Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update tokio-rustls to v0.23 #927

Merged
merged 6 commits into from Dec 29, 2021
Merged

Update tokio-rustls to v0.23 #927

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
58a449f
Update tokio-rustls to v0.23
olix0r Dec 20, 2021
d099a94
wip: Port trust anchor configuration
olix0r Dec 27, 2021
7a63b2d
fix ServerConfig::builder usage
olix0r Dec 27, 2021
e0cc66c
Remove errant semicolon
olix0r Dec 27, 2021
4baf8cc
Revert "Remove errant semicolon"
olix0r Dec 29, 2021
055b277
Merge branch 'master' into ver/tokio-rustls-0.23
seanmonstar Dec 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 2 additions & 1 deletion Cargo.toml
View file
Open in desktop
Expand Up @@ -40,7 +40,8 @@ tower-service = "0.3"
tokio-tungstenite = { version = "0.15", optional = true }
percent-encoding = "2.1"
pin-project = "1.0"
tokio-rustls = { version = "0.22", optional = true }
tokio-rustls = { version = "0.23", optional = true }
rustls-pemfile = "0.2"

[dev-dependencies]
pretty_env_logger = "0.4"
Expand Down
55 changes: 30 additions & 25 deletions src/tls.rs
View file
Open in desktop
Expand Up @@ -15,8 +15,8 @@ use hyper::server::conn::{AddrIncoming, AddrStream};

use crate::transport::Transport;
use tokio_rustls::rustls::{
AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth,
RootCertStore, ServerConfig, TLSError,
server::{AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth},
Certificate, Error as TlsError, PrivateKey, RootCertStore, ServerConfig,
};

/// Represents errors that can occur building the TlsConfig
Expand All @@ -32,7 +32,7 @@ pub(crate) enum TlsConfigError {
/// An error from an empty key
EmptyKey,
/// An error from an invalid key
InvalidKey(TLSError),
InvalidKey(TlsError),
olix0r marked this conversation as resolved.
Show resolved Hide resolved
}

impl fmt::Display for TlsConfigError {
Expand Down Expand Up @@ -169,8 +169,11 @@ impl TlsConfigBuilder {

pub(crate) fn build(mut self) -> Result<ServerConfig, TlsConfigError> {
let mut cert_rdr = BufReader::new(self.cert);
let cert = tokio_rustls::rustls::internal::pemfile::certs(&mut cert_rdr)
.map_err(|()| TlsConfigError::CertParseError)?;
let cert = rustls_pemfile::certs(&mut cert_rdr)
.map_err(|_e| TlsConfigError::CertParseError)?
.into_iter()
.map(Certificate)
.collect();

let key = {
// convert it to Vec<u8> to allow reading it again if key is RSA
Expand All @@ -183,21 +186,17 @@ impl TlsConfigBuilder {
return Err(TlsConfigError::EmptyKey);
}

let mut pkcs8 = tokio_rustls::rustls::internal::pemfile::pkcs8_private_keys(
&mut key_vec.as_slice(),
)
.map_err(|()| TlsConfigError::Pkcs8ParseError)?;
let mut pkcs8 = rustls_pemfile::pkcs8_private_keys(&mut key_vec.as_slice())
.map_err(|_e| TlsConfigError::Pkcs8ParseError)?;

if !pkcs8.is_empty() {
pkcs8.remove(0)
PrivateKey(pkcs8.remove(0))
} else {
let mut rsa = tokio_rustls::rustls::internal::pemfile::rsa_private_keys(
&mut key_vec.as_slice(),
)
.map_err(|()| TlsConfigError::RsaParseError)?;
let mut rsa = rustls_pemfile::rsa_private_keys(&mut key_vec.as_slice())
.map_err(|_e| TlsConfigError::RsaParseError)?;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These errors could be handled as TlsConfigError::Io now, but I didn't want to change the public API more than needed.


if !rsa.is_empty() {
rsa.remove(0)
PrivateKey(rsa.remove(0))
} else {
return Err(TlsConfigError::EmptyKey);
}
Expand All @@ -207,13 +206,18 @@ impl TlsConfigBuilder {
fn read_trust_anchor(
trust_anchor: Box<dyn Read + Send + Sync>,
) -> Result<RootCertStore, TlsConfigError> {
let mut reader = BufReader::new(trust_anchor);
let trust_anchors = {
let mut reader = BufReader::new(trust_anchor);
rustls_pemfile::certs(&mut reader).map_err(TlsConfigError::Io)?
};

let mut store = RootCertStore::empty();
if let Ok((0, _)) | Err(()) = store.add_pem_file(&mut reader) {
Err(TlsConfigError::CertParseError)
} else {
Ok(store)
let (added, _skipped) = store.add_parsable_certificates(&trust_anchors);
if added == 0 {
return Err(TlsConfigError::CertParseError);
}

Ok(store)
}

let client_auth = match self.client_auth {
Expand All @@ -226,11 +230,12 @@ impl TlsConfigBuilder {
}
};

let mut config = ServerConfig::new(client_auth);
config
.set_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
.map_err(|err| TlsConfigError::InvalidKey(err))?;
config.set_protocols(&["h2".into(), "http/1.1".into()]);
let mut config = ServerConfig::builder()
.with_safe_defaults()
.with_client_cert_verifier(client_auth.into())
.with_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
.map_err(TlsConfigError::InvalidKey)?;
config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
Ok(config)
}
}
Expand Down