Update rustls to 0.23. Support 'CryptoProvider's.

This commit updates rustls to 0.23 and adds support for custom
'CryptoProvider's installable via 'CryptoProvider::install_default()'.
In particular, this enables using `aws-lc-rs` for cryptography related
operation in TLS. The 'TLS' example was updated to test use of
'aws-lc-rs' on Unix.

core/lib/Cargo.toml

@@ -50,8 +50,8 @@ rmp-serde = { version = "1", optional = true }
 uuid_ = { package = "uuid", version = "1", optional = true, features = ["serde"] }
 
 # Optional TLS dependencies
-rustls = { version = "0.22", optional = true }
+rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
-tokio-rustls = { version = "0.25", optional = true }
+tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
 rustls-pemfile = { version = "2.0.0", optional = true }
 
 # Optional MTLS dependencies

core/lib/src/listener/tls.rs

@@ -7,7 +7,7 @@ use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::TlsAcceptor;
 
 use crate::tls::{TlsConfig, Error};
-use crate::tls::util::{load_cert_chain, load_key, load_ca_certs};
+use crate::tls::util::{self, load_cert_chain, load_key, load_ca_certs};
 use crate::listener::{Listener, Bindable, Connection, Certificates, Endpoint};
 
 #[doc(inline)]
@@ -31,7 +31,7 @@ impl TlsConfig {
     pub(crate) fn server_config(&self) -> Result<ServerConfig, Error> {
         let provider = rustls::crypto::CryptoProvider {
             cipher_suites: self.ciphers().map(|c| c.into()).collect(),
-            ..rustls::crypto::ring::default_provider()
+            ..util::get_crypto_provider()
         };
 
         #[cfg(feature = "mtls")]

core/lib/src/tls/util.rs

@@ -1,6 +1,7 @@
 use std::io;
 
 use rustls::RootCertStore;
+use rustls::crypto::CryptoProvider;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 
 use crate::tls::error::{Result, Error, KeyError};
@@ -33,7 +34,8 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>>
 
     // Ensure we can use the key.
     let key = keys.remove(0);
-    rustls::crypto::ring::sign::any_supported_type(&key).map_err(KeyError::Unsupported)?;
+    get_crypto_provider().key_provider.load_private_key(key.clone_key())
+        .map_err(KeyError::Unsupported)?;
     Ok(key)
 }
 
@@ -47,6 +49,19 @@ pub fn load_ca_certs(reader: &mut dyn io::BufRead) -> Result<RootCertStore> {
     Ok(roots)
 }
 
+pub(crate) fn get_crypto_provider() -> CryptoProvider {
+    if let Some(crypto_provider) = rustls::crypto::CryptoProvider::get_default() {
+        CryptoProvider::clone(crypto_provider)
+    } else {
+        let crypto_provider = rustls::crypto::ring::default_provider();
+        // Should only fail due to other concurrent install, so we ignore it
+        let _ = crypto_provider.clone().install_default();
+
+        crypto_provider
+    }
+
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

examples/tls/Cargo.toml

@@ -7,4 +7,5 @@ publish = false
 
 [dependencies]
 rocket = { path = "../../core/lib", features = ["tls", "mtls", "secrets", "http3-preview"] }
+rustls = { version = "0.23", features = ["aws_lc_rs"] }
 yansi = "1.0.1"

examples/tls/Rocket.toml

@@ -25,6 +25,10 @@ key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
 certs = "private/ecdsa_nistp384_sha384_cert.pem"
 key = "private/ecdsa_nistp384_sha384_key_pkcs8.pem"
 
+[ecdsa_nistp521_sha512_pkcs8.tls]
+certs = "private/ecdsa_nistp521_sha512_cert.pem"
+key = "private/ecdsa_nistp521_sha512_key_pkcs8.pem"
+
 [ecdsa_nistp256_sha256_sec1.tls]
 certs = "private/ecdsa_nistp256_sha256_cert.pem"
 key = "private/ecdsa_nistp256_sha256_key_sec1.pem"

examples/tls/private/ecdsa_nistp521_sha512_cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5DCCAcygAwIBAgIUZ2n0Lhg+9cVPCOtK7Ov1D5n58GIwDQYJKoZIhvcNAQEN
+BQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlSb2NrZXQg
+Q0ExFzAVBgNVBAMMDlJvY2tldCBSb290IENBMB4XDTI0MDMyNzExMDYzMFoXDTM0
+MDMyNTExMDYzMFowPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQK
+DAZSb2NrZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDCBmzAQBgcqhkjOPQIBBgUrgQQA
+IwOBhgAEAYXtydjaJR3BsC6NVEPD8wxIobzKO004WjyKFupkQcuQPg4DDzLTimho
+SyH3ohaYX398MBSSgxo5A1zTb0TB/Yl1AYLiP6SWmZfejRdyZuRQSNrNIH07MIId
+e+l8VD0DVSb9+Zej5eet4sRgcVgxIzfSCi1mVzSCttbwagpvZW/HBEEgo1gwVjAU
+BgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFMvhtxA9Tm+8JRx1MfLdJk3Z
+XW5DMB8GA1UdIwQYMBaAFEQDJSPSVPCilnYHVWae8w99S0KTMA0GCSqGSIb3DQEB
+DQUAA4ICAQCscu1VBrqQRLON5s86UQv+sCATmW9kWWLCnHn78iGfxMa9N4L9rsf4
+aFTFpfklOHYBPLK0q2Jm681rzD09FN0DTxG5t9WIsQ2PEJc2akqbzx1Sm4sMZ/td
+79oS/BLgKEOL8RDtU4dQu5DsrOqOYtDbH4ETwGs3TL3eWH+3sC9S25Sq/DJ9TFHm
+pZIzEB9rEwgXMsZ0KVYzEAByKZvJZJbp5nRFJPO4riuY+RkyeqQh+oWxRAplqk2s
+yZEgxgnJIPzVYJkZ8VxaWLF9mU2kHtJlHwlTf6Yp3LTuyr9mwVsNTY+xXco6d5p8
+bMVUBvVCxNmFHsv2maNOHF2AkxwncIkSNK00ohX5rSnZ1Tdipq3ckjpkbTccYWO2
+aEPUphZUkGNReSnJ0LKDyCW4Y4Yna3SG152DfMaIjQjflyh8jUnsrGdISxuemE/z
+2RnTzoSJLGMZvw52BsPbq9aNiZy7kM495oANFSaHwDbkEAknYKyAj2uO2740qEOH
+xhmsa67lPeofZBoU86gydkszCOWN1GzGOmoF9OFfD5H9M6mtYJ6l1h6/80ofx2Fv
+SdaksbRdERx20hVPM6tsAbfeP2mmxelVmhxwziQe5ERybrBx23w+khsfsA8Ldv+7
+hbAqYufmcmsSxdEA+Fuo18vhHOT98UmKlXx1hyERm0hbJe9rW+rGKg==
+-----END CERTIFICATE-----

examples/tls/private/ecdsa_nistp521_sha512_key_pkcs8.pem

@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA3a6vdhcCDC8p/8yG
+eDASmWqQdkmgU9kaqqgmBh2gcLhTxxtjwAy8BxBy4UmRFo8VJtFUDLXt8ZR2vzTc
+zKybjrmhgYkDgYYABAGF7cnY2iUdwbAujVRDw/MMSKG8yjtNOFo8ihbqZEHLkD4O
+Aw8y04poaEsh96IWmF9/fDAUkoMaOQNc029Ewf2JdQGC4j+klpmX3o0XcmbkUEja
+zSB9OzCCHXvpfFQ9A1Um/fmXo+XnreLEYHFYMSM30gotZlc0grbW8GoKb2VvxwRB
+IA==
+-----END PRIVATE KEY-----

examples/tls/private/gen_certs.sh

@@ -113,15 +113,39 @@ function gen_ecdsa_nistp384_sha384() {
   rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem
 }
 
+function gen_ecdsa_nistp521_sha512() {
+  gen_ca_if_non_existent
+
+  openssl ecparam -out ecdsa_nistp521_sha512_key.pem -name secp521r1 -genkey
+
+  # Convert to pkcs8 format supported by rustls
+  openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp521_sha512_key.pem \
+    -out ecdsa_nistp521_sha512_key_pkcs8.pem
+
+  openssl req -new -nodes -sha512 -key ecdsa_nistp521_sha512_key_pkcs8.pem \
+    -subj "${SUBJECT}" -out server.csr
+
+  openssl x509 -req -sha512 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
+    -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
+    -in server.csr -out ecdsa_nistp521_sha512_cert.pem
+
+  openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp521_sha512_cert.pem \
+    -inkey ecdsa_nistp521_sha512_key_pkcs8.pem -out ecdsa_nistp521_sha512.p12
+
+  rm ca_cert.srl server.csr ecdsa_nistp521_sha512_key.pem
+}
+
 case $1 in
   ed25519) gen_ed25519 ;;
   rsa_sha256) gen_rsa_sha256 ;;
   ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;;
   ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;;
+  ecdsa_nistp521_sha512) gen_ecdsa_nistp521_sha512 ;;
   *)
     gen_ed25519
     gen_rsa_sha256
     gen_ecdsa_nistp256_sha256
     gen_ecdsa_nistp384_sha384
+    gen_ecdsa_nistp521_sha512
     ;;
 esac

examples/tls/src/tests.rs

@@ -69,8 +69,9 @@ fn insecure_cookies() {
 fn hello_world() {
     use rocket::listener::DefaultListener;
     use rocket::config::{Config, SecretKey};
+    use rustls::crypto::aws_lc_rs;
 
-    let profiles = [
+    let mut profiles = vec![
         "rsa_sha256",
         "ecdsa_nistp256_sha256_pkcs8",
         "ecdsa_nistp384_sha384_pkcs8",
@@ -79,20 +80,29 @@ fn hello_world() {
         "ed25519",
     ];
 
-    for profile in profiles {
+    for use_aws_lc in [false, true] {
-        let config = Config {
+        if use_aws_lc {
-            secret_key: SecretKey::generate().unwrap(),
+            let crypto_provider = aws_lc_rs::default_provider();
-            ..Config::debug_default()
+            crypto_provider.install_default().unwrap();
-        };
 
-        let figment = Config::figment().merge(config).select(profile);
+            profiles.push("ecdsa_nistp521_sha512_pkcs8");
-        let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
+        }
-        let response = client.get("/").dispatch();
-        assert_eq!(response.into_string().unwrap(), "Hello, world!");
 
-        let figment = client.rocket().figment();
+        for profile in &profiles {
-        let listener: DefaultListener = figment.extract().unwrap();
+            let config = Config {
-        assert_eq!(figment.profile(), profile);
+                secret_key: SecretKey::generate().unwrap(),
-        listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
+                ..Config::debug_default()
+            };
+
+            let figment = Config::figment().merge(config).select(profile);
+            let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
+            let response = client.get("/").dispatch();
+            assert_eq!(response.into_string().unwrap(), "Hello, world!");
+
+            let figment = client.rocket().figment();
+            let listener: DefaultListener = figment.extract().unwrap();
+            assert_eq!(figment.profile(), profile);
+            listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
+        }
     }
 }