mirror of https://github.com/rwf2/Rocket.git
Update rustls to 0.23. Support 'CryptoProvider's.
This commit updates rustls to 0.23 and adds support for custom 'CryptoProvider's installable via 'CryptoProvider::install_default()'. In particular, this enables using `aws-lc-rs` for cryptography related operation in TLS. The 'TLS' example was updated to test use of 'aws-lc-rs' on Unix.
This commit is contained in:
parent
bd26ca462a
commit
ce92c5dd76
|
@ -50,8 +50,8 @@ rmp-serde = { version = "1", optional = true }
|
|||
uuid_ = { package = "uuid", version = "1", optional = true, features = ["serde"] }
|
||||
|
||||
# Optional TLS dependencies
|
||||
rustls = { version = "0.22", optional = true }
|
||||
tokio-rustls = { version = "0.25", optional = true }
|
||||
rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
|
||||
tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
|
||||
rustls-pemfile = { version = "2.0.0", optional = true }
|
||||
|
||||
# Optional MTLS dependencies
|
||||
|
|
|
@ -7,7 +7,7 @@ use tokio::io::{AsyncRead, AsyncWrite};
|
|||
use tokio_rustls::TlsAcceptor;
|
||||
|
||||
use crate::tls::{TlsConfig, Error};
|
||||
use crate::tls::util::{load_cert_chain, load_key, load_ca_certs};
|
||||
use crate::tls::util::{self, load_cert_chain, load_key, load_ca_certs};
|
||||
use crate::listener::{Listener, Bindable, Connection, Certificates, Endpoint};
|
||||
|
||||
#[doc(inline)]
|
||||
|
@ -31,7 +31,7 @@ impl TlsConfig {
|
|||
pub(crate) fn server_config(&self) -> Result<ServerConfig, Error> {
|
||||
let provider = rustls::crypto::CryptoProvider {
|
||||
cipher_suites: self.ciphers().map(|c| c.into()).collect(),
|
||||
..rustls::crypto::ring::default_provider()
|
||||
..util::get_crypto_provider()
|
||||
};
|
||||
|
||||
#[cfg(feature = "mtls")]
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
use std::io;
|
||||
|
||||
use rustls::RootCertStore;
|
||||
use rustls::crypto::CryptoProvider;
|
||||
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
||||
|
||||
use crate::tls::error::{Result, Error, KeyError};
|
||||
|
@ -33,7 +34,8 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>>
|
|||
|
||||
// Ensure we can use the key.
|
||||
let key = keys.remove(0);
|
||||
rustls::crypto::ring::sign::any_supported_type(&key).map_err(KeyError::Unsupported)?;
|
||||
get_crypto_provider().key_provider.load_private_key(key.clone_key())
|
||||
.map_err(KeyError::Unsupported)?;
|
||||
Ok(key)
|
||||
}
|
||||
|
||||
|
@ -47,6 +49,19 @@ pub fn load_ca_certs(reader: &mut dyn io::BufRead) -> Result<RootCertStore> {
|
|||
Ok(roots)
|
||||
}
|
||||
|
||||
pub(crate) fn get_crypto_provider() -> CryptoProvider {
|
||||
if let Some(crypto_provider) = rustls::crypto::CryptoProvider::get_default() {
|
||||
CryptoProvider::clone(crypto_provider)
|
||||
} else {
|
||||
let crypto_provider = rustls::crypto::ring::default_provider();
|
||||
// Should only fail due to other concurrent install, so we ignore it
|
||||
let _ = crypto_provider.clone().install_default();
|
||||
|
||||
crypto_provider
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod test {
|
||||
use super::*;
|
||||
|
|
|
@ -7,4 +7,5 @@ publish = false
|
|||
|
||||
[dependencies]
|
||||
rocket = { path = "../../core/lib", features = ["tls", "mtls", "secrets", "http3-preview"] }
|
||||
rustls = { version = "0.23", features = ["aws_lc_rs"] }
|
||||
yansi = "1.0.1"
|
||||
|
|
|
@ -25,6 +25,10 @@ key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
|
|||
certs = "private/ecdsa_nistp384_sha384_cert.pem"
|
||||
key = "private/ecdsa_nistp384_sha384_key_pkcs8.pem"
|
||||
|
||||
[ecdsa_nistp521_sha512_pkcs8.tls]
|
||||
certs = "private/ecdsa_nistp521_sha512_cert.pem"
|
||||
key = "private/ecdsa_nistp521_sha512_key_pkcs8.pem"
|
||||
|
||||
[ecdsa_nistp256_sha256_sec1.tls]
|
||||
certs = "private/ecdsa_nistp256_sha256_cert.pem"
|
||||
key = "private/ecdsa_nistp256_sha256_key_sec1.pem"
|
||||
|
|
Binary file not shown.
