mirror of
https://github.com/denoland/deno.git
synced 2025-01-11 00:21:05 -05:00
chore: rework TLS code in test server (#23566)
In order to make the reqwest/rustls upgrade more straightforward, we refactor the test server to depend on deno_tls.
This commit is contained in:
parent
084eafe508
commit
8c9caeb418
7 changed files with 53 additions and 73 deletions
3
Cargo.lock
generated
3
Cargo.lock
generated
|
@ -6555,6 +6555,7 @@ dependencies = [
|
|||
"base64",
|
||||
"bytes",
|
||||
"console_static_text",
|
||||
"deno_tls",
|
||||
"deno_unsync",
|
||||
"denokv_proto",
|
||||
"fastwebsockets",
|
||||
|
@ -6580,8 +6581,6 @@ dependencies = [
|
|||
"prost-build",
|
||||
"regex",
|
||||
"reqwest",
|
||||
"rustls-pemfile",
|
||||
"rustls-tokio-stream",
|
||||
"semver 1.0.14",
|
||||
"serde",
|
||||
"serde_json",
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
pub use deno_native_certs;
|
||||
pub use rustls;
|
||||
pub use rustls_pemfile;
|
||||
pub use rustls_tokio_stream;
|
||||
pub use rustls_tokio_stream::*;
|
||||
pub use webpki;
|
||||
pub use webpki_roots;
|
||||
|
||||
|
@ -15,12 +15,9 @@ use rustls::client::HandshakeSignatureValid;
|
|||
use rustls::client::ServerCertVerified;
|
||||
use rustls::client::ServerCertVerifier;
|
||||
use rustls::client::WebPkiVerifier;
|
||||
use rustls::Certificate;
|
||||
use rustls::ClientConfig;
|
||||
use rustls::DigitallySignedStruct;
|
||||
use rustls::Error;
|
||||
use rustls::PrivateKey;
|
||||
use rustls::RootCertStore;
|
||||
use rustls::ServerName;
|
||||
use rustls_pemfile::certs;
|
||||
use rustls_pemfile::ec_private_keys;
|
||||
|
@ -33,6 +30,10 @@ use std::io::Cursor;
|
|||
use std::sync::Arc;
|
||||
use std::time::SystemTime;
|
||||
|
||||
pub type Certificate = rustls::Certificate;
|
||||
pub type PrivateKey = rustls::PrivateKey;
|
||||
pub type RootCertStore = rustls::RootCertStore;
|
||||
|
||||
/// Lazily resolves the root cert store.
|
||||
///
|
||||
/// This was done because the root cert store is not needed in all cases
|
||||
|
@ -263,7 +264,7 @@ pub fn load_certs(
|
|||
return Err(cert_not_found_err());
|
||||
}
|
||||
|
||||
Ok(certs.into_iter().map(Certificate).collect())
|
||||
Ok(certs.into_iter().map(rustls::Certificate).collect())
|
||||
}
|
||||
|
||||
fn key_decode_err() -> AnyError {
|
||||
|
@ -281,19 +282,19 @@ fn cert_not_found_err() -> AnyError {
|
|||
/// Starts with -----BEGIN RSA PRIVATE KEY-----
|
||||
fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
|
||||
let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
|
||||
Ok(keys.into_iter().map(PrivateKey).collect())
|
||||
Ok(keys.into_iter().map(rustls::PrivateKey).collect())
|
||||
}
|
||||
|
||||
/// Starts with -----BEGIN EC PRIVATE KEY-----
|
||||
fn load_ec_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
|
||||
let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
|
||||
Ok(keys.into_iter().map(PrivateKey).collect())
|
||||
Ok(keys.into_iter().map(rustls::PrivateKey).collect())
|
||||
}
|
||||
|
||||
/// Starts with -----BEGIN PRIVATE KEY-----
|
||||
fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
|
||||
let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
|
||||
Ok(keys.into_iter().map(PrivateKey).collect())
|
||||
Ok(keys.into_iter().map(rustls::PrivateKey).collect())
|
||||
}
|
||||
|
||||
fn filter_invalid_encoding_err(
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
use deno_tls::rustls;
|
||||
use deno_tls::rustls_pemfile;
|
||||
use deno_tls::rustls_tokio_stream::TlsStream;
|
||||
use deno_tls::TlsStream;
|
||||
use std::io::BufReader;
|
||||
use std::io::Cursor;
|
||||
use std::io::Read;
|
||||
|
|
|
@ -19,6 +19,7 @@ async-stream = "0.3.3"
|
|||
base64.workspace = true
|
||||
bytes.workspace = true
|
||||
console_static_text.workspace = true
|
||||
deno_tls.workspace = true
|
||||
deno_unsync = "0"
|
||||
denokv_proto.workspace = true
|
||||
fastwebsockets.workspace = true
|
||||
|
@ -43,8 +44,6 @@ pretty_assertions.workspace = true
|
|||
prost.workspace = true
|
||||
regex.workspace = true
|
||||
reqwest.workspace = true
|
||||
rustls-pemfile.workspace = true
|
||||
rustls-tokio-stream.workspace = true
|
||||
semver = "=1.0.14"
|
||||
serde.workspace = true
|
||||
serde_json.workspace = true
|
||||
|
|
|
@ -1,12 +1,14 @@
|
|||
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
||||
use anyhow::anyhow;
|
||||
use deno_tls::load_certs;
|
||||
use deno_tls::load_private_keys;
|
||||
use deno_tls::rustls;
|
||||
use deno_tls::RootCertStore;
|
||||
use deno_tls::TlsStream;
|
||||
use futures::Stream;
|
||||
use futures::StreamExt;
|
||||
use rustls::Certificate;
