mirror of
https://github.com/denoland/deno.git
synced 2024-11-28 16:20:57 -05:00
refactor(ext/tls): Implement required functionality for later SNI support (#23686)
Precursor to #23236 This implements the SNI features, but uses private symbols to avoid exposing the functionality at this time. Note that to properly test this feature, we need to add a way for `connectTls` to specify a hostname. This is something that should be pushed into that API at a later time as well. ```ts Deno.test( { permissions: { net: true, read: true } }, async function listenResolver() { let sniRequests = []; const listener = Deno.listenTls({ hostname: "localhost", port: 0, [resolverSymbol]: (sni: string) => { sniRequests.push(sni); return { cert, key, }; }, }); { const conn = await Deno.connectTls({ hostname: "localhost", [serverNameSymbol]: "server-1", port: listener.addr.port, }); const [_handshake, serverConn] = await Promise.all([ conn.handshake(), listener.accept(), ]); conn.close(); serverConn.close(); } { const conn = await Deno.connectTls({ hostname: "localhost", [serverNameSymbol]: "server-2", port: listener.addr.port, }); const [_handshake, serverConn] = await Promise.all([ conn.handshake(), listener.accept(), ]); conn.close(); serverConn.close(); } assertEquals(sniRequests, ["server-1", "server-2"]); listener.close(); }, ); ``` --------- Signed-off-by: Matt Mastracci <matthew@mastracci.com>
This commit is contained in:
parent
dc29986ae5
commit
684377c92c
16 changed files with 615 additions and 102 deletions
5
Cargo.lock
generated
5
Cargo.lock
generated
|
@ -1913,6 +1913,7 @@ dependencies = [
|
|||
"rustls-tokio-stream",
|
||||
"rustls-webpki",
|
||||
"serde",
|
||||
"tokio",
|
||||
"webpki-roots",
|
||||
]
|
||||
|
||||
|
@ -5457,9 +5458,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "rustls-tokio-stream"
|
||||
version = "0.2.17"
|
||||
version = "0.2.23"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ded7a36e8ac05b8ada77a84c5ceec95361942ee9dedb60a82f93f788a791aae8"
|
||||
checksum = "c478c030dfd68498e6c59168d9eec4f8bead33152a5f3095ad4bdbdcea09d466"
|
||||
dependencies = [
|
||||
"futures",
|
||||
"rustls",
|
||||
|
|
|
@ -150,7 +150,7 @@ ring = "^0.17.0"
|
|||
rusqlite = { version = "=0.29.0", features = ["unlock_notify", "bundled"] }
|
||||
rustls = "0.21.11"
|
||||
rustls-pemfile = "1.0.0"
|
||||
rustls-tokio-stream = "=0.2.17"
|
||||
rustls-tokio-stream = "=0.2.23"
|
||||
rustls-webpki = "0.101.4"
|
||||
rustyline = "=13.0.0"
|
||||
saffron = "=0.1.0"
|
||||
|
|
|
@ -46,6 +46,7 @@ use deno_tls::RootCertStoreProvider;
|
|||
use data_url::DataUrl;
|
||||
use deno_tls::TlsKey;
|
||||
use deno_tls::TlsKeys;
|
||||
use deno_tls::TlsKeysHolder;
|
||||
use http_v02::header::CONTENT_LENGTH;
|
||||
use http_v02::Uri;
|
||||
use reqwest::header::HeaderMap;
|
||||
|
@ -80,7 +81,7 @@ pub struct Options {
|
|||
pub request_builder_hook:
|
||||
Option<fn(RequestBuilder) -> Result<RequestBuilder, AnyError>>,
|
||||
pub unsafely_ignore_certificate_errors: Option<Vec<String>>,
|
||||
pub client_cert_chain_and_key: Option<TlsKey>,
|
||||
pub client_cert_chain_and_key: TlsKeys,
|
||||
pub file_fetch_handler: Rc<dyn FetchHandler>,
|
||||
}
|
||||
|
||||
|
@ -101,7 +102,7 @@ impl Default for Options {
|
|||
proxy: None,
|
||||
request_builder_hook: None,
|
||||
unsafely_ignore_certificate_errors: None,
|
||||
client_cert_chain_and_key: None,
|
||||
client_cert_chain_and_key: TlsKeys::Null,
|
||||
file_fetch_handler: Rc::new(DefaultFileFetchHandler),
|
||||
}
|
||||
}
|
||||
|
@ -205,7 +206,11 @@ pub fn create_client_from_options(
|
|||
unsafely_ignore_certificate_errors: options
|
||||
.unsafely_ignore_certificate_errors
|
||||
.clone(),
|
||||
client_cert_chain_and_key: options.client_cert_chain_and_key.clone(),
|
||||
client_cert_chain_and_key: options
|
||||
.client_cert_chain_and_key
|
||||
.clone()
|
||||
.try_into()
|
||||
.unwrap_or_default(),
|
||||
pool_max_idle_per_host: None,
|
||||
pool_idle_timeout: None,
|
||||
http1: true,
|
||||
|
@ -821,7 +826,7 @@ fn default_true() -> bool {
|
|||
pub fn op_fetch_custom_client<FP>(
|
||||
state: &mut OpState,
|
||||
#[serde] args: CreateHttpClientArgs,
|
||||
#[cppgc] tls_keys: &deno_tls::TlsKeys,
|
||||
#[cppgc] tls_keys: &TlsKeysHolder,
|
||||
) -> Result<ResourceId, AnyError>
|
||||
where
|
||||
FP: FetchPermissions + 'static,
|
||||
|
@ -832,11 +837,6 @@ where
|
|||
permissions.check_net_url(&url, "Deno.createHttpClient()")?;
|
||||
}
|
||||
|
||||
let client_cert_chain_and_key = match tls_keys {
|
||||
TlsKeys::Null => None,
|
||||
TlsKeys::Static(key) => Some(key.clone()),
|
||||
};
|
||||
|
||||