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIID5DCCAcygAwIBAgIUZ2n0Lhg+9cVPCOtK7Ov1D5n58GIwDQYJKoZIhvcNAQEN
|
||||
BQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlSb2NrZXQg
|
||||
Q0ExFzAVBgNVBAMMDlJvY2tldCBSb290IENBMB4XDTI0MDMyNzExMDYzMFoXDTM0
|
||||
MDMyNTExMDYzMFowPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQK
|
||||
DAZSb2NrZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDCBmzAQBgcqhkjOPQIBBgUrgQQA
|
||||
IwOBhgAEAYXtydjaJR3BsC6NVEPD8wxIobzKO004WjyKFupkQcuQPg4DDzLTimho
|
||||
SyH3ohaYX398MBSSgxo5A1zTb0TB/Yl1AYLiP6SWmZfejRdyZuRQSNrNIH07MIId
|
||||
e+l8VD0DVSb9+Zej5eet4sRgcVgxIzfSCi1mVzSCttbwagpvZW/HBEEgo1gwVjAU
|
||||
BgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFMvhtxA9Tm+8JRx1MfLdJk3Z
|
||||
XW5DMB8GA1UdIwQYMBaAFEQDJSPSVPCilnYHVWae8w99S0KTMA0GCSqGSIb3DQEB
|
||||
DQUAA4ICAQCscu1VBrqQRLON5s86UQv+sCATmW9kWWLCnHn78iGfxMa9N4L9rsf4
|
||||
aFTFpfklOHYBPLK0q2Jm681rzD09FN0DTxG5t9WIsQ2PEJc2akqbzx1Sm4sMZ/td
|
||||
79oS/BLgKEOL8RDtU4dQu5DsrOqOYtDbH4ETwGs3TL3eWH+3sC9S25Sq/DJ9TFHm
|
||||
pZIzEB9rEwgXMsZ0KVYzEAByKZvJZJbp5nRFJPO4riuY+RkyeqQh+oWxRAplqk2s
|
||||
yZEgxgnJIPzVYJkZ8VxaWLF9mU2kHtJlHwlTf6Yp3LTuyr9mwVsNTY+xXco6d5p8
|
||||
bMVUBvVCxNmFHsv2maNOHF2AkxwncIkSNK00ohX5rSnZ1Tdipq3ckjpkbTccYWO2
|
||||
aEPUphZUkGNReSnJ0LKDyCW4Y4Yna3SG152DfMaIjQjflyh8jUnsrGdISxuemE/z
|
||||
2RnTzoSJLGMZvw52BsPbq9aNiZy7kM495oANFSaHwDbkEAknYKyAj2uO2740qEOH
|
||||
xhmsa67lPeofZBoU86gydkszCOWN1GzGOmoF9OFfD5H9M6mtYJ6l1h6/80ofx2Fv
|
||||
SdaksbRdERx20hVPM6tsAbfeP2mmxelVmhxwziQe5ERybrBx23w+khsfsA8Ldv+7
|
||||
hbAqYufmcmsSxdEA+Fuo18vhHOT98UmKlXx1hyERm0hbJe9rW+rGKg==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA3a6vdhcCDC8p/8yG
|
||||
eDASmWqQdkmgU9kaqqgmBh2gcLhTxxtjwAy8BxBy4UmRFo8VJtFUDLXt8ZR2vzTc
|
||||
zKybjrmhgYkDgYYABAGF7cnY2iUdwbAujVRDw/MMSKG8yjtNOFo8ihbqZEHLkD4O
|
||||
Aw8y04poaEsh96IWmF9/fDAUkoMaOQNc029Ewf2JdQGC4j+klpmX3o0XcmbkUEja
|
||||
zSB9OzCCHXvpfFQ9A1Um/fmXo+XnreLEYHFYMSM30gotZlc0grbW8GoKb2VvxwRB
|
||||
IA==
|
||||
-----END PRIVATE KEY-----
|
|
@ -113,15 +113,39 @@ function gen_ecdsa_nistp384_sha384() {
|
|||
rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem
|
||||
}
|
||||
|
||||
function gen_ecdsa_nistp521_sha512() {
|
||||
gen_ca_if_non_existent
|
||||
|
||||
openssl ecparam -out ecdsa_nistp521_sha512_key.pem -name secp521r1 -genkey
|
||||
|
||||
# Convert to pkcs8 format supported by rustls
|
||||
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp521_sha512_key.pem \
|
||||
-out ecdsa_nistp521_sha512_key_pkcs8.pem
|
||||
|
||||
openssl req -new -nodes -sha512 -key ecdsa_nistp521_sha512_key_pkcs8.pem \
|
||||
-subj "${SUBJECT}" -out server.csr
|
||||
|
||||
openssl x509 -req -sha512 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
||||
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
