chore(tls): Update to rustls 0.22.0

hyperium · Sep 11, 2023 · d3e3fbd · d3e3fbd
1 parent d59fe0d
commit d3e3fbd
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 31 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,3 +29,5 @@ members = [
 ]
 resolver = "2"
 
+[patch.crates-io]
+rustls = { git = "https://github.com/rustls/rustls", package ="rustls", rev = "b57204daab48e46b216d2505d9007cbdde0a6460" }
diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml
@@ -27,7 +27,7 @@ codegen = ["dep:async-trait"]
 gzip = ["dep:flate2"]
 default = ["transport", "codegen", "prost"]
 prost = ["dep:prost"]
-tls = ["dep:rustls-pemfile", "transport", "dep:tokio-rustls", "tokio/rt", "tokio/macros"]
+tls = ["dep:rustls-pki-types", "dep:rustls-pemfile", "transport", "dep:tokio-rustls", "tokio/rt", "tokio/macros"]
 tls-roots = ["tls-roots-common", "dep:rustls-native-certs"]
 tls-roots-common = ["tls"]
 tls-webpki-roots = ["tls-roots-common", "dep:webpki-roots"]
@@ -77,10 +77,11 @@ axum = {version = "0.6.9", default_features = false, optional = true}
 
 # rustls
 async-stream = { version = "0.3", optional = true }
-rustls-pemfile = { version = "1.0", optional = true }
-rustls-native-certs = { version = "0.6.3", optional = true }
-tokio-rustls = { version = "0.24", optional = true }
-webpki-roots = { version = "0.25.0", optional = true }
+rustls-pki-types = { version = "0.2", optional = true }
+rustls-pemfile = { version = "2.0.0-alpha.1", optional = true }
+rustls-native-certs = { git = "https://github.com/rustls/rustls-native-certs", optional = true }
+tokio-rustls = { git = "https://github.com/rustls/tokio-rustls", optional = true }
+webpki-roots = { version = "0.26.0-alpha.1", optional = true }
 
 # compression
 flate2 = {version = "1.0", optional = true}

diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
@@ -6,7 +6,10 @@ use crate::transport::{
 use std::{fmt, sync::Arc};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::{
-    rustls::{ClientConfig, RootCertStore, ServerConfig, ServerName},
+    rustls::{
+        crypto::ring::Ring, server::WebPkiClientVerifier, ClientConfig, RootCertStore,
+        ServerConfig, ServerName,
+    },
     TlsAcceptor as RustlsAcceptor, TlsConnector as RustlsConnector,
 };
 
@@ -22,7 +25,7 @@ enum TlsError {
 
 #[derive(Clone)]
 pub(crate) struct TlsConnector {
-    config: Arc<ClientConfig>,
+    config: Arc<ClientConfig<Ring>>,
     domain: Arc<ServerName>,
 }
 
@@ -36,16 +39,10 @@ impl TlsConnector {
         let mut roots = RootCertStore::empty();
 
         #[cfg(feature = "tls-roots")]
-        roots.add_parsable_certificates(&rustls_native_certs::load_native_certs()?);
+        roots.add_parsable_certificates(rustls_native_certs::load_native_certs()?);
 
         #[cfg(feature = "tls-webpki-roots")]
-        roots.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-            tokio_rustls::rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        }));
+        roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 
         if let Some(cert) = ca_cert {
             rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?;
@@ -98,7 +95,7 @@ impl fmt::Debug for TlsConnector {
 
 #[derive(Clone)]
 pub(crate) struct TlsAcceptor {
-    inner: Arc<ServerConfig>,
+    inner: Arc<ServerConfig<Ring>>,
 }
 
 impl TlsAcceptor {
@@ -112,18 +109,19 @@ impl TlsAcceptor {
         let builder = match (client_ca_root, client_auth_optional) {
             (None, _) => builder.with_no_client_auth(),
             (Some(cert), true) => {
-                use tokio_rustls::rustls::server::AllowAnyAnonymousOrAuthenticatedClient;
                 let mut roots = RootCertStore::empty();
                 rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?;
                 builder.with_client_cert_verifier(
-                    AllowAnyAnonymousOrAuthenticatedClient::new(roots).boxed(),
+                    WebPkiClientVerifier::builder(roots.into())
+                        .allow_unauthenticated()
+                        .build()?,
                 )
             }
             (Some(cert), false) => {
-                use tokio_rustls::rustls::server::AllowAnyAuthenticatedClient;
                 let mut roots = RootCertStore::empty();
                 rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?;
-                builder.with_client_cert_verifier(AllowAnyAuthenticatedClient::new(roots).boxed())
+                builder
+                    .with_client_cert_verifier(WebPkiClientVerifier::builder(roots.into()).build()?)
             }
         };
 
@@ -169,19 +167,21 @@ impl std::error::Error for TlsError {}
 mod rustls_keys {
     use std::io::Cursor;
 
-    use tokio_rustls::rustls::{Certificate, PrivateKey, RootCertStore};
+    use rustls_pki_types::{CertificateDer, PrivateKeyDer};
+    use tokio_rustls::rustls::RootCertStore;
 
     use crate::transport::service::tls::TlsError;
     use crate::transport::Identity;
 
     pub(super) fn load_rustls_private_key(
         mut cursor: std::io::Cursor<&[u8]>,
-    ) -> Result<PrivateKey, crate::Error> {
+    ) -> Result<PrivateKeyDer<'static>, crate::Error> {
         while let Ok(Some(item)) = rustls_pemfile::read_one(&mut cursor) {
+            use rustls_pemfile::Item;
             match item {
-                rustls_pemfile::Item::RSAKey(key)
-                | rustls_pemfile::Item::PKCS8Key(key)
-                | rustls_pemfile::Item::ECKey(key) => return Ok(PrivateKey(key)),
+                Item::Pkcs1Key(der) => return Ok(PrivateKeyDer::from(der)),
+                Item::Pkcs8Key(der) => return Ok(PrivateKeyDer::from(der)),
+                Item::Sec1Key(der) => return Ok(PrivateKeyDer::from(der)),
                 _ => continue,
             }
         }
@@ -192,11 +192,11 @@ mod rustls_keys {
 
     pub(crate) fn load_identity(
         identity: Identity,
-    ) -> Result<(Vec<Certificate>, PrivateKey), crate::Error> {
-        let cert = {
+    ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), crate::Error> {
+        let certs = {
             let mut cert = std::io::Cursor::new(identity.cert.as_ref());
-            match rustls_pemfile::certs(&mut cert) {
-                Ok(certs) => certs.into_iter().map(Certificate).collect(),
+            match rustls_pemfile::certs(&mut cert).collect::<Result<Vec<_>, _>>() {
+                Ok(certs) => certs,
                 Err(_) => return Err(Box::new(TlsError::CertificateParseError)),
             }
         };
@@ -211,14 +211,16 @@ mod rustls_keys {
             }
         };
 
-        Ok((cert, key))
+        Ok((certs, key))
     }
 
     pub(crate) fn add_certs_from_pem(
         mut certs: Cursor<&[u8]>,
         roots: &mut RootCertStore,
     ) -> Result<(), crate::Error> {
-        let (_, ignored) = roots.add_parsable_certificates(&rustls_pemfile::certs(&mut certs)?);
+        let (_, ignored) = roots.add_parsable_certificates(
+            rustls_pemfile::certs(&mut certs).collect::<Result<Vec<_>, _>>()?,
+        );
         match ignored == 0 {
             true => Ok(()),
             false => Err(Box::new(TlsError::CertificateParseError)),