create_example_certs.sh
#!/bin/bash
# Copyright (c) 2018 Denis Trofimov ([email protected])
# Distributed under the MIT License.
# See accompanying file LICENSE.md or copy at http://opensource.org/licenses/MIT
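set -ev
# Creates a throwaway private CA, a leaf certificate for https://localhost and
# DH parameters in ../assets/certs. Development use only: the private keys are
# written to disk next to the certificates, and the CA is trusted on this
# machine alone.
#
# Trust the CA in the browser before testing, e.g. Chromium:
#   Settings -> (Advanced) Manage Certificates -> Import -> 'rootCA.pem'
# (this script writes rootCA.pem; there is no server_rootCA.pem)
# Read https://robmclarty.com/blog/how-to-secure-your-web-app-using-https-with-letsencrypt
# Read https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec
# Read https://maxrival.com/sozdaniie-dh-diffie-hellman-siertifikata/
pushd ../assets/certs
# Clean old material. `rm -f` stays quiet under `set -e` when a pattern matches
# nothing. The .srl serial file is removed too: reusing an old serial with a
# freshly generated CA makes browsers reject the new leaf as a duplicate.
rm -f server.csr.cnf v3.ext
rm -f ./*.key ./*.pem ./*.crt ./*.csr ./*.srl
# Subject for the server CSR. Every value except CN is a placeholder.
cat << EOF > server.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=admin@example.com
CN = localhost
EOF
# X.509 v3 extensions for the leaf. Modern clients ignore CN and match the host
# against subjectAltName, and require extendedKeyUsage=serverAuth on TLS server
# certificates, so both are set. The loopback IP is included so that
# https://127.0.0.1 validates as well as https://localhost.
cat << EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
# Root CA key. It is passphrase-protected (-des3): openssl prompts for the
# passphrase here and again each time the key is used below.
openssl genrsa -des3 -out rootCA.key 2048
# Self-signed root certificate. No -subj is given, so openssl prompts for the
# subject interactively. A long validity is fine for a private root; the
# 825-day limit enforced by clients applies to the leaf, not the CA.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 10000 -out rootCA.pem
# https://forum.seafile.com/t/tutorial-for-a-complete-certificate-chain-with-your-own-certificate-authority-ca/124
# Diffie-Hellman parameters for the server. 4096-bit generation is slow (minutes).
openssl dhparam -out dh.pem 4096
# Leaf certificate for localhost.
# server.csr.cnf supplies the subject so nothing is typed on the command line;
# v3.ext supplies the extensions so the result is an X.509 v3 certificate.
# Unencrypted (-nodes) server key in server.key, CSR in server.csr.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
# Sign the CSR with the root CA. Leaf validity is capped at 825 days: some
# client TLS stacks (Apple's since 2019, for example) reject TLS server
# certificates that are valid for longer, even when issued by a locally
# trusted CA, and a 10000-day leaf then fails with an opaque trust error.
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile v3.ext
# Private keys readable by the owner only.
chmod 400 server.key
chmod 400 rootCA.key
# Check certs https://gist.github.com/webtobesocial/5313b0d7abc25e06c2d78f8b767d4bc3
# The CA file is rootCA.pem (this script never produces rootCA.crt).
# Both must print "OK":
openssl verify -CAfile rootCA.pem rootCA.pem
openssl verify -CAfile rootCA.pem server.crt
# Must fail: server.crt is not a CA and cannot vouch for itself. The leading
# "!" inverts the status so `set -e` does not abort on the expected failure
# and the script exits 0 only if the negative check really failed.
! openssl verify -CAfile server.crt server.crt
popd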
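/* Load a signed certificate, its private key and DH parameters into the ssl
   context, and configure the context for use with a server.

   cert         PEM-encoded certificate chain (leaf first). This is the file
                CONTENTS, not a path: it is handed to OpenSSL as a buffer.
   key          PEM-encoded private key matching the leaf certificate.
   dh           PEM-encoded Diffie-Hellman parameters.
   certPassword Passphrase for `key`, empty if the key is not encrypted. It is
                returned to OpenSSL from the password callback.

   Returns true when every step succeeded; false after logging the first
   failure, in which case the context is only partially configured and must
   not be used for connections.

   For a browser or the OS to accept the server, the CA that signed `cert`
   (rootCA.pem from create_example_certs.sh) must be imported into the local
   certificate store.

   Security: none of the PEM inputs is written to the log. The private key is
   a secret, and the earlier "TODO" dumps of cert/key/dh copied it in plain
   text into whatever collects LOG output (files, journald, log shippers).
*/
static bool loadSSLContext(boost::asio::ssl::context& ctx, const std::string& cert,
                           const std::string& key, const std::string& dh,
                           const std::string& certPassword) {
  boost::system::error_code ec;
  // Password callback. The passphrase is captured by value so the closure
  // stays valid after the caller's string is gone; OpenSSL may invoke it
  // later than this call (when the key is parsed below).
  ctx.set_password_callback(
      [certPassword](std::size_t /*max_length*/,
                     boost::asio::ssl::context_base::password_purpose) {
        return certPassword;
      },
      ec);
  if (ec) {
    LOG(WARNING) << "loadSSLContext: set_password_callback error: " << ec.message();
    return false;
  }
  // Protocol floor: SSLv2/SSLv3 are broken and TLS 1.0/1.1 are deprecated
  // (RFC 8996), so only TLS 1.2+ is left negotiable. `no_tlsv1_1` needs
  // Boost >= 1.64 (the file references the 1.66 docs). `single_dh_use` makes
  // OpenSSL derive a fresh DH private value per handshake instead of reusing
  // one for the lifetime of the context.
  ctx.set_options(boost::asio::ssl::context::default_workarounds |
                      boost::asio::ssl::context::no_sslv2 |
                      boost::asio::ssl::context::no_sslv3 |
                      boost::asio::ssl::context::no_tlsv1 |
                      boost::asio::ssl::context::no_tlsv1_1 |
                      boost::asio::ssl::context::single_dh_use,
                  ec);
  if (ec) {
    LOG(WARNING) << "loadSSLContext: ctx.set_options error: " << ec.message();
    return false;
  }
  // Chain first, then key: OpenSSL checks that the key matches the loaded
  // certificate when the key is installed.
  ctx.use_certificate_chain(boost::asio::buffer(cert.data(), cert.size()), ec);
  if (ec) {
    LOG(WARNING) << "loadSSLContext: use_certificate_chain error: " << ec.message();
    return false;
  }
  ctx.use_private_key(boost::asio::buffer(key.data(), key.size()),
                      boost::asio::ssl::context::file_format::pem, ec);
  if (ec) {
    // Deliberately no dump of `key` here or on success: it is the secret.
    LOG(WARNING) << "loadSSLContext: use_private_key error: " << ec.message();
    return false;
  }
  ctx.use_tmp_dh(boost::asio::buffer(dh.data(), dh.size()), ec);
  if (ec) {
    LOG(WARNING) << "loadSSLContext: use_tmp_dh error: " << ec.message();
    return false;
  }
  return true;
}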
// ...
// see https://www.boost.org/doc/libs/1_66_0/libs/beast/example/common/server_certificate.hpp
// TLS context shared by the server's connections. `sslv23` is the
// version-flexible method (presumably TLS_method under OpenSSL 1.1+); the
// lowest protocol actually offered is governed by the options loadSSLContext
// sets on it, not by this constructor argument.
boost::asio::ssl::context sslCtx_{boost::asio::ssl::context::sslv23};
// Load the certificate, private key and DH parameters. loadSSLContext takes
// PEM contents as buffers, so serverConfig.cert_/key_/dh_ are expected to hold
// the file data, not paths — verify against the serverConfig loader. With
// create_example_certs.sh the certificate is signed by the local root CA
// rather than self-signed, and that CA must be trusted by the client.
// isCertsValid is false if any step failed; the context must not be used then.
bool isCertsValid = loadSSLContext(sslCtx_, serverConfig.cert_, serverConfig.key_,
serverConfig.dh_, serverConfig.certPass_);
klasing commented Jun 29, 2019

What type is the variable with the name serverConfig?
