Update rustls to 0.23. Support 'CryptoProvider's.

This commit updates rustls to 0.23 and adds support for custom
'CryptoProvider's installable via 'CryptoProvider::install_default()'.
In particular, this enables using `aws-lc-rs` for cryptography related
operation in TLS. The 'TLS' example was updated to test use of
'aws-lc-rs' on Unix.
This commit is contained in:
Abdullah Alyan 2024-03-25 15:31:00 +03:00 committed by Sergio Benitez
parent bd26ca462a
commit ce92c5dd76
10 changed files with 104 additions and 19 deletions

View File

@ -50,8 +50,8 @@ rmp-serde = { version = "1", optional = true }
uuid_ = { package = "uuid", version = "1", optional = true, features = ["serde"] } uuid_ = { package = "uuid", version = "1", optional = true, features = ["serde"] }
# Optional TLS dependencies # Optional TLS dependencies
rustls = { version = "0.22", optional = true } rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
tokio-rustls = { version = "0.25", optional = true } tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
rustls-pemfile = { version = "2.0.0", optional = true } rustls-pemfile = { version = "2.0.0", optional = true }
# Optional MTLS dependencies # Optional MTLS dependencies

View File

@ -7,7 +7,7 @@ use tokio::io::{AsyncRead, AsyncWrite};
use tokio_rustls::TlsAcceptor; use tokio_rustls::TlsAcceptor;
use crate::tls::{TlsConfig, Error}; use crate::tls::{TlsConfig, Error};
use crate::tls::util::{load_cert_chain, load_key, load_ca_certs}; use crate::tls::util::{self, load_cert_chain, load_key, load_ca_certs};
use crate::listener::{Listener, Bindable, Connection, Certificates, Endpoint}; use crate::listener::{Listener, Bindable, Connection, Certificates, Endpoint};
#[doc(inline)] #[doc(inline)]
@ -31,7 +31,7 @@ impl TlsConfig {
pub(crate) fn server_config(&self) -> Result<ServerConfig, Error> { pub(crate) fn server_config(&self) -> Result<ServerConfig, Error> {
let provider = rustls::crypto::CryptoProvider { let provider = rustls::crypto::CryptoProvider {
cipher_suites: self.ciphers().map(|c| c.into()).collect(), cipher_suites: self.ciphers().map(|c| c.into()).collect(),
..rustls::crypto::ring::default_provider() ..util::get_crypto_provider()
}; };
#[cfg(feature = "mtls")] #[cfg(feature = "mtls")]

View File

@ -1,6 +1,7 @@
use std::io; use std::io;
use rustls::RootCertStore; use rustls::RootCertStore;
use rustls::crypto::CryptoProvider;
use rustls::pki_types::{CertificateDer, PrivateKeyDer}; use rustls::pki_types::{CertificateDer, PrivateKeyDer};
use crate::tls::error::{Result, Error, KeyError}; use crate::tls::error::{Result, Error, KeyError};
@ -33,7 +34,8 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>>
// Ensure we can use the key. // Ensure we can use the key.
let key = keys.remove(0); let key = keys.remove(0);
rustls::crypto::ring::sign::any_supported_type(&key).map_err(KeyError::Unsupported)?; get_crypto_provider().key_provider.load_private_key(key.clone_key())
.map_err(KeyError::Unsupported)?;
Ok(key) Ok(key)
} }
@ -47,6 +49,19 @@ pub fn load_ca_certs(reader: &mut dyn io::BufRead) -> Result<RootCertStore> {
Ok(roots) Ok(roots)
} }
pub(crate) fn get_crypto_provider() -> CryptoProvider {
if let Some(crypto_provider) = rustls::crypto::CryptoProvider::get_default() {
CryptoProvider::clone(crypto_provider)
} else {
let crypto_provider = rustls::crypto::ring::default_provider();
// Should only fail due to other concurrent install, so we ignore it
let _ = crypto_provider.clone().install_default();
crypto_provider
}
}
#[cfg(test)] #[cfg(test)]
mod test { mod test {
use super::*; use super::*;

View File

@ -7,4 +7,5 @@ publish = false
[dependencies] [dependencies]
rocket = { path = "../../core/lib", features = ["tls", "mtls", "secrets", "http3-preview"] } rocket = { path = "../../core/lib", features = ["tls", "mtls", "secrets", "http3-preview"] }
rustls = { version = "0.23", features = ["aws_lc_rs"] }
yansi = "1.0.1" yansi = "1.0.1"

