1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
/* Part of SWI-Prolog
Author: Jan Wielemaker
E-mail: J.Wielemaker@vu.nl
WWW: http://www.swi-prolog.org
This demo code is released in the _public domain_, which implies
you may copy, modify and reuse this code without restriction.
*/
:- module(https,
[ http_download/2, % +URL, -String
http_server/1, % ?Port
https_server/1, % ?Port
https_server_with_client_cert/1, % ?Port
http_client/2, % +Port, +Page
https_client/2, % +Port, +Page
https_client_with_client_cert/2 % +Port, +Page
]).
% Include our dependencies. The conditions are to accomodate for
% different locations of some of the files in the source tree and
% examples tree.
:- prolog_load_context(directory, D),
atom_concat(D, '/..', DD),
asserta(user:file_search_path(library, DD)).
:- if(exists_source(library(http/examples/demo_body))).
:- use_module(library(http/examples/demo_body)). % location in source tree
:- elif(exists_source(swi(doc/packages/examples/http/demo_body))).
:- use_module(swi(doc/packages/examples/http/demo_body)).
:- else.
:- use_module(library(http/demo_body)). % location in demo tree
:- endif.
:- use_module(library(http/thread_httpd)).
:- if(exists_source(library(http/http_ssl_plugin))).
:- use_module(library(http/http_ssl_plugin)).
:- else.
:- use_module(http_ssl_plugin).
:- endif.
:- use_module(library(debug)).
/** <module> Demo HTTPS server
This demo illustrates how to use the SSL library for dealing with HTTPS.
It provides examples for simple download of HTTPS documents from the web
and provides demo code for several HTTPS servers and corresponding
client code using (self-signed) certificates. The certificates are
provided in the `etc` directory. These certificates are the same
certificates that are used for testing the SSL library. You may use them
for testing purposes, but you should not use them for your own services
because the private key is not so private.
This demo implements three different servers:
- http_server/1 implements a typical HTTP server.
- https_server/1 implements a typical HTTPS server.
- https_server_with_client_cert/1 implements a server that asks
The startup sequence to run the server at port 1443 is shown below.
Directing your browser to the indicated URL should cause your browser to
warn you about an untrusted certificate. After accepting you can use the
simple demo through HTTPS.
==
$ swipl https.pl
...
?- https_server(1443).
% Started server at https://localhost:1443/
true.
==
The demo is primarily intended to access from a browser, but at the
bottom of this file are predicates to access the server from Prolog. The
first argument is the port and must be the same as the value returned by
or given to the *_server predicate. The second is the location on the
server, e.g., `/`, `/quit`, `/env`, etc.
- http_client/2 accesses http_server/1.
- https_client/2 accesses https_server/1.
- https_client_with_client_cert/2 accesses https_server_with_client_cert/1.
An example session is given below. Now that you can either run the
client calls from the Prolog window in which you started the server or
load this file into another Prolog.
==
?- https_client(1443, '/quit').
Bye Bye
true.
==
*/
%! http_download(+URL, -Data) is det.
%
% Download data from an HTTP or HTTPS server. If HTTPS is used,
% the certificate is verified by the system's root certificate
% store. This means you cannot download from servers using
% self-signed certificates, but you can download from proper
% public websites with official authorized keys. For example:
%
% ==
% ?- http_download('https://raw.githubusercontent.com\c
% /SWI-Prolog/packages-ssl/master/README.md',
% String).
% ==
http_download(URL, String) :-
http_open(URL, In, []),
call_cleanup(
read_string(In, _, String),
close(In)).
%! http_server(?Port) is det.
%
% Our baseline is a plain HTTP server. No HTTPS involved here. We
% give it for the case you want to do timing and other experiments
% comparing the HTTP with HTTPS.
http_server(Port) :-
http_server(reply,
[ port(Port)
]).
%! https_server(?Port) is det.
%
% Start an HTTPS demo server at Port. Compared to a normal HTTP
% server, this requires two additional SSL components:
%
% 1. The server certificate. This is basically a public
% key, so there is no need to keep this secret.
% 2. The server private key. If someone manages to grab
% this key, he can setup a server that claims to be you.