|
||||
use rustls::PrivateKey;
|
||||
use rustls_tokio_stream::rustls;
|
||||
use rustls_tokio_stream::TlsStream;
|
||||
use std::io;
|
||||
use std::io::Read;
|
||||
use std::num::NonZeroUsize;
|
||||
use std::result::Result;
|
||||
use std::sync::Arc;
|
||||
|
@ -68,65 +70,43 @@ pub fn get_tls_config(
|
|||
let key_file = std::fs::File::open(key_path)?;
|
||||
let ca_file = std::fs::File::open(ca_path)?;
|
||||
|
||||
let certs: Vec<Certificate> = {
|
||||
let mut cert_reader = io::BufReader::new(cert_file);
|
||||
rustls_pemfile::certs(&mut cert_reader)
|
||||
.unwrap()
|
||||
.into_iter()
|
||||
.map(Certificate)
|
||||
.collect()
|
||||
};
|
||||
let err_map = |x| io::Error::new(io::ErrorKind::InvalidData, x);
|
||||
let certs =
|
||||
load_certs(&mut io::BufReader::new(cert_file)).map_err(err_map)?;
|
||||
|
||||
let mut ca_cert_reader = io::BufReader::new(ca_file);
|
||||
let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader)
|
||||
.expect("Cannot load CA certificate")
|
||||
.remove(0);
|
||||
let ca_cert = load_certs(&mut ca_cert_reader).map_err(err_map)?.remove(0);
|
||||
|
||||
let mut key_reader = io::BufReader::new(key_file);
|
||||
let key = {
|
||||
let pkcs8_key = rustls_pemfile::pkcs8_private_keys(&mut key_reader)
|
||||
.expect("Cannot load key file");
|
||||
let rsa_key = rustls_pemfile::rsa_private_keys(&mut key_reader)
|
||||
.expect("Cannot load key file");
|
||||
if !pkcs8_key.is_empty() {
|
||||
Some(pkcs8_key[0].clone())
|
||||
} else if !rsa_key.is_empty() {
|
||||
Some(rsa_key[0].clone())
|
||||
} else {
|
||||
None
|
||||
let mut key = vec![];
|
||||
key_reader.read_to_end(&mut key)?;
|
||||
let key = load_private_keys(&key).map_err(err_map)?.remove(0);
|
||||
|
||||
let mut root_cert_store = RootCertStore::empty();
|
||||
root_cert_store.add(&ca_cert).unwrap();
|
||||
|
||||
// Allow (but do not require) client authentication.
|
||||
|
||||
let mut config = rustls::ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_client_cert_verifier(Arc::new(
|
||||
rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(
|
||||
root_cert_store,
|
||||
),
|
||||
))
|
||||
.with_single_cert(certs, key)
|
||||
.map_err(|e| anyhow!("Error setting cert: {:?}", e))
|
||||
.unwrap();
|
||||
|
||||
match http_versions {
|
||||
SupportedHttpVersions::All => {
|
||||
config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
|
||||
}
|
||||
};
|
||||
|
||||
match key {
|
||||
Some(key) => {
|
||||
let mut root_cert_store = rustls::RootCertStore::empty();
|
||||
root_cert_store.add(&rustls::Certificate(ca_cert)).unwrap();
|
||||
|
||||
// Allow (but do not require) client authentication.
|
||||
|
||||
let mut config = rustls::ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_client_cert_verifier(Arc::new(
|
||||
rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(
|
||||
root_cert_store,
|
||||
),
|
||||
))
|
||||
.with_single_cert(certs, PrivateKey(key))
|
||||
.map_err(|e| anyhow!("Error setting cert: {:?}", e))
|
||||
.unwrap();
|
||||
|
||||
match http_versions {
|
||||
SupportedHttpVersions::All => {
|
||||
config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
|
||||
}
|
||||
SupportedHttpVersions::Http1Only => {}
|
||||
SupportedHttpVersions::Http2Only => {
|
||||
config.alpn_protocols = vec!["h2".into()];
|
||||
}
|
||||
}
|
||||
|
||||
Ok(Arc::new(config))
|
||||
SupportedHttpVersions::Http1Only => {}
|
||||
SupportedHttpVersions::Http2Only => {
|
||||
config.alpn_protocols = vec!["h2".into()];
|
||||
}
|
||||
None => Err(io::Error::new(io::ErrorKind::Other, "Cannot find key")),
|
||||
}
|
||||
|
||||
Ok(Arc::new(config))
|
||||
}
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
||||
|
||||
use deno_tls::TlsStream;
|
||||
use futures::StreamExt;
|
||||
use h2;
|
||||
use hyper::header::HeaderName;
|
||||
use hyper::header::HeaderValue;
|
||||
use rustls_tokio_stream::TlsStream;
|
||||
use tokio::net::TcpStream;
|
||||
use tokio::task::LocalSet;
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
||||
|
||||
use bytes::Bytes;
|
||||
use deno_tls::TlsStream;
|
||||
use futures::Future;
|
||||
use futures::FutureExt;
|
||||
use futures::Stream;
|
||||
|
@ -69,7 +70,7 @@ pub async fn run_server_with_acceptor<'a, A, F, S>(
|
|||
error_msg: &'static str,
|
||||
kind: ServerKind,
|
||||
) where
|
||||
A: Stream<Item = io::Result<rustls_tokio_stream::TlsStream>> + ?Sized,
|
||||
A: Stream<Item = io::Result<TlsStream>> + ?Sized,
|
||||
F: Fn(Request<hyper::body::Incoming>) -> S + Copy + 'static,
|
||||
S: Future<Output = HandlerOutput> + 'static,
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue