feat: support server cert auto hot-reload

Itsusinn · Dec 18, 2024 · e479918 · e479918
1 parent 01bfe6c
commit e479918
Show file tree

Hide file tree

Showing 7 changed files with 287 additions and 58 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ Compared to origin, this fork's new features:
 - More relaxed locks
 - More CI targets via [cross-rs](https://github.com/cross-rs/cross)
 - Self-signed cert and `skip_cert_verify` support
+- ServerCert auto hot-reload
 - And [more...](https://github.com/EAimTY/tuic/compare/dev...Itsusinn:tuic:dev)
 
 ## Introduction

diff --git a/tuic-server/Cargo.toml b/tuic-server/Cargo.toml
@@ -26,6 +26,8 @@ socket2 = { version = "0.5", default-features = false }
 arc-swap = "1"
 uuid = { version = "1", default-features = false, features = ["serde", "std", "v4"] }
 chashmap = { package = "chashmap-async", version = "0.1" }
+notify = "7"
+
 
 # QUIC
 quinn = { version = "0.11", default-features = false, features = ["runtime-tokio", "log"] }

diff --git a/tuic-server/src/main.rs b/tuic-server/src/main.rs
@@ -16,6 +16,7 @@ mod error;
 mod old_config;
 mod restful;
 mod server;
+mod tls;
 mod utils;
 
 #[cfg(all(not(target_env = "msvc"), feature = "jemallocator"))]
@@ -75,7 +76,7 @@ async fn main() -> eyre::Result<()> {
         )
         .try_init()?;
     tokio::spawn(async move {
-        match Server::init(ctx.clone()) {
+        match Server::init(ctx.clone()).await {
             Ok(server) => server.start().await,
             Err(err) => {
                 eprintln!("{err}");

diff --git a/tuic-server/src/server.rs b/tuic-server/src/server.rs
@@ -20,7 +20,8 @@ use crate::{
     AppContext,
     connection::{Connection, INIT_CONCURRENT_STREAMS},
     error::Error,
-    utils::{self, CongestionController},
+    tls::CertResolver,
+    utils::CongestionController,
 };
 
 pub struct Server {
@@ -29,7 +30,7 @@ pub struct Server {
 }
 
 impl Server {
-    pub fn init(ctx: Arc<AppContext>) -> Result<Self, Error> {
+    pub async fn init(ctx: Arc<AppContext>) -> Result<Self, Error> {
         let mut crypto: RustlsServerConfig;
         if ctx.cfg.tls.self_sign {
             let cert = rcgen::generate_simple_self_signed(vec!["localhost".into()]).unwrap();
@@ -39,11 +40,12 @@ impl Server {
                 .with_no_client_auth()
                 .with_single_cert(vec![cert_der], PrivateKeyDer::Pkcs8(priv_key))?;
         } else {
-            let certs = utils::load_cert_chain(&ctx.cfg.tls.certificate)?;
-            let priv_key = utils::load_priv_key(&ctx.cfg.tls.private_key)?;
+            let cert_resolver =
+                CertResolver::new(&ctx.cfg.tls.certificate, &ctx.cfg.tls.private_key).await?;
+
             crypto = RustlsServerConfig::builder_with_protocol_versions(&[&rustls::version::TLS13])
                 .with_no_client_auth()
-                .with_single_cert(certs, priv_key)?;
+                .with_cert_resolver(cert_resolver);
         }
 
         crypto.alpn_protocols = ctx