let options = state.borrow::<Options>();
|
||||
let ca_certs = args
|
||||
.ca_certs
|
||||
|
@ -853,7 +853,7 @@ where
|
|||
unsafely_ignore_certificate_errors: options
|
||||
.unsafely_ignore_certificate_errors
|
||||
.clone(),
|
||||
client_cert_chain_and_key,
|
||||
client_cert_chain_and_key: tls_keys.take().try_into().unwrap(),
|
||||
pool_max_idle_per_host: args.pool_max_idle_per_host,
|
||||
pool_idle_timeout: args.pool_idle_timeout.and_then(
|
||||
|timeout| match timeout {
|
||||
|
@ -915,7 +915,7 @@ pub fn create_http_client(
|
|||
options.root_cert_store,
|
||||
options.ca_certs,
|
||||
options.unsafely_ignore_certificate_errors,
|
||||
options.client_cert_chain_and_key,
|
||||
options.client_cert_chain_and_key.into(),
|
||||
deno_tls::SocketUse::Http,
|
||||
)?;
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ use deno_fetch::CreateHttpClientOptions;
|
|||
use deno_tls::rustls::RootCertStore;
|
||||
use deno_tls::Proxy;
|
||||
use deno_tls::RootCertStoreProvider;
|
||||
use deno_tls::TlsKey;
|
||||
use deno_tls::TlsKeys;
|
||||
use denokv_remote::MetadataEndpoint;
|
||||
use denokv_remote::Remote;
|
||||
use url::Url;
|
||||
|
@ -27,7 +27,7 @@ pub struct HttpOptions {
|
|||
pub root_cert_store_provider: Option<Arc<dyn RootCertStoreProvider>>,
|
||||
pub proxy: Option<Proxy>,
|
||||
pub unsafely_ignore_certificate_errors: Option<Vec<String>>,
|
||||
pub client_cert_chain_and_key: Option<TlsKey>,
|
||||
pub client_cert_chain_and_key: TlsKeys,
|
||||
}
|
||||
|
||||
impl HttpOptions {
|
||||
|
@ -135,7 +135,11 @@ impl<P: RemoteDbHandlerPermissions + 'static> DatabaseHandler
|
|||
unsafely_ignore_certificate_errors: options
|
||||
.unsafely_ignore_certificate_errors
|
||||
.clone(),
|
||||
client_cert_chain_and_key: options.client_cert_chain_and_key.clone(),
|
||||
client_cert_chain_and_key: options
|
||||
.client_cert_chain_and_key
|
||||
.clone()
|
||||
.try_into()
|
||||
.unwrap(),
|
||||
pool_max_idle_per_host: None,
|
||||
pool_idle_timeout: None,
|
||||
http1: false,
|
||||
|
|
|
@ -6,6 +6,10 @@ import {
|
|||
op_net_accept_tls,
|
||||
op_net_connect_tls,
|
||||
op_net_listen_tls,
|
||||
op_tls_cert_resolver_create,
|
||||
op_tls_cert_resolver_poll,
|
||||
op_tls_cert_resolver_resolve,
|
||||
op_tls_cert_resolver_resolve_error,
|
||||
op_tls_handshake,
|
||||
op_tls_key_null,
|
||||
op_tls_key_static,
|
||||
|
@ -16,6 +20,7 @@ const {
|
|||
Number,
|
||||
ObjectDefineProperty,
|
||||
TypeError,
|
||||
SymbolFor,
|
||||
} = primordials;
|
||||
|
||||
import { Conn, Listener } from "ext:deno_net/01_net.js";
|
||||
|
@ -87,9 +92,12 @@ async function connectTls({
|
|||
keyFile,
|
||||
privateKey,
|
||||
});
|
||||
// TODO(mmastrac): We only expose this feature via symbol for now. This should actually be a feature
|
||||
// in Deno.connectTls, however.
|
||||
const serverName = arguments[0][serverNameSymbol] ?? null;
|
||||
const { 0: rid, 1: localAddr, 2: remoteAddr } = await op_net_connect_tls(
|
||||
{ hostname, port },
|
||||
{ certFile: deprecatedCertFile, caCerts, alpnProtocols },
|
||||
{ certFile: deprecatedCertFile, caCerts, alpnProtocols, serverName },
|
||||
keyPair,
|
||||
);
|
||||
localAddr.transport = "tcp";
|
||||
|
@ -133,6 +141,10 @@ class TlsListener extends Listener {
|
|||
* interfaces.
|
||||
*/
|
||||
function hasTlsKeyPairOptions(options) {
|
||||
// TODO(mmastrac): remove this temporary symbol when the API lands
|
||||
if (options[resolverSymbol] !== undefined) {
|
||||
return true;
|
||||
}
|
||||
return (options.cert !== undefined || options.key !== undefined ||
|
||||
options.certFile !== undefined ||
|
||||
options.keyFile !== undefined || options.privateKey !== undefined ||
|
||||
|
@ -159,6 +171,11 @@ function loadTlsKeyPair(api, {
|
|||
privateKey = undefined;
|
||||
}
|
||||
|
||||
// TODO(mmastrac): remove this temporary symbol when the API lands
|
||||
if (arguments[1][resolverSymbol] !== undefined) {
|
||||
return createTlsKeyResolver(arguments[1][resolverSymbol]);
|
||||
}
|
||||
|
||||
// Check for "pem" format
|
||||
if (keyFormat !== undefined && keyFormat !== "pem") {
|
||||
throw new TypeError('If `keyFormat` is specified, it must be "pem"');
|
||||
|
@ -275,6 +292,37 @@ async function startTls(
|
|||
return new TlsConn(rid, remoteAddr, localAddr);
|
||||
}
|
||||
|
||||
const resolverSymbol = SymbolFor("unstableSniResolver");
|
||||
const serverNameSymbol = SymbolFor("unstableServerName");
|
||||
|
||||
function createTlsKeyResolver(callback) {
|
||||
const { 0: resolver, 1: lookup } = op_tls_cert_resolver_create();
|
||||
(async () => {
|
||||
while (true) {
|
||||