||||
-in server.csr -out ecdsa_nistp521_sha512_cert.pem
|
||||
|
||||
openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp521_sha512_cert.pem \
|
||||
-inkey ecdsa_nistp521_sha512_key_pkcs8.pem -out ecdsa_nistp521_sha512.p12
|
||||
|
||||
rm ca_cert.srl server.csr ecdsa_nistp521_sha512_key.pem
|
||||
}
|
||||
|
||||
case $1 in
|
||||
ed25519) gen_ed25519 ;;
|
||||
rsa_sha256) gen_rsa_sha256 ;;
|
||||
ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;;
|
||||
ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;;
|
||||
ecdsa_nistp521_sha512) gen_ecdsa_nistp521_sha512 ;;
|
||||
*)
|
||||
gen_ed25519
|
||||
gen_rsa_sha256
|
||||
gen_ecdsa_nistp256_sha256
|
||||
gen_ecdsa_nistp384_sha384
|
||||
gen_ecdsa_nistp521_sha512
|
||||
;;
|
||||
esac
|
||||
|
|
|
@ -69,8 +69,9 @@ fn insecure_cookies() {
|
|||
fn hello_world() {
|
||||
use rocket::listener::DefaultListener;
|
||||
use rocket::config::{Config, SecretKey};
|
||||
use rustls::crypto::aws_lc_rs;
|
||||
|
||||
let profiles = [
|
||||
let mut profiles = vec![
|
||||
"rsa_sha256",
|
||||
"ecdsa_nistp256_sha256_pkcs8",
|
||||
"ecdsa_nistp384_sha384_pkcs8",
|
||||
|
@ -79,20 +80,29 @@ fn hello_world() {
|
|||
"ed25519",
|
||||
];
|
||||
|
||||
for profile in profiles {
|
||||
let config = Config {
|
||||
secret_key: SecretKey::generate().unwrap(),
|
||||
..Config::debug_default()
|
||||
};
|
||||
for use_aws_lc in [false, true] {
|
||||
if use_aws_lc {
|
||||
let crypto_provider = aws_lc_rs::default_provider();
|
||||
crypto_provider.install_default().unwrap();
|
||||
|
||||
let figment = Config::figment().merge(config).select(profile);
|
||||
let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
|
||||
let response = client.get("/").dispatch();
|
||||
assert_eq!(response.into_string().unwrap(), "Hello, world!");
|
||||
profiles.push("ecdsa_nistp521_sha512_pkcs8");
|
||||
}
|
||||
|
||||
let figment = client.rocket().figment();
|
||||
let listener: DefaultListener = figment.extract().unwrap();
|
||||
assert_eq!(figment.profile(), profile);
|
||||
listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
|
||||
for profile in &profiles {
|
||||
let config = Config {
|
||||
secret_key: SecretKey::generate().unwrap(),
|
||||
..Config::debug_default()
|
||||
};
|
||||
|
||||
let figment = Config::figment().merge(config).select(profile);
|
||||
let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
|
||||
let response = client.get("/").dispatch();
|
||||
assert_eq!(response.into_string().unwrap(), "Hello, world!");
|
||||
|
||||
let figment = client.rocket().figment();
|
||||
let listener: DefaultListener = figment.extract().unwrap();
|
||||
assert_eq!(figment.profile(), profile);
|
||||
listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue