12:8081
+```
+
+To specify a custom certificate to use (PEM format) you can use the -cert and -key options (must be used together):
 
-To specify a custom certificate to use (PEM format) you can use the -cert option:
+___Note (breaking change)__ for previous versions of tcpprox, the `-cert` and `-key` arguments were combined into one argument `-cert`. This previous arg would take the supplied value and automatically append **.pem** and **.key**. This is no longer the case and the supplied filepaths for `-cert` and `-key` must be complete and for valid, matching files._   
 
-`tcpprox -s -c config.json -cert server`
+```
+tcpprox -s -c config.json -cert server.pem -key server.key
+```
 
-Where server is the prefix to server.pem and server.key (I'm lazy...)
 To generate valid certificate and key:
 
-`
+```
 openssl genrsa -out server.key 2048
 openssl req -new -x509 -key server.key -out server.pem -days 3650
-`
+```
+
 To convert the certificate to DER format:
 
-`openssl x509 -in server.pem -out server.crt -outform der`
+```
+openssl x509 -in server.pem -out server.crt -outform der
+```
+
+
+## mTLS
+
+If proxying a connection where the upstream server uses mTLS, tcpprox can be configured to use mTLS to authenticate.
+
+```
+tcpprox -s -c config.json -cert server.pem -key server.key -clientCert client.pem -clientKey client.key
+```
+
+The application that is being proxied through tcpprox does not have to supply a client certificate (although it can). 
+
+This allows for either:
+
+```
+client <---TLS---> tcpprox <---mTLS---> server
+```
+
+or
+
+```
+client <---mTLS---> tcpprox <---mTLS---> server
+```
+
+Tcpprox will allow both types of connections through, as long as tcpprox is able to use mTLS to connect to the server, the client is oblivious of what is happening upstream.
+
+## Config File
 
+The config file can be used instead of supplying all information on the command line. The options specified in the file will be overwritten by any matching command line arguments. This allows for using a config file and overriding one or more options for testing / variation between hosts.
 
 # Using Docker
 
diff --git a/config.json b/config.json
@@ -7,5 +7,8 @@
             "Org":["Staaldraad"],
             "CommonName":"*.domain.com"
     },
-    "Certfile":""
+    "CACertFile":"",
+    "CAKeyFile":"",
+    "ClientCertFile":"",
+    "ClientKeyFile":"" 
 }
diff --git a/tcpprox.go b/tcpprox.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/big"
 	"net"
 	"os"
@@ -25,11 +26,14 @@ type TLS struct {
 }
 
 type Config struct {
-	Remotehost string
-	Localhost  string
-	Localport  int
-	TLS        *TLS
-	CertFile   string ""
+	Remotehost     string `json:"remotehost"`
+	Localhost      string `json:"localhost"`
+	Localport      int    `json:"localport"`
+	TLS            *TLS   `json:"TLS"`
+	CACertFile     string `json:"CACertFile"`
+	CAKeyFile      string `json:"CAKeyFile"`
+	ClientCertFile string `json:"ClientCertFile"` // client cert for mTLS
+	ClientKeyFile  string `json:"ClientKeyFile"`  // client priv key for mTLS
 }
 
 var config Config
@@ -47,9 +51,9 @@ func genCert() ([]byte, *rsa.PrivateKey) {
 		NotAfter:              time.Now().AddDate(10, 0, 0),
 		SubjectKeyId:          []byte{1, 2, 3, 4, 5},
 		BasicConstraintsValid: true,
-		IsCA:        true,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		IsCA:                  true,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 	}
 
 	priv, _ := rsa.GenerateKey(rand.Reader, 1024)
@@ -83,12 +87,22 @@ func handleConnection(conn net.Conn, isTLS bool) {
 
 	if isTLS == true {
 		conf := tls.Config{InsecureSkipVerify: true}
+
+		if config.ClientKeyFile != "" { //use mtls
+			cert, err := tls.LoadX509KeyPair(config.ClientCertFile, config.ClientKeyFile)
+			if err != nil {
+				log.Fatal(err)
+			}
+			conf.Certificates = []tls.Certificate{cert}
+		}
+
 		connR, err = tls.Dial("tcp", config.Remotehost, &conf)
 	} else {
 		connR, err = net.Dial("tcp", config.Remotehost)
 	}
 