View File

@ -25,6 +25,10 @@ key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
certs = "private/ecdsa_nistp384_sha384_cert.pem" certs = "private/ecdsa_nistp384_sha384_cert.pem"
key = "private/ecdsa_nistp384_sha384_key_pkcs8.pem" key = "private/ecdsa_nistp384_sha384_key_pkcs8.pem"
[ecdsa_nistp521_sha512_pkcs8.tls]
certs = "private/ecdsa_nistp521_sha512_cert.pem"
key = "private/ecdsa_nistp521_sha512_key_pkcs8.pem"
[ecdsa_nistp256_sha256_sec1.tls] [ecdsa_nistp256_sha256_sec1.tls]
certs = "private/ecdsa_nistp256_sha256_cert.pem" certs = "private/ecdsa_nistp256_sha256_cert.pem"
key = "private/ecdsa_nistp256_sha256_key_sec1.pem" key = "private/ecdsa_nistp256_sha256_key_sec1.pem"

Binary file not shown.

View File

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIID5DCCAcygAwIBAgIUZ2n0Lhg+9cVPCOtK7Ov1D5n58GIwDQYJKoZIhvcNAQEN
BQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlSb2NrZXQg
Q0ExFzAVBgNVBAMMDlJvY2tldCBSb290IENBMB4XDTI0MDMyNzExMDYzMFoXDTM0
MDMyNTExMDYzMFowPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQK
DAZSb2NrZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDCBmzAQBgcqhkjOPQIBBgUrgQQA
IwOBhgAEAYXtydjaJR3BsC6NVEPD8wxIobzKO004WjyKFupkQcuQPg4DDzLTimho
SyH3ohaYX398MBSSgxo5A1zTb0TB/Yl1AYLiP6SWmZfejRdyZuRQSNrNIH07MIId
e+l8VD0DVSb9+Zej5eet4sRgcVgxIzfSCi1mVzSCttbwagpvZW/HBEEgo1gwVjAU
BgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFMvhtxA9Tm+8JRx1MfLdJk3Z
XW5DMB8GA1UdIwQYMBaAFEQDJSPSVPCilnYHVWae8w99S0KTMA0GCSqGSIb3DQEB
DQUAA4ICAQCscu1VBrqQRLON5s86UQv+sCATmW9kWWLCnHn78iGfxMa9N4L9rsf4
aFTFpfklOHYBPLK0q2Jm681rzD09FN0DTxG5t9WIsQ2PEJc2akqbzx1Sm4sMZ/td
79oS/BLgKEOL8RDtU4dQu5DsrOqOYtDbH4ETwGs3TL3eWH+3sC9S25Sq/DJ9TFHm
pZIzEB9rEwgXMsZ0KVYzEAByKZvJZJbp5nRFJPO4riuY+RkyeqQh+oWxRAplqk2s
yZEgxgnJIPzVYJkZ8VxaWLF9mU2kHtJlHwlTf6Yp3LTuyr9mwVsNTY+xXco6d5p8
bMVUBvVCxNmFHsv2maNOHF2AkxwncIkSNK00ohX5rSnZ1Tdipq3ckjpkbTccYWO2
aEPUphZUkGNReSnJ0LKDyCW4Y4Yna3SG152DfMaIjQjflyh8jUnsrGdISxuemE/z
2RnTzoSJLGMZvw52BsPbq9aNiZy7kM495oANFSaHwDbkEAknYKyAj2uO2740qEOH
xhmsa67lPeofZBoU86gydkszCOWN1GzGOmoF9OFfD5H9M6mtYJ6l1h6/80ofx2Fv
SdaksbRdERx20hVPM6tsAbfeP2mmxelVmhxwziQe5ERybrBx23w+khsfsA8Ldv+7
hbAqYufmcmsSxdEA+Fuo18vhHOT98UmKlXx1hyERm0hbJe9rW+rGKg==
-----END CERTIFICATE-----

