From 5bc265e0648d4f5f8e4f500505c2b7532b6ea617 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 May 2024 05:00:25 +0000
Subject: [PATCH 1/2]
---
updated-dependencies:
- dependency-name: rustls-pemfile
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
Cargo.lock | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a41d76b7f1..9428c4b80e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3327,11 +3327,12 @@ dependencies = [
[[package]]
name = "rustls-pemfile"
-version = "1.0.4"
+version = "2.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
+checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d"
dependencies = [
- "base64 0.21.7",
+ "base64 0.22.1",
+ "rustls-pki-types",
]
[[package]]
From b7436c5c0e867f693260141c433232bf51f4ea3d Mon Sep 17 00:00:00 2001
From: Matt Wrock
Date: Tue, 21 May 2024 20:06:01 -0700
Subject: [PATCH 2/2] refactor for rustls-pemfile-2.1.2
Signed-off-by: Matt Wrock
---
.../core/src/tls/rustls_wrapper/readers.rs | 28 ++++++------
components/sup/src/manager.rs | 45 ++++++++++---------
2 files changed, 39 insertions(+), 34 deletions(-)
diff --git a/components/core/src/tls/rustls_wrapper/readers.rs b/components/core/src/tls/rustls_wrapper/readers.rs
index f907de5240..d5c901d1f6 100644
--- a/components/core/src/tls/rustls_wrapper/readers.rs
+++ b/components/core/src/tls/rustls_wrapper/readers.rs
@@ -38,18 +38,20 @@ fn buf_from_file(path: impl AsRef) -> Result, Error> { pub fn certificates_from_file(path: impl AsRef) -> Result, Error> { let mut buf = buf_from_file(path.as_ref())?; - let certs = rustls_pemfile::certs(&mut buf).map_err(|_| { - Error::FailedToReadCerts(path.as_ref().into()) - })?; - Ok(certs.into_iter().map(Certificate).collect()) + rustls_pemfile::certs(&mut buf).map(|c| { + c.map_err(|_| Error::FailedToReadCerts(path.as_ref().into())) + .map(|c| Certificate(c.as_ref().to_vec())) + }) + .collect() } fn private_keys_from_file(path: impl AsRef) -> Result, Error> { let mut buf = buf_from_file(path.as_ref())?; - let private_keys = rustls_pemfile::pkcs8_private_keys(&mut buf).map_err(|_| { - Error::FailedToReadPrivateKeys(path.as_ref().into()) - })?; - Ok(private_keys.into_iter().map(PrivateKey).collect()) + rustls_pemfile::pkcs8_private_keys(&mut buf).map(|k| { + k.map_err(|_| Error::FailedToReadPrivateKeys(path.as_ref().into())) + .map(|k| PrivateKey(k.secret_pkcs8_der().to_vec())) + }) + .collect() } pub fn private_key_from_file(path: impl AsRef) -> Result { @@ -60,11 +62,11 @@ pub fn private_key_from_file(path: impl AsRef) -> Result) -> Result { let mut buf = buf_from_file(path.as_ref())?; let mut root_certificate_store = RootCertStore::empty(); - let certs = - &rustls_pemfile::certs(&mut buf).map_err(|_| { - Error::FailedToReadRootCertificateStore(path.as_ref() - .into()) - })?; + let certs = &rustls_pemfile::certs(&mut buf).map(|c| { + c.map_err(|_| Error::FailedToReadRootCertificateStore(path.as_ref().into())) + .map(|c| c.as_ref().to_vec()) + }) + .collect::, _>>()?; let (_, failed) = root_certificate_store.add_parsable_certificates(certs); if failed > 0 { Err(Error::FailedToReadCertificatesFromRootCertificateStore(failed, path.as_ref().into())) diff --git a/components/sup/src/manager.rs b/components/sup/src/manager.rs index 6a95fa11b9..803f7eadc3 100644 --- a/components/sup/src/manager.rs +++ b/components/sup/src/manager.rs 
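Review bot: The new closures in `certificates_from_file` and `private_keys_from_file` shadow their own parameter (`|c| { c.map_err(..).map(|c| ..) }`), so the outer `c` is the per-item `io::Result` and the inner `c` is the DER value; naming them `|item|` and `|der|` (`|k|`/`|key|`) makes the chain readable without counting closure depth. The per-item error the 2.x iterator yields carries a message saying what failed to parse, yet `map_err(|_| …)` discards it before `FailedToReadCerts` / `FailedToReadPrivateKeys` is built — worth logging it, or carrying it in the variant if the `Error` enum can be extended. Note also that a file with no matching PEM section collects to `Ok(vec![])` in both functions rather than an error (a PEM file holding only a key passes `certificates_from_file` silently); the consumer `private_key_from_file` starts at the end of this hunk and its body is outside it, so whether the empty case is caught there cannot be seen here.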
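Review bot: The root-store loader still rejects only `failed > 0`, so a PEM file with no CERTIFICATE block collects to an empty `certs`, `add_parsable_certificates` reports `(0, 0)`, and the function presumably returns an empty `RootCertStore` without complaint; the parallel CA loader in `components/sup/src/manager.rs` rejects exactly that case with `if added < 1`. Checking both here keeps the two sites consistent: `let (added, failed) = root_certificate_store.add_parsable_certificates(certs); if added == 0 || failed > 0 { Err(Error::FailedToReadCertificatesFromRootCertificateStore(failed, path.as_ref().into())) }`. An empty trust store fails closed on every verification, but reporting it at load time points the operator at the file instead of at a later handshake failure. The enclosing function's signature is garbled at the hunk header and its `Ok` branch lies past the end of the hunk.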
@@ -2013,9 +2013,11 @@ fn tls_config(config: &TLSConfig) -> Result { Some(path) => { let mut root_store = RootCertStore::empty(); let mut ca_file = &mut BufReader::new(File::open(path)?); - let certs = &rustls_pemfile::certs(&mut ca_file).map_err(|_| { - Error::InvalidCertFile(path.clone()) - })?; + let certs = &rustls_pemfile::certs(&mut ca_file).map(|c| { + c.map_err(|_| Error::InvalidCertFile(path.clone())) + .map(|c| c.as_ref().to_vec()) + }) + .collect::>>()?; let (added, _) = root_store.add_parsable_certificates(certs); if added < 1 { return Err(Error::InvalidCertFile(path.clone())); 
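Review bot: `let (added, _) = root_store.add_parsable_certificates(certs);` throws away the count of CA entries that failed to parse, so a bundle in which some roots are malformed is accepted as long as one parses and nothing tells the operator that the trust store is smaller than the file suggests; the equivalent loader in `readers.rs` treats `failed > 0` as an error. At minimum bind and surface the count — `let (added, failed) = root_store.add_parsable_certificates(certs);` followed by a warning through whatever logging facility this module uses when `failed > 0` — or reject the file the way readers.rs does. The `map_err(|_| Error::InvalidCertFile(path.clone()))` likewise drops the parser's per-item error message, which is the only thing that says which block was bad. `tls_config` starts before this hunk and continues after it.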
@@ -2035,29 +2037,30 @@ fn tls_config(config: &TLSConfig) -> Result { // Note that we must explicitly map these errors because rustls returns () as the error from // both pemfile::certs() as well as pemfile::rsa_private_keys() and we want to return // different errors for each. - let cert_chain = rustls_pemfile::certs(cert_file).and_then(|c| { - if c.is_empty() { + let certs = rustls_pemfile::certs(cert_file).map(|c| { + c.and_then(|cr| { + if cr.is_empty() { Err(std::io::Error::new(std::io::ErrorKind::Other, "error getting file contents")) } else { - Ok(c) + Ok(cr) } - }) - .map_err(|_| Error::InvalidCertFile(config.cert_path.clone()))?; - let certs = cert_chain.into_iter().map(Certificate).collect(); - - let key = rustls_pemfile::rsa_private_keys(key_file).and_then(|mut k| { - k.pop() - .ok_or_else(|| { - std::io::Error::new(std::io::ErrorKind::Other, "error getting file contents") + }).map_err(|_| Error::InvalidCertFile(config.cert_path.clone())) + .map(|c| Certificate(c.as_ref().to_vec())) + }) + .collect::>>()?; + + let mut keys = rustls_pemfile::rsa_private_keys(key_file).map(|k| { + k.map_err(|_| Error::InvalidKeyFile(config.key_path.clone())) + .map(|k| PrivateKey(k.secret_pkcs1_der().to_vec())) }) - }) - .map_err(|_| { - Error::InvalidKeyFile(config.key_path - .clone()) - })?; - - let mut server_config = tls_config.with_single_cert(certs, PrivateKey(key))?; + .collect::>>()?; + let key = keys.pop() + .ok_or_else(|| { + std::io::Error::new(std::io::ErrorKind::Other, "error getting file contents") + }) + .map_err(|_| Error::InvalidKeyFile(config.key_path.clone()))?; + let mut server_config = tls_config.with_single_cert(certs, key)?; server_config.ignore_client_order = true; Ok(server_config) }
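Review bot: The `cr.is_empty()` test inside the per-item closure no longer guards what the removed `c.is_empty()` guarded: the old check ran on the whole parsed chain and turned a cert file with no CERTIFICATE block into `InvalidCertFile`, whereas the new one tests the byte length of each individual certificate, which the PEM parser does not yield empty, so a file with zero certificates now collects to an empty `certs` and is passed straight to `with_single_cert` — whether rustls rejects that is its concern, but the configuration error belongs here, reported against `config.cert_path`. Move the check after the `collect`, as sketched below, and drop the `and_then` and the `std::io::Error` it builds only to discard; the same simplification applies to the key path, where `keys.pop().ok_or_else(|| Error::InvalidKeyFile(config.key_path.clone()))?` replaces the io::Error round-trip. The context comment at the top of the hunk, "rustls returns () as the error from both pemfile::certs() as well as pemfile::rsa_private_keys()", no longer matches the code, which clearly receives a `std::io::Error` per item; reword it to say the errors are mapped so the cert file and the key file yield distinct `Error` variants. `tls_config` begins before this hunk.
```rust
let certs = rustls_pemfile::certs(cert_file)
    .map(|item| {
        item.map_err(|_| Error::InvalidCertFile(config.cert_path.clone()))
            .map(|der| Certificate(der.as_ref().to_vec()))
    })
    .collect::<Result<Vec<_>, _>>()?;
// A cert file with no CERTIFICATE block is a configuration error; report it against the path.
if certs.is_empty() {
    return Err(Error::InvalidCertFile(config.cert_path.clone()));
}
// … unchanged: rsa_private_keys loading and selection of the last key …
```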