foster/denoland-deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-21 15:04:11 -05:00
Code Issues Packages 1 Wiki Activity

fix(ext/tls): add support EC private key (#23261)

Browse source 
Deno works with the `EC` key, but cannot recognize it.
This code works correctly if the prefix 'EC' is removed.

```typescript
const cert = `-----BEGIN CERTIFICATE-----
MIICqjCCAZKgAwIBAgIULvZQk8us6eYdpKZraHVkW8YKL/IwDQYJKoZIhvcNAQEL
BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y
NDA0MDYwNzM4MDlaGA8yMTIzMDMxNDA3MzgwOVowbTELMAkGA1UEBhMCVVMxEjAQ
BgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwIWW91ckNpdHkxHTAbBgNVBAoMFEV4
YW1wbGUtQ2VydGlmaWNhdGVzMRgwFgYDVQQDDA9sb2NhbGhvc3QubG9jYWwwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAATWOALcgzz4LbNikhjVGpkOCUmR8NahjfFw
9pNBuyZnaTcjfeGfiPaV0iQqvTuQnmL+fTBw8PKxzlKGpzsodQaWo1EwTzAfBgNV
HSMEGDAWgBTzut+pwwDfqmMYcI9KNWRDhxcIpTAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIE8DAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBABWp
5LsGj5mWGIy7XpksXb0k2e3fUh+CobNl4JbvE7em68nuyojm0+/vEs8Bpd9vJaUo
tU1btyTO8xUlOGeyNa9Ddd2gj3oB8IGMjxhazWTSDseZ/WqBt6OudPMmnj+jPRQL
8Hb0vyXfmabZnWO9WH9/tcCoGdUdKo2KYN/7M2ojSeRq/4BIL08lC2SVX8DlBG40
8aj3FJo9xsUG59NI31iXVN1UPEN2pakKRJdSVdpbBjxDaEoLw/TB02gqfA43T1fU
wKz+0UYxSCjeW0lOZ3wlaNN2KqiHLuQ6ePG5kqD8aRufmYWK/ImlO/ZiSX60GiPu
K1cC6aWEohOhx+k424Y=
-----END CERTIFICATE-----`
const key = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILL8H0x2ZP/ZZ+CwmKLS/zRleO7k7NBgWH0P767zYvlVoAoGCCqGSM49
AwEHoUQDQgAE1jgC3IM8+C2zYpIY1RqZDglJkfDWoY3xcPaTQbsmZ2k3I33hn4j2
ldIkKr07kJ5i/n0wcPDysc5Shqc7KHUGlg==
-----END EC PRIVATE KEY-----`

const config: Deno.ServeTlsOptions = {
  cert,
  // key, // not working // error: Uncaught (in promise) InvalidData: No keys found in key file
  key: key.replaceAll(' EC', ''), // remove ' EC'. it works
}

Deno.serve(config, (r) => Response.json('ok'))
```
This commit is contained in:
MAKS11060 2024-04-08 19:36:34 +02:00 committed by GitHub
parent 2670c1d580
commit e3833b5a52
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 65 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
ext/tls/lib.rs
View file

@ -23,6 +23,7 @@ use rustls::PrivateKey;
use rustls::RootCertStore; use rustls::RootCertStore;
use rustls::ServerName; use rustls::ServerName;
use rustls_pemfile::certs; use rustls_pemfile::certs;
use rustls_pemfile::ec_private_keys;
use rustls_pemfile::pkcs8_private_keys; use rustls_pemfile::pkcs8_private_keys;
use rustls_pemfile::rsa_private_keys; use rustls_pemfile::rsa_private_keys;
use serde::Deserialize; use serde::Deserialize;
@ -290,6 +291,12 @@ fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
Ok(keys.into_iter().map(PrivateKey).collect()) Ok(keys.into_iter().map(PrivateKey).collect())
} }
/// Starts with -----BEGIN EC PRIVATE KEY-----
fn load_ec_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
Ok(keys.into_iter().map(PrivateKey).collect())
}
/// Starts with -----BEGIN PRIVATE KEY----- /// Starts with -----BEGIN PRIVATE KEY-----
fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?; let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
@ -314,6 +321,10 @@ pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
keys = load_pkcs8_keys(bytes)?; keys = load_pkcs8_keys(bytes)?;
} }
if keys.is_empty() {
keys = load_ec_keys(bytes)?;
}
if keys.is_empty() { if keys.is_empty() {
return Err(key_not_found_err()); return Err(key_not_found_err());
} }