const sni = await op_tls_cert_resolver_poll(lookup);
|
||||
if (typeof sni !== "string") {
|
||||
break;
|
||||
}
|
||||
try {
|
||||
const key = await callback(sni);
|
||||
if (!hasTlsKeyPairOptions(key)) {
|
||||
op_tls_cert_resolver_resolve_error(lookup, sni, "Invalid key");
|
||||
} else {
|
||||
const resolved = loadTlsKeyPair("Deno.listenTls", key);
|
||||
op_tls_cert_resolver_resolve(lookup, sni, resolved);
|
||||
}
|
||||
} catch (e) {
|
||||
op_tls_cert_resolver_resolve_error(lookup, sni, e.message);
|
||||
}
|
||||
}
|
||||
})();
|
||||
return resolver;
|
||||
}
|
||||
|
||||
internals.resolverSymbol = resolverSymbol;
|
||||
internals.serverNameSymbol = serverNameSymbol;
|
||||
internals.createTlsKeyResolver = createTlsKeyResolver;
|
||||
|
||||
export {
|
||||
connectTls,
|
||||
hasTlsKeyPairOptions,
|
||||
|
|
|
@ -87,6 +87,10 @@ deno_core::extension!(deno_net,
|
|||
ops_tls::op_tls_key_null,
|
||||
ops_tls::op_tls_key_static,
|
||||
ops_tls::op_tls_key_static_from_file<P>,
|
||||
ops_tls::op_tls_cert_resolver_create,
|
||||
ops_tls::op_tls_cert_resolver_poll,
|
||||
ops_tls::op_tls_cert_resolver_resolve,
|
||||
ops_tls::op_tls_cert_resolver_resolve_error,
|
||||
ops_tls::op_tls_start<P>,
|
||||
ops_tls::op_net_connect_tls<P>,
|
||||
ops_tls::op_net_listen_tls<P>,
|
||||
|
|
|
@ -11,6 +11,7 @@ use crate::DefaultTlsOptions;
|
|||
use crate::NetPermissions;
|
||||
use crate::UnsafelyIgnoreCertificateErrors;
|
||||
use deno_core::anyhow::anyhow;
|
||||
use deno_core::anyhow::bail;
|
||||
use deno_core::error::bad_resource;
|
||||
use deno_core::error::custom_error;
|
||||
use deno_core::error::generic_error;
|
||||
|
@ -29,13 +30,18 @@ use deno_core::ResourceId;
|
|||
use deno_tls::create_client_config;
|
||||
use deno_tls::load_certs;
|
||||
use deno_tls::load_private_keys;
|
||||
use deno_tls::new_resolver;
|
||||
use deno_tls::rustls::Certificate;
|
||||
use deno_tls::rustls::ClientConnection;
|
||||
use deno_tls::rustls::PrivateKey;
|
||||
use deno_tls::rustls::ServerConfig;
|
||||
use deno_tls::rustls::ServerName;
|
||||
use deno_tls::ServerConfigProvider;
|
||||
use deno_tls::SocketUse;
|
||||
use deno_tls::TlsKey;
|
||||
use deno_tls::TlsKeyLookup;
|
||||
use deno_tls::TlsKeys;
|
||||
use deno_tls::TlsKeysHolder;
|
||||
use rustls_tokio_stream::TlsStreamRead;
|
||||
use rustls_tokio_stream::TlsStreamWrite;
|
||||
use serde::Deserialize;
|
||||
|
@ -63,14 +69,26 @@ pub(crate) const TLS_BUFFER_SIZE: Option<NonZeroUsize> =
|
|||
|
||||
pub struct TlsListener {
|
||||
pub(crate) tcp_listener: TcpListener,
|
||||
pub(crate) tls_config: Arc<ServerConfig>,
|
||||
pub(crate) tls_config: Option<Arc<ServerConfig>>,
|
||||
pub(crate) server_config_provider: Option<ServerConfigProvider>,
|
||||
}
|
||||
|
||||
impl TlsListener {
|
||||
pub async fn accept(&self) -> std::io::Result<(TlsStream, SocketAddr)> {
|
||||
let (tcp, addr) = self.tcp_listener.accept().await?;
|
||||
let tls =
|
||||
TlsStream::new_server_side(tcp, self.tls_config.clone(), TLS_BUFFER_SIZE);
|
||||
let tls = if let Some(provider) = &self.server_config_provider {
|
||||
TlsStream::new_server_side_acceptor(
|
||||
tcp,
|
||||
provider.clone(),
|
||||
TLS_BUFFER_SIZE,
|
||||
)
|
||||
} else {
|
||||
TlsStream::new_server_side(
|
||||
tcp,
|
||||
self.tls_config.clone().unwrap(),
|
||||
TLS_BUFFER_SIZE,
|
||||
)
|
||||
};
|
||||
Ok((tls, addr))
|
||||
}
|
||||
pub fn local_addr(&self) -> std::io::Result<SocketAddr> {
|
||||
|
@ -164,6 +182,7 @@ pub struct ConnectTlsArgs {
|
|||
cert_file: Option<String>,
|
||||
ca_certs: Vec<String>,
|
||||
alpn_protocols: Option<Vec<String>>,
|
||||
server_name: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
|
@ -179,7 +198,10 @@ pub struct StartTlsArgs {
|
|||
pub fn op_tls_key_null<'s>(
|
||||
scope: &mut v8::HandleScope<'s>,
|
||||
) -> Result<v8::Local<'s, v8::Object>, AnyError> {
|
||||
Ok(deno_core::cppgc::make_cppgc_object(scope, TlsKeys::Null))
|
||||
Ok(deno_core::cppgc::make_cppgc_object(
|
||||
scope,
|
||||
TlsKeysHolder::from(TlsKeys::Null),
|
||||
))
|
||||
}
|
||||
|
||||
#[op2]
|
||||
|
@ -195,7 +217,7 @@ pub fn op_tls_key_static<'s>(
|
|||
.unwrap();
|
||||
Ok(deno_core::cppgc::make_cppgc_object(
|
||||
scope,
|
||||
TlsKeys::Static(TlsKey(cert, key)),
|
||||
TlsKeysHolder::from(TlsKeys::Static(TlsKey(cert, key))),
|
||||
))
|
||||
}
|
||||
|
||||
|
@ -224,10 +246,53 @@ where
|
|||
.unwrap();
|
||||
Ok(deno_core::cppgc::make_cppgc_object(
|
||||
scope,
|
||||
TlsKeys::Static(TlsKey(cert, key)),
|
||||
TlsKeysHolder::from(TlsKeys::Static(TlsKey(cert, key))),
|
||||
))
|
||||
}
|
||||
|
||||
#[op2]
|
||||
pub fn op_tls_cert_resolver_create<'s>(
