// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
pub use deno_native_certs;
pub use rustls;
pub use rustls_pemfile;
pub use rustls_tokio_stream::*;
pub use webpki;
pub use webpki_roots;
use deno_core::anyhow::anyhow;
use deno_core::error::custom_error;
use deno_core::error::AnyError;
use rustls::client::HandshakeSignatureValid;
use rustls::client::ServerCertVerified;
use rustls::client::ServerCertVerifier;
use rustls::client::WebPkiVerifier;
use rustls::ClientConfig;
use rustls::DigitallySignedStruct;
use rustls::Error;
use rustls::ServerName;
use rustls_pemfile::certs;
use rustls_pemfile::ec_private_keys;
use rustls_pemfile::pkcs8_private_keys;
use rustls_pemfile::rsa_private_keys;
use serde::Deserialize;
use std::io::BufRead;
use std::io::BufReader;
use std::io::Cursor;
use std::sync::Arc;
use std::time::SystemTime;
// Key-material types live in a submodule and are re-exported flat; the
// `TlsKeys` / `TlsKey` names used further down presumably come from this glob.
mod tls_key;
pub use tls_key::*;

// Aliases so downstream crates do not have to spell out the rustls types.
pub type Certificate = rustls::Certificate;
pub type PrivateKey = rustls::PrivateKey;
pub type RootCertStore = rustls::RootCertStore;
/// Lazily resolves the root cert store.
///
/// This was done because the root cert store is not needed in all cases
/// and takes a bit of time to initialize.
pub trait RootCertStoreProvider: Send + Sync {
  /// Returns the store, building it on first use and reusing it afterwards.
  ///
  /// # Errors
  /// Propagates whatever error the implementation hits while building the
  /// store.
  fn get_or_try_init(&self) -> Result<&RootCertStore, AnyError>;
}
// This extension has no runtime apis, it only exports some shared native functions.
// The macro is invoked with no ops or ESM, so the extension is empty by design.
deno_core::extension!(deno_tls);
/// Marker type whose only job is to expose the `ServerCertVerifier` trait's
/// default `verify_tls12_signature` / `verify_tls13_signature` to
/// `NoCertificateVerification`; its own `verify_server_cert` always fails.
struct DefaultSignatureVerification;
impl ServerCertVerifier for DefaultSignatureVerification {
  /// Never validates a chain: this verifier is only instantiated so that
  /// `NoCertificateVerification` can borrow the trait's default
  /// signature-verification methods. Calling this is a programming error.
  fn verify_server_cert(
    &self,
    _end_entity: &Certificate,
    _intermediates: &[Certificate],
    _server_name: &ServerName,
    _scts: &mut dyn Iterator<Item = &[u8]>,
    _ocsp_response: &[u8],
    _now: SystemTime,
  ) -> Result<ServerCertVerified, Error> {
    let reason = String::from("Should not be used");
    Err(Error::General(reason))
  }
}
/// Verifier used when certificate errors are to be ignored.
///
/// The inner list holds hostnames / IP address strings that are exempt from
/// chain validation. An EMPTY list disables validation for every peer, not
/// for none — callers must not pass `vec![]` by accident.
pub struct NoCertificateVerification(pub Vec<String>);
/// Verification policy behind "unsafely ignore certificate errors".
///
/// `self.0` lists the hostnames / IP address strings that are exempt from
/// chain validation. As implemented below:
///
/// * empty list — every peer is accepted with no certificate and no
///   handshake-signature verification at all;
/// * non-empty list — a peer whose SNI name (or IP) is listed is accepted
///   unchecked; every other peer gets a full WebPKI chain check against the
///   bundled roots from `create_default_root_cert_store` only (the caller's
///   own root store / extra CA certs are not consulted on this path).
impl ServerCertVerifier for NoCertificateVerification {
  fn verify_server_cert(
    &self,
    end_entity: &Certificate,
    intermediates: &[Certificate],
    server_name: &ServerName,
    scts: &mut dyn Iterator<Item = &[u8]>,
    ocsp_response: &[u8],
    now: SystemTime,
  ) -> Result<ServerCertVerified, Error> {
    // Empty allowlist: ignore errors for every host.
    if self.0.is_empty() {
      return Ok(ServerCertVerified::assertion());
    }

    // Render the requested name in the same form the allowlist uses.
    let host = match server_name {
      ServerName::DnsName(name) => name.as_ref().to_owned(),
      ServerName::IpAddress(addr) => addr.to_string(),
      // NOTE(bartlomieju): `ServerName` is a non-exhaustive enum
      // so we have this catch all errors here.
      _ => return Err(Error::General("Unknown `ServerName` variant".into())),
    };

    if self.0.contains(&host) {
      return Ok(ServerCertVerified::assertion());
    }

    // Not exempt: run the real chain validation. A fresh verifier over the
    // bundled roots is built for every handshake.
    let verifier = WebPkiVerifier::new(create_default_root_cert_store(), None);
    verifier.verify_server_cert(
      end_entity,
      intermediates,
      server_name,
      scts,
      ocsp_response,
      now,
    )
  }

  /// TLS 1.2 handshake-signature check. Skipped entirely for an empty
  /// allowlist; otherwise the trait's default implementation runs, with a
  /// `BadEncoding` result downgraded to success by
  /// `filter_invalid_encoding_err`.
  fn verify_tls12_signature(
    &self,
    message: &[u8],
    cert: &rustls::Certificate,
    dss: &DigitallySignedStruct,
  ) -> Result<HandshakeSignatureValid, Error> {
    if self.0.is_empty() {
      Ok(HandshakeSignatureValid::assertion())
    } else {
      let checked =
        DefaultSignatureVerification.verify_tls12_signature(message, cert, dss);
      filter_invalid_encoding_err(checked)
    }
  }

  /// TLS 1.3 counterpart of `verify_tls12_signature`; same policy.
  fn verify_tls13_signature(
    &self,
    message: &[u8],
    cert: &rustls::Certificate,
    dss: &DigitallySignedStruct,
  ) -> Result<HandshakeSignatureValid, Error> {
    if self.0.is_empty() {
      Ok(HandshakeSignatureValid::assertion())
    } else {
      let checked =
        DefaultSignatureVerification.verify_tls13_signature(message, cert, dss);
      filter_invalid_encoding_err(checked)
    }
  }
}
/// Outbound proxy settings, deserialized from camelCase keys (`url`,
/// `basicAuth`); any missing field falls back to its `Default`.
#[derive(Deserialize, Default, Debug, Clone)]
#[serde(rename_all = "camelCase")]
#[serde(default)]
pub struct Proxy {
  // Proxy endpoint as given; no scheme/format validation happens here.
  pub url: String,
  // Optional proxy credentials (see `BasicAuth`).
  pub basic_auth: Option<BasicAuth>,
}
/// Plaintext HTTP Basic credentials for a proxy.
///
/// `Debug` is derived, so formatting a value with `{:?}` prints the
/// password verbatim — keep these out of logs and error messages.
#[derive(Deserialize, Default, Debug, Clone)]
#[serde(default)]
pub struct BasicAuth {
  pub username: String,
  // Stored as-is; nothing here redacts or zeroizes it.
  pub password: String,
}
/// Builds a root store holding only the anchors bundled in `webpki_roots`.
///
/// No system / OS trust store is consulted (see the TODO below), and every
/// call re-converts the whole anchor list, so callers that need the store
/// repeatedly should cache it (cf. `RootCertStoreProvider`).
pub fn create_default_root_cert_store() -> RootCertStore {
  let mut store = RootCertStore::empty();
  // TODO(@justinmchase): Consider also loading the system keychain here
  let anchors = webpki_roots::TLS_SERVER_ROOTS.iter().map(|anchor| {
    rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
      anchor.subject,
      anchor.spki,
      anchor.name_constraints,
    )
  });
  store.add_trust_anchors(anchors);
  store
}
/// What a client socket will be used for; selects the ALPN protocol list
/// advertised by `add_alpn` (`GeneralSsl` advertises none).
pub enum SocketUse {
  /// General SSL: No ALPN
  GeneralSsl,
  /// HTTP: h1 and h2
  Http,
  /// http/1.1 only
  Http1Only,
  /// http/2 only
  Http2Only,
}
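/// Builds a rustls [`ClientConfig`] for an outbound TLS connection.
///
/// * `root_cert_store` — trust anchors to use; `None` selects the bundled
///   `webpki_roots` via [`create_default_root_cert_store`].
/// * `ca_certs` — extra PEM-encoded certificates appended to that store.
/// * `unsafely_ignore_certificate_errors` — when `Some`, chain validation is
///   delegated to [`NoCertificateVerification`]: every listed host (or every
///   host, if the list is empty) is accepted unchecked. On that path
///   `root_cert_store` and `ca_certs` are NOT used at all; non-listed hosts
///   are validated against the bundled roots only.
/// * `maybe_cert_chain_and_key` — optional client certificate for mTLS.
/// * `socket_use` — which ALPN protocols to advertise (see [`add_alpn`]).
///
/// # Errors
/// Returns an error if a blob in `ca_certs` cannot be parsed as PEM, if
/// rustls rejects the client certificate/key pair, or if a
/// `TlsKeys::Resolver` is supplied (server-side SNI machinery, meaningless
/// for a client). The previous implementation panicked in the latter two
/// cases.
pub fn create_client_config(
  root_cert_store: Option<RootCertStore>,
  ca_certs: Vec<Vec<u8>>,
  unsafely_ignore_certificate_errors: Option<Vec<String>>,
  maybe_cert_chain_and_key: TlsKeys,
  socket_use: SocketUse,
) -> Result<ClientConfig, AnyError> {
  if let Some(ic_allowlist) = unsafely_ignore_certificate_errors {
    let client_config = ClientConfig::builder()
      .with_safe_defaults()
      .with_custom_certificate_verifier(Arc::new(NoCertificateVerification(
        ic_allowlist,
      )));

    // NOTE(bartlomieju): this if/else is duplicated at the end of the body of this function.
    // However it's not really feasible to deduplicate it as the `client_config` instances
    // are not type-compatible - one wants "client cert", the other wants "transparency policy
    // or client cert".
    let mut client = match maybe_cert_chain_and_key {
      TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config
        .with_client_auth_cert(cert_chain, private_key)
        .map_err(|e| anyhow!("invalid client key or certificate: {}", e))?,
      TlsKeys::Null => client_config.with_no_client_auth(),
      // A resolver picks a certificate per SNI on the server side; a client
      // has nothing to resolve, so report it instead of `unimplemented!()`.
      TlsKeys::Resolver(_) => {
        return Err(anyhow!(
          "TlsKeys::Resolver is not supported for client connections"
        ))
      }
    };

    add_alpn(&mut client, socket_use);
    return Ok(client);
  }

  let client_config = ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(build_root_cert_store(root_cert_store, ca_certs)?);

  let mut client = match maybe_cert_chain_and_key {
    TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config
      .with_client_auth_cert(cert_chain, private_key)
      .map_err(|e| anyhow!("invalid client key or certificate: {}", e))?,
    TlsKeys::Null => client_config.with_no_client_auth(),
    TlsKeys::Resolver(_) => {
      return Err(anyhow!(
        "TlsKeys::Resolver is not supported for client connections"
      ))
    }
  };

  add_alpn(&mut client, socket_use);
  Ok(client)
}

/// Merges the caller's root store (or the bundled default) with any extra
/// PEM-encoded CA certificates.
///
/// # Errors
/// Fails if a blob in `ca_certs` is not valid PEM. Note that
/// `add_parsable_certificates` skips individual DER entries it cannot parse
/// rather than failing; its (added, ignored) counts are not inspected here.
fn build_root_cert_store(
  root_cert_store: Option<RootCertStore>,
  ca_certs: Vec<Vec<u8>>,
) -> Result<RootCertStore, AnyError> {
  let mut store = root_cert_store.unwrap_or_else(create_default_root_cert_store);
  // If custom certs are specified, add them to the store
  for cert in ca_certs {
    let reader = &mut BufReader::new(Cursor::new(cert));
    // This function does not return specific errors, if it fails give a generic message.
    let parsed = rustls_pemfile::certs(reader)
      .map_err(|e| anyhow!("Unable to add pem file to certificate store: {}", e))?;
    store.add_parsable_certificates(&parsed);
  }
  Ok(store)
}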
/// Sets `client.alpn_protocols` according to `socket_use`.
///
/// `GeneralSsl` leaves the existing list untouched; the HTTP variants
/// replace it (most-preferred protocol first).
fn add_alpn(client: &mut ClientConfig, socket_use: SocketUse) {
  let protocols: Vec<Vec<u8>> = match socket_use {
    SocketUse::GeneralSsl => return,
    SocketUse::Http1Only => vec!["http/1.1".into()],
    SocketUse::Http2Only => vec!["h2".into()],
    SocketUse::Http => vec!["h2".into(), "http/1.1".into()],
  };
  client.alpn_protocols = protocols;
}
/// Reads every PEM `CERTIFICATE` block from `reader`.
///
/// # Errors
/// `InvalidData` if the input is not parseable PEM, or (via
/// `cert_not_found_err`) if it parses but contains no certificate.
pub fn load_certs(
  reader: &mut dyn BufRead,
) -> Result<Vec<Certificate>, AnyError> {
  let raw = match certs(reader) {
    Ok(raw) => raw,
    Err(_) => {
      return Err(custom_error("InvalidData", "Unable to decode certificate"))
    }
  };

  if raw.is_empty() {
    Err(cert_not_found_err())
  } else {
    Ok(raw.into_iter().map(rustls::Certificate).collect())
  }
}
/// Error for PEM key material that could not be decoded.
fn key_decode_err() -> AnyError {
  let message = "Unable to decode key";
  custom_error("InvalidData", message)
}
/// Error for key material that parsed but held no private key.
fn key_not_found_err() -> AnyError {
  let message = "No keys found in key data";
  custom_error("InvalidData", message)
}
/// Error for certificate material that parsed but held no certificate.
fn cert_not_found_err() -> AnyError {
  let message = "No certificates found in certificate data";
  custom_error("InvalidData", message)
}
/// Starts with -----BEGIN RSA PRIVATE KEY-----
///
/// Returns an empty `Vec` (not an error) when the input holds no block of
/// this kind; `load_private_keys` relies on that to fall through to the
/// next format.
fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
  let raw = match rsa_private_keys(&mut bytes) {
    Ok(raw) => raw,
    Err(_) => return Err(key_decode_err()),
  };
  Ok(raw.into_iter().map(rustls::PrivateKey).collect())
}
/// Starts with -----BEGIN EC PRIVATE KEY-----
///
/// Empty `Vec` (not an error) when no such block is present; see
/// `load_private_keys`.
fn load_ec_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
  let raw = match ec_private_keys(&mut bytes) {
    Ok(raw) => raw,
    Err(_) => return Err(key_decode_err()),
  };
  Ok(raw.into_iter().map(rustls::PrivateKey).collect())
}
/// Starts with -----BEGIN PRIVATE KEY-----
///
/// Empty `Vec` (not an error) when no such block is present; see
/// `load_private_keys`.
fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
  let raw = match pkcs8_private_keys(&mut bytes) {
    Ok(raw) => raw,
    Err(_) => return Err(key_decode_err()),
  };
  Ok(raw.into_iter().map(rustls::PrivateKey).collect())
}
/// Downgrades a `BadEncoding` signature-verification failure to success.
///
/// Only `NoCertificateVerification` uses this: for an exempt host the chain
/// is accepted without ever being parsed, and a certificate the signature
/// check cannot decode (presumably what `BadEncoding` reports) would
/// otherwise still abort the handshake. Every other outcome — including a
/// genuinely invalid signature — is passed through unchanged.
fn filter_invalid_encoding_err(
  to_be_filtered: Result<HandshakeSignatureValid, Error>,
) -> Result<HandshakeSignatureValid, Error> {
  let is_bad_encoding = matches!(
    to_be_filtered,
    Err(Error::InvalidCertificate(rustls::CertificateError::BadEncoding))
  );
  if is_bad_encoding {
    Ok(HandshakeSignatureValid::assertion())
  } else {
    to_be_filtered
  }
}
/// Parses PEM private-key material into rustls `PrivateKey`s.
///
/// The supported block kinds are tried in a fixed order — `RSA PRIVATE KEY`,
/// then `PRIVATE KEY` (PKCS#8), then `EC PRIVATE KEY` — and the first kind
/// that yields at least one key wins; later kinds are not examined.
///
/// # Errors
/// A decode failure from any parser is returned as-is; if all parsers
/// succeed but none finds a key, `key_not_found_err` is returned.
pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
  // Order matters: the first loader that finds a key short-circuits.
  let loaders: [fn(&[u8]) -> Result<Vec<PrivateKey>, AnyError>; 3] =
    [load_rsa_keys, load_pkcs8_keys, load_ec_keys];

  for load in loaders {
    let keys = load(bytes)?;
    if !keys.is_empty() {
      return Ok(keys);
    }
  }

  Err(key_not_found_err())
}