Simplify cert-watch example

2025-04-17 06:17:56 +02:00 · 2025-04-03 17:50:46 +02:00 · 2025-04-03 17:50:46 +02:00 · c3bd9d9620
commit c3bd9d9620
parent 60c8160d6a
2 changed files with 19 additions and 26 deletions
--- a/https-tls/cert-watch/Cargo.toml
+++ b/https-tls/cert-watch/Cargo.toml
@ -11,5 +11,4 @@ eyre.workspace = true
 log.workspace = true
 notify = "6"
 rustls.workspace = true
-rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["time", "rt", "macros"] }
--- a/https-tls/cert-watch/src/main.rs
+++ b/https-tls/cert-watch/src/main.rs
@ -1,12 +1,14 @@
-use std::{fs::File, io::BufReader, path::Path};
+use std::path::Path;

 use actix_web::{
    App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
 };
 use log::debug;
 use notify::{Event, RecursiveMode, Watcher as _};
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+    ServerConfig,
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 use tokio::sync::mpsc;

 #[derive(Debug)]
@ -27,6 +29,11 @@ async fn main() -> eyre::Result<()> {
    color_eyre::install()?;
    env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));

+    // Load default provider, to be done once for the process
+    rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .unwrap();
+
    // signal channel used to notify main event loop of cert/key file changes
    let (reload_tx, mut reload_rx) = mpsc::channel(1);

@ -100,29 +107,16 @@ async fn main() -> eyre::Result<()> {
 }

 fn load_rustls_config() -> eyre::Result<rustls::ServerConfig> {
-    rustls::crypto::aws_lc_rs::default_provider()
-        .install_default()
-        .unwrap();
-
-    // init server config builder with safe defaults
-    let config = ServerConfig::builder().with_no_client_auth();
-
    // load TLS key/cert files
-    let cert_file = &mut BufReader::new(File::open("cert.pem")?);
-    let key_file = &mut BufReader::new(File::open("key.pem")?);
+    let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+        .unwrap()
+        .flatten()
+        .collect();

-    // convert files to key/cert objects
-    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
-    let mut keys = pkcs8_private_keys(key_file)
-        .map(|key| key.map(PrivateKeyDer::Pkcs8))
-        .collect::<Result<Vec<_>, _>>()
-        .unwrap();
+    let key_der =
+        PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");

-    // exit if no keys could be parsed
-    if keys.is_empty() {
-        eprintln!("Could not locate PKCS 8 private keys.");
-        std::process::exit(1);
-    }
-
-    Ok(config.with_single_cert(cert_chain, keys.remove(0))?)
+    Ok(ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key_der)?)
 }