|
||||
scope: &mut v8::HandleScope<'s>,
|
||||
) -> v8::Local<'s, v8::Array> {
|
||||
let (resolver, lookup) = new_resolver();
|
||||
let resolver = deno_core::cppgc::make_cppgc_object(
|
||||
scope,
|
||||
TlsKeysHolder::from(TlsKeys::Resolver(resolver)),
|
||||
);
|
||||
let lookup = deno_core::cppgc::make_cppgc_object(scope, lookup);
|
||||
v8::Array::new_with_elements(scope, &[resolver.into(), lookup.into()])
|
||||
}
|
||||
|
||||
#[op2(async)]
|
||||
#[string]
|
||||
pub async fn op_tls_cert_resolver_poll(
|
||||
#[cppgc] lookup: &TlsKeyLookup,
|
||||
) -> Option<String> {
|
||||
lookup.poll().await
|
||||
}
|
||||
|
||||
#[op2(fast)]
|
||||
pub fn op_tls_cert_resolver_resolve(
|
||||
#[cppgc] lookup: &TlsKeyLookup,
|
||||
#[string] sni: String,
|
||||
#[cppgc] key: &TlsKeysHolder,
|
||||
) -> Result<(), AnyError> {
|
||||
let TlsKeys::Static(key) = key.take() else {
|
||||
bail!("unexpected key type");
|
||||
};
|
||||
lookup.resolve(sni, Ok(key));
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[op2(fast)]
|
||||
pub fn op_tls_cert_resolver_resolve_error(
|
||||
#[cppgc] lookup: &TlsKeyLookup,
|
||||
#[string] sni: String,
|
||||
#[string] error: String,
|
||||
) {
|
||||
lookup.resolve(sni, Err(anyhow!(error)))
|
||||
}
|
||||
|
||||
#[op2]
|
||||
#[serde]
|
||||
pub fn op_tls_start<NP>(
|
||||
|
@ -287,7 +352,7 @@ where
|
|||
root_cert_store,
|
||||
ca_certs,
|
||||
unsafely_ignore_certificate_errors,
|
||||
None,
|
||||
TlsKeys::Null,
|
||||
SocketUse::GeneralSsl,
|
||||
)?;
|
||||
|
||||
|
@ -299,8 +364,7 @@ where
|
|||
let tls_config = Arc::new(tls_config);
|
||||
let tls_stream = TlsStream::new_client_side(
|
||||
tcp_stream,
|
||||
tls_config,
|
||||
hostname_dns,
|
||||
ClientConnection::new(tls_config, hostname_dns)?,
|
||||
TLS_BUFFER_SIZE,
|
||||
);
|
||||
|
||||
|
@ -320,7 +384,7 @@ pub async fn op_net_connect_tls<NP>(
|
|||
state: Rc<RefCell<OpState>>,
|
||||
#[serde] addr: IpAddr,
|
||||
#[serde] args: ConnectTlsArgs,
|
||||
#[cppgc] key_pair: &TlsKeys,
|
||||
#[cppgc] key_pair: &TlsKeysHolder,
|
||||
) -> Result<(ResourceId, IpAddr, IpAddr), AnyError>
|
||||
where
|
||||
NP: NetPermissions + 'static,
|
||||
|
@ -357,7 +421,11 @@ where
|
|||
.borrow()
|
||||
.borrow::<DefaultTlsOptions>()
|
||||
.root_cert_store()?;
|
||||
let hostname_dns = ServerName::try_from(&*addr.hostname)
|
||||
let hostname_dns = if let Some(server_name) = args.server_name {
|
||||
ServerName::try_from(server_name.as_str())
|
||||
} else {
|
||||
ServerName::try_from(&*addr.hostname)
|
||||
}
|
||||
.map_err(|_| invalid_hostname(&addr.hostname))?;
|
||||
let connect_addr = resolve_addr(&addr.hostname, addr.port)
|
||||
.await?
|
||||
|
@ -367,15 +435,11 @@ where
|
|||
let local_addr = tcp_stream.local_addr()?;
|
||||
let remote_addr = tcp_stream.peer_addr()?;
|
||||
|
||||
let cert_and_key = match key_pair {
|
||||
TlsKeys::Null => None,
|
||||
TlsKeys::Static(key) => Some(key.clone()),
|
||||
};
|
||||
let mut tls_config = create_client_config(
|
||||
root_cert_store,
|
||||
ca_certs,
|
||||
unsafely_ignore_certificate_errors,
|
||||
cert_and_key,
|
||||
key_pair.take(),
|
||||
SocketUse::GeneralSsl,
|
||||
)?;
|
||||
|
||||
|
@ -388,8 +452,7 @@ where
|
|||
|
||||
let tls_stream = TlsStream::new_client_side(
|
||||
tcp_stream,
|
||||
tls_config,
|
||||
hostname_dns,
|
||||
ClientConnection::new(tls_config, hostname_dns)?,
|
||||
TLS_BUFFER_SIZE,
|
||||
);
|
||||
|
||||
|
@ -429,7 +492,7 @@ pub fn op_net_listen_tls<NP>(
|
|||
state: &mut OpState,
|
||||
#[serde] addr: IpAddr,
|
||||
#[serde] args: ListenTlsArgs,
|
||||
#[cppgc] keys: &TlsKeys,
|
||||
#[cppgc] keys: &TlsKeysHolder,
|
||||
) -> Result<(ResourceId, IpAddr), AnyError>
|
||||
where
|
||||
NP: NetPermissions + 'static,
|
||||
|
@ -444,36 +507,44 @@ where
|
|||
.check_net(&(&addr.hostname, Some(addr.port)), "Deno.listenTls()")?;
|
||||
}
|
||||
|
||||
let tls_config = ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_no_client_auth();
|
||||
|
||||
let mut tls_config = match keys {
|
||||
TlsKeys::Null => Err(anyhow!("Deno.listenTls requires a key")),
|
||||
TlsKeys::Static(TlsKey(cert, key)) => tls_config
|
||||
.with_single_cert(cert.clone(), key.clone())
|
||||
.map_err(|e| anyhow!(e)),
|
||||
}
|
||||
.map_err(|e| {
|
||||
custom_error("InvalidData", "Error creating TLS certificate").context(e)
|
||||
})?;
|
||||
|
||||
if let Some(alpn_protocols) = args.alpn_protocols {
|
||||
tls_config.alpn_protocols =
|
||||
alpn_protocols.into_iter().map(|s| s.into_bytes()).collect();
|
||||
}
|
||||
|
||||
let bind_addr = resolve_addr_sync(&addr.hostname, addr.port)?
|
||||
.next()
|
||||
.ok_or_else(|| generic_error("No resolved address found"))?;
|
||||
|
||||
let tcp_listener = TcpListener::bind_direct(bind_addr, args.reuse_port)?;
|
||||
let local_addr = tcp_listener.local_addr()?;
|
||||
|
||||
let tls_listener_resource = NetworkListenerResource::new(TlsListener {
|
||||
let alpn = args
|
||||
.alpn_protocols
|
||||
.unwrap_or_default()
|
||||
.into_iter()
|
||||
.map(|s| s.into_bytes())
|
||||
.collect();
|
||||
let listener = match keys.take() {
|
||||
TlsKeys::Null => Err(anyhow!("Deno.listenTls requires a key")),
|
||||
TlsKeys::Static(TlsKey(cert, key)) => {
|
||||
let mut tls_config = ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_no_client_auth()
|
||||
.with_single_cert(cert, key)
|
||||
.map_err(|e| anyhow!(e))?;
|
||||
tls_config.alpn_protocols = alpn;
|
||||
Ok(TlsListener {
|
||||
tcp_listener,
|
||||
tls_config: tls_config.into(),
|
||||
});
|
||||
tls_config: Some(tls_config.into()),
|
||||
server_config_provider: None,
|
||||
})
|
||||
}
|
||||
TlsKeys::Resolver(resolver) => Ok(TlsListener {
|
||||
tcp_listener,
|
||||
tls_config: None,
|
||||
server_config_provider: Some(resolver.into_server_config_provider(alpn)),
|
||||
}),
|
||||
}
|
||||
.map_err(|e| {
|
||||
custom_error("InvalidData", "Error creating TLS certificate").context(e)
|
||||
})?;
|
||||
|
||||
let tls_listener_resource = NetworkListenerResource::new(listener);
|
||||
|
||||
let rid = state.resource_table.add(tls_listener_resource);
|
||||
|
||||
|
|
|
@ -22,4 +22,5 @@ rustls-pemfile.workspace = true
|
|||
rustls-tokio-stream.workspace = true
|
||||
rustls-webpki.workspace = true
|
||||
serde.workspace = true
|
||||
tokio.workspace = true
|
||||
webpki-roots.workspace = true
|
||||
|
|
|
@ -30,6 +30,9 @@ use std::io::Cursor;
|
|||
use std::sync::Arc;
|
||||
use std::time::SystemTime;
|
||||
|
||||
mod tls_key;
|
||||
pub use tls_key::*;
|
||||
|
||||
pub type Certificate = rustls::Certificate;
|
||||
pub type PrivateKey = rustls::PrivateKey;
|
||||
pub type RootCertStore = rustls::RootCertStore;
|
||||
|
@ -175,7 +178,7 @@ pub fn create_client_config(
|
|||
root_cert_store: Option<RootCertStore>,
|
||||
ca_certs: Vec<Vec<u8>>,
|
||||
unsafely_ignore_certificate_errors: Option<Vec<String>>,
|
||||
maybe_cert_chain_and_key: Option<TlsKey>,
|
||||
maybe_cert_chain_and_key: TlsKeys,
|
||||
socket_use: SocketUse,
|
||||
) -> Result<ClientConfig, AnyError> {
|
||||
if let Some(ic_allowlist) = unsafely_ignore_certificate_errors {
|
||||
|
@ -189,13 +192,12 @@ pub fn create_client_config(
|
|||
// However it's not really feasible to deduplicate it as the `client_config` instances
|
||||
// are not type-compatible - one wants "client cert", the other wants "transparency policy
|
||||
// or client cert".
|
||||
let mut client =
|
||||
if let Some(TlsKey(cert_chain, private_key)) = maybe_cert_chain_and_key {
|
||||
client_config
|
||||
let mut client = match maybe_cert_chain_and_key {
|
||||
TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config
|
||||
.with_client_auth_cert(cert_chain, private_key)
|
||||
.expect("invalid client key or certificate")
|
||||
} else {
|
||||
client_config.with_no_client_auth()
|
||||
.expect("invalid client key or certificate"),
|
||||
TlsKeys::Null => client_config.with_no_client_auth(),
|
||||
TlsKeys::Resolver(_) => unimplemented!(),
|
||||
};
|
||||
|
||||
add_alpn(&mut client, socket_use);
|
||||
|
@ -226,13 +228,12 @@ pub fn create_client_config(
|
|||
root_cert_store
|
||||
});
|
||||
|
||||
let mut client =
|
||||
if let Some(TlsKey(cert_chain, private_key)) = maybe_cert_chain_and_key {
|
||||
client_config
|
||||
let mut client = match maybe_cert_chain_and_key {
|
||||
TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config
|
||||
.with_client_auth_cert(cert_chain, private_key)
|
||||
.expect("invalid client key or certificate")
|
||||
} else {
|
||||
client_config.with_no_client_auth()
|
||||
.expect("invalid client key or certificate"),
|
||||
TlsKeys::Null => client_config.with_no_client_auth(),
|
||||
TlsKeys::Resolver(_) => unimplemented!(),
|
||||
};
|
||||
|
||||
add_alpn(&mut client, socket_use);
|
||||
|
@ -325,15 +326,3 @@ pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
|
|||
|
||||
Ok(keys)
|
||||
}
|
||||
|
||||
/// A loaded key.
|
||||
// FUTURE(mmastrac): add resolver enum value to support dynamic SNI
|
||||
pub enum TlsKeys {
|
||||
// TODO(mmastrac): We need Option<&T> for cppgc -- this is a workaround
|
||||
Null,
|
||||
Static(TlsKey),
|
||||
}
|
||||
|
||||
/// A TLS certificate/private key pair.
|
||||
#[derive(Clone, Debug)]
|
||||
pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey);
|
||||
|
|
321
ext/tls/tls_key.rs
Normal file
321
ext/tls/tls_key.rs
Normal file
|
@ -0,0 +1,321 @@
|
|||
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
||||
|
||||
//! These represent the various types of TLS keys we support for both client and server
|
||||
//! connections.
|
||||
//!
|
||||
//! A TLS key will most often be static, and will loaded from a certificate and key file
|
||||
//! or string. These are represented by `TlsKey`, which is stored in `TlsKeys::Static`.
|
||||
//!
|
||||
//! In more complex cases, you may need a `TlsKeyResolver`/`TlsKeyLookup` pair, which
|
||||
//! requires polling of the `TlsKeyLookup` lookup queue. The underlying channels that used for
|
||||
//! key lookup can handle closing one end of the pair, in which case they will just
|
||||
//! attempt to clean up the associated resources.
|
||||
|
||||
use crate::Certificate;
|
||||
use crate::PrivateKey;
|
||||
use deno_core::anyhow::anyhow;
|
||||
use deno_core::error::AnyError;
|
||||
use deno_core::futures::future::poll_fn;
|
||||
use deno_core::futures::future::Either;
|
||||
use deno_core::futures::FutureExt;
|
||||
use deno_core::unsync::spawn;
|
||||
use rustls::ServerConfig;
|
||||
use rustls_tokio_stream::ServerConfigProvider;
|
||||
use std::cell::RefCell;
|
||||
use std::collections::HashMap;
|
||||
use std::fmt::Debug;
|
||||
use std::future::ready;
|
||||
use std::future::Future;
|
||||
use std::io::ErrorKind;
|
||||
use std::rc::Rc;
|
||||
use std::sync::Arc;
|
||||
use tokio::sync::broadcast;
|
||||
use tokio::sync::mpsc;
|
||||
use tokio::sync::oneshot;
|
||||
|
||||
type ErrorType = Rc<AnyError>;
|
||||
|
||||
/// A TLS certificate/private key pair.
|
||||
#[derive(Clone, Debug, PartialEq, Eq)]
|
||||
pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey);
|
||||
|
||||
#[derive(Clone, Debug, Default)]
|
||||
pub enum TlsKeys {
|
||||
// TODO(mmastrac): We need Option<&T> for cppgc -- this is a workaround
|
||||
#[default]
|
||||
Null,
|
||||
Static(TlsKey),
|
||||
Resolver(TlsKeyResolver),
|
||||
}
|
||||
|
||||
pub struct TlsKeysHolder(RefCell<TlsKeys>);
|
||||
|
||||
impl TlsKeysHolder {
|
||||
pub fn take(&self) -> TlsKeys {
|
||||
std::mem::take(&mut *self.0.borrow_mut())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<TlsKeys> for TlsKeysHolder {
|
||||
fn from(value: TlsKeys) -> Self {
|
||||
TlsKeysHolder(RefCell::new(value))
|
||||
}
|
||||
}
|
||||
|
||||
impl TryInto<Option<TlsKey>> for TlsKeys {
|
||||
type Error = Self;
|
||||
fn try_into(self) -> Result<Option<TlsKey>, Self::Error> {
|
||||
match self {
|
||||
Self::Null => Ok(None),
|
||||
Self::Static(key) => Ok(Some(key)),
|
||||
Self::Resolver(_) => Err(self),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl From<Option<TlsKey>> for TlsKeys {
|
||||
fn from(value: Option<TlsKey>) -> Self {
|
||||
match value {
|
||||
None => TlsKeys::Null,
|
||||
Some(key) => TlsKeys::Static(key),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
enum TlsKeyState {
|
||||
Resolving(broadcast::Receiver<Result<TlsKey, ErrorType>>),
|
||||
Resolved(Result<TlsKey, ErrorType>),
|
||||
}
|
||||
|
||||
struct TlsKeyResolverInner {
|
||||
resolution_tx: mpsc::UnboundedSender<(
|
||||
String,
|
||||
broadcast::Sender<Result<TlsKey, ErrorType>>,
|
||||
)>,
|
||||
cache: RefCell<HashMap<String, TlsKeyState>>,
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct TlsKeyResolver {
|
||||
inner: Rc<TlsKeyResolverInner>,
|
||||
}
|
||||
|
||||
impl TlsKeyResolver {
|
||||
async fn resolve_internal(
|
||||
&self,
|
||||
sni: String,
|
||||
alpn: Vec<Vec<u8>>,
|
||||
) -> Result<Arc<ServerConfig>, AnyError> {
|
||||
let key = self.resolve(sni).await?;
|
||||
|
||||
let mut tls_config = ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_no_client_auth()
|
||||
.with_single_cert(key.0, key.1)?;
|
||||
tls_config.alpn_protocols = alpn;
|
||||
Ok(tls_config.into())
|
||||
}
|
||||
|
||||
pub fn into_server_config_provider(
|
||||
self,
|
||||
alpn: Vec<Vec<u8>>,
|
||||
) -> ServerConfigProvider {
|
||||
let (tx, mut rx) = mpsc::unbounded_channel::<(_, oneshot::Sender<_>)>();
|
||||
|
||||
// We don't want to make the resolver multi-threaded, but the `ServerConfigProvider` is
|
||||
// required to be wrapped in an Arc. To fix this, we spawn a task in our current runtime
|
||||
// to respond to the requests.
|
||||
spawn(async move {
|
||||
while let Some((sni, txr)) = rx.recv().await {
|
||||
_ = txr.send(self.resolve_internal(sni, alpn.clone()).await);
|
||||
}
|
||||
});
|
||||
|
||||
Arc::new(move |hello| {
|
||||
// Take ownership of the SNI information
|
||||
let sni = hello.server_name().unwrap_or_default().to_owned();
|
||||
let (txr, rxr) = tokio::sync::oneshot::channel::<_>();
|
||||
_ = tx.send((sni, txr));
|
||||
rxr
|
||||
.map(|res| match res {
|
||||
Err(e) => Err(std::io::Error::new(ErrorKind::InvalidData, e)),
|
||||
Ok(Err(e)) => Err(std::io::Error::new(ErrorKind::InvalidData, e)),
|
||||
Ok(Ok(res)) => Ok(res),
|
||||
})
|
||||
.boxed()
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl Debug for TlsKeyResolver {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
f.debug_struct("TlsKeyResolver").finish()
|
||||
}
|
||||
}
|
||||
|
||||
pub fn new_resolver() -> (TlsKeyResolver, TlsKeyLookup) {
|
||||
let (resolution_tx, resolution_rx) = mpsc::unbounded_channel();
|
||||
(
|
||||
TlsKeyResolver {
|
||||
inner: Rc::new(TlsKeyResolverInner {
|
||||
resolution_tx,
|
||||
cache: Default::default(),
|
||||
}),
|
||||
},
|
||||
TlsKeyLookup {
|
||||
resolution_rx: RefCell::new(resolution_rx),
|
||||
pending: Default::default(),
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
impl TlsKeyResolver {
|
||||
/// Resolve the certificate and key for a given host. This immediately spawns a task in the
|
||||
/// background and is therefore cancellation-safe.
|
||||
pub fn resolve(
|
||||
&self,
|
||||
sni: String,
|
||||
) -> impl Future<Output = Result<TlsKey, AnyError>> {
|
||||
let mut cache = self.inner.cache.borrow_mut();
|
||||
let mut recv = match cache.get(&sni) {
|
||||
None => {
|
||||
let (tx, rx) = broadcast::channel(1);
|
||||
cache.insert(sni.clone(), TlsKeyState::Resolving(rx.resubscribe()));
|
||||
_ = self.inner.resolution_tx.send((sni.clone(), tx));
|
||||
rx
|
||||
}
|
||||
Some(TlsKeyState::Resolving(recv)) => recv.resubscribe(),
|
||||
Some(TlsKeyState::Resolved(res)) => {
|
||||
return Either::Left(ready(res.clone().map_err(|_| anyhow!("Failed"))));
|
||||
}
|
||||
};
|
||||
drop(cache);
|
||||
|
||||
// Make this cancellation safe
|
||||
let inner = self.inner.clone();
|
||||
let handle = spawn(async move {
|
||||
let res = recv.recv().await?;
|
||||
let mut cache = inner.cache.borrow_mut();
|
||||
match cache.get(&sni) {
|
||||
None | Some(TlsKeyState::Resolving(..)) => {
|
||||
cache.insert(sni, TlsKeyState::Resolved(res.clone()));
|
||||
}
|
||||
Some(TlsKeyState::Resolved(..)) => {
|
||||
// Someone beat us to it
|
||||
}
|
||||
}
|
||||
res.map_err(|_| anyhow!("Failed"))
|
||||
});
|
||||
Either::Right(async move { handle.await? })
|
||||
}
|
||||
}
|
||||
|
||||
pub struct TlsKeyLookup {
|
||||
#[allow(clippy::type_complexity)]
|
||||
resolution_rx: RefCell<
|
||||
mpsc::UnboundedReceiver<(
|
||||
String,
|
||||
broadcast::Sender<Result<TlsKey, ErrorType>>,
|
||||
)>,
|
||||
>,
|
||||
pending:
|
||||
RefCell<HashMap<String, broadcast::Sender<Result<TlsKey, ErrorType>>>>,
|
||||
}
|
||||
|
||||
impl TlsKeyLookup {
|
||||
/// Multiple `poll` calls are safe, but this method is not starvation-safe. Generally
|
||||
/// only one `poll`er should be active at any time.