View File

@ -0,0 +1,8 @@
-----BEGIN PRIVATE KEY-----
MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA3a6vdhcCDC8p/8yG
eDASmWqQdkmgU9kaqqgmBh2gcLhTxxtjwAy8BxBy4UmRFo8VJtFUDLXt8ZR2vzTc
zKybjrmhgYkDgYYABAGF7cnY2iUdwbAujVRDw/MMSKG8yjtNOFo8ihbqZEHLkD4O
Aw8y04poaEsh96IWmF9/fDAUkoMaOQNc029Ewf2JdQGC4j+klpmX3o0XcmbkUEja
zSB9OzCCHXvpfFQ9A1Um/fmXo+XnreLEYHFYMSM30gotZlc0grbW8GoKb2VvxwRB
IA==
-----END PRIVATE KEY-----

View File

@ -113,15 +113,39 @@ function gen_ecdsa_nistp384_sha384() {
rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem
} }
function gen_ecdsa_nistp521_sha512() {
gen_ca_if_non_existent
openssl ecparam -out ecdsa_nistp521_sha512_key.pem -name secp521r1 -genkey
# Convert to pkcs8 format supported by rustls
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp521_sha512_key.pem \
-out ecdsa_nistp521_sha512_key_pkcs8.pem
openssl req -new -nodes -sha512 -key ecdsa_nistp521_sha512_key_pkcs8.pem \
-subj "${SUBJECT}" -out server.csr
openssl x509 -req -sha512 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
-in server.csr -out ecdsa_nistp521_sha512_cert.pem
openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp521_sha512_cert.pem \
-inkey ecdsa_nistp521_sha512_key_pkcs8.pem -out ecdsa_nistp521_sha512.p12
rm ca_cert.srl server.csr ecdsa_nistp521_sha512_key.pem
}
case $1 in case $1 in
ed25519) gen_ed25519 ;; ed25519) gen_ed25519 ;;
rsa_sha256) gen_rsa_sha256 ;; rsa_sha256) gen_rsa_sha256 ;;
ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;; ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;;
ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;; ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;;
ecdsa_nistp521_sha512) gen_ecdsa_nistp521_sha512 ;;
*) *)
gen_ed25519 gen_ed25519
gen_rsa_sha256 gen_rsa_sha256
gen_ecdsa_nistp256_sha256 gen_ecdsa_nistp256_sha256
gen_ecdsa_nistp384_sha384 gen_ecdsa_nistp384_sha384
gen_ecdsa_nistp521_sha512
;; ;;
esac esac

View File

@ -69,8 +69,9 @@ fn insecure_cookies() {
fn hello_world() { fn hello_world() {
use rocket::listener::DefaultListener; use rocket::listener::DefaultListener;
use rocket::config::{Config, SecretKey}; use rocket::config::{Config, SecretKey};
use rustls::crypto::aws_lc_rs;
let profiles = [ let mut profiles = vec![
"rsa_sha256", "rsa_sha256",
"ecdsa_nistp256_sha256_pkcs8", "ecdsa_nistp256_sha256_pkcs8",
"ecdsa_nistp384_sha384_pkcs8", "ecdsa_nistp384_sha384_pkcs8",
@ -79,20 +80,29 @@ fn hello_world() {
"ed25519", "ed25519",
]; ];
for profile in profiles { for use_aws_lc in [false, true] {
let config = Config { if use_aws_lc {
secret_key: SecretKey::generate().unwrap(), let crypto_provider = aws_lc_rs::default_provider();
..Config::debug_default() crypto_provider.install_default().unwrap();
};
let figment = Config::figment().merge(config).select(profile); profiles.push("ecdsa_nistp521_sha512_pkcs8");
let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap(); }
let response = client.get("/").dispatch();
assert_eq!(response.into_string().unwrap(), "Hello, world!");
let figment = client.rocket().figment(); for profile in &profiles {
let listener: DefaultListener = figment.extract().unwrap(); let config = Config {
assert_eq!(figment.profile(), profile); secret_key: SecretKey::generate().unwrap(),
listener.tls.as_ref().unwrap().validate().expect("valid TLS config"); ..Config::debug_default()
};
let figment = Config::figment().merge(config).select(profile);
let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
let response = client.get("/").dispatch();
assert_eq!(response.into_string().unwrap(), "Hello, world!");
let figment = client.rocket().figment();
let listener: DefaultListener = figment.extract().unwrap();
assert_eq!(figment.profile(), profile);
listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
}
} }
} }