% There are two ways to protect it. One is to make sure
% the file cannot be obtained and the other is to protect
% it using a password and make sure that the password is
% kept secret. Our server uses a password, but it is not
% very secret. See also the `pem_password_hook` option
% of ssl_context/3.
%
% Note that anyone can access this server. You can implement HTTP
% authentication or cookie based password login in the application
% to realise a safe login procedure where attackers cannot easily
% steal the HTTP authentication token or cookie.
https_server(Port) :-
http_server(reply,
[ port(Port),
ssl([ certificate_file('etc/server/server-cert.pem'),
key_file('etc/server/server-key.pem'),
password("apenoot1")
])
]).
%! https_server_with_client_cert(?Port)
%
% Our second server is a setup that is typically used for
% administrative tasks where users are handed a certificate to
% login. In our example, we use the client certificate and private
% key that can be found in etc/client. First of all, we need to
% combine these into a `.p12` (PKCS12) file. This is done using
% `openssl` as below. We provide the .p12 file for your
% convenience.
%
% ==
% $ openssl pkcs12 -export \
% -inkey client-key.pem -in client-cert.pem \
% -name jan -out client-cert.p12
% Enter pass phrase for client-key.pem: apenoot2
% Enter Export Password: secret
% ==
%
% Next, import `client-cert.p12` into your browser. For firefox,
% this is in Edit/Preference/Advanced/View Certificates/Import.
% When requested for the password, enter "secret".
https_server_with_client_cert(Port) :-
http_server(reply,
[ port(Port),
ssl([ certificate_file('etc/server/server-cert.pem'),
key_file('etc/server/server-key.pem'),
password("apenoot1"),
peer_cert(true),
cacert_file('etc/demoCA/cacert.pem'),
cert_verify_hook(client_cert_verify)
])
]).
%! client_cert_verify(+SSL,
%! +ProblemCert, +AllCerts, +FirstCer,
%! +Error) is semidet.
%
% This hook is called for validating the peer certificate. The
% certificate has already been validated against the known _root
% certificates_ and Error either contains `verified` to indicate
% that this part of the validation was successful or a message
% from OpenSSL indicating why it did not verify. The certificate
% is accepted if this hook succeeds, regardless of the initial
% verification. If this hook is not defined, certificates that
% verify against the root certificates are accepted and others are
% rejected, i.e., the default implementation behaves as `Error ==
% verified`.
% :- debug(cert_verify_hook).
:- public
client_cert_verify/5.
client_cert_verify(_SSL, _Problem, _AllCerts, First, Error) :-
debug(cert_verify_hook,
'Handling client certificate verification~n\c
Certificate: ~p, error: ~w~n', [First, Error]).
/*******************************
* CLIENTS *
*******************************/
:- use_module(library(http/http_open)).
%! http_client(+Port, +Page) is det.
%
% Access the server created with http_server/1. Note that the only
% significant difference to https_client/2 is the URL scheme
% (`http` vs. `https`.
http_client(Port, Page) :-
format(atom(URL), 'http://localhost:~d~w', [Port, Page]),
http_open(URL, In,
[
]),
copy_stream_data(In, current_output),
close(In).
%! https_client(+Port, +Page) is det.
%
% Access the server created with https_server/1. Note that, as we
% are using a self-signed certificate, we pass our own root
% certificate instead of using the system one.
https_client(Port, Page) :-
format(atom(URL), 'https://localhost:~d~w', [Port, Page]),
http_open(URL, In,
[ cacert_file('etc/demoCA/cacert.pem')
]),
copy_stream_data(In, current_output),
close(In).
%! https_client_with_client_cert(+Port, +Page) is det.
%
% Access the server created with https_server_with_client_cert/1,
% providing our client certificate.
https_client_with_client_cert(Port, Page) :-
format(atom(URL), 'https://localhost:~d~w', [Port, Page]),
http_open(URL, In,
[ cacert_file('etc/demoCA/cacert.pem'),
certificate_file('etc/client/client-cert.pem'),
key_file('etc/client/client-key.pem'),
password('apenoot2')
]),
copy_stream_data(In, current_output),
close(In).
|