|
||||
pub async fn poll(&self) -> Option<String> {
|
||||
if let Some((sni, sender)) =
|
||||
poll_fn(|cx| self.resolution_rx.borrow_mut().poll_recv(cx)).await
|
||||
{
|
||||
self.pending.borrow_mut().insert(sni.clone(), sender);
|
||||
Some(sni)
|
||||
} else {
|
||||
None
|
||||
}
|
||||
}
|
||||
|
||||
/// Resolve a previously polled item.
|
||||
pub fn resolve(&self, sni: String, res: Result<TlsKey, AnyError>) {
|
||||
_ = self
|
||||
.pending
|
||||
.borrow_mut()
|
||||
.remove(&sni)
|
||||
.unwrap()
|
||||
.send(res.map_err(Rc::new));
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
pub mod tests {
|
||||
use super::*;
|
||||
use deno_core::unsync::spawn;
|
||||
use rustls::Certificate;
|
||||
use rustls::PrivateKey;
|
||||
|
||||
fn tls_key_for_test(sni: &str) -> TlsKey {
|
||||
TlsKey(
|
||||
vec![Certificate(format!("{sni}-cert").into_bytes())],
|
||||
PrivateKey(format!("{sni}-key").into_bytes()),
|
||||
)
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn test_resolve_once() {
|
||||
let (resolver, lookup) = new_resolver();
|
||||
let task = spawn(async move {
|
||||
while let Some(sni) = lookup.poll().await {
|
||||
lookup.resolve(sni.clone(), Ok(tls_key_for_test(&sni)));
|
||||
}
|
||||
});
|
||||
|
||||
let key = resolver.resolve("example.com".to_owned()).await.unwrap();
|
||||
assert_eq!(tls_key_for_test("example.com"), key);
|
||||
drop(resolver);
|
||||
|
||||
task.await.unwrap();
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn test_resolve_concurrent() {
|
||||
let (resolver, lookup) = new_resolver();
|
||||
let task = spawn(async move {
|
||||
while let Some(sni) = lookup.poll().await {
|
||||
lookup.resolve(sni.clone(), Ok(tls_key_for_test(&sni)));
|
||||
}
|
||||
});
|
||||
|
||||
let f1 = resolver.resolve("example.com".to_owned());
|
||||
let f2 = resolver.resolve("example.com".to_owned());
|
||||
|
||||
let key = f1.await.unwrap();
|
||||
assert_eq!(tls_key_for_test("example.com"), key);
|
||||
let key = f2.await.unwrap();
|
||||
assert_eq!(tls_key_for_test("example.com"), key);
|
||||
drop(resolver);
|
||||
|
||||
task.await.unwrap();
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn test_resolve_multiple_concurrent() {
|
||||
let (resolver, lookup) = new_resolver();
|
||||
let task = spawn(async move {
|
||||
while let Some(sni) = lookup.poll().await {
|
||||
lookup.resolve(sni.clone(), Ok(tls_key_for_test(&sni)));
|
||||
}
|
||||
});
|
||||
|
||||
let f1 = resolver.resolve("example1.com".to_owned());
|
||||
let f2 = resolver.resolve("example2.com".to_owned());
|
||||
|
||||
let key = f1.await.unwrap();
|
||||
assert_eq!(tls_key_for_test("example1.com"), key);
|
||||
let key = f2.await.unwrap();
|
||||
assert_eq!(tls_key_for_test("example2.com"), key);
|
||||
drop(resolver);
|
||||
|
||||
task.await.unwrap();
|
||||
}
|
||||
}
|
|
@ -23,8 +23,10 @@ use deno_core::ToJsBuffer;
|
|||
use deno_net::raw::NetworkStream;
|
||||
use deno_tls::create_client_config;
|
||||
use deno_tls::rustls::ClientConfig;
|
||||
use deno_tls::rustls::ClientConnection;
|
||||
use deno_tls::RootCertStoreProvider;
|
||||
use deno_tls::SocketUse;
|
||||
use deno_tls::TlsKeys;
|
||||
use http::header::CONNECTION;
|
||||
use http::header::UPGRADE;
|
||||
use http::HeaderName;
|
||||
|
@ -236,8 +238,7 @@ async fn handshake_http1_wss(
|
|||
ServerName::try_from(domain).map_err(|_| invalid_hostname(domain))?;
|
||||
let mut tls_connector = TlsStream::new_client_side(
|
||||
tcp_socket,
|
||||
tls_config.into(),
|
||||
dnsname,
|
||||
ClientConnection::new(tls_config.into(), dnsname)?,
|
||||
NonZeroUsize::new(65536),
|
||||
);
|
||||
// If we can bail on an http/1.1 ALPN mismatch here, we can avoid doing extra work
|
||||
|
@ -261,8 +262,11 @@ async fn handshake_http2_wss(
|
|||
let dnsname =
|
||||
ServerName::try_from(domain).map_err(|_| invalid_hostname(domain))?;
|
||||
// We need to better expose the underlying errors here
|
||||
let mut tls_connector =
|
||||
TlsStream::new_client_side(tcp_socket, tls_config.into(), dnsname, None);
|
||||
let mut tls_connector = TlsStream::new_client_side(
|
||||
tcp_socket,
|
||||
ClientConnection::new(tls_config.into(), dnsname)?,
|
||||
None,
|
||||
);
|
||||
let handshake = tls_connector.handshake().await?;
|
||||
if handshake.alpn.is_none() {
|
||||
bail!("Didn't receive h2 alpn, aborting connection");
|
||||
|
@ -332,7 +336,7 @@ pub fn create_ws_client_config(
|
|||
root_cert_store,
|
||||
vec![],
|
||||
unsafely_ignore_certificate_errors,
|
||||
None,
|
||||
TlsKeys::Null,
|
||||
socket_use,
|
||||
)
|
||||
}
|
||||
|
|
|
@ -47,6 +47,7 @@ use deno_io::Stdio;
|
|||
use deno_kv::dynamic::MultiBackendDbHandler;
|
||||
use deno_terminal::colors;
|
||||
use deno_tls::RootCertStoreProvider;
|
||||
use deno_tls::TlsKeys;
|
||||
use deno_web::create_entangled_message_port;
|
||||
use deno_web::serialize_transferables;
|
||||
use deno_web::BlobStore;
|
||||
|
@ -477,7 +478,7 @@ impl WebWorker {
|
|||