 	if err != nil {
+		log.Fatal(err)
 		return
 	}
 
@@ -121,20 +135,36 @@ func startListener(isTLS bool) {
 	var cert tls.Certificate
 
 	if isTLS == true {
-		if config.CertFile != "" {
-			cert, _ = tls.LoadX509KeyPair(fmt.Sprint(config.CertFile, ".pem"), fmt.Sprint(config.CertFile, ".key"))
+		if config.CACertFile != "" {
+			cert, _ = tls.LoadX509KeyPair(fmt.Sprint(config.CACertFile), fmt.Sprint(config.CAKeyFile))
 		} else {
-            fmt.Println("[*] Generating cert")
+			fmt.Println("[*] Generating cert")
 			ca_b, priv := genCert()
 			cert = tls.Certificate{
 				Certificate: [][]byte{ca_b},
 				PrivateKey:  priv,
 			}
 		}
 
+		// we don't have to set mTLS on the listener, it will simply accept connection with or
+		// without the client supplying a cert. The mTLS part happens with the connection to the
+		// upstream host
 		conf := tls.Config{
 			Certificates: []tls.Certificate{cert},
 		}
+
+		/* optional to add mTLS on the listener side
+		if config.ClientKeyFile != "" {
+			caCert, err := ioutil.ReadFile(config.ClientKeyFile)
+			if err != nil {
+				log.Fatal(err)
+			}
+			caCertPool := x509.NewCertPool()
+			caCertPool.AppendCertsFromPEM(caCert)
+			conf.ClientCAs = caCertPool
+			conf.ClientAuth = tls.RequireAndVerifyClientCert
+		} */
+
 		conf.Rand = rand.Reader
 
 		conn, err = tls.Listen("tcp", fmt.Sprint(config.Localhost, ":", config.Localport), &conf)
@@ -161,7 +191,7 @@ func startListener(isTLS bool) {
 	conn.Close()
 }
 
-func setConfig(configFile string, localPort int, localHost, remoteHost string, certFile string) {
+func setConfig(configFile string, localPort int, localHost, remoteHost string, caCertFile, caKeyFile string, clientCertFile, clientKeyFile string) {
 	if configFile != "" {
 		data, err := ioutil.ReadFile(configFile)
 		if err != nil {
@@ -177,8 +207,14 @@ func setConfig(configFile string, localPort int, localHost, remoteHost string, c
 		config = Config{TLS: &TLS{}}
 	}
 
-	if certFile != "" {
-		config.CertFile = certFile
+	if caCertFile != "" {
+		config.CACertFile = caCertFile
+		config.CAKeyFile = caKeyFile
+	}
+
+	if clientCertFile != "" {
+		config.ClientCertFile = clientCertFile
+		config.ClientKeyFile = clientKeyFile
 	}
 
 	if localPort != 0 {
@@ -198,11 +234,24 @@ func main() {
 	remoteHostPtr := flag.String("r", "", "Remote Server address host:port")
 	configPtr := flag.String("c", "", "Use a config file (set TLS ect) - Commandline params overwrite config file")
 	tlsPtr := flag.Bool("s", false, "Create a TLS Proxy")
-	certFilePtr := flag.String("cert", "", "Use a specific certificate file")
+	caCertFilePtr := flag.String("cert", "", "Use a specific ca cert file")
+	caKeyFilePtr := flag.String("key", "", "Use a specific ca key file (must be set if --cert is set")
+	clientCertPtr := flag.String("clientCert", "", "A public client cert to use for mTLS")
+	clientKeyPtr := flag.String("clientKey", "", "A public client key to use for mTLS")
 
 	flag.Parse()
 
-	setConfig(*configPtr, *localPort, *localHost, *remoteHostPtr, *certFilePtr)
+	if *caCertFilePtr != "" && *caKeyFilePtr == "" {
+		fmt.Println("[x] -key is required when -cert is set")
+		os.Exit(1)
+	}
+
+	if *clientCertPtr != "" && *clientKeyPtr == "" {
+		fmt.Println("[x] -clientKey is required when -clientCert is set")
+		os.Exit(1)
+	}
+
+	setConfig(*configPtr, *localPort, *localHost, *remoteHostPtr, *caCertFilePtr, *caKeyFilePtr, *clientCertPtr, *clientKeyPtr)
 
 	if config.Remotehost == "" {
 		fmt.Println("[x] Remote host required")
