feat: add rustls v0.22 support (#513)

2025-06-26 19:47:43 +02:00 · 2023-12-06 04:04:39 +00:00
parent 9edc0b393a
commit 951e46186b
10 changed files with 248 additions and 49 deletions
--- a/actix-tls/tests/accept-openssl.rs
+++ b/actix-tls/tests/accept-openssl.rs
@ -3,19 +3,20 @@
 #![cfg(all(
    feature = "accept",
    feature = "connect",
-    feature = "rustls-0_21",
+    feature = "rustls-0_22",
    feature = "openssl"
 ))]

-use std::{convert::TryFrom, io::Write, sync::Arc};
+use std::{io::Write as _, sync::Arc};

 use actix_rt::net::TcpStream;
 use actix_server::TestServer;
 use actix_service::ServiceFactoryExt as _;
 use actix_tls::accept::openssl::{Acceptor, TlsStream};
 use actix_utils::future::ok;
-use tokio_rustls::rustls::{Certificate, ClientConfig, RootCertStore, ServerName};
-use tokio_rustls_024 as tokio_rustls;
+use rustls_pki_types_1::ServerName;
+use tokio_rustls::rustls::{ClientConfig, RootCertStore};
+use tokio_rustls_025 as tokio_rustls;

 fn new_cert_and_key() -> (String, String) {
    let cert =
@ -48,28 +49,45 @@ fn openssl_acceptor(cert: String, key: String) -> tls_openssl::ssl::SslAcceptor

 #[allow(dead_code)]
 mod danger {
-    use std::time::SystemTime;
-
-    use tokio_rustls_024::rustls::{
-        self,
-        client::{ServerCertVerified, ServerCertVerifier},
-    };
-
-    use super::*;
+    use tokio_rustls_025::rustls;

+    #[derive(Debug)]
    pub struct NoCertificateVerification;

-    impl ServerCertVerifier for NoCertificateVerification {
+    impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
        fn verify_server_cert(
            &self,
-            _end_entity: &Certificate,
-            _intermediates: &[Certificate],
-            _server_name: &ServerName,
-            _scts: &mut dyn Iterator<Item = &[u8]>,
-            _ocsp_response: &[u8],
-            _now: SystemTime,
-        ) -> Result<ServerCertVerified, rustls::Error> {
-            Ok(ServerCertVerified::assertion())
+            end_entity: &rustls_pki_types_1::CertificateDer::CertificateDer<'_>,
+            intermediates: &[rustls_pki_types_1::CertificateDer::CertificateDer<'_>],
+            server_name: &rustls_pki_types_1::CertificateDer::ServerName<'_>,
+            ocsp_response: &[u8],
+            now: rustls_pki_types_1::CertificateDer::UnixTime,
+        ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+            Ok(rustls::client::danger::ServerCertVerified::assertion())
+        }
+
+        fn verify_tls12_signature(
+            &self,
+            message: &[u8],
+            cert: &rustls_pki_types_1::CertificateDer<'_>,
+            dss: &rustls::DigitallySignedStruct,
+        ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+            Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+        }
+
+        fn verify_tls13_signature(
+            &self,
+            message: &[u8],
+            cert: &rustls_pki_types_1::CertificateDer<'_>,
+            dss: &rustls::DigitallySignedStruct,
+        ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+            Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+        }
+
+        fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+            rustls::crypto::ring::default_provider()
+                .signature_verification_algorithms
+                .supported_schemes()
        }
    }
 }
@ -77,7 +95,6 @@ mod danger {
 #[allow(dead_code)]
 fn rustls_connector(_cert: String, _key: String) -> ClientConfig {
    let mut config = ClientConfig::builder()
-        .with_safe_defaults()
        .with_root_certificates(RootCertStore::empty())
        .with_no_client_auth();

--- a/actix-tls/tests/accept-rustls.rs
+++ b/actix-tls/tests/accept-rustls.rs
@ -3,7 +3,7 @@
 #![cfg(all(
    feature = "accept",
    feature = "connect",
-    feature = "rustls-0_21",
+    feature = "rustls-0_22",
    feature = "openssl"
 ))]

@ -41,8 +41,10 @@ fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig {
    let cert = &mut BufReader::new(cert.as_bytes());
    let key = &mut BufReader::new(key.as_bytes());

-    let cert_chain = certs(cert).unwrap().into_iter().map(Certificate).collect();
-    let mut keys = pkcs8_private_keys(key).unwrap();
+    let cert_chain = certs(cert).collect::<Result<Vec<_>, _>>().unwrap();
+    let mut keys = pkcs8_private_keys(key)
+        .collect::<Result<Vec<_>, _>>()
+        .unwrap();

    let mut config = ServerConfig::builder()
        .with_safe_defaults()
--- a/actix-tls/tests/test_connect.rs
+++ b/actix-tls/tests/test_connect.rs
@ -11,7 +11,7 @@ use actix_server::TestServer;
 use actix_service::{fn_service, Service, ServiceFactory};
 use actix_tls::connect::{ConnectError, ConnectInfo, Connection, Connector, Host};
 use bytes::Bytes;
-use futures_util::sink::SinkExt;
+use futures_util::sink::SinkExt as _;

 #[cfg(feature = "openssl")]
 #[actix_rt::test]
@ -30,7 +30,7 @@ async fn test_string() {
    assert_eq!(con.peer_addr().unwrap(), srv.addr());
 }

-#[cfg(feature = "rustls-0_21")]
+#[cfg(feature = "rustls-0_22")]
 #[actix_rt::test]
 async fn test_rustls_string() {
    let srv = TestServer::start(|| {
@ -114,7 +114,7 @@ async fn test_openssl_uri() {
    assert_eq!(con.peer_addr().unwrap(), srv.addr());
 }

-#[cfg(all(feature = "rustls-0_21", feature = "uri"))]
+#[cfg(all(feature = "rustls-0_22", feature = "uri"))]
 #[actix_rt::test]
 async fn test_rustls_uri_http1() {
    let srv = TestServer::start(|| {
@ -131,7 +131,7 @@ async fn test_rustls_uri_http1() {
    assert_eq!(con.peer_addr().unwrap(), srv.addr());
 }

-#[cfg(all(feature = "rustls-0_21", feature = "uri"))]
+#[cfg(all(feature = "rustls-0_22", feature = "uri"))]
 #[actix_rt::test]
 async fn test_rustls_uri() {
    use std::convert::TryFrom;