unsafely_ignore_certificate_errors: options
|
||||
.unsafely_ignore_certificate_errors
|
||||
.clone(),
|
||||
client_cert_chain_and_key: None,
|
||||
client_cert_chain_and_key: TlsKeys::Null,
|
||||
proxy: None,
|
||||
},
|
||||
),
|
||||
|
|
|
@ -39,6 +39,7 @@ use deno_http::DefaultHttpPropertyExtractor;
|
|||
use deno_io::Stdio;
|
||||
use deno_kv::dynamic::MultiBackendDbHandler;
|
||||
use deno_tls::RootCertStoreProvider;
|
||||
use deno_tls::TlsKeys;
|
||||
use deno_web::BlobStore;
|
||||
use log::debug;
|
||||
|
||||
|
@ -450,7 +451,7 @@ impl MainWorker {
|
|||
unsafely_ignore_certificate_errors: options
|
||||
.unsafely_ignore_certificate_errors
|
||||
.clone(),
|
||||
client_cert_chain_and_key: None,
|
||||
client_cert_chain_and_key: TlsKeys::Null,
|
||||
proxy: None,
|
||||
},
|
||||
),
|
||||
|
|
|
@ -94,6 +94,7 @@ util::unit_test_factory!(
|
|||
text_encoding_test,
|
||||
timers_test,
|
||||
tls_test,
|
||||
tls_sni_test,
|
||||
truncate_test,
|
||||
tty_color_test,
|
||||
tty_test,
|
||||
|
@ -129,7 +130,7 @@ fn js_unit_test(test: String) {
|
|||
.arg("--no-prompt");
|
||||
|
||||
// TODO(mmastrac): it would be better to just load a test CA for all tests
|
||||
let deno = if test == "websocket_test" {
|
||||
let deno = if test == "websocket_test" || test == "tls_sni_test" {
|
||||
deno.arg("--unsafely-ignore-certificate-errors")
|
||||
} else {
|
||||
deno
|
||||
|
|
|
@ -13,6 +13,7 @@ use deno_core::serde_json::json;
|
|||
use deno_core::url;
|
||||
use deno_fetch::reqwest;
|
||||
use deno_tls::rustls;
|
||||
use deno_tls::rustls::ClientConnection;
|
||||
use deno_tls::rustls_pemfile;
|
||||
use deno_tls::TlsStream;
|
||||
use pretty_assertions::assert_eq;
|
||||
|
@ -5388,8 +5389,11 @@ async fn listen_tls_alpn() {
|
|||
let tcp_stream = tokio::net::TcpStream::connect("localhost:4504")
|
||||
.await
|
||||
.unwrap();
|
||||
let mut tls_stream =
|
||||
TlsStream::new_client_side(tcp_stream, cfg, hostname, None);
|
||||
let mut tls_stream = TlsStream::new_client_side(
|
||||
tcp_stream,
|
||||
ClientConnection::new(cfg, hostname).unwrap(),
|
||||
None,
|
||||
);
|
||||
|
||||
let handshake = tls_stream.handshake().await.unwrap();
|
||||
|
||||
|
@ -5437,8 +5441,11 @@ async fn listen_tls_alpn_fail() {
|
|||
let tcp_stream = tokio::net::TcpStream::connect("localhost:4505")
|
||||
.await
|
||||
.unwrap();
|
||||
let mut tls_stream =
|
||||
TlsStream::new_client_side(tcp_stream, cfg, hostname, None);
|
||||
let mut tls_stream = TlsStream::new_client_side(
|
||||
tcp_stream,
|
||||
ClientConnection::new(cfg, hostname).unwrap(),
|
||||
None,
|
||||
);
|
||||
|
||||
tls_stream.handshake().await.unwrap_err();
|
||||
|
||||
|
|
60
tests/unit/tls_sni_test.ts
Normal file
60
tests/unit/tls_sni_test.ts
Normal file
|
@ -0,0 +1,60 @@
|
|||
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
||||
import { assertEquals, assertRejects } from "./test_util.ts";
|
||||
// @ts-expect-error TypeScript (as of 3.7) does not support indexing namespaces by symbol
|
||||
const { resolverSymbol, serverNameSymbol } = Deno[Deno.internal];
|
||||
|
||||
const cert = Deno.readTextFileSync("tests/testdata/tls/localhost.crt");
|
||||
const key = Deno.readTextFileSync("tests/testdata/tls/localhost.key");
|
||||
const certEcc = Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.crt");
|
||||
const keyEcc = Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.key");
|
||||
|
||||
Deno.test(
|
||||
{ permissions: { net: true, read: true } },
|
||||
async function listenResolver() {
|
||||
const sniRequests: string[] = [];
|
||||
const keys: Record<string, { cert: string; key: string }> = {
|
||||
"server-1": { cert, key },
|
||||
"server-2": { cert: certEcc, key: keyEcc },
|
||||
"fail-server-3": { cert: "(invalid)", key: "(bad)" },
|
||||
};
|
||||
const opts: unknown = {
|
||||
hostname: "localhost",
|
||||
port: 0,
|
||||
[resolverSymbol]: (sni: string) => {
|
||||
sniRequests.push(sni);
|
||||
return keys[sni]!;
|
||||
},
|
||||
};
|
||||
const listener = Deno.listenTls(
|
||||
<Deno.ListenTlsOptions & Deno.TlsCertifiedKeyConnectTls> opts,
|
||||
);
|
||||
|
||||
for (
|
||||
const server of ["server-1", "server-2", "fail-server-3", "fail-server-4"]
|
||||
) {
|
||||
const conn = await Deno.connectTls({
|
||||
hostname: "localhost",
|
||||
[serverNameSymbol]: server,
|
||||
port: listener.addr.port,
|
||||
});
|
||||
const serverConn = await listener.accept();
|
||||
if (server.startsWith("fail-")) {
|
||||
await assertRejects(async () => await conn.handshake());
|
||||
await assertRejects(async () => await serverConn.handshake());
|
||||
} else {
|
||||
await conn.handshake();
|
||||
await serverConn.handshake();
|
||||
}
|
||||
conn.close();
|
||||
serverConn.close();
|
||||
}
|
||||
|
||||
assertEquals(sniRequests, [
|
||||
"server-1",
|
||||
"server-2",
|
||||
"fail-server-3",
|
||||
"fail-server-4",
|
||||
]);
|
||||
listener.close();
|
||||
},
|
||||
);
|
Loading…
Reference in a new issue