10
tests/testdata/tls/README.md vendored
View file

@ -38,6 +38,14 @@ openssl x509 -req -sha256 -days 36135 -in localhost.csr -CA RootCA.pem -CAkey Ro
Note that the country / state / city / name in the first command can be Note that the country / state / city / name in the first command can be
customized. customized.
Generate localhost_ecc.key, localhost_ecc.csr, and localhost_ecc.crt:
```shell
openssl ecparam -genkey -name prime256v1 -noout --out localhost_ecc.key
openssl req -new -key localhost_ecc.key -out localhost_ecc.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 36135 -in localhost_ecc.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.txt -out localhost_ecc.crt
```
For testing purposes we need following files: For testing purposes we need following files:
- `RootCA.crt` - `RootCA.crt`
@ -45,3 +53,5 @@ For testing purposes we need following files:
- `RootCA.pem` - `RootCA.pem`
- `localhost.crt` - `localhost.crt`
- `localhost.key` - `localhost.key`
- `localhost_ecc.crt`
- `localhost_ecc.key`

17
tests/testdata/tls/localhost_ecc.crt vendored Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICqjCCAZKgAwIBAgIULvZQk8us6eYdpKZraHVkW8YKL/IwDQYJKoZIhvcNAQEL
BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y
NDA0MDYwNzM4MDlaGA8yMTIzMDMxNDA3MzgwOVowbTELMAkGA1UEBhMCVVMxEjAQ
BgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwIWW91ckNpdHkxHTAbBgNVBAoMFEV4
YW1wbGUtQ2VydGlmaWNhdGVzMRgwFgYDVQQDDA9sb2NhbGhvc3QubG9jYWwwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAATWOALcgzz4LbNikhjVGpkOCUmR8NahjfFw
9pNBuyZnaTcjfeGfiPaV0iQqvTuQnmL+fTBw8PKxzlKGpzsodQaWo1EwTzAfBgNV
HSMEGDAWgBTzut+pwwDfqmMYcI9KNWRDhxcIpTAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIE8DAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBABWp
5LsGj5mWGIy7XpksXb0k2e3fUh+CobNl4JbvE7em68nuyojm0+/vEs8Bpd9vJaUo
tU1btyTO8xUlOGeyNa9Ddd2gj3oB8IGMjxhazWTSDseZ/WqBt6OudPMmnj+jPRQL
8Hb0vyXfmabZnWO9WH9/tcCoGdUdKo2KYN/7M2ojSeRq/4BIL08lC2SVX8DlBG40
8aj3FJo9xsUG59NI31iXVN1UPEN2pakKRJdSVdpbBjxDaEoLw/TB02gqfA43T1fU
wKz+0UYxSCjeW0lOZ3wlaNN2KqiHLuQ6ePG5kqD8aRufmYWK/ImlO/ZiSX60GiPu
K1cC6aWEohOhx+k424Y=
-----END CERTIFICATE-----

9
tests/testdata/tls/localhost_ecc.csr vendored Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBKDCBzwIBADBtMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91clN0YXRlMREw
DwYDVQQHDAhZb3VyQ2l0eTEdMBsGA1UECgwURXhhbXBsZS1DZXJ0aWZpY2F0ZXMx
GDAWBgNVBAMMD2xvY2FsaG9zdC5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABNY4AtyDPPgts2KSGNUamQ4JSZHw1qGN8XD2k0G7JmdpNyN94Z+I9pXSJCq9
O5CeYv59MHDw8rHOUoanOyh1BpagADAKBggqhkjOPQQDAgNIADBFAiBhQS10Z4WC
nWEeW1WW1JjFSEZLnM/+SwFRnd5qi4XDOgIhAKANBw+FekrP0NppVCLN/RC7DTra
jFvKH2rUuewC6iXR
-----END CERTIFICATE REQUEST-----

5
tests/testdata/tls/localhost_ecc.key vendored Normal file
View file

@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILL8H0x2ZP/ZZ+CwmKLS/zRleO7k7NBgWH0P767zYvlVoAoGCCqGSM49
AwEHoUQDQgAE1jgC3IM8+C2zYpIY1RqZDglJkfDWoY3xcPaTQbsmZ2k3I33hn4j2
ldIkKr07kJ5i/n0wcPDysc5Shqc7KHUGlg==
-----END EC PRIVATE KEY-----

13
tests/unit/tls_test.ts
View file

@ -1633,3 +1633,16 @@ Deno.test(
}, Deno.errors.InvalidData); }, Deno.errors.InvalidData);
}, },
); );
Deno.test(
{ permissions: { net: true, read: true } },
function listenTLSEcKey() {
const listener = Deno.listenTls({
hostname: "localhost",
port: 0,
certFile: "tests/testdata/tls/localhost_ecc.crt",
keyFile: "tests/testdata/tls/localhost_ecc.key",
});
listener.close();
},
);