From f85952ddf4d2c36d26d2a8df661c6ef8f85b9548 Mon Sep 17 00:00:00 2001
From: Vladimir Pouzanov
Date: Fri, 4 Feb 2022 13:38:45 +0000
Subject: [PATCH 1/3] Add Sec1 EC key support

Signed-off-by: Vladimir Pouzanov
---
 kube-client/src/client/tls.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kube-client/src/client/tls.rs b/kube-client/src/client/tls.rs
index ce98379c1..bdfe744fb 100644
--- a/kube-client/src/client/tls.rs
+++ b/kube-client/src/client/tls.rs
@@ -107,6 +107,10 @@ pub mod rustls_tls {
         #[error("invalid private key: {0}")]
         InvalidPrivateKey(#[source] rustls::Error),
 
+        /// Unknown private key format
+        #[error("unknown private key format")]
+        UnknownPrivateKeyFormat,
+
         // Using type-erased error to avoid depending on webpki
         /// Failed to add a root certificate
         #[error("failed to add a root certificate: {0}")]
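Review bot: The doc comment on the new `UnknownPrivateKeyFormat` variant does not say what triggers it, unlike the neighbouring variants which name the failing operation. As it is used in the second hunk of this patch it is returned for any PEM item that is not a certificate or one of the three recognised key encodings, whether or not that item is a key, so a caller reading "unknown private key format" may look in the wrong place. Suggest `/// The identity PEM contained an item that is neither a certificate nor a PKCS#8, PKCS#1 (RSA) or SEC 1 (EC) private key`. The enum this variant belongs to starts and ends outside the hunk.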
@@ -153,25 +157,25 @@ pub mod rustls_tls {
         Ok(root_store)
     }
 
-    // TODO Support EC Private Key to support k3d. Need to convert to PKCS#8 or RSA (PKCS#1).
-    // `openssl pkcs8 -topk8 -nocrypt -in ec.pem -out pkcs8.pem`
-    // https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations#EC_Private_Key_File_Formats
     fn client_auth(data: &[u8]) -> Result<(Vec, PrivateKey), Error> {
         use rustls_pemfile::Item;
 
         let mut cert_chain = Vec::new();
         let mut pkcs8_key = None;
         let mut rsa_key = None;
+        let mut ec_key = None;
         let mut reader = std::io::Cursor::new(data);
         for item in rustls_pemfile::read_all(&mut reader).map_err(Error::InvalidIdentityPem)? {
             match item {
                 Item::X509Certificate(cert) => cert_chain.push(Certificate(cert)),
                 Item::PKCS8Key(key) => pkcs8_key = Some(PrivateKey(key)),
                 Item::RSAKey(key) => rsa_key = Some(PrivateKey(key)),
+                Item::ECKey(key) => ec_key = Some(PrivateKey(key)),
+                _ => return Err(Error::UnknownPrivateKeyFormat),
             }
         }
 
-        let private_key = pkcs8_key.or(rsa_key).ok_or(Error::MissingPrivateKey)?;
+        let private_key = pkcs8_key.or(rsa_key).or(ec_key).ok_or(Error::MissingPrivateKey)?;
         if cert_chain.is_empty() {
             return Err(Error::MissingCertificate);
         }

From c16489611641129bff80931e073b572e92b51951 Mon Sep 17 00:00:00 2001
From: Vladimir Pouzanov
Date: Sat, 5 Feb 2022 17:19:31 +0000
Subject: [PATCH 2/3] Bump rustls-pemfile to the verson that supports Sec1 EC keys

Signed-off-by: Vladimir Pouzanov
---
 kube-client/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
index 6cba40a90..009ab85df 100644
--- a/kube-client/Cargo.toml
+++ b/kube-client/Cargo.toml
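Review bot: The new `_ => return Err(Error::UnknownPrivateKeyFormat)` arm fails the whole identity on the first `Item` the match does not name, which is broader than the variant name suggests: the arm is presumably there because `rustls_pemfile::Item` is non-exhaustive, so it will also fire for any non-key item a later rustls-pemfile release starts returning. Failing closed on unrecognised material is a defensible choice when loading client credentials, but it should be deliberate and visible, e.g. `// Item is non-exhaustive: fail closed on anything we do not recognise rather than silently drop it.` above the arm. The extended precedence `pkcs8_key.or(rsa_key).or(ec_key)` also means an identity PEM carrying more than one key silently picks one and never reports the ambiguity, which deserves a sentence in the function's doc. Neither patch in the series adds a test fixture, so the SEC 1 path is unexercised; a unit test feeding an `EC PRIVATE KEY` PEM plus certificate through `client_auth` and asserting `Ok` would pin it. `client_auth`'s closing lines are outside the hunk.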
@@ -53,7 +53,7 @@ pem = { version = "1.0.1", optional = true }
 openssl = { version = "0.10.36", optional = true }
 tokio-native-tls = { version = "0.3.0", optional = true }
 rustls = { version = "0.20.1", features = ["dangerous_configuration"], optional = true }
-rustls-pemfile = { version = "0.2.1", optional = true }
+rustls-pemfile = { version = "0.3.0", optional = true }
 bytes = { version = "1.1.0", optional = true }
 tokio = { version = "1.14.0", features = ["time", "signal", "sync"], optional = true }
 kube-core = { path = "../kube-core", version = "^0.68.0"}

From 5f2cc4910c0e58f194384dfed41b4097b3a67065 Mon Sep 17 00:00:00 2001
From: Vladimir Pouzanov
Date: Sun, 13 Feb 2022 17:44:16 +0000
Subject: [PATCH 3/3] Bump rustls to the verson that supports Sec1 EC keys

Signed-off-by: Vladimir Pouzanov
---
 kube-client/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
index 009ab85df..41792745a 100644
--- a/kube-client/Cargo.toml
+++ b/kube-client/Cargo.toml
@@ -52,7 +52,7 @@ futures = { version = "0.3.17", optional = true }
 pem = { version = "1.0.1", optional = true }
 openssl = { version = "0.10.36", optional = true }
 tokio-native-tls = { version = "0.3.0", optional = true }
-rustls = { version = "0.20.1", features = ["dangerous_configuration"], optional = true }
+rustls = { version = "0.20.3", features = ["dangerous_configuration"], optional = true }
 rustls-pemfile = { version = "0.3.0", optional = true }
 bytes = { version = "1.1.0", optional = true }
 tokio = { version = "1.14.0", features = ["time", "signal", "sync"], optional = true }