
Support SEC1 private keys for TLS #2333

Closed
oersted opened this issue Sep 5, 2022 · 2 comments
Labels
request Request for new functionality

Comments

@oersted

oersted commented Sep 5, 2022

Is your feature request motivated by a concrete problem? Please describe.

Currently, Rocket fails to start with a SEC1 format private key.
Error: binding failed: bad TLS private key: invalid key header; supported formats are: RSA, PKCS8

I'm not all that familiar with this standard, but I know that it is the default output of tailscale cert for instance, which is a relatively mainstream tool now.

Support within rustls was added back in Feb and has been out since 0.20.3: rustls/rustls#998

I see that the latest version of Rocket accepts any 0.20.* version of rustls, so I assume that some action is required to use this existing support.

Alternatives Considered

It is fairly trivial to convert SEC1 to PKCS8 manually, so this would merely be a quality-of-life feature.
openssl pkcs8 -topk8 -nocrypt -in sec1.pem -out pkcs8.pem

@oersted oersted added the request Request for new functionality label Sep 5, 2022
@edgarogh
Contributor

edgarogh commented Sep 7, 2022

This is Rocket's fault. Your issue seems tangentially related to #2281 but can be solved completely independently without accounting for this issue (the work will have to get undone though).

The following piece of code rejects any key that doesn't start exactly with a specific line

https://github.com/SergioBenitez/Rocket/blob/b4e1cac7a248c041a132666081ecd664a07b9744/core/http/src/tls/util.rs#L22-L26

And as you guess, elliptic curve keys have their own header (-----BEGIN EC PRIVATE KEY-----), so Rocket rejects them before even attempting to parse them with rustls which understands them.

It should be noted that rustls_pemfile has two specific functions for parsing RSA and PKCS8 (cf. code above) but doesn't have one for EC keys. Supporting it might require a small refactor of this match expression (see rustls_pemfile::read_all for instance). I'm not specifically knowledgeable in cryptography standards in general and there might be an actual reason why "sec1_private_keys" doesn't exist. Research should be done before attempting anything.
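As an added example (not code from Rocket or rustls, and not part of this thread), the following std-only Rust sketches the refactor described in the comment above: split the file into PEM sections by their BEGIN/END label, the way rustls_pemfile::read_all does, and choose the format from that label instead of comparing the first line against two fixed strings. It also cross-checks the label against the DER `version` field (1 for a SEC1 ECPrivateKey, 0 for PKCS#8 PrivateKeyInfo and two-prime PKCS#1 RSAPrivateKey), so a SEC1 body under a PRIVATE KEY header is reported as an error rather than handed to the wrong parser. `first_line_check` reproduces the exact-first-line behaviour the thread attributes to Rocket. The names KeyKind, PemSection, classify, load_private_key and the three PEM constants are this example's own; the PEM bodies are constructed DER skeletons with 4-byte placeholder scalars, not real keys.

```rust
// Added example, not Rocket's or rustls's code: label-driven PEM loading next to
// the exact-first-line check the thread describes. Sample PEMs are constructed.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KeyKind { Rsa, Pkcs8, Sec1 }
pub struct PemSection { pub label: String, pub der: Vec<u8> }

/// Minimal standard base64 decoder: whitespace is skipped, '=' ends the input.
pub fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for &c in s.as_bytes().iter().take_while(|&&c| c != b'=') {
        let v = match c {
            b'A'..=b'Z' => u32::from(c - b'A'),
            b'a'..=b'z' => u32::from(c - b'a') + 26,
            b'0'..=b'9' => u32::from(c - b'0') + 52,
            b'+' => 62,
            b'/' => 63,
            b' ' | b'\t' | b'\r' | b'\n' => continue,
            _ => return Err(format!("invalid base64 byte {:#x}", c)),
        };
        acc = ((acc << 6) | v) & 0xffff; // keep only the bits still unconsumed
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
        }
    }
    Ok(out)
}

/// Splits a PEM file into labelled sections (cf. rustls_pemfile::read_all).
pub fn read_all(pem: &str) -> Result<Vec<PemSection>, String> {
    let (mut sections, mut open, mut body) = (Vec::new(), None::<String>, String::new());
    for line in pem.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            open = Some(rest.strip_suffix("-----").ok_or("malformed BEGIN line")?.to_string());
            body.clear();
        } else if let Some(rest) = line.strip_prefix("-----END ") {
            let label = rest.strip_suffix("-----").ok_or("malformed END line")?;
            match open.take() {
                Some(begin) if begin == label => {
                    sections.push(PemSection { label: begin, der: base64_decode(&body)? })
                }
                other => return Err(format!("END {} does not match {:?}", label, other)),
            }
        } else if open.is_some() {
            body.push_str(line);
        }
    }
    Ok(sections)
}

/// Reads the leading INTEGER `version` inside the outer SEQUENCE: SEC1
/// ECPrivateKey uses 1, PKCS#8 PrivateKeyInfo and two-prime RSAPrivateKey use 0.
pub fn der_version(der: &[u8]) -> Result<u8, String> {
    let len = *der.get(1).filter(|_| der[0] == 0x30).ok_or("not a DER SEQUENCE")?;
    // Long-form length 0x8N: N length bytes precede the content.
    let i = if len & 0x80 != 0 { 2 + usize::from(len & 0x7f) } else { 2 };
    match der.get(i..i + 3) {
        Some([0x02, 0x01, v]) => Ok(*v),
        _ => Err("version is not a one-byte INTEGER".to_string()),
    }
}

/// Label-based dispatch, cross-checked against the DER version. Non-key
/// sections such as CERTIFICATE yield Ok(None) and are skipped by the caller.
pub fn classify(section: &PemSection) -> Result<Option<KeyKind>, String> {
    let (kind, expected) = match section.label.as_str() {
        "RSA PRIVATE KEY" => (KeyKind::Rsa, 0),
        "PRIVATE KEY" => (KeyKind::Pkcs8, 0),
        "EC PRIVATE KEY" => (KeyKind::Sec1, 1),
        _ => return Ok(None),
    };
    match der_version(&section.der)? {
        v if v == expected => Ok(Some(kind)),
        v => Err(format!("{} with DER version {}", section.label, v)),
    }
}

/// The pre-rc.3 behaviour the thread describes: only two exact first lines pass.
pub fn first_line_check(pem: &str) -> bool {
    matches!(pem.lines().next().map(str::trim),
        Some("-----BEGIN RSA PRIVATE KEY-----") | Some("-----BEGIN PRIVATE KEY-----"))
}

pub fn load_private_key(pem: &str) -> Result<KeyKind, String> {
    let mut keys = Vec::new();
    for section in read_all(pem)? {
        keys.extend(classify(&section)?);
    }
    match keys.as_slice() {
        [kind] => Ok(*kind),
        [] => Err("no private key found".to_string()),
        _ => Err("more than one private key in file".to_string()),
    }
}

// Constructed samples (4-byte placeholder scalars, not usable keys): SEC1 =
// SEQUENCE { INTEGER 1, OCTET STRING, [0] OID prime256v1 }; PKCS#8 = SEQUENCE
// { INTEGER 0, AlgorithmIdentifier, OCTET STRING }; PKCS#1 = SEQUENCE { INTEGER 0, ... }.
pub const SEC1_PEM: &str = "-----BEGIN EC PRIVATE KEY-----\nMBUCAQEEBKq7zN2gCgYIKoZIzj0DAQc=\n-----END EC PRIVATE KEY-----\n";
pub const PKCS8_PEM: &str = "-----BEGIN PRIVATE KEY-----\nMB4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEBKq7zN0=\n-----END PRIVATE KEY-----\n";
pub const RSA_PEM: &str = "-----BEGIN RSA PRIVATE KEY-----\nMAkCAQACAQsCAQM=\n-----END RSA PRIVATE KEY-----\n";
```

Running `load_private_key(SEC1_PEM)` returns `Ok(KeyKind::Sec1)` while `first_line_check(SEC1_PEM)` returns `false` for the same input, which is the rejection reported at the top of the thread; the PKCS8 and RSA samples pass both. A file that carries the SEC1 body under a `-----BEGIN PRIVATE KEY-----` header fails the version cross-check and is reported as an error instead of being passed on, and a leading CERTIFICATE section is ignored rather than treated as a key.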

@SergioBenitez
Member

Support for SEC1 just landed in rc.3!
