mirror of
https://github.com/YGGverse/agate.git
synced 2026-04-08 20:45:29 +00:00
update rustls and related dependencies (#72)
* chore(deps): bump rustls from 0.19.1 to 0.20.0 * chore(deps): bump webpki from 0.21.4 to 0.22.0 * chore(deps): bump tokio-rustls from 0.22.0 to 0.23.0 * update rustls calls * update webpki naming * update tests
This commit is contained in:
Johann150
parent
824d384693
commit
b5a416fc35
5 changed files with 121 additions and 80 deletions
|
|
@ -1,7 +1,7 @@
|
|||
use {
|
||||
rustls::{
|
||||
sign::{any_supported_type, CertifiedKey},
|
||||
ResolvesServerCert,
|
||||
server::{ClientHello, ResolvesServerCert},
|
||||
sign::{any_supported_type, CertifiedKey, SignError},
|
||||
},
|
||||
std::{
|
||||
ffi::OsStr,
|
||||
|
|
@ -9,7 +9,6 @@ use {
|
|||
path::Path,
|
||||
sync::Arc,
|
||||
},
|
||||
webpki::DNSNameRef,
|
||||
};
|
||||
|
||||
/// A struct that holds all loaded certificates and the respective domain
|
||||
|
|
@ -17,7 +16,7 @@ use {
|
|||
pub(crate) struct CertStore {
|
||||
/// Stores the certificates and the domains they apply to, sorted by domain
|
||||
/// names, longest matches first
|
||||
certs: Vec<(String, CertifiedKey)>,
|
||||
certs: Vec<(String, Arc<CertifiedKey>)>,
|
||||
}
|
||||
|
||||
pub static CERT_FILE_NAME: &str = "cert.der";
|
||||
|
|
@ -29,14 +28,9 @@ pub enum CertLoadError {
|
|||
NoReadCertDir,
|
||||
/// no certificates or keys were found
|
||||
Empty,
|
||||
/// the specified domain name cannot be processed correctly
|
||||
BadDomain(String),
|
||||
/// the key file for the specified domain is bad (e.g. does not contain a
|
||||
/// key or is invalid)
|
||||
BadKey(String),
|
||||
/// The certificate file for the specified domain is bad (e.g. invalid)
|
||||
/// The second parameter is the error message.
|
||||
BadCert(String, String),
|
||||
BadKey(String, SignError),
|
||||
/// the key file for the specified domain is missing (but a certificate
|
||||
/// file was present)
|
||||
MissingKey(String),
|
||||
|
|
@ -53,16 +47,7 @@ impl Display for CertLoadError {
|
|||
match self {
|
||||
Self::NoReadCertDir => write!(f, "Could not read from certificate directory."),
|
||||
Self::Empty => write!(f, "No keys or certificates were found in the given directory.\nSpecify the --hostname option to generate these automatically."),
|
||||
Self::BadDomain(domain) if !domain.is_ascii() => write!(
|
||||
f,
|
||||
"The domain name {} cannot be processed, it must be punycoded.",
|
||||
domain
|
||||
),
|
||||
Self::BadDomain(domain) => write!(f, "The domain name {} cannot be processed.", domain),
|
||||
Self::BadKey(domain) => write!(f, "The key file for {} is malformed.", domain),
|
||||
Self::BadCert(domain, e) => {
|
||||
write!(f, "The certificate file for {} is malformed: {}", domain, e)
|
||||
}
|
||||
Self::BadKey(domain, err) => write!(f, "The key file for {} is malformed: {:?}", domain, err),
|
||||
Self::MissingKey(domain) => write!(f, "The key file for {} is missing.", domain),
|
||||
Self::MissingCert(domain) => {
|
||||
write!(f, "The certificate file for {} is missing.", domain)
|
||||
|
|
@ -106,9 +91,9 @@ fn load_domain(certs_dir: &Path, domain: String) -> Result<CertifiedKey, CertLoa
|
|||
// transform key to correct format
|
||||
let key = match any_supported_type(&key) {
|
||||
Ok(key) => key,
|
||||
Err(()) => return Err(CertLoadError::BadKey(domain)),
|
||||
Err(e) => return Err(CertLoadError::BadKey(domain, e)),
|
||||
};
|
||||
Ok(CertifiedKey::new(vec![cert], Arc::new(key)))
|
||||
Ok(CertifiedKey::new(vec![cert], key))
|
||||
}
|
||||
|
||||
impl CertStore {
|
||||
|
|
@ -127,14 +112,9 @@ impl CertStore {
|
|||
// certificate directory.
