Move crypto wrapper types back into quinn-proto

This is the second time we flip-flop on this. Previously in 4fd4868 (#351) we moved these types from quinn into quinn-proto so that they could be used as part of the low-level configuration API. Then in 9522b44 (#511) we moved them back into quinn after some discussion, making the point that the configuration API at the quinn-proto was not in a great place. Here, we keep the existing quinn-proto configuration API and merely offer an abstracted API relying on the wrapper types for use in quinn internals.
quinn-rs · Mar 6, 2020 · 33b4915 · 33b4915
1 parent 752693e
commit 33b4915
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 24 deletions.
diff --git a/quinn-proto/src/crypto.rs b/quinn-proto/src/crypto.rs
@@ -24,6 +24,9 @@ pub(crate) mod ring;
 /// TLS interface based on rustls
 #[cfg(feature = "rustls")]
 pub(crate) mod rustls;
+/// Public interface TLS types
+#[cfg(feature = "rustls")]
+pub(crate) mod types;
 
 /// A cryptographic session (commonly TLS)
 pub trait Session: Sized {

diff --git a/quinn/src/tls.rs → quinn-proto/src/crypto/types.rs b/quinn/src/tls.rs → quinn-proto/src/crypto/types.rs
@@ -22,6 +22,12 @@ impl Certificate {
     }
 }
 
+impl From<rustls::Certificate> for Certificate {
+    fn from(inner: rustls::Certificate) -> Self {
+        Certificate { inner }
+    }
+}
+
 /// A chain of signed TLS certificates ending the one to be used by a server
 #[derive(Debug, Clone)]
 pub struct CertificateChain {
@@ -33,7 +39,7 @@ impl CertificateChain {
     ///
     /// ```no_run
     /// let pem = std::fs::read("fullchain.pem").expect("error reading certificates");
-    /// let cert_chain = quinn::PrivateKey::from_pem(&pem).expect("error parsing certificates");
+    /// let cert_chain = quinn_proto::PrivateKey::from_pem(&pem).expect("error parsing certificates");
     /// ```
     pub fn from_pem(pem: &[u8]) -> Result<Self, ParseError> {
         Ok(Self {
@@ -70,7 +76,7 @@ impl PrivateKey {
     ///
     /// ```no_run
     /// let pem = std::fs::read("key.pem").expect("error reading key");
-    /// let key = quinn::PrivateKey::from_pem(&pem).expect("error parsing key");
+    /// let key = quinn_proto::PrivateKey::from_pem(&pem).expect("error parsing key");
     /// ```
     pub fn from_pem(pem: &[u8]) -> Result<Self, ParseError> {
         let pkcs8 = pemfile::pkcs8_private_keys(&mut &pem[..])

diff --git a/quinn-proto/src/lib.rs b/quinn-proto/src/lib.rs
@@ -39,6 +39,8 @@ mod connection;
 pub use crate::connection::{ConnectionError, Event, SendDatagramError};
 
 pub mod crypto;
+#[cfg(feature = "rustls")]
+pub use crypto::types::*;
 
 mod frame;
 use crate::frame::Frame;

diff --git a/quinn-proto/src/shared.rs b/quinn-proto/src/shared.rs
@@ -10,6 +10,8 @@ use bytes::BytesMut;
 use err_derive::Error;
 use rand::{Rng, RngCore};
 
+#[cfg(feature = "rustls")]
+use crate::crypto::types::{Certificate, CertificateChain, PrivateKey};
 use crate::{
     crypto::{self, ClientConfig as _, HmacKey as _, ServerConfig as _},
     packet::PartialDecode,
@@ -459,6 +461,19 @@ where
     }
 }
 
+#[cfg(feature = "rustls")]
+impl ServerConfig<crypto::rustls::TlsSession> {
+    /// Set the certificate chain that will be presented to clients
+    pub fn certificate(
+        &mut self,
+        cert_chain: CertificateChain,
+        key: PrivateKey,
+    ) -> Result<&mut Self, rustls::TLSError> {
+        Arc::make_mut(&mut self.crypto).set_single_cert(cert_chain.certs, key.inner)?;
+        Ok(self)
+    }
+}
+
 impl<S> fmt::Debug for ServerConfig<S>
 where
     S: crypto::Session,
@@ -524,6 +539,21 @@ where
     pub crypto: S::ClientConfig,
 }
 
+#[cfg(feature = "rustls")]
+impl ClientConfig<crypto::rustls::TlsSession> {
+    /// Add a trusted certificate authority
+    pub fn add_certificate_authority(
+        &mut self,
+        cert: Certificate,
+    ) -> Result<&mut Self, webpki::Error> {
+        let anchor = webpki::trust_anchor_util::cert_der_as_trust_anchor(&cert.inner.0)?;
+        Arc::make_mut(&mut self.crypto)
+            .root_store
+            .add_server_trust_anchors(&webpki::TLSServerTrustAnchors(&[anchor]));
+        Ok(self)
+    }
+}
+
 impl<S> Default for ClientConfig<S>
 where
     S: crypto::Session,

diff --git a/quinn/src/builders.rs b/quinn/src/builders.rs
@@ -2,7 +2,6 @@ use std::{io, net::SocketAddr, str, sync::Arc};
 
 use err_derive::Error;
 use proto::{ClientConfig, EndpointConfig, ServerConfig};
-use rustls::TLSError;
 use tracing::error;
 
 use crate::{
@@ -132,8 +131,8 @@ impl ServerConfigBuilder {
         &mut self,
         cert_chain: CertificateChain,
         key: PrivateKey,
-    ) -> Result<&mut Self, TLSError> {
-        Arc::make_mut(&mut self.config.crypto).set_single_cert(cert_chain.certs, key.inner)?;
+    ) -> Result<&mut Self, rustls::TLSError> {
+        self.config.certificate(cert_chain, key)?;
         Ok(self)
     }
 
@@ -194,10 +193,7 @@ impl ClientConfigBuilder {
         &mut self,
         cert: Certificate,
     ) -> Result<&mut Self, webpki::Error> {
-        let anchor = webpki::trust_anchor_util::cert_der_as_trust_anchor(&cert.inner.0)?;
-        Arc::make_mut(&mut self.config.crypto)
-            .root_store
-            .add_server_trust_anchors(&webpki::TLSServerTrustAnchors(&[anchor]));
+        self.config.add_certificate_authority(cert)?;
         Ok(self)
     }
 

diff --git a/quinn/src/connection.rs b/quinn/src/connection.rs
@@ -15,14 +15,14 @@ use futures::{
     channel::{mpsc, oneshot},
     FutureExt, StreamExt,
 };
-use proto::{ConnectionError, ConnectionHandle, Dir, StreamId};
+use proto::{Certificate, ConnectionError, ConnectionHandle, Dir, StreamId};
 use tokio::time::{delay_until, Delay, Instant as TokioInstant};
 use tracing::info_span;
 
 use crate::{
     broadcast::{self, Broadcast},
     streams::{RecvStream, SendStream, WriteError},
-    tls, ConnectionEvent, EndpointEvent, SendDatagramError, VarInt,
+    ConnectionEvent, EndpointEvent, SendDatagramError, VarInt,
 };
 
 /// In-progress connection attempt future
@@ -320,19 +320,14 @@ impl Connection {
     /// For clients, this is the certificate chain of the server. For servers,
     /// it is the certificate chain of the client, or [`None`] if client
     /// authentication was not requested.
-    pub fn presented_certs(&self) -> Option<Vec<tls::Certificate>> {
+    pub fn presented_certs(&self) -> Option<Vec<Certificate>> {
         self.0
             .lock()
             .unwrap()
             .inner
             .crypto_session()
             .get_peer_certificates()
-            .map(|certs| {
-                certs
-                    .into_iter()
-                    .map(|cert| tls::Certificate { inner: cert })
-                    .collect()
-            })
+            .map(|certs| certs.into_iter().map(|cert| cert.into()).collect())
     }
 
     // Update traffic keys spontaneously for testing purposes.

diff --git a/quinn/src/lib.rs b/quinn/src/lib.rs
@@ -53,9 +53,9 @@ mod platform;
 mod udp;
 
 pub use proto::{
-    crypto, ApplicationClose, ClientConfig, ConnectError, ConnectionClose, ConnectionError,
-    SendDatagramError, ServerConfig, Transmit, TransportConfig, TransportError, TransportErrorCode,
-    VarInt,
+    crypto, ApplicationClose, Certificate, CertificateChain, ClientConfig, ConnectError,
+    ConnectionClose, ConnectionError, ParseError, PrivateKey, SendDatagramError, ServerConfig,
+    Transmit, TransportConfig, VarInt,
 };
 
 pub use crate::builders::{
@@ -77,9 +77,6 @@ pub use streams::{
     WriteError,
 };
 
-mod tls;
-pub use tls::{Certificate, CertificateChain, ParseError, PrivateKey};
-
 #[cfg(test)]
 mod tests;