|
||||
match load_domain(certs_dir, String::new()) {
|
||||
Err(CertLoadError::EmptyDomain(_)) => { /* there are no fallback keys */ }
|
||||
Err(CertLoadError::Empty)
|
||||
| Err(CertLoadError::NoReadCertDir)
|
||||
| Err(CertLoadError::BadDomain(_)) => unreachable!(),
|
||||
Err(CertLoadError::BadKey(_)) => {
|
||||
return Err(CertLoadError::BadKey("fallback".to_string()))
|
||||
}
|
||||
Err(CertLoadError::BadCert(_, e)) => {
|
||||
return Err(CertLoadError::BadCert("fallback".to_string(), e))
|
||||
Err(CertLoadError::Empty) | Err(CertLoadError::NoReadCertDir) => unreachable!(),
|
||||
Err(CertLoadError::BadKey(_, e)) => {
|
||||
return Err(CertLoadError::BadKey("fallback".to_string(), e))
|
||||
}
|
||||
Err(CertLoadError::MissingKey(_)) => {
|
||||
return Err(CertLoadError::MissingKey("fallback".to_string()))
|
||||
|
|
@ -145,7 +125,7 @@ impl CertStore {
|
|||
// For the fallback keys there is no domain name to verify them
|
||||
// against, so we can skip that step and only have to do it for the
|
||||
// other keys below.
|
||||
Ok(key) => certs.push((String::new(), key)),
|
||||
Ok(key) => certs.push((String::new(), Arc::new(key))),
|
||||
}
|
||||
|
||||
for file in certs_dir
|
||||
|
|
@ -163,16 +143,9 @@ impl CertStore {
|
|||
.unwrap()
|
||||
.to_string();
|
||||
|
||||
let dns_name = match DNSNameRef::try_from_ascii_str(&filename) {
|
||||
Ok(name) => name,
|
||||
Err(_) => return Err(CertLoadError::BadDomain(filename)),
|
||||
};
|
||||
|
||||
let key = load_domain(certs_dir, filename.clone())?;
|
||||
key.cross_check_end_entity_cert(Some(dns_name))
|
||||
.map_err(|e| CertLoadError::BadCert(filename.clone(), e.to_string()))?;
|
||||
|
||||
certs.push((filename, key));
|
||||
certs.push((filename, Arc::new(key)));
|
||||
}
|
||||
|
||||
if certs.is_empty() {
|
||||
|
|
@ -211,9 +184,9 @@ impl CertStore {
|
|||
}
|
||||
|
||||
impl ResolvesServerCert for CertStore {
|
||||
fn resolve(&self, client_hello: rustls::ClientHello<'_>) -> Option<CertifiedKey> {
|
||||
fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
|
||||
if let Some(name) = client_hello.server_name() {
|
||||
let name: &str = name.into();
|
||||
let name: &str = name;
|
||||
// The certificate list is sorted so the longest match will always
|
||||
// appear first. We have to find the first that is either this
|
||||
// domain or a parent domain of the current one.
|
||||
|
|
|
|||
16
src/main.rs
16
src/main.rs
|
|
@ -8,7 +8,7 @@ use {
|
|||
once_cell::sync::Lazy,
|
||||
percent_encoding::{percent_decode_str, percent_encode, AsciiSet, CONTROLS},
|
||||
rcgen::{Certificate, CertificateParams, DnType},
|
||||
rustls::{NoClientAuth, ServerConfig},
|
||||
rustls::server::ServerConfig,
|
||||
std::{
|
||||
borrow::Cow,
|
||||
error::Error,
|
||||
|
|
@ -318,11 +318,17 @@ fn check_path(s: String) -> Result<PathBuf, String> {
|
|||
static TLS: Lazy<TlsAcceptor> = Lazy::new(acceptor);
|
||||
|
||||
fn acceptor() -> TlsAcceptor {
|
||||
let mut config = ServerConfig::new(NoClientAuth::new());
|
||||
if ARGS.only_tls13 {
|
||||
config.versions = vec![rustls::ProtocolVersion::TLSv1_3];
|
||||
let config = if ARGS.only_tls13 {
|
||||
ServerConfig::builder()
|
||||
.with_safe_default_cipher_suites()
|
||||
.with_safe_default_kx_groups()
|
||||
.with_protocol_versions(&[&rustls::version::TLS13])
|
||||
.expect("could not build server config")
|
||||
} else {
|
||||
ServerConfig::builder().with_safe_defaults()
|
||||
}
|
||||
config.cert_resolver = ARGS.certs.clone();
|
||||
.with_no_client_auth()
|
||||
.with_cert_resolver(ARGS.certs.clone());
|
||||
TlsAcceptor::from(Arc::new(config))
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue